summaryrefslogtreecommitdiffstats
path: root/source3/winbindd
diff options
context:
space:
mode:
Diffstat (limited to 'source3/winbindd')
-rw-r--r--source3/winbindd/idmap.c632
-rw-r--r--source3/winbindd/idmap_ad.c1073
-rw-r--r--source3/winbindd/idmap_ad_nss.c418
-rw-r--r--source3/winbindd/idmap_autorid.c945
-rw-r--r--source3/winbindd/idmap_autorid_tdb.c1265
-rw-r--r--source3/winbindd/idmap_hash/idmap_hash.c504
-rw-r--r--source3/winbindd/idmap_hash/idmap_hash.h60
-rw-r--r--source3/winbindd/idmap_hash/mapfile.c182
-rw-r--r--source3/winbindd/idmap_ldap.c1141
-rw-r--r--source3/winbindd/idmap_nss.c227
-rw-r--r--source3/winbindd/idmap_passdb.c87
-rw-r--r--source3/winbindd/idmap_proto.h69
-rw-r--r--source3/winbindd/idmap_rfc2307.c848
-rw-r--r--source3/winbindd/idmap_rid.c182
-rw-r--r--source3/winbindd/idmap_rw.c109
-rw-r--r--source3/winbindd/idmap_rw.h56
-rw-r--r--source3/winbindd/idmap_script.c650
-rw-r--r--source3/winbindd/idmap_tdb.c442
-rw-r--r--source3/winbindd/idmap_tdb2.c612
-rw-r--r--source3/winbindd/idmap_tdb_common.c664
-rw-r--r--source3/winbindd/idmap_tdb_common.h137
-rw-r--r--source3/winbindd/idmap_util.c137
-rw-r--r--source3/winbindd/nss_info.c377
-rw-r--r--source3/winbindd/nss_info_template.c80
-rw-r--r--source3/winbindd/wb_dsgetdcname.c246
-rw-r--r--source3/winbindd/wb_getgrsid.c222
-rw-r--r--source3/winbindd/wb_getpwsid.c156
-rw-r--r--source3/winbindd/wb_gettoken.c290
-rw-r--r--source3/winbindd/wb_group_members.c483
-rw-r--r--source3/winbindd/wb_lookupname.c123
-rw-r--r--source3/winbindd/wb_lookupsid.c114
-rw-r--r--source3/winbindd/wb_lookupsids.c697
-rw-r--r--source3/winbindd/wb_lookupuseraliases.c108
-rw-r--r--source3/winbindd/wb_lookupusergroups.c120
-rw-r--r--source3/winbindd/wb_next_grent.c169
-rw-r--r--source3/winbindd/wb_next_pwent.c162
-rw-r--r--source3/winbindd/wb_query_group_list.c94
-rw-r--r--source3/winbindd/wb_query_user_list.c146
-rw-r--r--source3/winbindd/wb_queryuser.c473
-rw-r--r--source3/winbindd/wb_seqnum.c78
-rw-r--r--source3/winbindd/wb_seqnums.c153
-rw-r--r--source3/winbindd/wb_sids2xids.c786
-rw-r--r--source3/winbindd/wb_xids2sids.c422
-rw-r--r--source3/winbindd/winbindd.c1727
-rw-r--r--source3/winbindd/winbindd.h360
-rw-r--r--source3/winbindd/winbindd_ads.c1580
-rw-r--r--source3/winbindd/winbindd_ads.h34
-rw-r--r--source3/winbindd/winbindd_allocate_gid.c121
-rw-r--r--source3/winbindd/winbindd_allocate_uid.c122
-rw-r--r--source3/winbindd/winbindd_cache.c4805
-rw-r--r--source3/winbindd/winbindd_ccache_access.c373
-rw-r--r--source3/winbindd/winbindd_change_machine_acct.c93
-rw-r--r--source3/winbindd/winbindd_check_machine_acct.c96
-rw-r--r--source3/winbindd/winbindd_cm.c3338
-rw-r--r--source3/winbindd/winbindd_cred_cache.c1061
-rw-r--r--source3/winbindd/winbindd_creds.c147
-rw-r--r--source3/winbindd/winbindd_domain.c37
-rw-r--r--source3/winbindd/winbindd_domain_info.c141
-rw-r--r--source3/winbindd/winbindd_dsgetdcname.c200
-rw-r--r--source3/winbindd/winbindd_dual.c2063
-rw-r--r--source3/winbindd/winbindd_dual_ndr.c615
-rw-r--r--source3/winbindd/winbindd_dual_srv.c2071
-rw-r--r--source3/winbindd/winbindd_endgrent.c54
-rw-r--r--source3/winbindd/winbindd_endpwent.c55
-rw-r--r--source3/winbindd/winbindd_getdcname.c95
-rw-r--r--source3/winbindd/winbindd_getgrent.c213
-rw-r--r--source3/winbindd/winbindd_getgrgid.c156
-rw-r--r--source3/winbindd/winbindd_getgrnam.c206
-rw-r--r--source3/winbindd/winbindd_getgroups.c283
-rw-r--r--source3/winbindd/winbindd_getpwent.c162
-rw-r--r--source3/winbindd/winbindd_getpwnam.c162
-rw-r--r--source3/winbindd/winbindd_getpwsid.c109
-rw-r--r--source3/winbindd/winbindd_getpwuid.c137
-rw-r--r--source3/winbindd/winbindd_getsidaliases.c160
-rw-r--r--source3/winbindd/winbindd_getuserdomgroups.c123
-rw-r--r--source3/winbindd/winbindd_getusersids.c128
-rw-r--r--source3/winbindd/winbindd_gpupdate.c117
-rw-r--r--source3/winbindd/winbindd_group.c154
-rw-r--r--source3/winbindd/winbindd_idmap.c418
-rw-r--r--source3/winbindd/winbindd_irpc.c891
-rw-r--r--source3/winbindd/winbindd_list_groups.c233
-rw-r--r--source3/winbindd/winbindd_list_users.c210
-rw-r--r--source3/winbindd/winbindd_locator.c45
-rw-r--r--source3/winbindd/winbindd_lookupname.c130
-rw-r--r--source3/winbindd/winbindd_lookuprids.c200
-rw-r--r--source3/winbindd/winbindd_lookupsid.c104
-rw-r--r--source3/winbindd/winbindd_lookupsids.c144
-rw-r--r--source3/winbindd/winbindd_misc.c477
-rw-r--r--source3/winbindd/winbindd_msrpc.c1069
-rw-r--r--source3/winbindd/winbindd_ndr.c162
-rw-r--r--source3/winbindd/winbindd_pam.c3556
-rw-r--r--source3/winbindd/winbindd_pam_auth.c286
-rw-r--r--source3/winbindd/winbindd_pam_auth_crap.c285
-rw-r--r--source3/winbindd/winbindd_pam_chauthtok.c197
-rw-r--r--source3/winbindd/winbindd_pam_chng_pswd_auth_crap.c171
-rw-r--r--source3/winbindd/winbindd_pam_logoff.c173
-rw-r--r--source3/winbindd/winbindd_ping_dc.c140
-rw-r--r--source3/winbindd/winbindd_proto.h996
-rw-r--r--source3/winbindd/winbindd_reconnect.c325
-rw-r--r--source3/winbindd/winbindd_reconnect_ads.c334
-rw-r--r--source3/winbindd/winbindd_rpc.c822
-rw-r--r--source3/winbindd/winbindd_rpc.h86
-rw-r--r--source3/winbindd/winbindd_samr.c1355
-rw-r--r--source3/winbindd/winbindd_setgrent.c67
-rw-r--r--source3/winbindd/winbindd_setpwent.c67
-rw-r--r--source3/winbindd/winbindd_show_sequence.c167
-rw-r--r--source3/winbindd/winbindd_sids_to_xids.c164
-rw-r--r--source3/winbindd/winbindd_traceid.c147
-rw-r--r--source3/winbindd/winbindd_traceid.h29
-rw-r--r--source3/winbindd/winbindd_util.c2183
-rw-r--r--source3/winbindd/winbindd_wins_byip.c142
-rw-r--r--source3/winbindd/winbindd_wins_byname.c157
-rw-r--r--source3/winbindd/winbindd_xids_to_sids.c142
-rw-r--r--source3/winbindd/wscript_build290
114 files changed, 53601 insertions, 0 deletions
diff --git a/source3/winbindd/idmap.c b/source3/winbindd/idmap.c
new file mode 100644
index 0000000..eee2899
--- /dev/null
+++ b/source3/winbindd/idmap.c
@@ -0,0 +1,632 @@
+/*
+ Unix SMB/CIFS implementation.
+ ID Mapping
+ Copyright (C) Tim Potter 2000
+ Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003
+ Copyright (C) Simo Sorce 2003-2007
+ Copyright (C) Jeremy Allison 2006
+ Copyright (C) Michael Adam 2010
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "winbindd.h"
+#include "idmap.h"
+#include "lib/util_sid_passdb.h"
+#include "libcli/security/dom_sid.h"
+#include "passdb.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_IDMAP
+
+static_decl_idmap;
+
+/**
+ * Pointer to the backend methods. Modules register themselves here via
+ * smb_register_idmap.
+ */
+
+struct idmap_backend {
+ const char *name;
+ const struct idmap_methods *methods;
+ struct idmap_backend *prev, *next;
+};
+static struct idmap_backend *backends = NULL;
+
+/**
+ * Default idmap domain configured via "idmap backend".
+ */
+static struct idmap_domain *default_idmap_domain;
+
+/**
+ * Passdb idmap domain, not configurable. winbind must always give passdb a
+ * chance to map ids.
+ */
+static struct idmap_domain *passdb_idmap_domain;
+
+/**
+ * List of specially configured idmap domains. This list is filled on demand
+ * in the winbind idmap child when the parent winbind figures out via the
+ * special range parameter or via the domain SID that a special "idmap config
+ * domain" configuration is present.
+ */
+static struct idmap_domain **idmap_domains = NULL;
+static int num_domains = 0;
+
+static struct idmap_domain *idmap_init_named_domain(TALLOC_CTX *mem_ctx,
+ const char *domname);
+static struct idmap_domain *idmap_init_domain(TALLOC_CTX *mem_ctx,
+ const char *domainname,
+ const char *modulename,
+ bool check_range);
+
+struct lp_scan_idmap_domains_state {
+ bool (*fn)(const char *domname, void *private_data);
+ void *private_data;
+};
+
+static bool lp_scan_idmap_found_domain(
+ const char *string, regmatch_t matches[], void *private_data);
+
+bool lp_scan_idmap_domains(bool (*fn)(const char *domname,
+ void *private_data),
+ void *private_data)
+{
+ struct lp_scan_idmap_domains_state state = {
+ .fn = fn, .private_data = private_data };
+ int ret;
+
+ ret = lp_wi_scan_global_parametrics(
+ "idmapconfig\\(.*\\):backend", 2,
+ lp_scan_idmap_found_domain, &state);
+ if (ret != 0) {
+ DBG_WARNING("wi_scan_global_parametrics returned %d\n", ret);
+ return false;
+ }
+
+ return true;
+}
+
+static bool lp_scan_idmap_found_domain(
+ const char *string, regmatch_t matches[], void *private_data)
+{
+ bool ok;
+
+ if (matches[1].rm_so == -1) {
+ DBG_WARNING("Found match, but no name??\n");
+ return false;
+ }
+ if (matches[1].rm_eo <= matches[1].rm_so) {
+ DBG_WARNING("Invalid match\n");
+ return false;
+ }
+
+ {
+ struct lp_scan_idmap_domains_state *state = private_data;
+ regoff_t len = matches[1].rm_eo - matches[1].rm_so;
+ char domname[len+1];
+
+ memcpy(domname, string + matches[1].rm_so, len);
+ domname[len] = '\0';
+
+ DBG_DEBUG("Found idmap domain \"%s\"\n", domname);
+
+ ok = state->fn(domname, state->private_data);
+ }
+
+ return ok;
+}
+
+static bool idmap_found_domain_backend(const char *domname,
+ void *private_data);
+
+static bool idmap_init(void)
+{
+ static bool initialized;
+ bool ok;
+
+ if (initialized) {
+ return true;
+ }
+
+ DEBUG(10, ("idmap_init(): calling static_init_idmap\n"));
+
+ static_init_idmap(NULL);
+
+ initialized = true;
+
+ if (!pdb_is_responsible_for_everything_else()) {
+ default_idmap_domain = idmap_init_named_domain(NULL, "*");
+ if (default_idmap_domain == NULL) {
+ return false;
+ }
+ }
+
+ passdb_idmap_domain = idmap_init_domain(
+ NULL, get_global_sam_name(), "passdb", false);
+ if (passdb_idmap_domain == NULL) {
+ TALLOC_FREE(default_idmap_domain);
+ return false;
+ }
+
+ idmap_domains = talloc_array(NULL, struct idmap_domain *, 0);
+ if (idmap_domains == NULL) {
+ TALLOC_FREE(passdb_idmap_domain);
+ TALLOC_FREE(default_idmap_domain);
+ return false;
+ }
+
+ ok = lp_scan_idmap_domains(idmap_found_domain_backend, NULL);
+ if (!ok) {
+ DBG_WARNING("lp_scan_idmap_domains failed\n");
+ return false;
+ }
+
+ return true;
+}
+
+const char *idmap_config_const_string(const char *domname, const char *option,
+ const char *def)
+{
+ int len = snprintf(NULL, 0, "idmap config %s", domname);
+
+ if (len == -1) {
+ return NULL;
+ }
+ {
+ char config_option[len+1];
+ snprintf(config_option, sizeof(config_option),
+ "idmap config %s", domname);
+ return lp_parm_const_string(-1, config_option, option, def);
+ }
+}
+
+bool idmap_config_bool(const char *domname, const char *option, bool def)
+{
+ int len = snprintf(NULL, 0, "idmap config %s", domname);
+
+ if (len == -1) {
+ return def;
+ }
+ {
+ char config_option[len+1];
+ snprintf(config_option, sizeof(config_option),
+ "idmap config %s", domname);
+ return lp_parm_bool(-1, config_option, option, def);
+ }
+}
+
+int idmap_config_int(const char *domname, const char *option, int def)
+{
+ int len = snprintf(NULL, 0, "idmap config %s", domname);
+
+ if (len == -1) {
+ return def;
+ }
+ {
+ char config_option[len+1];
+ snprintf(config_option, sizeof(config_option),
+ "idmap config %s", domname);
+ return lp_parm_int(-1, config_option, option, def);
+ }
+}
+
+bool domain_has_idmap_config(const char *domname)
+{
+ int i;
+ const char *range = NULL;
+ const char *backend = NULL;
+ bool ok;
+
+ ok = idmap_init();
+ if (!ok) {
+ return false;
+ }
+
+ for (i=0; i<num_domains; i++) {
+ if (strequal(idmap_domains[i]->name, domname)) {
+ return true;
+ }
+ }
+
+ /* fallback: also check loadparm */
+
+ range = idmap_config_const_string(domname, "range", NULL);
+ backend = idmap_config_const_string(domname, "backend", NULL);
+ if (range != NULL && backend != NULL) {
+ DEBUG(5, ("idmap configuration specified for domain '%s'\n",
+ domname));
+ return true;
+ }
+
+ return false;
+}
+
+static bool idmap_found_domain_backend(const char *domname,
+ void *private_data)
+{
+ struct idmap_domain *dom, **tmp;
+
+ DBG_DEBUG("Found idmap domain \"%s\"\n", domname);
+
+ if (strcmp(domname, "*") == 0) {
+ return false;
+ }
+
+ dom = idmap_init_named_domain(idmap_domains, domname);
+ if (dom == NULL) {
+ DBG_NOTICE("Could not init idmap domain %s\n", domname);
+ return false;
+ }
+
+ tmp = talloc_realloc(idmap_domains, idmap_domains,
+ struct idmap_domain *, num_domains + 1);
+ if (tmp == NULL) {
+ DBG_WARNING("talloc_realloc failed\n");
+ TALLOC_FREE(dom);
+ return false;
+ }
+ idmap_domains = tmp;
+ idmap_domains[num_domains] = dom;
+ num_domains += 1;
+
+ return false;
+}
+
+static const struct idmap_methods *get_methods(const char *name)
+{
+ struct idmap_backend *b;
+
+ for (b = backends; b; b = b->next) {
+ if (strequal(b->name, name)) {
+ return b->methods;
+ }
+ }
+
+ return NULL;
+}
+
+bool idmap_is_offline(void)
+{
+ return ( lp_winbind_offline_logon() &&
+ get_global_winbindd_state_offline() );
+}
+
+/**********************************************************************
+ Allow a module to register itself as a method.
+**********************************************************************/
+
+NTSTATUS smb_register_idmap(int version, const char *name,
+ const struct idmap_methods *methods)
+{
+ struct idmap_backend *entry;
+
+ if ((version != SMB_IDMAP_INTERFACE_VERSION)) {
+ DEBUG(0, ("Failed to register idmap module.\n"
+ "The module was compiled against "
+ "SMB_IDMAP_INTERFACE_VERSION %d,\n"
+ "current SMB_IDMAP_INTERFACE_VERSION is %d.\n"
+ "Please recompile against the current version "
+ "of samba!\n",
+ version, SMB_IDMAP_INTERFACE_VERSION));
+ return NT_STATUS_OBJECT_TYPE_MISMATCH;
+ }
+
+ if (!name || !name[0] || !methods) {
+ DEBUG(0,("Called with NULL pointer or empty name!\n"));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ for (entry = backends; entry != NULL; entry = entry->next) {
+ if (strequal(entry->name, name)) {
+ DEBUG(5,("Idmap module %s already registered!\n",
+ name));
+ return NT_STATUS_OBJECT_NAME_COLLISION;
+ }
+ }
+
+ entry = talloc(NULL, struct idmap_backend);
+ if ( ! entry) {
+ DEBUG(0,("Out of memory!\n"));
+ TALLOC_FREE(entry);
+ return NT_STATUS_NO_MEMORY;
+ }
+ entry->name = talloc_strdup(entry, name);
+ if ( ! entry->name) {
+ DEBUG(0,("Out of memory!\n"));
+ TALLOC_FREE(entry);
+ return NT_STATUS_NO_MEMORY;
+ }
+ entry->methods = methods;
+
+ DLIST_ADD(backends, entry);
+ DEBUG(5, ("Successfully added idmap backend '%s'\n", name));
+ return NT_STATUS_OK;
+}
+
+/**
+ * Initialize a domain structure
+ * @param[in] mem_ctx memory context for the result
+ * @param[in] domainname which domain is this for
+ * @param[in] modulename which backend module
+ * @param[in] check_range whether range checking should be done
+ * @result The initialized structure
+ */
+static struct idmap_domain *idmap_init_domain(TALLOC_CTX *mem_ctx,
+ const char *domainname,
+ const char *modulename,
+ bool check_range)
+{
+ struct idmap_domain *result;
+ NTSTATUS status;
+ const char *range;
+ unsigned low_id = 0;
+ unsigned high_id = 0;
+
+ result = talloc_zero(mem_ctx, struct idmap_domain);
+ if (result == NULL) {
+ DEBUG(0, ("talloc failed\n"));
+ return NULL;
+ }
+
+ result->name = talloc_strdup(result, domainname);
+ if (result->name == NULL) {
+ DEBUG(0, ("talloc failed\n"));
+ goto fail;
+ }
+
+ /*
+ * Check whether the requested backend module exists and
+ * load the methods.
+ */
+
+ result->methods = get_methods(modulename);
+ if (result->methods == NULL) {
+ DEBUG(3, ("idmap backend %s not found\n", modulename));
+
+ status = smb_probe_module("idmap", modulename);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(3, ("Could not probe idmap module %s\n",
+ modulename));
+ goto fail;
+ }
+
+ result->methods = get_methods(modulename);
+ }
+ if (result->methods == NULL) {
+ DEBUG(1, ("idmap backend %s not found\n", modulename));
+ goto fail;
+ }
+
+ /*
+ * load ranges and read only information from the config
+ */
+
+ result->read_only = idmap_config_bool(result->name, "read only", false);
+ range = idmap_config_const_string(result->name, "range", NULL);
+
+ if (range == NULL) {
+ if (check_range) {
+ DEBUG(1, ("idmap range not specified for domain %s\n",
+ result->name));
+ goto fail;
+ }
+ } else if (sscanf(range, "%u - %u", &low_id, &high_id) != 2)
+ {
+ DEBUG(1, ("invalid range '%s' specified for domain "
+ "'%s'\n", range, result->name));
+ if (check_range) {
+ goto fail;
+ }
+ } else if (low_id > high_id) {
+ DEBUG(1, ("Error: invalid idmap range detected: %u - %u\n",
+ low_id, high_id));
+ if (check_range) {
+ goto fail;
+ }
+ }
+
+ result->low_id = low_id;
+ result->high_id = high_id;
+
+ status = result->methods->init(result);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1, ("idmap initialization returned %s\n",
+ nt_errstr(status)));
+ goto fail;
+ }
+
+ return result;
+
+fail:
+ TALLOC_FREE(result);
+ return NULL;
+}
+
+/**
+ * Initialize a named domain structure
+ * @param[in] mem_ctx memory context for the result
+ * @param[in] domname the domain name
+ * @result The default domain structure
+ *
+ * This routine looks at the "idmap config <domname>" parameters to figure out
+ * the configuration.
+ */
+
+static struct idmap_domain *idmap_init_named_domain(TALLOC_CTX *mem_ctx,
+ const char *domname)
+{
+ struct idmap_domain *result = NULL;
+ const char *backend;
+ bool ok;
+
+ ok = idmap_init();
+ if (!ok) {
+ return NULL;
+ }
+
+ backend = idmap_config_const_string(domname, "backend", NULL);
+ if (backend == NULL) {
+ DEBUG(10, ("no idmap backend configured for domain '%s'\n",
+ domname));
+ goto fail;
+ }
+
+ result = idmap_init_domain(mem_ctx, domname, backend, true);
+ if (result == NULL) {
+ goto fail;
+ }
+
+ return result;
+
+fail:
+ TALLOC_FREE(result);
+ return NULL;
+}
+
+/**
+ * Find a domain struct according to a domain name
+ * @param[in] domname Domain name to get the config for
+ * @result The default domain structure that fits
+ *
+ * This is the central routine in the winbindd-idmap child to pick the correct
+ * domain for looking up IDs. If domname is NULL or empty, we use the default
+ * domain. If it contains something, we try to use idmap_init_named_domain()
+ * to fetch the correct backend.
+ *
+ * The choice about "domname" is being made by the winbind parent, look at the
+ * "have_idmap_config" of "struct winbindd_domain" which is set in
+ * add_trusted_domain.
+ */
+
+struct idmap_domain *idmap_find_domain(const char *domname)
+{
+ bool ok;
+ int i;
+
+ DEBUG(10, ("idmap_find_domain called for domain '%s'\n",
+ domname?domname:"NULL"));
+
+ ok = idmap_init();
+ if (!ok) {
+ return NULL;
+ }
+
+ if ((domname == NULL) || (domname[0] == '\0')) {
+ return default_idmap_domain;
+ }
+
+ for (i=0; i<num_domains; i++) {
+ if (strequal(idmap_domains[i]->name, domname)) {
+ return idmap_domains[i];
+ }
+ }
+
+ return default_idmap_domain;
+}
+
+struct idmap_domain *idmap_find_domain_with_sid(const char *domname,
+ const struct dom_sid *sid)
+{
+ bool ok;
+
+ ok = idmap_init();
+ if (!ok) {
+ return NULL;
+ }
+
+ if (sid_check_is_for_passdb(sid)) {
+ return passdb_idmap_domain;
+ }
+
+ return idmap_find_domain(domname);
+}
+
+void idmap_close(void)
+{
+ TALLOC_FREE(default_idmap_domain);
+ TALLOC_FREE(passdb_idmap_domain);
+ TALLOC_FREE(idmap_domains);
+ num_domains = 0;
+}
+
+/**************************************************************************
+ idmap allocator interface functions
+**************************************************************************/
+
+static NTSTATUS idmap_allocate_unixid(struct unixid *id)
+{
+ struct idmap_domain *dom;
+ NTSTATUS ret;
+
+ dom = idmap_find_domain(NULL);
+
+ if (dom == NULL) {
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ if (dom->methods->allocate_id == NULL) {
+ return NT_STATUS_NOT_IMPLEMENTED;
+ }
+
+ ret = dom->methods->allocate_id(dom, id);
+
+ return ret;
+}
+
+
+NTSTATUS idmap_allocate_uid(struct unixid *id)
+{
+ id->type = ID_TYPE_UID;
+ return idmap_allocate_unixid(id);
+}
+
+NTSTATUS idmap_allocate_gid(struct unixid *id)
+{
+ id->type = ID_TYPE_GID;
+ return idmap_allocate_unixid(id);
+}
+
+NTSTATUS idmap_backend_unixids_to_sids(struct id_map **maps,
+ const char *domain_name,
+ struct dom_sid domain_sid)
+{
+ struct idmap_domain *dom = NULL;
+ NTSTATUS status;
+ bool ok;
+
+ ok = idmap_init();
+ if (!ok) {
+ return NT_STATUS_NONE_MAPPED;
+ }
+
+ if (strequal(domain_name, get_global_sam_name())) {
+ dom = passdb_idmap_domain;
+ }
+ if (dom == NULL) {
+ dom = idmap_find_domain(domain_name);
+ }
+ if (dom == NULL) {
+ return NT_STATUS_NONE_MAPPED;
+ }
+
+ dom->dom_sid = domain_sid;
+ status = dom->methods->unixids_to_sids(dom, maps);
+
+ DBG_DEBUG("unixid_to_sids for domain %s returned %s\n",
+ domain_name, nt_errstr(status));
+
+ return status;
+}
diff --git a/source3/winbindd/idmap_ad.c b/source3/winbindd/idmap_ad.c
new file mode 100644
index 0000000..e80b823
--- /dev/null
+++ b/source3/winbindd/idmap_ad.c
@@ -0,0 +1,1073 @@
+/*
+ * idmap_ad: map between Active Directory and RFC 2307 accounts
+ *
+ * Copyright (C) Volker Lendecke 2015
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "includes.h"
+#include "winbindd.h"
+#include "libsmb/namequery.h"
+#include "idmap.h"
+#include "tldap_gensec_bind.h"
+#include "tldap_util.h"
+#include "passdb.h"
+#include "lib/param/param.h"
+#include "auth/gensec/gensec.h"
+#include "librpc/gen_ndr/ndr_netlogon.h"
+#include "libads/ldap_schema_oids.h"
+#include "../libds/common/flags.h"
+#include "libcli/ldap/ldap_ndr.h"
+#include "libcli/security/dom_sid.h"
+#include "source3/libads/sitename_cache.h"
+#include "source3/libads/kerberos_proto.h"
+
+struct idmap_ad_schema_names;
+
+struct idmap_ad_context {
+ struct idmap_domain *dom;
+ struct tldap_context *ld;
+ struct idmap_ad_schema_names *schema;
+ const char *default_nc;
+
+ bool unix_primary_group;
+ bool unix_nss_info;
+};
+
+static NTSTATUS idmap_ad_get_context(struct idmap_domain *dom,
+ struct idmap_ad_context **pctx);
+
+static char *get_schema_path(TALLOC_CTX *mem_ctx, struct tldap_context *ld)
+{
+ struct tldap_message *rootdse;
+
+ rootdse = tldap_rootdse(ld);
+ if (rootdse == NULL) {
+ return NULL;
+ }
+
+ return tldap_talloc_single_attribute(rootdse, "schemaNamingContext",
+ mem_ctx);
+}
+
+static char *get_default_nc(TALLOC_CTX *mem_ctx, struct tldap_context *ld)
+{
+ struct tldap_message *rootdse;
+
+ rootdse = tldap_rootdse(ld);
+ if (rootdse == NULL) {
+ return NULL;
+ }
+
+ return tldap_talloc_single_attribute(rootdse, "defaultNamingContext",
+ mem_ctx);
+}
+
+struct idmap_ad_schema_names {
+ char *name;
+ char *uid;
+ char *gid;
+ char *gecos;
+ char *dir;
+ char *shell;
+};
+
+static TLDAPRC get_attrnames_by_oids(struct tldap_context *ld,
+ TALLOC_CTX *mem_ctx,
+ const char *schema_path,
+ size_t num_oids,
+ const char **oids,
+ char **names)
+{
+ char *filter;
+ const char *attrs[] = { "lDAPDisplayName", "attributeId" };
+ size_t i;
+ TLDAPRC rc;
+ struct tldap_message **msgs;
+ size_t num_msgs;
+
+ filter = talloc_strdup(mem_ctx, "(|");
+ if (filter == NULL) {
+ return TLDAP_NO_MEMORY;
+ }
+
+ for (i=0; i<num_oids; i++) {
+ filter = talloc_asprintf_append_buffer(
+ filter, "(attributeId=%s)", oids[i]);
+ if (filter == NULL) {
+ return TLDAP_NO_MEMORY;
+ }
+ }
+
+ filter = talloc_asprintf_append_buffer(filter, ")");
+ if (filter == NULL) {
+ return TLDAP_NO_MEMORY;
+ }
+
+ rc = tldap_search(ld, schema_path, TLDAP_SCOPE_SUB, filter,
+ attrs, ARRAY_SIZE(attrs), 0, NULL, 0, NULL, 0,
+ 0, 0, 0, mem_ctx, &msgs);;
+ TALLOC_FREE(filter);
+ if (!TLDAP_RC_IS_SUCCESS(rc)) {
+ return rc;
+ }
+
+ for (i=0; i<num_oids; i++) {
+ names[i] = NULL;
+ }
+
+ num_msgs = talloc_array_length(msgs);
+
+ for (i=0; i<num_msgs; i++) {
+ struct tldap_message *msg = msgs[i];
+ char *oid;
+ size_t j;
+
+ if (tldap_msg_type(msg) != TLDAP_RES_SEARCH_ENTRY) {
+ /* Could be a TLDAP_RES_SEARCH_REFERENCE */
+ continue;
+ }
+
+ oid = tldap_talloc_single_attribute(
+ msg, "attributeId", msg);
+ if (oid == NULL) {
+ continue;
+ }
+
+ for (j=0; j<num_oids; j++) {
+ if (strequal(oid, oids[j])) {
+ break;
+ }
+ }
+ TALLOC_FREE(oid);
+
+ if (j == num_oids) {
+ /* not found */
+ continue;
+ }
+
+ names[j] = tldap_talloc_single_attribute(
+ msg, "lDAPDisplayName", mem_ctx);
+ }
+
+ TALLOC_FREE(msgs);
+ for (i=0; i<num_oids; i++) {
+ if (names[i] == NULL) {
+ DBG_ERR("Failed to retrieve schema name for "
+ "oid [%s]. Schema mode is incorrect "
+ "for this domain.\n", oids[i]);
+ return TLDAP_FILTER_ERROR;
+ }
+ }
+
+ return TLDAP_SUCCESS;
+}
+
+static TLDAPRC get_posix_schema_names(struct tldap_context *ld,
+ const char *schema_mode,
+ TALLOC_CTX *mem_ctx,
+ struct idmap_ad_schema_names **pschema)
+{
+ char *schema_path;
+ struct idmap_ad_schema_names *schema;
+ char *names[6];
+ const char *oids_sfu[] = {
+ ADS_ATTR_SFU_UIDNUMBER_OID,
+ ADS_ATTR_SFU_GIDNUMBER_OID,
+ ADS_ATTR_SFU_HOMEDIR_OID,
+ ADS_ATTR_SFU_SHELL_OID,
+ ADS_ATTR_SFU_GECOS_OID,
+ ADS_ATTR_SFU_UID_OID
+ };
+ const char *oids_sfu20[] = {
+ ADS_ATTR_SFU20_UIDNUMBER_OID,
+ ADS_ATTR_SFU20_GIDNUMBER_OID,
+ ADS_ATTR_SFU20_HOMEDIR_OID,
+ ADS_ATTR_SFU20_SHELL_OID,
+ ADS_ATTR_SFU20_GECOS_OID,
+ ADS_ATTR_SFU20_UID_OID
+ };
+ const char *oids_rfc2307[] = {
+ ADS_ATTR_RFC2307_UIDNUMBER_OID,
+ ADS_ATTR_RFC2307_GIDNUMBER_OID,
+ ADS_ATTR_RFC2307_HOMEDIR_OID,
+ ADS_ATTR_RFC2307_SHELL_OID,
+ ADS_ATTR_RFC2307_GECOS_OID,
+ ADS_ATTR_RFC2307_UID_OID
+ };
+ const char **oids;
+
+ TLDAPRC rc;
+
+ schema = talloc(mem_ctx, struct idmap_ad_schema_names);
+ if (schema == NULL) {
+ return TLDAP_NO_MEMORY;
+ }
+
+ schema_path = get_schema_path(schema, ld);
+ if (schema_path == NULL) {
+ TALLOC_FREE(schema);
+ return TLDAP_NO_MEMORY;
+ }
+
+ oids = oids_rfc2307;
+
+ if ((schema_mode != NULL) && (schema_mode[0] != '\0')) {
+ if (strequal(schema_mode, "sfu")) {
+ oids = oids_sfu;
+ } else if (strequal(schema_mode, "sfu20")) {
+ oids = oids_sfu20;
+ } else if (strequal(schema_mode, "rfc2307" )) {
+ oids = oids_rfc2307;
+ } else {
+ DBG_WARNING("Unknown schema mode %s\n", schema_mode);
+ }
+ }
+
+ rc = get_attrnames_by_oids(ld, schema, schema_path, 6, oids, names);
+ TALLOC_FREE(schema_path);
+ if (!TLDAP_RC_IS_SUCCESS(rc)) {
+ TALLOC_FREE(schema);
+ return rc;
+ }
+
+ schema->uid = names[0];
+ schema->gid = names[1];
+ schema->dir = names[2];
+ schema->shell = names[3];
+ schema->gecos = names[4];
+ schema->name = names[5];
+
+ *pschema = schema;
+
+ return TLDAP_SUCCESS;
+}
+
+static void PRINTF_ATTRIBUTE(3, 0) idmap_ad_tldap_debug(
+ void *log_private,
+ enum tldap_debug_level level,
+ const char *fmt,
+ va_list ap)
+{
+ int samba_level = -1;
+
+ switch (level) {
+ case TLDAP_DEBUG_FATAL:
+ samba_level = DBGLVL_ERR;
+ break;
+ case TLDAP_DEBUG_ERROR:
+ samba_level = DBGLVL_ERR;
+ break;
+ case TLDAP_DEBUG_WARNING:
+ samba_level = DBGLVL_WARNING;
+ break;
+ case TLDAP_DEBUG_TRACE:
+ samba_level = DBGLVL_DEBUG;
+ break;
+ }
+
+ if (CHECK_DEBUGLVL(samba_level)) {
+ char *s = NULL;
+ int ret;
+
+ ret = vasprintf(&s, fmt, ap);
+ if (ret == -1) {
+ return;
+ }
+ DEBUG(samba_level, ("idmap_ad_tldap: %s", s));
+ free(s);
+ }
+}
+
+static uint32_t gensec_features_from_ldap_sasl_wrapping(void)
+{
+ int wrap_flags;
+ uint32_t gensec_features = 0;
+
+ wrap_flags = lp_client_ldap_sasl_wrapping();
+ if (wrap_flags == -1) {
+ wrap_flags = 0;
+ }
+
+ if (wrap_flags & ADS_AUTH_SASL_SEAL) {
+ gensec_features |= GENSEC_FEATURE_SEAL;
+ }
+ if (wrap_flags & ADS_AUTH_SASL_SIGN) {
+ gensec_features |= GENSEC_FEATURE_SIGN;
+ }
+
+ if (gensec_features != 0) {
+ gensec_features |= GENSEC_FEATURE_LDAP_STYLE;
+ }
+
+ return gensec_features;
+}
+
+static NTSTATUS idmap_ad_get_tldap_ctx(TALLOC_CTX *mem_ctx,
+ const char *domname,
+ struct tldap_context **pld)
+{
+ struct netr_DsRGetDCNameInfo *dcinfo;
+ struct sockaddr_storage dcaddr;
+ struct cli_credentials *creds;
+ struct loadparm_context *lp_ctx;
+ struct tldap_context *ld;
+ uint32_t gensec_features = gensec_features_from_ldap_sasl_wrapping();
+ char *sitename = NULL;
+ int fd;
+ NTSTATUS status;
+ bool ok;
+ TLDAPRC rc;
+
+ status = wb_dsgetdcname_gencache_get(mem_ctx, domname, &dcinfo);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_DEBUG("Could not get dcinfo for %s: %s\n", domname,
+ nt_errstr(status));
+ return status;
+ }
+
+ if (dcinfo->dc_unc == NULL) {
+ TALLOC_FREE(dcinfo);
+ return NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
+ }
+ if (dcinfo->dc_unc[0] == '\\') {
+ dcinfo->dc_unc += 1;
+ }
+ if (dcinfo->dc_unc[0] == '\\') {
+ dcinfo->dc_unc += 1;
+ }
+
+ ok = resolve_name(dcinfo->dc_unc, &dcaddr, 0x20, true);
+ if (!ok) {
+ DBG_DEBUG("Could not resolve name %s\n", dcinfo->dc_unc);
+ TALLOC_FREE(dcinfo);
+ return NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
+ }
+
+ sitename = sitename_fetch(talloc_tos(), lp_realm());
+
+ /*
+ * create_local_private_krb5_conf_for_domain() can deal with
+ * sitename==NULL
+ */
+
+ ok = create_local_private_krb5_conf_for_domain(
+ lp_realm(), lp_workgroup(), sitename, &dcaddr);
+ TALLOC_FREE(sitename);
+ if (!ok) {
+ DBG_DEBUG("Could not create private krb5.conf\n");
+ TALLOC_FREE(dcinfo);
+ return NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
+ }
+
+ status = open_socket_out(&dcaddr, 389, 10000, &fd);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_DEBUG("open_socket_out failed: %s\n", nt_errstr(status));
+ TALLOC_FREE(dcinfo);
+ return status;
+ }
+
+ ld = tldap_context_create(dcinfo, fd);
+ if (ld == NULL) {
+ DBG_DEBUG("tldap_context_create failed\n");
+ close(fd);
+ TALLOC_FREE(dcinfo);
+ return NT_STATUS_NO_MEMORY;
+ }
+ tldap_set_debug(ld, idmap_ad_tldap_debug, NULL);
+
+ /*
+ * Here we use or own machine account as
+ * we run as domain member.
+ */
+ status = pdb_get_trust_credentials(lp_workgroup(),
+ lp_realm(),
+ dcinfo,
+ &creds);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_DEBUG("pdb_get_trust_credentials() failed - %s\n",
+ nt_errstr(status));
+ TALLOC_FREE(dcinfo);
+ return status;
+ }
+
+ lp_ctx = loadparm_init_s3(dcinfo, loadparm_s3_helpers());
+ if (lp_ctx == NULL) {
+ DBG_DEBUG("loadparm_init_s3 failed\n");
+ TALLOC_FREE(dcinfo);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ rc = tldap_gensec_bind(ld, creds, "ldap", dcinfo->dc_unc, NULL, lp_ctx,
+ gensec_features);
+ if (!TLDAP_RC_IS_SUCCESS(rc)) {
+ DBG_DEBUG("tldap_gensec_bind failed: %s\n",
+ tldap_errstr(dcinfo, ld, rc));
+ TALLOC_FREE(dcinfo);
+ return NT_STATUS_LDAP(TLDAP_RC_V(rc));
+ }
+
+ rc = tldap_fetch_rootdse(ld);
+ if (!TLDAP_RC_IS_SUCCESS(rc)) {
+ DBG_DEBUG("tldap_fetch_rootdse failed: %s\n",
+ tldap_errstr(dcinfo, ld, rc));
+ TALLOC_FREE(dcinfo);
+ return NT_STATUS_LDAP(TLDAP_RC_V(rc));
+ }
+
+ *pld = talloc_move(mem_ctx, &ld);
+ TALLOC_FREE(dcinfo);
+ return NT_STATUS_OK;
+}
+
+static int idmap_ad_context_destructor(struct idmap_ad_context *ctx)
+{
+ if ((ctx->dom != NULL) && (ctx->dom->private_data == ctx)) {
+ ctx->dom->private_data = NULL;
+ }
+ return 0;
+}
+
+static NTSTATUS idmap_ad_context_create(TALLOC_CTX *mem_ctx,
+ struct idmap_domain *dom,
+ const char *domname,
+ struct idmap_ad_context **pctx)
+{
+ struct idmap_ad_context *ctx;
+ const char *schema_mode;
+ NTSTATUS status;
+ TLDAPRC rc;
+
+ ctx = talloc(mem_ctx, struct idmap_ad_context);
+ if (ctx == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ ctx->dom = dom;
+
+ talloc_set_destructor(ctx, idmap_ad_context_destructor);
+
+ status = idmap_ad_get_tldap_ctx(ctx, domname, &ctx->ld);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_DEBUG("idmap_ad_get_tldap_ctx failed: %s\n",
+ nt_errstr(status));
+ TALLOC_FREE(ctx);
+ return status;
+ }
+
+ ctx->default_nc = get_default_nc(ctx, ctx->ld);
+ if (ctx->default_nc == NULL) {
+ DBG_DEBUG("No default nc\n");
+ TALLOC_FREE(ctx);
+ return status;
+ }
+
+ ctx->unix_primary_group = idmap_config_bool(
+ domname, "unix_primary_group", false);
+ ctx->unix_nss_info = idmap_config_bool(
+ domname, "unix_nss_info", false);
+
+ schema_mode = idmap_config_const_string(
+ domname, "schema_mode", "rfc2307");
+
+ rc = get_posix_schema_names(ctx->ld, schema_mode, ctx, &ctx->schema);
+ if (!TLDAP_RC_IS_SUCCESS(rc)) {
+ DBG_DEBUG("get_posix_schema_names failed: %s\n",
+ tldap_errstr(ctx, ctx->ld, rc));
+ TALLOC_FREE(ctx);
+ return NT_STATUS_LDAP(TLDAP_RC_V(rc));
+ }
+
+ *pctx = ctx;
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS idmap_ad_query_user(struct idmap_domain *domain,
+ struct wbint_userinfo *info)
+{
+ struct idmap_ad_context *ctx;
+ TLDAPRC rc;
+ NTSTATUS status;
+ char *sidstr, *filter;
+ const char *attrs[4];
+ size_t i, num_msgs;
+ struct tldap_message **msgs;
+
+ status = idmap_ad_get_context(domain, &ctx);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ if (!(ctx->unix_primary_group || ctx->unix_nss_info)) {
+ return NT_STATUS_OK;
+ }
+
+ attrs[0] = ctx->schema->gid;
+ attrs[1] = ctx->schema->gecos;
+ attrs[2] = ctx->schema->dir;
+ attrs[3] = ctx->schema->shell;
+
+ sidstr = ldap_encode_ndr_dom_sid(talloc_tos(), &info->user_sid);
+ if (sidstr == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ filter = talloc_asprintf(talloc_tos(), "(objectsid=%s)", sidstr);
+ TALLOC_FREE(sidstr);
+ if (filter == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ DBG_DEBUG("Filter: [%s]\n", filter);
+
+ rc = tldap_search(ctx->ld, ctx->default_nc, TLDAP_SCOPE_SUB, filter,
+ attrs, ARRAY_SIZE(attrs), 0, NULL, 0, NULL, 0,
+ 0, 0, 0, talloc_tos(), &msgs);
+ if (!TLDAP_RC_IS_SUCCESS(rc)) {
+ return NT_STATUS_LDAP(TLDAP_RC_V(rc));
+ }
+
+ TALLOC_FREE(filter);
+
+ num_msgs = talloc_array_length(msgs);
+
+ for (i=0; i<num_msgs; i++) {
+ struct tldap_message *msg = msgs[i];
+
+ if (tldap_msg_type(msg) != TLDAP_RES_SEARCH_ENTRY) {
+ continue;
+ }
+
+ if (ctx->unix_primary_group) {
+ bool ok;
+ uint32_t gid;
+
+ ok = tldap_pull_uint32(msg, ctx->schema->gid, &gid);
+ if (ok) {
+ DBG_DEBUG("Setting primary group "
+ "to %"PRIu32" from attr %s\n",
+ gid, ctx->schema->gid);
+ info->primary_gid = gid;
+ }
+ }
+
+ if (ctx->unix_nss_info) {
+ char *attr;
+
+ attr = tldap_talloc_single_attribute(
+ msg, ctx->schema->dir, talloc_tos());
+ if (attr != NULL) {
+ info->homedir = talloc_move(info, &attr);
+ }
+ TALLOC_FREE(attr);
+
+ attr = tldap_talloc_single_attribute(
+ msg, ctx->schema->shell, talloc_tos());
+ if (attr != NULL) {
+ info->shell = talloc_move(info, &attr);
+ }
+ TALLOC_FREE(attr);
+
+ attr = tldap_talloc_single_attribute(
+ msg, ctx->schema->gecos, talloc_tos());
+ if (attr != NULL) {
+ info->full_name = talloc_move(info, &attr);
+ }
+ TALLOC_FREE(attr);
+ }
+ }
+
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS idmap_ad_query_user_retry(struct idmap_domain *domain,
+ struct wbint_userinfo *info)
+{
+ const NTSTATUS status_server_down =
+ NT_STATUS_LDAP(TLDAP_RC_V(TLDAP_SERVER_DOWN));
+ NTSTATUS status;
+
+ status = idmap_ad_query_user(domain, info);
+
+ if (NT_STATUS_EQUAL(status, status_server_down)) {
+ TALLOC_FREE(domain->private_data);
+ status = idmap_ad_query_user(domain, info);
+ }
+
+ return status;
+}
+
+static NTSTATUS idmap_ad_initialize(struct idmap_domain *dom)
+{
+ dom->query_user = idmap_ad_query_user_retry;
+ dom->private_data = NULL;
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS idmap_ad_get_context(struct idmap_domain *dom,
+ struct idmap_ad_context **pctx)
+{
+ struct idmap_ad_context *ctx = NULL;
+ NTSTATUS status;
+
+ if (IS_AD_DC) {
+ /*
+ * Make sure we never try to use LDAP against
+ * a trusted domain as AD_DC.
+ *
+ * This shouldn't be called currently,
+ * but you never know what happens in future.
+ */
+ return NT_STATUS_REQUEST_NOT_ACCEPTED;
+ }
+
+ if (dom->private_data != NULL) {
+ *pctx = talloc_get_type_abort(dom->private_data,
+ struct idmap_ad_context);
+ return NT_STATUS_OK;
+ }
+
+ status = idmap_ad_context_create(dom, dom, dom->name, &ctx);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_DEBUG("idmap_ad_context_create failed: %s\n",
+ nt_errstr(status));
+ return status;
+ }
+
+ dom->private_data = ctx;
+ *pctx = ctx;
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS idmap_ad_unixids_to_sids(struct idmap_domain *dom,
+ struct id_map **ids)
+{
+ struct idmap_ad_context *ctx;
+ TLDAPRC rc;
+ NTSTATUS status;
+ struct tldap_message **msgs;
+
+ size_t i, num_msgs;
+ char *u_filter, *g_filter, *filter;
+
+ const char *attrs[] = {
+ "sAMAccountType",
+ "objectSid",
+ NULL, /* attr_uidnumber */
+ NULL, /* attr_gidnumber */
+ };
+
+ status = idmap_ad_get_context(dom, &ctx);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ attrs[2] = ctx->schema->uid;
+ attrs[3] = ctx->schema->gid;
+
+ u_filter = talloc_strdup(talloc_tos(), "");
+ if (u_filter == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ g_filter = talloc_strdup(talloc_tos(), "");
+ if (g_filter == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ for (i=0; ids[i] != NULL; i++) {
+ struct id_map *id = ids[i];
+
+ id->status = ID_UNKNOWN;
+
+ switch (id->xid.type) {
+ case ID_TYPE_UID: {
+ u_filter = talloc_asprintf_append_buffer(
+ u_filter, "(%s=%ju)", ctx->schema->uid,
+ (uintmax_t)id->xid.id);
+ if (u_filter == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ break;
+ }
+
+ case ID_TYPE_GID: {
+ g_filter = talloc_asprintf_append_buffer(
+ g_filter, "(%s=%ju)", ctx->schema->gid,
+ (uintmax_t)id->xid.id);
+ if (g_filter == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ break;
+ }
+
+ default:
+ DBG_WARNING("Unknown id type: %u\n",
+ (unsigned)id->xid.type);
+ break;
+ }
+ }
+
+ filter = talloc_strdup(talloc_tos(), "(|");
+ if (filter == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if (*u_filter != '\0') {
+ filter = talloc_asprintf_append_buffer(
+ filter,
+ "(&(|(sAMAccountType=%d)(sAMAccountType=%d)"
+ "(sAMAccountType=%d))(|%s))",
+ ATYPE_NORMAL_ACCOUNT, ATYPE_WORKSTATION_TRUST,
+ ATYPE_INTERDOMAIN_TRUST, u_filter);
+ if (filter == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
+ TALLOC_FREE(u_filter);
+
+ if (*g_filter != '\0') {
+ filter = talloc_asprintf_append_buffer(
+ filter,
+ "(&(|(sAMAccountType=%d)(sAMAccountType=%d))(|%s))",
+ ATYPE_SECURITY_GLOBAL_GROUP,
+ ATYPE_SECURITY_LOCAL_GROUP,
+ g_filter);
+ if (filter == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
+ TALLOC_FREE(g_filter);
+
+ filter = talloc_asprintf_append_buffer(filter, ")");
+ if (filter == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ DBG_DEBUG("Filter: [%s]\n", filter);
+
+ rc = tldap_search(ctx->ld, ctx->default_nc, TLDAP_SCOPE_SUB, filter,
+ attrs, ARRAY_SIZE(attrs), 0, NULL, 0, NULL, 0,
+ 0, 0, 0, talloc_tos(), &msgs);
+ if (!TLDAP_RC_IS_SUCCESS(rc)) {
+ return NT_STATUS_LDAP(TLDAP_RC_V(rc));
+ }
+
+ TALLOC_FREE(filter);
+
+ num_msgs = talloc_array_length(msgs);
+
+ for (i=0; i<num_msgs; i++) {
+ struct tldap_message *msg = msgs[i];
+ char *dn;
+ struct id_map *map;
+ struct dom_sid sid;
+ size_t j;
+ bool ok;
+ uint32_t atype, xid;
+ enum id_type type;
+ struct dom_sid_buf sidbuf;
+
+ if (tldap_msg_type(msg) != TLDAP_RES_SEARCH_ENTRY) {
+ continue;
+ }
+
+ ok = tldap_entry_dn(msg, &dn);
+ if (!ok) {
+ DBG_DEBUG("No dn found in msg %zu\n", i);
+ continue;
+ }
+
+ ok = tldap_pull_uint32(msg, "sAMAccountType", &atype);
+ if (!ok) {
+ DBG_DEBUG("No atype in object %s\n", dn);
+ continue;
+ }
+
+ switch (atype & 0xF0000000) {
+ case ATYPE_SECURITY_GLOBAL_GROUP:
+ case ATYPE_SECURITY_LOCAL_GROUP:
+ type = ID_TYPE_GID;
+ break;
+ case ATYPE_NORMAL_ACCOUNT:
+ case ATYPE_WORKSTATION_TRUST:
+ case ATYPE_INTERDOMAIN_TRUST:
+ type = ID_TYPE_UID;
+ break;
+ default:
+ DBG_WARNING("unrecognized SAM account type %08x\n",
+ atype);
+ continue;
+ }
+
+ ok = tldap_pull_uint32(msg, (type == ID_TYPE_UID) ?
+ ctx->schema->uid : ctx->schema->gid,
+ &xid);
+ if (!ok) {
+ DBG_WARNING("No unix id in object %s\n", dn);
+ continue;
+ }
+
+ ok = tldap_pull_binsid(msg, "objectSid", &sid);
+ if (!ok) {
+ DBG_DEBUG("No objectSid in object %s\n", dn);
+ continue;
+ }
+
+ map = NULL;
+ for (j=0; ids[j]; j++) {
+ if ((type == ids[j]->xid.type) &&
+ (xid == ids[j]->xid.id)) {
+ map = ids[j];
+ break;
+ }
+ }
+ if (map == NULL) {
+ DBG_DEBUG("Got unexpected sid %s from object %s\n",
+ dom_sid_str_buf(&sid, &sidbuf),
+ dn);
+ continue;
+ }
+
+ sid_copy(map->sid, &sid);
+ map->status = ID_MAPPED;
+
+ DBG_DEBUG("Mapped %s -> %ju (%d)\n",
+ dom_sid_str_buf(map->sid, &sidbuf),
+ (uintmax_t)map->xid.id, map->xid.type);
+ }
+
+ TALLOC_FREE(msgs);
+
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS idmap_ad_sids_to_unixids(struct idmap_domain *dom,
+ struct id_map **ids)
+{
+ struct idmap_ad_context *ctx;
+ TLDAPRC rc;
+ NTSTATUS status;
+ struct tldap_message **msgs;
+
+ char *filter;
+ size_t i, num_msgs;
+
+ const char *attrs[] = {
+ "sAMAccountType",
+ "objectSid",
+ NULL, /* attr_uidnumber */
+ NULL, /* attr_gidnumber */
+ };
+
+ status = idmap_ad_get_context(dom, &ctx);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ attrs[2] = ctx->schema->uid;
+ attrs[3] = ctx->schema->gid;
+
+ filter = talloc_asprintf(
+ talloc_tos(),
+ "(&(|(sAMAccountType=%d)(sAMAccountType=%d)(sAMAccountType=%d)"
+ "(sAMAccountType=%d)(sAMAccountType=%d))(|",
+ ATYPE_NORMAL_ACCOUNT, ATYPE_WORKSTATION_TRUST,
+ ATYPE_INTERDOMAIN_TRUST, ATYPE_SECURITY_GLOBAL_GROUP,
+ ATYPE_SECURITY_LOCAL_GROUP);
+ if (filter == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ for (i=0; ids[i]; i++) {
+ char *sidstr;
+
+ ids[i]->status = ID_UNKNOWN;
+
+ sidstr = ldap_encode_ndr_dom_sid(talloc_tos(), ids[i]->sid);
+ if (sidstr == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ filter = talloc_asprintf_append_buffer(
+ filter, "(objectSid=%s)", sidstr);
+ TALLOC_FREE(sidstr);
+ if (filter == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
+
+ filter = talloc_asprintf_append_buffer(filter, "))");
+ if (filter == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ DBG_DEBUG("Filter: [%s]\n", filter);
+
+ rc = tldap_search(ctx->ld, ctx->default_nc, TLDAP_SCOPE_SUB, filter,
+ attrs, ARRAY_SIZE(attrs), 0, NULL, 0, NULL, 0,
+ 0, 0, 0, talloc_tos(), &msgs);
+ if (!TLDAP_RC_IS_SUCCESS(rc)) {
+ return NT_STATUS_LDAP(TLDAP_RC_V(rc));
+ }
+
+ TALLOC_FREE(filter);
+
+ num_msgs = talloc_array_length(msgs);
+
+ for (i=0; i<num_msgs; i++) {
+ struct tldap_message *msg = msgs[i];
+ char *dn;
+ struct id_map *map;
+ struct dom_sid sid;
+ size_t j;
+ bool ok;
+ uint64_t account_type, xid;
+ enum id_type type;
+ struct dom_sid_buf buf;
+
+ if (tldap_msg_type(msg) != TLDAP_RES_SEARCH_ENTRY) {
+ continue;
+ }
+
+ ok = tldap_entry_dn(msg, &dn);
+ if (!ok) {
+ DBG_DEBUG("No dn found in msg %zu\n", i);
+ continue;
+ }
+
+ ok = tldap_pull_binsid(msg, "objectSid", &sid);
+ if (!ok) {
+ DBG_DEBUG("No objectSid in object %s\n", dn);
+ continue;
+ }
+
+ map = NULL;
+ for (j=0; ids[j]; j++) {
+ if (dom_sid_equal(&sid, ids[j]->sid)) {
+ map = ids[j];
+ break;
+ }
+ }
+ if (map == NULL) {
+ DBG_DEBUG("Got unexpected sid %s from object %s\n",
+ dom_sid_str_buf(&sid, &buf),
+ dn);
+ continue;
+ }
+
+ ok = tldap_pull_uint64(msg, "sAMAccountType", &account_type);
+ if (!ok) {
+ DBG_DEBUG("No sAMAccountType in %s\n", dn);
+ continue;
+ }
+
+ switch (account_type & 0xF0000000) {
+ case ATYPE_SECURITY_GLOBAL_GROUP:
+ case ATYPE_SECURITY_LOCAL_GROUP:
+ type = ID_TYPE_GID;
+ break;
+ case ATYPE_NORMAL_ACCOUNT:
+ case ATYPE_WORKSTATION_TRUST:
+ case ATYPE_INTERDOMAIN_TRUST:
+ type = ID_TYPE_UID;
+ break;
+ default:
+ DBG_WARNING("unrecognized SAM account type %"PRIu64"\n",
+ account_type);
+ continue;
+ }
+
+ ok = tldap_pull_uint64(msg,
+ type == ID_TYPE_UID ?
+ ctx->schema->uid : ctx->schema->gid,
+ &xid);
+ if (!ok) {
+ DBG_DEBUG("No xid in %s\n", dn);
+ continue;
+ }
+
+ /* mapped */
+ map->xid.type = type;
+ map->xid.id = xid;
+ map->status = ID_MAPPED;
+
+ DEBUG(10, ("Mapped %s -> %lu (%d)\n",
+ dom_sid_str_buf(map->sid, &buf),
+ (unsigned long)map->xid.id, map->xid.type));
+ }
+
+ TALLOC_FREE(msgs);
+
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS idmap_ad_unixids_to_sids_retry(struct idmap_domain *dom,
+ struct id_map **ids)
+{
+ const NTSTATUS status_server_down =
+ NT_STATUS_LDAP(TLDAP_RC_V(TLDAP_SERVER_DOWN));
+ NTSTATUS status;
+
+ status = idmap_ad_unixids_to_sids(dom, ids);
+
+ if (NT_STATUS_EQUAL(status, status_server_down)) {
+ TALLOC_FREE(dom->private_data);
+ status = idmap_ad_unixids_to_sids(dom, ids);
+ }
+
+ return status;
+}
+
+static NTSTATUS idmap_ad_sids_to_unixids_retry(struct idmap_domain *dom,
+ struct id_map **ids)
+{
+ const NTSTATUS status_server_down =
+ NT_STATUS_LDAP(TLDAP_RC_V(TLDAP_SERVER_DOWN));
+ NTSTATUS status;
+
+ status = idmap_ad_sids_to_unixids(dom, ids);
+
+ if (NT_STATUS_EQUAL(status, status_server_down)) {
+ TALLOC_FREE(dom->private_data);
+ status = idmap_ad_sids_to_unixids(dom, ids);
+ }
+
+ return status;
+}
+
+static const struct idmap_methods ad_methods = {
+ .init = idmap_ad_initialize,
+ .unixids_to_sids = idmap_ad_unixids_to_sids_retry,
+ .sids_to_unixids = idmap_ad_sids_to_unixids_retry,
+};
+
+static_decl_idmap;
+NTSTATUS idmap_ad_init(TALLOC_CTX *ctx)
+{
+ NTSTATUS status;
+
+ status = smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION,
+ "ad", &ad_methods);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ status = idmap_ad_nss_init(ctx);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ return NT_STATUS_OK;
+}
diff --git a/source3/winbindd/idmap_ad_nss.c b/source3/winbindd/idmap_ad_nss.c
new file mode 100644
index 0000000..3120280
--- /dev/null
+++ b/source3/winbindd/idmap_ad_nss.c
@@ -0,0 +1,418 @@
+/*
+ * idmap_ad: map between Active Directory and RFC 2307 or "Services for Unix" (SFU) Accounts
+ *
+ * Unix SMB/CIFS implementation.
+ *
+ * Winbind ADS backend functions
+ *
+ * Copyright (C) Andrew Tridgell 2001
+ * Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003
+ * Copyright (C) Gerald (Jerry) Carter 2004-2007
+ * Copyright (C) Luke Howard 2001-2004
+ * Copyright (C) Michael Adam 2008,2010
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "includes.h"
+#include "winbindd.h"
+#include "../libds/common/flags.h"
+#include "winbindd_ads.h"
+#include "libads/ldap_schema.h"
+#include "nss_info.h"
+#include "idmap.h"
+#include "../libcli/ldap/ldap_ndr.h"
+#include "../libcli/security/security.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_IDMAP
+
+#define CHECK_ALLOC_DONE(mem) do { \
+ if (!mem) { \
+ DEBUG(0, ("Out of memory!\n")); \
+ ret = NT_STATUS_NO_MEMORY; \
+ goto done; \
+ } \
+} while (0)
+
+struct idmap_ad_context {
+ ADS_STRUCT *ads;
+ struct posix_schema *ad_schema;
+ enum wb_posix_mapping ad_map_type; /* WB_POSIX_MAP_UNKNOWN */
+};
+
+/************************************************************************
+ ***********************************************************************/
+
+static ADS_STATUS ad_idmap_cached_connection(struct idmap_domain *dom)
+{
+ ADS_STATUS status;
+ struct idmap_ad_context * ctx;
+
+ DEBUG(10, ("ad_idmap_cached_connection: called for domain '%s'\n",
+ dom->name));
+
+ ctx = talloc_get_type(dom->private_data, struct idmap_ad_context);
+
+ status = ads_idmap_cached_connection(dom->name, ctx, &ctx->ads);
+ if (!ADS_ERR_OK(status)) {
+ return status;
+ }
+
+ /* if we have a valid ADS_STRUCT and the schema model is
+ defined, then we can return here. */
+
+ if ( ctx->ad_schema ) {
+ return ADS_SUCCESS;
+ }
+
+ /* Otherwise, set the schema model */
+
+ if ( (ctx->ad_map_type == WB_POSIX_MAP_SFU) ||
+ (ctx->ad_map_type == WB_POSIX_MAP_SFU20) ||
+ (ctx->ad_map_type == WB_POSIX_MAP_RFC2307) )
+ {
+ status = ads_check_posix_schema_mapping(
+ ctx, ctx->ads, ctx->ad_map_type, &ctx->ad_schema);
+ if ( !ADS_ERR_OK(status) ) {
+ DEBUG(2,("ad_idmap_cached_connection: Failed to obtain schema details!\n"));
+ }
+ }
+
+ return status;
+}
+
+/*
+ * nss_info_{sfu,sfu20,rfc2307}
+ */
+
+/************************************************************************
+ Initialize the {sfu,sfu20,rfc2307} state
+ ***********************************************************************/
+
+static const char *wb_posix_map_unknown_string = "WB_POSIX_MAP_UNKNOWN";
+static const char *wb_posix_map_template_string = "WB_POSIX_MAP_TEMPLATE";
+static const char *wb_posix_map_sfu_string = "WB_POSIX_MAP_SFU";
+static const char *wb_posix_map_sfu20_string = "WB_POSIX_MAP_SFU20";
+static const char *wb_posix_map_rfc2307_string = "WB_POSIX_MAP_RFC2307";
+static const char *wb_posix_map_unixinfo_string = "WB_POSIX_MAP_UNIXINFO";
+
+static const char *ad_map_type_string(enum wb_posix_mapping map_type)
+{
+ switch (map_type) {
+ case WB_POSIX_MAP_TEMPLATE:
+ return wb_posix_map_template_string;
+ case WB_POSIX_MAP_SFU:
+ return wb_posix_map_sfu_string;
+ case WB_POSIX_MAP_SFU20:
+ return wb_posix_map_sfu20_string;
+ case WB_POSIX_MAP_RFC2307:
+ return wb_posix_map_rfc2307_string;
+ case WB_POSIX_MAP_UNIXINFO:
+ return wb_posix_map_unixinfo_string;
+ default:
+ return wb_posix_map_unknown_string;
+ }
+}
+
+static NTSTATUS nss_ad_generic_init(struct nss_domain_entry *e,
+ enum wb_posix_mapping new_ad_map_type)
+{
+ struct idmap_domain *dom;
+ struct idmap_ad_context *ctx;
+
+ if (e->state != NULL) {
+ dom = talloc_get_type(e->state, struct idmap_domain);
+ } else {
+ dom = talloc_zero(e, struct idmap_domain);
+ if (dom == NULL) {
+ DEBUG(0, ("Out of memory!\n"));
+ return NT_STATUS_NO_MEMORY;
+ }
+ e->state = dom;
+ }
+
+ if (e->domain != NULL) {
+ dom->name = talloc_strdup(dom, e->domain);
+ if (dom->name == NULL) {
+ DEBUG(0, ("Out of memory!\n"));
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
+
+ if (dom->private_data != NULL) {
+ ctx = talloc_get_type(dom->private_data,
+ struct idmap_ad_context);
+ } else {
+ ctx = talloc_zero(dom, struct idmap_ad_context);
+ if (ctx == NULL) {
+ DEBUG(0, ("Out of memory!\n"));
+ return NT_STATUS_NO_MEMORY;
+ }
+ ctx->ad_map_type = WB_POSIX_MAP_RFC2307;
+ dom->private_data = ctx;
+ }
+
+ if ((ctx->ad_map_type != WB_POSIX_MAP_UNKNOWN) &&
+ (ctx->ad_map_type != new_ad_map_type))
+ {
+ DEBUG(2, ("nss_ad_generic_init: "
+ "Warning: overriding previously set posix map type "
+ "%s for domain %s with map type %s.\n",
+ ad_map_type_string(ctx->ad_map_type),
+ dom->name,
+ ad_map_type_string(new_ad_map_type)));
+ }
+
+ ctx->ad_map_type = new_ad_map_type;
+
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS nss_sfu_init( struct nss_domain_entry *e )
+{
+ return nss_ad_generic_init(e, WB_POSIX_MAP_SFU);
+}
+
+static NTSTATUS nss_sfu20_init( struct nss_domain_entry *e )
+{
+ return nss_ad_generic_init(e, WB_POSIX_MAP_SFU20);
+}
+
+static NTSTATUS nss_rfc2307_init( struct nss_domain_entry *e )
+{
+ return nss_ad_generic_init(e, WB_POSIX_MAP_RFC2307);
+}
+
+/**********************************************************************
+ *********************************************************************/
+
+static NTSTATUS nss_ad_map_to_alias(TALLOC_CTX *mem_ctx,
+ struct nss_domain_entry *e,
+ const char *name,
+ char **alias)
+{
+ const char *attrs[] = {NULL, /* attr_uid */
+ NULL };
+ char *filter = NULL;
+ LDAPMessage *msg = NULL;
+ ADS_STATUS ads_status = ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
+ NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
+ struct idmap_domain *dom;
+ struct idmap_ad_context *ctx = NULL;
+
+ /* Check incoming parameters */
+
+ if ( !e || !e->domain || !name || !*alias) {
+ nt_status = NT_STATUS_INVALID_PARAMETER;
+ goto done;
+ }
+
+ /* Only do query if we are online */
+
+ if (idmap_is_offline()) {
+ nt_status = NT_STATUS_FILE_IS_OFFLINE;
+ goto done;
+ }
+
+ dom = talloc_get_type(e->state, struct idmap_domain);
+ ctx = talloc_get_type(dom->private_data, struct idmap_ad_context);
+
+ ads_status = ad_idmap_cached_connection(dom);
+ if (!ADS_ERR_OK(ads_status)) {
+ return NT_STATUS_OBJECT_NAME_NOT_FOUND;
+ }
+
+ if (!ctx->ad_schema) {
+ nt_status = NT_STATUS_OBJECT_PATH_NOT_FOUND;
+ goto done;
+ }
+
+ attrs[0] = ctx->ad_schema->posix_uid_attr;
+
+ filter = talloc_asprintf(mem_ctx,
+ "(sAMAccountName=%s)",
+ name);
+ if (!filter) {
+ nt_status = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
+
+ ads_status = ads_search_retry(ctx->ads, &msg, filter, attrs);
+ if (!ADS_ERR_OK(ads_status)) {
+ nt_status = ads_ntstatus(ads_status);
+ goto done;
+ }
+
+ *alias = ads_pull_string(ctx->ads, mem_ctx, msg, ctx->ad_schema->posix_uid_attr);
+
+ if (!*alias) {
+ return NT_STATUS_OBJECT_NAME_NOT_FOUND;
+ }
+
+ nt_status = NT_STATUS_OK;
+
+done:
+ if (filter) {
+ talloc_destroy(filter);
+ }
+ if (msg) {
+ ads_msgfree(ctx->ads, msg);
+ }
+
+ return nt_status;
+}
+
+/**********************************************************************
+ *********************************************************************/
+
+static NTSTATUS nss_ad_map_from_alias( TALLOC_CTX *mem_ctx,
+ struct nss_domain_entry *e,
+ const char *alias,
+ char **name )
+{
+ const char *attrs[] = {"sAMAccountName",
+ NULL };
+ char *filter = NULL;
+ LDAPMessage *msg = NULL;
+ ADS_STATUS ads_status = ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
+ NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
+ char *username = NULL;
+ struct idmap_domain *dom;
+ struct idmap_ad_context *ctx = NULL;
+
+ /* Check incoming parameters */
+
+ if ( !alias || !name) {
+ nt_status = NT_STATUS_INVALID_PARAMETER;
+ goto done;
+ }
+
+ /* Only do query if we are online */
+
+ if (idmap_is_offline()) {
+ nt_status = NT_STATUS_FILE_IS_OFFLINE;
+ goto done;
+ }
+
+ dom = talloc_get_type(e->state, struct idmap_domain);
+ ctx = talloc_get_type(dom->private_data, struct idmap_ad_context);
+
+ ads_status = ad_idmap_cached_connection(dom);
+ if (!ADS_ERR_OK(ads_status)) {
+ return NT_STATUS_OBJECT_NAME_NOT_FOUND;
+ }
+
+ if (!ctx->ad_schema) {
+ nt_status = NT_STATUS_OBJECT_PATH_NOT_FOUND;
+ goto done;
+ }
+
+ filter = talloc_asprintf(mem_ctx,
+ "(%s=%s)",
+ ctx->ad_schema->posix_uid_attr,
+ alias);
+ if (!filter) {
+ nt_status = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
+
+ ads_status = ads_search_retry(ctx->ads, &msg, filter, attrs);
+ if (!ADS_ERR_OK(ads_status)) {
+ nt_status = ads_ntstatus(ads_status);
+ goto done;
+ }
+
+ username = ads_pull_string(ctx->ads, mem_ctx, msg,
+ "sAMAccountName");
+ if (!username) {
+ nt_status = NT_STATUS_OBJECT_NAME_NOT_FOUND;
+ goto done;
+ }
+
+ *name = talloc_asprintf(mem_ctx, "%s\\%s",
+ lp_workgroup(),
+ username);
+ if (!*name) {
+ nt_status = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
+
+ nt_status = NT_STATUS_OK;
+
+done:
+ TALLOC_FREE(username);
+ TALLOC_FREE(filter);
+ if (msg) {
+ ads_msgfree(ctx->ads, msg);
+ }
+
+ return nt_status;
+}
+
+/************************************************************************
+ Function dispatch tables for the idmap and nss plugins
+ ***********************************************************************/
+
+/* The SFU and RFC2307 NSS plugins share everything but the init
+ function which sets the intended schema model to use */
+
+static const struct nss_info_methods nss_rfc2307_methods = {
+ .init = nss_rfc2307_init,
+ .map_to_alias = nss_ad_map_to_alias,
+ .map_from_alias = nss_ad_map_from_alias,
+};
+
+static const struct nss_info_methods nss_sfu_methods = {
+ .init = nss_sfu_init,
+ .map_to_alias = nss_ad_map_to_alias,
+ .map_from_alias = nss_ad_map_from_alias,
+};
+
+static const struct nss_info_methods nss_sfu20_methods = {
+ .init = nss_sfu20_init,
+ .map_to_alias = nss_ad_map_to_alias,
+ .map_from_alias = nss_ad_map_from_alias,
+};
+
+
+
+/************************************************************************
+ Initialize the plugins
+ ***********************************************************************/
+
+NTSTATUS idmap_ad_nss_init(TALLOC_CTX *mem_ctx)
+{
+ NTSTATUS status;
+
+ status = smb_register_idmap_nss(SMB_NSS_INFO_INTERFACE_VERSION,
+ "rfc2307", &nss_rfc2307_methods);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ status = smb_register_idmap_nss(SMB_NSS_INFO_INTERFACE_VERSION,
+ "sfu", &nss_sfu_methods);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ status = smb_register_idmap_nss(SMB_NSS_INFO_INTERFACE_VERSION,
+ "sfu20", &nss_sfu20_methods);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ return NT_STATUS_OK;
+}
diff --git a/source3/winbindd/idmap_autorid.c b/source3/winbindd/idmap_autorid.c
new file mode 100644
index 0000000..bf5947a
--- /dev/null
+++ b/source3/winbindd/idmap_autorid.c
@@ -0,0 +1,945 @@
+/*
+ * idmap_autorid: static map between Active Directory/NT RIDs
+ * and RFC 2307 accounts
+ *
+ * based on the idmap_rid module, but this module defines the ranges
+ * for the domains by automatically allocating a range for each domain
+ *
+ * Copyright (C) Christian Ambach, 2010-2012
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+/*
+ * This module allocates ranges for domains to be used in a
+ * algorithmic mode like idmap_rid. Multiple ranges are supported
+ * for a single domain: If a rid exceeds the range size, a matching
+ * range is allocated to hold the rid's id.
+ *
+ * Here are the formulas applied:
+ *
+ *
+ * For a sid of the form domain_sid-rid, we have
+ *
+ * rid = reduced_rid + domain_range_index * range_size
+ *
+ * with
+ * reduced_rid := rid % range_size
+ * domain_range_index := rid / range_size
+ *
+ * And reduced_rid fits into a range.
+ *
+ * In the database, we associate a range_number to
+ * the pair domain_sid,domain_range_index.
+ *
+ * Now the unix id for the given sid calculates as:
+ *
+ * id = reduced_rid + range_low_id
+ *
+ * with
+ *
+ * range_low_id = low_id + range_number * range_size
+ *
+ *
+ * The inverse calculation goes like this:
+ *
+ * Given a unix id, let
+ *
+ * normalized_id := id - low_id
+ * reduced_rid := normalized_id % range_size
+ * range_number = normalized_id / range_size
+ *
+ * Then we have
+ *
+ * id = reduced_rid + low_id + range_number * range_size
+ *
+ * From the database, get the domain_sid,domain_range_index pair
+ * belonging to the range_number (if there is already one).
+ *
+ * Then the rid for the unix id calculates as:
+ *
+ * rid = reduced_rid + domain_range_index * range_size
+ */
+
+#include "idmap_autorid_tdb.h"
+#include "winbindd.h"
+#include "idmap.h"
+#include "idmap_rw.h"
+#include "../libcli/security/dom_sid.h"
+#include "libsmb/samlogon_cache.h"
+#include "passdb/machine_sid.h"
+#include "lib/util/string_wrappers.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_IDMAP
+
+#define IDMAP_AUTORID_ALLOC_RESERVED 500
+
+/* handle to the tdb storing domain <-> range assignments */
+static struct db_context *autorid_db;
+
+static bool ignore_builtin = false;
+
+static NTSTATUS idmap_autorid_get_alloc_range(struct idmap_domain *dom,
+ struct autorid_range_config *range)
+{
+ NTSTATUS status;
+
+ ZERO_STRUCT(*range);
+
+ fstrcpy(range->domsid, ALLOC_RANGE);
+
+ status = idmap_autorid_get_domainrange(autorid_db,
+ range,
+ dom->read_only);
+
+ return status;
+}
+
+static NTSTATUS idmap_autorid_allocate_id(struct idmap_domain *dom,
+ struct unixid *xid) {
+
+ NTSTATUS ret;
+ struct autorid_range_config range;
+
+ if (dom->read_only) {
+ DEBUG(3, ("Backend is read-only, refusing "
+ "new allocation request\n"));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ /* fetch the range for the allocation pool */
+
+ ret = idmap_autorid_get_alloc_range(dom, &range);
+ if (!NT_STATUS_IS_OK(ret)) {
+ DEBUG(3, ("Could not determine range for allocation pool, "
+ "check previous messages for reason\n"));
+ return ret;
+ }
+
+ ret = idmap_tdb_common_get_new_id(dom, xid);
+
+ if (!NT_STATUS_IS_OK(ret)) {
+ DEBUG(1, ("Fatal error while allocating new ID!\n"));
+ return ret;
+ }
+
+ xid->id = xid->id + range.low_id;
+
+ DEBUG(10, ("Returned new %s %d from allocation range\n",
+ (xid->type==ID_TYPE_UID)?"uid":"gid", xid->id));
+
+ return ret;
+}
+
+/*
+ * map a xid to SID using the idmap_tdb like pool
+ */
+static NTSTATUS idmap_autorid_id_to_sid_alloc(struct idmap_domain *dom,
+ struct id_map *map)
+{
+ NTSTATUS ret;
+
+ /* look out for the mapping */
+ ret = idmap_tdb_common_unixid_to_sid(dom, map);
+
+ if (NT_STATUS_IS_OK(ret)) {
+ map->status = ID_MAPPED;
+ return ret;
+ }
+
+ map->status = ID_UNKNOWN;
+
+ DEBUG(10, ("no ID->SID mapping for %d could be found\n", map->xid.id));
+
+ return ret;
+}
+
+static NTSTATUS idmap_autorid_id_to_sid(struct autorid_global_config *cfg,
+ struct idmap_domain *dom,
+ struct id_map *map)
+{
+ uint32_t range_number;
+ uint32_t domain_range_index;
+ uint32_t normalized_id;
+ uint32_t reduced_rid;
+ uint32_t rid;
+ TDB_DATA data = tdb_null;
+ char *keystr;
+ struct dom_sid domsid;
+ NTSTATUS status;
+ bool ok;
+ const char *q = NULL;
+
+ /* can this be one of our ids? */
+ if (map->xid.id < cfg->minvalue) {
+ DEBUG(10, ("id %d is lower than minimum value, "
+ "ignoring mapping request\n", map->xid.id));
+ map->status = ID_UNKNOWN;
+ return NT_STATUS_OK;
+ }
+
+ if (map->xid.id > (cfg->minvalue + cfg->rangesize * cfg->maxranges)) {
+ DEBUG(10, ("id %d is outside of maximum id value, "
+ "ignoring mapping request\n", map->xid.id));
+ map->status = ID_UNKNOWN;
+ return NT_STATUS_OK;
+ }
+
+ /* determine the range of this uid */
+
+ normalized_id = map->xid.id - cfg->minvalue;
+ range_number = normalized_id / cfg->rangesize;
+
+ keystr = talloc_asprintf(talloc_tos(), "%u", range_number);
+ if (!keystr) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ status = dbwrap_fetch_bystring(autorid_db, talloc_tos(), keystr, &data);
+ TALLOC_FREE(keystr);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(4, ("id %d belongs to range %d which does not have "
+ "domain mapping, ignoring mapping request\n",
+ map->xid.id, range_number));
+ TALLOC_FREE(data.dptr);
+ map->status = ID_UNKNOWN;
+ return NT_STATUS_OK;
+ }
+
+ if ((data.dsize == 0) || (data.dptr[data.dsize-1] != '\0')) {
+ DBG_WARNING("Invalid range %"PRIu32"\n", range_number);
+ TALLOC_FREE(data.dptr);
+ map->status = ID_UNKNOWN;
+ return NT_STATUS_OK;
+ }
+
+ if (strncmp((const char *)data.dptr,
+ ALLOC_RANGE,
+ strlen(ALLOC_RANGE)) == 0) {
+ /*
+ * this is from the alloc range, check if there is a mapping
+ */
+ DEBUG(5, ("id %d belongs to allocation range, "
+ "checking for mapping\n",
+ map->xid.id));
+ TALLOC_FREE(data.dptr);
+ return idmap_autorid_id_to_sid_alloc(dom, map);
+ }
+
+ ok = dom_sid_parse_endp((const char *)data.dptr, &domsid, &q);
+ if (!ok) {
+ TALLOC_FREE(data.dptr);
+ map->status = ID_UNKNOWN;
+ return NT_STATUS_OK;
+ }
+
+ /*
+ * Allow for sid#range_index, just sid is range index 0
+ */
+
+ switch (*q) {
+ case '\0':
+ domain_range_index = 0;
+ break;
+ case '#':
+ if (sscanf(q+1, "%"SCNu32, &domain_range_index) == 1) {
+ break;
+ }
+ /* If we end up here, something weird is in the record. */
+
+ FALL_THROUGH;
+ default:
+ DBG_DEBUG("SID/domain range: %s\n",
+ (const char *)data.dptr);
+ TALLOC_FREE(data.dptr);
+ map->status = ID_UNKNOWN;
+ return NT_STATUS_OK;
+ }
+
+ TALLOC_FREE(data.dptr);
+
+ reduced_rid = normalized_id % cfg->rangesize;
+ rid = reduced_rid + domain_range_index * cfg->rangesize;
+
+ sid_compose(map->sid, &domsid, rid);
+
+ /* We **really** should have some way of validating
+ the SID exists and is the correct type here. But
+ that is a deficiency in the idmap_rid design. */
+
+ map->status = ID_MAPPED;
+ map->xid.type = ID_TYPE_BOTH;
+
+ return NT_STATUS_OK;
+}
+
+/**********************************
+ Single sid to id lookup function.
+**********************************/
+
+static NTSTATUS idmap_autorid_sid_to_id_rid(
+ uint32_t rangesize,
+ uint32_t low_id,
+ struct id_map *map)
+{
+ uint32_t rid;
+ uint32_t reduced_rid;
+
+ sid_peek_rid(map->sid, &rid);
+
+ reduced_rid = rid % rangesize;
+
+ map->xid.id = reduced_rid + low_id;
+ map->xid.type = ID_TYPE_BOTH;
+ map->status = ID_MAPPED;
+
+ return NT_STATUS_OK;
+}
+
+/**********************************
+ lookup a set of unix ids.
+**********************************/
+
+static NTSTATUS idmap_autorid_unixids_to_sids(struct idmap_domain *dom,
+ struct id_map **ids)
+{
+ struct idmap_tdb_common_context *commoncfg;
+ struct autorid_global_config *globalcfg;
+ NTSTATUS ret;
+ int i;
+ int num_tomap = 0;
+ int num_mapped = 0;
+
+ /* initialize the status to avoid surprise */
+ for (i = 0; ids[i]; i++) {
+ ids[i]->status = ID_UNKNOWN;
+ num_tomap++;
+ }
+
+ commoncfg =
+ talloc_get_type_abort(dom->private_data,
+ struct idmap_tdb_common_context);
+
+ globalcfg = talloc_get_type(commoncfg->private_data,
+ struct autorid_global_config);
+
+ for (i = 0; ids[i]; i++) {
+
+ ret = idmap_autorid_id_to_sid(globalcfg, dom, ids[i]);
+
+ if ((!NT_STATUS_IS_OK(ret)) &&
+ (!NT_STATUS_EQUAL(ret, NT_STATUS_NONE_MAPPED))) {
+ /* some fatal error occurred, log it */
+ DBG_NOTICE("Unexpected error resolving an ID "
+ "(%d): %s\n", ids[i]->xid.id,
+ nt_errstr(ret));
+ goto failure;
+ }
+
+ if (NT_STATUS_IS_OK(ret) && ids[i]->status == ID_MAPPED) {
+ num_mapped++;
+ }
+
+ }
+
+ if (num_tomap == num_mapped) {
+ return NT_STATUS_OK;
+ }
+ if (num_mapped == 0) {
+ return NT_STATUS_NONE_MAPPED;
+ }
+
+ return STATUS_SOME_UNMAPPED;
+
+
+ failure:
+ return ret;
+}
+
+static bool idmap_autorid_sid_is_special(struct dom_sid *sid)
+{
+ bool match;
+
+ match = sid_check_is_in_wellknown_domain(sid);
+ if (match) {
+ return true;
+ }
+
+ return false;
+}
+
+static NTSTATUS idmap_autorid_sid_to_id_special(struct idmap_domain *dom,
+ struct id_map *map)
+{
+ struct idmap_tdb_common_context *common =
+ talloc_get_type_abort(dom->private_data,
+ struct idmap_tdb_common_context);
+ uint32_t count;
+ struct autorid_range_config range;
+ NTSTATUS status;
+ uint32_t free_id;
+
+ status = idmap_autorid_get_alloc_range(dom, &range);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ /* Take the next free ID, counting from the top */
+ free_id = 0;
+ for (count = 0; count < IDMAP_AUTORID_ALLOC_RESERVED; count++) {
+ struct id_map test_map;
+ struct dom_sid sid;
+
+ test_map.sid = &sid;
+ test_map.xid.type = map->xid.type;
+ test_map.xid.id = range.high_id - count;
+ test_map.status = ID_UNKNOWN;
+
+ status = idmap_tdb_common_unixid_to_sid(dom, &test_map);
+ if (NT_STATUS_EQUAL(NT_STATUS_NONE_MAPPED, status)) {
+ free_id = test_map.xid.id;
+ break;
+ }
+
+ if (!NT_STATUS_IS_OK(status)) {
+ /* error - get out */
+ return status;
+ }
+
+ /* mapping exists - try next ID */
+ }
+
+ if (free_id == 0) {
+ return NT_STATUS_NONE_MAPPED;
+ }
+
+ map->status = ID_MAPPED;
+ map->xid.id = free_id;
+
+ status = common->rw_ops->set_mapping(dom, map);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(2, ("Error storing new mapping: %s\n",
+ nt_errstr(status)));
+ return status;
+ }
+
+ return NT_STATUS_OK;
+}
+
+struct idmap_autorid_sid_to_id_alloc_ctx {
+ struct idmap_domain *dom;
+ struct id_map *map;
+};
+
+static NTSTATUS idmap_autorid_sid_to_id_alloc_action(
+ struct db_context *db,
+ void *private_data)
+{
+ struct idmap_autorid_sid_to_id_alloc_ctx *ctx;
+
+ ctx = (struct idmap_autorid_sid_to_id_alloc_ctx *)private_data;
+
+ if (idmap_autorid_sid_is_special(ctx->map->sid)) {
+ struct dom_sid_buf buf;
+ NTSTATUS ret;
+
+ ret = idmap_autorid_sid_to_id_special(ctx->dom, ctx->map);
+ if (NT_STATUS_IS_OK(ret)) {
+ return NT_STATUS_OK;
+ }
+ if (!NT_STATUS_EQUAL(NT_STATUS_NONE_MAPPED, ret)) {
+ return ret;
+ }
+
+ DEBUG(10, ("Special sid %s not mapped. falling back to "
+ "regular allocation\n",
+ dom_sid_str_buf(ctx->map->sid, &buf)));
+ }
+
+ return idmap_tdb_common_new_mapping(ctx->dom, ctx->map);
+}
+
+/*
+ * map a SID to xid using the idmap_tdb like pool
+ */
+static NTSTATUS idmap_autorid_sid_to_id_alloc(
+ struct idmap_tdb_common_context *ctx,
+ struct idmap_domain *dom,
+ struct id_map *map)
+{
+ NTSTATUS ret;
+ struct idmap_autorid_sid_to_id_alloc_ctx alloc_ctx;
+ struct dom_sid_buf buf;
+
+ map->status = ID_UNKNOWN;
+
+ /* see if we already have a mapping */
+ ret = idmap_tdb_common_sid_to_unixid(dom, map);
+
+ if (NT_STATUS_IS_OK(ret)) {
+ map->status = ID_MAPPED;
+ return ret;
+ }
+
+ /* bad things happened */
+ if (!NT_STATUS_EQUAL(ret, NT_STATUS_NONE_MAPPED)) {
+ DEBUG(1, ("Looking up SID->ID mapping for %s failed: %s\n",
+ dom_sid_str_buf(map->sid, &buf),
+ nt_errstr(ret)));
+ return ret;
+ }
+
+ if (dom->read_only) {
+ DEBUG(3, ("Not allocating new mapping for %s, because backend "
+ "is read-only\n",
+ dom_sid_str_buf(map->sid, &buf)));
+ map->status = ID_UNMAPPED;
+ return NT_STATUS_NONE_MAPPED;
+ }
+
+ DEBUG(10, ("Creating new mapping in pool for %s\n",
+ dom_sid_str_buf(map->sid, &buf)));
+
+ alloc_ctx.dom = dom;
+ alloc_ctx.map = map;
+
+ ret = dbwrap_trans_do(ctx->db, idmap_autorid_sid_to_id_alloc_action,
+ &alloc_ctx);
+ if (!NT_STATUS_IS_OK(ret)) {
+ DEBUG(1, ("Failed to create a new mapping in alloc range: %s\n",
+ nt_errstr(ret)));
+ return NT_STATUS_INTERNAL_DB_CORRUPTION;
+ }
+
+ map->status = ID_MAPPED;
+ return NT_STATUS_OK;
+}
+
+static bool idmap_autorid_domsid_is_for_alloc(struct dom_sid *sid)
+{
+ bool match;
+
+ match = sid_check_is_wellknown_domain(sid, NULL);
+ if (match) {
+ return true;
+ }
+
+ return false;
+}
+
+static NTSTATUS idmap_autorid_sid_to_id(struct idmap_tdb_common_context *common,
+ struct idmap_domain *dom,
+ struct id_map *map)
+{
+ struct autorid_global_config *global =
+ talloc_get_type_abort(common->private_data,
+ struct autorid_global_config);
+ struct autorid_range_config range;
+ uint32_t rid;
+ struct dom_sid domainsid;
+ struct dom_sid_buf buf;
+ NTSTATUS ret;
+
+ ZERO_STRUCT(range);
+ map->status = ID_UNKNOWN;
+
+ DEBUG(10, ("Trying to map %s\n", dom_sid_str_buf(map->sid, &buf)));
+
+ sid_copy(&domainsid, map->sid);
+ if (!sid_split_rid(&domainsid, &rid)) {
+ DEBUG(4, ("Could not determine domain SID from %s, "
+ "ignoring mapping request\n",
+ dom_sid_str_buf(map->sid, &buf)));
+ map->status = ID_UNMAPPED;
+ return NT_STATUS_NONE_MAPPED;
+ }
+
+ if (idmap_autorid_domsid_is_for_alloc(&domainsid)) {
+ DEBUG(10, ("SID %s is for ALLOC range.\n",
+ dom_sid_str_buf(map->sid, &buf)));
+
+ return idmap_autorid_sid_to_id_alloc(common, dom, map);
+ }
+
+ if (dom_sid_equal(&domainsid, &global_sid_Builtin) && ignore_builtin) {
+ DEBUG(10, ("Ignoring request for BUILTIN domain\n"));
+ map->status = ID_UNMAPPED;
+ return NT_STATUS_NONE_MAPPED;
+ }
+
+ sid_to_fstring(range.domsid, &domainsid);
+
+ range.domain_range_index = rid / (global->rangesize);
+
+ ret = idmap_autorid_getrange(autorid_db, range.domsid,
+ range.domain_range_index,
+ &range.rangenum, &range.low_id);
+ if (NT_STATUS_IS_OK(ret)) {
+ return idmap_autorid_sid_to_id_rid(
+ global->rangesize, range.low_id, map);
+ }
+
+ if (dom->read_only) {
+ DBG_DEBUG("read-only is enabled, did not allocate "
+ "new range for domain %s\n", range.domsid);
+ map->status = ID_UNMAPPED;
+ return NT_STATUS_NONE_MAPPED;
+ }
+
+ /*
+ * Check if we should allocate a domain range. We need to
+ * protect against unknown domains to not fill our ranges
+ * needlessly.
+ */
+
+ if (sid_check_is_builtin(&domainsid) ||
+ sid_check_is_our_sam(&domainsid)) {
+ goto allocate;
+ }
+
+ {
+ struct winbindd_domain *domain;
+
+ /*
+ * Deterministic check for domain members: We can be
+ * sure that the domain we are member of is worth to
+ * add a mapping for.
+ */
+
+ domain = find_our_domain();
+ if ((domain != NULL) &&
+ dom_sid_equal(&domain->sid, &domainsid)) {
+ goto allocate;
+ }
+ }
+
+ /*
+ * If we have already allocated range index 0, this domain is
+ * worth allocating for in higher ranges.
+ */
+ if (range.domain_range_index != 0) {
+ uint32_t zero_rangenum, zero_low_id;
+
+ ret = idmap_autorid_getrange(autorid_db, range.domsid, 0,
+ &zero_rangenum, &zero_low_id);
+ if (NT_STATUS_IS_OK(ret)) {
+ goto allocate;
+ }
+ }
+
+ /*
+ * If the caller already did a lookup sid and made sure the
+ * domain sid is valid, we can allocate a new range.
+ *
+ * Currently the winbindd parent already does a lookup sids
+ * first, but hopefully changes in future. If the
+ * caller knows the domain sid, ID_TYPE_BOTH should be
+ * passed instead of ID_TYPE_NOT_SPECIFIED.
+ */
+ if (map->xid.type != ID_TYPE_NOT_SPECIFIED) {
+ goto allocate;
+ }
+
+ /*
+ * Check of last resort: A domain is valid if a user from that
+ * domain has recently logged in. The samlogon_cache these
+ * days also stores the domain sid.
+ *
+ * We used to check the list of trusted domains we received
+ * from "our" dc, but this is not reliable enough.
+ */
+ if (netsamlogon_cache_have(&domainsid)) {
+ goto allocate;
+ }
+
+ /*
+ * Nobody knows this domain, so refuse to allocate a fresh
+ * range.
+ */
+
+ DBG_NOTICE("Allocating range for domain %s required type_hint\n", range.domsid);
+ map->status = ID_REQUIRE_TYPE;
+ return NT_STATUS_SOME_NOT_MAPPED;
+
+allocate:
+ ret = idmap_autorid_acquire_range(autorid_db, &range);
+ if (!NT_STATUS_IS_OK(ret)) {
+ DBG_NOTICE("Could not determine range for domain: %s, "
+ "check previous messages for reason\n",
+ nt_errstr(ret));
+ return ret;
+ }
+
+ return idmap_autorid_sid_to_id_rid(global->rangesize, range.low_id,
+ map);
+}
+
+/**********************************
+ lookup a set of sids.
+**********************************/
+
+static NTSTATUS idmap_autorid_sids_to_unixids(struct idmap_domain *dom,
+ struct id_map **ids)
+{
+ struct idmap_tdb_common_context *commoncfg;
+ NTSTATUS ret;
+ size_t i;
+ size_t num_tomap = 0;
+ size_t num_mapped = 0;
+ size_t num_required = 0;
+
+ /* initialize the status to avoid surprise */
+ for (i = 0; ids[i]; i++) {
+ ids[i]->status = ID_UNKNOWN;
+ num_tomap++;
+ }
+
+ commoncfg =
+ talloc_get_type_abort(dom->private_data,
+ struct idmap_tdb_common_context);
+
+ for (i = 0; ids[i]; i++) {
+ ret = idmap_autorid_sid_to_id(commoncfg, dom, ids[i]);
+ if (NT_STATUS_EQUAL(ret, NT_STATUS_SOME_NOT_MAPPED) &&
+ ids[i]->status == ID_REQUIRE_TYPE)
+ {
+ num_required++;
+ continue;
+ }
+ if ((!NT_STATUS_IS_OK(ret)) &&
+ (!NT_STATUS_EQUAL(ret, NT_STATUS_NONE_MAPPED))) {
+ struct dom_sid_buf buf;
+ /* some fatal error occurred, log it */
+ DEBUG(3, ("Unexpected error resolving a SID (%s)\n",
+ dom_sid_str_buf(ids[i]->sid, &buf)));
+ return ret;
+ }
+
+ if (NT_STATUS_IS_OK(ret) && ids[i]->status == ID_MAPPED) {
+ num_mapped++;
+ }
+ }
+
+ if (num_tomap == num_mapped) {
+ return NT_STATUS_OK;
+ } else if (num_required > 0) {
+ return STATUS_SOME_UNMAPPED;
+ } else if (num_mapped == 0) {
+ return NT_STATUS_NONE_MAPPED;
+ }
+
+ return STATUS_SOME_UNMAPPED;
+}
+
+static NTSTATUS idmap_autorid_preallocate_wellknown(struct idmap_domain *dom)
+{
+ const char *groups[] = { "S-1-1-0", "S-1-2-0", "S-1-2-1",
+ "S-1-3-0", "S-1-3-1", "S-1-3-2", "S-1-3-3", "S-1-3-4",
+ "S-1-5-1", "S-1-5-2", "S-1-5-3", "S-1-5-4", "S-1-5-6",
+ "S-1-5-7", "S-1-5-8", "S-1-5-9", "S-1-5-10", "S-1-5-11",
+ "S-1-5-12", "S-1-5-13", "S-1-5-14", "S-1-5-15",
+ "S-1-5-17", "S-1-5-18", "S-1-5-19", "S-1-5-20"
+ };
+
+ struct id_map **maps;
+ int i, num;
+ NTSTATUS status;
+
+ if (dom->read_only) {
+ return NT_STATUS_OK;
+ }
+
+ num = ARRAY_SIZE(groups);
+
+ maps = talloc_array(talloc_tos(), struct id_map*, num+1);
+ if (!maps) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ for (i = 0; i < num; i++) {
+ maps[i] = talloc(maps, struct id_map);
+ if (maps[i] == NULL) {
+ talloc_free(maps);
+ return NT_STATUS_NO_MEMORY;
+ }
+ maps[i]->xid.type = ID_TYPE_GID;
+ maps[i]->sid = dom_sid_parse_talloc(maps, groups[i]);
+ }
+
+ maps[num] = NULL;
+
+ status = idmap_autorid_sids_to_unixids(dom, maps);
+
+ DEBUG(10,("Preallocation run finished with status %s\n",
+ nt_errstr(status)));
+
+ talloc_free(maps);
+
+ return NT_STATUS_IS_OK(status)?NT_STATUS_OK:NT_STATUS_UNSUCCESSFUL;
+}
+
+static NTSTATUS idmap_autorid_initialize_action(struct db_context *db,
+ void *private_data)
+{
+ struct idmap_domain *dom;
+ struct idmap_tdb_common_context *common;
+ struct autorid_global_config *config;
+ NTSTATUS status;
+
+ dom = (struct idmap_domain *)private_data;
+ common = (struct idmap_tdb_common_context *)dom->private_data;
+ config = (struct autorid_global_config *)common->private_data;
+
+ status = idmap_autorid_init_hwms(db);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ status = idmap_autorid_saveconfig(db, config);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1, ("Failed to store configuration data!\n"));
+ return status;
+ }
+
+ status = idmap_autorid_preallocate_wellknown(dom);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1, ("Failed to preallocate wellknown sids: %s\n",
+ nt_errstr(status)));
+ return status;
+ }
+
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS idmap_autorid_initialize(struct idmap_domain *dom)
+{
+ struct idmap_tdb_common_context *commonconfig;
+ struct autorid_global_config *config;
+ NTSTATUS status;
+ char *db_path;
+
+ if (!strequal(dom->name, "*")) {
+ DEBUG(0, ("idmap_autorid_initialize: Error: autorid configured "
+ "for domain '%s'. But autorid can only be used for "
+ "the default idmap configuration.\n", dom->name));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ commonconfig = talloc_zero(dom, struct idmap_tdb_common_context);
+ if (!commonconfig) {
+ DEBUG(0, ("Out of memory!\n"));
+ return NT_STATUS_NO_MEMORY;
+ }
+ dom->private_data = commonconfig;
+
+ commonconfig->rw_ops = talloc_zero(commonconfig, struct idmap_rw_ops);
+ if (commonconfig->rw_ops == NULL) {
+ DEBUG(0, ("Out of memory!\n"));
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ config = talloc_zero(commonconfig, struct autorid_global_config);
+ if (!config) {
+ DEBUG(0, ("Out of memory!\n"));
+ return NT_STATUS_NO_MEMORY;
+ }
+ commonconfig->private_data = config;
+
+ config->minvalue = dom->low_id;
+ config->rangesize = idmap_config_int("*", "rangesize", 100000);
+
+ config->maxranges = (dom->high_id - dom->low_id + 1) /
+ config->rangesize;
+
+ if (config->maxranges < 2) {
+ DBG_WARNING("Allowed idmap range is not a least double the "
+ "size of the rangesize. Please increase idmap "
+ "range.\n");
+ status = NT_STATUS_INVALID_PARAMETER;
+ goto error;
+ }
+
+ /* check if the high-low limit is a multiple of the rangesize */
+ if ((dom->high_id - dom->low_id + 1) % config->rangesize != 0) {
+ DEBUG(5, ("High uid-low uid difference of %d "
+ "is not a multiple of the rangesize %d, "
+ "limiting ranges to lower boundary number of %d\n",
+ (dom->high_id - dom->low_id + 1), config->rangesize,
+ config->maxranges));
+ }
+
+ DEBUG(5, ("%d domain ranges with a size of %d are available\n",
+ config->maxranges, config->rangesize));
+
+ ignore_builtin = idmap_config_bool("*", "ignore builtin", false);
+
+ /* fill the TDB common configuration */
+
+ commonconfig->max_id = config->rangesize - 1
+ - IDMAP_AUTORID_ALLOC_RESERVED;
+ commonconfig->hwmkey_uid = ALLOC_HWM_UID;
+ commonconfig->hwmkey_gid = ALLOC_HWM_GID;
+ commonconfig->rw_ops->get_new_id = idmap_autorid_allocate_id;
+ commonconfig->rw_ops->set_mapping = idmap_tdb_common_set_mapping;
+
+ db_path = state_path(talloc_tos(), "autorid.tdb");
+ if (db_path == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto error;
+ }
+
+ status = idmap_autorid_db_open(db_path,
+ NULL, /* TALLOC_CTX */
+ &autorid_db);
+ TALLOC_FREE(db_path);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto error;
+ }
+
+ commonconfig->db = autorid_db;
+
+ status = dbwrap_trans_do(autorid_db,
+ idmap_autorid_initialize_action,
+ dom);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1, ("Failed to init the idmap database: %s\n",
+ nt_errstr(status)));
+ goto error;
+ }
+
+ goto done;
+
+error:
+ talloc_free(config);
+
+done:
+ return status;
+}
+
+static const struct idmap_methods autorid_methods = {
+ .init = idmap_autorid_initialize,
+ .unixids_to_sids = idmap_autorid_unixids_to_sids,
+ .sids_to_unixids = idmap_autorid_sids_to_unixids,
+ .allocate_id = idmap_autorid_allocate_id
+};
+
+static_decl_idmap;
+NTSTATUS idmap_autorid_init(TALLOC_CTX *ctx)
+{
+ return smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION,
+ "autorid", &autorid_methods);
+}
diff --git a/source3/winbindd/idmap_autorid_tdb.c b/source3/winbindd/idmap_autorid_tdb.c
new file mode 100644
index 0000000..24cf380
--- /dev/null
+++ b/source3/winbindd/idmap_autorid_tdb.c
@@ -0,0 +1,1265 @@
+/*
+ * idmap_autorid_tdb: This file contains common code used by
+ * idmap_autorid and net idmap autorid utilities. The common
+ * code provides functions for performing various operations
+ * on autorid.tdb
+ *
+ * Copyright (C) Christian Ambach, 2010-2012
+ * Copyright (C) Atul Kulkarni, 2013
+ * Copyright (C) Michael Adam, 2012-2013
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#include "idmap_autorid_tdb.h"
+#include "../libcli/security/dom_sid.h"
+#include "lib/util/string_wrappers.h"
+
+/**
+ * Build the database keystring for getting a range
+ * belonging to a domain sid and a range index.
+ */
+static void idmap_autorid_build_keystr(const char *domsid,
+ uint32_t domain_range_index,
+ fstring keystr)
+{
+ if (domain_range_index > 0) {
+ fstr_sprintf(keystr, "%s#%"PRIu32,
+ domsid, domain_range_index);
+ } else {
+ fstrcpy(keystr, domsid);
+ }
+}
+
+static char *idmap_autorid_build_keystr_talloc(TALLOC_CTX *mem_ctx,
+ const char *domsid,
+ uint32_t domain_range_index)
+{
+ char *keystr;
+
+ if (domain_range_index > 0) {
+ keystr = talloc_asprintf(mem_ctx, "%s#%"PRIu32, domsid,
+ domain_range_index);
+ } else {
+ keystr = talloc_strdup(mem_ctx, domsid);
+ }
+
+ return keystr;
+}
+
+
+static bool idmap_autorid_validate_sid(const char *sid)
+{
+ struct dom_sid ignore;
+ if (sid == NULL) {
+ return false;
+ }
+
+ if (strcmp(sid, ALLOC_RANGE) == 0) {
+ return true;
+ }
+
+ return dom_sid_parse(sid, &ignore);
+}
+
+struct idmap_autorid_addrange_ctx {
+ struct autorid_range_config *range;
+ bool acquire;
+};
+
+static NTSTATUS idmap_autorid_addrange_action(struct db_context *db,
+ void *private_data)
+{
+ struct idmap_autorid_addrange_ctx *ctx;
+ uint32_t requested_rangenum, stored_rangenum;
+ struct autorid_range_config *range;
+ bool acquire;
+ NTSTATUS ret;
+ uint32_t hwm;
+ char *numstr;
+ struct autorid_global_config globalcfg = {0};
+ fstring keystr;
+ uint32_t increment;
+ TALLOC_CTX *mem_ctx = NULL;
+
+ ctx = (struct idmap_autorid_addrange_ctx *)private_data;
+ range = ctx->range;
+ acquire = ctx->acquire;
+ requested_rangenum = range->rangenum;
+
+ if (db == NULL) {
+ DEBUG(3, ("Invalid database argument: NULL"));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ if (range == NULL) {
+ DEBUG(3, ("Invalid range argument: NULL"));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ DEBUG(10, ("Adding new range for domain %s "
+ "(domain_range_index=%"PRIu32")\n",
+ range->domsid, range->domain_range_index));
+
+ if (!idmap_autorid_validate_sid(range->domsid)) {
+ DEBUG(3, ("Invalid SID: %s\n", range->domsid));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ idmap_autorid_build_keystr(range->domsid, range->domain_range_index,
+ keystr);
+
+ ret = dbwrap_fetch_uint32_bystring(db, keystr, &stored_rangenum);
+
+ if (NT_STATUS_IS_OK(ret)) {
+ /* entry is already present*/
+ if (acquire) {
+ DEBUG(10, ("domain range already allocated - "
+ "Not adding!\n"));
+
+ ret = idmap_autorid_loadconfig(db, &globalcfg);
+ if (!NT_STATUS_IS_OK(ret)) {
+ DEBUG(1, ("Fatal error while fetching "
+ "configuration: %s\n",
+ nt_errstr(ret)));
+ goto error;
+ }
+
+ range->rangenum = stored_rangenum;
+ range->low_id = globalcfg.minvalue
+ + range->rangenum * globalcfg.rangesize;
+ range->high_id =
+ range->low_id + globalcfg.rangesize - 1;
+
+ return NT_STATUS_OK;
+ }
+
+ if (stored_rangenum != requested_rangenum) {
+ DEBUG(1, ("Error: requested rangenumber (%u) differs "
+ "from stored one (%u).\n",
+ requested_rangenum, stored_rangenum));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ DEBUG(10, ("Note: stored range agrees with requested "
+ "one - ok\n"));
+ return NT_STATUS_OK;
+ }
+
+ /* fetch the current HWM */
+ ret = dbwrap_fetch_uint32_bystring(db, HWM, &hwm);
+ if (!NT_STATUS_IS_OK(ret)) {
+ DEBUG(1, ("Fatal error while fetching current "
+ "HWM value: %s\n", nt_errstr(ret)));
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
+ mem_ctx = talloc_stackframe();
+
+ ret = idmap_autorid_loadconfig(db, &globalcfg);
+ if (!NT_STATUS_IS_OK(ret)) {
+ DEBUG(1, ("Fatal error while fetching configuration: %s\n",
+ nt_errstr(ret)));
+ goto error;
+ }
+
+ if (acquire) {
+ /*
+ * automatically acquire the next range
+ */
+ requested_rangenum = hwm;
+ }
+
+ if (requested_rangenum >= globalcfg.maxranges) {
+ DEBUG(1, ("Not enough ranges available: New range %u must be "
+ "smaller than configured maximum number of ranges "
+ "(%u).\n",
+ requested_rangenum, globalcfg.maxranges));
+ ret = NT_STATUS_NO_MEMORY;
+ goto error;
+ }
+
+ /*
+ * Check that it is not yet taken.
+ * If the range is requested and < HWM, we need
+ * to check anyways, and otherwise, we also better
+ * check in order to prevent further corruption
+ * in case the db has been externally modified.
+ */
+
+ numstr = talloc_asprintf(mem_ctx, "%u", requested_rangenum);
+ if (!numstr) {
+ DEBUG(1, ("Talloc failed!\n"));
+ ret = NT_STATUS_NO_MEMORY;
+ goto error;
+ }
+
+ if (dbwrap_exists(db, string_term_tdb_data(numstr))) {
+ DEBUG(1, ("Requested range '%s' is already in use.\n", numstr));
+
+ if (requested_rangenum < hwm) {
+ ret = NT_STATUS_INVALID_PARAMETER;
+ } else {
+ ret = NT_STATUS_INTERNAL_DB_CORRUPTION;
+ }
+
+ goto error;
+ }
+
+ if (requested_rangenum >= hwm) {
+ /*
+ * requested or automatic range >= HWM:
+ * increment the HWM.
+ */
+
+ /* HWM always contains current max range + 1 */
+ increment = requested_rangenum + 1 - hwm;
+
+ /* increase the HWM */
+ ret = dbwrap_change_uint32_atomic_bystring(db, HWM, &hwm,
+ increment);
+ if (!NT_STATUS_IS_OK(ret)) {
+ DEBUG(1, ("Fatal error while incrementing the HWM "
+ "value in the database: %s\n",
+ nt_errstr(ret)));
+ goto error;
+ }
+ }
+
+ /*
+ * store away the new mapping in both directions
+ */
+
+ ret = dbwrap_store_uint32_bystring(db, keystr, requested_rangenum);
+ if (!NT_STATUS_IS_OK(ret)) {
+ DEBUG(1, ("Fatal error while storing new "
+ "domain->range assignment: %s\n", nt_errstr(ret)));
+ goto error;
+ }
+
+ numstr = talloc_asprintf(mem_ctx, "%u", requested_rangenum);
+ if (!numstr) {
+ ret = NT_STATUS_NO_MEMORY;
+ goto error;
+ }
+
+ ret = dbwrap_store_bystring(db, numstr,
+ string_term_tdb_data(keystr), TDB_INSERT);
+
+ if (!NT_STATUS_IS_OK(ret)) {
+ DEBUG(1, ("Fatal error while storing new "
+ "domain->range assignment: %s\n", nt_errstr(ret)));
+ goto error;
+ }
+
+ DEBUG(5, ("%s new range #%d for domain %s "
+ "(domain_range_index=%"PRIu32")\n",
+ (acquire?"Acquired":"Stored"),
+ requested_rangenum, keystr,
+ range->domain_range_index));
+
+ range->rangenum = requested_rangenum;
+
+ range->low_id = globalcfg.minvalue
+ + range->rangenum * globalcfg.rangesize;
+ range->high_id = range->low_id + globalcfg.rangesize - 1;
+
+ ret = NT_STATUS_OK;
+
+error:
+ talloc_free(mem_ctx);
+ return ret;
+}
+
+static NTSTATUS idmap_autorid_addrange(struct db_context *db,
+ struct autorid_range_config *range,
+ bool acquire)
+{
+ NTSTATUS status;
+ struct idmap_autorid_addrange_ctx ctx;
+
+ ctx.acquire = acquire;
+ ctx.range = range;
+
+ status = dbwrap_trans_do(db, idmap_autorid_addrange_action, &ctx);
+ return status;
+}
+
+NTSTATUS idmap_autorid_setrange(struct db_context *db,
+ const char *domsid,
+ uint32_t domain_range_index,
+ uint32_t rangenum)
+{
+ NTSTATUS status;
+ struct autorid_range_config range;
+
+ ZERO_STRUCT(range);
+ fstrcpy(range.domsid, domsid);
+ range.domain_range_index = domain_range_index;
+ range.rangenum = rangenum;
+
+ status = idmap_autorid_addrange(db, &range, false);
+ return status;
+}
+
+NTSTATUS idmap_autorid_acquire_range(struct db_context *db,
+ struct autorid_range_config *range)
+{
+ return idmap_autorid_addrange(db, range, true);
+}
+
+static NTSTATUS idmap_autorid_getrange_int(struct db_context *db,
+ struct autorid_range_config *range)
+{
+ NTSTATUS status = NT_STATUS_INVALID_PARAMETER;
+ struct autorid_global_config globalcfg = {0};
+ fstring keystr;
+
+ if (db == NULL || range == NULL) {
+ DEBUG(3, ("Invalid arguments received\n"));
+ goto done;
+ }
+
+ if (!idmap_autorid_validate_sid(range->domsid)) {
+ DEBUG(3, ("Invalid SID: '%s'\n", range->domsid));
+ status = NT_STATUS_INVALID_PARAMETER;
+ goto done;
+ }
+
+ idmap_autorid_build_keystr(range->domsid, range->domain_range_index,
+ keystr);
+
+ DEBUG(10, ("reading domain range for key %s\n", keystr));
+ status = dbwrap_fetch_uint32_bystring(db, keystr, &(range->rangenum));
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1, ("Failed to read database record for key '%s': %s\n",
+ keystr, nt_errstr(status)));
+ goto done;
+ }
+
+ status = idmap_autorid_loadconfig(db, &globalcfg);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1, ("Failed to read global configuration"));
+ goto done;
+ }
+ range->low_id = globalcfg.minvalue
+ + range->rangenum * globalcfg.rangesize;
+ range->high_id = range->low_id + globalcfg.rangesize - 1;
+done:
+ return status;
+}
+
+NTSTATUS idmap_autorid_getrange(struct db_context *db,
+ const char *domsid,
+ uint32_t domain_range_index,
+ uint32_t *rangenum,
+ uint32_t *low_id)
+{
+ NTSTATUS status;
+ struct autorid_range_config range;
+
+ if (rangenum == NULL) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ ZERO_STRUCT(range);
+ fstrcpy(range.domsid, domsid);
+ range.domain_range_index = domain_range_index;
+
+ status = idmap_autorid_getrange_int(db, &range);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ *rangenum = range.rangenum;
+
+ if (low_id != NULL) {
+ *low_id = range.low_id;
+ }
+
+ return NT_STATUS_OK;
+}
+
+NTSTATUS idmap_autorid_get_domainrange(struct db_context *db,
+ struct autorid_range_config *range,
+ bool read_only)
+{
+ NTSTATUS ret;
+
+ ret = idmap_autorid_getrange_int(db, range);
+ if (!NT_STATUS_IS_OK(ret)) {
+ DEBUG(10, ("Failed to read range config for '%s': %s\n",
+ range->domsid, nt_errstr(ret)));
+ if (read_only) {
+ DEBUG(10, ("Not allocating new range for '%s' because "
+ "read-only is enabled.\n", range->domsid));
+ return NT_STATUS_NOT_FOUND;
+ }
+
+ ret = idmap_autorid_acquire_range(db, range);
+ }
+
+ DEBUG(10, ("Using range #%d for domain %s "
+ "(domain_range_index=%"PRIu32", low_id=%"PRIu32")\n",
+ range->rangenum, range->domsid, range->domain_range_index,
+ range->low_id));
+
+ return ret;
+}
+
+/* initialize the given HWM to 0 if it does not exist yet */
+static NTSTATUS idmap_autorid_init_hwm_action(struct db_context *db,
+ void *private_data)
+{
+ NTSTATUS status;
+ uint32_t hwmval;
+ const char *hwm;
+
+ hwm = (char *)private_data;
+
+ status = dbwrap_fetch_uint32_bystring(db, hwm, &hwmval);
+ if (NT_STATUS_IS_OK(status)) {
+ DEBUG(1, ("HWM (%s) already initialized in autorid database "
+ "(value %"PRIu32").\n", hwm, hwmval));
+ return NT_STATUS_OK;
+ }
+ if (!NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
+ DEBUG(0, ("Error fetching HWM (%s) from autorid "
+ "database: %s\n", hwm, nt_errstr(status)));
+ return status;
+ }
+
+ status = dbwrap_trans_store_uint32_bystring(db, hwm, 0);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("Error storing HWM (%s) in autorid database: %s\n",
+ hwm, nt_errstr(status)));
+ return status;
+ }
+
+ return NT_STATUS_OK;
+}
+
+NTSTATUS idmap_autorid_init_hwm(struct db_context *db, const char *hwm)
+{
+ NTSTATUS status;
+ uint32_t hwmval;
+
+ status = dbwrap_fetch_uint32_bystring(db, hwm, &hwmval);
+ if (NT_STATUS_IS_OK(status)) {
+ DEBUG(1, ("HWM (%s) already initialized in autorid database "
+ "(value %"PRIu32").\n", hwm, hwmval));
+ return NT_STATUS_OK;
+ }
+ if (!NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
+ DEBUG(0, ("unable to fetch HWM (%s) from autorid "
+ "database: %s\n", hwm, nt_errstr(status)));
+ return status;
+ }
+
+ status = dbwrap_trans_do(db, idmap_autorid_init_hwm_action,
+ discard_const(hwm));
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("Error initializing HWM (%s) in autorid database: "
+ "%s\n", hwm, nt_errstr(status)));
+ return NT_STATUS_INTERNAL_DB_ERROR;
+ }
+
+ DEBUG(1, ("Initialized HWM (%s) in autorid database.\n", hwm));
+
+ return NT_STATUS_OK;
+}
+
+/*
+ * Delete a domain#index <-> range mapping from the database.
+ * The mapping is specified by the sid and index.
+ * If force == true, invalid mapping records are deleted as far
+ * as possible, otherwise they are left untouched.
+ */
+
+struct idmap_autorid_delete_range_by_sid_ctx {
+ const char *domsid;
+ uint32_t domain_range_index;
+ bool force;
+};
+
+static NTSTATUS idmap_autorid_delete_range_by_sid_action(struct db_context *db,
+ void *private_data)
+{
+ struct idmap_autorid_delete_range_by_sid_ctx *ctx =
+ (struct idmap_autorid_delete_range_by_sid_ctx *)private_data;
+ const char *domsid;
+ uint32_t domain_range_index;
+ uint32_t rangenum;
+ char *keystr;
+ char *range_keystr;
+ TDB_DATA data;
+ NTSTATUS status;
+ TALLOC_CTX *frame = talloc_stackframe();
+ bool is_valid_range_mapping = true;
+ bool force;
+
+ domsid = ctx->domsid;
+ domain_range_index = ctx->domain_range_index;
+ force = ctx->force;
+
+ keystr = idmap_autorid_build_keystr_talloc(frame, domsid,
+ domain_range_index);
+ if (keystr == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
+
+ status = dbwrap_fetch_uint32_bystring(db, keystr, &rangenum);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto done;
+ }
+
+ range_keystr = talloc_asprintf(frame, "%"PRIu32, rangenum);
+ if (range_keystr == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
+
+ status = dbwrap_fetch_bystring(db, frame, range_keystr, &data);
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
+ DEBUG(1, ("Incomplete mapping %s -> %s: no backward mapping\n",
+ keystr, range_keystr));
+ is_valid_range_mapping = false;
+ } else if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1, ("Error fetching reverse mapping for %s -> %s: %s\n",
+ keystr, range_keystr, nt_errstr(status)));
+ goto done;
+ } else if (strncmp((const char *)data.dptr, keystr, strlen(keystr))
+ != 0)
+ {
+ DEBUG(1, ("Invalid mapping: %s -> %s -> %s\n",
+ keystr, range_keystr, (const char *)data.dptr));
+ is_valid_range_mapping = false;
+ }
+
+ if (!is_valid_range_mapping && !force) {
+ DEBUG(10, ("Not deleting invalid mapping, since not in force "
+ "mode.\n"));
+ status = NT_STATUS_FILE_INVALID;
+ goto done;
+ }
+
+ status = dbwrap_delete_bystring(db, keystr);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1, ("Deletion of '%s' failed: %s\n",
+ keystr, nt_errstr(status)));
+ goto done;
+ }
+
+ if (!is_valid_range_mapping) {
+ goto done;
+ }
+
+ status = dbwrap_delete_bystring(db, range_keystr);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1, ("Deletion of '%s' failed: %s\n",
+ range_keystr, nt_errstr(status)));
+ goto done;
+ }
+
+ DEBUG(10, ("Deleted range mapping %s <--> %s\n", keystr,
+ range_keystr));
+
+done:
+ TALLOC_FREE(frame);
+ return status;
+}
+
+NTSTATUS idmap_autorid_delete_range_by_sid(struct db_context *db,
+ const char *domsid,
+ uint32_t domain_range_index,
+ bool force)
+{
+ NTSTATUS status;
+ struct idmap_autorid_delete_range_by_sid_ctx ctx;
+
+ ctx.domain_range_index = domain_range_index;
+ ctx.domsid = domsid;
+ ctx.force = force;
+
+ status = dbwrap_trans_do(db, idmap_autorid_delete_range_by_sid_action,
+ &ctx);
+ return status;
+}
+
+/*
+ * Delete a domain#index <-> range mapping from the database.
+ * The mapping is specified by the range number.
+ * If force == true, invalid mapping records are deleted as far
+ * as possible, otherwise they are left untouched.
+ */
+struct idmap_autorid_delete_range_by_num_ctx {
+ uint32_t rangenum;
+ bool force;
+};
+
+static NTSTATUS idmap_autorid_delete_range_by_num_action(struct db_context *db,
+ void *private_data)
+{
+ struct idmap_autorid_delete_range_by_num_ctx *ctx =
+ (struct idmap_autorid_delete_range_by_num_ctx *)private_data;
+ uint32_t rangenum;
+ char *keystr = NULL;
+ char *range_keystr;
+ TDB_DATA val;
+ NTSTATUS status;
+ TALLOC_CTX *frame = talloc_stackframe();
+ bool is_valid_range_mapping = true;
+ bool force;
+
+ rangenum = ctx->rangenum;
+ force = ctx->force;
+
+ range_keystr = talloc_asprintf(frame, "%"PRIu32, rangenum);
+ if (range_keystr == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
+
+ ZERO_STRUCT(val);
+
+ status = dbwrap_fetch_bystring(db, frame, range_keystr, &val);
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
+ DEBUG(10, ("Did not find range '%s' in database.\n",
+ range_keystr));
+ goto done;
+ } else if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(5, ("Error fetching rang key: %s\n", nt_errstr(status)));
+ goto done;
+ }
+
+ if (val.dptr == NULL) {
+ DEBUG(1, ("Invalid mapping: %s -> empty value\n",
+ range_keystr));
+ is_valid_range_mapping = false;
+ } else {
+ uint32_t reverse_rangenum = 0;
+
+ keystr = (char *)val.dptr;
+
+ status = dbwrap_fetch_uint32_bystring(db, keystr,
+ &reverse_rangenum);
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
+ DEBUG(1, ("Incomplete mapping %s -> %s: "
+ "no backward mapping\n",
+ range_keystr, keystr));
+ is_valid_range_mapping = false;
+ } else if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1, ("Error fetching reverse mapping for "
+ "%s -> %s: %s\n",
+ range_keystr, keystr, nt_errstr(status)));
+ goto done;
+ } else if (rangenum != reverse_rangenum) {
+ is_valid_range_mapping = false;
+ }
+ }
+
+ if (!is_valid_range_mapping && !force) {
+ DEBUG(10, ("Not deleting invalid mapping, since not in force "
+ "mode.\n"));
+ status = NT_STATUS_FILE_INVALID;
+ goto done;
+ }
+
+ status = dbwrap_delete_bystring(db, range_keystr);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1, ("Deletion of '%s' failed: %s\n",
+ range_keystr, nt_errstr(status)));
+ goto done;
+ }
+
+ if (!is_valid_range_mapping) {
+ goto done;
+ }
+
+ status = dbwrap_delete_bystring(db, keystr);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1, ("Deletion of '%s' failed: %s\n",
+ keystr, nt_errstr(status)));
+ goto done;
+ }
+
+ DEBUG(10, ("Deleted range mapping %s <--> %s\n", range_keystr,
+ keystr));
+
+done:
+ talloc_free(frame);
+ return status;
+}
+
+NTSTATUS idmap_autorid_delete_range_by_num(struct db_context *db,
+ uint32_t rangenum,
+ bool force)
+{
+ NTSTATUS status;
+ struct idmap_autorid_delete_range_by_num_ctx ctx;
+
+ ctx.rangenum = rangenum;
+ ctx.force = force;
+
+ status = dbwrap_trans_do(db, idmap_autorid_delete_range_by_num_action,
+ &ctx);
+ return status;
+}
+
+/**
+ * Open and possibly create the database.
+ */
+NTSTATUS idmap_autorid_db_open(const char *path,
+ TALLOC_CTX *mem_ctx,
+ struct db_context **db)
+{
+ if (*db != NULL) {
+ /* its already open */
+ return NT_STATUS_OK;
+ }
+
+ /* Open idmap repository */
+ *db = db_open(mem_ctx, path, 0, TDB_DEFAULT, O_RDWR | O_CREAT, 0644,
+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
+
+ if (*db == NULL) {
+ DEBUG(0, ("Unable to open idmap_autorid database '%s'\n", path));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ return NT_STATUS_OK;
+}
+
+/**
+ * Initialize the high watermark records in the database.
+ */
+NTSTATUS idmap_autorid_init_hwms(struct db_context *db)
+{
+ NTSTATUS status;
+
+ status = idmap_autorid_init_hwm(db, HWM);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ status = idmap_autorid_init_hwm(db, ALLOC_HWM_UID);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ status = idmap_autorid_init_hwm(db, ALLOC_HWM_GID);
+
+ return status;
+}
+
+NTSTATUS idmap_autorid_db_init(const char *path,
+ TALLOC_CTX *mem_ctx,
+ struct db_context **db)
+{
+ NTSTATUS status;
+
+ status = idmap_autorid_db_open(path, mem_ctx, db);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ status = idmap_autorid_init_hwms(*db);
+ return status;
+}
+
+
+
+struct idmap_autorid_fetch_config_state {
+ TALLOC_CTX *mem_ctx;
+ char *configstr;
+};
+
+static void idmap_autorid_config_parser(TDB_DATA key, TDB_DATA value,
+ void *private_data)
+{
+ struct idmap_autorid_fetch_config_state *state;
+
+ state = (struct idmap_autorid_fetch_config_state *)private_data;
+
+ /*
+ * strndup because we have non-nullterminated strings in the db
+ */
+ state->configstr = talloc_strndup(
+ state->mem_ctx, (const char *)value.dptr, value.dsize);
+}
+
+NTSTATUS idmap_autorid_getconfigstr(struct db_context *db, TALLOC_CTX *mem_ctx,
+ char **result)
+{
+ TDB_DATA key;
+ NTSTATUS status;
+ struct idmap_autorid_fetch_config_state state;
+
+ if (result == NULL) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ key = string_term_tdb_data(CONFIGKEY);
+
+ state.mem_ctx = mem_ctx;
+ state.configstr = NULL;
+
+ status = dbwrap_parse_record(db, key, idmap_autorid_config_parser,
+ &state);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1, ("Error while retrieving config: %s\n",
+ nt_errstr(status)));
+ return status;
+ }
+
+ if (state.configstr == NULL) {
+ DEBUG(1, ("Error while retrieving config\n"));
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ DEBUG(5, ("found CONFIG: %s\n", state.configstr));
+
+ *result = state.configstr;
+ return NT_STATUS_OK;
+}
+
+bool idmap_autorid_parse_configstr(const char *configstr,
+ struct autorid_global_config *cfg)
+{
+ unsigned long minvalue, rangesize, maxranges;
+
+ if (sscanf(configstr,
+ "minvalue:%lu rangesize:%lu maxranges:%lu",
+ &minvalue, &rangesize, &maxranges) != 3) {
+ DEBUG(1,
+ ("Found invalid configuration data. "
+ "Creating new config\n"));
+ return false;
+ }
+
+ cfg->minvalue = minvalue;
+ cfg->rangesize = rangesize;
+ cfg->maxranges = maxranges;
+
+ return true;
+}
+
+NTSTATUS idmap_autorid_loadconfig(struct db_context *db,
+ struct autorid_global_config *result)
+{
+ struct autorid_global_config cfg = {0};
+ NTSTATUS status;
+ bool ok;
+ char *configstr = NULL;
+
+ if (result == NULL) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ status = idmap_autorid_getconfigstr(db, db, &configstr);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ ok = idmap_autorid_parse_configstr(configstr, &cfg);
+ TALLOC_FREE(configstr);
+ if (!ok) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ DEBUG(10, ("Loaded previously stored configuration "
+ "minvalue:%d rangesize:%d\n",
+ cfg.minvalue, cfg.rangesize));
+
+ *result = cfg;
+
+ return NT_STATUS_OK;
+}
+
+NTSTATUS idmap_autorid_saveconfig(struct db_context *db,
+ struct autorid_global_config *cfg)
+{
+
+ struct autorid_global_config storedconfig = {0};
+ NTSTATUS status = NT_STATUS_INVALID_PARAMETER;
+ TDB_DATA data;
+ char *cfgstr;
+ uint32_t hwm;
+ TALLOC_CTX *frame = talloc_stackframe();
+
+ DEBUG(10, ("New configuration provided for storing is "
+ "minvalue:%d rangesize:%d maxranges:%d\n",
+ cfg->minvalue, cfg->rangesize, cfg->maxranges));
+
+ if (cfg->rangesize < 2000) {
+ DEBUG(1, ("autorid rangesize must be at least 2000\n"));
+ goto done;
+ }
+
+ if (cfg->maxranges == 0) {
+ DEBUG(1, ("An autorid maxranges value of 0 is invalid. "
+ "Must have at least one range available.\n"));
+ goto done;
+ }
+
+ status = idmap_autorid_loadconfig(db, &storedconfig);
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
+ DEBUG(5, ("No configuration found. Storing initial "
+ "configuration.\n"));
+ storedconfig = *cfg;
+ } else if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1, ("Error loading configuration: %s\n",
+ nt_errstr(status)));
+ goto done;
+ }
+
+ /* did the minimum value or rangesize change? */
+ if ((storedconfig.minvalue != cfg->minvalue) ||
+ (storedconfig.rangesize != cfg->rangesize))
+ {
+ DEBUG(1, ("New configuration values for rangesize or "
+ "minimum uid value conflict with previously "
+ "used values! Not storing new config.\n"));
+ status = NT_STATUS_INVALID_PARAMETER;
+ goto done;
+ }
+
+ status = dbwrap_fetch_uint32_bystring(db, HWM, &hwm);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1, ("Fatal error while fetching current "
+ "HWM value: %s\n", nt_errstr(status)));
+ status = NT_STATUS_INTERNAL_ERROR;
+ goto done;
+ }
+
+ /*
+ * has the highest uid value been reduced to setting that is not
+ * sufficient any more for already existing ranges?
+ */
+ if (hwm > cfg->maxranges) {
+ DEBUG(1, ("New upper uid limit is too low to cover "
+ "existing mappings! Not storing new config.\n"));
+ status = NT_STATUS_INVALID_PARAMETER;
+ goto done;
+ }
+
+ cfgstr =
+ talloc_asprintf(frame,
+ "minvalue:%u rangesize:%u maxranges:%u",
+ cfg->minvalue, cfg->rangesize, cfg->maxranges);
+
+ if (cfgstr == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
+
+ data = string_tdb_data(cfgstr);
+
+ status = dbwrap_trans_store_bystring(db, CONFIGKEY, data, TDB_REPLACE);
+
+done:
+ TALLOC_FREE(frame);
+ return status;
+}
+
+NTSTATUS idmap_autorid_saveconfigstr(struct db_context *db,
+ const char *configstr)
+{
+ bool ok;
+ NTSTATUS status;
+ struct autorid_global_config cfg;
+
+ ok = idmap_autorid_parse_configstr(configstr, &cfg);
+ if (!ok) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ status = idmap_autorid_saveconfig(db, &cfg);
+ return status;
+}
+
+
+/*
+ * iteration: Work on all range mappings for a given domain
+ */
+
+struct domain_range_visitor_ctx {
+ const char *domsid;
+ NTSTATUS (*fn)(struct db_context *db,
+ const char *domsid,
+ uint32_t index,
+ uint32_t rangenum,
+ void *private_data);
+ void *private_data;
+ int count; /* number of records worked on */
+};
+
+static int idmap_autorid_visit_domain_range(struct db_record *rec,
+ void *private_data)
+{
+ struct domain_range_visitor_ctx *vi;
+ char *domsid;
+ char *sep;
+ uint32_t range_index = 0;
+ uint32_t rangenum = 0;
+ TDB_DATA key, value;
+ NTSTATUS status;
+ int ret = 0;
+ struct db_context *db;
+
+ vi = talloc_get_type_abort(private_data,
+ struct domain_range_visitor_ctx);
+
+ key = dbwrap_record_get_key(rec);
+
+ /*
+ * split string "<sid>[#<index>]" into sid string and index number
+ */
+
+ domsid = (char *)key.dptr;
+
+ DEBUG(10, ("idmap_autorid_visit_domain_range: visiting key '%s'\n",
+ domsid));
+
+ sep = strrchr(domsid, '#');
+ if (sep != NULL) {
+ char *index_str;
+ *sep = '\0';
+ index_str = sep+1;
+ if (sscanf(index_str, "%"SCNu32, &range_index) != 1) {
+ DEBUG(10, ("Found separator '#' but '%s' is not a "
+ "valid range index. Skipping record\n",
+ index_str));
+ goto done;
+ }
+ }
+
+ if (!idmap_autorid_validate_sid(domsid)) {
+ DEBUG(10, ("String '%s' is not a valid sid. "
+ "Skipping record.\n", domsid));
+ goto done;
+ }
+
+ if ((vi->domsid != NULL) && (strcmp(domsid, vi->domsid) != 0)) {
+ DEBUG(10, ("key sid '%s' does not match requested sid '%s'.\n",
+ domsid, vi->domsid));
+ goto done;
+ }
+
+ value = dbwrap_record_get_value(rec);
+
+ if (value.dsize != sizeof(uint32_t)) {
+ /* it might be a mapping of a well known sid */
+ DEBUG(10, ("value size %u != sizeof(uint32_t) for sid '%s', "
+ "skipping.\n", (unsigned)value.dsize, vi->domsid));
+ goto done;
+ }
+
+ rangenum = IVAL(value.dptr, 0);
+
+ db = dbwrap_record_get_db(rec);
+
+ status = vi->fn(db, domsid, range_index, rangenum, vi->private_data);
+ if (!NT_STATUS_IS_OK(status)) {
+ ret = -1;
+ goto done;
+ }
+
+ vi->count++;
+ ret = 0;
+
+done:
+ return ret;
+}
+
+static NTSTATUS idmap_autorid_iterate_domain_ranges_int(struct db_context *db,
+ const char *domsid,
+ NTSTATUS (*fn)(struct db_context *db,
+ const char *domsid,
+ uint32_t index,
+ uint32_t rangnum,
+ void *private_data),
+ void *private_data,
+ int *count,
+ NTSTATUS (*traverse)(struct db_context *db,
+ int (*f)(struct db_record *, void *),
+ void *private_data,
+ int *count))
+{
+ NTSTATUS status;
+ struct domain_range_visitor_ctx *vi;
+ TALLOC_CTX *frame = talloc_stackframe();
+
+ if (domsid == NULL) {
+ DEBUG(10, ("No sid provided, operating on all ranges\n"));
+ }
+
+ if (fn == NULL) {
+ DEBUG(1, ("Error: missing visitor callback\n"));
+ status = NT_STATUS_INVALID_PARAMETER;
+ goto done;
+ }
+
+ vi = talloc_zero(frame, struct domain_range_visitor_ctx);
+ if (vi == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
+
+ vi->domsid = domsid;
+ vi->fn = fn;
+ vi->private_data = private_data;
+
+ status = traverse(db, idmap_autorid_visit_domain_range, vi, NULL);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto done;
+ }
+
+ if (count != NULL) {
+ *count = vi->count;
+ }
+
+done:
+ talloc_free(frame);
+ return status;
+}
+
+NTSTATUS idmap_autorid_iterate_domain_ranges(struct db_context *db,
+ const char *domsid,
+ NTSTATUS (*fn)(struct db_context *db,
+ const char *domsid,
+ uint32_t index,
+ uint32_t rangenum,
+ void *private_data),
+ void *private_data,
+ int *count)
+{
+ NTSTATUS status;
+
+ status = idmap_autorid_iterate_domain_ranges_int(db,
+ domsid,
+ fn,
+ private_data,
+ count,
+ dbwrap_traverse);
+
+ return status;
+}
+
+
+NTSTATUS idmap_autorid_iterate_domain_ranges_read(struct db_context *db,
+ const char *domsid,
+ NTSTATUS (*fn)(struct db_context *db,
+ const char *domsid,
+ uint32_t index,
+ uint32_t rangenum,
+ void *count),
+ void *private_data,
+ int *count)
+{
+ NTSTATUS status;
+
+ status = idmap_autorid_iterate_domain_ranges_int(db,
+ domsid,
+ fn,
+ private_data,
+ count,
+ dbwrap_traverse_read);
+
+ return status;
+}
+
+
+/*
+ * Delete all ranges configured for a given domain
+ */
+
+struct delete_domain_ranges_visitor_ctx {
+ bool force;
+};
+
+static NTSTATUS idmap_autorid_delete_domain_ranges_visitor(
+ struct db_context *db,
+ const char *domsid,
+ uint32_t domain_range_index,
+ uint32_t rangenum,
+ void *private_data)
+{
+ struct delete_domain_ranges_visitor_ctx *ctx;
+ NTSTATUS status;
+
+ ctx = (struct delete_domain_ranges_visitor_ctx *)private_data;
+
+ status = idmap_autorid_delete_range_by_sid(
+ db, domsid, domain_range_index, ctx->force);
+ return status;
+}
+
+struct idmap_autorid_delete_domain_ranges_ctx {
+ const char *domsid;
+ bool force;
+ int count; /* output: count records operated on */
+};
+
+static NTSTATUS idmap_autorid_delete_domain_ranges_action(struct db_context *db,
+ void *private_data)
+{
+ struct idmap_autorid_delete_domain_ranges_ctx *ctx;
+ struct delete_domain_ranges_visitor_ctx visitor_ctx;
+ int count;
+ NTSTATUS status;
+
+ ctx = (struct idmap_autorid_delete_domain_ranges_ctx *)private_data;
+
+ ZERO_STRUCT(visitor_ctx);
+ visitor_ctx.force = ctx->force;
+
+ status = idmap_autorid_iterate_domain_ranges(db,
+ ctx->domsid,
+ idmap_autorid_delete_domain_ranges_visitor,
+ &visitor_ctx,
+ &count);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ ctx->count = count;
+
+ return NT_STATUS_OK;
+}
+
+NTSTATUS idmap_autorid_delete_domain_ranges(struct db_context *db,
+ const char *domsid,
+ bool force,
+ int *count)
+{
+ NTSTATUS status;
+ struct idmap_autorid_delete_domain_ranges_ctx ctx;
+
+ ZERO_STRUCT(ctx);
+ ctx.domsid = domsid;
+ ctx.force = force;
+
+ status = dbwrap_trans_do(db, idmap_autorid_delete_domain_ranges_action,
+ &ctx);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ *count = ctx.count;
+
+ return NT_STATUS_OK;
+}
diff --git a/source3/winbindd/idmap_hash/idmap_hash.c b/source3/winbindd/idmap_hash/idmap_hash.c
new file mode 100644
index 0000000..e9d90e3
--- /dev/null
+++ b/source3/winbindd/idmap_hash/idmap_hash.c
@@ -0,0 +1,504 @@
+/*
+ * idmap_hash.c
+ *
+ * Copyright (C) Gerald Carter <jerry@samba.org> 2007 - 2008
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#include "includes.h"
+#include "winbindd/winbindd.h"
+#include "idmap.h"
+#include "idmap_hash.h"
+#include "ads.h"
+#include "nss_info.h"
+#include "../libcli/security/dom_sid.h"
+#include "libsmb/samlogon_cache.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_IDMAP
+
+struct sid_hash_table {
+ struct dom_sid *sid;
+};
+
+/*********************************************************************
+ Hash a domain SID (S-1-5-12-aaa-bbb-ccc) to a 12bit number
+ ********************************************************************/
+
+static uint32_t hash_domain_sid(const struct dom_sid *sid)
+{
+ uint32_t hash;
+
+ if (sid->num_auths != 4)
+ return 0;
+
+ /* XOR the last three subauths */
+
+ hash = ((sid->sub_auths[1] ^ sid->sub_auths[2]) ^ sid->sub_auths[3]);
+
+ /* Take all 32-bits into account when generating the 12-bit
+ hash value */
+ hash = (((hash & 0xFFF00000) >> 20)
+ + ((hash & 0x000FFF00) >> 8)
+ + (hash & 0x000000FF)) & 0x0000FFF;
+
+ /* return a 12-bit hash value */
+
+ return hash;
+}
+
+/*********************************************************************
+ Hash a Relative ID to a 19 bit number
+ ********************************************************************/
+
+static uint32_t hash_rid(uint32_t rid)
+{
+ /*
+ * 19 bits for the rid which allows us to support
+ * the first 50K users/groups in a domain
+ *
+ */
+
+ return (rid & 0x0007FFFF);
+}
+
+/*********************************************************************
+ ********************************************************************/
+
+static uint32_t combine_hashes(uint32_t h_domain,
+ uint32_t h_rid)
+{
+ uint32_t return_id = 0;
+
+ /*
+ * shift the hash_domain 19 bits to the left and OR with the
+ * hash_rid
+ *
+ * This will generate a 31 bit number out of
+ * 12 bit domain and 19 bit rid.
+ */
+
+ return_id = ((h_domain<<19) | h_rid);
+
+ return return_id;
+}
+
+/*********************************************************************
+ ********************************************************************/
+
+static void separate_hashes(uint32_t id,
+ uint32_t *h_domain,
+ uint32_t *h_rid)
+{
+ *h_rid = id & 0x0007FFFF;
+ *h_domain = (id & 0x7FF80000) >> 19;
+
+ return;
+}
+
+
+/*********************************************************************
+ ********************************************************************/
+
+static NTSTATUS idmap_hash_initialize(struct idmap_domain *dom)
+{
+ struct sid_hash_table *hashed_domains;
+ NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
+ struct winbindd_tdc_domain *dom_list = NULL;
+ size_t num_domains = 0;
+ size_t i;
+
+ DBG_ERR("The idmap_hash module is deprecated and should not be used. "
+ "Please migrate to a different plugin. This module will be "
+ "removed in a future version of Samba\n");
+
+ if (!strequal(dom->name, "*")) {
+ DBG_ERR("Error: idmap_hash configured for domain '%s'. "
+ "But the hash module can only be used for the default "
+ "idmap configuration.\n", dom->name);
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ if (!wcache_tdc_fetch_list(&dom_list, &num_domains)) {
+ nt_status = NT_STATUS_TRUSTED_DOMAIN_FAILURE;
+ BAIL_ON_NTSTATUS_ERROR(nt_status);
+ }
+
+ /* Create the hash table of domain SIDs */
+
+ hashed_domains = talloc_zero_array(dom, struct sid_hash_table, 4096);
+ BAIL_ON_PTR_NT_ERROR(hashed_domains, nt_status);
+
+ /* create the hash table of domain SIDs */
+
+ for (i=0; i<num_domains; i++) {
+ struct dom_sid_buf buf;
+ uint32_t hash;
+
+ if (is_null_sid(&dom_list[i].sid))
+ continue;
+
+ /*
+ * Check if the domain from the list is not already configured
+ * to use another idmap backend. Not checking this makes the
+ * idmap_hash module map IDs for *all* domains implicitly. This
+ * is quite dangerous in setups that use multiple idmap
+ * configurations.
+ */
+
+ if (domain_has_idmap_config(dom_list[i].domain_name)) {
+ continue;
+ }
+
+ if ((hash = hash_domain_sid(&dom_list[i].sid)) == 0)
+ continue;
+
+ DBG_INFO("Adding %s (%s) -> %d\n",
+ dom_list[i].domain_name,
+ dom_sid_str_buf(&dom_list[i].sid, &buf),
+ hash);
+
+ hashed_domains[hash].sid = talloc(hashed_domains, struct dom_sid);
+ sid_copy(hashed_domains[hash].sid, &dom_list[i].sid);
+ }
+
+ dom->private_data = hashed_domains;
+
+done:
+ return nt_status;
+}
+
+/*********************************************************************
+ ********************************************************************/
+
+static NTSTATUS idmap_hash_id_to_sid(struct sid_hash_table *hashed_domains,
+ struct idmap_domain *dom,
+ struct id_map *id)
+{
+ uint32_t h_domain = 0, h_rid = 0;
+
+ id->status = ID_UNMAPPED;
+
+ separate_hashes(id->xid.id, &h_domain, &h_rid);
+
+ /*
+ * If the domain hash doesn't find a SID in the table,
+ * skip it
+ */
+ if (hashed_domains[h_domain].sid == NULL) {
+ /* keep ID_UNMAPPED */
+ return NT_STATUS_OK;
+ }
+
+ id->xid.type = ID_TYPE_BOTH;
+ sid_compose(id->sid, hashed_domains[h_domain].sid, h_rid);
+ id->status = ID_MAPPED;
+
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS unixids_to_sids(struct idmap_domain *dom,
+ struct id_map **ids)
+{
+ struct sid_hash_table *hashed_domains = talloc_get_type_abort(
+ dom->private_data, struct sid_hash_table);
+ size_t i;
+ size_t num_tomap = 0;
+ size_t num_mapped = 0;
+
+ /* initialize the status to avoid surprise */
+ for (i = 0; ids[i]; i++) {
+ ids[i]->status = ID_UNKNOWN;
+ num_tomap++;
+ }
+
+ for (i=0; ids[i]; i++) {
+ NTSTATUS ret;
+
+ ret = idmap_hash_id_to_sid(hashed_domains, dom, ids[i]);
+ if (!NT_STATUS_IS_OK(ret)) {
+ /* some fatal error occurred, log it */
+ DBG_NOTICE("Unexpected error resolving an ID "
+ "(%d): %s\n", ids[i]->xid.id,
+ nt_errstr(ret));
+ return ret;
+ }
+
+ if (ids[i]->status == ID_MAPPED) {
+ num_mapped++;
+ }
+ }
+
+ if (num_tomap == num_mapped) {
+ return NT_STATUS_OK;
+ } else if (num_mapped == 0) {
+ return NT_STATUS_NONE_MAPPED;
+ }
+
+ return STATUS_SOME_UNMAPPED;
+}
+
+/*********************************************************************
+ ********************************************************************/
+
+static NTSTATUS idmap_hash_sid_to_id(struct sid_hash_table *hashed_domains,
+ struct idmap_domain *dom,
+ struct id_map *id)
+{
+ struct dom_sid sid;
+ uint32_t rid;
+ uint32_t h_domain, h_rid;
+
+ id->status = ID_UNMAPPED;
+
+ sid_copy(&sid, id->sid);
+ sid_split_rid(&sid, &rid);
+
+ h_domain = hash_domain_sid(&sid);
+ h_rid = hash_rid(rid);
+
+ /* Check that both hashes are non-zero*/
+ if (h_domain == 0) {
+ /* keep ID_UNMAPPED */
+ return NT_STATUS_OK;
+ }
+ if (h_rid == 0) {
+ /* keep ID_UNMAPPED */
+ return NT_STATUS_OK;
+ }
+
+ /*
+ * If the domain hash already exists find a SID in the table,
+ * just return the mapping.
+ */
+ if (hashed_domains[h_domain].sid != NULL) {
+ goto return_mapping;
+ }
+
+ /*
+ * Check of last resort: A domain is valid if a user from that
+ * domain has recently logged in. The samlogon_cache these
+ * days also stores the domain sid.
+ */
+ if (netsamlogon_cache_have(&sid)) {
+ /*
+ * The domain is valid, so we'll
+ * remember it in order to
+ * allow reverse mappings to work.
+ */
+ goto remember_domain;
+ }
+
+ if (id->xid.type == ID_TYPE_NOT_SPECIFIED) {
+ /*
+ * idmap_hash used to bounce back the requested type,
+ * which was ID_TYPE_UID, ID_TYPE_GID or
+ * ID_TYPE_NOT_SPECIFIED before as the winbindd parent
+ * always used a lookupsids. When the lookupsids
+ * failed because of an unknown domain, the idmap child
+ * weren't requested at all and the caller sees
+ * ID_TYPE_NOT_SPECIFIED.
+ *
+ * Now that the winbindd parent will pass ID_TYPE_BOTH
+ * in order to indicate that the domain exists.
+ * We should ask the parent to fallback to lookupsids
+ * if the domain is not known yet.
+ */
+ id->status = ID_REQUIRE_TYPE;
+ return NT_STATUS_OK;
+ }
+
+ /*
+ * Now we're sure the domain exist, remember
+ * the domain in order to return reverse mappings
+ * in future.
+ */
+remember_domain:
+ hashed_domains[h_domain].sid = dom_sid_dup(hashed_domains, &sid);
+ if (hashed_domains[h_domain].sid == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ /*
+ * idmap_hash used to bounce back the requested type,
+ * which was ID_TYPE_UID, ID_TYPE_GID or
+ * ID_TYPE_NOT_SPECIFIED before as the winbindd parent
+ * always used a lookupsids.
+ *
+ * This module should have supported ID_TYPE_BOTH since
+ * samba-4.1.0, similar to idmap_rid and idmap_autorid.
+ *
+ * Now that the winbindd parent will pass ID_TYPE_BOTH
+ * in order to indicate that the domain exists, it's
+ * better to always return ID_TYPE_BOTH instead of a
+ * random mix of ID_TYPE_UID, ID_TYPE_GID or
+ * ID_TYPE_BOTH.
+ */
+return_mapping:
+ id->xid.type = ID_TYPE_BOTH;
+ id->xid.id = combine_hashes(h_domain, h_rid);
+ id->status = ID_MAPPED;
+
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS sids_to_unixids(struct idmap_domain *dom,
+ struct id_map **ids)
+{
+ struct sid_hash_table *hashed_domains = talloc_get_type_abort(
+ dom->private_data, struct sid_hash_table);
+ size_t i;
+ size_t num_tomap = 0;
+ size_t num_mapped = 0;
+ size_t num_required = 0;
+
+ /* initialize the status to avoid surprise */
+ for (i = 0; ids[i]; i++) {
+ ids[i]->status = ID_UNKNOWN;
+ num_tomap++;
+ }
+
+ for (i=0; ids[i]; i++) {
+ NTSTATUS ret;
+
+ ret = idmap_hash_sid_to_id(hashed_domains, dom, ids[i]);
+ if (!NT_STATUS_IS_OK(ret)) {
+ struct dom_sid_buf buf;
+ /* some fatal error occurred, log it */
+ DBG_NOTICE("Unexpected error resolving a SID "
+ "(%s): %s\n",
+ dom_sid_str_buf(ids[i]->sid, &buf),
+ nt_errstr(ret));
+ return ret;
+ }
+
+ if (ids[i]->status == ID_MAPPED) {
+ num_mapped++;
+ }
+ if (ids[i]->status == ID_REQUIRE_TYPE) {
+ num_required++;
+ }
+ }
+
+ if (num_tomap == num_mapped) {
+ return NT_STATUS_OK;
+ } else if (num_required > 0) {
+ return STATUS_SOME_UNMAPPED;
+ } else if (num_mapped == 0) {
+ return NT_STATUS_NONE_MAPPED;
+ }
+
+ return STATUS_SOME_UNMAPPED;
+}
+
+/*********************************************************************
+ ********************************************************************/
+
+static NTSTATUS nss_hash_init(struct nss_domain_entry *e )
+{
+ return NT_STATUS_OK;
+}
+
+/**********************************************************************
+ *********************************************************************/
+
+static NTSTATUS nss_hash_map_to_alias(TALLOC_CTX *mem_ctx,
+ struct nss_domain_entry *e,
+ const char *name,
+ char **alias)
+{
+ NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
+ const char *value;
+
+ value = talloc_asprintf(mem_ctx, "%s\\%s", e->domain, name);
+ BAIL_ON_PTR_NT_ERROR(value, nt_status);
+
+ nt_status = mapfile_lookup_key(mem_ctx, value, alias);
+ BAIL_ON_NTSTATUS_ERROR(nt_status);
+
+done:
+ return nt_status;
+}
+
+/**********************************************************************
+ *********************************************************************/
+
+static NTSTATUS nss_hash_map_from_alias(TALLOC_CTX *mem_ctx,
+ struct nss_domain_entry *e,
+ const char *alias,
+ char **name)
+{
+ return mapfile_lookup_value(mem_ctx, alias, name);
+}
+
+/**********************************************************************
+ *********************************************************************/
+
+static NTSTATUS nss_hash_close(void)
+{
+ return NT_STATUS_OK;
+}
+
+/*********************************************************************
+ Dispatch Tables for IDMap and NssInfo Methods
+********************************************************************/
+
+static const struct idmap_methods hash_idmap_methods = {
+ .init = idmap_hash_initialize,
+ .unixids_to_sids = unixids_to_sids,
+ .sids_to_unixids = sids_to_unixids,
+};
+
+static const struct nss_info_methods hash_nss_methods = {
+ .init = nss_hash_init,
+ .map_to_alias = nss_hash_map_to_alias,
+ .map_from_alias = nss_hash_map_from_alias,
+ .close_fn = nss_hash_close
+};
+
+/**********************************************************************
+ Register with the idmap and idmap_nss subsystems. We have to protect
+ against the idmap and nss_info interfaces being in a half-registered
+ state.
+ **********************************************************************/
+
+static_decl_idmap;
+NTSTATUS idmap_hash_init(TALLOC_CTX *ctx)
+{
+ static NTSTATUS idmap_status = NT_STATUS_UNSUCCESSFUL;
+ static NTSTATUS nss_status = NT_STATUS_UNSUCCESSFUL;
+
+ if ( !NT_STATUS_IS_OK(idmap_status) ) {
+ idmap_status = smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION,
+ "hash", &hash_idmap_methods);
+
+ if ( !NT_STATUS_IS_OK(idmap_status) ) {
+ DEBUG(0,("Failed to register hash idmap plugin.\n"));
+ return idmap_status;
+ }
+ }
+
+ if ( !NT_STATUS_IS_OK(nss_status) ) {
+ nss_status = smb_register_idmap_nss(SMB_NSS_INFO_INTERFACE_VERSION,
+ "hash", &hash_nss_methods);
+ if ( !NT_STATUS_IS_OK(nss_status) ) {
+ DEBUG(0,("Failed to register hash idmap nss plugin.\n"));
+ return nss_status;
+ }
+ }
+
+ return NT_STATUS_OK;
+}
diff --git a/source3/winbindd/idmap_hash/idmap_hash.h b/source3/winbindd/idmap_hash/idmap_hash.h
new file mode 100644
index 0000000..621520e
--- /dev/null
+++ b/source3/winbindd/idmap_hash/idmap_hash.h
@@ -0,0 +1,60 @@
+/*
+ * lwopen.h
+ *
+ * Copyright (C) Gerald Carter <jerry@samba.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#ifndef _LWOPEN_H
+#define _LWOPEN_H
+
+#define BAIL_ON_NTSTATUS_ERROR(x) \
+ do { \
+ if (!NT_STATUS_IS_OK(x)) { \
+ DEBUG(10,("Failed! (%s)\n", nt_errstr(x))); \
+ goto done; \
+ } \
+ } \
+ while (0); \
+
+#define BAIL_ON_PTR_NT_ERROR(p, x) \
+ do { \
+ if ((p) == NULL ) { \
+ DEBUG(10,("NULL pointer!\n")); \
+ x = NT_STATUS_NO_MEMORY; \
+ goto done; \
+ } else { \
+ x = NT_STATUS_OK; \
+ } \
+ } while (0);
+
+#define PRINT_NTSTATUS_ERROR(x, hdr, level) \
+ do { \
+ if (!NT_STATUS_IS_OK(x)) { \
+ DEBUG(level,("Likewise Open ("hdr"): %s\n", nt_errstr(x))); \
+ } \
+ } while(0);
+
+
+NTSTATUS mapfile_lookup_key(TALLOC_CTX *ctx,
+ const char *value,
+ char **key);
+
+NTSTATUS mapfile_lookup_value(TALLOC_CTX *ctx,
+ const char *key,
+ char **value);
+
+#endif /* _LWOPEN_H */
diff --git a/source3/winbindd/idmap_hash/mapfile.c b/source3/winbindd/idmap_hash/mapfile.c
new file mode 100644
index 0000000..82812a1
--- /dev/null
+++ b/source3/winbindd/idmap_hash/mapfile.c
@@ -0,0 +1,182 @@
+/*
+ * mapfile.c
+ *
+ * Copyright (C) Gerald Carter <jerry@samba.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#include "includes.h"
+#include "system/filesys.h"
+#include "winbindd/winbindd.h"
+#include "idmap.h"
+#include "idmap_hash.h"
+
+static FILE *lw_map_file = NULL;
+
+/*********************************************************************
+ ********************************************************************/
+
+static bool mapfile_open(void)
+{
+ const char *mapfile_name = NULL;
+
+ /* If we have an open handle, just reset it */
+
+ if (lw_map_file) {
+ return (fseek(lw_map_file, 0, SEEK_SET) == 0);
+ }
+
+ mapfile_name = lp_parm_const_string(-1, "idmap_hash", "name_map", NULL);
+ if (!mapfile_name) {
+ return false;
+ }
+
+ lw_map_file = fopen(mapfile_name, "r");
+ if (!lw_map_file) {
+ DEBUG(0,("can't open idmap_hash:name_map (%s). Error %s\n",
+ mapfile_name, strerror(errno) ));
+ return false;
+ }
+
+ return true;
+}
+
+/*********************************************************************
+ ********************************************************************/
+
+static bool mapfile_read_line(fstring key, fstring value)
+{
+ char buffer[1024];
+ char *p;
+ int len;
+
+ if (!lw_map_file)
+ return false;
+
+ p = fgets(buffer, sizeof(buffer)-1, lw_map_file);
+ if (p == NULL) {
+ return false;
+ }
+
+ /* Strip newlines and carriage returns */
+
+ len = strlen_m(buffer);
+ if (len == 0) {
+ return false;
+ }
+ len -= 1;
+
+ while ((buffer[len] == '\n') || (buffer[len] == '\r')) {
+ buffer[len--] = '\0';
+ }
+
+
+ if ((p = strchr_m(buffer, '=')) == NULL ) {
+ DEBUG(0,("idmap_hash: Bad line in name_map (%s)\n", buffer));
+ return false;
+ }
+
+ *p = '\0';
+ p++;
+
+ strlcpy(key, buffer, sizeof(fstring));
+ strlcpy(value, p, sizeof(fstring));
+
+ /* Eat whitespace */
+
+ if (!trim_char(key, ' ', ' '))
+ return false;
+
+ if (!trim_char(value, ' ', ' '))
+ return false;
+
+ return true;
+}
+
+/*********************************************************************
+ ********************************************************************/
+
+static bool mapfile_close(void)
+{
+ int ret = 0;
+ if (lw_map_file) {
+ ret = fclose(lw_map_file);
+ lw_map_file = NULL;
+ }
+
+ return (ret == 0);
+}
+
+
+/*********************************************************************
+ ********************************************************************/
+
+NTSTATUS mapfile_lookup_key(TALLOC_CTX *ctx, const char *value, char **key)
+{
+ fstring r_key, r_value;
+ NTSTATUS ret = NT_STATUS_NOT_FOUND;
+
+ if (!mapfile_open())
+ return NT_STATUS_OBJECT_PATH_NOT_FOUND;
+
+ while (mapfile_read_line(r_key, r_value))
+ {
+ if (strequal(r_value, value)) {
+ ret = NT_STATUS_OK;
+
+ /* We're done once finishing this block */
+ *key = talloc_strdup(ctx, r_key);
+ if (!*key) {
+ ret = NT_STATUS_NO_MEMORY;
+ }
+ break;
+ }
+ }
+
+ mapfile_close();
+
+ return ret;
+}
+
+/*********************************************************************
+ ********************************************************************/
+
+NTSTATUS mapfile_lookup_value(TALLOC_CTX *ctx, const char *key, char **value)
+{
+ fstring r_key, r_value;
+ NTSTATUS ret = NT_STATUS_NOT_FOUND;
+
+ if (!mapfile_open())
+ return NT_STATUS_OBJECT_PATH_NOT_FOUND;
+
+ while (mapfile_read_line(r_key, r_value))
+ {
+ if (strequal(r_key, key)) {
+ ret = NT_STATUS_OK;
+
+ /* We're done once finishing this block */
+ *value = talloc_strdup(ctx, r_value);
+ if (!*key) {
+ ret = NT_STATUS_NO_MEMORY;
+ }
+ break;
+ }
+ }
+
+ mapfile_close();
+
+ return ret;
+}
diff --git a/source3/winbindd/idmap_ldap.c b/source3/winbindd/idmap_ldap.c
new file mode 100644
index 0000000..36ab94b
--- /dev/null
+++ b/source3/winbindd/idmap_ldap.c
@@ -0,0 +1,1141 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ idmap LDAP backend
+
+ Copyright (C) Tim Potter 2000
+ Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003
+ Copyright (C) Gerald Carter 2003
+ Copyright (C) Simo Sorce 2003-2007
+ Copyright (C) Michael Adam 2010
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "winbindd.h"
+#include "secrets.h"
+#include "idmap.h"
+#include "idmap_rw.h"
+#include "../libcli/security/security.h"
+#include "lib/util/smb_strtox.h"
+#include "lib/global_contexts.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_IDMAP
+
+#include <lber.h>
+#include <ldap.h>
+
+#include "smbldap.h"
+#include "passdb/pdb_ldap_schema.h"
+
+struct idmap_ldap_context {
+ struct smbldap_state *smbldap_state;
+ char *url;
+ char *suffix;
+ char *user_dn;
+ bool anon;
+ struct idmap_rw_ops *rw_ops;
+};
+
+#define CHECK_ALLOC_DONE(mem) do { \
+ if (!mem) { \
+ DEBUG(0, ("Out of memory!\n")); \
+ ret = NT_STATUS_NO_MEMORY; \
+ goto done; \
+ } } while (0)
+
+/**********************************************************************
+ IDMAP ALLOC TDB BACKEND
+**********************************************************************/
+
+/*********************************************************************
+ ********************************************************************/
+
+static NTSTATUS get_credentials( TALLOC_CTX *mem_ctx,
+ struct smbldap_state *ldap_state,
+ struct idmap_domain *dom,
+ char **dn )
+{
+ NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
+ char *secret = NULL;
+ const char *tmp = NULL;
+ char *user_dn = NULL;
+ bool anon = False;
+
+ /* assume anonymous if we don't have a specified user */
+
+ tmp = idmap_config_const_string(dom->name, "ldap_user_dn", NULL);
+
+ if ( tmp ) {
+ secret = idmap_fetch_secret("ldap", dom->name, tmp);
+ if (!secret) {
+ DEBUG(0, ("get_credentials: Unable to fetch "
+ "auth credentials for %s in %s\n",
+ tmp, (dom==NULL)?"ALLOC":dom->name));
+ ret = NT_STATUS_ACCESS_DENIED;
+ goto done;
+ }
+ *dn = talloc_strdup(mem_ctx, tmp);
+ CHECK_ALLOC_DONE(*dn);
+ } else {
+ if (!fetch_ldap_pw(&user_dn, &secret)) {
+ DEBUG(2, ("get_credentials: Failed to lookup ldap "
+ "bind creds. Using anonymous connection.\n"));
+ anon = True;
+ *dn = NULL;
+ } else {
+ *dn = talloc_strdup(mem_ctx, user_dn);
+ SAFE_FREE( user_dn );
+ CHECK_ALLOC_DONE(*dn);
+ }
+ }
+
+ smbldap_set_creds(ldap_state, anon, *dn, secret);
+ ret = NT_STATUS_OK;
+
+done:
+ SAFE_FREE(secret);
+
+ return ret;
+}
+
+
+/**********************************************************************
+ Verify the sambaUnixIdPool entry in the directory.
+**********************************************************************/
+
+static NTSTATUS verify_idpool(struct idmap_domain *dom)
+{
+ NTSTATUS ret;
+ TALLOC_CTX *mem_ctx;
+ LDAPMessage *result = NULL;
+ LDAPMod **mods = NULL;
+ const char **attr_list;
+ char *filter;
+ int count;
+ int rc;
+ struct idmap_ldap_context *ctx;
+
+ ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
+
+ mem_ctx = talloc_new(ctx);
+ if (mem_ctx == NULL) {
+ DEBUG(0, ("Out of memory!\n"));
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ filter = talloc_asprintf(mem_ctx, "(objectclass=%s)", LDAP_OBJ_IDPOOL);
+ CHECK_ALLOC_DONE(filter);
+
+ attr_list = get_attr_list(mem_ctx, idpool_attr_list);
+ CHECK_ALLOC_DONE(attr_list);
+
+ rc = smbldap_search(ctx->smbldap_state,
+ ctx->suffix,
+ LDAP_SCOPE_SUBTREE,
+ filter,
+ attr_list,
+ 0,
+ &result);
+
+ if (rc != LDAP_SUCCESS) {
+ DEBUG(1, ("Unable to verify the idpool, "
+ "cannot continue initialization!\n"));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ count = ldap_count_entries(smbldap_get_ldap(ctx->smbldap_state),
+ result);
+
+ ldap_msgfree(result);
+
+ if ( count > 1 ) {
+ DEBUG(0,("Multiple entries returned from %s (base == %s)\n",
+ filter, ctx->suffix));
+ ret = NT_STATUS_UNSUCCESSFUL;
+ goto done;
+ }
+ else if (count == 0) {
+ char *uid_str, *gid_str;
+
+ uid_str = talloc_asprintf(mem_ctx, "%lu",
+ (unsigned long)dom->low_id);
+ gid_str = talloc_asprintf(mem_ctx, "%lu",
+ (unsigned long)dom->low_id);
+
+ smbldap_set_mod(&mods, LDAP_MOD_ADD,
+ "objectClass", LDAP_OBJ_IDPOOL);
+ smbldap_set_mod(&mods, LDAP_MOD_ADD,
+ get_attr_key2string(idpool_attr_list,
+ LDAP_ATTR_UIDNUMBER),
+ uid_str);
+ smbldap_set_mod(&mods, LDAP_MOD_ADD,
+ get_attr_key2string(idpool_attr_list,
+ LDAP_ATTR_GIDNUMBER),
+ gid_str);
+ if (mods) {
+ rc = smbldap_modify(ctx->smbldap_state,
+ ctx->suffix,
+ mods);
+ ldap_mods_free(mods, True);
+ } else {
+ ret = NT_STATUS_UNSUCCESSFUL;
+ goto done;
+ }
+ }
+
+ ret = (rc == LDAP_SUCCESS)?NT_STATUS_OK:NT_STATUS_UNSUCCESSFUL;
+done:
+ talloc_free(mem_ctx);
+ return ret;
+}
+
+/********************************
+ Allocate a new uid or gid
+********************************/
+
+static NTSTATUS idmap_ldap_allocate_id_internal(struct idmap_domain *dom,
+ struct unixid *xid)
+{
+ TALLOC_CTX *mem_ctx;
+ NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
+ int rc = LDAP_SERVER_DOWN;
+ int count = 0;
+ LDAPMessage *result = NULL;
+ LDAPMessage *entry = NULL;
+ LDAPMod **mods = NULL;
+ char *id_str;
+ char *new_id_str;
+ char *filter = NULL;
+ const char *dn = NULL;
+ const char **attr_list;
+ const char *type;
+ struct idmap_ldap_context *ctx;
+ int error = 0;
+
+ /* Only do query if we are online */
+ if (idmap_is_offline()) {
+ return NT_STATUS_FILE_IS_OFFLINE;
+ }
+
+ ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
+
+ mem_ctx = talloc_new(ctx);
+ if (!mem_ctx) {
+ DEBUG(0, ("Out of memory!\n"));
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ /* get type */
+ switch (xid->type) {
+
+ case ID_TYPE_UID:
+ type = get_attr_key2string(idpool_attr_list,
+ LDAP_ATTR_UIDNUMBER);
+ break;
+
+ case ID_TYPE_GID:
+ type = get_attr_key2string(idpool_attr_list,
+ LDAP_ATTR_GIDNUMBER);
+ break;
+
+ case ID_TYPE_BOTH:
+ /*
+ * This is not supported here yet and
+ * already handled in idmap_rw_new_mapping()
+ */
+ FALL_THROUGH;
+ case ID_TYPE_NOT_SPECIFIED:
+ /*
+ * This is handled in idmap_rw_new_mapping()
+ */
+ FALL_THROUGH;
+ default:
+ DEBUG(2, ("Invalid ID type (0x%x)\n", xid->type));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ filter = talloc_asprintf(mem_ctx, "(objectClass=%s)", LDAP_OBJ_IDPOOL);
+ CHECK_ALLOC_DONE(filter);
+
+ attr_list = get_attr_list(mem_ctx, idpool_attr_list);
+ CHECK_ALLOC_DONE(attr_list);
+
+ DEBUG(10, ("Search of the id pool (filter: %s)\n", filter));
+
+ rc = smbldap_search(ctx->smbldap_state,
+ ctx->suffix,
+ LDAP_SCOPE_SUBTREE, filter,
+ attr_list, 0, &result);
+
+ if (rc != LDAP_SUCCESS) {
+ DEBUG(0,("%s object not found\n", LDAP_OBJ_IDPOOL));
+ goto done;
+ }
+
+ smbldap_talloc_autofree_ldapmsg(mem_ctx, result);
+
+ count = ldap_count_entries(smbldap_get_ldap(ctx->smbldap_state),
+ result);
+ if (count != 1) {
+ DEBUG(0,("Single %s object not found\n", LDAP_OBJ_IDPOOL));
+ goto done;
+ }
+
+ entry = ldap_first_entry(smbldap_get_ldap(ctx->smbldap_state), result);
+
+ dn = smbldap_talloc_dn(mem_ctx,
+ smbldap_get_ldap(ctx->smbldap_state),
+ entry);
+ if ( ! dn) {
+ goto done;
+ }
+
+ id_str = smbldap_talloc_single_attribute(
+ smbldap_get_ldap(ctx->smbldap_state),
+ entry, type, mem_ctx);
+ if (id_str == NULL) {
+ DEBUG(0,("%s attribute not found\n", type));
+ ret = NT_STATUS_UNSUCCESSFUL;
+ goto done;
+ }
+
+ xid->id = smb_strtoul(id_str, NULL, 10, &error, SMB_STR_STANDARD);
+ if (error != 0) {
+ ret = NT_STATUS_UNSUCCESSFUL;
+ goto done;
+ }
+
+ /* make sure we still have room to grow */
+
+ switch (xid->type) {
+ case ID_TYPE_UID:
+ if (xid->id > dom->high_id) {
+ DEBUG(0,("Cannot allocate uid above %lu!\n",
+ (unsigned long)dom->high_id));
+ goto done;
+ }
+ break;
+
+ case ID_TYPE_GID:
+ if (xid->id > dom->high_id) {
+ DEBUG(0,("Cannot allocate gid above %lu!\n",
+ (unsigned long)dom->high_id));
+ goto done;
+ }
+ break;
+
+ default:
+ /* impossible */
+ goto done;
+ }
+
+ new_id_str = talloc_asprintf(mem_ctx, "%lu", (unsigned long)xid->id + 1);
+ if ( ! new_id_str) {
+ DEBUG(0,("Out of memory\n"));
+ ret = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
+
+ smbldap_set_mod(&mods, LDAP_MOD_DELETE, type, id_str);
+ smbldap_set_mod(&mods, LDAP_MOD_ADD, type, new_id_str);
+
+ if (mods == NULL) {
+ DEBUG(0,("smbldap_set_mod() failed.\n"));
+ goto done;
+ }
+
+ DEBUG(10, ("Try to atomically increment the id (%s -> %s)\n",
+ id_str, new_id_str));
+
+ rc = smbldap_modify(ctx->smbldap_state, dn, mods);
+
+ ldap_mods_free(mods, True);
+
+ if (rc != LDAP_SUCCESS) {
+ DEBUG(1,("Failed to allocate new %s. "
+ "smbldap_modify() failed.\n", type));
+ goto done;
+ }
+
+ ret = NT_STATUS_OK;
+
+done:
+ talloc_free(mem_ctx);
+ return ret;
+}
+
+/**
+ * Allocate a new unix-ID.
+ * For now this is for the default idmap domain only.
+ * Should be extended later on.
+ */
+static NTSTATUS idmap_ldap_allocate_id(struct idmap_domain *dom,
+ struct unixid *id)
+{
+ NTSTATUS ret;
+
+ if (!strequal(dom->name, "*")) {
+ DEBUG(3, ("idmap_ldap_allocate_id: "
+ "Refusing allocation of a new unixid for domain'%s'. "
+ "This is only supported for the default "
+ "domain \"*\".\n",
+ dom->name));
+ return NT_STATUS_NOT_IMPLEMENTED;
+ }
+
+ ret = idmap_ldap_allocate_id_internal(dom, id);
+
+ return ret;
+}
+
+
+/**********************************************************************
+ IDMAP MAPPING LDAP BACKEND
+**********************************************************************/
+
+static int idmap_ldap_close_destructor(struct idmap_ldap_context *ctx)
+{
+ smbldap_free_struct(&ctx->smbldap_state);
+ DEBUG(5,("The connection to the LDAP server was closed\n"));
+ /* maybe free the results here --metze */
+
+ return 0;
+}
+
+/********************************
+ Initialise idmap database.
+********************************/
+
+static NTSTATUS idmap_ldap_set_mapping(struct idmap_domain *dom,
+ const struct id_map *map);
+
+static NTSTATUS idmap_ldap_db_init(struct idmap_domain *dom)
+{
+ NTSTATUS ret;
+ struct idmap_ldap_context *ctx = NULL;
+ const char *tmp = NULL;
+
+ /* Only do init if we are online */
+ if (idmap_is_offline()) {
+ return NT_STATUS_FILE_IS_OFFLINE;
+ }
+
+ ctx = talloc_zero(dom, struct idmap_ldap_context);
+ if ( ! ctx) {
+ DEBUG(0, ("Out of memory!\n"));
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ tmp = idmap_config_const_string(dom->name, "ldap_url", NULL);
+
+ if ( ! tmp) {
+ DEBUG(1, ("ERROR: missing idmap ldap url\n"));
+ ret = NT_STATUS_UNSUCCESSFUL;
+ goto done;
+ }
+
+ ctx->url = talloc_strdup(ctx, tmp);
+
+ trim_char(ctx->url, '\"', '\"');
+
+ tmp = idmap_config_const_string(dom->name, "ldap_base_dn", NULL);
+ if ( ! tmp || ! *tmp) {
+ tmp = lp_ldap_idmap_suffix(talloc_tos());
+ if ( ! tmp) {
+ DEBUG(1, ("ERROR: missing idmap ldap suffix\n"));
+ ret = NT_STATUS_UNSUCCESSFUL;
+ goto done;
+ }
+ }
+
+ ctx->suffix = talloc_strdup(ctx, tmp);
+ CHECK_ALLOC_DONE(ctx->suffix);
+
+ ctx->rw_ops = talloc_zero(ctx, struct idmap_rw_ops);
+ CHECK_ALLOC_DONE(ctx->rw_ops);
+
+ ctx->rw_ops->get_new_id = idmap_ldap_allocate_id_internal;
+ ctx->rw_ops->set_mapping = idmap_ldap_set_mapping;
+
+ /* get_credentials deals with setting up creds */
+
+ ret = smbldap_init(ctx, global_event_context(), ctx->url,
+ false, NULL, NULL, &ctx->smbldap_state);
+ if (!NT_STATUS_IS_OK(ret)) {
+ DEBUG(1, ("ERROR: smbldap_init (%s) failed!\n", ctx->url));
+ goto done;
+ }
+
+ ret = get_credentials( ctx, ctx->smbldap_state,
+ dom, &ctx->user_dn );
+ if ( !NT_STATUS_IS_OK(ret) ) {
+ DEBUG(1,("idmap_ldap_db_init: Failed to get connection "
+ "credentials (%s)\n", nt_errstr(ret)));
+ goto done;
+ }
+
+ /*
+ * Set the destructor on the context, so that resources are
+ * properly freed when the context is released.
+ */
+ talloc_set_destructor(ctx, idmap_ldap_close_destructor);
+
+ dom->private_data = ctx;
+
+ ret = verify_idpool(dom);
+ if (!NT_STATUS_IS_OK(ret)) {
+ DEBUG(1, ("idmap_ldap_db_init: failed to verify ID pool (%s)\n",
+ nt_errstr(ret)));
+ goto done;
+ }
+
+ return NT_STATUS_OK;
+
+/*failed */
+done:
+ talloc_free(ctx);
+ return ret;
+}
+
+/**
+ * set a mapping.
+ */
+
+/* TODO: change this: This function cannot be called to modify a mapping,
+ * only set a new one */
+
+static NTSTATUS idmap_ldap_set_mapping(struct idmap_domain *dom,
+ const struct id_map *map)
+{
+ NTSTATUS ret;
+ TALLOC_CTX *memctx;
+ struct idmap_ldap_context *ctx;
+ LDAPMessage *entry = NULL;
+ LDAPMod **mods = NULL;
+ const char *type;
+ char *id_str;
+ struct dom_sid_buf sid;
+ char *dn;
+ int rc = -1;
+
+ /* Only do query if we are online */
+ if (idmap_is_offline()) {
+ return NT_STATUS_FILE_IS_OFFLINE;
+ }
+
+ ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
+
+ switch(map->xid.type) {
+ case ID_TYPE_UID:
+ type = get_attr_key2string(sidmap_attr_list,
+ LDAP_ATTR_UIDNUMBER);
+ break;
+
+ case ID_TYPE_GID:
+ type = get_attr_key2string(sidmap_attr_list,
+ LDAP_ATTR_GIDNUMBER);
+ break;
+
+ default:
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ memctx = talloc_new(ctx);
+ if ( ! memctx) {
+ DEBUG(0, ("Out of memory!\n"));
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ id_str = talloc_asprintf(memctx, "%lu", (unsigned long)map->xid.id);
+ CHECK_ALLOC_DONE(id_str);
+
+ dn = talloc_asprintf(memctx, "%s=%s,%s",
+ get_attr_key2string(sidmap_attr_list, LDAP_ATTR_SID),
+ dom_sid_str_buf(map->sid, &sid),
+ ctx->suffix);
+ CHECK_ALLOC_DONE(dn);
+
+ smbldap_set_mod(&mods, LDAP_MOD_ADD,
+ "objectClass", LDAP_OBJ_IDMAP_ENTRY);
+
+ smbldap_make_mod(smbldap_get_ldap(ctx->smbldap_state),
+ entry, &mods, type, id_str);
+
+ smbldap_make_mod(smbldap_get_ldap(ctx->smbldap_state), entry, &mods,
+ get_attr_key2string(sidmap_attr_list, LDAP_ATTR_SID),
+ sid.buf);
+
+ if ( ! mods) {
+ DEBUG(2, ("ERROR: No mods?\n"));
+ ret = NT_STATUS_UNSUCCESSFUL;
+ goto done;
+ }
+
+ /* TODO: remove conflicting mappings! */
+
+ smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_SID_ENTRY);
+
+ DEBUG(10, ("Set DN %s (%s -> %s)\n", dn, sid.buf, id_str));
+
+ rc = smbldap_add(ctx->smbldap_state, dn, mods);
+ ldap_mods_free(mods, True);
+
+ if (rc != LDAP_SUCCESS) {
+ char *ld_error = NULL;
+ ldap_get_option(smbldap_get_ldap(ctx->smbldap_state),
+ LDAP_OPT_ERROR_STRING, &ld_error);
+ DEBUG(0,("ldap_set_mapping_internals: Failed to add %s to %lu "
+ "mapping [%s]\n", sid.buf,
+ (unsigned long)map->xid.id, type));
+ DEBUG(0, ("ldap_set_mapping_internals: Error was: %s (%s)\n",
+ ld_error ? ld_error : "(NULL)", ldap_err2string (rc)));
+ if (ld_error) {
+ ldap_memfree(ld_error);
+ }
+ ret = NT_STATUS_UNSUCCESSFUL;
+ goto done;
+ }
+
+ DEBUG(10,("ldap_set_mapping: Successfully created mapping from %s to "
+ "%lu [%s]\n", sid.buf, (unsigned long)map->xid.id, type));
+
+ ret = NT_STATUS_OK;
+
+done:
+ talloc_free(memctx);
+ return ret;
+}
+
+/**
+ * Create a new mapping for an unmapped SID, also allocating a new ID.
+ * If possible, this should be run inside a transaction to make the
+ * action atomic.
+ */
+static NTSTATUS idmap_ldap_new_mapping(struct idmap_domain *dom, struct id_map *map)
+{
+ NTSTATUS ret;
+ struct idmap_ldap_context *ctx;
+
+ ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
+
+ ret = idmap_rw_new_mapping(dom, ctx->rw_ops, map);
+
+ return ret;
+}
+
+/**********************************
+ lookup a set of unix ids.
+**********************************/
+
+static NTSTATUS idmap_ldap_unixids_to_sids(struct idmap_domain *dom,
+ struct id_map **ids)
+{
+ NTSTATUS ret;
+ TALLOC_CTX *memctx;
+ struct idmap_ldap_context *ctx;
+ LDAPMessage *result = NULL;
+ LDAPMessage *entry = NULL;
+ const char *uidNumber;
+ const char *gidNumber;
+ const char **attr_list;
+ char *filter = NULL;
+ bool multi = False;
+ int idx = 0;
+ int bidx = 0;
+ int count;
+ int rc;
+ int i;
+ int error = 0;
+
+ /* Only do query if we are online */
+ if (idmap_is_offline()) {
+ return NT_STATUS_FILE_IS_OFFLINE;
+ }
+
+ ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
+
+ memctx = talloc_new(ctx);
+ if ( ! memctx) {
+ DEBUG(0, ("Out of memory!\n"));
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ uidNumber = get_attr_key2string(idpool_attr_list, LDAP_ATTR_UIDNUMBER);
+ gidNumber = get_attr_key2string(idpool_attr_list, LDAP_ATTR_GIDNUMBER);
+
+ attr_list = get_attr_list(memctx, sidmap_attr_list);
+
+ if ( ! ids[1]) {
+ /* if we are requested just one mapping use the simple filter */
+
+ filter = talloc_asprintf(memctx, "(&(objectClass=%s)(%s=%lu))",
+ LDAP_OBJ_IDMAP_ENTRY,
+ (ids[0]->xid.type==ID_TYPE_UID)?uidNumber:gidNumber,
+ (unsigned long)ids[0]->xid.id);
+ CHECK_ALLOC_DONE(filter);
+ DEBUG(10, ("Filter: [%s]\n", filter));
+ } else {
+ /* multiple mappings */
+ multi = True;
+ }
+
+ for (i = 0; ids[i]; i++) {
+ ids[i]->status = ID_UNKNOWN;
+ }
+
+again:
+ if (multi) {
+
+ talloc_free(filter);
+ filter = talloc_asprintf(memctx,
+ "(&(objectClass=%s)(|",
+ LDAP_OBJ_IDMAP_ENTRY);
+ CHECK_ALLOC_DONE(filter);
+
+ bidx = idx;
+ for (i = 0; (i < IDMAP_LDAP_MAX_IDS) && ids[idx]; i++, idx++) {
+ filter = talloc_asprintf_append_buffer(filter, "(%s=%lu)",
+ (ids[idx]->xid.type==ID_TYPE_UID)?uidNumber:gidNumber,
+ (unsigned long)ids[idx]->xid.id);
+ CHECK_ALLOC_DONE(filter);
+ }
+ filter = talloc_asprintf_append_buffer(filter, "))");
+ CHECK_ALLOC_DONE(filter);
+ DEBUG(10, ("Filter: [%s]\n", filter));
+ } else {
+ bidx = 0;
+ idx = 1;
+ }
+
+ rc = smbldap_search(ctx->smbldap_state, ctx->suffix, LDAP_SCOPE_SUBTREE,
+ filter, attr_list, 0, &result);
+
+ if (rc != LDAP_SUCCESS) {
+ DEBUG(3,("Failure looking up ids (%s)\n", ldap_err2string(rc)));
+ ret = NT_STATUS_UNSUCCESSFUL;
+ goto done;
+ }
+
+ count = ldap_count_entries(smbldap_get_ldap(ctx->smbldap_state),
+ result);
+
+ if (count == 0) {
+ DEBUG(10, ("NO SIDs found\n"));
+ }
+
+ for (i = 0; i < count; i++) {
+ char *sidstr = NULL;
+ char *tmp = NULL;
+ enum id_type type;
+ struct id_map *map;
+ uint32_t id;
+ struct dom_sid_buf buf;
+
+ if (i == 0) { /* first entry */
+ entry = ldap_first_entry(
+ smbldap_get_ldap(ctx->smbldap_state), result);
+ } else { /* following ones */
+ entry = ldap_next_entry(
+ smbldap_get_ldap(ctx->smbldap_state), entry);
+ }
+ if ( ! entry) {
+ DEBUG(2, ("ERROR: Unable to fetch ldap entries "
+ "from results\n"));
+ break;
+ }
+
+ /* first check if the SID is present */
+ sidstr = smbldap_talloc_single_attribute(
+ smbldap_get_ldap(ctx->smbldap_state),
+ entry, LDAP_ATTRIBUTE_SID, memctx);
+ if ( ! sidstr) { /* no sid, skip entry */
+ DEBUG(2, ("WARNING SID not found on entry\n"));
+ continue;
+ }
+
+ /* now try to see if it is a uid, if not try with a gid
+ * (gid is more common, but in case both uidNumber and
+ * gidNumber are returned the SID is mapped to the uid
+ *not the gid) */
+ type = ID_TYPE_UID;
+ tmp = smbldap_talloc_single_attribute(
+ smbldap_get_ldap(ctx->smbldap_state),
+ entry, uidNumber, memctx);
+ if ( ! tmp) {
+ type = ID_TYPE_GID;
+ tmp = smbldap_talloc_single_attribute(
+ smbldap_get_ldap(ctx->smbldap_state),
+ entry, gidNumber, memctx);
+ }
+ if ( ! tmp) { /* wow very strange entry, how did it match ? */
+ DEBUG(5, ("Unprobable match on (%s), no uidNumber, "
+ "nor gidNumber returned\n", sidstr));
+ TALLOC_FREE(sidstr);
+ continue;
+ }
+
+ id = smb_strtoul(tmp, NULL, 10, &error, SMB_STR_STANDARD);
+ TALLOC_FREE(tmp);
+ if (error != 0) {
+ DEBUG(5, ("Requested id (%u) out of range (%u - %u). "
+ "Filtered!\n", id,
+ dom->low_id, dom->high_id));
+ TALLOC_FREE(sidstr);
+ continue;
+ }
+
+ if (!idmap_unix_id_is_in_range(id, dom)) {
+ DEBUG(5, ("Requested id (%u) out of range (%u - %u). "
+ "Filtered!\n", id,
+ dom->low_id, dom->high_id));
+ TALLOC_FREE(sidstr);
+ continue;
+ }
+
+ map = idmap_find_map_by_id(&ids[bidx], type, id);
+ if (!map) {
+ DEBUG(2, ("WARNING: couldn't match sid (%s) "
+ "with requested ids\n", sidstr));
+ TALLOC_FREE(sidstr);
+ continue;
+ }
+
+ if ( ! string_to_sid(map->sid, sidstr)) {
+ DEBUG(2, ("ERROR: Invalid SID on entry\n"));
+ TALLOC_FREE(sidstr);
+ continue;
+ }
+
+ if (map->status == ID_MAPPED) {
+ DEBUG(1, ("WARNING: duplicate %s mapping in LDAP. "
+ "overwriting mapping %u -> %s with %u -> %s\n",
+ (type == ID_TYPE_UID) ? "UID" : "GID",
+ id,
+ dom_sid_str_buf(map->sid, &buf),
+ id,
+ sidstr));
+ }
+
+ TALLOC_FREE(sidstr);
+
+ /* mapped */
+ map->status = ID_MAPPED;
+
+ DEBUG(10, ("Mapped %s -> %lu (%d)\n",
+ dom_sid_str_buf(map->sid, &buf),
+ (unsigned long)map->xid.id, map->xid.type));
+ }
+
+ /* free the ldap results */
+ if (result) {
+ ldap_msgfree(result);
+ result = NULL;
+ }
+
+ if (multi && ids[idx]) { /* still some values to map */
+ goto again;
+ }
+
+ ret = NT_STATUS_OK;
+
+ /* mark all unknwon/expired ones as unmapped */
+ for (i = 0; ids[i]; i++) {
+ if (ids[i]->status != ID_MAPPED)
+ ids[i]->status = ID_UNMAPPED;
+ }
+
+done:
+ talloc_free(memctx);
+ return ret;
+}
+
+/**********************************
+ lookup a set of sids.
+**********************************/
+
+static NTSTATUS idmap_ldap_sids_to_unixids(struct idmap_domain *dom,
+ struct id_map **ids)
+{
+ LDAPMessage *entry = NULL;
+ NTSTATUS ret;
+ TALLOC_CTX *memctx;
+ struct idmap_ldap_context *ctx;
+ LDAPMessage *result = NULL;
+ const char *uidNumber;
+ const char *gidNumber;
+ const char **attr_list;
+ char *filter = NULL;
+ bool multi = False;
+ size_t num_required = 0;
+ int idx = 0;
+ int bidx = 0;
+ int count;
+ int rc;
+ int i;
+
+ /* Only do query if we are online */
+ if (idmap_is_offline()) {
+ return NT_STATUS_FILE_IS_OFFLINE;
+ }
+
+ ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
+
+ memctx = talloc_new(ctx);
+ if ( ! memctx) {
+ DEBUG(0, ("Out of memory!\n"));
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ uidNumber = get_attr_key2string(idpool_attr_list, LDAP_ATTR_UIDNUMBER);
+ gidNumber = get_attr_key2string(idpool_attr_list, LDAP_ATTR_GIDNUMBER);
+
+ attr_list = get_attr_list(memctx, sidmap_attr_list);
+
+ if ( ! ids[1]) {
+ struct dom_sid_buf buf;
+ /* if we are requested just one mapping use the simple filter */
+
+ filter = talloc_asprintf(memctx, "(&(objectClass=%s)(%s=%s))",
+ LDAP_OBJ_IDMAP_ENTRY,
+ LDAP_ATTRIBUTE_SID,
+ dom_sid_str_buf(ids[0]->sid, &buf));
+ CHECK_ALLOC_DONE(filter);
+ DEBUG(10, ("Filter: [%s]\n", filter));
+ } else {
+ /* multiple mappings */
+ multi = True;
+ }
+
+ for (i = 0; ids[i]; i++) {
+ ids[i]->status = ID_UNKNOWN;
+ }
+
+again:
+ if (multi) {
+
+ TALLOC_FREE(filter);
+ filter = talloc_asprintf(memctx,
+ "(&(objectClass=%s)(|",
+ LDAP_OBJ_IDMAP_ENTRY);
+ CHECK_ALLOC_DONE(filter);
+
+ bidx = idx;
+ for (i = 0; (i < IDMAP_LDAP_MAX_IDS) && ids[idx]; i++, idx++) {
+ struct dom_sid_buf buf;
+ filter = talloc_asprintf_append_buffer(filter, "(%s=%s)",
+ LDAP_ATTRIBUTE_SID,
+ dom_sid_str_buf(ids[idx]->sid, &buf));
+ CHECK_ALLOC_DONE(filter);
+ }
+ filter = talloc_asprintf_append_buffer(filter, "))");
+ CHECK_ALLOC_DONE(filter);
+ DEBUG(10, ("Filter: [%s]", filter));
+ } else {
+ bidx = 0;
+ idx = 1;
+ }
+
+ rc = smbldap_search(ctx->smbldap_state, ctx->suffix, LDAP_SCOPE_SUBTREE,
+ filter, attr_list, 0, &result);
+
+ if (rc != LDAP_SUCCESS) {
+ DEBUG(3,("Failure looking up sids (%s)\n",
+ ldap_err2string(rc)));
+ ret = NT_STATUS_UNSUCCESSFUL;
+ goto done;
+ }
+
+ count = ldap_count_entries(smbldap_get_ldap(ctx->smbldap_state),
+ result);
+
+ if (count == 0) {
+ DEBUG(10, ("NO SIDs found\n"));
+ }
+
+ for (i = 0; i < count; i++) {
+ char *sidstr = NULL;
+ char *tmp = NULL;
+ enum id_type type;
+ struct id_map *map;
+ struct dom_sid sid;
+ struct dom_sid_buf buf;
+ uint32_t id;
+ int error = 0;
+
+ if (i == 0) { /* first entry */
+ entry = ldap_first_entry(
+ smbldap_get_ldap(ctx->smbldap_state), result);
+ } else { /* following ones */
+ entry = ldap_next_entry(
+ smbldap_get_ldap(ctx->smbldap_state), entry);
+ }
+ if ( ! entry) {
+ DEBUG(2, ("ERROR: Unable to fetch ldap entries "
+ "from results\n"));
+ break;
+ }
+
+ /* first check if the SID is present */
+ sidstr = smbldap_talloc_single_attribute(
+ smbldap_get_ldap(ctx->smbldap_state),
+ entry, LDAP_ATTRIBUTE_SID, memctx);
+ if ( ! sidstr) { /* no sid ??, skip entry */
+ DEBUG(2, ("WARNING SID not found on entry\n"));
+ continue;
+ }
+
+ if ( ! string_to_sid(&sid, sidstr)) {
+ DEBUG(2, ("ERROR: Invalid SID on entry\n"));
+ TALLOC_FREE(sidstr);
+ continue;
+ }
+
+ map = idmap_find_map_by_sid(&ids[bidx], &sid);
+ if (!map) {
+ DEBUG(2, ("WARNING: couldn't find entry sid (%s) "
+ "in ids", sidstr));
+ TALLOC_FREE(sidstr);
+ continue;
+ }
+
+ /* now try to see if it is a uid, if not try with a gid
+ * (gid is more common, but in case both uidNumber and
+ * gidNumber are returned the SID is mapped to the uid
+ * not the gid) */
+ type = ID_TYPE_UID;
+ tmp = smbldap_talloc_single_attribute(
+ smbldap_get_ldap(ctx->smbldap_state),
+ entry, uidNumber, memctx);
+ if ( ! tmp) {
+ type = ID_TYPE_GID;
+ tmp = smbldap_talloc_single_attribute(
+ smbldap_get_ldap(ctx->smbldap_state),
+ entry, gidNumber, memctx);
+ }
+ if ( ! tmp) { /* no ids ?? */
+ DEBUG(5, ("no uidNumber, "
+ "nor gidNumber attributes found\n"));
+ TALLOC_FREE(sidstr);
+ continue;
+ }
+
+ id = smb_strtoul(tmp, NULL, 10, &error, SMB_STR_STANDARD);
+ TALLOC_FREE(tmp);
+ if (error != 0) {
+ DEBUG(5, ("Requested id (%u) out of range (%u - %u). "
+ "Filtered!\n", id,
+ dom->low_id, dom->high_id));
+ TALLOC_FREE(sidstr);
+ continue;
+ }
+
+ if (error != 0 || !idmap_unix_id_is_in_range(id, dom)) {
+ DEBUG(5, ("Requested id (%u) out of range (%u - %u). "
+ "Filtered!\n", id,
+ dom->low_id, dom->high_id));
+ TALLOC_FREE(sidstr);
+ continue;
+ }
+
+ if (map->status == ID_MAPPED) {
+ DEBUG(1, ("WARNING: duplicate %s mapping in LDAP. "
+ "overwriting mapping %s -> %u with %s -> %u\n",
+ (type == ID_TYPE_UID) ? "UID" : "GID",
+ sidstr, map->xid.id, sidstr, id));
+ }
+
+ TALLOC_FREE(sidstr);
+
+ /* mapped */
+ map->xid.type = type;
+ map->xid.id = id;
+ map->status = ID_MAPPED;
+
+ DEBUG(10, ("Mapped %s -> %lu (%d)\n",
+ dom_sid_str_buf(map->sid, &buf),
+ (unsigned long)map->xid.id,
+ map->xid.type));
+ }
+
+ /* free the ldap results */
+ if (result) {
+ ldap_msgfree(result);
+ result = NULL;
+ }
+
+ if (multi && ids[idx]) { /* still some values to map */
+ goto again;
+ }
+
+ /*
+ * try to create new mappings for unmapped sids
+ */
+ for (i = 0; ids[i]; i++) {
+ if (ids[i]->status != ID_MAPPED) {
+ ids[i]->status = ID_UNMAPPED;
+ if (ids[i]->sid != NULL) {
+ ret = idmap_ldap_new_mapping(dom, ids[i]);
+ DBG_DEBUG("idmap_ldap_new_mapping returned %s\n",
+ nt_errstr(ret));
+ if (NT_STATUS_EQUAL(ret, STATUS_SOME_UNMAPPED)) {
+ if (ids[i]->status == ID_REQUIRE_TYPE) {
+ num_required += 1;
+ continue;
+ }
+ }
+ if (!NT_STATUS_IS_OK(ret)) {
+ /*
+ * If we can't create
+ * a new mapping it's unlikely
+ * that it will work for the
+ * next entry.
+ */
+ goto done;
+ }
+ }
+ }
+ }
+
+ ret = NT_STATUS_OK;
+ if (num_required > 0) {
+ ret = STATUS_SOME_UNMAPPED;
+ }
+
+done:
+ talloc_free(memctx);
+ return ret;
+}
+
+/**********************************
+ Close the idmap ldap instance
+**********************************/
+
+static const struct idmap_methods idmap_ldap_methods = {
+
+ .init = idmap_ldap_db_init,
+ .unixids_to_sids = idmap_ldap_unixids_to_sids,
+ .sids_to_unixids = idmap_ldap_sids_to_unixids,
+ .allocate_id = idmap_ldap_allocate_id,
+};
+
+NTSTATUS idmap_ldap_init(TALLOC_CTX *);
+NTSTATUS idmap_ldap_init(TALLOC_CTX *ctx)
+{
+ return smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION, "ldap",
+ &idmap_ldap_methods);
+}
+
diff --git a/source3/winbindd/idmap_nss.c b/source3/winbindd/idmap_nss.c
new file mode 100644
index 0000000..2729a0d
--- /dev/null
+++ b/source3/winbindd/idmap_nss.c
@@ -0,0 +1,227 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ idmap NSS backend
+
+ Copyright (C) Simo Sorce 2006
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "system/passwd.h"
+#include "winbindd.h"
+#include "nsswitch/winbind_client.h"
+#include "idmap.h"
+#include "lib/winbind_util.h"
+#include "libcli/security/dom_sid.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_IDMAP
+
+/*****************************
+ Initialise idmap database.
+*****************************/
+
+static NTSTATUS idmap_nss_int_init(struct idmap_domain *dom)
+{
+ return NT_STATUS_OK;
+}
+
+/**********************************
+ lookup a set of unix ids.
+**********************************/
+
+static NTSTATUS idmap_nss_unixids_to_sids(struct idmap_domain *dom, struct id_map **ids)
+{
+ int i;
+
+ /* initialize the status to avoid suprise */
+ for (i = 0; ids[i]; i++) {
+ ids[i]->status = ID_UNKNOWN;
+ }
+
+ for (i = 0; ids[i]; i++) {
+ struct passwd *pw;
+ struct group *gr;
+ const char *name;
+ struct dom_sid sid;
+ enum lsa_SidType type;
+ bool ret;
+
+ switch (ids[i]->xid.type) {
+ case ID_TYPE_UID:
+ pw = getpwuid((uid_t)ids[i]->xid.id);
+
+ if (!pw) {
+ ids[i]->status = ID_UNMAPPED;
+ continue;
+ }
+ name = pw->pw_name;
+ break;
+ case ID_TYPE_GID:
+ gr = getgrgid((gid_t)ids[i]->xid.id);
+
+ if (!gr) {
+ ids[i]->status = ID_UNMAPPED;
+ continue;
+ }
+ name = gr->gr_name;
+ break;
+ default: /* ?? */
+ ids[i]->status = ID_UNKNOWN;
+ continue;
+ }
+
+ /* by default calls to winbindd are disabled
+ the following call will not recurse so this is safe */
+ (void)winbind_on();
+ /* Lookup name from PDC using lsa_lookup_names() */
+ ret = winbind_lookup_name(dom->name, name, &sid, &type);
+ (void)winbind_off();
+
+ if (!ret) {
+ /* TODO: how do we know if the name is really not mapped,
+ * or something just failed ? */
+ ids[i]->status = ID_UNMAPPED;
+ continue;
+ }
+
+ switch (type) {
+ case SID_NAME_USER:
+ if (ids[i]->xid.type == ID_TYPE_UID) {
+ sid_copy(ids[i]->sid, &sid);
+ ids[i]->status = ID_MAPPED;
+ }
+ break;
+
+ case SID_NAME_DOM_GRP:
+ case SID_NAME_ALIAS:
+ case SID_NAME_WKN_GRP:
+ if (ids[i]->xid.type == ID_TYPE_GID) {
+ sid_copy(ids[i]->sid, &sid);
+ ids[i]->status = ID_MAPPED;
+ }
+ break;
+
+ default:
+ ids[i]->status = ID_UNKNOWN;
+ break;
+ }
+ }
+ return NT_STATUS_OK;
+}
+
+/**********************************
+ lookup a set of sids.
+**********************************/
+
+static NTSTATUS idmap_nss_sids_to_unixids(struct idmap_domain *dom, struct id_map **ids)
+{
+ int i;
+
+ /* initialize the status to avoid suprise */
+ for (i = 0; ids[i]; i++) {
+ ids[i]->status = ID_UNKNOWN;
+ }
+
+ for (i = 0; ids[i]; i++) {
+ struct group *gr;
+ enum lsa_SidType type;
+ const char *_domain = NULL;
+ const char *_name = NULL;
+ char *domain = NULL;
+ char *name = NULL;
+ bool ret;
+
+ /* by default calls to winbindd are disabled
+ the following call will not recurse so this is safe */
+ (void)winbind_on();
+ ret = winbind_lookup_sid(talloc_tos(),
+ ids[i]->sid,
+ &_domain,
+ &_name,
+ &type);
+ (void)winbind_off();
+ if (!ret) {
+ /* TODO: how do we know if the name is really not mapped,
+ * or something just failed ? */
+ ids[i]->status = ID_UNMAPPED;
+ continue;
+ }
+
+ domain = discard_const_p(char, _domain);
+ name = discard_const_p(char, _name);
+
+ if (!strequal(domain, dom->name)) {
+ struct dom_sid_buf buf;
+ DBG_ERR("DOMAIN[%s] ignoring SID[%s] belongs to %s [%s\\%s]\n",
+ dom->name, dom_sid_str_buf(ids[i]->sid, &buf),
+ sid_type_lookup(type), domain, name);
+ ids[i]->status = ID_UNMAPPED;
+ continue;
+ }
+
+ switch (type) {
+ case SID_NAME_USER: {
+ struct passwd *pw;
+
+ /* this will find also all lower case name and use username level */
+
+ pw = Get_Pwnam_alloc(talloc_tos(), name);
+ if (pw) {
+ ids[i]->xid.id = pw->pw_uid;
+ ids[i]->xid.type = ID_TYPE_UID;
+ ids[i]->status = ID_MAPPED;
+ }
+ TALLOC_FREE(pw);
+ break;
+ }
+
+ case SID_NAME_DOM_GRP:
+ case SID_NAME_ALIAS:
+ case SID_NAME_WKN_GRP:
+
+ gr = getgrnam(name);
+ if (gr) {
+ ids[i]->xid.id = gr->gr_gid;
+ ids[i]->xid.type = ID_TYPE_GID;
+ ids[i]->status = ID_MAPPED;
+ }
+ break;
+
+ default:
+ ids[i]->status = ID_UNKNOWN;
+ break;
+ }
+ TALLOC_FREE(domain);
+ TALLOC_FREE(name);
+ }
+ return NT_STATUS_OK;
+}
+
+/**********************************
+ Close the idmap tdb instance
+**********************************/
+
+static const struct idmap_methods nss_methods = {
+ .init = idmap_nss_int_init,
+ .unixids_to_sids = idmap_nss_unixids_to_sids,
+ .sids_to_unixids = idmap_nss_sids_to_unixids,
+};
+
+NTSTATUS idmap_nss_init(TALLOC_CTX *mem_ctx)
+{
+ return smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION, "nss", &nss_methods);
+}
diff --git a/source3/winbindd/idmap_passdb.c b/source3/winbindd/idmap_passdb.c
new file mode 100644
index 0000000..758f31a
--- /dev/null
+++ b/source3/winbindd/idmap_passdb.c
@@ -0,0 +1,87 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ idmap PASSDB backend
+
+ Copyright (C) Simo Sorce 2006
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "idmap.h"
+#include "passdb.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_IDMAP
+
+/*****************************
+ Initialise idmap database.
+*****************************/
+
+static NTSTATUS idmap_pdb_init(struct idmap_domain *dom)
+{
+ return NT_STATUS_OK;
+}
+
+/**********************************
+ lookup a set of unix ids.
+**********************************/
+
+static NTSTATUS idmap_pdb_unixids_to_sids(struct idmap_domain *dom, struct id_map **ids)
+{
+ int i;
+
+ for (i = 0; ids[i]; i++) {
+ /* unmapped by default */
+ ids[i]->status = ID_UNMAPPED;
+
+ if (pdb_id_to_sid(&ids[i]->xid, ids[i]->sid)) {
+ ids[i]->status = ID_MAPPED;
+ }
+ }
+
+ return NT_STATUS_OK;
+}
+
+/**********************************
+ lookup a set of sids.
+**********************************/
+
+static NTSTATUS idmap_pdb_sids_to_unixids(struct idmap_domain *dom, struct id_map **ids)
+{
+ int i;
+
+ for (i = 0; ids[i]; i++) {
+ if (pdb_sid_to_id(ids[i]->sid, &ids[i]->xid)) {
+ ids[i]->status = ID_MAPPED;
+ } else {
+ /* Query Failed */
+ ids[i]->status = ID_UNMAPPED;
+ }
+ }
+
+ return NT_STATUS_OK;
+}
+
+static const struct idmap_methods passdb_methods = {
+ .init = idmap_pdb_init,
+ .unixids_to_sids = idmap_pdb_unixids_to_sids,
+ .sids_to_unixids = idmap_pdb_sids_to_unixids,
+};
+
+NTSTATUS idmap_passdb_init(TALLOC_CTX *mem_ctx)
+{
+ return smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION, "passdb", &passdb_methods);
+}
diff --git a/source3/winbindd/idmap_proto.h b/source3/winbindd/idmap_proto.h
new file mode 100644
index 0000000..adc0443
--- /dev/null
+++ b/source3/winbindd/idmap_proto.h
@@ -0,0 +1,69 @@
+/*
+ * Unix SMB/CIFS implementation.
+ * ID Mapping
+ *
+ * Copyright (C) Tim Potter 2000
+ * Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003
+ * Copyright (C) Simo Sorce 2003-2007
+ * Copyright (C) Jeremy Allison 2006
+ * Copyright (C) Michael Adam 2009-2010
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef _WINBINDD_IDMAP_PROTO_H_
+#define _WINBINDD_IDMAP_PROTO_H_
+
+/* The following definitions come from winbindd/idmap.c */
+
+bool idmap_is_offline(void);
+NTSTATUS smb_register_idmap(int version, const char *name,
+ const struct idmap_methods *methods);
+void idmap_close(void);
+NTSTATUS idmap_allocate_uid(struct unixid *id);
+NTSTATUS idmap_allocate_gid(struct unixid *id);
+NTSTATUS idmap_backend_unixids_to_sids(struct id_map **maps,
+ const char *domain_name,
+ struct dom_sid domain_sid);
+struct idmap_domain *idmap_find_domain(const char *domname);
+
+/* The following definitions come from winbindd/idmap_nss.c */
+
+NTSTATUS idmap_nss_init(TALLOC_CTX *mem_ctx);
+
+/* The following definitions come from winbindd/idmap_passdb.c */
+
+NTSTATUS idmap_passdb_init(TALLOC_CTX *mem_ctx);
+
+/* The following definitions come from winbindd/idmap_tdb.c */
+
+NTSTATUS idmap_tdb_init(TALLOC_CTX *mem_ctx);
+
+/* The following definitions come from winbindd/idmap_util.c */
+
+bool idmap_unix_id_is_in_range(uint32_t id, struct idmap_domain *dom);
+struct id_map *idmap_find_map_by_id(struct id_map **maps, enum id_type type,
+ uint32_t id);
+struct id_map *idmap_find_map_by_sid(struct id_map **maps, struct dom_sid *sid);
+char *idmap_fetch_secret(const char *backend, const char *domain,
+ const char *identity);
+
+struct id_map **id_map_ptrs_init(TALLOC_CTX *mem_ctx, size_t num_ids);
+
+/* max number of ids requested per LDAP batch query */
+#define IDMAP_LDAP_MAX_IDS 30
+
+NTSTATUS idmap_ad_nss_init(TALLOC_CTX *mem_ctx);
+
+#endif /* _WINBINDD_IDMAP_PROTO_H_ */
diff --git a/source3/winbindd/idmap_rfc2307.c b/source3/winbindd/idmap_rfc2307.c
new file mode 100644
index 0000000..d84cf93
--- /dev/null
+++ b/source3/winbindd/idmap_rfc2307.c
@@ -0,0 +1,848 @@
+/*
+ * Unix SMB/CIFS implementation.
+ *
+ * Id mapping using LDAP records as defined in RFC 2307
+ *
+ * The SID<->uid/gid mapping is performed in two steps: 1) Query the
+ * AD server for the name<->sid mapping. 2) Query an LDAP server
+ * according to RFC 2307 for the name<->uid/gid mapping.
+ *
+ * Copyright (C) Christof Schmitt 2012,2013
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "includes.h"
+#include "winbindd.h"
+#include "winbindd_ads.h"
+#include "idmap.h"
+#include "smbldap.h"
+#include "nsswitch/winbind_client.h"
+#include "lib/winbind_util.h"
+#include "libcli/security/dom_sid.h"
+#include "lib/global_contexts.h"
+
+/*
+ * Config and connection info per domain.
+ */
+struct idmap_rfc2307_context {
+ const char *bind_path_user;
+ const char *bind_path_group;
+ const char *ldap_domain;
+ bool user_cn;
+ const char *realm;
+
+ /*
+ * Pointer to ldap struct in ads or smbldap_state, has to be
+ * updated after connecting to server
+ */
+ LDAP *ldap;
+
+ /* Optional function to check connection to server */
+ NTSTATUS (*check_connection)(struct idmap_domain *dom);
+
+ /* Issue ldap query */
+ NTSTATUS (*search)(struct idmap_rfc2307_context *ctx,
+ const char *bind_path, const char *expr,
+ const char **attrs, LDAPMessage **res);
+
+ /* Access to LDAP in AD server */
+ ADS_STRUCT *ads;
+
+ /* Access to stand-alone LDAP server */
+ struct smbldap_state *smbldap_state;
+};
+
+/*
+ * backend functions for LDAP queries through ADS
+ */
+
+static NTSTATUS idmap_rfc2307_ads_check_connection(struct idmap_domain *dom)
+{
+ struct idmap_rfc2307_context *ctx;
+ const char *dom_name = dom->name;
+ ADS_STATUS status;
+
+ DEBUG(10, ("ad_idmap_cached_connection: called for domain '%s'\n",
+ dom->name));
+
+ ctx = talloc_get_type(dom->private_data, struct idmap_rfc2307_context);
+ dom_name = ctx->ldap_domain ? ctx->ldap_domain : dom->name;
+
+ status = ads_idmap_cached_connection(dom_name, ctx, &ctx->ads);
+ if (ADS_ERR_OK(status)) {
+ ctx->ldap = ctx->ads->ldap.ld;
+ } else {
+ DEBUG(1, ("Could not connect to domain %s: %s\n", dom->name,
+ ads_errstr(status)));
+ }
+
+ return ads_ntstatus(status);
+}
+
+static NTSTATUS idmap_rfc2307_ads_search(struct idmap_rfc2307_context *ctx,
+ const char *bind_path,
+ const char *expr,
+ const char **attrs,
+ LDAPMessage **result)
+{
+ ADS_STATUS status;
+
+ status = ads_do_search_retry(ctx->ads, bind_path,
+ LDAP_SCOPE_SUBTREE, expr, attrs, result);
+
+ if (!ADS_ERR_OK(status)) {
+ return ads_ntstatus(status);
+ }
+
+ ctx->ldap = ctx->ads->ldap.ld;
+ return ads_ntstatus(status);
+}
+
+static NTSTATUS idmap_rfc2307_init_ads(struct idmap_rfc2307_context *ctx,
+ const char *domain_name)
+{
+ const char *ldap_domain;
+
+ ctx->search = idmap_rfc2307_ads_search;
+ ctx->check_connection = idmap_rfc2307_ads_check_connection;
+
+ ldap_domain = idmap_config_const_string(domain_name, "ldap_domain",
+ NULL);
+ if (ldap_domain) {
+ ctx->ldap_domain = talloc_strdup(ctx, ldap_domain);
+ if (ctx->ldap_domain == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
+
+ return NT_STATUS_OK;
+}
+
+/*
+ * backend function for LDAP queries through stand-alone LDAP server
+ */
+
+static NTSTATUS idmap_rfc2307_ldap_search(struct idmap_rfc2307_context *ctx,
+ const char *bind_path,
+ const char *expr,
+ const char **attrs,
+ LDAPMessage **result)
+{
+ int ret;
+
+ ret = smbldap_search(ctx->smbldap_state, bind_path, LDAP_SCOPE_SUBTREE,
+ expr, attrs, 0, result);
+ ctx->ldap = smbldap_get_ldap(ctx->smbldap_state);
+
+ if (ret == LDAP_SUCCESS) {
+ return NT_STATUS_OK;
+ }
+
+ return NT_STATUS_LDAP(ret);
+}
+
+static bool idmap_rfc2307_get_uint32(LDAP *ldap, LDAPMessage *entry,
+ const char *field, uint32_t *value)
+{
+ bool b;
+ char str[20];
+
+ b = smbldap_get_single_attribute(ldap, entry, field, str, sizeof(str));
+
+ if (b) {
+ *value = atoi(str);
+ }
+
+ return b;
+}
+
+static NTSTATUS idmap_rfc2307_init_ldap(struct idmap_rfc2307_context *ctx,
+ const char *domain_name)
+{
+ NTSTATUS ret;
+ char *url;
+ char *secret = NULL;
+ const char *ldap_url, *user_dn;
+ TALLOC_CTX *mem_ctx = ctx;
+
+ ldap_url = idmap_config_const_string(domain_name, "ldap_url", NULL);
+ if (!ldap_url) {
+ DEBUG(1, ("ERROR: missing idmap ldap url\n"));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ url = talloc_strdup(talloc_tos(), ldap_url);
+
+ user_dn = idmap_config_const_string(domain_name, "ldap_user_dn", NULL);
+ if (user_dn) {
+ secret = idmap_fetch_secret("ldap", domain_name, user_dn);
+ if (!secret) {
+ ret = NT_STATUS_ACCESS_DENIED;
+ goto done;
+ }
+ }
+
+ /* assume anonymous if we don't have a specified user */
+ ret = smbldap_init(mem_ctx, global_event_context(), url,
+ (user_dn == NULL), user_dn, secret,
+ &ctx->smbldap_state);
+ SAFE_FREE(secret);
+ if (!NT_STATUS_IS_OK(ret)) {
+ DEBUG(1, ("ERROR: smbldap_init (%s) failed!\n", url));
+ goto done;
+ }
+
+ ctx->search = idmap_rfc2307_ldap_search;
+
+done:
+ talloc_free(url);
+ return ret;
+}
+
+/*
+ * common code for stand-alone LDAP and ADS
+ */
+
+static void idmap_rfc2307_map_sid_results(struct idmap_rfc2307_context *ctx,
+ TALLOC_CTX *mem_ctx,
+ struct id_map **ids,
+ LDAPMessage *result,
+ const char *dom_name,
+ const char **attrs, int type)
+{
+ int count, i;
+ LDAPMessage *entry;
+
+ count = ldap_count_entries(ctx->ldap, result);
+
+ for (i = 0; i < count; i++) {
+ char *name;
+ struct dom_sid sid;
+ enum lsa_SidType lsa_type;
+ struct id_map *map;
+ uint32_t id;
+ bool b;
+
+ if (i == 0) {
+ entry = ldap_first_entry(ctx->ldap, result);
+ } else {
+ entry = ldap_next_entry(ctx->ldap, entry);
+ }
+ if (!entry) {
+ DEBUG(2, ("Unable to fetch entry.\n"));
+ break;
+ }
+
+ name = smbldap_talloc_single_attribute(ctx->ldap, entry,
+ attrs[0], mem_ctx);
+ if (!name) {
+ DEBUG(1, ("Could not get user name\n"));
+ continue;
+ }
+
+ b = idmap_rfc2307_get_uint32(ctx->ldap, entry, attrs[1], &id);
+ if (!b) {
+ DEBUG(1, ("Could not pull id for record %s\n", name));
+ continue;
+ }
+
+ map = idmap_find_map_by_id(ids, type, id);
+ if (!map) {
+ DEBUG(1, ("Could not find id %d, name %s\n", id, name));
+ continue;
+ }
+
+ if (ctx->realm != NULL) {
+ /* Strip @realm from user or group name */
+ char *delim;
+
+ delim = strchr(name, '@');
+ if (delim) {
+ *delim = '\0';
+ }
+ }
+
+ /* by default calls to winbindd are disabled
+ the following call will not recurse so this is safe */
+ (void)winbind_on();
+ /* Lookup name from PDC using lsa_lookup_names() */
+ b = winbind_lookup_name(dom_name, name, &sid, &lsa_type);
+ (void)winbind_off();
+
+ if (!b) {
+ DEBUG(1, ("SID lookup failed for id %d, %s\n",
+ id, name));
+ continue;
+ }
+
+ if (type == ID_TYPE_UID && lsa_type != SID_NAME_USER) {
+ DEBUG(1, ("Wrong type %d for user name %s\n",
+ type, name));
+ continue;
+ }
+
+ if (type == ID_TYPE_GID && lsa_type != SID_NAME_DOM_GRP &&
+ lsa_type != SID_NAME_ALIAS &&
+ lsa_type != SID_NAME_WKN_GRP) {
+ DEBUG(1, ("Wrong type %d for group name %s\n",
+ type, name));
+ continue;
+ }
+
+ map->status = ID_MAPPED;
+ sid_copy(map->sid, &sid);
+ }
+}
+
+/*
+ * Map unixids to names and then to sids.
+ */
+static NTSTATUS idmap_rfc2307_unixids_to_sids(struct idmap_domain *dom,
+ struct id_map **ids)
+{
+ struct idmap_rfc2307_context *ctx;
+ char *fltr_usr = NULL, *fltr_grp = NULL;
+ TALLOC_CTX *mem_ctx;
+ int cnt_usr = 0, cnt_grp = 0, idx = 0, bidx = 0;
+ LDAPMessage *result = NULL;
+ NTSTATUS ret;
+
+ ctx = talloc_get_type(dom->private_data, struct idmap_rfc2307_context);
+ mem_ctx = talloc_new(ctx);
+ if (!mem_ctx) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if (ctx->check_connection) {
+ ret = ctx->check_connection(dom);
+ if (!NT_STATUS_IS_OK(ret)) {
+ goto out;
+ }
+ }
+
+again:
+ bidx = idx;
+
+ if (!fltr_usr) {
+ /* prepare new user query, see getpwuid() in RFC2307 */
+ fltr_usr = talloc_asprintf(mem_ctx,
+ "(&(objectClass=posixAccount)(|");
+ }
+
+ if (!fltr_grp) {
+ /* prepare new group query, see getgrgid() in RFC2307 */
+ fltr_grp = talloc_asprintf(mem_ctx,
+ "(&(objectClass=posixGroup)(|");
+ }
+
+ if (!fltr_usr || !fltr_grp) {
+ ret = NT_STATUS_NO_MEMORY;
+ goto out;
+ }
+
+ while (cnt_usr < IDMAP_LDAP_MAX_IDS &&
+ cnt_grp < IDMAP_LDAP_MAX_IDS && ids[idx]) {
+
+ switch (ids[idx]->xid.type) {
+ case ID_TYPE_UID:
+ fltr_usr = talloc_asprintf_append_buffer(fltr_usr,
+ "(uidNumber=%d)", ids[idx]->xid.id);
+ cnt_usr++;
+ break;
+ case ID_TYPE_GID:
+ fltr_grp = talloc_asprintf_append_buffer(fltr_grp,
+ "(gidNumber=%d)", ids[idx]->xid.id);
+ cnt_grp++;
+ break;
+ default:
+ DEBUG(3, ("Error: unknown ID type %d\n",
+ ids[idx]->xid.type));
+ ret = NT_STATUS_UNSUCCESSFUL;
+ goto out;
+ }
+
+ if (!fltr_usr || !fltr_grp) {
+ ret = NT_STATUS_NO_MEMORY;
+ goto out;
+ }
+
+ idx++;
+ }
+
+ if (cnt_usr == IDMAP_LDAP_MAX_IDS || (cnt_usr != 0 && !ids[idx])) {
+ const char *attrs[] = { NULL, /* uid or cn */
+ "uidNumber",
+ NULL };
+
+ fltr_usr = talloc_strdup_append(fltr_usr, "))");
+ if (!fltr_usr) {
+ ret = NT_STATUS_NO_MEMORY;
+ goto out;
+ }
+
+ attrs[0] = ctx->user_cn ? "cn" : "uid";
+ ret = ctx->search(ctx, ctx->bind_path_user, fltr_usr, attrs,
+ &result);
+ if (!NT_STATUS_IS_OK(ret)) {
+ goto out;
+ }
+
+ idmap_rfc2307_map_sid_results(ctx, mem_ctx, &ids[bidx], result,
+ dom->name, attrs, ID_TYPE_UID);
+ cnt_usr = 0;
+ TALLOC_FREE(fltr_usr);
+ }
+
+ if (cnt_grp == IDMAP_LDAP_MAX_IDS || (cnt_grp != 0 && !ids[idx])) {
+ const char *attrs[] = { "cn", "gidNumber", NULL };
+
+ fltr_grp = talloc_strdup_append(fltr_grp, "))");
+ if (!fltr_grp) {
+ ret = NT_STATUS_NO_MEMORY;
+ goto out;
+ }
+ ret = ctx->search(ctx, ctx->bind_path_group, fltr_grp, attrs,
+ &result);
+ if (!NT_STATUS_IS_OK(ret)) {
+ goto out;
+ }
+
+ idmap_rfc2307_map_sid_results(ctx, mem_ctx, &ids[bidx], result,
+ dom->name, attrs, ID_TYPE_GID);
+ cnt_grp = 0;
+ TALLOC_FREE(fltr_grp);
+ }
+
+ if (ids[idx]) {
+ goto again;
+ }
+
+ ret = NT_STATUS_OK;
+
+out:
+ talloc_free(mem_ctx);
+ return ret;
+}
+
+struct idmap_rfc2307_map {
+ struct id_map *map;
+ const char *name;
+ enum id_type type;
+};
+
+/*
+ * Lookup names for SIDS and store the data in the local mapping
+ * array.
+ */
+static NTSTATUS idmap_rfc_2307_sids_to_names(TALLOC_CTX *mem_ctx,
+ struct id_map **ids,
+ struct idmap_rfc2307_map *maps,
+ struct idmap_rfc2307_context *ctx)
+{
+ int i;
+
+ for (i = 0; ids[i]; i++) {
+ const char *domain, *name;
+ enum lsa_SidType lsa_type;
+ struct id_map *id = ids[i];
+ struct idmap_rfc2307_map *map = &maps[i];
+ struct dom_sid_buf buf;
+ bool b;
+
+ /* by default calls to winbindd are disabled
+ the following call will not recurse so this is safe */
+ (void)winbind_on();
+ b = winbind_lookup_sid(mem_ctx, ids[i]->sid, &domain, &name,
+ &lsa_type);
+ (void)winbind_off();
+
+ if (!b) {
+ DEBUG(1, ("Lookup sid %s failed.\n",
+ dom_sid_str_buf(ids[i]->sid, &buf)));
+ continue;
+ }
+
+ switch(lsa_type) {
+ case SID_NAME_USER:
+ id->xid.type = map->type = ID_TYPE_UID;
+ if (ctx->user_cn && ctx->realm != NULL) {
+ name = talloc_asprintf(mem_ctx, "%s@%s",
+ name, ctx->realm);
+ }
+ id->xid.type = map->type = ID_TYPE_UID;
+ break;
+
+ case SID_NAME_DOM_GRP:
+ case SID_NAME_ALIAS:
+ case SID_NAME_WKN_GRP:
+ if (ctx->realm != NULL) {
+ name = talloc_asprintf(mem_ctx, "%s@%s",
+ name, ctx->realm);
+ }
+ id->xid.type = map->type = ID_TYPE_GID;
+ break;
+
+ default:
+ DEBUG(1, ("Unknown lsa type %d for sid %s\n",
+ lsa_type,
+ dom_sid_str_buf(id->sid, &buf)));
+ id->status = ID_UNMAPPED;
+ continue;
+ }
+
+ map->map = id;
+ id->status = ID_UNKNOWN;
+ map->name = strupper_talloc(mem_ctx, name);
+
+ if (!map->name) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
+
+ return NT_STATUS_OK;
+}
+
+/*
+ * Find id_map entry by looking up the name in the internal
+ * mapping array.
+ */
+static struct id_map* idmap_rfc2307_find_map(struct idmap_rfc2307_map *maps,
+ enum id_type type,
+ const char *name)
+{
+ int i;
+
+ DEBUG(10, ("Looking for name %s, type %d\n", name, type));
+
+ for (i = 0; maps[i].map != NULL; i++) {
+ DEBUG(10, ("Entry %d: name %s, type %d\n",
+ i, maps[i].name, maps[i].type));
+ if (type == maps[i].type && strcmp(name, maps[i].name) == 0) {
+ return maps[i].map;
+ }
+ }
+
+ return NULL;
+}
+
+static void idmap_rfc2307_map_xid_results(struct idmap_rfc2307_context *ctx,
+ TALLOC_CTX *mem_ctx,
+ struct idmap_rfc2307_map *maps,
+ LDAPMessage *result,
+ struct idmap_domain *dom,
+ const char **attrs, enum id_type type)
+{
+ int count, i;
+ LDAPMessage *entry;
+
+ count = ldap_count_entries(ctx->ldap, result);
+
+ for (i = 0; i < count; i++) {
+ uint32_t id;
+ char *name;
+ bool b;
+ struct id_map *id_map;
+
+ if (i == 0) {
+ entry = ldap_first_entry(ctx->ldap, result);
+ } else {
+ entry = ldap_next_entry(ctx->ldap, entry);
+ }
+ if (!entry) {
+ DEBUG(2, ("Unable to fetch entry.\n"));
+ break;
+ }
+
+ name = smbldap_talloc_single_attribute(ctx->ldap, entry,
+ attrs[0], mem_ctx);
+ if (!name) {
+ DEBUG(1, ("Could not get user name\n"));
+ continue;
+ }
+
+ b = idmap_rfc2307_get_uint32(ctx->ldap, entry, attrs[1], &id);
+ if (!b) {
+ DEBUG(5, ("Could not pull id for record %s\n", name));
+ continue;
+ }
+
+ if (!idmap_unix_id_is_in_range(id, dom)) {
+ DEBUG(5, ("Requested id (%u) out of range (%u - %u).\n",
+ id, dom->low_id, dom->high_id));
+ continue;
+ }
+
+ if (!strupper_m(name)) {
+ DEBUG(5, ("Could not convert %s to uppercase\n", name));
+ continue;
+ }
+ id_map = idmap_rfc2307_find_map(maps, type, name);
+ if (!id_map) {
+ DEBUG(0, ("Could not find mapping entry for name %s\n",
+ name));
+ continue;
+ }
+
+ id_map->xid.id = id;
+ id_map->status = ID_MAPPED;
+ }
+}
+
+/*
+ * Map sids to names and then to unixids.
+ */
+static NTSTATUS idmap_rfc2307_sids_to_unixids(struct idmap_domain *dom,
+ struct id_map **ids)
+{
+ struct idmap_rfc2307_context *ctx;
+ TALLOC_CTX *mem_ctx;
+ struct idmap_rfc2307_map *int_maps;
+ int cnt_usr = 0, cnt_grp = 0, idx = 0;
+ char *fltr_usr = NULL, *fltr_grp = NULL;
+ NTSTATUS ret;
+ int i;
+
+ ctx = talloc_get_type(dom->private_data, struct idmap_rfc2307_context);
+ mem_ctx = talloc_new(talloc_tos());
+ if (!mem_ctx) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if (ctx->check_connection) {
+ ret = ctx->check_connection(dom);
+ if (!NT_STATUS_IS_OK(ret)) {
+ goto out;
+ }
+ }
+
+ for (i = 0; ids[i]; i++);
+ int_maps = talloc_zero_array(mem_ctx, struct idmap_rfc2307_map, i);
+ if (!int_maps) {
+ ret = NT_STATUS_NO_MEMORY;
+ goto out;
+ }
+
+ ret = idmap_rfc_2307_sids_to_names(mem_ctx, ids, int_maps, ctx);
+ if (!NT_STATUS_IS_OK(ret)) {
+ goto out;
+ }
+
+again:
+ if (!fltr_usr) {
+ /* prepare new user query, see getpwuid() in RFC2307 */
+ fltr_usr = talloc_asprintf(mem_ctx,
+ "(&(objectClass=posixAccount)(|");
+ }
+
+ if (!fltr_grp) {
+ /* prepare new group query, see getgrgid() in RFC2307 */
+ fltr_grp = talloc_asprintf(mem_ctx,
+ "(&(objectClass=posixGroup)(|");
+ }
+
+ if (!fltr_usr || !fltr_grp) {
+ ret = NT_STATUS_NO_MEMORY;
+ goto out;
+ }
+
+ while (cnt_usr < IDMAP_LDAP_MAX_IDS &&
+ cnt_grp < IDMAP_LDAP_MAX_IDS && ids[idx]) {
+ struct id_map *id = ids[idx];
+ struct idmap_rfc2307_map *map = &int_maps[idx];
+
+ switch(id->xid.type) {
+ case ID_TYPE_UID:
+ fltr_usr = talloc_asprintf_append_buffer(fltr_usr,
+ "(%s=%s)", (ctx->user_cn ? "cn" : "uid"),
+ map->name);
+ cnt_usr++;
+ break;
+
+ case ID_TYPE_GID:
+ fltr_grp = talloc_asprintf_append_buffer(fltr_grp,
+ "(cn=%s)", map->name);
+ cnt_grp++;
+ break;
+
+ default:
+ break;
+ }
+
+ if (!fltr_usr || !fltr_grp) {
+ ret = NT_STATUS_NO_MEMORY;
+ goto out;
+ }
+
+ idx++;
+ }
+
+ if (cnt_usr == IDMAP_LDAP_MAX_IDS || (cnt_usr != 0 && !ids[idx])) {
+ const char *attrs[] = { NULL, /* uid or cn */
+ "uidNumber",
+ NULL };
+ LDAPMessage *result;
+
+ fltr_usr = talloc_strdup_append(fltr_usr, "))");
+ if (!fltr_usr) {
+ ret = NT_STATUS_NO_MEMORY;
+ goto out;
+ }
+
+ attrs[0] = ctx->user_cn ? "cn" : "uid";
+ ret = ctx->search(ctx, ctx->bind_path_user, fltr_usr, attrs,
+ &result);
+ if (!NT_STATUS_IS_OK(ret)) {
+ goto out;
+ }
+
+ idmap_rfc2307_map_xid_results(ctx, mem_ctx, int_maps,
+ result, dom, attrs, ID_TYPE_UID);
+
+ cnt_usr = 0;
+ TALLOC_FREE(fltr_usr);
+ }
+
+ if (cnt_grp == IDMAP_LDAP_MAX_IDS || (cnt_grp != 0 && !ids[idx])) {
+ const char *attrs[] = {"cn", "gidNumber", NULL };
+ LDAPMessage *result;
+
+ fltr_grp = talloc_strdup_append(fltr_grp, "))");
+ if (!fltr_grp) {
+ ret = NT_STATUS_NO_MEMORY;
+ goto out;
+ }
+
+ ret = ctx->search(ctx, ctx->bind_path_group, fltr_grp, attrs,
+ &result);
+ if (!NT_STATUS_IS_OK(ret)) {
+ goto out;
+ }
+
+ idmap_rfc2307_map_xid_results(ctx, mem_ctx, int_maps, result,
+ dom, attrs, ID_TYPE_GID);
+ cnt_grp = 0;
+ TALLOC_FREE(fltr_grp);
+ }
+
+ if (ids[idx]) {
+ goto again;
+ }
+
+ ret = NT_STATUS_OK;
+
+out:
+ talloc_free(mem_ctx);
+ return ret;
+}
+
+static int idmap_rfc2307_context_destructor(struct idmap_rfc2307_context *ctx)
+{
+ TALLOC_FREE(ctx->ads);
+
+ if (ctx->smbldap_state != NULL) {
+ smbldap_free_struct(&ctx->smbldap_state);
+ }
+
+ return 0;
+}
+
+static NTSTATUS idmap_rfc2307_initialize(struct idmap_domain *domain)
+{
+ struct idmap_rfc2307_context *ctx;
+ const char *bind_path_user, *bind_path_group, *ldap_server, *realm;
+ NTSTATUS status;
+
+ ctx = talloc_zero(domain, struct idmap_rfc2307_context);
+ if (ctx == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ talloc_set_destructor(ctx, idmap_rfc2307_context_destructor);
+
+ bind_path_user = idmap_config_const_string(
+ domain->name, "bind_path_user", NULL);
+ if (bind_path_user == NULL) {
+ status = NT_STATUS_INVALID_PARAMETER;
+ goto err;
+ }
+ ctx->bind_path_user = talloc_strdup(ctx, bind_path_user);
+ if (ctx->bind_path_user == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto err;
+ }
+
+ bind_path_group = idmap_config_const_string(
+ domain->name, "bind_path_group", NULL);
+ if (bind_path_group == NULL) {
+ status = NT_STATUS_INVALID_PARAMETER;
+ goto err;
+ }
+ ctx->bind_path_group = talloc_strdup(ctx, bind_path_group);
+ if (ctx->bind_path_group == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto err;
+ }
+
+ ldap_server = idmap_config_const_string(
+ domain->name, "ldap_server", NULL);
+ if (!ldap_server) {
+ status = NT_STATUS_INVALID_PARAMETER;
+ goto err;
+ }
+
+ if (strcmp(ldap_server, "stand-alone") == 0) {
+ status = idmap_rfc2307_init_ldap(ctx, domain->name);
+
+ } else if (strcmp(ldap_server, "ad") == 0) {
+ status = idmap_rfc2307_init_ads(ctx, domain->name);
+
+ } else {
+ status = NT_STATUS_INVALID_PARAMETER;
+ }
+
+ if (!NT_STATUS_IS_OK(status)) {
+ goto err;
+ }
+
+ realm = idmap_config_const_string(domain->name, "realm", NULL);
+ if (realm) {
+ ctx->realm = talloc_strdup(ctx, realm);
+ if (ctx->realm == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto err;
+ }
+ }
+
+ ctx->user_cn = idmap_config_bool(domain->name, "user_cn", false);
+
+ domain->private_data = ctx;
+ return NT_STATUS_OK;
+
+err:
+ talloc_free(ctx);
+ return status;
+}
+
+static const struct idmap_methods rfc2307_methods = {
+ .init = idmap_rfc2307_initialize,
+ .unixids_to_sids = idmap_rfc2307_unixids_to_sids,
+ .sids_to_unixids = idmap_rfc2307_sids_to_unixids,
+};
+
+static_decl_idmap;
+NTSTATUS idmap_rfc2307_init(TALLOC_CTX *ctx)
+{
+ return smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION, "rfc2307",
+ &rfc2307_methods);
+}
diff --git a/source3/winbindd/idmap_rid.c b/source3/winbindd/idmap_rid.c
new file mode 100644
index 0000000..33f0496
--- /dev/null
+++ b/source3/winbindd/idmap_rid.c
@@ -0,0 +1,182 @@
+/*
+ * idmap_rid: static map between Active Directory/NT RIDs and RFC 2307 accounts
+ * Copyright (C) Guenther Deschner, 2004
+ * Copyright (C) Sumit Bose, 2004
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#include "includes.h"
+#include "winbindd.h"
+#include "idmap.h"
+#include "../libcli/security/dom_sid.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_IDMAP
+
+struct idmap_rid_context {
+ uint32_t base_rid;
+};
+
+/******************************************************************************
+ compat params can't be used because of the completely different way
+ we support multiple domains in the new idmap
+ *****************************************************************************/
+
+static NTSTATUS idmap_rid_initialize(struct idmap_domain *dom)
+{
+ struct idmap_rid_context *ctx;
+
+ ctx = talloc_zero(dom, struct idmap_rid_context);
+ if (ctx == NULL) {
+ DEBUG(0, ("Out of memory!\n"));
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ ctx->base_rid = idmap_config_int(dom->name, "base_rid", 0);
+
+ dom->private_data = ctx;
+
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS idmap_rid_id_to_sid(struct idmap_domain *dom, struct id_map *map)
+{
+ struct idmap_rid_context *ctx;
+
+ ctx = talloc_get_type(dom->private_data, struct idmap_rid_context);
+
+ /* apply filters before checking */
+ if (!idmap_unix_id_is_in_range(map->xid.id, dom)) {
+ DEBUG(5, ("Requested id (%u) out of range (%u - %u). Filtered!\n",
+ map->xid.id, dom->low_id, dom->high_id));
+ return NT_STATUS_NONE_MAPPED;
+ }
+
+ if (is_null_sid(&dom->dom_sid)) {
+ DBG_INFO("idmap domain '%s' without SID\n", dom->name);
+ return NT_STATUS_NONE_MAPPED;
+ }
+
+ sid_compose(map->sid, &dom->dom_sid,
+ map->xid.id - dom->low_id + ctx->base_rid);
+
+ map->status = ID_MAPPED;
+ map->xid.type = ID_TYPE_BOTH;
+
+ return NT_STATUS_OK;
+}
+
+/**********************************
+ Single sid to id lookup function.
+**********************************/
+
+static NTSTATUS idmap_rid_sid_to_id(struct idmap_domain *dom, struct id_map *map)
+{
+ uint32_t rid;
+ struct idmap_rid_context *ctx;
+
+ ctx = talloc_get_type(dom->private_data, struct idmap_rid_context);
+
+ sid_peek_rid(map->sid, &rid);
+ map->xid.id = rid - ctx->base_rid + dom->low_id;
+ map->xid.type = ID_TYPE_BOTH;
+
+ /* apply filters before returning result */
+
+ if (!idmap_unix_id_is_in_range(map->xid.id, dom)) {
+ DEBUG(5, ("Requested id (%u) out of range (%u - %u). Filtered!\n",
+ map->xid.id, dom->low_id, dom->high_id));
+ map->status = ID_UNMAPPED;
+ return NT_STATUS_NONE_MAPPED;
+ }
+
+ map->status = ID_MAPPED;
+
+ return NT_STATUS_OK;
+}
+
+/**********************************
+ lookup a set of unix ids.
+**********************************/
+
+static NTSTATUS idmap_rid_unixids_to_sids(struct idmap_domain *dom, struct id_map **ids)
+{
+ NTSTATUS ret;
+ int i;
+
+ /* initialize the status to avoid suprise */
+ for (i = 0; ids[i]; i++) {
+ ids[i]->status = ID_UNKNOWN;
+ }
+
+ for (i = 0; ids[i]; i++) {
+
+ ret = idmap_rid_id_to_sid(dom, ids[i]);
+
+ if (( ! NT_STATUS_IS_OK(ret)) &&
+ ( ! NT_STATUS_EQUAL(ret, NT_STATUS_NONE_MAPPED))) {
+ /* some fatal error occurred, log it */
+ DBG_NOTICE("Unexpected error resolving an ID "
+ "(%d): %s\n", ids[i]->xid.id,
+ nt_errstr(ret));
+ }
+ }
+
+ return NT_STATUS_OK;
+}
+
+/**********************************
+ lookup a set of sids.
+**********************************/
+
+static NTSTATUS idmap_rid_sids_to_unixids(struct idmap_domain *dom, struct id_map **ids)
+{
+ NTSTATUS ret;
+ int i;
+
+ /* initialize the status to avoid suprise */
+ for (i = 0; ids[i]; i++) {
+ ids[i]->status = ID_UNKNOWN;
+ }
+
+ for (i = 0; ids[i]; i++) {
+
+ ret = idmap_rid_sid_to_id(dom, ids[i]);
+
+ if (( ! NT_STATUS_IS_OK(ret)) &&
+ ( ! NT_STATUS_EQUAL(ret, NT_STATUS_NONE_MAPPED))) {
+ struct dom_sid_buf buf;
+ /* some fatal error occurred, log it */
+ DEBUG(3, ("Unexpected error resolving a SID (%s)\n",
+ dom_sid_str_buf(ids[i]->sid, &buf)));
+ }
+ }
+
+ return NT_STATUS_OK;
+}
+
+static const struct idmap_methods rid_methods = {
+ .init = idmap_rid_initialize,
+ .unixids_to_sids = idmap_rid_unixids_to_sids,
+ .sids_to_unixids = idmap_rid_sids_to_unixids,
+};
+
+static_decl_idmap;
+NTSTATUS idmap_rid_init(TALLOC_CTX *ctx)
+{
+ return smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION, "rid", &rid_methods);
+}
+
diff --git a/source3/winbindd/idmap_rw.c b/source3/winbindd/idmap_rw.c
new file mode 100644
index 0000000..71bfc14
--- /dev/null
+++ b/source3/winbindd/idmap_rw.c
@@ -0,0 +1,109 @@
+/*
+ * Unix SMB/CIFS implementation.
+ *
+ * ID mapping: abstract r/w new-mapping mechanism
+ *
+ * Copyright (C) Michael Adam 2010
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "includes.h"
+#include "winbindd.h"
+#include "idmap.h"
+#include "idmap_rw.h"
+#include "libcli/security/dom_sid.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_IDMAP
+
+NTSTATUS idmap_rw_new_mapping(struct idmap_domain *dom,
+ struct idmap_rw_ops *ops,
+ struct id_map *map)
+{
+ struct dom_sid_buf buf;
+ NTSTATUS status;
+
+ if (map == NULL) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ if (map->sid == NULL) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ switch (map->xid.type) {
+ case ID_TYPE_NOT_SPECIFIED:
+ /*
+ * We need to know if we need a user or group mapping.
+ * Ask the winbindd parent to provide a valid type hint.
+ */
+ DBG_INFO("%s ID_TYPE_NOT_SPECIFIED => ID_REQUIRE_TYPE\n",
+ dom_sid_str_buf(map->sid, &buf));
+ map->status = ID_REQUIRE_TYPE;
+ return NT_STATUS_SOME_NOT_MAPPED;
+
+ case ID_TYPE_BOTH:
+ /*
+ * For now we still require
+ * an explicit type as hint
+ * and don't support ID_TYPE_BOTH
+ */
+ DBG_INFO("%s ID_TYPE_BOTH => ID_REQUIRE_TYPE\n",
+ dom_sid_str_buf(map->sid, &buf));
+ map->status = ID_REQUIRE_TYPE;
+ return NT_STATUS_SOME_NOT_MAPPED;
+
+ case ID_TYPE_UID:
+ break;
+
+ case ID_TYPE_GID:
+ break;
+
+ default:
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ status = ops->get_new_id(dom, &map->xid);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(3, ("Could not allocate id: %s\n", nt_errstr(status)));
+ return status;
+ }
+
+ DEBUG(10, ("Setting mapping: %s <-> %s %lu\n",
+ dom_sid_str_buf(map->sid, &buf),
+ (map->xid.type == ID_TYPE_UID) ? "UID" : "GID",
+ (unsigned long)map->xid.id));
+
+ map->status = ID_MAPPED;
+ status = ops->set_mapping(dom, map);
+
+ if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_COLLISION)) {
+ struct id_map *ids[2];
+ DEBUG(5, ("Mapping for %s exists - retrying to map sid\n",
+ dom_sid_str_buf(map->sid, &buf)));
+ ids[0] = map;
+ ids[1] = NULL;
+ status = dom->methods->sids_to_unixids(dom, ids);
+ }
+
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(3, ("Could not store the new mapping: %s\n",
+ nt_errstr(status)));
+ return status;
+ }
+
+ return NT_STATUS_OK;
+}
diff --git a/source3/winbindd/idmap_rw.h b/source3/winbindd/idmap_rw.h
new file mode 100644
index 0000000..72389e7
--- /dev/null
+++ b/source3/winbindd/idmap_rw.h
@@ -0,0 +1,56 @@
+/*
+ * Unix SMB/CIFS implementation.
+ *
+ * ID mapping: abstract r/w new-mapping mechanism
+ *
+ * Copyright (C) Michael Adam 2010
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+/*
+ * This module implements the abstract logic for creating a new
+ * SID<->Unix-ID mapping. It can be used by idmap backends that
+ * need to create mappings for unmapped SIDs upon request.
+ */
+
+#ifndef _IDMAP_RW_H_
+#define _IDMAP_RW_H_
+
+#include "includes.h"
+#include "idmap.h"
+
+struct idmap_rw_ops {
+ NTSTATUS (*get_new_id)(struct idmap_domain *dom, struct unixid *id);
+ NTSTATUS (*set_mapping)(struct idmap_domain *dom,
+ const struct id_map *map);
+};
+
+/**
+ * This is the abstract mechanism of creating a new mapping
+ * for a given SID. It is meant to be called called from an
+ * allocating backend from within idmap_<backend>_sids_to_unixids().
+ * It expects map->sid and map->xid.type to be set.
+ * Upon success, the new mapping is stored by the backend and
+ * map contains the new mapped xid.
+ *
+ * The caller has to take care of the necessary steps to
+ * guarantee atomicity of the operation, e.g. wrapping
+ * this call in a transaction if available.
+ */
+NTSTATUS idmap_rw_new_mapping(struct idmap_domain *dom,
+ struct idmap_rw_ops *ops,
+ struct id_map *map);
+
+#endif /* _IDMAP_RW_H_ */
diff --git a/source3/winbindd/idmap_script.c b/source3/winbindd/idmap_script.c
new file mode 100644
index 0000000..bb89175
--- /dev/null
+++ b/source3/winbindd/idmap_script.c
@@ -0,0 +1,650 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ idmap script backend, used for Samba setups where you need to map SIDs to
+ specific UIDs/GIDs.
+
+ Copyright (C) Richard Sharpe 2014.
+
+ This is heavily based upon idmap_tdb2.c, which is:
+
+ Copyright (C) Tim Potter 2000
+ Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003
+ Copyright (C) Jeremy Allison 2006
+ Copyright (C) Simo Sorce 2003-2006
+ Copyright (C) Michael Adam 2009-2010
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "includes.h"
+#include "system/filesys.h"
+#include "winbindd.h"
+#include "idmap.h"
+#include "idmap_rw.h"
+#include "../libcli/security/dom_sid.h"
+#include "lib/util_file.h"
+#include "lib/util/tevent_unix.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_IDMAP
+
+struct idmap_script_context {
+ const char *script; /* script to provide idmaps */
+};
+
+/*
+ run a script to perform a mapping
+
+ The script should accept the following command lines:
+
+ SIDTOID S-1-xxxx -> XID:<id> | ERR:<str>
+ SIDTOID S-1-xxxx -> UID:<id> | ERR:<str>
+ SIDTOID S-1-xxxx -> GID:<id> | ERR:<str>
+ IDTOSID XID xxxx -> SID:<sid> | ERR:<str>
+ IDTOSID UID xxxx -> SID:<sid> | ERR:<str>
+ IDTOSID GID xxxx -> SID:<sid> | ERR:<str>
+
+ where XID means both a UID and a GID. This is the case for ID_TYPE_BOTH.
+
+ TODO: Needs more validation ... like that we got a UID when we asked for one.
+ */
+
+struct idmap_script_xid2sid_state {
+ char **argl;
+ size_t idx;
+ uint8_t *out;
+};
+
+static void idmap_script_xid2sid_done(struct tevent_req *subreq);
+
+static struct tevent_req *idmap_script_xid2sid_send(
+ TALLOC_CTX *mem_ctx, struct tevent_context *ev,
+ struct unixid xid, const char *script, size_t idx)
+{
+ struct tevent_req *req, *subreq;
+ struct idmap_script_xid2sid_state *state;
+ char key;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct idmap_script_xid2sid_state);
+ if (req == NULL) {
+ return NULL;
+ }
+ state->idx = idx;
+
+ switch (xid.type) {
+ case ID_TYPE_UID:
+ key = 'U';
+ break;
+ case ID_TYPE_GID:
+ key = 'G';
+ break;
+ case ID_TYPE_BOTH:
+ key = 'X';
+ break;
+ default:
+ DBG_WARNING("INVALID unix ID type: 0x02%x\n", xid.type);
+ tevent_req_error(req, EINVAL);
+ return tevent_req_post(req, ev);
+ }
+
+ state->argl = str_list_make_empty(state);
+ str_list_add_printf(&state->argl, "%s", script);
+ str_list_add_printf(&state->argl, "IDTOSID");
+ str_list_add_printf(&state->argl, "%cID", key);
+ str_list_add_printf(&state->argl, "%lu", (unsigned long)xid.id);
+ if (tevent_req_nomem(state->argl, req)) {
+ return tevent_req_post(req, ev);
+ }
+
+ subreq = file_ploadv_send(state, ev, state->argl, 1024);
+ if (tevent_req_nomem(subreq, req)) {
+ return tevent_req_post(req, ev);
+ }
+ tevent_req_set_callback(subreq, idmap_script_xid2sid_done, req);
+ return req;
+}
+
+static void idmap_script_xid2sid_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct idmap_script_xid2sid_state *state = tevent_req_data(
+ req, struct idmap_script_xid2sid_state);
+ int ret;
+
+ ret = file_ploadv_recv(subreq, state, &state->out);
+ TALLOC_FREE(subreq);
+ if (tevent_req_error(req, ret)) {
+ return;
+ }
+ tevent_req_done(req);
+}
+
+static int idmap_script_xid2sid_recv(struct tevent_req *req, size_t *idx,
+ enum id_mapping *status,
+ struct dom_sid *sid)
+{
+ struct idmap_script_xid2sid_state *state = tevent_req_data(
+ req, struct idmap_script_xid2sid_state);
+ char *out = (char *)state->out;
+ size_t out_size = talloc_get_size(out);
+ int err;
+
+ if (tevent_req_is_unix_error(req, &err)) {
+ return err;
+ }
+
+ if (out_size == 0) {
+ goto unmapped;
+ }
+ if (state->out[out_size-1] != '\0') {
+ goto unmapped;
+ }
+
+ *idx = state->idx;
+
+ if ((strncmp(out, "SID:S-", 6) != 0) ||
+ !dom_sid_parse(out+4, sid)) {
+ DBG_WARNING("Bad sid from script: %s\n", out);
+ goto unmapped;
+ }
+
+ *status = ID_MAPPED;
+ return 0;
+
+unmapped:
+ *sid = (struct dom_sid) {0};
+ *status = ID_UNMAPPED;
+ return 0;
+}
+
+struct idmap_script_xids2sids_state {
+ struct id_map **ids;
+ size_t num_ids;
+ size_t num_done;
+};
+
+static void idmap_script_xids2sids_done(struct tevent_req *subreq);
+
+static struct tevent_req *idmap_script_xids2sids_send(
+ TALLOC_CTX *mem_ctx, struct tevent_context *ev,
+ struct id_map **ids, size_t num_ids, const char *script)
+{
+ struct tevent_req *req;
+ struct idmap_script_xids2sids_state *state;
+ size_t i;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct idmap_script_xids2sids_state);
+ if (req == NULL) {
+ return NULL;
+ }
+ state->ids = ids;
+ state->num_ids = num_ids;
+
+ if (state->num_ids == 0) {
+ tevent_req_done(req);
+ return tevent_req_post(req, ev);
+ }
+
+ for (i=0; i<num_ids; i++) {
+ struct tevent_req *subreq;
+
+ subreq = idmap_script_xid2sid_send(
+ state, ev, ids[i]->xid, script, i);
+ if (tevent_req_nomem(subreq, req)) {
+ return tevent_req_post(req, ev);
+ }
+ tevent_req_set_callback(subreq, idmap_script_xids2sids_done,
+ req);
+ }
+
+ return req;
+}
+
+static void idmap_script_xids2sids_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct idmap_script_xids2sids_state *state = tevent_req_data(
+ req, struct idmap_script_xids2sids_state);
+ size_t idx = 0;
+ enum id_mapping status = ID_UNKNOWN;
+ struct dom_sid sid = {0};
+ int ret;
+
+ ret = idmap_script_xid2sid_recv(subreq, &idx, &status, &sid);
+ TALLOC_FREE(subreq);
+ if (tevent_req_error(req, ret)) {
+ return;
+ }
+
+ if (idx >= state->num_ids) {
+ tevent_req_error(req, EINVAL);
+ return;
+ }
+
+ state->ids[idx]->status = status;
+
+ state->ids[idx]->sid = dom_sid_dup(state->ids, &sid);
+ if (tevent_req_nomem(state->ids[idx]->sid, req)) {
+ return;
+ }
+
+ state->num_done += 1;
+
+ if (state->num_done >= state->num_ids) {
+ tevent_req_done(req);
+ }
+}
+
+static int idmap_script_xids2sids_recv(struct tevent_req *req)
+{
+ return tevent_req_simple_recv_unix(req);
+}
+
+static int idmap_script_xids2sids(struct id_map **ids, size_t num_ids,
+ const char *script)
+{
+ TALLOC_CTX *frame = talloc_stackframe();
+ struct tevent_context *ev;
+ struct tevent_req *req;
+ int ret = ENOMEM;
+
+ ev = samba_tevent_context_init(frame);
+ if (ev == NULL) {
+ goto fail;
+ }
+ req = idmap_script_xids2sids_send(frame, ev, ids, num_ids, script);
+ if (req == NULL) {
+ goto fail;
+ }
+ if (!tevent_req_poll(req, ev)) {
+ ret = errno;
+ goto fail;
+ }
+ ret = idmap_script_xids2sids_recv(req);
+fail:
+ TALLOC_FREE(frame);
+ return ret;
+}
+
+static NTSTATUS idmap_script_unixids_to_sids(struct idmap_domain *dom,
+ struct id_map **ids)
+{
+ struct idmap_script_context *ctx = talloc_get_type_abort(
+ dom->private_data, struct idmap_script_context);
+ int ret;
+ size_t i, num_ids, num_mapped;
+
+ DEBUG(10, ("%s called ...\n", __func__));
+ /* Init status to avoid surprise ... */
+ for (i = 0; ids[i]; i++) {
+ ids[i]->status = ID_UNKNOWN;
+ }
+ num_ids = i;
+
+ ret = idmap_script_xids2sids(ids, num_ids, ctx->script);
+ if (ret != 0) {
+ DBG_DEBUG("idmap_script_xids2sids returned %s\n",
+ strerror(ret));
+ return map_nt_error_from_unix(ret);
+ }
+
+ num_mapped = 0;
+
+ for (i = 0; ids[i]; i++) {
+ if (ids[i]->status == ID_MAPPED) {
+ num_mapped += 1;
+ }
+ }
+
+ if (num_mapped == 0) {
+ return NT_STATUS_NONE_MAPPED;
+ }
+ if (num_mapped < num_ids) {
+ return STATUS_SOME_UNMAPPED;
+ }
+ return NT_STATUS_OK;
+}
+
+struct idmap_script_sid2xid_state {
+ char **argl;
+ size_t idx;
+ uint8_t *out;
+};
+
+static void idmap_script_sid2xid_done(struct tevent_req *subreq);
+
+static struct tevent_req *idmap_script_sid2xid_send(
+ TALLOC_CTX *mem_ctx, struct tevent_context *ev,
+ const struct dom_sid *sid, const char *script, size_t idx)
+{
+ struct tevent_req *req, *subreq;
+ struct idmap_script_sid2xid_state *state;
+ struct dom_sid_buf sidbuf;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct idmap_script_sid2xid_state);
+ if (req == NULL) {
+ return NULL;
+ }
+ state->idx = idx;
+
+ state->argl = str_list_make_empty(state);
+ str_list_add_printf(&state->argl, "%s", script);
+ str_list_add_printf(&state->argl, "SIDTOID");
+ str_list_add_printf(
+ &state->argl, "%s", dom_sid_str_buf(sid, &sidbuf));
+ if (tevent_req_nomem(state->argl, req)) {
+ return tevent_req_post(req, ev);
+ }
+
+ subreq = file_ploadv_send(state, ev, state->argl, 1024);
+ if (tevent_req_nomem(subreq, req)) {
+ return tevent_req_post(req, ev);
+ }
+ tevent_req_set_callback(subreq, idmap_script_sid2xid_done, req);
+ return req;
+}
+
+static void idmap_script_sid2xid_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct idmap_script_sid2xid_state *state = tevent_req_data(
+ req, struct idmap_script_sid2xid_state);
+ int ret;
+
+ ret = file_ploadv_recv(subreq, state, &state->out);
+ TALLOC_FREE(subreq);
+ if (tevent_req_error(req, ret)) {
+ return;
+ }
+ tevent_req_done(req);
+}
+
+static int idmap_script_sid2xid_recv(struct tevent_req *req,
+ size_t *idx, enum id_mapping *status,
+ struct unixid *xid)
+{
+ struct idmap_script_sid2xid_state *state = tevent_req_data(
+ req, struct idmap_script_sid2xid_state);
+ char *out = (char *)state->out;
+ size_t out_size = talloc_get_size(out);
+ unsigned long v;
+ int err;
+
+ if (tevent_req_is_unix_error(req, &err)) {
+ return err;
+ }
+
+ if (out_size == 0) {
+ goto unmapped;
+ }
+ if (state->out[out_size-1] != '\0') {
+ goto unmapped;
+ }
+
+ *idx = state->idx;
+
+ if (sscanf(out, "XID:%lu\n", &v) == 1) {
+ *xid = (struct unixid) { .id = v, .type = ID_TYPE_BOTH };
+ } else if (sscanf(out, "UID:%lu\n", &v) == 1) {
+ *xid = (struct unixid) { .id = v, .type = ID_TYPE_UID };
+ } else if (sscanf(out, "GID:%lu\n", &v) == 1) {
+ *xid = (struct unixid) { .id = v, .type = ID_TYPE_GID };
+ } else {
+ goto unmapped;
+ }
+
+ *status = ID_MAPPED;
+ return 0;
+
+unmapped:
+ *xid = (struct unixid) { .id = UINT32_MAX,
+ .type = ID_TYPE_NOT_SPECIFIED };
+ *status = ID_UNMAPPED;
+ return 0;
+}
+
+struct idmap_script_sids2xids_state {
+ struct id_map **ids;
+ size_t num_ids;
+ size_t num_done;
+};
+
+static void idmap_script_sids2xids_done(struct tevent_req *subreq);
+
+static struct tevent_req *idmap_script_sids2xids_send(
+ TALLOC_CTX *mem_ctx, struct tevent_context *ev,
+ struct id_map **ids, size_t num_ids, const char *script)
+{
+ struct tevent_req *req;
+ struct idmap_script_sids2xids_state *state;
+ size_t i;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct idmap_script_sids2xids_state);
+ if (req == NULL) {
+ return NULL;
+ }
+ state->ids = ids;
+ state->num_ids = num_ids;
+
+ if (state->num_ids == 0) {
+ tevent_req_done(req);
+ return tevent_req_post(req, ev);
+ }
+
+ for (i=0; i<num_ids; i++) {
+ struct tevent_req *subreq;
+
+ subreq = idmap_script_sid2xid_send(
+ state, ev, ids[i]->sid, script, i);
+ if (tevent_req_nomem(subreq, req)) {
+ return tevent_req_post(req, ev);
+ }
+ tevent_req_set_callback(subreq, idmap_script_sids2xids_done,
+ req);
+ }
+
+ return req;
+}
+
+static void idmap_script_sids2xids_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct idmap_script_sids2xids_state *state = tevent_req_data(
+ req, struct idmap_script_sids2xids_state);
+ size_t idx = 0;
+ enum id_mapping status = ID_UNKNOWN;
+ struct unixid xid = { .id = UINT32_MAX,
+ .type = ID_TYPE_NOT_SPECIFIED };
+ int ret;
+
+ ret = idmap_script_sid2xid_recv(subreq, &idx, &status, &xid);
+ TALLOC_FREE(subreq);
+ if (tevent_req_error(req, ret)) {
+ return;
+ }
+
+ if (idx >= state->num_ids) {
+ tevent_req_error(req, EINVAL);
+ return;
+ }
+
+ state->ids[idx]->status = status;
+ state->ids[idx]->xid = xid;
+
+ state->num_done += 1;
+
+ if (state->num_done >= state->num_ids) {
+ tevent_req_done(req);
+ }
+}
+
+static int idmap_script_sids2xids_recv(struct tevent_req *req)
+{
+ return tevent_req_simple_recv_unix(req);
+}
+
+static int idmap_script_sids2xids(struct id_map **ids, size_t num_ids,
+ const char *script)
+{
+ TALLOC_CTX *frame = talloc_stackframe();
+ struct tevent_context *ev;
+ struct tevent_req *req;
+ int ret = ENOMEM;
+
+ ev = samba_tevent_context_init(frame);
+ if (ev == NULL) {
+ goto fail;
+ }
+ req = idmap_script_sids2xids_send(frame, ev, ids, num_ids, script);
+ if (req == NULL) {
+ goto fail;
+ }
+ if (!tevent_req_poll(req, ev)) {
+ ret = errno;
+ goto fail;
+ }
+ ret = idmap_script_sids2xids_recv(req);
+fail:
+ TALLOC_FREE(frame);
+ return ret;
+}
+
+static NTSTATUS idmap_script_sids_to_unixids(struct idmap_domain *dom,
+ struct id_map **ids)
+{
+ struct idmap_script_context *ctx = talloc_get_type_abort(
+ dom->private_data, struct idmap_script_context);
+ int ret;
+ size_t i, num_ids, num_mapped;
+
+ DEBUG(10, ("%s called ...\n", __func__));
+ /* Init status to avoid surprise ... */
+ for (i = 0; ids[i]; i++) {
+ ids[i]->status = ID_UNKNOWN;
+ }
+ num_ids = i;
+
+ ret = idmap_script_sids2xids(ids, num_ids, ctx->script);
+ if (ret != 0) {
+ DBG_DEBUG("idmap_script_sids2xids returned %s\n",
+ strerror(ret));
+ return map_nt_error_from_unix(ret);
+ }
+
+ num_mapped = 0;
+
+ for (i=0; i<num_ids; i++) {
+ struct id_map *map = ids[i];
+
+ if ((map->status == ID_MAPPED) &&
+ !idmap_unix_id_is_in_range(map->xid.id, dom)) {
+ DBG_INFO("Script returned id (%u) out of range "
+ "(%u - %u). Filtered!\n",
+ map->xid.id, dom->low_id, dom->high_id);
+ map->status = ID_UNMAPPED;
+ }
+
+ if (map->status == ID_MAPPED) {
+ num_mapped += 1;
+ }
+ }
+
+ if (num_mapped == 0) {
+ return NT_STATUS_NONE_MAPPED;
+ }
+ if (num_mapped < num_ids) {
+ return STATUS_SOME_UNMAPPED;
+ }
+ return NT_STATUS_OK;
+}
+
+/*
+ * Initialise idmap_script database.
+ */
+static NTSTATUS idmap_script_db_init(struct idmap_domain *dom)
+{
+ NTSTATUS ret;
+ struct idmap_script_context *ctx;
+ const char * idmap_script = NULL;
+ const char *ctx_script = NULL;
+
+ DEBUG(10, ("%s called ...\n", __func__));
+
+ ctx = talloc_zero(dom, struct idmap_script_context);
+ if (!ctx) {
+ DEBUG(0, ("Out of memory!\n"));
+ ret = NT_STATUS_NO_MEMORY;
+ goto failed;
+ }
+
+ ctx_script = idmap_config_const_string(dom->name, "script", NULL);
+
+ /* Do we even need to handle this? */
+ idmap_script = lp_parm_const_string(-1, "idmap", "script", NULL);
+ if (idmap_script != NULL) {
+ DEBUG(0, ("Warning: 'idmap:script' is deprecated. "
+ " Please use 'idmap config * : script' instead!\n"));
+ }
+
+ if (strequal(dom->name, "*") && ctx_script == NULL) {
+ /* fall back to idmap:script for backwards compatibility */
+ ctx_script = idmap_script;
+ }
+
+ if (ctx_script) {
+ DEBUG(1, ("using idmap script '%s'\n", ctx->script));
+ /*
+ * We must ensure this memory is owned by ctx.
+ * The ctx_script const pointer is a pointer into
+ * the config file data and may become invalid
+ * on config file reload. BUG: 13956
+ */
+ ctx->script = talloc_strdup(ctx, ctx_script);
+ if (ctx->script == NULL) {
+ ret = NT_STATUS_NO_MEMORY;
+ goto failed;
+ }
+ }
+
+ dom->private_data = ctx;
+ dom->read_only = true; /* We do not allocate!*/
+
+ return NT_STATUS_OK;
+
+failed:
+ talloc_free(ctx);
+ return ret;
+}
+
+static const struct idmap_methods db_methods = {
+ .init = idmap_script_db_init,
+ .unixids_to_sids = idmap_script_unixids_to_sids,
+ .sids_to_unixids = idmap_script_sids_to_unixids,
+};
+
+static_decl_idmap;
+NTSTATUS idmap_script_init(TALLOC_CTX *ctx)
+{
+ return smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION, "script", &db_methods);
+}
diff --git a/source3/winbindd/idmap_tdb.c b/source3/winbindd/idmap_tdb.c
new file mode 100644
index 0000000..ac0dbec
--- /dev/null
+++ b/source3/winbindd/idmap_tdb.c
@@ -0,0 +1,442 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ idmap TDB backend
+
+ Copyright (C) Tim Potter 2000
+ Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003
+ Copyright (C) Jeremy Allison 2006
+ Copyright (C) Simo Sorce 2003-2006
+ Copyright (C) Michael Adam 2009-2010
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "system/filesys.h"
+#include "winbindd.h"
+#include "idmap.h"
+#include "idmap_rw.h"
+#include "idmap_tdb_common.h"
+#include "dbwrap/dbwrap.h"
+#include "dbwrap/dbwrap_open.h"
+#include "../libcli/security/security.h"
+#include "util_tdb.h"
+#include "lib/util/string_wrappers.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_IDMAP
+
+/* idmap version determines auto-conversion - this is the database
+ structure version specifier. */
+
+#define IDMAP_VERSION 2
+
+/* High water mark keys */
+#define HWM_GROUP "GROUP HWM"
+#define HWM_USER "USER HWM"
+
+struct convert_fn_state {
+ struct db_context *db;
+ bool failed;
+};
+
+/*****************************************************************************
+ For idmap conversion: convert one record to new format
+ Ancient versions (eg 2.2.3a) of winbindd_idmap.tdb mapped DOMAINNAME/rid
+ instead of the SID.
+*****************************************************************************/
+static int convert_fn(struct db_record *rec, void *private_data)
+{
+ struct winbindd_domain *domain;
+ char *p;
+ NTSTATUS status;
+ struct dom_sid sid;
+ uint32_t rid;
+ struct dom_sid_buf keystr;
+ fstring dom_name;
+ TDB_DATA key;
+ TDB_DATA key2;
+ TDB_DATA value;
+ struct convert_fn_state *s = (struct convert_fn_state *)private_data;
+
+ key = dbwrap_record_get_key(rec);
+
+ DEBUG(10,("Converting %s\n", (const char *)key.dptr));
+
+ p = strchr((const char *)key.dptr, '/');
+ if (!p)
+ return 0;
+
+ *p = 0;
+ fstrcpy(dom_name, (const char *)key.dptr);
+ *p++ = '/';
+
+ domain = find_domain_from_name(dom_name);
+ if (domain == NULL) {
+ /* We must delete the old record. */
+ DEBUG(0,("Unable to find domain %s\n", dom_name ));
+ DEBUG(0,("deleting record %s\n", (const char *)key.dptr ));
+
+ status = dbwrap_record_delete(rec);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("Unable to delete record %s:%s\n",
+ (const char *)key.dptr,
+ nt_errstr(status)));
+ s->failed = true;
+ return -1;
+ }
+
+ return 0;
+ }
+
+ rid = atoi(p);
+
+ sid_compose(&sid, &domain->sid, rid);
+
+ key2 = string_term_tdb_data(dom_sid_str_buf(&sid, &keystr));
+
+ value = dbwrap_record_get_value(rec);
+
+ status = dbwrap_store(s->db, key2, value, TDB_INSERT);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0,("Unable to add record %s:%s\n",
+ (const char *)key2.dptr,
+ nt_errstr(status)));
+ s->failed = true;
+ return -1;
+ }
+
+ status = dbwrap_store(s->db, value, key2, TDB_REPLACE);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0,("Unable to update record %s:%s\n",
+ (const char *)value.dptr,
+ nt_errstr(status)));
+ s->failed = true;
+ return -1;
+ }
+
+ status = dbwrap_record_delete(rec);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0,("Unable to delete record %s:%s\n",
+ (const char *)key.dptr,
+ nt_errstr(status)));
+ s->failed = true;
+ return -1;
+ }
+
+ return 0;
+}
+
+/*****************************************************************************
+ Convert the idmap database from an older version.
+*****************************************************************************/
+
+static bool idmap_tdb_upgrade(struct idmap_domain *dom, struct db_context *db)
+{
+ int32_t vers;
+ struct convert_fn_state s;
+ NTSTATUS status;
+
+ status = dbwrap_fetch_int32_bystring(db, "IDMAP_VERSION", &vers);
+ if (!NT_STATUS_IS_OK(status)) {
+ vers = -1;
+ }
+
+ if (IREV(vers) == IDMAP_VERSION) {
+ /* Arrggghh ! Bytereversed - make order independent ! */
+ /*
+ * high and low records were created on a
+ * big endian machine and will need byte-reversing.
+ */
+
+ int32_t wm;
+
+ status = dbwrap_fetch_int32_bystring(db, HWM_USER, &wm);
+ if (!NT_STATUS_IS_OK(status)) {
+ wm = -1;
+ }
+
+ if (wm != -1) {
+ wm = IREV(wm);
+ } else {
+ wm = dom->low_id;
+ }
+
+ status = dbwrap_store_int32_bystring(db, HWM_USER, wm);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("Unable to byteswap user hwm in idmap "
+ "database: %s\n", nt_errstr(status)));
+ return False;
+ }
+
+ status = dbwrap_fetch_int32_bystring(db, HWM_GROUP, &wm);
+ if (!NT_STATUS_IS_OK(status)) {
+ wm = -1;
+ }
+
+ if (wm != -1) {
+ wm = IREV(wm);
+ } else {
+ wm = dom->low_id;
+ }
+
+ status = dbwrap_store_int32_bystring(db, HWM_GROUP, wm);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("Unable to byteswap group hwm in idmap "
+ "database: %s\n", nt_errstr(status)));
+ return False;
+ }
+ }
+
+ s.db = db;
+ s.failed = false;
+
+ /* the old format stored as DOMAIN/rid - now we store the SID direct */
+ status = dbwrap_traverse(db, convert_fn, &s, NULL);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("Database traverse failed during conversion\n"));
+ return false;
+ }
+
+ if (s.failed) {
+ DEBUG(0, ("Problem during conversion\n"));
+ return False;
+ }
+
+ status = dbwrap_store_int32_bystring(db, "IDMAP_VERSION",
+ IDMAP_VERSION);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("Unable to store idmap version in database: %s\n",
+ nt_errstr(status)));
+ return False;
+ }
+
+ return True;
+}
+
+static NTSTATUS idmap_tdb_init_hwm(struct idmap_domain *dom)
+{
+ uint32_t low_uid;
+ uint32_t low_gid;
+ bool update_uid = false;
+ bool update_gid = false;
+ struct idmap_tdb_common_context *ctx;
+ NTSTATUS status;
+
+ ctx = talloc_get_type(dom->private_data,
+ struct idmap_tdb_common_context);
+
+ status = dbwrap_fetch_uint32_bystring(ctx->db, HWM_USER, &low_uid);
+ if (!NT_STATUS_IS_OK(status) || low_uid < dom->low_id) {
+ update_uid = true;
+ }
+
+ status = dbwrap_fetch_uint32_bystring(ctx->db, HWM_GROUP, &low_gid);
+ if (!NT_STATUS_IS_OK(status) || low_gid < dom->low_id) {
+ update_gid = true;
+ }
+
+ if (!update_uid && !update_gid) {
+ return NT_STATUS_OK;
+ }
+
+ if (dbwrap_transaction_start(ctx->db) != 0) {
+ DEBUG(0, ("Unable to start upgrade transaction!\n"));
+ return NT_STATUS_INTERNAL_DB_ERROR;
+ }
+
+ if (update_uid) {
+ status = dbwrap_store_uint32_bystring(ctx->db, HWM_USER,
+ dom->low_id);
+ if (!NT_STATUS_IS_OK(status)) {
+ dbwrap_transaction_cancel(ctx->db);
+ DEBUG(0, ("Unable to initialise user hwm in idmap "
+ "database: %s\n", nt_errstr(status)));
+ return NT_STATUS_INTERNAL_DB_ERROR;
+ }
+ }
+
+ if (update_gid) {
+ status = dbwrap_store_uint32_bystring(ctx->db, HWM_GROUP,
+ dom->low_id);
+ if (!NT_STATUS_IS_OK(status)) {
+ dbwrap_transaction_cancel(ctx->db);
+ DEBUG(0, ("Unable to initialise group hwm in idmap "
+ "database: %s\n", nt_errstr(status)));
+ return NT_STATUS_INTERNAL_DB_ERROR;
+ }
+ }
+
+ if (dbwrap_transaction_commit(ctx->db) != 0) {
+ DEBUG(0, ("Unable to commit upgrade transaction!\n"));
+ return NT_STATUS_INTERNAL_DB_ERROR;
+ }
+
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS idmap_tdb_open_db(struct idmap_domain *dom)
+{
+ NTSTATUS ret;
+ TALLOC_CTX *mem_ctx;
+ char *tdbfile = NULL;
+ struct db_context *db = NULL;
+ int32_t version;
+ bool config_error = false;
+ struct idmap_tdb_common_context *ctx;
+
+ ctx = talloc_get_type(dom->private_data,
+ struct idmap_tdb_common_context);
+
+ if (ctx->db) {
+ /* it is already open */
+ return NT_STATUS_OK;
+ }
+
+ /* use our own context here */
+ mem_ctx = talloc_stackframe();
+
+ /* use the old database if present */
+ tdbfile = state_path(talloc_tos(), "winbindd_idmap.tdb");
+ if (!tdbfile) {
+ DEBUG(0, ("Out of memory!\n"));
+ ret = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
+
+ DEBUG(10,("Opening tdbfile %s\n", tdbfile ));
+
+ /* Open idmap repository */
+ db = db_open(mem_ctx, tdbfile, 0, TDB_DEFAULT, O_RDWR | O_CREAT, 0644,
+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
+ if (!db) {
+ DEBUG(0, ("Unable to open idmap database\n"));
+ ret = NT_STATUS_UNSUCCESSFUL;
+ goto done;
+ }
+
+ /* check against earlier versions */
+ ret = dbwrap_fetch_int32_bystring(db, "IDMAP_VERSION", &version);
+ if (!NT_STATUS_IS_OK(ret)) {
+ version = -1;
+ }
+
+ if (version != IDMAP_VERSION) {
+ if (config_error) {
+ DEBUG(0,("Upgrade of IDMAP_VERSION from %d to %d is not "
+ "possible with incomplete configuration\n",
+ version, IDMAP_VERSION));
+ ret = NT_STATUS_UNSUCCESSFUL;
+ goto done;
+ }
+ if (dbwrap_transaction_start(db) != 0) {
+ DEBUG(0, ("Unable to start upgrade transaction!\n"));
+ ret = NT_STATUS_INTERNAL_DB_ERROR;
+ goto done;
+ }
+
+ if (!idmap_tdb_upgrade(dom, db)) {
+ dbwrap_transaction_cancel(db);
+ DEBUG(0, ("Unable to open idmap database, it's in an old format, and upgrade failed!\n"));
+ ret = NT_STATUS_INTERNAL_DB_ERROR;
+ goto done;
+ }
+
+ if (dbwrap_transaction_commit(db) != 0) {
+ DEBUG(0, ("Unable to commit upgrade transaction!\n"));
+ ret = NT_STATUS_INTERNAL_DB_ERROR;
+ goto done;
+ }
+ }
+
+ ctx->db = talloc_move(ctx, &db);
+
+ ret = idmap_tdb_init_hwm(dom);
+
+done:
+ talloc_free(mem_ctx);
+ return ret;
+}
+
+/**********************************************************************
+ IDMAP MAPPING TDB BACKEND
+**********************************************************************/
+
+/*****************************
+ Initialise idmap database.
+*****************************/
+
+static NTSTATUS idmap_tdb_db_init(struct idmap_domain *dom)
+{
+ NTSTATUS ret;
+ struct idmap_tdb_common_context *ctx;
+
+ DEBUG(10, ("idmap_tdb_db_init called for domain '%s'\n", dom->name));
+
+ ctx = talloc_zero(dom, struct idmap_tdb_common_context);
+ if ( ! ctx) {
+ DEBUG(0, ("Out of memory!\n"));
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ /* load backend specific configuration here: */
+#if 0
+ if (strequal(dom->name, "*")) {
+ } else {
+ }
+#endif
+
+ ctx->rw_ops = talloc_zero(ctx, struct idmap_rw_ops);
+ if (ctx->rw_ops == NULL) {
+ DEBUG(0, ("Out of memory!\n"));
+ ret = NT_STATUS_NO_MEMORY;
+ goto failed;
+ }
+
+ ctx->max_id = dom->high_id;
+ ctx->hwmkey_uid = HWM_USER;
+ ctx->hwmkey_gid = HWM_GROUP;
+
+ ctx->rw_ops->get_new_id = idmap_tdb_common_get_new_id;
+ ctx->rw_ops->set_mapping = idmap_tdb_common_set_mapping;
+
+ dom->private_data = ctx;
+
+ ret = idmap_tdb_open_db(dom);
+ if ( ! NT_STATUS_IS_OK(ret)) {
+ goto failed;
+ }
+
+ return NT_STATUS_OK;
+
+failed:
+ talloc_free(ctx);
+ return ret;
+}
+
+static const struct idmap_methods db_methods = {
+ .init = idmap_tdb_db_init,
+ .unixids_to_sids = idmap_tdb_common_unixids_to_sids,
+ .sids_to_unixids = idmap_tdb_common_sids_to_unixids,
+ .allocate_id = idmap_tdb_common_get_new_id,
+};
+
+NTSTATUS idmap_tdb_init(TALLOC_CTX *mem_ctx)
+{
+ DEBUG(10, ("calling idmap_tdb_init\n"));
+
+ return smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION, "tdb", &db_methods);
+}
diff --git a/source3/winbindd/idmap_tdb2.c b/source3/winbindd/idmap_tdb2.c
new file mode 100644
index 0000000..f2731f9
--- /dev/null
+++ b/source3/winbindd/idmap_tdb2.c
@@ -0,0 +1,612 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ idmap TDB2 backend, used for clustered Samba setups.
+
+ This uses dbwrap to access tdb files. The location can be set
+ using tdb:idmap2.tdb =" in smb.conf
+
+ Copyright (C) Andrew Tridgell 2007
+
+ This is heavily based upon idmap_tdb.c, which is:
+
+ Copyright (C) Tim Potter 2000
+ Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003
+ Copyright (C) Jeremy Allison 2006
+ Copyright (C) Simo Sorce 2003-2006
+ Copyright (C) Michael Adam 2009-2010
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "includes.h"
+#include "system/filesys.h"
+#include "winbindd.h"
+#include "idmap.h"
+#include "idmap_rw.h"
+#include "dbwrap/dbwrap.h"
+#include "dbwrap/dbwrap_open.h"
+#include "../libcli/security/dom_sid.h"
+#include "util_tdb.h"
+#include "idmap_tdb_common.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_IDMAP
+
+struct idmap_tdb2_context {
+ const char *script; /* script to provide idmaps */
+};
+
+/* High water mark keys */
+#define HWM_GROUP "GROUP HWM"
+#define HWM_USER "USER HWM"
+
+/*
+ * check and initialize high/low water marks in the db
+ */
+static NTSTATUS idmap_tdb2_init_hwm(struct idmap_domain *dom)
+{
+ NTSTATUS status;
+ uint32_t low_id;
+ struct idmap_tdb_common_context *ctx;
+
+ ctx = talloc_get_type(dom->private_data,
+ struct idmap_tdb_common_context);
+
+ /* Create high water marks for group and user id */
+
+ status = dbwrap_fetch_uint32_bystring(ctx->db, HWM_USER, &low_id);
+ if (!NT_STATUS_IS_OK(status) || (low_id < dom->low_id)) {
+ status = dbwrap_trans_store_uint32_bystring(ctx->db, HWM_USER,
+ dom->low_id);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("Unable to initialise user hwm in idmap "
+ "database: %s\n", nt_errstr(status)));
+ return NT_STATUS_INTERNAL_DB_ERROR;
+ }
+ }
+
+ status = dbwrap_fetch_uint32_bystring(ctx->db, HWM_GROUP, &low_id);
+ if (!NT_STATUS_IS_OK(status) || (low_id < dom->low_id)) {
+ status = dbwrap_trans_store_uint32_bystring(ctx->db, HWM_GROUP,
+ dom->low_id);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("Unable to initialise group hwm in idmap "
+ "database: %s\n", nt_errstr(status)));
+ return NT_STATUS_INTERNAL_DB_ERROR;
+ }
+ }
+
+ return NT_STATUS_OK;
+}
+
+
+/*
+ open the permanent tdb
+ */
+static NTSTATUS idmap_tdb2_open_db(struct idmap_domain *dom)
+{
+ char *db_path;
+ struct idmap_tdb_common_context *ctx;
+
+ ctx = talloc_get_type(dom->private_data,
+ struct idmap_tdb_common_context);
+
+ if (ctx->db) {
+ /* its already open */
+ return NT_STATUS_OK;
+ }
+
+ db_path = talloc_asprintf(NULL, "%s/idmap2.tdb", lp_private_dir());
+ NT_STATUS_HAVE_NO_MEMORY(db_path);
+
+ /* Open idmap repository */
+ ctx->db = db_open(ctx, db_path, 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0644,
+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
+ if (ctx->db == NULL) {
+ DEBUG(0, ("Unable to open idmap_tdb2 database '%s'\n",
+ db_path));
+ TALLOC_FREE(db_path);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+ TALLOC_FREE(db_path);
+
+ return idmap_tdb2_init_hwm(dom);
+}
+
+/**
+ * store a mapping in the database.
+ */
+
+struct idmap_tdb2_set_mapping_context {
+ const char *ksidstr;
+ const char *kidstr;
+};
+
+static NTSTATUS idmap_tdb2_set_mapping_action(struct db_context *db,
+ void *private_data)
+{
+ TDB_DATA data;
+ NTSTATUS ret;
+ struct idmap_tdb2_set_mapping_context *state;
+ TALLOC_CTX *tmp_ctx = talloc_stackframe();
+
+ state = (struct idmap_tdb2_set_mapping_context *)private_data;
+
+ DEBUG(10, ("Storing %s <-> %s map\n", state->ksidstr, state->kidstr));
+
+ /* check wheter sid mapping is already present in db */
+ ret = dbwrap_fetch_bystring(db, tmp_ctx, state->ksidstr, &data);
+ if (NT_STATUS_IS_OK(ret)) {
+ ret = NT_STATUS_OBJECT_NAME_COLLISION;
+ goto done;
+ }
+
+ ret = dbwrap_store_bystring(db, state->ksidstr,
+ string_term_tdb_data(state->kidstr),
+ TDB_INSERT);
+ if (!NT_STATUS_IS_OK(ret)) {
+ DEBUG(0, ("Error storing SID -> ID: %s\n", nt_errstr(ret)));
+ goto done;
+ }
+
+ ret = dbwrap_store_bystring(db, state->kidstr,
+ string_term_tdb_data(state->ksidstr),
+ TDB_INSERT);
+ if (!NT_STATUS_IS_OK(ret)) {
+ DEBUG(0, ("Error storing ID -> SID: %s\n", nt_errstr(ret)));
+ /* try to remove the previous stored SID -> ID map */
+ dbwrap_delete_bystring(db, state->ksidstr);
+ goto done;
+ }
+
+ DEBUG(10,("Stored %s <-> %s\n", state->ksidstr, state->kidstr));
+
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+static NTSTATUS idmap_tdb2_set_mapping(struct idmap_domain *dom, const struct id_map *map)
+{
+ struct idmap_tdb2_context *ctx;
+ NTSTATUS ret;
+ char *kidstr;
+ struct dom_sid_buf sid_str;
+ struct idmap_tdb_common_context *commonctx;
+ struct idmap_tdb2_set_mapping_context state;
+
+ if (!map || !map->sid) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ kidstr = NULL;
+
+ /* TODO: should we filter a set_mapping using low/high filters ? */
+
+ commonctx = talloc_get_type(dom->private_data,
+ struct idmap_tdb_common_context);
+
+ ctx = talloc_get_type(commonctx->private_data,
+ struct idmap_tdb2_context);
+
+ switch (map->xid.type) {
+
+ case ID_TYPE_UID:
+ kidstr = talloc_asprintf(ctx, "UID %lu", (unsigned long)map->xid.id);
+ break;
+
+ case ID_TYPE_GID:
+ kidstr = talloc_asprintf(ctx, "GID %lu", (unsigned long)map->xid.id);
+ break;
+
+ default:
+ DEBUG(2, ("INVALID unix ID type: 0x02%x\n", map->xid.type));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ if (kidstr == NULL) {
+ DEBUG(0, ("ERROR: Out of memory!\n"));
+ ret = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
+
+ state.ksidstr = dom_sid_str_buf(map->sid, &sid_str);
+ state.kidstr = kidstr;
+
+ ret = dbwrap_trans_do(commonctx->db, idmap_tdb2_set_mapping_action,
+ &state);
+
+done:
+ talloc_free(kidstr);
+ return ret;
+}
+
+/*
+ run a script to perform a mapping
+
+ The script should the following command lines:
+
+ SIDTOID S-1-xxxx
+ IDTOSID UID xxxx
+ IDTOSID GID xxxx
+
+ and should return one of the following as a single line of text
+ UID:xxxx
+ GID:xxxx
+ SID:xxxx
+ ERR:xxxx
+ */
+static NTSTATUS idmap_tdb2_script(struct idmap_tdb2_context *ctx,
+ struct id_map *map, const char *fmt, ...)
+ PRINTF_ATTRIBUTE(3,4);
+
+static NTSTATUS idmap_tdb2_script(struct idmap_tdb2_context *ctx, struct id_map *map,
+ const char *fmt, ...)
+{
+ va_list ap;
+ char *cmd;
+ FILE *p;
+ char line[64];
+ unsigned long v;
+
+ cmd = talloc_asprintf(ctx, "%s ", ctx->script);
+ NT_STATUS_HAVE_NO_MEMORY(cmd);
+
+ va_start(ap, fmt);
+ cmd = talloc_vasprintf_append(cmd, fmt, ap);
+ va_end(ap);
+ NT_STATUS_HAVE_NO_MEMORY(cmd);
+
+ p = popen(cmd, "r");
+ talloc_free(cmd);
+ if (p == NULL) {
+ return NT_STATUS_NONE_MAPPED;
+ }
+
+ if (fgets(line, sizeof(line)-1, p) == NULL) {
+ pclose(p);
+ return NT_STATUS_NONE_MAPPED;
+ }
+ pclose(p);
+
+ DEBUG(10,("idmap script gave: %s\n", line));
+
+ if (sscanf(line, "UID:%lu", &v) == 1) {
+ map->xid.id = v;
+ map->xid.type = ID_TYPE_UID;
+ } else if (sscanf(line, "GID:%lu", &v) == 1) {
+ map->xid.id = v;
+ map->xid.type = ID_TYPE_GID;
+ } else if (strncmp(line, "SID:S-", 6) == 0) {
+ if (!string_to_sid(map->sid, &line[4])) {
+ DEBUG(0,("Bad SID in '%s' from idmap script %s\n",
+ line, ctx->script));
+ return NT_STATUS_NONE_MAPPED;
+ }
+ } else {
+ DEBUG(0,("Bad reply '%s' from idmap script %s\n",
+ line, ctx->script));
+ return NT_STATUS_NONE_MAPPED;
+ }
+
+ return NT_STATUS_OK;
+}
+
+
+
+/*
+ Single id to sid lookup function.
+*/
+static NTSTATUS idmap_tdb2_id_to_sid(struct idmap_domain *dom, struct id_map *map)
+{
+ NTSTATUS ret;
+ TDB_DATA data;
+ char *keystr;
+ NTSTATUS status;
+ struct idmap_tdb_common_context *commonctx;
+ struct idmap_tdb2_context *ctx;
+
+
+ if (!dom || !map) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ status = idmap_tdb2_open_db(dom);
+ NT_STATUS_NOT_OK_RETURN(status);
+
+ commonctx = talloc_get_type(dom->private_data,
+ struct idmap_tdb_common_context);
+
+ ctx = talloc_get_type(commonctx->private_data,
+ struct idmap_tdb2_context);
+
+ /* apply filters before checking */
+ if (!idmap_unix_id_is_in_range(map->xid.id, dom)) {
+ DEBUG(5, ("Requested id (%u) out of range (%u - %u). Filtered!\n",
+ map->xid.id, dom->low_id, dom->high_id));
+ return NT_STATUS_NONE_MAPPED;
+ }
+
+ switch (map->xid.type) {
+
+ case ID_TYPE_UID:
+ keystr = talloc_asprintf(ctx, "UID %lu", (unsigned long)map->xid.id);
+ break;
+
+ case ID_TYPE_GID:
+ keystr = talloc_asprintf(ctx, "GID %lu", (unsigned long)map->xid.id);
+ break;
+
+ default:
+ DEBUG(2, ("INVALID unix ID type: 0x02%x\n", map->xid.type));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ if (keystr == NULL) {
+ DEBUG(0, ("Out of memory!\n"));
+ ret = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
+
+ DEBUG(10,("Fetching record %s\n", keystr));
+
+ /* Check if the mapping exists */
+ status = dbwrap_fetch_bystring(commonctx->db, keystr, keystr, &data);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ struct dom_sid_buf sidstr;
+ struct idmap_tdb2_set_mapping_context store_state;
+
+ DEBUG(10,("Record %s not found\n", keystr));
+ if (ctx->script == NULL) {
+ ret = NT_STATUS_NONE_MAPPED;
+ goto done;
+ }
+
+ ret = idmap_tdb2_script(ctx, map, "IDTOSID %s", keystr);
+ if (!NT_STATUS_IS_OK(ret)) {
+ goto done;
+ }
+
+ store_state.ksidstr = dom_sid_str_buf(map->sid, &sidstr);
+ store_state.kidstr = keystr;
+
+ ret = dbwrap_trans_do(commonctx->db,
+ idmap_tdb2_set_mapping_action,
+ &store_state);
+ goto done;
+ }
+
+ if (!string_to_sid(map->sid, (const char *)data.dptr)) {
+ DEBUG(10,("INVALID SID (%s) in record %s\n",
+ (const char *)data.dptr, keystr));
+ ret = NT_STATUS_INTERNAL_DB_ERROR;
+ goto done;
+ }
+
+ DEBUG(10,("Found record %s -> %s\n", keystr, (const char *)data.dptr));
+ ret = NT_STATUS_OK;
+
+done:
+ talloc_free(keystr);
+ return ret;
+}
+
+
+/*
+ Single sid to id lookup function.
+*/
+static NTSTATUS idmap_tdb2_sid_to_id(struct idmap_domain *dom, struct id_map *map)
+{
+ NTSTATUS ret;
+ TDB_DATA data;
+ struct dom_sid_buf keystr;
+ unsigned long rec_id = 0;
+ struct idmap_tdb_common_context *commonctx;
+ struct idmap_tdb2_context *ctx;
+ TALLOC_CTX *tmp_ctx = talloc_stackframe();
+
+ ret = idmap_tdb2_open_db(dom);
+ NT_STATUS_NOT_OK_RETURN(ret);
+
+ commonctx = talloc_get_type(dom->private_data,
+ struct idmap_tdb_common_context);
+
+ ctx = talloc_get_type(commonctx->private_data,
+ struct idmap_tdb2_context);
+
+ dom_sid_str_buf(map->sid, &keystr);
+
+ DEBUG(10, ("Fetching record %s\n", keystr.buf));
+
+ /* Check if sid is present in database */
+ ret = dbwrap_fetch_bystring(commonctx->db, tmp_ctx, keystr.buf, &data);
+ if (!NT_STATUS_IS_OK(ret)) {
+ char *idstr;
+ struct idmap_tdb2_set_mapping_context store_state;
+
+ DBG_DEBUG("Record %s not found\n", keystr.buf);
+
+ if (ctx->script == NULL) {
+ ret = NT_STATUS_NONE_MAPPED;
+ goto done;
+ }
+
+ ret = idmap_tdb2_script(ctx, map, "SIDTOID %s", keystr.buf);
+ if (!NT_STATUS_IS_OK(ret)) {
+ goto done;
+ }
+
+ /* apply filters before returning result */
+ if (!idmap_unix_id_is_in_range(map->xid.id, dom)) {
+ DEBUG(5, ("Script returned id (%u) out of range "
+ "(%u - %u). Filtered!\n",
+ map->xid.id, dom->low_id, dom->high_id));
+ ret = NT_STATUS_NONE_MAPPED;
+ goto done;
+ }
+
+ idstr = talloc_asprintf(tmp_ctx, "%cID %lu",
+ map->xid.type == ID_TYPE_UID?'U':'G',
+ (unsigned long)map->xid.id);
+ if (idstr == NULL) {
+ ret = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
+
+ store_state.ksidstr = keystr.buf;
+ store_state.kidstr = idstr;
+
+ ret = dbwrap_trans_do(commonctx->db,
+ idmap_tdb2_set_mapping_action,
+ &store_state);
+ goto done;
+ }
+
+ /* What type of record is this ? */
+ if (sscanf((const char *)data.dptr, "UID %lu", &rec_id) == 1) { /* Try a UID record. */
+ map->xid.id = rec_id;
+ map->xid.type = ID_TYPE_UID;
+ DBG_DEBUG("Found uid record %s -> %s \n",
+ keystr.buf,
+ (const char *)data.dptr );
+ ret = NT_STATUS_OK;
+
+ } else if (sscanf((const char *)data.dptr, "GID %lu", &rec_id) == 1) { /* Try a GID record. */
+ map->xid.id = rec_id;
+ map->xid.type = ID_TYPE_GID;
+ DBG_DEBUG("Found gid record %s -> %s \n",
+ keystr.buf,
+ (const char *)data.dptr );
+ ret = NT_STATUS_OK;
+
+ } else { /* Unknown record type ! */
+ DBG_WARNING("Found INVALID record %s -> %s\n",
+ keystr.buf,
+ (const char *)data.dptr);
+ ret = NT_STATUS_INTERNAL_DB_ERROR;
+ goto done;
+ }
+
+ /* apply filters before returning result */
+ if (!idmap_unix_id_is_in_range(map->xid.id, dom)) {
+ DEBUG(5, ("Requested id (%u) out of range (%u - %u). Filtered!\n",
+ map->xid.id, dom->low_id, dom->high_id));
+ ret = NT_STATUS_NONE_MAPPED;
+ }
+
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+/*
+ Initialise idmap database.
+*/
+static NTSTATUS idmap_tdb2_db_init(struct idmap_domain *dom)
+{
+ NTSTATUS ret;
+ struct idmap_tdb_common_context *commonctx;
+ struct idmap_tdb2_context *ctx;
+ const char * idmap_script = NULL;
+ const char *ctx_script = NULL;
+
+ commonctx = talloc_zero(dom, struct idmap_tdb_common_context);
+ if(!commonctx) {
+ DEBUG(0, ("Out of memory!\n"));
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ commonctx->rw_ops = talloc_zero(commonctx, struct idmap_rw_ops);
+ if (commonctx->rw_ops == NULL) {
+ DEBUG(0, ("Out of memory!\n"));
+ ret = NT_STATUS_NO_MEMORY;
+ goto failed;
+ }
+
+ ctx = talloc_zero(commonctx, struct idmap_tdb2_context);
+ if (!ctx) {
+ DEBUG(0, ("Out of memory!\n"));
+ ret = NT_STATUS_NO_MEMORY;
+ goto failed;
+ }
+
+ ctx_script = idmap_config_const_string(dom->name, "script", NULL);
+
+ idmap_script = lp_parm_const_string(-1, "idmap", "script", NULL);
+ if (idmap_script != NULL) {
+ DEBUG(0, ("Warning: 'idmap:script' is deprecated. "
+ " Please use 'idmap config * : script' instead!\n"));
+ }
+
+ if (strequal(dom->name, "*") && ctx_script == NULL) {
+ /* fall back to idmap:script for backwards compatibility */
+ ctx_script = idmap_script;
+ }
+
+ if (ctx_script) {
+ DEBUG(1, ("using idmap script '%s'\n", ctx_script));
+ /*
+ * We must ensure this memory is owned by ctx.
+ * The ctx_script const pointer is a pointer into
+ * the config file data and may become invalid
+ * on config file reload. BUG: 13956
+ */
+ ctx->script = talloc_strdup(ctx, ctx_script);
+ if (ctx->script == NULL) {
+ ret = NT_STATUS_NO_MEMORY;
+ goto failed;
+ }
+ }
+
+ commonctx->max_id = dom->high_id;
+ commonctx->hwmkey_uid = HWM_USER;
+ commonctx->hwmkey_gid = HWM_GROUP;
+
+ commonctx->sid_to_unixid_fn = idmap_tdb2_sid_to_id;
+ commonctx->unixid_to_sid_fn = idmap_tdb2_id_to_sid;
+
+ commonctx->rw_ops->get_new_id = idmap_tdb_common_get_new_id;
+ commonctx->rw_ops->set_mapping = idmap_tdb2_set_mapping;
+
+ commonctx->private_data = ctx;
+ dom->private_data = commonctx;
+
+ ret = idmap_tdb2_open_db(dom);
+ if (!NT_STATUS_IS_OK(ret)) {
+ goto failed;
+ }
+
+ return NT_STATUS_OK;
+
+failed:
+ talloc_free(commonctx);
+ return ret;
+}
+
+
+static const struct idmap_methods db_methods = {
+ .init = idmap_tdb2_db_init,
+ .unixids_to_sids = idmap_tdb_common_unixids_to_sids,
+ .sids_to_unixids = idmap_tdb_common_sids_to_unixids,
+ .allocate_id = idmap_tdb_common_get_new_id
+};
+
+static_decl_idmap;
+NTSTATUS idmap_tdb2_init(TALLOC_CTX *ctx)
+{
+ return smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION, "tdb2", &db_methods);
+}
diff --git a/source3/winbindd/idmap_tdb_common.c b/source3/winbindd/idmap_tdb_common.c
new file mode 100644
index 0000000..0df8f2f
--- /dev/null
+++ b/source3/winbindd/idmap_tdb_common.c
@@ -0,0 +1,664 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ common functions for TDB based idmapping backends
+
+ Copyright (C) Christian Ambach 2012
+
+ These functions were initially copied over from idmap_tdb.c and idmap_tdb2.c
+ which are:
+
+ Copyright (C) Tim Potter 2000
+ Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003
+ Copyright (C) Jeremy Allison 2006
+ Copyright (C) Simo Sorce 2003-2006
+ Copyright (C) Michael Adam 2009-2010
+ Copyright (C) Andrew Tridgell 2007
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "includes.h"
+#include "idmap_tdb_common.h"
+#include "dbwrap/dbwrap.h"
+#include "util_tdb.h"
+#include "idmap_rw.h"
+#include "../libcli/security/dom_sid.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_IDMAP
+
+struct idmap_tdb_common_allocate_id_context {
+ const char *hwmkey;
+ const char *hwmtype;
+ uint32_t high_hwm;
+ uint32_t hwm;
+};
+
+static NTSTATUS idmap_tdb_common_allocate_id_action(struct db_context *db,
+ void *private_data)
+{
+ NTSTATUS ret;
+ struct idmap_tdb_common_allocate_id_context *state = private_data;
+ uint32_t hwm;
+
+ ret = dbwrap_fetch_uint32_bystring(db, state->hwmkey, &hwm);
+ if (!NT_STATUS_IS_OK(ret)) {
+ ret = NT_STATUS_INTERNAL_DB_ERROR;
+ goto done;
+ }
+
+ /* check it is in the range */
+ if (hwm > state->high_hwm) {
+ DEBUG(1, ("Fatal Error: %s range full!! (max: %lu)\n",
+ state->hwmtype, (unsigned long)state->high_hwm));
+ ret = NT_STATUS_UNSUCCESSFUL;
+ goto done;
+ }
+
+ /* fetch a new id and increment it */
+ ret = dbwrap_change_uint32_atomic_bystring(db, state->hwmkey, &hwm, 1);
+ if (!NT_STATUS_IS_OK(ret)) {
+ DEBUG(1, ("Fatal error while fetching a new %s value\n!",
+ state->hwmtype));
+ goto done;
+ }
+
+ /* recheck it is in the range */
+ if (hwm > state->high_hwm) {
+ DEBUG(1, ("Fatal Error: %s range full!! (max: %lu)\n",
+ state->hwmtype, (unsigned long)state->high_hwm));
+ ret = NT_STATUS_UNSUCCESSFUL;
+ goto done;
+ }
+
+ ret = NT_STATUS_OK;
+ state->hwm = hwm;
+
+ done:
+ return ret;
+}
+
+static NTSTATUS idmap_tdb_common_allocate_id(struct idmap_domain *dom,
+ struct unixid *xid)
+{
+ const char *hwmkey;
+ const char *hwmtype;
+ uint32_t hwm = 0;
+ NTSTATUS status;
+ struct idmap_tdb_common_allocate_id_context state;
+ struct idmap_tdb_common_context *ctx;
+
+ ctx =
+ talloc_get_type_abort(dom->private_data,
+ struct idmap_tdb_common_context);
+
+ /* Get current high water mark */
+ switch (xid->type) {
+
+ case ID_TYPE_UID:
+ hwmkey = ctx->hwmkey_uid;
+ hwmtype = "UID";
+ break;
+
+ case ID_TYPE_GID:
+ hwmkey = ctx->hwmkey_gid;
+ hwmtype = "GID";
+ break;
+
+ case ID_TYPE_BOTH:
+ /*
+ * This is not supported here yet and
+ * already handled in idmap_rw_new_mapping()
+ */
+ FALL_THROUGH;
+ case ID_TYPE_NOT_SPECIFIED:
+ /*
+ * This is handled in idmap_rw_new_mapping()
+ */
+ FALL_THROUGH;
+ default:
+ DEBUG(2, ("Invalid ID type (0x%x)\n", xid->type));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ state.hwm = hwm;
+ state.high_hwm = ctx->max_id;
+ state.hwmtype = hwmtype;
+ state.hwmkey = hwmkey;
+
+ status = dbwrap_trans_do(ctx->db, idmap_tdb_common_allocate_id_action,
+ &state);
+
+ if (NT_STATUS_IS_OK(status)) {
+ xid->id = state.hwm;
+ DEBUG(10, ("New %s = %d\n", hwmtype, state.hwm));
+ } else {
+ DEBUG(1, ("Error allocating a new %s\n", hwmtype));
+ }
+
+ return status;
+}
+
+/**
+ * Allocate a new unix-ID.
+ * For now this is for the default idmap domain only.
+ * Should be extended later on.
+ */
+NTSTATUS idmap_tdb_common_get_new_id(struct idmap_domain * dom,
+ struct unixid * id)
+{
+ NTSTATUS ret;
+
+ if (!strequal(dom->name, "*")) {
+ DEBUG(3, ("idmap_tdb_common_get_new_id: "
+ "Refusing allocation of a new unixid for domain'%s'. "
+ "Currently only supported for the default "
+ "domain \"*\".\n", dom->name));
+ return NT_STATUS_NOT_IMPLEMENTED;
+ }
+
+ ret = idmap_tdb_common_allocate_id(dom, id);
+
+ return ret;
+}
+
+/**
+ * store a mapping in the database.
+ */
+
+struct idmap_tdb_common_set_mapping_context {
+ const char *ksidstr;
+ const char *kidstr;
+};
+
+static NTSTATUS idmap_tdb_common_set_mapping_action(struct db_context *db,
+ void *private_data)
+{
+ TDB_DATA data;
+ NTSTATUS ret;
+ struct idmap_tdb_common_set_mapping_context *state = private_data;
+ TALLOC_CTX *tmp_ctx = talloc_stackframe();
+
+ DEBUG(10, ("Storing %s <-> %s map\n", state->ksidstr, state->kidstr));
+
+ /* check whether sid mapping is already present in db */
+ ret = dbwrap_fetch_bystring(db, tmp_ctx, state->ksidstr, &data);
+ if (NT_STATUS_IS_OK(ret)) {
+ ret = NT_STATUS_OBJECT_NAME_COLLISION;
+ goto done;
+ }
+
+ ret = dbwrap_store_bystring(db, state->ksidstr,
+ string_term_tdb_data(state->kidstr),
+ TDB_INSERT);
+ if (!NT_STATUS_IS_OK(ret)) {
+ DEBUG(0, ("Error storing SID -> ID: %s\n", nt_errstr(ret)));
+ goto done;
+ }
+
+ ret = dbwrap_store_bystring(db, state->kidstr,
+ string_term_tdb_data(state->ksidstr),
+ TDB_INSERT);
+ if (!NT_STATUS_IS_OK(ret)) {
+ DEBUG(0, ("Error storing ID -> SID: %s\n", nt_errstr(ret)));
+ /* try to remove the previous stored SID -> ID map */
+ dbwrap_delete_bystring(db, state->ksidstr);
+ goto done;
+ }
+
+ DEBUG(10, ("Stored %s <-> %s\n", state->ksidstr, state->kidstr));
+
+ done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+NTSTATUS idmap_tdb_common_set_mapping(struct idmap_domain * dom,
+ const struct id_map * map)
+{
+ struct idmap_tdb_common_context *ctx;
+ struct idmap_tdb_common_set_mapping_context state;
+ NTSTATUS ret;
+ struct dom_sid_buf ksidstr;
+ char *kidstr = NULL;
+
+ if (!map || !map->sid) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ /* TODO: should we filter a set_mapping using low/high filters ? */
+
+ ctx =
+ talloc_get_type_abort(dom->private_data,
+ struct idmap_tdb_common_context);
+
+ switch (map->xid.type) {
+
+ case ID_TYPE_UID:
+ kidstr =
+ talloc_asprintf(ctx, "UID %lu", (unsigned long)map->xid.id);
+ break;
+
+ case ID_TYPE_GID:
+ kidstr =
+ talloc_asprintf(ctx, "GID %lu", (unsigned long)map->xid.id);
+ break;
+
+ default:
+ DEBUG(2, ("INVALID unix ID type: 0x%02x\n", map->xid.type));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ if (kidstr == NULL) {
+ DEBUG(0, ("ERROR: Out of memory!\n"));
+ ret = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
+
+ state.ksidstr = dom_sid_str_buf(map->sid, &ksidstr);
+ state.kidstr = kidstr;
+
+ ret = dbwrap_trans_do(ctx->db, idmap_tdb_common_set_mapping_action,
+ &state);
+
+ done:
+ talloc_free(kidstr);
+ return ret;
+}
+
+/*
+ * Create a new mapping for an unmapped SID, also allocating a new ID.
+ * This should be run inside a transaction.
+ *
+ * TODO:
+ * Properly integrate this with multi domain idmap config:
+ * Currently, the allocator is default-config only.
+ */
+NTSTATUS idmap_tdb_common_new_mapping(struct idmap_domain * dom,
+ struct id_map * map)
+{
+ NTSTATUS ret;
+ struct idmap_tdb_common_context *ctx;
+
+ ctx =
+ talloc_get_type_abort(dom->private_data,
+ struct idmap_tdb_common_context);
+
+ ret = idmap_rw_new_mapping(dom, ctx->rw_ops, map);
+
+ return ret;
+}
+
+/*
+ lookup a set of unix ids
+*/
+NTSTATUS idmap_tdb_common_unixids_to_sids(struct idmap_domain * dom,
+ struct id_map ** ids)
+{
+ NTSTATUS ret;
+ size_t i, num_mapped = 0;
+ struct idmap_tdb_common_context *ctx;
+
+ NTSTATUS(*unixid_to_sid_fn) (struct idmap_domain * dom,
+ struct id_map * map);
+ ctx =
+ talloc_get_type_abort(dom->private_data,
+ struct idmap_tdb_common_context);
+
+ if (ctx->unixid_to_sid_fn == NULL) {
+ unixid_to_sid_fn = idmap_tdb_common_unixid_to_sid;
+ } else {
+ unixid_to_sid_fn = ctx->unixid_to_sid_fn;
+ }
+
+ /* initialize the status to avoid surprise */
+ for (i = 0; ids[i]; i++) {
+ ids[i]->status = ID_UNKNOWN;
+ }
+
+ for (i = 0; ids[i]; i++) {
+ ret = unixid_to_sid_fn(dom, ids[i]);
+ if (!NT_STATUS_IS_OK(ret)) {
+
+ /* if it is just a failed mapping continue */
+ if (NT_STATUS_EQUAL(ret, NT_STATUS_NONE_MAPPED)) {
+
+ /* make sure it is marked as unmapped */
+ ids[i]->status = ID_UNMAPPED;
+ continue;
+ }
+
+ /* some fatal error occurred, return immediately */
+ goto done;
+ }
+
+ /* all ok, id is mapped */
+ ids[i]->status = ID_MAPPED;
+ num_mapped += 1;
+ }
+
+ ret = NT_STATUS_OK;
+
+done:
+
+ if (NT_STATUS_IS_OK(ret)) {
+ if (i == 0 || num_mapped == 0) {
+ ret = NT_STATUS_NONE_MAPPED;
+ } else if (num_mapped < i) {
+ ret = STATUS_SOME_UNMAPPED;
+ } else {
+ ret = NT_STATUS_OK;
+ }
+ }
+
+ return ret;
+}
+
+/*
+ default single id to sid lookup function
+*/
+NTSTATUS idmap_tdb_common_unixid_to_sid(struct idmap_domain * dom,
+ struct id_map * map)
+{
+ NTSTATUS ret;
+ TDB_DATA data;
+ char *keystr;
+ struct idmap_tdb_common_context *ctx;
+
+ if (!dom || !map) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ ctx =
+ talloc_get_type_abort(dom->private_data,
+ struct idmap_tdb_common_context);
+
+ /* apply filters before checking */
+ if (!idmap_unix_id_is_in_range(map->xid.id, dom)) {
+ DEBUG(5,
+ ("Requested id (%u) out of range (%u - %u). Filtered!\n",
+ map->xid.id, dom->low_id, dom->high_id));
+ return NT_STATUS_NONE_MAPPED;
+ }
+
+ switch (map->xid.type) {
+
+ case ID_TYPE_UID:
+ keystr =
+ talloc_asprintf(ctx, "UID %lu", (unsigned long)map->xid.id);
+ break;
+
+ case ID_TYPE_GID:
+ keystr =
+ talloc_asprintf(ctx, "GID %lu", (unsigned long)map->xid.id);
+ break;
+
+ default:
+ DEBUG(2, ("INVALID unix ID type: 0x%02x\n", map->xid.type));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ if (keystr == NULL) {
+ DEBUG(0, ("Out of memory!\n"));
+ ret = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
+
+ DEBUG(10, ("Fetching record %s\n", keystr));
+
+ /* Check if the mapping exists */
+ ret = dbwrap_fetch_bystring(ctx->db, keystr, keystr, &data);
+
+ if (!NT_STATUS_IS_OK(ret)) {
+ DEBUG(10, ("Record %s not found\n", keystr));
+ ret = NT_STATUS_NONE_MAPPED;
+ goto done;
+ }
+
+ if ((data.dsize == 0) || (data.dptr[data.dsize-1] != '\0')) {
+ DBG_DEBUG("Invalid record length %zu\n", data.dsize);
+ ret = NT_STATUS_INTERNAL_DB_ERROR;
+ goto done;
+ }
+
+ if (!string_to_sid(map->sid, (const char *)data.dptr)) {
+ DEBUG(10, ("INVALID SID (%s) in record %s\n",
+ (const char *)data.dptr, keystr));
+ ret = NT_STATUS_INTERNAL_DB_ERROR;
+ goto done;
+ }
+
+ DEBUG(10, ("Found record %s -> %s\n", keystr, (const char *)data.dptr));
+ ret = NT_STATUS_OK;
+
+ done:
+ talloc_free(keystr);
+ return ret;
+}
+
+/**********************************
+ Single sid to id lookup function.
+**********************************/
+
+NTSTATUS idmap_tdb_common_sid_to_unixid(struct idmap_domain * dom,
+ struct id_map * map)
+{
+ NTSTATUS ret;
+ TDB_DATA data;
+ struct dom_sid_buf keystr;
+ unsigned long rec_id = 0;
+ struct idmap_tdb_common_context *ctx;
+ TALLOC_CTX *tmp_ctx = talloc_stackframe();
+
+ if (!dom || !map) {
+ talloc_free(tmp_ctx);
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ ctx =
+ talloc_get_type_abort(dom->private_data,
+ struct idmap_tdb_common_context);
+
+ dom_sid_str_buf(map->sid, &keystr);
+
+ DEBUG(10, ("Fetching record %s\n", keystr.buf));
+
+ /* Check if sid is present in database */
+ ret = dbwrap_fetch_bystring(ctx->db, tmp_ctx, keystr.buf, &data);
+ if (!NT_STATUS_IS_OK(ret)) {
+ DEBUG(10, ("Record %s not found\n", keystr.buf));
+ ret = NT_STATUS_NONE_MAPPED;
+ goto done;
+ }
+
+ /* What type of record is this ? */
+ if (sscanf((const char *)data.dptr, "UID %lu", &rec_id) == 1) {
+ /* Try a UID record. */
+ map->xid.id = rec_id;
+ map->xid.type = ID_TYPE_UID;
+ DEBUG(10,
+ ("Found uid record %s -> %s \n", keystr.buf,
+ (const char *)data.dptr));
+ ret = NT_STATUS_OK;
+
+ } else if (sscanf((const char *)data.dptr, "GID %lu", &rec_id) == 1) {
+ /* Try a GID record. */
+ map->xid.id = rec_id;
+ map->xid.type = ID_TYPE_GID;
+ DEBUG(10,
+ ("Found gid record %s -> %s \n", keystr.buf,
+ (const char *)data.dptr));
+ ret = NT_STATUS_OK;
+
+ } else { /* Unknown record type ! */
+ DEBUG(2,
+ ("Found INVALID record %s -> %s\n", keystr.buf,
+ (const char *)data.dptr));
+ ret = NT_STATUS_INTERNAL_DB_ERROR;
+ goto done;
+ }
+
+ /* apply filters before returning result */
+ if (!idmap_unix_id_is_in_range(map->xid.id, dom)) {
+ DEBUG(5,
+ ("Requested id (%u) out of range (%u - %u). Filtered!\n",
+ map->xid.id, dom->low_id, dom->high_id));
+ ret = NT_STATUS_NONE_MAPPED;
+ }
+
+ done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+/**********************************
+ lookup a set of sids
+**********************************/
+
+struct idmap_tdb_common_sids_to_unixids_context {
+ struct idmap_domain *dom;
+ struct id_map **ids;
+ bool allocate_unmapped;
+ NTSTATUS(*sid_to_unixid_fn) (struct idmap_domain * dom,
+ struct id_map * map);
+};
+
+static NTSTATUS idmap_tdb_common_sids_to_unixids_action(struct db_context *db,
+ void *private_data)
+{
+ struct idmap_tdb_common_sids_to_unixids_context *state = private_data;
+ size_t i, num_mapped = 0, num_required = 0;
+ NTSTATUS ret = NT_STATUS_OK;
+
+ DEBUG(10, ("idmap_tdb_common_sids_to_unixids: "
+ " domain: [%s], allocate: %s\n",
+ state->dom->name, state->allocate_unmapped ? "yes" : "no"));
+
+ for (i = 0; state->ids[i]; i++) {
+ if ((state->ids[i]->status == ID_UNKNOWN) ||
+ /* retry if we could not map in previous run: */
+ (state->ids[i]->status == ID_UNMAPPED)) {
+ NTSTATUS ret2;
+
+ ret2 = state->sid_to_unixid_fn(state->dom,
+ state->ids[i]);
+
+ if (!NT_STATUS_IS_OK(ret2)) {
+
+ /* if it is just a failed mapping, continue */
+ if (NT_STATUS_EQUAL
+ (ret2, NT_STATUS_NONE_MAPPED)) {
+
+ /* make sure it is marked as unmapped */
+ state->ids[i]->status = ID_UNMAPPED;
+ ret = STATUS_SOME_UNMAPPED;
+ } else {
+ /*
+ * some fatal error occurred,
+ * return immediately
+ */
+ ret = ret2;
+ goto done;
+ }
+ } else {
+ /* all ok, id is mapped */
+ state->ids[i]->status = ID_MAPPED;
+ }
+ }
+
+ if (state->ids[i]->status == ID_MAPPED) {
+ num_mapped += 1;
+ }
+
+ if ((state->ids[i]->status == ID_UNMAPPED) &&
+ state->allocate_unmapped) {
+ ret =
+ idmap_tdb_common_new_mapping(state->dom,
+ state->ids[i]);
+ DBG_DEBUG("idmap_tdb_common_new_mapping returned %s\n",
+ nt_errstr(ret));
+ if (NT_STATUS_EQUAL(ret, STATUS_SOME_UNMAPPED)) {
+ if (state->ids[i]->status == ID_REQUIRE_TYPE) {
+ num_required += 1;
+ continue;
+ }
+ }
+ if (!NT_STATUS_IS_OK(ret)) {
+ ret = STATUS_SOME_UNMAPPED;
+ continue;
+ }
+ num_mapped += 1;
+ }
+ }
+
+done:
+
+ if (NT_STATUS_IS_OK(ret) ||
+ NT_STATUS_EQUAL(ret, STATUS_SOME_UNMAPPED)) {
+ if (i == 0 || num_mapped == 0) {
+ ret = NT_STATUS_NONE_MAPPED;
+ } else if (num_mapped < i) {
+ ret = STATUS_SOME_UNMAPPED;
+ } else {
+ ret = NT_STATUS_OK;
+ }
+ if (num_required > 0) {
+ ret = STATUS_SOME_UNMAPPED;
+ }
+ }
+
+ return ret;
+}
+
+NTSTATUS idmap_tdb_common_sids_to_unixids(struct idmap_domain * dom,
+ struct id_map ** ids)
+{
+ NTSTATUS ret;
+ int i;
+ struct idmap_tdb_common_sids_to_unixids_context state;
+ struct idmap_tdb_common_context *ctx;
+
+ ctx =
+ talloc_get_type_abort(dom->private_data,
+ struct idmap_tdb_common_context);
+
+ /* initialize the status to avoid surprise */
+ for (i = 0; ids[i]; i++) {
+ ids[i]->status = ID_UNKNOWN;
+ }
+
+ state.dom = dom;
+ state.ids = ids;
+ state.allocate_unmapped = false;
+ if (ctx->sid_to_unixid_fn == NULL) {
+ state.sid_to_unixid_fn = idmap_tdb_common_sid_to_unixid;
+ } else {
+ state.sid_to_unixid_fn = ctx->sid_to_unixid_fn;
+ }
+
+ ret = idmap_tdb_common_sids_to_unixids_action(ctx->db, &state);
+
+ if ( (NT_STATUS_EQUAL(ret, STATUS_SOME_UNMAPPED) ||
+ NT_STATUS_EQUAL(ret, NT_STATUS_NONE_MAPPED)) &&
+ !dom->read_only) {
+ state.allocate_unmapped = true;
+ ret = dbwrap_trans_do(ctx->db,
+ idmap_tdb_common_sids_to_unixids_action,
+ &state);
+ }
+
+ return ret;
+}
diff --git a/source3/winbindd/idmap_tdb_common.h b/source3/winbindd/idmap_tdb_common.h
new file mode 100644
index 0000000..3343b58
--- /dev/null
+++ b/source3/winbindd/idmap_tdb_common.h
@@ -0,0 +1,137 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ common functions for TDB based idmapping backends
+
+ Copyright (C) Christian Ambach 2012
+
+ These functions were initially copied over from idmap_tdb.c and idmap_tdb2.c
+ which are:
+
+ Copyright (C) Tim Potter 2000
+ Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003
+ Copyright (C) Jeremy Allison 2006
+ Copyright (C) Simo Sorce 2003-2006
+ Copyright (C) Michael Adam 2009-2010
+ Copyright (C) Andrew Tridgell 2007
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#ifndef _IDMAP_TDB_COMMON_H_
+#define _IDMAP_TDB_COMMON_H_
+
+#include "includes.h"
+#include "idmap.h"
+#include "dbwrap/dbwrap.h"
+
+/*
+ * this must be stored in idmap_domain->private_data
+ * when using idmap_tdb_common_get_new_id and the
+ * mapping functions idmap_tdb_common_unixid(s)_to_sids
+ *
+ * private_data can be used for backend specific
+ * configuration data (e.g. idmap script in idmap_tdb2)
+ *
+ */
+struct idmap_tdb_common_context {
+ struct db_context *db;
+ struct idmap_rw_ops *rw_ops;
+ /*
+ * what is the maximum xid to be allocated
+ * this is typically just dom->high_id
+ */
+ uint32_t max_id;
+ const char *hwmkey_uid;
+ const char *hwmkey_gid;
+ /**
+ * if not set, idmap_tdb_common_unixids_to_sid will be used by
+ * idmap_tdb_common_unixids_to_sids
+ */
+ NTSTATUS(*unixid_to_sid_fn) (struct idmap_domain *dom,
+ struct id_map * map);
+ /*
+ * if not set, idmap_tdb_common_sid_to_id will be used by
+ * idmap_tdb_common_sids_to_unixids
+ */
+ NTSTATUS(*sid_to_unixid_fn) (struct idmap_domain *dom,
+ struct id_map * map);
+ void *private_data;
+};
+
+/**
+ * Allocate a new unix-ID.
+ * For now this is for the default idmap domain only.
+ * Should be extended later on.
+ */
+NTSTATUS idmap_tdb_common_get_new_id(struct idmap_domain *dom,
+ struct unixid *id);
+
+/*
+ * store a mapping into the idmap database
+ *
+ * the entries that will be stored are
+ * UID map->xid.id => map->sid and map->sid => UID map->xid.id
+ * or
+ * GID map->xid.id => map->sid and map->sid => GID map->xid.id
+ *
+ * for example
+ * UID 12345 = S-1-5-21-297746067-1479432880-4056370663
+ * S-1-5-21-297746067-1479432880-4056370663 = UID 12345
+ *
+ */
+NTSTATUS idmap_tdb_common_set_mapping(struct idmap_domain *dom,
+ const struct id_map *map);
+
+/*
+ * Create a new mapping for an unmapped SID, also allocating a new ID.
+ * This should be run inside a transaction.
+ *
+ * TODO:
+ * Properly integrate this with multi domain idmap config:
+ * Currently, the allocator is default-config only.
+ */
+NTSTATUS idmap_tdb_common_new_mapping(struct idmap_domain *dom,
+ struct id_map *map);
+
+/*
+ * default multiple id to sid lookup function
+ *
+ * will call idmap_tdb_common_unixid_to_sid for each mapping
+ * if no other function to lookup unixid_to_sid was given in
+ * idmap_tdb_common_context
+ */
+NTSTATUS idmap_tdb_common_unixids_to_sids(struct idmap_domain *dom,
+ struct id_map **ids);
+
+/*
+ * default single id to sid lookup function
+ *
+ * will read the entries written by idmap_tdb_common_set_mapping
+ */
+NTSTATUS idmap_tdb_common_unixid_to_sid(struct idmap_domain *dom,
+ struct id_map *map);
+
+/**********************************
+ Single sid to id lookup function.
+**********************************/
+
+NTSTATUS idmap_tdb_common_sid_to_unixid(struct idmap_domain *dom,
+ struct id_map *map);
+
+NTSTATUS idmap_tdb_common_sids_to_unixids(struct idmap_domain *dom,
+ struct id_map **ids);
+
+#endif /* _IDMAP_TDB_COMMON_H_ */
diff --git a/source3/winbindd/idmap_util.c b/source3/winbindd/idmap_util.c
new file mode 100644
index 0000000..fd2ae4a
--- /dev/null
+++ b/source3/winbindd/idmap_util.c
@@ -0,0 +1,137 @@
+/*
+ Unix SMB/CIFS implementation.
+ ID Mapping
+ Copyright (C) Simo Sorce 2003
+ Copyright (C) Jeremy Allison 2006
+ Copyright (C) Michael Adam 2010
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.*/
+
+#include "includes.h"
+#include "winbindd.h"
+#include "winbindd_proto.h"
+#include "idmap.h"
+#include "idmap_cache.h"
+#include "../libcli/security/security.h"
+#include "secrets.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_IDMAP
+
+/**
+ * check whether a given unix id is inside the filter range of an idmap domain
+ */
+bool idmap_unix_id_is_in_range(uint32_t id, struct idmap_domain *dom)
+{
+ if ((dom->low_id && (id < dom->low_id)) ||
+ (dom->high_id && (id > dom->high_id)))
+ {
+ return false;
+ }
+
+ return true;
+}
+
+/**
+ * Helper for unixids_to_sids: find entry by id in mapping array,
+ * search up to IDMAP_AD_MAX_IDS entries
+ */
+struct id_map *idmap_find_map_by_id(struct id_map **maps, enum id_type type,
+ uint32_t id)
+{
+ int i;
+
+ for (i = 0; maps[i] != NULL; i++) {
+ if ((maps[i]->xid.type == type) && (maps[i]->xid.id == id)) {
+ return maps[i];
+ }
+ }
+
+ return NULL;
+}
+
+/**
+ * Helper for sids_to_unix_ids: find entry by SID in mapping array,
+ * search up to IDMAP_AD_MAX_IDS entries
+ */
+struct id_map *idmap_find_map_by_sid(struct id_map **maps, struct dom_sid *sid)
+{
+ int i;
+
+ for (i = 0; i < IDMAP_LDAP_MAX_IDS; i++) {
+ if (maps[i] == NULL) { /* end of the run */
+ return NULL;
+ }
+ if (dom_sid_equal(maps[i]->sid, sid)) {
+ return maps[i];
+ }
+ }
+
+ return NULL;
+}
+
+char *idmap_fetch_secret(const char *backend, const char *domain,
+ const char *identity)
+{
+ char *tmp, *ret;
+ int r;
+
+ r = asprintf(&tmp, "IDMAP_%s_%s", backend, domain);
+
+ if (r < 0)
+ return NULL;
+
+ /* make sure the key is case insensitive */
+ if (!strupper_m(tmp)) {
+ SAFE_FREE(tmp);
+ return NULL;
+ }
+
+ ret = secrets_fetch_generic(tmp, identity);
+
+ SAFE_FREE(tmp);
+
+ return ret;
+}
+
+struct id_map **id_map_ptrs_init(TALLOC_CTX *mem_ctx, size_t num_ids)
+{
+ struct id_map **ptrs;
+ struct id_map *maps;
+ struct dom_sid *sids;
+ size_t i;
+
+ ptrs = talloc_array(mem_ctx, struct id_map *, num_ids+1);
+ if (ptrs == NULL) {
+ return NULL;
+ }
+ maps = talloc_array(ptrs, struct id_map, num_ids);
+ if (maps == NULL) {
+ TALLOC_FREE(ptrs);
+ return NULL;
+ }
+ sids = talloc_zero_array(ptrs, struct dom_sid, num_ids);
+ if (sids == NULL) {
+ TALLOC_FREE(ptrs);
+ return NULL;
+ }
+
+ for (i=0; i<num_ids; i++) {
+ maps[i] = (struct id_map) { .sid = &sids[i] };
+ ptrs[i] = &maps[i];
+ }
+ ptrs[num_ids] = NULL;
+
+ return ptrs;
+}
diff --git a/source3/winbindd/nss_info.c b/source3/winbindd/nss_info.c
new file mode 100644
index 0000000..9c502e8
--- /dev/null
+++ b/source3/winbindd/nss_info.c
@@ -0,0 +1,377 @@
+/*
+ Unix SMB/CIFS implementation.
+ Idmap NSS headers
+
+ Copyright (C) Gerald Carter 2006
+ Copyright (C) Michael Adam 2008
+
+ This library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 3 of the License, or (at your option) any later version.
+
+ This library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Library General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "nss_info.h"
+
+static struct nss_function_entry *backends = NULL;
+static struct nss_function_entry *default_backend = NULL;
+static struct nss_domain_entry *nss_domain_list = NULL;
+
+/**********************************************************************
+ Get idmap nss methods.
+**********************************************************************/
+
+static struct nss_function_entry *nss_get_backend(const char *name )
+{
+ struct nss_function_entry *entry = backends;
+
+ for(entry = backends; entry; entry = entry->next) {
+ if ( strequal(entry->name, name) )
+ return entry;
+ }
+
+ return NULL;
+}
+
+/*********************************************************************
+ Allow a module to register itself as a backend.
+**********************************************************************/
+
+ NTSTATUS smb_register_idmap_nss(int version, const char *name,
+ const struct nss_info_methods *methods)
+{
+ struct nss_function_entry *entry;
+
+ if ((version != SMB_NSS_INFO_INTERFACE_VERSION)) {
+ DEBUG(0, ("smb_register_idmap_nss: Failed to register idmap_nss module.\n"
+ "The module was compiled against SMB_NSS_INFO_INTERFACE_VERSION %d,\n"
+ "current SMB_NSS_INFO_INTERFACE_VERSION is %d.\n"
+ "Please recompile against the current version of samba!\n",
+ version, SMB_NSS_INFO_INTERFACE_VERSION));
+ return NT_STATUS_OBJECT_TYPE_MISMATCH;
+ }
+
+ if (!name || !name[0] || !methods) {
+ DEBUG(0,("smb_register_idmap_nss: called with NULL pointer or empty name!\n"));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ if ( nss_get_backend(name) ) {
+ DEBUG(5,("smb_register_idmap_nss: idmap module %s "
+ "already registered!\n", name));
+ return NT_STATUS_OBJECT_NAME_COLLISION;
+ }
+
+ entry = SMB_XMALLOC_P(struct nss_function_entry);
+ entry->name = smb_xstrdup(name);
+ entry->methods = methods;
+
+ DLIST_ADD(backends, entry);
+ DEBUG(5, ("smb_register_idmap_nss: Successfully added idmap "
+ "nss backend '%s'\n", name));
+
+ return NT_STATUS_OK;
+}
+
+/********************************************************************
+ *******************************************************************/
+
+static bool parse_nss_parm(TALLOC_CTX *mem_ctx,
+ const char *config,
+ char **backend,
+ char **domain)
+{
+ char *p;
+
+ *backend = *domain = NULL;
+
+ if ( !config )
+ return False;
+
+ p = strchr( config, ':' );
+
+ /* if no : then the string must be the backend name only */
+
+ if ( !p ) {
+ *backend = talloc_strdup(mem_ctx, config);
+ return (*backend != NULL);
+ }
+
+ /* split the string and return the two parts */
+
+ if ( strlen(p+1) > 0 ) {
+ *domain = talloc_strdup(mem_ctx, p + 1);
+ }
+
+ *backend = talloc_strndup(mem_ctx, config, PTR_DIFF(p, config));
+ return (*backend != NULL);
+}
+
+static NTSTATUS nss_domain_list_add_domain(const char *domain,
+ struct nss_function_entry *nss_backend)
+{
+ struct nss_domain_entry *nss_domain;
+
+ nss_domain = talloc_zero(nss_domain_list, struct nss_domain_entry);
+ if (!nss_domain) {
+ DEBUG(0, ("nss_domain_list_add_domain: talloc() failure!\n"));
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ nss_domain->backend = nss_backend;
+ if (domain) {
+ nss_domain->domain = talloc_strdup(nss_domain, domain);
+ if (!nss_domain->domain) {
+ DEBUG(0, ("nss_domain_list_add_domain: talloc() "
+ "failure!\n"));
+ TALLOC_FREE(nss_domain);
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
+
+ nss_domain->init_status = nss_domain->backend->methods->init(nss_domain);
+ if (!NT_STATUS_IS_OK(nss_domain->init_status)) {
+ DEBUG(0, ("nss_init: Failed to init backend '%s' for domain "
+ "'%s'!\n", nss_backend->name, nss_domain->domain));
+ }
+
+ DLIST_ADD(nss_domain_list, nss_domain);
+
+ DEBUG(10, ("Added domain '%s' with backend '%s' to nss_domain_list.\n",
+ domain, nss_backend->name));
+
+ return NT_STATUS_OK;
+}
+
+/********************************************************************
+ Each nss backend must not store global state, but rather be able
+ to initialize the state on a per domain basis.
+ *******************************************************************/
+
+static NTSTATUS nss_init(const char **nss_list)
+{
+ NTSTATUS status;
+ static bool nss_initialized = false;
+ int i;
+ char *backend = NULL, *domain = NULL;
+ struct nss_function_entry *nss_backend;
+ TALLOC_CTX *frame;
+
+ /* check for previous successful initializations */
+
+ if (nss_initialized) {
+ return NT_STATUS_OK;
+ }
+
+ frame = talloc_stackframe();
+
+ /* The "template" backend should always be registered as it
+ is a static module */
+
+ nss_backend = nss_get_backend("template");
+ if (nss_backend == NULL) {
+ static_init_nss_info(NULL);
+ }
+
+ /* Create the list of nss_domains (loading any shared plugins
+ as necessary) */
+
+ for ( i=0; nss_list && nss_list[i]; i++ ) {
+ bool ok;
+
+ ok = parse_nss_parm(frame, nss_list[i], &backend, &domain);
+ if (!ok) {
+ DEBUG(0,("nss_init: failed to parse \"%s\"!\n",
+ nss_list[i]));
+ continue;
+ }
+
+ DEBUG(10, ("parsed backend = '%s', domain = '%s'\n",
+ backend, domain));
+
+ /* validate the backend */
+
+ nss_backend = nss_get_backend(backend);
+ if (nss_backend == NULL) {
+ /*
+ * This is a freaking hack. We don't have proper
+ * modules for nss_info backends. Right now we have
+ * our standard nss_info backends in the ad backend.
+ */
+ status = smb_probe_module("idmap", "ad");
+ if ( !NT_STATUS_IS_OK(status) ) {
+ continue;
+ }
+ }
+
+ nss_backend = nss_get_backend(backend);
+ if (nss_backend == NULL) {
+ /* attempt to register the backend */
+ status = smb_probe_module( "nss_info", backend );
+ if ( !NT_STATUS_IS_OK(status) ) {
+ continue;
+ }
+ }
+
+ /* try again */
+ nss_backend = nss_get_backend(backend);
+ if (nss_backend == NULL) {
+ DEBUG(0, ("nss_init: unregistered backend %s!. "
+ "Skipping\n", backend));
+ continue;
+ }
+
+ /*
+ * The first config item of the list without an explicit domain
+ * is treated as the default nss info backend.
+ */
+ if ((domain == NULL) && (default_backend == NULL)) {
+ DEBUG(10, ("nss_init: using '%s' as default backend.\n",
+ backend));
+ default_backend = nss_backend;
+ }
+
+ status = nss_domain_list_add_domain(domain, nss_backend);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ /* cleanup */
+
+ TALLOC_FREE(domain);
+ TALLOC_FREE(backend);
+ }
+
+
+ if ( !nss_domain_list ) {
+ DEBUG(3,("nss_init: no nss backends configured. "
+ "Defaulting to \"template\".\n"));
+
+
+ /* we should default to use template here */
+ }
+
+ nss_initialized = true;
+
+ TALLOC_FREE(frame);
+ return NT_STATUS_OK;
+}
+
+/********************************************************************
+ *******************************************************************/
+
+static struct nss_domain_entry *find_nss_domain( const char *domain )
+{
+ NTSTATUS status;
+ struct nss_domain_entry *p;
+
+ status = nss_init( lp_winbind_nss_info() );
+ if ( !NT_STATUS_IS_OK(status) ) {
+ DEBUG(4,("find_nss_domain: Failed to init nss_info API "
+ "(%s)!\n", nt_errstr(status)));
+ return NULL;
+ }
+
+ for ( p=nss_domain_list; p; p=p->next ) {
+ if ( strequal( p->domain, domain ) )
+ break;
+ }
+
+ /* If we didn't find a match, then use the default nss backend */
+
+ if ( !p ) {
+ if (!default_backend) {
+ return NULL;
+ }
+
+ status = nss_domain_list_add_domain(domain, default_backend);
+ if (!NT_STATUS_IS_OK(status)) {
+ return NULL;
+ }
+
+ /*
+ * HACK ALERT:
+ * Here, we use the fact that the new domain was added at
+ * the beginning of the list...
+ */
+ p = nss_domain_list;
+ }
+
+ if ( !NT_STATUS_IS_OK( p->init_status ) ) {
+ p->init_status = p->backend->methods->init( p );
+ }
+
+ return p;
+}
+
+/********************************************************************
+ *******************************************************************/
+
+ NTSTATUS nss_map_to_alias( TALLOC_CTX *mem_ctx, const char *domain,
+ const char *name, char **alias )
+{
+ struct nss_domain_entry *p;
+ const struct nss_info_methods *m;
+
+ if ( (p = find_nss_domain( domain )) == NULL ) {
+ DEBUG(4,("nss_map_to_alias: Failed to find nss domain pointer for %s\n",
+ domain ));
+ return NT_STATUS_NOT_FOUND;
+ }
+
+ m = p->backend->methods;
+
+ return m->map_to_alias(mem_ctx, p, name, alias);
+}
+
+
+/********************************************************************
+ *******************************************************************/
+
+ NTSTATUS nss_map_from_alias( TALLOC_CTX *mem_ctx, const char *domain,
+ const char *alias, char **name )
+{
+ struct nss_domain_entry *p;
+ const struct nss_info_methods *m;
+
+ if ( (p = find_nss_domain( domain )) == NULL ) {
+ DEBUG(4,("nss_map_from_alias: Failed to find nss domain pointer for %s\n",
+ domain ));
+ return NT_STATUS_NOT_FOUND;
+ }
+
+ m = p->backend->methods;
+
+ return m->map_from_alias( mem_ctx, p, alias, name );
+}
+
+/********************************************************************
+ *******************************************************************/
+
+ NTSTATUS nss_close( const char *parameters )
+{
+ struct nss_domain_entry *p = nss_domain_list;
+ struct nss_domain_entry *q;
+
+ while ( p && p->backend && p->backend->methods ) {
+ /* close the backend */
+ p->backend->methods->close_fn();
+
+ /* free the memory */
+ q = p;
+ p = p->next;
+ TALLOC_FREE( q );
+ }
+
+ return NT_STATUS_OK;
+}
+
diff --git a/source3/winbindd/nss_info_template.c b/source3/winbindd/nss_info_template.c
new file mode 100644
index 0000000..c58a7fc
--- /dev/null
+++ b/source3/winbindd/nss_info_template.c
@@ -0,0 +1,80 @@
+/*
+ Unix SMB/CIFS implementation.
+ idMap nss template plugin
+
+ Copyright (C) Gerald Carter 2006
+
+ This library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 3 of the License, or (at your option) any later version.
+
+ This library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Library General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "ads.h"
+#include "nss_info.h"
+
+/************************************************************************
+ ***********************************************************************/
+
+static NTSTATUS nss_template_init( struct nss_domain_entry *e )
+{
+ return NT_STATUS_OK;
+}
+
+/**********************************************************************
+ *********************************************************************/
+
+static NTSTATUS nss_template_map_to_alias( TALLOC_CTX *mem_ctx,
+ struct nss_domain_entry *e,
+ const char *name,
+ char **alias )
+{
+ return NT_STATUS_NOT_IMPLEMENTED;
+}
+
+/**********************************************************************
+ *********************************************************************/
+
+static NTSTATUS nss_template_map_from_alias( TALLOC_CTX *mem_ctx,
+ struct nss_domain_entry *e,
+ const char *alias,
+ char **name )
+{
+ return NT_STATUS_NOT_IMPLEMENTED;
+}
+
+/************************************************************************
+ ***********************************************************************/
+
+static NTSTATUS nss_template_close( void )
+{
+ return NT_STATUS_OK;
+}
+
+
+/************************************************************************
+ ***********************************************************************/
+
+static struct nss_info_methods nss_template_methods = {
+ .init = nss_template_init,
+ .map_to_alias = nss_template_map_to_alias,
+ .map_from_alias = nss_template_map_from_alias,
+ .close_fn = nss_template_close
+};
+
+NTSTATUS nss_info_template_init(TALLOC_CTX *mem_ctx)
+{
+ return smb_register_idmap_nss(SMB_NSS_INFO_INTERFACE_VERSION,
+ "template",
+ &nss_template_methods);
+}
+
diff --git a/source3/winbindd/wb_dsgetdcname.c b/source3/winbindd/wb_dsgetdcname.c
new file mode 100644
index 0000000..ab9be5b
--- /dev/null
+++ b/source3/winbindd/wb_dsgetdcname.c
@@ -0,0 +1,246 @@
+/*
+ Unix SMB/CIFS implementation.
+ async dsgetdcname
+ Copyright (C) Volker Lendecke 2009
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "winbindd.h"
+#include "librpc/gen_ndr/ndr_winbind_c.h"
+#include "librpc/gen_ndr/ndr_netlogon.h"
+#include "lib/gencache.h"
+
+struct wb_dsgetdcname_state {
+ struct netr_DsRGetDCNameInfo *dcinfo;
+};
+
+static void wb_dsgetdcname_done(struct tevent_req *subreq);
+
+struct tevent_req *wb_dsgetdcname_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ const char *domain_name,
+ const struct GUID *domain_guid,
+ const char *site_name,
+ uint32_t flags)
+{
+ struct tevent_req *req, *subreq;
+ struct wb_dsgetdcname_state *state;
+ struct dcerpc_binding_handle *child_binding_handle = NULL;
+ struct GUID guid;
+ struct GUID *guid_ptr = NULL;
+
+ req = tevent_req_create(mem_ctx, &state, struct wb_dsgetdcname_state);
+ if (req == NULL) {
+ return NULL;
+ }
+
+ D_INFO("WB command dsgetdcname start.\n"
+ "Search domain name %s and site name %s.\n",
+ domain_name,
+ site_name);
+ if (strequal(domain_name, "BUILTIN")) {
+ /*
+ * This makes no sense
+ */
+ tevent_req_nterror(req, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND);
+ return tevent_req_post(req, ev);
+ }
+
+ if (strequal(domain_name, get_global_sam_name())) {
+ int role = lp_server_role();
+ if ( role != ROLE_ACTIVE_DIRECTORY_DC ) {
+ /*
+ * Two options here: Give back our own address, or say there's
+ * nobody around. Right now opting for the latter, one measure
+ * to prevent the loopback connects. This might change if
+ * needed.
+ */
+ tevent_req_nterror(req, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND);
+ return tevent_req_post(req, ev);
+ }
+ }
+
+ if (IS_DC) {
+ /*
+ * We have to figure out the DC ourselves
+ */
+ child_binding_handle = locator_child_handle();
+ } else {
+ struct winbindd_domain *domain = find_our_domain();
+ child_binding_handle = dom_child_handle(domain);
+ }
+
+ if (domain_guid != NULL) {
+ /* work around a const issue in rpccli_ autogenerated code */
+ guid = *domain_guid;
+ guid_ptr = &guid;
+ }
+
+ subreq = dcerpc_wbint_DsGetDcName_send(
+ state, ev, child_binding_handle, domain_name, guid_ptr, site_name,
+ flags, &state->dcinfo);
+ if (tevent_req_nomem(subreq, req)) {
+ return tevent_req_post(req, ev);
+ }
+ tevent_req_set_callback(subreq, wb_dsgetdcname_done, req);
+ return req;
+}
+
+static void wb_dsgetdcname_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct wb_dsgetdcname_state *state = tevent_req_data(
+ req, struct wb_dsgetdcname_state);
+ NTSTATUS status, result;
+
+ status = dcerpc_wbint_DsGetDcName_recv(subreq, state, &result);
+ TALLOC_FREE(subreq);
+ if (any_nt_status_not_ok(status, result, &status)) {
+ tevent_req_nterror(req, status);
+ return;
+ }
+ tevent_req_done(req);
+}
+
+NTSTATUS wb_dsgetdcname_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
+ struct netr_DsRGetDCNameInfo **pdcinfo)
+{
+ struct wb_dsgetdcname_state *state = tevent_req_data(
+ req, struct wb_dsgetdcname_state);
+ NTSTATUS status;
+
+ D_INFO("WB command dsgetdcname end.\n");
+ if (tevent_req_is_nterror(req, &status)) {
+ D_WARNING("Failed with %s.\n", nt_errstr(status));
+ return status;
+ }
+ *pdcinfo = talloc_move(mem_ctx, &state->dcinfo);
+ return NT_STATUS_OK;
+}
+
+NTSTATUS wb_dsgetdcname_gencache_set(const char *domname,
+ struct netr_DsRGetDCNameInfo *dcinfo)
+{
+ DATA_BLOB blob;
+ enum ndr_err_code ndr_err;
+ char *key;
+ bool ok;
+
+ key = talloc_asprintf_strupper_m(talloc_tos(), "DCINFO/%s", domname);
+ if (key == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if (DEBUGLEVEL >= 10) {
+ NDR_PRINT_DEBUG(netr_DsRGetDCNameInfo, dcinfo);
+ }
+
+ ndr_err = ndr_push_struct_blob(
+ &blob, key, dcinfo,
+ (ndr_push_flags_fn_t)ndr_push_netr_DsRGetDCNameInfo);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
+ DBG_WARNING("ndr_push_struct_blob failed: %s\n",
+ ndr_errstr(ndr_err));
+ TALLOC_FREE(key);
+ return status;
+ }
+
+ ok = gencache_set_data_blob(key, blob, time(NULL)+3600);
+
+ if (!ok) {
+ DBG_WARNING("gencache_set_data_blob for key %s failed\n", key);
+ TALLOC_FREE(key);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ TALLOC_FREE(key);
+ return NT_STATUS_OK;
+}
+
+struct dcinfo_parser_state {
+ NTSTATUS status;
+ TALLOC_CTX *mem_ctx;
+ struct netr_DsRGetDCNameInfo *dcinfo;
+};
+
+static void dcinfo_parser(const struct gencache_timeout *timeout,
+ DATA_BLOB blob,
+ void *private_data)
+{
+ struct dcinfo_parser_state *state = private_data;
+ enum ndr_err_code ndr_err;
+
+ if (gencache_timeout_expired(timeout)) {
+ return;
+ }
+
+ state->dcinfo = talloc(state->mem_ctx, struct netr_DsRGetDCNameInfo);
+ if (state->dcinfo == NULL) {
+ state->status = NT_STATUS_NO_MEMORY;
+ return;
+ }
+
+ ndr_err = ndr_pull_struct_blob_all(
+ &blob, state->dcinfo, state->dcinfo,
+ (ndr_pull_flags_fn_t)ndr_pull_netr_DsRGetDCNameInfo);
+
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ DBG_ERR("ndr_pull_struct_blob failed\n");
+ state->status = ndr_map_error2ntstatus(ndr_err);
+ TALLOC_FREE(state->dcinfo);
+ return;
+ }
+
+ state->status = NT_STATUS_OK;
+}
+
+NTSTATUS wb_dsgetdcname_gencache_get(TALLOC_CTX *mem_ctx,
+ const char *domname,
+ struct netr_DsRGetDCNameInfo **dcinfo)
+{
+ struct dcinfo_parser_state state;
+ char *key;
+ bool ok;
+
+ key = talloc_asprintf_strupper_m(mem_ctx, "DCINFO/%s", domname);
+ if (key == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ state = (struct dcinfo_parser_state) {
+ .status = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND,
+ .mem_ctx = mem_ctx,
+ };
+
+ ok = gencache_parse(key, dcinfo_parser, &state);
+ TALLOC_FREE(key);
+ if (!ok) {
+ return NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
+ }
+
+ if (!NT_STATUS_IS_OK(state.status)) {
+ return state.status;
+ }
+
+ if (DEBUGLEVEL >= 10) {
+ NDR_PRINT_DEBUG(netr_DsRGetDCNameInfo, state.dcinfo);
+ }
+
+ *dcinfo = state.dcinfo;
+ return NT_STATUS_OK;
+}
diff --git a/source3/winbindd/wb_getgrsid.c b/source3/winbindd/wb_getgrsid.c
new file mode 100644
index 0000000..c62d504
--- /dev/null
+++ b/source3/winbindd/wb_getgrsid.c
@@ -0,0 +1,222 @@
+/*
+ Unix SMB/CIFS implementation.
+ async getgrsid
+ Copyright (C) Volker Lendecke 2009
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "winbindd.h"
+#include "librpc/gen_ndr/ndr_winbind_c.h"
+#include "../libcli/security/security.h"
+#include "lib/dbwrap/dbwrap_rbt.h"
+
+struct wb_getgrsid_state {
+ struct tevent_context *ev;
+ struct dom_sid sid;
+ int max_nesting;
+ const char *domname;
+ const char *name;
+ enum lsa_SidType type;
+ gid_t gid;
+ struct db_context *members;
+};
+
+static void wb_getgrsid_lookupsid_done(struct tevent_req *subreq);
+static void wb_getgrsid_sid2gid_done(struct tevent_req *subreq);
+static void wb_getgrsid_got_members(struct tevent_req *subreq);
+
+struct tevent_req *wb_getgrsid_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ const struct dom_sid *group_sid,
+ int max_nesting)
+{
+ struct tevent_req *req, *subreq;
+ struct wb_getgrsid_state *state;
+ struct dom_sid_buf buf;
+
+ req = tevent_req_create(mem_ctx, &state, struct wb_getgrsid_state);
+ if (req == NULL) {
+ return NULL;
+ }
+
+ D_INFO("WB command getgrsid start.\nLooking up group SID %s.\n", dom_sid_str_buf(group_sid, &buf));
+
+ sid_copy(&state->sid, group_sid);
+ state->ev = ev;
+ state->max_nesting = max_nesting;
+
+ if (dom_sid_in_domain(&global_sid_Unix_Groups, group_sid)) {
+ /* unmapped Unix groups must be resolved locally */
+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ return tevent_req_post(req, ev);
+ }
+
+ subreq = wb_lookupsid_send(state, ev, &state->sid);
+ if (tevent_req_nomem(subreq, req)) {
+ return tevent_req_post(req, ev);
+ }
+ tevent_req_set_callback(subreq, wb_getgrsid_lookupsid_done, req);
+ return req;
+}
+
+static void wb_getgrsid_lookupsid_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct wb_getgrsid_state *state = tevent_req_data(
+ req, struct wb_getgrsid_state);
+ NTSTATUS status;
+
+ status = wb_lookupsid_recv(subreq, state, &state->type,
+ &state->domname, &state->name);
+ TALLOC_FREE(subreq);
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
+
+ switch (state->type) {
+ case SID_NAME_DOM_GRP:
+ case SID_NAME_ALIAS:
+ case SID_NAME_WKN_GRP:
+ /*
+ * also treat user-type SIDS (they might map to ID_TYPE_BOTH)
+ */
+ case SID_NAME_USER:
+ case SID_NAME_COMPUTER:
+ break;
+ default:
+ tevent_req_nterror(req, NT_STATUS_NO_SUCH_GROUP);
+ return;
+ }
+
+ subreq = wb_sids2xids_send(state, state->ev, &state->sid, 1);
+ if (tevent_req_nomem(subreq, req)) {
+ return;
+ }
+ tevent_req_set_callback(subreq, wb_getgrsid_sid2gid_done, req);
+}
+
+static void wb_getgrsid_sid2gid_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct wb_getgrsid_state *state = tevent_req_data(
+ req, struct wb_getgrsid_state);
+ NTSTATUS status;
+ struct unixid xids[1];
+
+ status = wb_sids2xids_recv(subreq, xids, ARRAY_SIZE(xids));
+ TALLOC_FREE(subreq);
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
+
+ /*
+ * We are filtering further down in sids2xids, but that filtering
+ * depends on the actual type of the sid handed in (as determined
+ * by lookupsids). Here we need to filter for the type of object
+ * actually requested, in this case uid.
+ */
+ if (!(xids[0].type == ID_TYPE_GID || xids[0].type == ID_TYPE_BOTH)) {
+ tevent_req_nterror(req, NT_STATUS_NONE_MAPPED);
+ return;
+ }
+
+ state->gid = (gid_t)xids[0].id;
+
+ if (state->type == SID_NAME_USER || state->type == SID_NAME_COMPUTER) {
+ /*
+ * special treatment for a user sid that is
+ * mapped to ID_TYPE_BOTH:
+ * create a group with the sid/xid as only member
+ */
+ const char *name;
+
+ if (xids[0].type != ID_TYPE_BOTH) {
+ tevent_req_nterror(req, NT_STATUS_NO_SUCH_GROUP);
+ return;
+ }
+
+ state->members = db_open_rbt(state);
+ if (tevent_req_nomem(state->members, req)) {
+ return;
+ }
+
+ name = fill_domain_username_talloc(talloc_tos(),
+ state->domname,
+ state->name,
+ true /* can_assume */);
+ if (tevent_req_nomem(name, req)) {
+ return;
+ }
+
+ status = add_member_to_db(state->members, &state->sid, name);
+ if (!NT_STATUS_IS_OK(status)) {
+ tevent_req_nterror(req, status);
+ return;
+ }
+
+ tevent_req_done(req);
+ return;
+ }
+
+ /*
+ * the "regular" case of a group type sid.
+ */
+
+ subreq = wb_group_members_send(state, state->ev, &state->sid,
+ state->type, state->max_nesting);
+ if (tevent_req_nomem(subreq, req)) {
+ return;
+ }
+ tevent_req_set_callback(subreq, wb_getgrsid_got_members, req);
+}
+
+static void wb_getgrsid_got_members(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct wb_getgrsid_state *state = tevent_req_data(
+ req, struct wb_getgrsid_state);
+ NTSTATUS status;
+
+ status = wb_group_members_recv(subreq, state, &state->members);
+ TALLOC_FREE(subreq);
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
+ tevent_req_done(req);
+}
+
+NTSTATUS wb_getgrsid_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
+ const char **domname, const char **name, gid_t *gid,
+ struct db_context **members)
+{
+ struct wb_getgrsid_state *state = tevent_req_data(
+ req, struct wb_getgrsid_state);
+ NTSTATUS status;
+
+ D_INFO("WB command getgrsid end.\n");
+ if (tevent_req_is_nterror(req, &status)) {
+ D_WARNING("Failed with %s.\n", nt_errstr(status));
+ return status;
+ }
+ *domname = talloc_move(mem_ctx, &state->domname);
+ *name = talloc_move(mem_ctx, &state->name);
+ *gid = state->gid;
+ *members = talloc_move(mem_ctx, &state->members);
+ return NT_STATUS_OK;
+}
diff --git a/source3/winbindd/wb_getpwsid.c b/source3/winbindd/wb_getpwsid.c
new file mode 100644
index 0000000..7d04c39
--- /dev/null
+++ b/source3/winbindd/wb_getpwsid.c
@@ -0,0 +1,156 @@
+/*
+ Unix SMB/CIFS implementation.
+ async getpwsid
+ Copyright (C) Volker Lendecke 2009
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "winbindd.h"
+#include "librpc/gen_ndr/ndr_winbind_c.h"
+#include "../libcli/security/security.h"
+#include "lib/util/string_wrappers.h"
+#include "source3/lib/substitute.h"
+
+struct wb_getpwsid_state {
+ struct tevent_context *ev;
+ struct dom_sid sid;
+ struct wbint_userinfo *userinfo;
+ struct winbindd_pw *pw;
+};
+
+static void wb_getpwsid_queryuser_done(struct tevent_req *subreq);
+
+struct tevent_req *wb_getpwsid_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ const struct dom_sid *user_sid,
+ struct winbindd_pw *pw)
+{
+ struct tevent_req *req, *subreq;
+ struct wb_getpwsid_state *state;
+ struct dom_sid_buf buf;
+
+ req = tevent_req_create(mem_ctx, &state, struct wb_getpwsid_state);
+ if (req == NULL) {
+ return NULL;
+ }
+ D_INFO("WB command getpwsid start.\nQuery user SID %s.\n", dom_sid_str_buf(user_sid, &buf));
+ sid_copy(&state->sid, user_sid);
+ state->ev = ev;
+ state->pw = pw;
+
+ if (dom_sid_in_domain(&global_sid_Unix_Users, user_sid)) {
+ /* unmapped Unix users must be resolved locally */
+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ return tevent_req_post(req, ev);
+ }
+
+ subreq = wb_queryuser_send(state, ev, &state->sid);
+ if (tevent_req_nomem(subreq, req)) {
+ return tevent_req_post(req, ev);
+ }
+ tevent_req_set_callback(subreq, wb_getpwsid_queryuser_done, req);
+ return req;
+}
+
+static void wb_getpwsid_queryuser_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct wb_getpwsid_state *state = tevent_req_data(
+ req, struct wb_getpwsid_state);
+ struct winbindd_pw *pw = state->pw;
+ struct wbint_userinfo *info;
+ fstring acct_name;
+ const char *output_username = NULL;
+ char *mapped_name = NULL;
+ char *tmp;
+ NTSTATUS status;
+
+ status = wb_queryuser_recv(subreq, state, &state->userinfo);
+ TALLOC_FREE(subreq);
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
+ info = state->userinfo;
+
+ pw->pw_uid = info->uid;
+ pw->pw_gid = info->primary_gid;
+
+ fstrcpy(acct_name, info->acct_name);
+ if (!strlower_m(acct_name)) {
+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ return;
+ }
+
+ /*
+ * TODO:
+ * This function should be called in 'idmap winbind child'. It shouldn't
+ * be a blocking call, but for this we need to add a new function for
+ * winbind.idl. This is a fix which can be backported for now.
+ */
+ status = normalize_name_map(state,
+ info->domain_name,
+ acct_name,
+ &mapped_name);
+ if (NT_STATUS_IS_OK(status) ||
+ NT_STATUS_EQUAL(status, NT_STATUS_FILE_RENAMED)) {
+ fstrcpy(acct_name, mapped_name);
+ }
+ output_username = fill_domain_username_talloc(state,
+ info->domain_name,
+ acct_name,
+ true);
+ if (output_username == NULL) {
+ tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
+ return;
+ }
+
+ strlcpy(pw->pw_name, output_username, sizeof(pw->pw_name));
+
+ strlcpy(pw->pw_gecos, info->full_name ? info->full_name : "",
+ sizeof(pw->pw_gecos));
+
+ tmp = talloc_sub_specified(
+ state, info->homedir, acct_name,
+ info->primary_group_name, info->domain_name,
+ pw->pw_uid, pw->pw_gid);
+ if (tevent_req_nomem(tmp, req)) {
+ return;
+ }
+ strlcpy(pw->pw_dir, tmp, sizeof(pw->pw_dir));
+ TALLOC_FREE(tmp);
+
+ tmp = talloc_sub_specified(
+ state, info->shell, acct_name,
+ info->primary_group_name, info->domain_name,
+ pw->pw_uid, pw->pw_gid);
+ if (tevent_req_nomem(tmp, req)) {
+ return;
+ }
+ strlcpy(pw->pw_shell, tmp, sizeof(pw->pw_shell));
+ TALLOC_FREE(tmp);
+
+ strlcpy(pw->pw_passwd, "*", sizeof(pw->pw_passwd));
+
+ tevent_req_done(req);
+}
+
+NTSTATUS wb_getpwsid_recv(struct tevent_req *req)
+{
+ NTSTATUS status = tevent_req_simple_recv_ntstatus(req);
+ D_INFO("WB command getpwsid end.\nReturn status %s.\n", nt_errstr(status));
+ return status;
+}
diff --git a/source3/winbindd/wb_gettoken.c b/source3/winbindd/wb_gettoken.c
new file mode 100644
index 0000000..3930f71
--- /dev/null
+++ b/source3/winbindd/wb_gettoken.c
@@ -0,0 +1,290 @@
+/*
+ Unix SMB/CIFS implementation.
+ async gettoken
+ Copyright (C) Volker Lendecke 2009
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "util/debug.h"
+#include "winbindd.h"
+#include "librpc/gen_ndr/ndr_winbind_c.h"
+#include "../libcli/security/security.h"
+#include "passdb/machine_sid.h"
+
+struct wb_gettoken_state {
+ struct tevent_context *ev;
+ struct dom_sid usersid;
+ bool expand_local_aliases;
+ uint32_t num_sids;
+ struct dom_sid *sids;
+};
+
+static NTSTATUS wb_add_rids_to_sids(TALLOC_CTX *mem_ctx,
+ uint32_t *pnum_sids,
+ struct dom_sid **psids,
+ const struct dom_sid *domain_sid,
+ uint32_t num_rids, uint32_t *rids);
+
+static void wb_gettoken_gotuser(struct tevent_req *subreq);
+static void wb_gettoken_gotgroups(struct tevent_req *subreq);
+static void wb_gettoken_gotlocalgroups(struct tevent_req *subreq);
+static void wb_gettoken_gotbuiltins(struct tevent_req *subreq);
+
+struct tevent_req *wb_gettoken_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ const struct dom_sid *sid,
+ bool expand_local_aliases)
+{
+ struct tevent_req *req, *subreq;
+ struct wb_gettoken_state *state;
+ struct dom_sid_buf buf;
+
+ req = tevent_req_create(mem_ctx, &state, struct wb_gettoken_state);
+ if (req == NULL) {
+ return NULL;
+ }
+ sid_copy(&state->usersid, sid);
+ state->ev = ev;
+ state->expand_local_aliases = expand_local_aliases;
+
+ D_INFO("WB command gettoken start.\n"
+ "Query user SID %s (expand local aliases is %d).\n",
+ dom_sid_str_buf(sid, &buf),
+ expand_local_aliases);
+ subreq = wb_queryuser_send(state, ev, &state->usersid);
+ if (tevent_req_nomem(subreq, req)) {
+ return tevent_req_post(req, ev);
+ }
+ tevent_req_set_callback(subreq, wb_gettoken_gotuser, req);
+ return req;
+}
+
+static void wb_gettoken_gotuser(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct wb_gettoken_state *state = tevent_req_data(
+ req, struct wb_gettoken_state);
+ struct wbint_userinfo *info;
+ NTSTATUS status;
+ struct dom_sid_buf buf0, buf1;
+
+ status = wb_queryuser_recv(subreq, state, &info);
+ TALLOC_FREE(subreq);
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
+
+ state->sids = talloc_array(state, struct dom_sid, 2);
+ if (tevent_req_nomem(state->sids, req)) {
+ return;
+ }
+ state->num_sids = 2;
+
+ D_DEBUG("Got user SID %s and group SID %s\n",
+ dom_sid_str_buf(&info->user_sid, &buf0),
+ dom_sid_str_buf(&info->group_sid, &buf1));
+ sid_copy(&state->sids[0], &info->user_sid);
+ sid_copy(&state->sids[1], &info->group_sid);
+
+ D_DEBUG("Looking up user groups for the user SID.\n");
+ subreq = wb_lookupusergroups_send(state, state->ev, &info->user_sid);
+ if (tevent_req_nomem(subreq, req)) {
+ return;
+ }
+ tevent_req_set_callback(subreq, wb_gettoken_gotgroups, req);
+}
+
+static void wb_gettoken_gotgroups(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct wb_gettoken_state *state = tevent_req_data(
+ req, struct wb_gettoken_state);
+ uint32_t i, num_groups;
+ struct dom_sid *groups;
+ struct winbindd_domain *domain;
+ NTSTATUS status;
+ struct dom_sid_buf buf;
+
+ status = wb_lookupusergroups_recv(subreq, state, &num_groups, &groups);
+ TALLOC_FREE(subreq);
+ if (!NT_STATUS_IS_OK(status)) {
+ tevent_req_done(req);
+ return;
+ }
+
+ D_DEBUG("Received %"PRIu32" group(s).\n", num_groups);
+ for (i = 0; i < num_groups; i++) {
+ D_DEBUG("Adding SID %s.\n", dom_sid_str_buf(&groups[i], &buf));
+ status = add_sid_to_array_unique(
+ state, &groups[i], &state->sids, &state->num_sids);
+
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
+ }
+
+ if (!state->expand_local_aliases) {
+ D_DEBUG("Done. Not asked to expand local aliases.\n");
+ tevent_req_done(req);
+ return;
+ }
+
+ /*
+ * Expand our domain's aliases
+ */
+ domain = find_domain_from_sid_noinit(get_global_sam_sid());
+ if (domain == NULL) {
+ tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
+ return;
+ }
+
+ D_DEBUG("Expand domain's aliases for %"PRIu32" SID(s).\n",
+ state->num_sids);
+ subreq = wb_lookupuseraliases_send(state, state->ev, domain,
+ state->num_sids, state->sids);
+ if (tevent_req_nomem(subreq, req)) {
+ return;
+ }
+ tevent_req_set_callback(subreq, wb_gettoken_gotlocalgroups, req);
+}
+
+static void wb_gettoken_gotlocalgroups(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct wb_gettoken_state *state = tevent_req_data(
+ req, struct wb_gettoken_state);
+ uint32_t num_rids;
+ uint32_t *rids;
+ struct winbindd_domain *domain;
+ NTSTATUS status;
+
+ status = wb_lookupuseraliases_recv(subreq, state, &num_rids, &rids);
+ TALLOC_FREE(subreq);
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
+
+ D_DEBUG("Got %"PRIu32" RID(s).\n", num_rids);
+ status = wb_add_rids_to_sids(state, &state->num_sids, &state->sids,
+ get_global_sam_sid(), num_rids, rids);
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
+ TALLOC_FREE(rids);
+
+ /*
+ * Now expand the builtin groups
+ */
+
+ D_DEBUG("Expand the builtin groups for %"PRIu32" SID(s).\n",
+ state->num_sids);
+ domain = find_domain_from_sid(&global_sid_Builtin);
+ if (domain == NULL) {
+ tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
+ return;
+ }
+
+ subreq = wb_lookupuseraliases_send(state, state->ev, domain,
+ state->num_sids, state->sids);
+ if (tevent_req_nomem(subreq, req)) {
+ return;
+ }
+ tevent_req_set_callback(subreq, wb_gettoken_gotbuiltins, req);
+}
+
+static void wb_gettoken_gotbuiltins(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct wb_gettoken_state *state = tevent_req_data(
+ req, struct wb_gettoken_state);
+ uint32_t num_rids;
+ uint32_t *rids;
+ NTSTATUS status;
+
+ status = wb_lookupuseraliases_recv(subreq, state, &num_rids, &rids);
+ TALLOC_FREE(subreq);
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
+ D_DEBUG("Got %"PRIu32" RID(s).\n", num_rids);
+ status = wb_add_rids_to_sids(state, &state->num_sids, &state->sids,
+ &global_sid_Builtin, num_rids, rids);
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
+ tevent_req_done(req);
+}
+
+NTSTATUS wb_gettoken_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
+ uint32_t *num_sids, struct dom_sid **sids)
+{
+ struct wb_gettoken_state *state = tevent_req_data(
+ req, struct wb_gettoken_state);
+ NTSTATUS status;
+ uint32_t i;
+
+ if (tevent_req_is_nterror(req, &status)) {
+ return status;
+ }
+ *num_sids = state->num_sids;
+ D_INFO("WB command gettoken end.\nReceived %"PRIu32" SID(s).\n",
+ state->num_sids);
+
+ if (CHECK_DEBUGLVL(DBGLVL_INFO)) {
+ for (i = 0; i < state->num_sids; i++) {
+ struct dom_sid_buf sidbuf;
+ D_INFO("%"PRIu32": %s\n",
+ i,
+ dom_sid_str_buf(&state->sids[i],
+ &sidbuf));
+ }
+ }
+
+ *sids = talloc_move(mem_ctx, &state->sids);
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS wb_add_rids_to_sids(TALLOC_CTX *mem_ctx,
+ uint32_t *pnum_sids,
+ struct dom_sid **psids,
+ const struct dom_sid *domain_sid,
+ uint32_t num_rids, uint32_t *rids)
+{
+ uint32_t i;
+
+ D_DEBUG("%"PRIu32" SID(s) will be uniquely added to the SID array.\n"
+ "Before the addition the array has %"PRIu32" SID(s).\n",
+ num_rids, *pnum_sids);
+
+ for (i = 0; i < num_rids; i++) {
+ NTSTATUS status;
+ struct dom_sid sid;
+
+ sid_compose(&sid, domain_sid, rids[i]);
+ status = add_sid_to_array_unique(
+ mem_ctx, &sid, psids, pnum_sids);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ }
+ D_DEBUG("After the addition the array has %"PRIu32" SID(s).\n",
+ *pnum_sids);
+ return NT_STATUS_OK;
+}
diff --git a/source3/winbindd/wb_group_members.c b/source3/winbindd/wb_group_members.c
new file mode 100644
index 0000000..65ae427
--- /dev/null
+++ b/source3/winbindd/wb_group_members.c
@@ -0,0 +1,483 @@
+/*
+ Unix SMB/CIFS implementation.
+ async lookupgroupmembers
+ Copyright (C) Volker Lendecke 2009
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "winbindd.h"
+#include "librpc/gen_ndr/ndr_winbind_c.h"
+#include "../librpc/gen_ndr/ndr_security.h"
+#include "../libcli/security/security.h"
+#include "lib/util/util_tdb.h"
+#include "lib/dbwrap/dbwrap.h"
+#include "lib/dbwrap/dbwrap_rbt.h"
+
+/*
+ * We have 3 sets of routines here:
+ *
+ * wb_lookupgroupmem is the low-level one-group routine
+ *
+ * wb_groups_members walks a list of groups
+ *
+ * wb_group_members finally is the high-level routine expanding groups
+ * recursively
+ */
+
+/*
+ * TODO: fill_grent_mem_domusers must be re-added
+ */
+
+/*
+ * Look up members of a single group. Essentially a wrapper around the
+ * lookup_groupmem winbindd_methods routine.
+ */
+
+struct wb_lookupgroupmem_state {
+ struct dom_sid sid;
+ struct wbint_Principals members;
+};
+
+static void wb_lookupgroupmem_done(struct tevent_req *subreq);
+
+static struct tevent_req *wb_lookupgroupmem_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ const struct dom_sid *group_sid,
+ enum lsa_SidType type)
+{
+ struct tevent_req *req, *subreq;
+ struct wb_lookupgroupmem_state *state;
+ struct winbindd_domain *domain;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct wb_lookupgroupmem_state);
+ if (req == NULL) {
+ return NULL;
+ }
+ sid_copy(&state->sid, group_sid);
+
+ domain = find_domain_from_sid_noinit(group_sid);
+ if (domain == NULL) {
+ tevent_req_nterror(req, NT_STATUS_NO_SUCH_GROUP);
+ return tevent_req_post(req, ev);
+ }
+
+ subreq = dcerpc_wbint_LookupGroupMembers_send(
+ state, ev, dom_child_handle(domain), &state->sid, type,
+ &state->members);
+ if (tevent_req_nomem(subreq, req)) {
+ return tevent_req_post(req, ev);
+ }
+ tevent_req_set_callback(subreq, wb_lookupgroupmem_done, req);
+ return req;
+}
+
+static void wb_lookupgroupmem_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct wb_lookupgroupmem_state *state = tevent_req_data(
+ req, struct wb_lookupgroupmem_state);
+ NTSTATUS status, result;
+
+ status = dcerpc_wbint_LookupGroupMembers_recv(subreq, state, &result);
+ TALLOC_FREE(subreq);
+ if (any_nt_status_not_ok(status, result, &status)) {
+ tevent_req_nterror(req, status);
+ return;
+ }
+ tevent_req_done(req);
+}
+
+static NTSTATUS wb_lookupgroupmem_recv(struct tevent_req *req,
+ TALLOC_CTX *mem_ctx,
+ uint32_t *num_members,
+ struct wbint_Principal **members)
+{
+ struct wb_lookupgroupmem_state *state = tevent_req_data(
+ req, struct wb_lookupgroupmem_state);
+ NTSTATUS status;
+
+ if (tevent_req_is_nterror(req, &status)) {
+ return status;
+ }
+
+ *num_members = state->members.num_principals;
+ *members = talloc_move(mem_ctx, &state->members.principals);
+ return NT_STATUS_OK;
+}
+
+/*
+ * Same as wb_lookupgroupmem for a list of groups
+ */
+
+struct wb_groups_members_state {
+ struct tevent_context *ev;
+ struct wbint_Principal *groups;
+ uint32_t num_groups;
+ uint32_t next_group;
+ struct wbint_Principal *all_members;
+};
+
+static NTSTATUS wb_groups_members_next_subreq(
+ struct wb_groups_members_state *state,
+ TALLOC_CTX *mem_ctx, struct tevent_req **psubreq);
+static void wb_groups_members_done(struct tevent_req *subreq);
+
+static struct tevent_req *wb_groups_members_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ uint32_t num_groups,
+ struct wbint_Principal *groups)
+{
+ struct tevent_req *req, *subreq = NULL;
+ struct wb_groups_members_state *state;
+ NTSTATUS status;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct wb_groups_members_state);
+ if (req == NULL) {
+ return NULL;
+ }
+ state->ev = ev;
+ state->groups = groups;
+ state->num_groups = num_groups;
+ state->next_group = 0;
+ state->all_members = NULL;
+
+ D_DEBUG("Looking up %"PRIu32" group(s).\n", num_groups);
+ status = wb_groups_members_next_subreq(state, state, &subreq);
+ if (tevent_req_nterror(req, status)) {
+ return tevent_req_post(req, ev);
+ }
+ if (subreq == NULL) {
+ tevent_req_done(req);
+ return tevent_req_post(req, ev);
+ }
+ tevent_req_set_callback(subreq, wb_groups_members_done, req);
+ return req;
+}
+
+static NTSTATUS wb_groups_members_next_subreq(
+ struct wb_groups_members_state *state,
+ TALLOC_CTX *mem_ctx, struct tevent_req **psubreq)
+{
+ struct tevent_req *subreq;
+ struct wbint_Principal *g;
+
+ if (state->next_group >= state->num_groups) {
+ *psubreq = NULL;
+ return NT_STATUS_OK;
+ }
+
+ g = &state->groups[state->next_group];
+ state->next_group += 1;
+
+ subreq = wb_lookupgroupmem_send(mem_ctx, state->ev, &g->sid, g->type);
+ if (subreq == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ *psubreq = subreq;
+ return NT_STATUS_OK;
+}
+
+static void wb_groups_members_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct wb_groups_members_state *state = tevent_req_data(
+ req, struct wb_groups_members_state);
+ uint32_t i, num_all_members;
+ uint32_t num_members = 0;
+ struct wbint_Principal *members = NULL;
+ NTSTATUS status;
+
+ status = wb_lookupgroupmem_recv(subreq, state, &num_members, &members);
+ TALLOC_FREE(subreq);
+
+ /*
+ * In this error handling here we might have to be a bit more generous
+ * and just continue if an error occurred.
+ */
+
+ if (!NT_STATUS_IS_OK(status)) {
+ if (!NT_STATUS_EQUAL(
+ status, NT_STATUS_TRUSTED_DOMAIN_FAILURE)) {
+ tevent_req_nterror(req, status);
+ return;
+ }
+ num_members = 0;
+ }
+
+ num_all_members = talloc_array_length(state->all_members);
+
+ D_DEBUG("Adding %"PRIu32" new member(s) to existing %"PRIu32" member(s)\n",
+ num_members,
+ num_all_members);
+
+ state->all_members = talloc_realloc(
+ state, state->all_members, struct wbint_Principal,
+ num_all_members + num_members);
+ if ((num_all_members + num_members != 0)
+ && tevent_req_nomem(state->all_members, req)) {
+ return;
+ }
+ for (i=0; i<num_members; i++) {
+ struct wbint_Principal *src, *dst;
+ src = &members[i];
+ dst = &state->all_members[num_all_members + i];
+ sid_copy(&dst->sid, &src->sid);
+ dst->name = talloc_move(state->all_members, &src->name);
+ dst->type = src->type;
+ }
+ TALLOC_FREE(members);
+
+ status = wb_groups_members_next_subreq(state, state, &subreq);
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
+ if (subreq == NULL) {
+ tevent_req_done(req);
+ return;
+ }
+ tevent_req_set_callback(subreq, wb_groups_members_done, req);
+}
+
+static NTSTATUS wb_groups_members_recv(struct tevent_req *req,
+ TALLOC_CTX *mem_ctx,
+ uint32_t *num_members,
+ struct wbint_Principal **members)
+{
+ struct wb_groups_members_state *state = tevent_req_data(
+ req, struct wb_groups_members_state);
+ NTSTATUS status;
+
+ if (tevent_req_is_nterror(req, &status)) {
+ return status;
+ }
+ *num_members = talloc_array_length(state->all_members);
+ *members = talloc_move(mem_ctx, &state->all_members);
+ return NT_STATUS_OK;
+}
+
+
+/*
+ * This is the routine expanding a list of groups up to a certain level. We
+ * collect the users in a rbt database: We have to add them without duplicates,
+ * and the db is indexed by SID.
+ */
+
+struct wb_group_members_state {
+ struct tevent_context *ev;
+ int depth;
+ struct db_context *users;
+ struct wbint_Principal *groups;
+};
+
+static NTSTATUS wb_group_members_next_subreq(
+ struct wb_group_members_state *state,
+ TALLOC_CTX *mem_ctx, struct tevent_req **psubreq);
+static void wb_group_members_done(struct tevent_req *subreq);
+
+struct tevent_req *wb_group_members_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ const struct dom_sid *sid,
+ enum lsa_SidType type,
+ int max_depth)
+{
+ struct tevent_req *req, *subreq = NULL;
+ struct wb_group_members_state *state;
+ NTSTATUS status;
+ struct dom_sid_buf buf;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct wb_group_members_state);
+ if (req == NULL) {
+ return NULL;
+ }
+ D_INFO("WB command group_members start.\n"
+ "Looking up domain SID %s with SID type %d and max_depth %d.\n",
+ dom_sid_str_buf(sid, &buf),
+ type,
+ max_depth);
+
+ state->ev = ev;
+ state->depth = max_depth;
+ state->users = db_open_rbt(state);
+ if (tevent_req_nomem(state->users, req)) {
+ return tevent_req_post(req, ev);
+ }
+
+ state->groups = talloc(state, struct wbint_Principal);
+ if (tevent_req_nomem(state->groups, req)) {
+ return tevent_req_post(req, ev);
+ }
+ state->groups->name = NULL;
+ sid_copy(&state->groups->sid, sid);
+ state->groups->type = type;
+
+ status = wb_group_members_next_subreq(state, state, &subreq);
+ if (tevent_req_nterror(req, status)) {
+ return tevent_req_post(req, ev);
+ }
+ if (subreq == NULL) {
+ tevent_req_done(req);
+ return tevent_req_post(req, ev);
+ }
+ tevent_req_set_callback(subreq, wb_group_members_done, req);
+ return req;
+}
+
+static NTSTATUS wb_group_members_next_subreq(
+ struct wb_group_members_state *state,
+ TALLOC_CTX *mem_ctx, struct tevent_req **psubreq)
+{
+ struct tevent_req *subreq;
+
+ if ((talloc_array_length(state->groups) == 0)
+ || (state->depth <= 0)) {
+ *psubreq = NULL;
+ D_DEBUG("Finished. The depth is %d.\n", state->depth);
+ return NT_STATUS_OK;
+ }
+ state->depth -= 1;
+
+ D_DEBUG("The depth is decremented to %d.\n", state->depth);
+ subreq = wb_groups_members_send(
+ mem_ctx, state->ev, talloc_array_length(state->groups),
+ state->groups);
+ if (subreq == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ *psubreq = subreq;
+ return NT_STATUS_OK;
+}
+
+NTSTATUS add_member_to_db(struct db_context *db, struct dom_sid *sid,
+ const char *name)
+{
+ size_t len = ndr_size_dom_sid(sid, 0);
+ uint8_t sidbuf[len];
+ TDB_DATA key = { .dptr = sidbuf, .dsize = sizeof(sidbuf) };
+ NTSTATUS status;
+
+ sid_linearize(sidbuf, sizeof(sidbuf), sid);
+
+ status = dbwrap_store(db, key, string_term_tdb_data(name), 0);
+ return status;
+}
+
+static void wb_group_members_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct wb_group_members_state *state = tevent_req_data(
+ req, struct wb_group_members_state);
+ uint32_t i, num_groups, new_groups;
+ uint32_t num_members = 0;
+ struct wbint_Principal *members = NULL;
+ NTSTATUS status;
+
+ status = wb_groups_members_recv(subreq, state, &num_members, &members);
+ TALLOC_FREE(subreq);
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
+
+ new_groups = 0;
+ for (i=0; i<num_members; i++) {
+ switch (members[i].type) {
+ case SID_NAME_DOM_GRP:
+ case SID_NAME_ALIAS:
+ case SID_NAME_WKN_GRP:
+ new_groups += 1;
+ break;
+ default:
+ /* Ignore everything else */
+ break;
+ }
+ }
+
+ num_groups = 0;
+ TALLOC_FREE(state->groups);
+ state->groups = talloc_array(state, struct wbint_Principal,
+ new_groups);
+
+ /*
+ * Collect the users into state->users and the groups into
+ * state->groups for the next iteration.
+ */
+
+ for (i=0; i<num_members; i++) {
+ switch (members[i].type) {
+ case SID_NAME_USER:
+ case SID_NAME_COMPUTER: {
+ /*
+ * Add a copy of members[i] to state->users
+ */
+ status = add_member_to_db(state->users, &members[i].sid,
+ members[i].name);
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
+
+ break;
+ }
+ case SID_NAME_DOM_GRP:
+ case SID_NAME_ALIAS:
+ case SID_NAME_WKN_GRP: {
+ struct wbint_Principal *g;
+ /*
+ * Save members[i] for the next round
+ */
+ g = &state->groups[num_groups];
+ sid_copy(&g->sid, &members[i].sid);
+ g->name = talloc_move(state->groups, &members[i].name);
+ g->type = members[i].type;
+ num_groups += 1;
+ break;
+ }
+ default:
+ /* Ignore everything else */
+ break;
+ }
+ }
+
+ status = wb_group_members_next_subreq(state, state, &subreq);
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
+ if (subreq == NULL) {
+ tevent_req_done(req);
+ return;
+ }
+ tevent_req_set_callback(subreq, wb_group_members_done, req);
+}
+
+NTSTATUS wb_group_members_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
+ struct db_context **members)
+{
+ struct wb_group_members_state *state = tevent_req_data(
+ req, struct wb_group_members_state);
+ NTSTATUS status;
+
+ D_INFO("WB command group_members end.\n");
+ if (tevent_req_is_nterror(req, &status)) {
+ D_WARNING("Failed with %s.\n", nt_errstr(status));
+ return status;
+ }
+ *members = talloc_move(mem_ctx, &state->users);
+ return NT_STATUS_OK;
+}
diff --git a/source3/winbindd/wb_lookupname.c b/source3/winbindd/wb_lookupname.c
new file mode 100644
index 0000000..12dbfbe
--- /dev/null
+++ b/source3/winbindd/wb_lookupname.c
@@ -0,0 +1,123 @@
+/*
+ Unix SMB/CIFS implementation.
+ async lookupname
+ Copyright (C) Volker Lendecke 2009
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "winbindd.h"
+#include "librpc/gen_ndr/ndr_winbind_c.h"
+#include "../libcli/security/security.h"
+
+struct wb_lookupname_state {
+ struct tevent_context *ev;
+ const char *dom_name;
+ const char *name;
+ uint32_t flags;
+ struct dom_sid sid;
+ enum lsa_SidType type;
+};
+
+static void wb_lookupname_done(struct tevent_req *subreq);
+
+struct tevent_req *wb_lookupname_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ const char *namespace,
+ const char *dom_name,
+ const char *name,
+ uint32_t flags)
+{
+ struct tevent_req *req, *subreq;
+ struct wb_lookupname_state *state;
+ struct winbindd_domain *domain;
+
+ req = tevent_req_create(mem_ctx, &state, struct wb_lookupname_state);
+ if (req == NULL) {
+ return NULL;
+ }
+
+ D_INFO("WB command lookupname start.\n"
+ "Search namespace '%s' and domain '%s' for name '%s'.\n",
+ namespace, dom_name, name);
+ state->ev = ev;
+ state->flags = flags;
+
+ /*
+ * Uppercase domain and name so that we become cache-friendly
+ */
+ state->dom_name = talloc_strdup_upper(state, dom_name);
+ if (tevent_req_nomem(state->dom_name, req)) {
+ return tevent_req_post(req, ev);
+ }
+ state->name = talloc_strdup_upper(state, name);
+ if (tevent_req_nomem(state->name, req)) {
+ return tevent_req_post(req, ev);
+ }
+
+ domain = find_lookup_domain_from_name(namespace);
+ if (domain == NULL) {
+ D_WARNING("Could not find domain for %s\n", namespace);
+ tevent_req_nterror(req, NT_STATUS_NONE_MAPPED);
+ return tevent_req_post(req, ev);
+ }
+
+ subreq = dcerpc_wbint_LookupName_send(
+ state, ev, dom_child_handle(domain),
+ state->dom_name, state->name,
+ flags, &state->type, &state->sid);
+ if (tevent_req_nomem(subreq, req)) {
+ return tevent_req_post(req, ev);
+ }
+ tevent_req_set_callback(subreq, wb_lookupname_done, req);
+ return req;
+}
+
+static void wb_lookupname_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct wb_lookupname_state *state = tevent_req_data(
+ req, struct wb_lookupname_state);
+ NTSTATUS status, result;
+
+ status = dcerpc_wbint_LookupName_recv(subreq, state, &result);
+ TALLOC_FREE(subreq);
+ if (any_nt_status_not_ok(status, result, &status)) {
+ tevent_req_nterror(req, status);
+ return;
+ }
+ tevent_req_done(req);
+}
+
+NTSTATUS wb_lookupname_recv(struct tevent_req *req, struct dom_sid *sid,
+ enum lsa_SidType *type)
+{
+ struct wb_lookupname_state *state = tevent_req_data(
+ req, struct wb_lookupname_state);
+ NTSTATUS status;
+ struct dom_sid_buf buf;
+
+ if (tevent_req_is_nterror(req, &status)) {
+ return status;
+ }
+ sid_copy(sid, &state->sid);
+ *type = state->type;
+ D_INFO("WB command lookupname end.\n"
+ "Found SID %s with SID type %d.\n",
+ dom_sid_str_buf(sid, &buf),
+ *type);
+ return NT_STATUS_OK;
+}
diff --git a/source3/winbindd/wb_lookupsid.c b/source3/winbindd/wb_lookupsid.c
new file mode 100644
index 0000000..31820f9
--- /dev/null
+++ b/source3/winbindd/wb_lookupsid.c
@@ -0,0 +1,114 @@
+/*
+ Unix SMB/CIFS implementation.
+ async lookupsid
+ Copyright (C) Volker Lendecke 2009
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "winbindd.h"
+#include "librpc/gen_ndr/ndr_winbind_c.h"
+#include "../libcli/security/security.h"
+
+struct wb_lookupsid_state {
+ struct tevent_context *ev;
+ struct winbindd_domain *lookup_domain;
+ struct dom_sid sid;
+ enum lsa_SidType type;
+ const char *domname;
+ const char *name;
+};
+
+static void wb_lookupsid_done(struct tevent_req *subreq);
+
+struct tevent_req *wb_lookupsid_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ const struct dom_sid *sid)
+{
+ struct tevent_req *req, *subreq;
+ struct wb_lookupsid_state *state;
+ struct dom_sid_buf buf;
+
+ req = tevent_req_create(mem_ctx, &state, struct wb_lookupsid_state);
+ if (req == NULL) {
+ return NULL;
+ }
+
+ D_INFO("WB command lookupsid start.\n");
+ sid_copy(&state->sid, sid);
+ state->ev = ev;
+
+ state->lookup_domain = find_lookup_domain_from_sid(sid);
+ if (state->lookup_domain == NULL) {
+ D_WARNING("Could not find domain for sid %s\n",
+ dom_sid_str_buf(sid, &buf));
+ tevent_req_nterror(req, NT_STATUS_NONE_MAPPED);
+ return tevent_req_post(req, ev);
+ }
+
+ D_DEBUG("Looking up SID %s in domain %s.\n",
+ dom_sid_str_buf(&state->sid, &buf),
+ state->lookup_domain->name);
+ subreq = dcerpc_wbint_LookupSid_send(
+ state, ev, dom_child_handle(state->lookup_domain),
+ &state->sid, &state->type, &state->domname, &state->name);
+ if (tevent_req_nomem(subreq, req)) {
+ return tevent_req_post(req, ev);
+ }
+ tevent_req_set_callback(subreq, wb_lookupsid_done, req);
+ return req;
+}
+
+static void wb_lookupsid_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct wb_lookupsid_state *state = tevent_req_data(
+ req, struct wb_lookupsid_state);
+ NTSTATUS status, result;
+
+ status = dcerpc_wbint_LookupSid_recv(subreq, state, &result);
+ TALLOC_FREE(subreq);
+ if (any_nt_status_not_ok(status, result, &status)) {
+ tevent_req_nterror(req, status);
+ return;
+ }
+ tevent_req_done(req);
+}
+
+NTSTATUS wb_lookupsid_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
+ enum lsa_SidType *type, const char **domain,
+ const char **name)
+{
+ struct wb_lookupsid_state *state = tevent_req_data(
+ req, struct wb_lookupsid_state);
+ NTSTATUS status;
+ struct dom_sid_buf buf;
+
+ D_INFO("WB command lookupsid end.\n");
+ if (tevent_req_is_nterror(req, &status)) {
+ D_WARNING("Failed with %s.\n", nt_errstr(status));
+ return status;
+ }
+ *type = state->type;
+ *domain = talloc_move(mem_ctx, &state->domname);
+ *name = talloc_move(mem_ctx, &state->name);
+ D_INFO("SID %s has name '%s' with type '%d' in domain '%s'.\n",
+ dom_sid_str_buf(&state->sid, &buf),
+ *name,
+ *type,
+ *domain);
+ return NT_STATUS_OK;
+}
diff --git a/source3/winbindd/wb_lookupsids.c b/source3/winbindd/wb_lookupsids.c
new file mode 100644
index 0000000..d025911
--- /dev/null
+++ b/source3/winbindd/wb_lookupsids.c
@@ -0,0 +1,697 @@
+/*
+ Unix SMB/CIFS implementation.
+ async lookupsids
+ Copyright (C) Volker Lendecke 2011
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "winbindd.h"
+#include "lib/util_unixsids.h"
+#include "librpc/gen_ndr/ndr_winbind_c.h"
+#include "../libcli/security/security.h"
+#include "passdb/machine_sid.h"
+#include "lsa.h"
+
+struct wb_lookupsids_domain {
+ struct winbindd_domain *domain;
+
+ /*
+ * Array of sids to be passed into wbint_LookupSids. Preallocated with
+ * num_sids.
+ */
+ struct lsa_SidArray sids;
+
+ /*
+ * Indexes into wb_lookupsids_state->sids and thus
+ * wb_lookupsids_state->res_names. Preallocated with num_sids.
+ */
+ uint32_t *sid_indexes;
+};
+
+struct wb_translated_name {
+ const char *domain_name;
+ const char *name;
+ enum lsa_SidType type;
+};
+
+static struct wb_lookupsids_domain *wb_lookupsids_get_domain(
+ const struct dom_sid *sid, TALLOC_CTX *mem_ctx,
+ struct wb_lookupsids_domain **domains, uint32_t num_sids);
+
+struct wb_lookupsids_state {
+ struct tevent_context *ev;
+
+ /*
+ * SIDs passed in
+ */
+ struct dom_sid *sids;
+ uint32_t num_sids;
+
+ /*
+ * The domains we're using for bulk lookup via wbint_LookupRids or
+ * wbint_LookupSids. We expect very few domains, so we do a
+ * talloc_realloc and rely on talloc_array_length.
+ */
+ struct wb_lookupsids_domain *domains;
+ uint32_t domains_done;
+
+ /*
+ * These SIDs are looked up individually via
+ * wbint_LookupSid. Preallocated with num_sids.
+ */
+ uint32_t *single_sids;
+ uint32_t num_single_sids;
+ uint32_t single_sids_done;
+
+ /*
+ * Intermediate store for wbint_LookupRids to passdb. These are
+ * spliced into res_domains/res_names in wb_lookupsids_move_name.
+ */
+ struct wbint_RidArray rids;
+ const char *domain_name;
+ struct wbint_Principals rid_names;
+
+ /*
+ * Intermediate results for wbint_LookupSids. These results are
+ * spliced into res_domains/res_names in wb_lookupsids_move_name.
+ */
+ struct lsa_RefDomainList tmp_domains;
+ struct lsa_TransNameArray tmp_names;
+
+ /*
+ * Results
+ */
+ struct lsa_RefDomainList *res_domains;
+ /*
+ * Indexed as "sids" in this structure
+ */
+ struct lsa_TransNameArray *res_names;
+};
+
+static bool wb_lookupsids_next(struct tevent_req *req,
+ struct wb_lookupsids_state *state);
+static void wb_lookupsids_single_done(struct tevent_req *subreq);
+static void wb_lookupsids_lookuprids_done(struct tevent_req *subreq);
+static void wb_lookupsids_done(struct tevent_req *subreq);
+
+struct tevent_req *wb_lookupsids_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct dom_sid *sids,
+ uint32_t num_sids)
+{
+ struct tevent_req *req;
+ struct wb_lookupsids_state *state;
+ uint32_t i;
+
+ D_INFO("WB command lookupsids start.\nLooking up %"PRIu32" SID(s)\n",
+ num_sids);
+ if (CHECK_DEBUGLVL(DBGLVL_INFO)) {
+ for (i = 0; i < num_sids; i++) {
+ struct dom_sid_buf buf;
+ D_INFO("%"PRIu32": %s\n",
+ i, dom_sid_str_buf(&sids[i], &buf));
+ }
+ }
+ req = tevent_req_create(mem_ctx, &state, struct wb_lookupsids_state);
+ if (req == NULL) {
+ return NULL;
+ }
+ state->ev = ev;
+ state->sids = sids;
+ state->num_sids = num_sids;
+
+ state->single_sids = talloc_zero_array(state, uint32_t, num_sids);
+ if (tevent_req_nomem(state->single_sids, req)) {
+ return tevent_req_post(req, ev);
+ }
+
+ state->res_domains = talloc_zero(state, struct lsa_RefDomainList);
+ if (tevent_req_nomem(state->res_domains, req)) {
+ return tevent_req_post(req, ev);
+ }
+ state->res_domains->domains = talloc_zero_array(
+ state->res_domains, struct lsa_DomainInfo, num_sids);
+ if (tevent_req_nomem(state->res_domains->domains, req)) {
+ return tevent_req_post(req, ev);
+ }
+
+ state->res_names = talloc_zero(state, struct lsa_TransNameArray);
+ if (tevent_req_nomem(state->res_names, req)) {
+ return tevent_req_post(req, ev);
+ }
+ state->res_names->names = talloc_zero_array(
+ state->res_names, struct lsa_TranslatedName, num_sids);
+ if (tevent_req_nomem(state->res_names->names, req)) {
+ return tevent_req_post(req, ev);
+ }
+
+ if (num_sids == 0) {
+ tevent_req_done(req);
+ return tevent_req_post(req, ev);
+ }
+
+ for (i=0; i<num_sids; i++) {
+ struct wb_lookupsids_domain *d;
+
+ d = wb_lookupsids_get_domain(&sids[i], state, &state->domains,
+ num_sids);
+ if (d != NULL) {
+ d->sids.sids[d->sids.num_sids].sid = &sids[i];
+ d->sid_indexes[d->sids.num_sids] = i;
+ d->sids.num_sids += 1;
+ } else {
+ state->single_sids[state->num_single_sids] = i;
+ state->num_single_sids += 1;
+ }
+ }
+
+ if (!wb_lookupsids_next(req, state)) {
+ return tevent_req_post(req, ev);
+ }
+ return req;
+}
+
+static bool wb_lookupsids_next(struct tevent_req *req,
+ struct wb_lookupsids_state *state)
+{
+ struct tevent_req *subreq;
+
+ if (state->domains_done < talloc_array_length(state->domains)) {
+ struct wb_lookupsids_domain *d;
+ uint32_t i;
+
+ d = &state->domains[state->domains_done];
+
+ if (d->domain->internal) {
+ /*
+ * This is only our local SAM,
+ * see wb_lookupsids_bulk() and
+ * wb_lookupsids_get_domain().
+ */
+ state->rids.num_rids = d->sids.num_sids;
+ state->rids.rids = talloc_array(state, uint32_t,
+ state->rids.num_rids);
+ if (tevent_req_nomem(state->rids.rids, req)) {
+ return false;
+ }
+ for (i=0; i<state->rids.num_rids; i++) {
+ sid_peek_rid(d->sids.sids[i].sid,
+ &state->rids.rids[i]);
+ }
+ subreq = dcerpc_wbint_LookupRids_send(
+ state, state->ev, dom_child_handle(d->domain),
+ &d->domain->sid, &state->rids, &state->domain_name,
+ &state->rid_names);
+ if (tevent_req_nomem(subreq, req)) {
+ return false;
+ }
+ tevent_req_set_callback(
+ subreq, wb_lookupsids_lookuprids_done, req);
+ return true;
+ }
+
+ subreq = dcerpc_wbint_LookupSids_send(
+ state, state->ev, dom_child_handle(d->domain),
+ &d->sids, &state->tmp_domains, &state->tmp_names);
+ if (tevent_req_nomem(subreq, req)) {
+ return false;
+ }
+ tevent_req_set_callback(subreq, wb_lookupsids_done, req);
+ return true;
+ }
+
+ if (state->single_sids_done < state->num_single_sids) {
+ uint32_t sid_idx;
+ const struct dom_sid *sid;
+
+ sid_idx = state->single_sids[state->single_sids_done];
+ sid = &state->sids[sid_idx];
+
+ subreq = wb_lookupsid_send(state, state->ev, sid);
+ if (tevent_req_nomem(subreq, req)) {
+ return false;
+ }
+ tevent_req_set_callback(subreq, wb_lookupsids_single_done,
+ req);
+ return true;
+ }
+
+ tevent_req_done(req);
+ return false;
+}
+
+/*
+ * Decide whether to do bulk lookupsids. We have optimizations for
+ * passdb via lookuprids and to remote DCs via lookupsids.
+ */
+
+static bool wb_lookupsids_bulk(const struct dom_sid *sid)
+{
+ struct dom_sid_buf sidbuf;
+
+ if (sid->num_auths != 5) {
+ /*
+ * Only do "S-1-5-21-x-y-z-rid" domains via bulk
+ * lookup
+ */
+ DBG_DEBUG("No bulk setup for SID %s with %"PRIi8" subauths\n",
+ dom_sid_str_buf(sid, &sidbuf),
+ sid->num_auths);
+ return false;
+ }
+
+ if (sid_check_is_in_our_sam(sid)) {
+ /*
+ * Passdb lookup via lookuprids
+ */
+ DBG_DEBUG("%s is in our domain\n",
+ dom_sid_str_buf(sid, &sidbuf));
+ return true;
+ }
+
+ if (IS_DC) {
+ /*
+ * Bulk lookups to trusted DCs
+ */
+ return (find_domain_from_sid_noinit(sid) != NULL);
+ }
+
+ if (lp_server_role() != ROLE_DOMAIN_MEMBER) {
+ /*
+ * Don't do bulk lookups as standalone, the only bulk
+ * lookup left is for domain members.
+ */
+ return false;
+ }
+
+ if (sid_check_is_in_unix_groups(sid) ||
+ sid_check_is_unix_groups(sid) ||
+ sid_check_is_in_unix_users(sid) ||
+ sid_check_is_unix_users(sid) ||
+ sid_check_is_in_builtin(sid) ||
+ sid_check_is_builtin(sid) ||
+ sid_check_is_wellknown_domain(sid, NULL) ||
+ sid_check_is_in_wellknown_domain(sid))
+ {
+ /*
+ * These are locally done piece by piece anyway, no
+ * need for bulk optimizations.
+ */
+ return false;
+ }
+
+ /*
+ * All other SIDs are sent to the DC we're connected to as
+ * member via a single lsa_lookupsids call.
+ */
+ return true;
+}
+
+static struct wb_lookupsids_domain *wb_lookupsids_get_domain(
+ const struct dom_sid *sid, TALLOC_CTX *mem_ctx,
+ struct wb_lookupsids_domain **pdomains, uint32_t num_sids)
+{
+ struct wb_lookupsids_domain *domains, *domain;
+ struct winbindd_domain *wb_domain;
+ uint32_t i, num_domains;
+
+ if (!wb_lookupsids_bulk(sid)) {
+ D_DEBUG("wb_lookupsids_bulk() is FALSE\n");
+ return NULL;
+ }
+ D_DEBUG("wb_lookupsids_bulk() is TRUE\n");
+
+ domains = *pdomains;
+ num_domains = talloc_array_length(domains);
+
+ wb_domain = find_lookup_domain_from_sid(sid);
+ if (wb_domain == NULL) {
+ return NULL;
+ }
+
+ D_DEBUG("Searching %"PRIu32" domain(s) for domain '%s'\n",
+ num_domains, wb_domain->name);
+ for (i=0; i<num_domains; i++) {
+ if (domains[i].domain != wb_domain) {
+ continue;
+ }
+
+ if (!domains[i].domain->internal) {
+ /*
+ * If it's not our local sam,
+ * we can re-use the domain without
+ * checking the sid.
+ *
+ * Note the wb_lookupsids_bulk() above
+ * already catched special SIDs,
+ * e.g. the unix and builtin domains.
+ */
+ return &domains[i];
+ }
+
+ if (dom_sid_compare_domain(sid, &domains[i].domain->sid) == 0) {
+ /*
+ * If it's out local sam we can also use it.
+ */
+ return &domains[i];
+ }
+
+ /*
+ * I'm not sure if this can be triggered,
+ * as wb_lookupsids_bulk() should also catch this,
+ * but we need to make sure that we don't use
+ * wbint_LookupRids() without a SID match.
+ */
+ return NULL;
+ }
+
+ domains = talloc_realloc(
+ mem_ctx, domains, struct wb_lookupsids_domain, num_domains+1);
+ if (domains == NULL) {
+ return NULL;
+ }
+ *pdomains = domains;
+
+ domain = &domains[num_domains];
+ domain->domain = wb_domain;
+
+ domain->sids.sids = talloc_zero_array(domains, struct lsa_SidPtr, num_sids);
+ if (domains->sids.sids == NULL) {
+ goto fail;
+ }
+ domain->sids.num_sids = 0;
+
+ domain->sid_indexes = talloc_zero_array(domains, uint32_t, num_sids);
+ if (domain->sid_indexes == NULL) {
+ TALLOC_FREE(domain->sids.sids);
+ goto fail;
+ }
+ return domain;
+
+fail:
+ /*
+ * Realloc to the state it was in before
+ */
+ *pdomains = talloc_realloc(
+ mem_ctx, domains, struct wb_lookupsids_domain, num_domains);
+ return NULL;
+}
+
+static bool wb_lookupsids_find_dom_idx(struct lsa_DomainInfo *domain,
+ struct lsa_RefDomainList *list,
+ uint32_t *idx)
+{
+ uint32_t i;
+ struct lsa_DomainInfo *new_domain;
+
+ for (i=0; i<list->count; i++) {
+ if (dom_sid_equal(domain->sid, list->domains[i].sid)) {
+ *idx = i;
+ return true;
+ }
+ }
+
+ new_domain = &list->domains[list->count];
+
+ new_domain->name.string = talloc_strdup(
+ list->domains, domain->name.string);
+ if (new_domain->name.string == NULL) {
+ return false;
+ }
+
+ new_domain->sid = dom_sid_dup(list->domains, domain->sid);
+ if (new_domain->sid == NULL) {
+ return false;
+ }
+
+ *idx = list->count;
+ list->count += 1;
+ return true;
+}
+
+static bool wb_lookupsids_move_name(struct lsa_RefDomainList *src_domains,
+ struct lsa_TranslatedName *src_name,
+ struct lsa_RefDomainList *dst_domains,
+ struct lsa_TransNameArray *dst_names,
+ uint32_t dst_name_index)
+{
+ struct lsa_TranslatedName *dst_name;
+ struct lsa_DomainInfo *src_domain;
+ uint32_t src_domain_index;
+ uint32_t dst_domain_index = UINT32_MAX;
+ bool ok;
+
+ src_domain_index = src_name->sid_index;
+ if ((src_domain_index != UINT32_MAX) && (src_domains != NULL)) {
+ if (src_domain_index >= src_domains->count) {
+ return false;
+ }
+ src_domain = &src_domains->domains[src_domain_index];
+
+ ok = wb_lookupsids_find_dom_idx(src_domain,
+ dst_domains,
+ &dst_domain_index);
+ if (!ok) {
+ return false;
+ }
+ }
+
+ dst_name = &dst_names->names[dst_name_index];
+
+ dst_name->sid_type = src_name->sid_type;
+ dst_name->name.string = talloc_move(dst_names->names,
+ &src_name->name.string);
+ dst_name->sid_index = dst_domain_index;
+ dst_names->count += 1;
+
+ return true;
+}
+
+static void wb_lookupsids_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct wb_lookupsids_state *state = tevent_req_data(
+ req, struct wb_lookupsids_state);
+ struct wb_lookupsids_domain *d;
+ uint32_t i;
+
+ NTSTATUS status, result;
+
+ status = dcerpc_wbint_LookupSids_recv(subreq, state, &result);
+ TALLOC_FREE(subreq);
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
+ if (NT_STATUS_LOOKUP_ERR(result)) {
+ tevent_req_nterror(req, result);
+ return;
+ }
+
+ /*
+ * Look at the individual states in the translated names.
+ */
+
+ d = &state->domains[state->domains_done];
+
+ for (i=0; i<state->tmp_names.count; i++) {
+ uint32_t res_sid_index = d->sid_indexes[i];
+
+ if (!wb_lookupsids_move_name(
+ &state->tmp_domains, &state->tmp_names.names[i],
+ state->res_domains, state->res_names,
+ res_sid_index)) {
+ tevent_req_oom(req);
+ return;
+ }
+ }
+ state->domains_done += 1;
+ wb_lookupsids_next(req, state);
+}
+
+static void wb_lookupsids_single_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct wb_lookupsids_state *state = tevent_req_data(
+ req, struct wb_lookupsids_state);
+ const char *domain_name = NULL;
+ const char *name = NULL;
+ enum lsa_SidType type = SID_NAME_UNKNOWN;
+ uint32_t res_sid_index;
+ uint32_t src_rid;
+
+ struct dom_sid src_domain_sid;
+ struct lsa_DomainInfo src_domain;
+ struct lsa_RefDomainList src_domains;
+ struct lsa_RefDomainList *psrc_domains = NULL;
+ struct lsa_TranslatedName src_name;
+
+ uint32_t domain_idx = UINT32_MAX;
+ NTSTATUS status;
+ bool ok;
+
+ status = wb_lookupsid_recv(subreq, talloc_tos(), &type,
+ &domain_name, &name);
+ TALLOC_FREE(subreq);
+ if (NT_STATUS_LOOKUP_ERR(status)) {
+ tevent_req_nterror(req, status);
+ return;
+ }
+
+ res_sid_index = state->single_sids[state->single_sids_done];
+
+ if ((domain_name != NULL) && (domain_name[0] != '\0')) {
+ /*
+ * Build structs with the domain name for
+ * wb_lookupsids_move_name(). If we didn't get a name, we will
+ * pass NULL and UINT32_MAX.
+ */
+
+ sid_copy(&src_domain_sid, &state->sids[res_sid_index]);
+ if (type != SID_NAME_DOMAIN) {
+ sid_split_rid(&src_domain_sid, &src_rid);
+ }
+
+ src_domain.name.string = domain_name;
+ src_domain.sid = &src_domain_sid;
+
+ src_domains.count = 1;
+ src_domains.domains = &src_domain;
+ psrc_domains = &src_domains;
+
+ domain_idx = 0;
+ }
+
+ src_name.sid_type = type;
+ src_name.name.string = name;
+ src_name.sid_index = domain_idx;
+
+ ok = wb_lookupsids_move_name(psrc_domains,
+ &src_name,
+ state->res_domains,
+ state->res_names,
+ res_sid_index);
+ if (!ok) {
+ tevent_req_oom(req);
+ return;
+ }
+ state->single_sids_done += 1;
+ wb_lookupsids_next(req, state);
+}
+
+static void wb_lookupsids_lookuprids_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct wb_lookupsids_state *state = tevent_req_data(
+ req, struct wb_lookupsids_state);
+ struct dom_sid src_domain_sid;
+ struct lsa_DomainInfo src_domain;
+ struct lsa_RefDomainList src_domains;
+ NTSTATUS status, result;
+ struct wb_lookupsids_domain *d;
+ uint32_t i;
+
+ status = dcerpc_wbint_LookupRids_recv(subreq, state, &result);
+ TALLOC_FREE(subreq);
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
+ if (NT_STATUS_LOOKUP_ERR(result)) {
+ tevent_req_nterror(req, result);
+ return;
+ }
+
+ /*
+ * Look at the individual states in the translated names.
+ */
+
+ d = &state->domains[state->domains_done];
+
+ sid_copy(&src_domain_sid, get_global_sam_sid());
+ src_domain.name.string = get_global_sam_name();
+ src_domain.sid = &src_domain_sid;
+ src_domains.count = 1;
+ src_domains.domains = &src_domain;
+
+ for (i=0; i<state->rid_names.num_principals; i++) {
+ struct lsa_TranslatedName src_name;
+ uint32_t res_sid_index;
+
+ /*
+ * Fake up structs for wb_lookupsids_move_name
+ */
+ res_sid_index = d->sid_indexes[i];
+
+ src_name.sid_type = state->rid_names.principals[i].type;
+ src_name.name.string = state->rid_names.principals[i].name;
+ src_name.sid_index = 0;
+
+ if (!wb_lookupsids_move_name(
+ &src_domains, &src_name,
+ state->res_domains, state->res_names,
+ res_sid_index)) {
+ tevent_req_oom(req);
+ return;
+ }
+ }
+
+ state->domains_done += 1;
+ wb_lookupsids_next(req, state);
+}
+
+NTSTATUS wb_lookupsids_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
+ struct lsa_RefDomainList **domains,
+ struct lsa_TransNameArray **names)
+{
+ struct wb_lookupsids_state *state = tevent_req_data(
+ req, struct wb_lookupsids_state);
+ NTSTATUS status;
+
+ D_INFO("WB command lookupsids end.\n");
+ if (tevent_req_is_nterror(req, &status)) {
+ D_WARNING("Failed with %s.\n", nt_errstr(status));
+ return status;
+ }
+
+ /*
+ * The returned names need to match the given sids,
+ * if not we have a bug in the code!
+ */
+ if (state->res_names->count != state->num_sids) {
+ D_WARNING("Got %"PRIu32" returned name(s), but expected %"PRIu32"!\n",
+ state->res_names->count, state->num_sids);
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
+ /*
+ * Not strictly needed, but it might make debugging in the callers
+ * easier in future, if the talloc_array_length() returns the
+ * expected result...
+ */
+ state->res_domains->domains = talloc_realloc(state->res_domains,
+ state->res_domains->domains,
+ struct lsa_DomainInfo,
+ state->res_domains->count);
+
+ *domains = talloc_move(mem_ctx, &state->res_domains);
+ *names = talloc_move(mem_ctx, &state->res_names);
+ D_INFO("Returning %"PRIu32" domain(s) and %"PRIu32" name(s).\n",
+ (*domains)->count,
+ (*names)->count);
+ return NT_STATUS_OK;
+}
diff --git a/source3/winbindd/wb_lookupuseraliases.c b/source3/winbindd/wb_lookupuseraliases.c
new file mode 100644
index 0000000..a9ad7d4
--- /dev/null
+++ b/source3/winbindd/wb_lookupuseraliases.c
@@ -0,0 +1,108 @@
+/*
+ Unix SMB/CIFS implementation.
+ async lookupuseraliases
+ Copyright (C) Volker Lendecke 2009
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "winbindd.h"
+#include "librpc/gen_ndr/ndr_winbind_c.h"
+#include "libcli/security/dom_sid.h"
+
+struct wb_lookupuseraliases_state {
+ struct tevent_context *ev;
+ struct wbint_SidArray sids;
+ struct wbint_RidArray rids;
+};
+
+static void wb_lookupuseraliases_done(struct tevent_req *subreq);
+
+struct tevent_req *wb_lookupuseraliases_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_domain *domain,
+ uint32_t num_sids,
+ const struct dom_sid *sids)
+{
+ struct tevent_req *req, *subreq;
+ struct wb_lookupuseraliases_state *state;
+ uint32_t i;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct wb_lookupuseraliases_state);
+ if (req == NULL) {
+ return NULL;
+ }
+
+ D_INFO("WB command lookupuseraliases start.\n"
+ "Query domain %s for max %"PRIu32" SID(s).\n",
+ domain->name, num_sids);
+
+ for (i = 0; i < num_sids; i++) {
+ struct dom_sid_buf buf;
+ D_INFO("%"PRIu32": SID %s\n", i, dom_sid_str_buf(&sids[i], &buf));
+ }
+ state->sids.num_sids = num_sids;
+ state->sids.sids = discard_const_p(struct dom_sid, sids);
+
+ subreq = dcerpc_wbint_LookupUserAliases_send(
+ state, ev, dom_child_handle(domain), &state->sids, &state->rids);
+ if (tevent_req_nomem(subreq, req)) {
+ return tevent_req_post(req, ev);
+ }
+ tevent_req_set_callback(subreq, wb_lookupuseraliases_done, req);
+ return req;
+}
+
+static void wb_lookupuseraliases_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct wb_lookupuseraliases_state *state = tevent_req_data(
+ req, struct wb_lookupuseraliases_state);
+ NTSTATUS status, result;
+
+ status = dcerpc_wbint_LookupUserAliases_recv(subreq, state, &result);
+ TALLOC_FREE(subreq);
+ if (any_nt_status_not_ok(status, result, &status)) {
+ D_WARNING("LookupUserAliases failed with %s.\n",
+ nt_errstr(status));
+ tevent_req_nterror(req, status);
+ return;
+ }
+ tevent_req_done(req);
+}
+
+NTSTATUS wb_lookupuseraliases_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
+ uint32_t *num_aliases, uint32_t **aliases)
+{
+ struct wb_lookupuseraliases_state *state = tevent_req_data(
+ req, struct wb_lookupuseraliases_state);
+ NTSTATUS status;
+ uint32_t i;
+
+ if (tevent_req_is_nterror(req, &status)) {
+ return status;
+ }
+ *num_aliases = state->rids.num_rids;
+ D_INFO("WB command lookupuseraliases end.\nGot %"PRIu32" alias(es):\n",
+ *num_aliases);
+ for (i = 0; i < *num_aliases; i++) {
+ D_INFO("%"PRIu32": RID %"PRIu32"\n", i, state->rids.rids[i]);
+ }
+
+ *aliases = talloc_move(mem_ctx, &state->rids.rids);
+ return NT_STATUS_OK;
+}
diff --git a/source3/winbindd/wb_lookupusergroups.c b/source3/winbindd/wb_lookupusergroups.c
new file mode 100644
index 0000000..7f359ee
--- /dev/null
+++ b/source3/winbindd/wb_lookupusergroups.c
@@ -0,0 +1,120 @@
+/*
+ Unix SMB/CIFS implementation.
+ async lookupusergroups
+ Copyright (C) Volker Lendecke 2009
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "winbindd.h"
+#include "librpc/gen_ndr/ndr_winbind_c.h"
+#include "../libcli/security/security.h"
+
+struct wb_lookupusergroups_state {
+ struct tevent_context *ev;
+ struct dom_sid sid;
+ struct wbint_SidArray sids;
+};
+
+static void wb_lookupusergroups_done(struct tevent_req *subreq);
+
+struct tevent_req *wb_lookupusergroups_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ const struct dom_sid *sid)
+{
+ struct tevent_req *req, *subreq;
+ struct wb_lookupusergroups_state *state;
+ struct winbindd_domain *domain;
+ NTSTATUS status;
+ struct dom_sid_buf buf;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct wb_lookupusergroups_state);
+ if (req == NULL) {
+ return NULL;
+ }
+ D_INFO("WB command lookupusergroups start.\nLooking up SID %s.\n",
+ dom_sid_str_buf(sid, &buf));
+ sid_copy(&state->sid, sid);
+
+ status = lookup_usergroups_cached(state,
+ &state->sid,
+ &state->sids.num_sids,
+ &state->sids.sids);
+ if (NT_STATUS_IS_OK(status)) {
+ tevent_req_done(req);
+ return tevent_req_post(req, ev);
+ }
+
+ domain = find_domain_from_sid_noinit(&state->sid);
+ if (domain == NULL) {
+ DBG_WARNING("could not find domain entry for sid %s\n",
+ dom_sid_str_buf(&state->sid, &buf));
+ tevent_req_nterror(req, NT_STATUS_NO_SUCH_DOMAIN);
+ return tevent_req_post(req, ev);
+ }
+
+ subreq = dcerpc_wbint_LookupUserGroups_send(
+ state, ev, dom_child_handle(domain), &state->sid, &state->sids);
+ if (tevent_req_nomem(subreq, req)) {
+ return tevent_req_post(req, ev);
+ }
+ tevent_req_set_callback(subreq, wb_lookupusergroups_done, req);
+ return req;
+}
+
+static void wb_lookupusergroups_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct wb_lookupusergroups_state *state = tevent_req_data(
+ req, struct wb_lookupusergroups_state);
+ NTSTATUS status, result;
+
+ status = dcerpc_wbint_LookupUserGroups_recv(subreq, state, &result);
+ TALLOC_FREE(subreq);
+ if (any_nt_status_not_ok(status, result, &status)) {
+ D_WARNING("Failed with %s.\n", nt_errstr(status));
+ tevent_req_nterror(req, status);
+ return;
+ }
+ tevent_req_done(req);
+}
+
+NTSTATUS wb_lookupusergroups_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
+ uint32_t *num_sids, struct dom_sid **sids)
+{
+ struct wb_lookupusergroups_state *state = tevent_req_data(
+ req, struct wb_lookupusergroups_state);
+ NTSTATUS status;
+ uint32_t i;
+
+ if (tevent_req_is_nterror(req, &status)) {
+ return status;
+ }
+ *num_sids = state->sids.num_sids;
+ *sids = talloc_move(mem_ctx, &state->sids.sids);
+
+ D_INFO("WB command lookupusergroups end.\nReceived %"PRIu32" SID(s).\n",
+ *num_sids);
+ if (CHECK_DEBUGLVL(DBGLVL_INFO)) {
+ for (i = 0; i < *num_sids; i++) {
+ struct dom_sid_buf buf;
+ D_INFO("%"PRIu32": %s\n",
+ i, dom_sid_str_buf(&(*sids)[i], &buf));
+ }
+ }
+ return NT_STATUS_OK;
+}
diff --git a/source3/winbindd/wb_next_grent.c b/source3/winbindd/wb_next_grent.c
new file mode 100644
index 0000000..5c2d447
--- /dev/null
+++ b/source3/winbindd/wb_next_grent.c
@@ -0,0 +1,169 @@
+/*
+ Unix SMB/CIFS implementation.
+ async next_grent
+ Copyright (C) Volker Lendecke 2009
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "winbindd.h"
+#include "librpc/gen_ndr/ndr_winbind_c.h"
+#include "passdb/machine_sid.h"
+
+struct wb_next_grent_state {
+ struct tevent_context *ev;
+ int max_nesting;
+ struct getgrent_state *gstate;
+ struct winbindd_gr *gr;
+ struct db_context *members;
+};
+
+static void wb_next_grent_fetch_done(struct tevent_req *subreq);
+static void wb_next_grent_getgrsid_done(struct tevent_req *subreq);
+
+static void wb_next_grent_send_do(struct tevent_req *req,
+ struct wb_next_grent_state *state)
+{
+ struct tevent_req *subreq;
+
+ if (state->gstate->next_group >= state->gstate->num_groups) {
+ TALLOC_FREE(state->gstate->groups);
+
+ state->gstate->domain = wb_next_domain(state->gstate->domain);
+ if (state->gstate->domain == NULL) {
+ tevent_req_nterror(req, NT_STATUS_NO_MORE_ENTRIES);
+ return;
+ }
+
+ subreq = wb_query_group_list_send(state, state->ev,
+ state->gstate->domain);
+ if (tevent_req_nomem(subreq, req)) {
+ return;
+ }
+ tevent_req_set_callback(subreq, wb_next_grent_fetch_done, req);
+ return;
+ }
+
+ subreq = wb_getgrsid_send(
+ state, state->ev,
+ &state->gstate->groups[state->gstate->next_group].sid,
+ state->max_nesting);
+ if (tevent_req_nomem(subreq, req)) {
+ return;
+ }
+ tevent_req_set_callback(subreq, wb_next_grent_getgrsid_done, req);
+}
+
+struct tevent_req *wb_next_grent_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ int max_nesting,
+ struct getgrent_state *gstate,
+ struct winbindd_gr *gr)
+{
+ struct tevent_req *req;
+ struct wb_next_grent_state *state;
+
+ req = tevent_req_create(mem_ctx, &state, struct wb_next_grent_state);
+ if (req == NULL) {
+ return NULL;
+ }
+
+ D_INFO("WB command next_grent start.\n");
+
+ state->ev = ev;
+ state->gstate = gstate;
+ state->gr = gr;
+ state->max_nesting = max_nesting;
+
+ wb_next_grent_send_do(req, state);
+ if (!tevent_req_is_in_progress(req)) {
+ return tevent_req_post(req, ev);
+ }
+
+ return req;
+}
+
+static void wb_next_grent_fetch_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct wb_next_grent_state *state = tevent_req_data(
+ req, struct wb_next_grent_state);
+ NTSTATUS status;
+
+ status = wb_query_group_list_recv(subreq, state->gstate,
+ &state->gstate->num_groups,
+ &state->gstate->groups);
+ TALLOC_FREE(subreq);
+ if (!NT_STATUS_IS_OK(status)) {
+ /* Ignore errors here, just log it */
+ D_DEBUG("query_group_list for domain %s returned %s\n",
+ state->gstate->domain->name, nt_errstr(status));
+ state->gstate->num_groups = 0;
+ }
+
+ state->gstate->next_group = 0;
+
+ wb_next_grent_send_do(req, state);
+}
+
+static void wb_next_grent_getgrsid_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct wb_next_grent_state *state = tevent_req_data(
+ req, struct wb_next_grent_state);
+ const char *domname, *name;
+ NTSTATUS status;
+
+ status = wb_getgrsid_recv(subreq, talloc_tos(), &domname, &name,
+ &state->gr->gr_gid, &state->members);
+ TALLOC_FREE(subreq);
+
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)) {
+ state->gstate->next_group += 1;
+
+ wb_next_grent_send_do(req, state);
+
+ return;
+ } else if (tevent_req_nterror(req, status)) {
+ return;
+ }
+
+ if (!fill_grent(talloc_tos(), state->gr, domname, name,
+ state->gr->gr_gid)) {
+ D_WARNING("fill_grent failed\n");
+ tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
+ return;
+ }
+ state->gstate->next_group += 1;
+ tevent_req_done(req);
+}
+
+NTSTATUS wb_next_grent_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
+ struct db_context **members)
+{
+ struct wb_next_grent_state *state = tevent_req_data(
+ req, struct wb_next_grent_state);
+ NTSTATUS status;
+
+ D_INFO("WB command next_grent end.\n");
+ if (tevent_req_is_nterror(req, &status)) {
+ D_WARNING("Failed with %s.\n", nt_errstr(status));
+ return status;
+ }
+ *members = talloc_move(mem_ctx, &state->members);
+ return NT_STATUS_OK;
+}
diff --git a/source3/winbindd/wb_next_pwent.c b/source3/winbindd/wb_next_pwent.c
new file mode 100644
index 0000000..f000c64
--- /dev/null
+++ b/source3/winbindd/wb_next_pwent.c
@@ -0,0 +1,162 @@
+/*
+ Unix SMB/CIFS implementation.
+ async next_pwent
+ Copyright (C) Volker Lendecke 2009
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "winbindd.h"
+#include "librpc/gen_ndr/ndr_winbind_c.h"
+#include "libcli/security/dom_sid.h"
+#include "passdb/machine_sid.h"
+
+struct wb_next_pwent_state {
+ struct tevent_context *ev;
+ struct getpwent_state *gstate;
+ struct dom_sid next_sid;
+ struct winbindd_pw *pw;
+};
+
+static void wb_next_pwent_fetch_done(struct tevent_req *subreq);
+static void wb_next_pwent_fill_done(struct tevent_req *subreq);
+
+static void wb_next_pwent_send_do(struct tevent_req *req,
+ struct wb_next_pwent_state *state)
+{
+ struct tevent_req *subreq;
+ struct dom_sid_buf buf, buf1;
+
+ if (state->gstate->next_user >= state->gstate->rids.num_rids) {
+ TALLOC_FREE(state->gstate->rids.rids);
+ state->gstate->rids.num_rids = 0;
+
+ state->gstate->domain = wb_next_domain(state->gstate->domain);
+ if (state->gstate->domain == NULL) {
+ tevent_req_nterror(req, NT_STATUS_NO_MORE_ENTRIES);
+ return;
+ }
+
+ D_DEBUG("Query user RID list for domain %s.\n",
+ state->gstate->domain->name);
+ subreq = dcerpc_wbint_QueryUserRidList_send(
+ state, state->ev,
+ dom_child_handle(state->gstate->domain),
+ &state->gstate->rids);
+ if (tevent_req_nomem(subreq, req)) {
+ return;
+ }
+
+ tevent_req_set_callback(subreq, wb_next_pwent_fetch_done, req);
+ return;
+ }
+
+ sid_compose(&state->next_sid, &state->gstate->domain->sid,
+ state->gstate->rids.rids[state->gstate->next_user]);
+
+ D_DEBUG("Get pw for SID %s composed from domain SID %s and RID %"PRIu32".\n",
+ dom_sid_str_buf(&state->next_sid, &buf),
+ dom_sid_str_buf(&state->gstate->domain->sid, &buf1),
+ state->gstate->rids.rids[state->gstate->next_user]);
+ subreq = wb_getpwsid_send(state, state->ev, &state->next_sid,
+ state->pw);
+ if (tevent_req_nomem(subreq, req)) {
+ return;
+ }
+
+ tevent_req_set_callback(subreq, wb_next_pwent_fill_done, req);
+}
+
+struct tevent_req *wb_next_pwent_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct getpwent_state *gstate,
+ struct winbindd_pw *pw)
+{
+ struct tevent_req *req;
+ struct wb_next_pwent_state *state;
+
+ req = tevent_req_create(mem_ctx, &state, struct wb_next_pwent_state);
+ if (req == NULL) {
+ return NULL;
+ }
+ D_INFO("WB command next_pwent start.\n");
+ state->ev = ev;
+ state->gstate = gstate;
+ state->pw = pw;
+
+ wb_next_pwent_send_do(req, state);
+ if (!tevent_req_is_in_progress(req)) {
+ return tevent_req_post(req, ev);
+ }
+
+ return req;
+}
+
+static void wb_next_pwent_fetch_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct wb_next_pwent_state *state = tevent_req_data(
+ req, struct wb_next_pwent_state);
+ NTSTATUS status, result;
+
+ status = dcerpc_wbint_QueryUserRidList_recv(subreq, state->gstate,
+ &result);
+ TALLOC_FREE(subreq);
+ if (any_nt_status_not_ok(status, result, &status)) {
+ /* Ignore errors here, just log it */
+ D_DEBUG("query_user_list for domain %s returned %s\n",
+ state->gstate->domain->name,
+ nt_errstr(status));
+ state->gstate->rids.num_rids = 0;
+ }
+
+ state->gstate->next_user = 0;
+
+ wb_next_pwent_send_do(req, state);
+}
+
+static void wb_next_pwent_fill_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct wb_next_pwent_state *state = tevent_req_data(
+ req, struct wb_next_pwent_state);
+ NTSTATUS status;
+
+ status = wb_getpwsid_recv(subreq);
+ TALLOC_FREE(subreq);
+ /*
+ * When you try to enumerate users with 'getent passwd' and the user
+ * doesn't have a uid set we should just move on.
+ */
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
+ state->gstate->next_user += 1;
+
+ wb_next_pwent_send_do(req, state);
+
+ return;
+ } else if (tevent_req_nterror(req, status)) {
+ return;
+ }
+ state->gstate->next_user += 1;
+ tevent_req_done(req);
+}
+
+NTSTATUS wb_next_pwent_recv(struct tevent_req *req)
+{
+ D_INFO("WB command next_pwent end.\n");
+ return tevent_req_simple_recv_ntstatus(req);
+}
diff --git a/source3/winbindd/wb_query_group_list.c b/source3/winbindd/wb_query_group_list.c
new file mode 100644
index 0000000..a71e162
--- /dev/null
+++ b/source3/winbindd/wb_query_group_list.c
@@ -0,0 +1,94 @@
+/*
+ Unix SMB/CIFS implementation.
+ async query_group_list
+ Copyright (C) Volker Lendecke 2009
+ Copyright (C) Michael Adam 2015
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "winbindd.h"
+#include "librpc/gen_ndr/ndr_winbind_c.h"
+
+
+struct wb_query_group_list_state {
+ struct wbint_Principals groups;
+};
+
+static void wb_query_group_list_done(struct tevent_req *subreq);
+
+struct tevent_req *wb_query_group_list_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_domain *domain)
+{
+ struct tevent_req *req, *subreq;
+ struct wb_query_group_list_state *state;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct wb_query_group_list_state);
+ if (req == NULL) {
+ return NULL;
+ }
+
+ D_INFO("WB command group_list start.\nQuery domain %s\n", domain->name);
+ subreq = dcerpc_wbint_QueryGroupList_send(state, ev,
+ dom_child_handle(domain),
+ &state->groups);
+ if (tevent_req_nomem(subreq, req)) {
+ return tevent_req_post(req, ev);
+ }
+
+ tevent_req_set_callback(subreq, wb_query_group_list_done, req);
+ return req;
+}
+
+static void wb_query_group_list_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct wb_query_group_list_state *state = tevent_req_data(
+ req, struct wb_query_group_list_state);
+ NTSTATUS status, result;
+
+ status = dcerpc_wbint_QueryGroupList_recv(subreq, state, &result);
+ TALLOC_FREE(subreq);
+ if (any_nt_status_not_ok(status, result, &status)) {
+ tevent_req_nterror(req, status);
+ return;
+ }
+
+ tevent_req_done(req);
+}
+
+NTSTATUS wb_query_group_list_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
+ uint32_t *num_groups,
+ struct wbint_Principal **groups)
+{
+ struct wb_query_group_list_state *state = tevent_req_data(
+ req, struct wb_query_group_list_state);
+ NTSTATUS status;
+
+ if (tevent_req_is_nterror(req, &status)) {
+ D_WARNING("Failed with: %s\n", nt_errstr(status));
+ return status;
+ }
+
+ *num_groups = state->groups.num_principals;
+ *groups = talloc_move(mem_ctx, &state->groups.principals);
+
+ D_INFO("WB command group_list end.\n"
+ "Returning %"PRIu32" group(s).\n", *num_groups);
+ return NT_STATUS_OK;
+}
diff --git a/source3/winbindd/wb_query_user_list.c b/source3/winbindd/wb_query_user_list.c
new file mode 100644
index 0000000..451ac6b
--- /dev/null
+++ b/source3/winbindd/wb_query_user_list.c
@@ -0,0 +1,146 @@
+/*
+ Unix SMB/CIFS implementation.
+ async query_user_list
+ Copyright (C) Volker Lendecke 2009
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "winbindd.h"
+#include "librpc/gen_ndr/ndr_winbind_c.h"
+#include "lib/util/strv.h"
+
+struct wb_query_user_list_state {
+ struct tevent_context *ev;
+ struct winbindd_domain *domain;
+ struct wbint_RidArray rids;
+ const char *domain_name;
+ struct wbint_Principals names;
+ char *users;
+};
+
+static void wb_query_user_list_gotrids(struct tevent_req *subreq);
+static void wb_query_user_list_done(struct tevent_req *subreq);
+
+struct tevent_req *wb_query_user_list_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_domain *domain)
+{
+ struct tevent_req *req, *subreq;
+ struct wb_query_user_list_state *state;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct wb_query_user_list_state);
+ if (req == NULL) {
+ return NULL;
+ }
+
+ D_INFO("WB command user_list start.\nQuery users in domain %s.\n",
+ domain->name);
+ state->ev = ev;
+ state->domain = domain;
+
+ subreq = dcerpc_wbint_QueryUserRidList_send(
+ state, ev, dom_child_handle(domain), &state->rids);
+ if (tevent_req_nomem(subreq, req)) {
+ return tevent_req_post(req, ev);
+ }
+ tevent_req_set_callback(subreq, wb_query_user_list_gotrids, req);
+ return req;
+}
+
+static void wb_query_user_list_gotrids(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct wb_query_user_list_state *state = tevent_req_data(
+ req, struct wb_query_user_list_state);
+ NTSTATUS status, result;
+
+ status = dcerpc_wbint_QueryUserRidList_recv(subreq, state, &result);
+ TALLOC_FREE(subreq);
+ if (any_nt_status_not_ok(status, result, &status)) {
+ tevent_req_nterror(req, status);
+ return;
+ }
+
+ D_DEBUG("dcerpc_wbint_QueryUserList returned %"PRIu32" users\n",
+ state->rids.num_rids);
+
+ subreq = dcerpc_wbint_LookupRids_send(
+ state, state->ev, dom_child_handle(state->domain),
+ &state->domain->sid, &state->rids,
+ &state->domain_name, &state->names);
+ if (tevent_req_nomem(subreq, req)) {
+ return;
+ }
+ tevent_req_set_callback(subreq, wb_query_user_list_done, req);
+}
+
+static void wb_query_user_list_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct wb_query_user_list_state *state = tevent_req_data(
+ req, struct wb_query_user_list_state);
+ NTSTATUS status, result;
+ uint32_t i;
+
+ status = dcerpc_wbint_LookupRids_recv(subreq, state, &result);
+ TALLOC_FREE(subreq);
+ if (any_nt_status_not_ok(status, result, &status)) {
+ tevent_req_nterror(req, status);
+ return;
+ }
+ D_DEBUG("Processing %"PRIu32" principal(s).\n",
+ state->names.num_principals);
+ for (i=0; i<state->names.num_principals; i++) {
+ struct wbint_Principal *p = &state->names.principals[i];
+ const char *name;
+ int ret;
+
+ name = fill_domain_username_talloc(state, state->domain_name, p->name, true);
+ if (name == NULL) {
+ tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
+ return;
+ }
+ ret = strv_add(state, &state->users, name);
+ if (ret != 0) {
+ tevent_req_nterror(req, map_nt_error_from_unix(ret));
+ return;
+ }
+ D_DEBUG("%"PRIu32": Adding user %s\n", i, name);
+ }
+
+ tevent_req_done(req);
+}
+
+NTSTATUS wb_query_user_list_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
+ char **users)
+{
+ struct wb_query_user_list_state *state = tevent_req_data(
+ req, struct wb_query_user_list_state);
+ NTSTATUS status;
+
+ D_INFO("WB command user_list end.\n");
+ if (tevent_req_is_nterror(req, &status)) {
+ D_WARNING("Failed with: %s\n", nt_errstr(status));
+ return status;
+ }
+
+ *users = talloc_move(mem_ctx, &state->users);
+
+ return NT_STATUS_OK;
+}
diff --git a/source3/winbindd/wb_queryuser.c b/source3/winbindd/wb_queryuser.c
new file mode 100644
index 0000000..c079cbc
--- /dev/null
+++ b/source3/winbindd/wb_queryuser.c
@@ -0,0 +1,473 @@
+/*
+ Unix SMB/CIFS implementation.
+ async queryuser
+ Copyright (C) Volker Lendecke 2009
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "util/debug.h"
+#include "winbindd.h"
+#include "librpc/gen_ndr/ndr_winbind_c.h"
+#include "../libcli/security/security.h"
+#include "libsmb/samlogon_cache.h"
+#include "librpc/gen_ndr/ndr_winbind.h"
+
+struct wb_queryuser_state {
+ struct tevent_context *ev;
+ struct wbint_userinfo *info;
+ const struct wb_parent_idmap_config *idmap_cfg;
+ bool tried_dclookup;
+};
+
+static void wb_queryuser_idmap_setup_done(struct tevent_req *subreq);
+static void wb_queryuser_got_uid(struct tevent_req *subreq);
+static void wb_queryuser_got_domain(struct tevent_req *subreq);
+static void wb_queryuser_got_dc(struct tevent_req *subreq);
+static void wb_queryuser_got_gid(struct tevent_req *subreq);
+static void wb_queryuser_got_group_name(struct tevent_req *subreq);
+static void wb_queryuser_done(struct tevent_req *subreq);
+
+struct tevent_req *wb_queryuser_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ const struct dom_sid *user_sid)
+{
+ struct tevent_req *req, *subreq;
+ struct wb_queryuser_state *state;
+ struct wbint_userinfo *info;
+ struct dom_sid_buf buf;
+
+ req = tevent_req_create(mem_ctx, &state, struct wb_queryuser_state);
+ if (req == NULL) {
+ return NULL;
+ }
+ D_INFO("WB command queryuser start.\nQuery user sid %s\n",
+ dom_sid_str_buf(user_sid, &buf));
+ state->ev = ev;
+
+ state->info = talloc_zero(state, struct wbint_userinfo);
+ if (tevent_req_nomem(state->info, req)) {
+ return tevent_req_post(req, ev);
+ }
+ info = state->info;
+
+ info->primary_gid = (gid_t)-1;
+
+ sid_copy(&info->user_sid, user_sid);
+
+ subreq = wb_parent_idmap_setup_send(state, state->ev);
+ if (tevent_req_nomem(subreq, req)) {
+ return tevent_req_post(req, ev);
+ }
+ tevent_req_set_callback(subreq, wb_queryuser_idmap_setup_done, req);
+ return req;
+}
+
+static void wb_queryuser_idmap_setup_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct wb_queryuser_state *state = tevent_req_data(
+ req, struct wb_queryuser_state);
+ NTSTATUS status;
+ struct dom_sid_buf buf;
+
+ status = wb_parent_idmap_setup_recv(subreq, &state->idmap_cfg);
+ TALLOC_FREE(subreq);
+ if (tevent_req_nterror(req, status)) {
+ D_WARNING("wb_parent_idmap_setup_recv() failed with %s.\n",
+ nt_errstr(status));
+ return;
+ }
+
+ D_DEBUG("Convert the user SID %s to XID.\n",
+ dom_sid_str_buf(&state->info->user_sid, &buf));
+ subreq = wb_sids2xids_send(
+ state, state->ev, &state->info->user_sid, 1);
+ if (tevent_req_nomem(subreq, req)) {
+ return;
+ }
+ tevent_req_set_callback(subreq, wb_queryuser_got_uid, req);
+ return;
+}
+
+static void wb_queryuser_got_uid(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct wb_queryuser_state *state = tevent_req_data(
+ req, struct wb_queryuser_state);
+ struct wbint_userinfo *info = state->info;
+ struct netr_SamInfo3 *info3;
+ struct dcerpc_binding_handle *child_binding_handle = NULL;
+ struct unixid xid;
+ NTSTATUS status;
+ struct dom_sid_buf buf, buf1;
+
+ status = wb_sids2xids_recv(subreq, &xid, 1);
+ TALLOC_FREE(subreq);
+ if (tevent_req_nterror(req, status)) {
+ D_WARNING("wb_sids2xids_recv() failed with %s.\n",
+ nt_errstr(status));
+ return;
+ }
+
+ if ((xid.type != ID_TYPE_UID) && (xid.type != ID_TYPE_BOTH)) {
+ D_WARNING("XID type is %d, should be ID_TYPE_UID or ID_TYPE_BOTH.\n",
+ xid.type);
+ tevent_req_nterror(req, NT_STATUS_NO_SUCH_USER);
+ return;
+ }
+
+ D_DEBUG("Received XID %"PRIu32" for SID %s.\n",
+ xid.id,
+ dom_sid_str_buf(&info->user_sid, &buf1));
+ info->uid = xid.id;
+
+ /*
+ * Default the group sid to "Domain Users" in the user's
+ * domain. The samlogon cache or the query_user call later on
+ * can override this.
+ */
+ sid_copy(&info->group_sid, &info->user_sid);
+ sid_split_rid(&info->group_sid, NULL);
+ sid_append_rid(&info->group_sid, DOMAIN_RID_USERS);
+
+ D_DEBUG("Preconfigured 'Domain Users' RID %u was used to create group SID %s from user SID %s.\n",
+ DOMAIN_RID_USERS,
+ dom_sid_str_buf(&info->group_sid, &buf),
+ dom_sid_str_buf(&info->user_sid, &buf1));
+
+ info->homedir = talloc_strdup(info, lp_template_homedir());
+ D_DEBUG("Setting 'homedir' to the template '%s'.\n", info->homedir);
+ if (tevent_req_nomem(info->homedir, req)) {
+ return;
+ }
+
+ info->shell = talloc_strdup(info, lp_template_shell());
+ D_DEBUG("Setting 'shell' to the template '%s'.\n", info->shell);
+ if (tevent_req_nomem(info->shell, req)) {
+ return;
+ }
+
+ info3 = netsamlogon_cache_get(state, &info->user_sid);
+ if (info3 != NULL) {
+ D_DEBUG("Filling data received from netsamlogon_cache\n");
+ sid_compose(&info->group_sid, info3->base.domain_sid,
+ info3->base.primary_gid);
+ info->acct_name = talloc_move(
+ info, &info3->base.account_name.string);
+ info->full_name = talloc_move(
+ info, &info3->base.full_name.string);
+
+ info->domain_name = talloc_move(
+ state, &info3->base.logon_domain.string);
+
+ TALLOC_FREE(info3);
+ }
+
+ NDR_PRINT_DEBUG_LEVEL(DBGLVL_DEBUG, wbint_userinfo, state->info);
+ if (info->domain_name == NULL) {
+ D_DEBUG("Domain name is empty, calling wb_lookupsid_send() to get it.\n");
+ subreq = wb_lookupsid_send(state, state->ev, &info->user_sid);
+ if (tevent_req_nomem(subreq, req)) {
+ return;
+ }
+ tevent_req_set_callback(subreq, wb_queryuser_got_domain, req);
+ return;
+ }
+
+ /*
+ * Note wb_sids2xids_send/recv was called before,
+ * so we're sure that wb_parent_idmap_setup_send/recv
+ * was already called.
+ */
+ child_binding_handle = idmap_child_handle();
+ D_DEBUG("Domain name is set, calling dcerpc_wbint_GetNssInfo_send()\n");
+ subreq = dcerpc_wbint_GetNssInfo_send(
+ state, state->ev, child_binding_handle, info);
+ if (tevent_req_nomem(subreq, req)) {
+ return;
+ }
+ tevent_req_set_callback(subreq, wb_queryuser_done, req);
+}
+
+static void wb_queryuser_got_domain(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct wb_queryuser_state *state = tevent_req_data(
+ req, struct wb_queryuser_state);
+ struct wbint_userinfo *info = state->info;
+ enum lsa_SidType type;
+ struct dcerpc_binding_handle *child_binding_handle = NULL;
+ NTSTATUS status;
+
+ status = wb_lookupsid_recv(subreq, state, &type,
+ &info->domain_name, &info->acct_name);
+ TALLOC_FREE(subreq);
+ if (tevent_req_nterror(req, status)) {
+ D_WARNING("wb_lookupsid_recv failed with %s.\n",
+ nt_errstr(status));
+ return;
+ }
+
+ NDR_PRINT_DEBUG_LEVEL(DBGLVL_DEBUG, wbint_userinfo, state->info);
+ switch (type) {
+ case SID_NAME_USER:
+ case SID_NAME_COMPUTER:
+ /*
+ * user case: we only need the account name from lookup_sids
+ */
+ break;
+ case SID_NAME_DOM_GRP:
+ case SID_NAME_ALIAS:
+ case SID_NAME_WKN_GRP:
+ /*
+ * also treat group-type SIDs (they might map to ID_TYPE_BOTH)
+ */
+ sid_copy(&info->group_sid, &info->user_sid);
+ break;
+ default:
+ D_WARNING("Unknown type:%d, return NT_STATUS_NO_SUCH_USER.\n",
+ type);
+ tevent_req_nterror(req, NT_STATUS_NO_SUCH_USER);
+ return;
+ }
+
+ /*
+ * Note wb_sids2xids_send/recv was called before,
+ * so we're sure that wb_parent_idmap_setup_send/recv
+ * was already called.
+ */
+ child_binding_handle = idmap_child_handle();
+ D_DEBUG("About to call dcerpc_wbint_GetNssInfo_send()\n");
+ subreq = dcerpc_wbint_GetNssInfo_send(
+ state, state->ev, child_binding_handle, info);
+ if (tevent_req_nomem(subreq, req)) {
+ return;
+ }
+ tevent_req_set_callback(subreq, wb_queryuser_done, req);
+}
+
+static void wb_queryuser_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct wb_queryuser_state *state = tevent_req_data(
+ req, struct wb_queryuser_state);
+ struct wbint_userinfo *info = state->info;
+ NTSTATUS status, result;
+ bool need_group_name = false;
+ const char *tmpl = NULL;
+
+ status = dcerpc_wbint_GetNssInfo_recv(subreq, info, &result);
+ TALLOC_FREE(subreq);
+ if (tevent_req_nterror(req, status)) {
+ D_WARNING("GetNssInfo failed with %s.\n", nt_errstr(status));
+ return;
+ }
+
+ if (NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) &&
+ !state->tried_dclookup) {
+ D_DEBUG("GetNssInfo got DOMAIN_CONTROLLER_NOT_FOUND, calling wb_dsgetdcname_send()\n");
+ subreq = wb_dsgetdcname_send(
+ state, state->ev, state->info->domain_name, NULL, NULL,
+ DS_RETURN_DNS_NAME);
+ if (tevent_req_nomem(subreq, req)) {
+ return;
+ }
+ tevent_req_set_callback(subreq, wb_queryuser_got_dc, req);
+ return;
+ }
+
+ /*
+ * Ignore failure in "result" here. We'll try to fill in stuff
+ * that misses further down.
+ */
+
+ if (state->info->primary_gid == (gid_t)-1) {
+ D_DEBUG("Calling wb_sids2xids_send() to resolve primary gid.\n");
+ subreq = wb_sids2xids_send(
+ state, state->ev, &info->group_sid, 1);
+ if (tevent_req_nomem(subreq, req)) {
+ return;
+ }
+ tevent_req_set_callback(subreq, wb_queryuser_got_gid, req);
+ return;
+ }
+
+ tmpl = lp_template_homedir();
+ if(strstr_m(tmpl, "%g") || strstr_m(tmpl, "%G")) {
+ need_group_name = true;
+ }
+ tmpl = lp_template_shell();
+ if(strstr_m(tmpl, "%g") || strstr_m(tmpl, "%G")) {
+ need_group_name = true;
+ }
+
+ if (need_group_name && state->info->primary_group_name == NULL) {
+ D_DEBUG("Calling wb_lookupsid_send() to resolve primary group name.\n");
+ subreq = wb_lookupsid_send(state, state->ev, &info->group_sid);
+ if (tevent_req_nomem(subreq, req)) {
+ return;
+ }
+ tevent_req_set_callback(subreq, wb_queryuser_got_group_name,
+ req);
+ return;
+ }
+
+ NDR_PRINT_DEBUG_LEVEL(DBGLVL_DEBUG, wbint_userinfo, state->info);
+ tevent_req_done(req);
+}
+
+static void wb_queryuser_got_dc(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct wb_queryuser_state *state = tevent_req_data(
+ req, struct wb_queryuser_state);
+ struct wbint_userinfo *info = state->info;
+ struct netr_DsRGetDCNameInfo *dcinfo;
+ struct dcerpc_binding_handle *child_binding_handle = NULL;
+ NTSTATUS status;
+
+ status = wb_dsgetdcname_recv(subreq, state, &dcinfo);
+ TALLOC_FREE(subreq);
+ if (tevent_req_nterror(req, status)) {
+ D_WARNING("wb_dsgetdcname_recv() failed with %s.\n",
+ nt_errstr(status));
+ return;
+ }
+
+ state->tried_dclookup = true;
+
+ D_DEBUG("Got DC name, calling wb_dsgetdcname_gencache_set().\n");
+ status = wb_dsgetdcname_gencache_set(info->domain_name, dcinfo);
+ if (tevent_req_nterror(req, status)) {
+ D_WARNING("wb_dsgetdcname_gencache_set() failed with %s.\n",
+ nt_errstr(status));
+ return;
+ }
+ NDR_PRINT_DEBUG_LEVEL(DBGLVL_DEBUG, wbint_userinfo, state->info);
+
+ /*
+ * Note wb_sids2xids_send/recv was called before,
+ * so we're sure that wb_parent_idmap_setup_send/recv
+ * was already called.
+ */
+ child_binding_handle = idmap_child_handle();
+ subreq = dcerpc_wbint_GetNssInfo_send(
+ state, state->ev, child_binding_handle, info);
+ if (tevent_req_nomem(subreq, req)) {
+ return;
+ }
+ tevent_req_set_callback(subreq, wb_queryuser_done, req);
+}
+
+static void wb_queryuser_got_gid(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct wb_queryuser_state *state = tevent_req_data(
+ req, struct wb_queryuser_state);
+ struct unixid xid;
+ NTSTATUS status;
+ bool need_group_name = false;
+ const char *tmpl = NULL;
+ struct dom_sid_buf buf;
+
+ status = wb_sids2xids_recv(subreq, &xid, 1);
+ TALLOC_FREE(subreq);
+ if (tevent_req_nterror(req, status)) {
+ D_WARNING("wb_sids2xids_recv() failed with %s.\n",
+ nt_errstr(status));
+ return;
+ }
+
+ D_DEBUG("Got XID %"PRIu32" with type %d.\n", xid.id, xid.type);
+ if ((xid.type != ID_TYPE_GID) && (xid.type != ID_TYPE_BOTH)) {
+ D_WARNING("Returning NT_STATUS_NO_SUCH_USER\n"
+ "xid.type must be ID_TYPE_UID or ID_TYPE_BOTH.\n");
+ tevent_req_nterror(req, NT_STATUS_NO_SUCH_USER);
+ return;
+ }
+
+ state->info->primary_gid = xid.id;
+
+ tmpl = lp_template_homedir();
+ if(strstr_m(tmpl, "%g") || strstr_m(tmpl, "%G")) {
+ need_group_name = true;
+ }
+ tmpl = lp_template_shell();
+ if(strstr_m(tmpl, "%g") || strstr_m(tmpl, "%G")) {
+ need_group_name = true;
+ }
+
+ NDR_PRINT_DEBUG_LEVEL(DBGLVL_DEBUG, wbint_userinfo, state->info);
+
+ if (need_group_name && state->info->primary_group_name == NULL) {
+ D_DEBUG("Calling wb_lookupsid_send for group SID %s.\n",
+ dom_sid_str_buf(&state->info->group_sid, &buf));
+ subreq = wb_lookupsid_send(state, state->ev,
+ &state->info->group_sid);
+ if (tevent_req_nomem(subreq, req)) {
+ return;
+ }
+ tevent_req_set_callback(subreq, wb_queryuser_got_group_name,
+ req);
+ return;
+ }
+
+ D_DEBUG("No need to lookup primary group name. Request is done!\n");
+ tevent_req_done(req);
+}
+
+static void wb_queryuser_got_group_name(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct wb_queryuser_state *state = tevent_req_data(
+ req, struct wb_queryuser_state);
+ enum lsa_SidType type;
+ NTSTATUS status;
+ const char *domain_name;
+
+ status = wb_lookupsid_recv(subreq, state->info, &type, &domain_name,
+ &state->info->primary_group_name);
+ TALLOC_FREE(subreq);
+ if (tevent_req_nterror(req, status)) {
+ D_WARNING("wb_lookupsid_recv() failed with %s.\n",
+ nt_errstr(status));
+ return;
+ }
+ tevent_req_done(req);
+}
+
+NTSTATUS wb_queryuser_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
+ struct wbint_userinfo **pinfo)
+{
+ struct wb_queryuser_state *state = tevent_req_data(
+ req, struct wb_queryuser_state);
+ NTSTATUS status;
+
+ D_INFO("WB command queryuser end.\n");
+ NDR_PRINT_DEBUG_LEVEL(DBGLVL_INFO, wbint_userinfo, state->info);
+ if (tevent_req_is_nterror(req, &status)) {
+ return status;
+ }
+ *pinfo = talloc_move(mem_ctx, &state->info);
+ return NT_STATUS_OK;
+}
diff --git a/source3/winbindd/wb_seqnum.c b/source3/winbindd/wb_seqnum.c
new file mode 100644
index 0000000..7affd76
--- /dev/null
+++ b/source3/winbindd/wb_seqnum.c
@@ -0,0 +1,78 @@
+/*
+ Unix SMB/CIFS implementation.
+ async seqnum
+ Copyright (C) Volker Lendecke 2009
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "winbindd.h"
+#include "librpc/gen_ndr/ndr_winbind_c.h"
+
+struct wb_seqnum_state {
+ uint32_t seqnum;
+};
+
+static void wb_seqnum_done(struct tevent_req *subreq);
+
+struct tevent_req *wb_seqnum_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_domain *domain)
+{
+ struct tevent_req *req, *subreq;
+ struct wb_seqnum_state *state;
+
+ req = tevent_req_create(mem_ctx, &state, struct wb_seqnum_state);
+ if (req == NULL) {
+ return NULL;
+ }
+ subreq = dcerpc_wbint_QuerySequenceNumber_send(
+ state, ev, dom_child_handle(domain), &state->seqnum);
+ if (tevent_req_nomem(subreq, req)) {
+ return tevent_req_post(req, ev);
+ }
+ tevent_req_set_callback(subreq, wb_seqnum_done, req);
+ return req;
+}
+
+static void wb_seqnum_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct wb_seqnum_state *state = tevent_req_data(
+ req, struct wb_seqnum_state);
+ NTSTATUS status, result;
+
+ status = dcerpc_wbint_QuerySequenceNumber_recv(subreq, state, &result);
+ TALLOC_FREE(subreq);
+ if (any_nt_status_not_ok(status, result, &status)) {
+ tevent_req_nterror(req, status);
+ return;
+ }
+ tevent_req_done(req);
+}
+
+NTSTATUS wb_seqnum_recv(struct tevent_req *req, uint32_t *seqnum)
+{
+ struct wb_seqnum_state *state = tevent_req_data(
+ req, struct wb_seqnum_state);
+ NTSTATUS status;
+
+ if (tevent_req_is_nterror(req, &status)) {
+ return status;
+ }
+ *seqnum = state->seqnum;
+ return NT_STATUS_OK;
+}
diff --git a/source3/winbindd/wb_seqnums.c b/source3/winbindd/wb_seqnums.c
new file mode 100644
index 0000000..3c9af01
--- /dev/null
+++ b/source3/winbindd/wb_seqnums.c
@@ -0,0 +1,153 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ async seqnums, update the seqnums in winbindd_cache.c
+
+ Copyright (C) Volker Lendecke 2009
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "winbindd.h"
+#include "librpc/gen_ndr/ndr_winbind_c.h"
+
+struct wb_seqnums_state {
+ int num_domains;
+ int num_received;
+
+ struct tevent_req **subreqs;
+ struct winbindd_domain **domains;
+ NTSTATUS *stati;
+ uint32_t *seqnums;
+};
+
+static void wb_seqnums_done(struct tevent_req *subreq);
+
+struct tevent_req *wb_seqnums_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev)
+{
+ struct tevent_req *req;
+ struct wb_seqnums_state *state;
+ struct winbindd_domain *domain;
+ int i;
+
+ req = tevent_req_create(mem_ctx, &state, struct wb_seqnums_state);
+ if (req == NULL) {
+ return NULL;
+ }
+ state->num_received = 0;
+ state->num_domains = 0;
+
+ for (domain = domain_list(); domain != NULL; domain = domain->next) {
+ state->num_domains += 1;
+ }
+
+ state->subreqs = talloc_array(state, struct tevent_req *,
+ state->num_domains);
+ state->domains = talloc_zero_array(state, struct winbindd_domain *,
+ state->num_domains);
+ state->stati = talloc_array(state, NTSTATUS, state->num_domains);
+ state->seqnums = talloc_array(state, uint32_t, state->num_domains);
+
+ if ((state->subreqs == NULL) || (state->domains == NULL) ||
+ (state->stati == NULL) || (state->seqnums == NULL)) {
+ tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
+ return tevent_req_post(req, ev);
+ }
+
+ i = 0;
+
+ for (domain = domain_list(); domain != NULL; domain = domain->next) {
+ state->domains[i] = domain;
+ state->subreqs[i] = wb_seqnum_send(state->subreqs, ev, domain);
+ if (tevent_req_nomem(state->subreqs[i], req)) {
+ /* Don't even start all the other requests */
+ TALLOC_FREE(state->subreqs);
+ return tevent_req_post(req, ev);
+ }
+ tevent_req_set_callback(state->subreqs[i], wb_seqnums_done,
+ req);
+ i += 1;
+ }
+ return req;
+}
+
+static void wb_seqnums_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct wb_seqnums_state *state = tevent_req_data(
+ req, struct wb_seqnums_state);
+ NTSTATUS status;
+ uint32_t seqnum;
+ int i;
+
+ status = wb_seqnum_recv(subreq, &seqnum);
+
+ for (i=0; i<state->num_domains; i++) {
+ if (subreq == state->subreqs[i]) {
+ break;
+ }
+ }
+ if (i < state->num_domains) {
+ /* found one */
+
+ state->subreqs[i] = NULL;
+ state->stati[i] = status;
+ if (NT_STATUS_IS_OK(status)) {
+ state->seqnums[i] = seqnum;
+
+ /*
+ * This first assignment might be removed
+ * later
+ */
+ state->domains[i]->sequence_number = seqnum;
+
+ if (!wcache_store_seqnum(state->domains[i]->name,
+ state->seqnums[i],
+ time(NULL))) {
+ DEBUG(1, ("wcache_store_seqnum failed for "
+ "domain %s\n",
+ state->domains[i]->name));
+ }
+ }
+ }
+
+ TALLOC_FREE(subreq);
+
+ state->num_received += 1;
+
+ if (state->num_received >= state->num_domains) {
+ tevent_req_done(req);
+ }
+}
+
+NTSTATUS wb_seqnums_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
+ int *num_domains, struct winbindd_domain ***domains,
+ NTSTATUS **stati, uint32_t **seqnums)
+{
+ struct wb_seqnums_state *state = tevent_req_data(
+ req, struct wb_seqnums_state);
+ NTSTATUS status;
+
+ if (tevent_req_is_nterror(req, &status)) {
+ return status;
+ }
+ *num_domains = state->num_domains;
+ *domains = talloc_move(mem_ctx, &state->domains);
+ *stati = talloc_move(mem_ctx, &state->stati);
+ *seqnums = talloc_move(mem_ctx, &state->seqnums);
+ return NT_STATUS_OK;
+}
diff --git a/source3/winbindd/wb_sids2xids.c b/source3/winbindd/wb_sids2xids.c
new file mode 100644
index 0000000..179a51f
--- /dev/null
+++ b/source3/winbindd/wb_sids2xids.c
@@ -0,0 +1,786 @@
+/*
+ Unix SMB/CIFS implementation.
+ async sids2xids
+ Copyright (C) Volker Lendecke 2011
+ Copyright (C) Michael Adam 2012
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "winbindd.h"
+#include "../libcli/security/security.h"
+#include "idmap_cache.h"
+#include "librpc/gen_ndr/ndr_winbind_c.h"
+#include "librpc/gen_ndr/ndr_netlogon.h"
+#include "lsa.h"
+
+struct wb_sids2xids_state {
+ struct tevent_context *ev;
+
+ const struct wb_parent_idmap_config *cfg;
+
+ struct dom_sid *sids;
+ uint32_t num_sids;
+
+ struct wbint_TransIDArray all_ids;
+
+ /* Used to translated the idx back into all_ids.ids[idx] */
+ uint32_t *tmp_idx;
+
+ uint32_t lookup_count;
+ struct dom_sid *lookup_sids;
+
+ struct wbint_TransIDArray map_ids_in;
+ struct wbint_TransIDArray map_ids_out;
+
+ /*
+ * Domain array to use for the idmap call. The output from
+ * lookupsids cannot be used directly since for migrated
+ * objects the returned domain SID can be different than the
+ * original one. The new domain SID cannot be combined with
+ * the RID from the previous domain.
+ *
+ * The proper way would be asking for the correct RID in the
+ * new domain, but this approach avoids id mappings for
+ * invalid SIDs.
+ */
+ struct lsa_RefDomainList idmap_doms;
+
+ uint32_t dom_index;
+ struct lsa_RefDomainList idmap_dom;
+ bool tried_dclookup;
+};
+
+static void wb_sids2xids_idmap_setup_done(struct tevent_req *subreq);
+static bool wb_sids2xids_in_cache(struct dom_sid *sid, struct id_map *map);
+static void wb_sids2xids_lookupsids_done(struct tevent_req *subreq);
+static void wb_sids2xids_done(struct tevent_req *subreq);
+static void wb_sids2xids_gotdc(struct tevent_req *subreq);
+static void wb_sids2xids_next_sids2unix(struct tevent_req *req);
+static enum id_type lsa_SidType_to_id_type(const enum lsa_SidType sid_type);
+
+struct tevent_req *wb_sids2xids_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ const struct dom_sid *sids,
+ const uint32_t num_sids)
+{
+ struct tevent_req *req, *subreq;
+ struct wb_sids2xids_state *state;
+ uint32_t i;
+ uint32_t num_valid = 0;
+
+ D_INFO("WB command sids2xids start.\n"
+ "Resolving %"PRIu32" SID(s).\n", num_sids);
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct wb_sids2xids_state);
+ if (req == NULL) {
+ return NULL;
+ }
+
+ state->ev = ev;
+
+ state->num_sids = num_sids;
+
+ state->sids = talloc_zero_array(state, struct dom_sid, num_sids);
+ if (tevent_req_nomem(state->sids, req)) {
+ return tevent_req_post(req, ev);
+ }
+
+ for (i = 0; i < num_sids; i++) {
+ sid_copy(&state->sids[i], &sids[i]);
+ }
+
+ state->all_ids.num_ids = num_sids;
+ state->all_ids.ids = talloc_zero_array(state, struct wbint_TransID, num_sids);
+ if (tevent_req_nomem(state->all_ids.ids, req)) {
+ return tevent_req_post(req, ev);
+ }
+
+ state->tmp_idx = talloc_zero_array(state, uint32_t, num_sids);
+ if (tevent_req_nomem(state->tmp_idx, req)) {
+ return tevent_req_post(req, ev);
+ }
+
+ state->lookup_sids = talloc_zero_array(state, struct dom_sid, num_sids);
+ if (tevent_req_nomem(state->lookup_sids, req)) {
+ return tevent_req_post(req, ev);
+ }
+
+ state->map_ids_in.ids = talloc_zero_array(state, struct wbint_TransID, num_sids);
+ if (tevent_req_nomem(state->map_ids_in.ids, req)) {
+ return tevent_req_post(req, ev);
+ }
+
+ /*
+ * Extract those sids that can not be resolved from cache
+ * into a separate list to be handed to id mapping, keeping
+ * the same index.
+ */
+ for (i=0; i<state->num_sids; i++) {
+ struct wbint_TransID *cur_id = &state->all_ids.ids[i];
+ struct dom_sid domain_sid;
+ struct dom_sid_buf buf;
+ struct id_map map = { .status = ID_UNMAPPED, };
+ uint32_t rid = 0;
+ bool in_cache;
+
+ sid_copy(&domain_sid, &state->sids[i]);
+ sid_split_rid(&domain_sid, &rid);
+
+ /*
+ * Start with an invalid entry.
+ */
+ *cur_id = (struct wbint_TransID) {
+ .type_hint = ID_TYPE_NOT_SPECIFIED,
+ .domain_index = UINT32_MAX - 1, /* invalid */
+ .rid = rid,
+ .xid = {
+ .id = UINT32_MAX,
+ .type = ID_TYPE_NOT_SPECIFIED,
+ },
+ };
+
+ D_DEBUG("%"PRIu32": SID %s\n",
+ i, dom_sid_str_buf(&state->sids[i], &buf));
+
+ in_cache = wb_sids2xids_in_cache(&state->sids[i], &map);
+ if (in_cache) {
+ /*
+ * We used to ignore map.status and just rely
+ * on map.xid.type.
+ *
+ * Lets keep this logic for now...
+ */
+
+ cur_id->xid = map.xid;
+ cur_id->domain_index = UINT32_MAX; /* this marks it as filled entry */
+ num_valid += 1;
+ continue;
+ }
+ }
+
+ D_DEBUG("Found %"PRIu32" (out of %"PRIu32") SID(s) in cache.\n",
+ num_valid, num_sids);
+ if (num_valid == num_sids) {
+ tevent_req_done(req);
+ return tevent_req_post(req, ev);
+ }
+
+ subreq = wb_parent_idmap_setup_send(state, state->ev);
+ if (tevent_req_nomem(subreq, req)) {
+ return tevent_req_post(req, ev);
+ }
+ tevent_req_set_callback(subreq, wb_sids2xids_idmap_setup_done, req);
+ return req;
+}
+
+static void wb_sids2xids_idmap_setup_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct wb_sids2xids_state *state = tevent_req_data(
+ req, struct wb_sids2xids_state);
+ NTSTATUS status;
+ uint32_t i;
+
+ status = wb_parent_idmap_setup_recv(subreq, &state->cfg);
+ TALLOC_FREE(subreq);
+ if (tevent_req_nterror(req, status)) {
+ D_WARNING("Failed with %s.\n", nt_errstr(status));
+ return;
+ }
+ SMB_ASSERT(state->cfg->num_doms > 0);
+ D_DEBUG("We will loop over %"PRIu32" SID(s) (skipping those already resolved via cache) and over %"PRIu32" domain(s).\n",
+ state->num_sids,
+ state->cfg->num_doms);
+
+ /*
+ * Now we build a list with all domain
+ * with non cached entries
+ */
+ for (i=0; i<state->num_sids; i++) {
+ struct wbint_TransID *t = &state->all_ids.ids[i];
+ struct dom_sid domain_sid;
+ const char *domain_name = NULL;
+ int domain_index;
+ uint32_t rid = 0;
+ uint32_t di;
+ struct dom_sid_buf buf0, buf1;
+
+ D_DEBUG("%"PRIu32": Processing SID %s\n",
+ i,
+ dom_sid_str_buf(&state->sids[i], &buf0));
+ if (t->domain_index == UINT32_MAX) {
+ /* ignore already filled entries */
+ D_DEBUG("%"PRIu32": Ignoring already resolved SID %s\n",
+ i,
+ dom_sid_str_buf(&state->sids[i], &buf0));
+ continue;
+ }
+
+ sid_copy(&domain_sid, &state->sids[i]);
+ sid_split_rid(&domain_sid, &rid);
+ D_DEBUG("%"PRIu32": Splitted SID %s into domain SID %s and RID %"PRIu32"\n",
+ i,
+ dom_sid_str_buf(&state->sids[i], &buf0),
+ dom_sid_str_buf(&domain_sid, &buf1),
+ rid);
+
+ if (t->type_hint == ID_TYPE_NOT_SPECIFIED) {
+ const char *tmp_name = NULL;
+ enum lsa_SidType sid_type = SID_NAME_USE_NONE;
+ const struct dom_sid *tmp_authority_sid = NULL;
+ const char *tmp_authority_name = NULL;
+
+ /*
+ * Try to get a type hint from for predefined sids
+ */
+ status = dom_sid_lookup_predefined_sid(&state->sids[i],
+ &tmp_name,
+ &sid_type,
+ &tmp_authority_sid,
+ &tmp_authority_name);
+ if (NT_STATUS_IS_OK(status)) {
+ t->type_hint = lsa_SidType_to_id_type(sid_type);
+ D_DEBUG("Got a type hint: %d from predefined SID.\n",
+ t->type_hint);
+ }
+ }
+
+ D_DEBUG("Looping over %"PRIu32" domain(s) to find domain SID %s.\n",
+ state->cfg->num_doms,
+ dom_sid_str_buf(&domain_sid, &buf0));
+ for (di = 0; di < state->cfg->num_doms; di++) {
+ struct wb_parent_idmap_config_dom *dom =
+ &state->cfg->doms[di];
+ bool match;
+
+ match = dom_sid_equal(&domain_sid, &dom->sid);
+ if (!match) {
+ continue;
+ }
+
+ domain_name = dom->name;
+ D_DEBUG("Found domain '%s'.\n", domain_name);
+ break;
+ }
+ if (domain_name == NULL) {
+ struct winbindd_domain *wb_domain = NULL;
+
+ D_DEBUG("Could not find a domain for domain SID %s. Trying to fill the domain name from list of known domains.\n",
+ dom_sid_str_buf(&domain_sid, &buf0));
+ /*
+ * Try to fill the name if we already know it
+ */
+ wb_domain = find_domain_from_sid_noinit(&state->sids[i]);
+ if (wb_domain != NULL) {
+ domain_name = wb_domain->name;
+ D_DEBUG("Found domain '%s' in list of known domains.\n", domain_name);
+ }
+ }
+ if (domain_name == NULL) {
+ domain_name = "";
+ D_DEBUG("Not found domain in list of known domains, setting empty domain name.\n");
+ }
+
+ if (t->type_hint == ID_TYPE_NOT_SPECIFIED) {
+ if (domain_name[0] != '\0') {
+ /*
+ * We know the domain, we indicate this
+ * by passing ID_TYPE_BOTH as a hint
+ *
+ * Maybe that's already enough for the backend
+ */
+ t->type_hint = ID_TYPE_BOTH;
+ D_DEBUG("Setting type hint ID_TYPE_BOTH for domain '%s'.\n", domain_name);
+ }
+ }
+
+ domain_index = init_lsa_ref_domain_list(state,
+ &state->idmap_doms,
+ domain_name,
+ &domain_sid);
+ if (domain_index == -1) {
+ tevent_req_oom(req);
+ return;
+ }
+ t->domain_index = domain_index;
+ }
+
+ /*
+ * We defer lookupsids because it requires domain controller
+ * interaction.
+ *
+ * First we ask the idmap child without explicit type hints.
+ * In most cases mappings already exist in the backend and
+ * a type_hint is not needed.
+ */
+ wb_sids2xids_next_sids2unix(req);
+}
+
+static bool wb_sids2xids_in_cache(struct dom_sid *sid, struct id_map *map)
+{
+ struct unixid id;
+ bool expired;
+
+ if (!winbindd_use_idmap_cache()) {
+ return false;
+ }
+ if (idmap_cache_find_sid2unixid(sid, &id, &expired)) {
+ if (expired && is_domain_online(find_our_domain())) {
+ return false;
+ }
+ map->sid = sid;
+ map->xid = id;
+ map->status = ID_MAPPED;
+ return true;
+ }
+ return false;
+}
+
+static void wb_sids2xids_lookupsids_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct wb_sids2xids_state *state = tevent_req_data(
+ req, struct wb_sids2xids_state);
+ struct lsa_RefDomainList *domains = NULL;
+ struct lsa_TransNameArray *names = NULL;
+ NTSTATUS status;
+ uint32_t li;
+
+ status = wb_lookupsids_recv(subreq, state, &domains, &names);
+ TALLOC_FREE(subreq);
+ if (tevent_req_nterror(req, status)) {
+ D_WARNING("Failed with %s.\n", nt_errstr(status));
+ return;
+ }
+
+ if (domains == NULL) {
+ tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
+ D_WARNING("Failed with NT_STATUS_INTERNAL_ERROR.\n");
+ return;
+ }
+
+ if (names == NULL) {
+ tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
+ D_WARNING("Failed with NT_STATUS_INTERNAL_ERROR.\n");
+ return;
+ }
+
+ for (li = 0; li < state->lookup_count; li++) {
+ struct lsa_TranslatedName *n = &names->names[li];
+ uint32_t ai = state->tmp_idx[li];
+ struct wbint_TransID *t = &state->all_ids.ids[ai];
+ enum id_type type_hint;
+
+ type_hint = lsa_SidType_to_id_type(n->sid_type);
+ if (type_hint != ID_TYPE_NOT_SPECIFIED) {
+ /*
+ * We know it's a valid user or group.
+ */
+ t->type_hint = type_hint;
+ continue;
+ }
+
+ if (n->sid_index == UINT32_MAX) {
+ /*
+ * The domain is not known, there's
+ * no point to try mapping again.
+ * mark is done and add a negative cache
+ * entry.
+ */
+ t->domain_index = UINT32_MAX; /* mark as valid */
+ idmap_cache_set_sid2unixid(&state->sids[ai], &t->xid);
+ continue;
+ }
+
+ if (n->sid_index >= domains->count) {
+ tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
+ D_WARNING("Failed with NT_STATUS_INTERNAL_ERROR.\n");
+ return;
+ }
+
+ if (domains->domains[n->sid_index].name.string == NULL) {
+ tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
+ D_WARNING("Failed with NT_STATUS_INTERNAL_ERROR.\n");
+ return;
+ }
+ if (domains->domains[n->sid_index].sid == NULL) {
+ tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
+ D_WARNING("Failed with NT_STATUS_INTERNAL_ERROR.\n");
+ return;
+ }
+
+ if (t->type_hint != ID_TYPE_NOT_SPECIFIED) {
+ /*
+ * We already tried with a type hint there's
+ * no point to try mapping again with ID_TYPE_BOTH.
+ *
+ * Mark is done and add a negative cache entry.
+ */
+ t->domain_index = UINT32_MAX; /* mark as valid */
+ idmap_cache_set_sid2unixid(&state->sids[ai], &t->xid);
+ continue;
+ }
+
+ /*
+ * We only know the domain exists, but the user doesn't
+ */
+ t->type_hint = ID_TYPE_BOTH;
+ }
+
+ TALLOC_FREE(names);
+ TALLOC_FREE(domains);
+
+ /*
+ * Now that we have type_hints for the remaining sids,
+ * we need to restart with the first domain.
+ */
+ state->dom_index = 0;
+ wb_sids2xids_next_sids2unix(req);
+}
+
+static void wb_sids2xids_next_sids2unix(struct tevent_req *req)
+{
+ struct wb_sids2xids_state *state = tevent_req_data(
+ req, struct wb_sids2xids_state);
+ struct tevent_req *subreq = NULL;
+ struct dcerpc_binding_handle *child_binding_handle = NULL;
+ const struct wbint_TransIDArray *src = NULL;
+ struct wbint_TransIDArray *dst = NULL;
+ uint32_t si;
+
+ next_domain:
+ state->tried_dclookup = false;
+
+ D_DEBUG("Processing next domain (dom_index=%"PRIu32", idmap_doms.count=%"PRIu32", lookup_count=%"PRIu32").\n",
+ state->dom_index,
+ state->idmap_doms.count,
+ state->lookup_count);
+ if (state->dom_index == state->idmap_doms.count) {
+ if (state->lookup_count != 0) {
+ /*
+ * We already called wb_lookupsids_send()
+ * before, so we're done.
+ */
+ D_DEBUG("We already called wb_lookupsids_send() before, so we're done.\n");
+ tevent_req_done(req);
+ return;
+ }
+
+ for (si=0; si < state->num_sids; si++) {
+ struct wbint_TransID *t = &state->all_ids.ids[si];
+
+ if (t->domain_index == UINT32_MAX) {
+ /* ignore already filled entries */
+ continue;
+ }
+
+ state->tmp_idx[state->lookup_count] = si;
+ sid_copy(&state->lookup_sids[state->lookup_count],
+ &state->sids[si]);
+ state->lookup_count += 1;
+ }
+
+ D_DEBUG("Prepared %"PRIu32" SID(s) for lookup wb_lookupsids_send().\n",
+ state->lookup_count);
+ if (state->lookup_count == 0) {
+ /*
+ * no wb_lookupsids_send() needed...
+ */
+ tevent_req_done(req);
+ return;
+ }
+
+ subreq = wb_lookupsids_send(state,
+ state->ev,
+ state->lookup_sids,
+ state->lookup_count);
+ if (tevent_req_nomem(subreq, req)) {
+ return;
+ }
+ tevent_req_set_callback(subreq, wb_sids2xids_lookupsids_done, req);
+ return;
+ }
+
+ src = &state->all_ids;
+ dst = &state->map_ids_in;
+ dst->num_ids = 0;
+
+ for (si=0; si < src->num_ids; si++) {
+ if (src->ids[si].domain_index != state->dom_index) {
+ continue;
+ }
+
+ state->tmp_idx[dst->num_ids] = si;
+ dst->ids[dst->num_ids] = src->ids[si];
+ dst->ids[dst->num_ids].domain_index = 0;
+ dst->num_ids += 1;
+ }
+
+ if (dst->num_ids == 0) {
+ state->dom_index += 1;
+ D_DEBUG("Go to next domain.\n");
+ goto next_domain;
+ }
+
+ state->idmap_dom = (struct lsa_RefDomainList) {
+ .count = 1,
+ .domains = &state->idmap_doms.domains[state->dom_index],
+ .max_size = 1
+ };
+
+ /*
+ * dcerpc_wbint_Sids2UnixIDs_send/recv will
+ * allocate a new array for the response
+ * and overwrite _ids->ids pointer.
+ *
+ * So we better make a temporary copy
+ * of state->map_ids_in (which contains the request array)
+ * into state->map_ids_out.
+ *
+ * That makes it possible to reuse the pre-allocated
+ * state->map_ids_in.ids array.
+ */
+ state->map_ids_out = state->map_ids_in;
+ child_binding_handle = idmap_child_handle();
+ subreq = dcerpc_wbint_Sids2UnixIDs_send(
+ state, state->ev, child_binding_handle, &state->idmap_dom,
+ &state->map_ids_out);
+ if (tevent_req_nomem(subreq, req)) {
+ return;
+ }
+ tevent_req_set_callback(subreq, wb_sids2xids_done, req);
+}
+
+static enum id_type lsa_SidType_to_id_type(const enum lsa_SidType sid_type)
+{
+ enum id_type type;
+
+ switch(sid_type) {
+ case SID_NAME_COMPUTER:
+ case SID_NAME_USER:
+ type = ID_TYPE_UID;
+ break;
+ case SID_NAME_DOM_GRP:
+ case SID_NAME_ALIAS:
+ case SID_NAME_WKN_GRP:
+ type = ID_TYPE_GID;
+ break;
+ default:
+ type = ID_TYPE_NOT_SPECIFIED;
+ break;
+ }
+
+ return type;
+}
+
+static void wb_sids2xids_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct wb_sids2xids_state *state = tevent_req_data(
+ req, struct wb_sids2xids_state);
+ NTSTATUS status, result;
+ const struct wbint_TransIDArray *src = NULL;
+ struct wbint_TransIDArray *dst = NULL;
+ uint32_t si;
+
+ status = dcerpc_wbint_Sids2UnixIDs_recv(subreq, state, &result);
+ TALLOC_FREE(subreq);
+
+ if (tevent_req_nterror(req, status)) {
+ D_WARNING("Failed with %s.\n", nt_errstr(status));
+ return;
+ }
+
+ if (NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) &&
+ !state->tried_dclookup) {
+
+ struct lsa_DomainInfo *d;
+
+ D_DEBUG("Domain controller not found. Calling wb_dsgetdcname_send() to get it.\n");
+ d = &state->idmap_doms.domains[state->dom_index];
+
+ subreq = wb_dsgetdcname_send(
+ state, state->ev, d->name.string, NULL, NULL,
+ DS_RETURN_DNS_NAME);
+ if (tevent_req_nomem(subreq, req)) {
+ return;
+ }
+ tevent_req_set_callback(subreq, wb_sids2xids_gotdc, req);
+ return;
+ }
+
+ src = &state->map_ids_out;
+ dst = &state->all_ids;
+
+ if (any_nt_status_not_ok(status, result, &status)) {
+ D_DEBUG("Either status %s or result %s is not ok. Report SIDs as not mapped.\n",
+ nt_errstr(status),
+ nt_errstr(result));
+ /*
+ * All we can do here is to report "not mapped"
+ */
+ src = &state->map_ids_in;
+ for (si=0; si < src->num_ids; si++) {
+ src->ids[si].xid.type = ID_TYPE_NOT_SPECIFIED;
+ }
+ }
+
+ if (src->num_ids != state->map_ids_in.num_ids) {
+ tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
+ D_WARNING("Number of mapped SIDs does not match. Failing with NT_STATUS_INTERNAL_ERROR.\n");
+ return;
+ }
+
+ for (si=0; si < src->num_ids; si++) {
+ uint32_t di = state->tmp_idx[si];
+
+ if (src->ids[si].xid.type == ID_TYPE_WB_REQUIRE_TYPE) {
+ if (state->lookup_count == 0) {
+ D_DEBUG("The backend asks for more information (a type_hint), we'll do a lookupsids later.\n");
+ /*
+ * The backend asks for more information
+ * (a type_hint), we'll do a lookupsids
+ * later.
+ */
+ continue;
+ }
+
+ /*
+ * lookupsids was not able to provide a type_hint that
+ * satisfied the backend.
+ *
+ * Make sure we don't expose ID_TYPE_WB_REQUIRE_TYPE
+ * outside of winbindd!
+ */
+ D_DEBUG("lookupsids was not able to provide a type_hint that satisfied the backend. Make sure we don't expose ID_TYPE_WB_REQUIRE_TYPE outside of winbindd!\n");
+ src->ids[si].xid.type = ID_TYPE_NOT_SPECIFIED;
+ }
+
+ if (src->ids[si].xid.type != ID_TYPE_NOT_SPECIFIED) {
+ dst->ids[di].xid = src->ids[si].xid;
+ D_DEBUG("%"PRIu32": Setting XID %"PRIu32"\n",
+ si, src->ids[si].xid.id);
+ }
+ dst->ids[di].domain_index = UINT32_MAX; /* mark as valid */
+ idmap_cache_set_sid2unixid(&state->sids[di], &dst->ids[di].xid);
+ }
+
+ state->map_ids_in.num_ids = 0;
+ if (NT_STATUS_IS_OK(status)) {
+ /*
+ * If we got a valid response, we expect
+ * state->map_ids_out.ids to be a new allocated
+ * array, which we want to free early.
+ */
+ SMB_ASSERT(state->map_ids_out.ids != state->map_ids_in.ids);
+ TALLOC_FREE(state->map_ids_out.ids);
+ }
+ state->map_ids_out = (struct wbint_TransIDArray) { .num_ids = 0, };
+
+ state->dom_index += 1;
+
+ wb_sids2xids_next_sids2unix(req);
+}
+
+static void wb_sids2xids_gotdc(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct wb_sids2xids_state *state = tevent_req_data(
+ req, struct wb_sids2xids_state);
+ struct dcerpc_binding_handle *child_binding_handle = NULL;
+ struct netr_DsRGetDCNameInfo *dcinfo;
+ NTSTATUS status;
+
+ status = wb_dsgetdcname_recv(subreq, state, &dcinfo);
+ TALLOC_FREE(subreq);
+ if (tevent_req_nterror(req, status)) {
+ D_WARNING("Failed with %s.\n", nt_errstr(status));
+ return;
+ }
+
+ state->tried_dclookup = true;
+
+ {
+ struct lsa_DomainInfo *d =
+ &state->idmap_doms.domains[state->dom_index];
+ const char *dom_name = d->name.string;
+
+ status = wb_dsgetdcname_gencache_set(dom_name, dcinfo);
+ if (tevent_req_nterror(req, status)) {
+ D_WARNING("Failed with %s.\n", nt_errstr(status));
+ return;
+ }
+ }
+
+ /*
+ * dcerpc_wbint_Sids2UnixIDs_send/recv will
+ * allocate a new array for the response
+ * and overwrite _ids->ids pointer.
+ *
+ * So we better make a temporary copy
+ * of state->map_ids_in (which contains the request array)
+ * into state->map_ids_out.
+ *
+ * That makes it possible to reuse the pre-allocated
+ * state->map_ids_in.ids array.
+ */
+ state->map_ids_out = state->map_ids_in;
+ child_binding_handle = idmap_child_handle();
+ subreq = dcerpc_wbint_Sids2UnixIDs_send(
+ state, state->ev, child_binding_handle, &state->idmap_dom,
+ &state->map_ids_out);
+ if (tevent_req_nomem(subreq, req)) {
+ return;
+ }
+ tevent_req_set_callback(subreq, wb_sids2xids_done, req);
+}
+
+NTSTATUS wb_sids2xids_recv(struct tevent_req *req,
+ struct unixid xids[], uint32_t num_xids)
+{
+ struct wb_sids2xids_state *state = tevent_req_data(
+ req, struct wb_sids2xids_state);
+ NTSTATUS status;
+ uint32_t i;
+
+ if (tevent_req_is_nterror(req, &status)) {
+ D_WARNING("Failed with %s.\n", nt_errstr(status));
+ return status;
+ }
+
+ if (num_xids != state->num_sids) {
+ D_WARNING("Error. We have resolved only %"PRIu32" XID(s), but caller asked for %"PRIu32".\n",
+ state->num_sids, num_xids);
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
+ D_INFO("WB command sids2xids end.\n");
+ for (i=0; i<state->num_sids; i++) {
+ struct dom_sid_buf buf;
+ xids[i] = state->all_ids.ids[i].xid;
+ D_INFO("%"PRIu32": Found XID %"PRIu32" for SID %s\n",
+ i,
+ xids[i].id,
+ dom_sid_str_buf(&state->sids[i], &buf));
+ }
+
+ return NT_STATUS_OK;
+}
diff --git a/source3/winbindd/wb_xids2sids.c b/source3/winbindd/wb_xids2sids.c
new file mode 100644
index 0000000..86bd7f9
--- /dev/null
+++ b/source3/winbindd/wb_xids2sids.c
@@ -0,0 +1,422 @@
+/*
+ * Unix SMB/CIFS implementation.
+ * async xids2sids
+ * Copyright (C) Volker Lendecke 2015
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "includes.h"
+#include "winbindd.h"
+#include "../libcli/security/security.h"
+#include "idmap_cache.h"
+#include "librpc/gen_ndr/ndr_winbind_c.h"
+#include "librpc/gen_ndr/ndr_netlogon.h"
+#include "passdb/lookup_sid.h"
+
+struct wb_xids2sids_dom_state {
+ struct tevent_context *ev;
+ struct unixid *all_xids;
+ const bool *cached;
+ size_t num_all_xids;
+ struct dom_sid *all_sids;
+ const struct wb_parent_idmap_config_dom *dom_map;
+ bool tried_dclookup;
+
+ size_t num_dom_xids;
+ struct unixid *dom_xids;
+ struct dom_sid *dom_sids;
+};
+
+static void wb_xids2sids_dom_done(struct tevent_req *subreq);
+static void wb_xids2sids_dom_gotdc(struct tevent_req *subreq);
+
+static struct tevent_req *wb_xids2sids_dom_send(
+ TALLOC_CTX *mem_ctx, struct tevent_context *ev,
+ const struct wb_parent_idmap_config_dom *dom_map,
+ struct unixid *xids,
+ const bool *cached,
+ size_t num_xids,
+ struct dom_sid *sids)
+{
+ struct tevent_req *req, *subreq;
+ struct wb_xids2sids_dom_state *state;
+ struct dcerpc_binding_handle *child_binding_handle = NULL;
+ size_t i;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct wb_xids2sids_dom_state);
+ if (req == NULL) {
+ return NULL;
+ }
+
+ D_DEBUG("Searching for %zu xid(s) in domain %s.\n",
+ num_xids,
+ dom_map->name);
+
+ state->ev = ev;
+ state->all_xids = xids;
+ state->cached = cached;
+ state->num_all_xids = num_xids;
+ state->all_sids = sids;
+ state->dom_map = dom_map;
+
+ state->dom_xids = talloc_array(state, struct unixid, num_xids);
+ if (tevent_req_nomem(state->dom_xids, req)) {
+ return tevent_req_post(req, ev);
+ }
+ state->dom_sids = talloc_array(state, struct dom_sid, num_xids);
+ if (tevent_req_nomem(state->dom_sids, req)) {
+ return tevent_req_post(req, ev);
+ }
+
+ for (i=0; i<num_xids; i++) {
+ struct unixid id = state->all_xids[i];
+
+ if ((id.id < dom_map->low_id) || (id.id > dom_map->high_id)) {
+ /* out of range */
+ D_DEBUG("%zu: XID %"PRIu32" is out of range.\n",
+ i, id.id);
+ continue;
+ }
+ if (state->cached[i]) {
+ /* already found in cache */
+ D_DEBUG("%zu: XID %"PRIu32" is already found in cache.\n",
+ i, id.id);
+ continue;
+ }
+ if (!is_null_sid(&state->all_sids[i])) {
+ /* already mapped in a previously asked domain */
+ D_DEBUG("%zu: XID %"PRIu32" is already mapped in a previously asked domain.\n",
+ i, id.id);
+ continue;
+ }
+ D_DEBUG("%zu: XID %"PRIu32" will be looked up via dcerpc_wbint_UnixIDs2Sids_send().\n",
+ i, id.id);
+ state->dom_xids[state->num_dom_xids++] = id;
+ }
+
+ if (state->num_dom_xids == 0) {
+ tevent_req_done(req);
+ return tevent_req_post(req, ev);
+ }
+
+ child_binding_handle = idmap_child_handle();
+ subreq = dcerpc_wbint_UnixIDs2Sids_send(
+ state, ev, child_binding_handle, dom_map->name, dom_map->sid,
+ state->num_dom_xids, state->dom_xids, state->dom_sids);
+ if (tevent_req_nomem(subreq, req)) {
+ return tevent_req_post(req, ev);
+ }
+ tevent_req_set_callback(subreq, wb_xids2sids_dom_done, req);
+ return req;
+}
+
+static void wb_xids2sids_dom_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct wb_xids2sids_dom_state *state = tevent_req_data(
+ req, struct wb_xids2sids_dom_state);
+ const struct wb_parent_idmap_config_dom *dom_map = state->dom_map;
+ NTSTATUS status, result;
+ size_t i;
+ size_t dom_sid_idx;
+
+ status = dcerpc_wbint_UnixIDs2Sids_recv(subreq, state, &result);
+ TALLOC_FREE(subreq);
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
+
+ if (NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) &&
+ !state->tried_dclookup) {
+
+ subreq = wb_dsgetdcname_send(
+ state, state->ev, state->dom_map->name, NULL, NULL,
+ DS_RETURN_DNS_NAME);
+ if (tevent_req_nomem(subreq, req)) {
+ return;
+ }
+ tevent_req_set_callback(subreq, wb_xids2sids_dom_gotdc, req);
+ return;
+ }
+
+ if (!NT_STATUS_EQUAL(result, NT_STATUS_NONE_MAPPED) &&
+ tevent_req_nterror(req, result)) {
+ return;
+ }
+
+ dom_sid_idx = 0;
+
+ D_DEBUG("Processing response for %zu xid(s).\n", state->num_all_xids);
+ for (i=0; i<state->num_all_xids; i++) {
+ struct unixid *id = &state->all_xids[i];
+ struct dom_sid_buf buf;
+
+ if ((id->id < dom_map->low_id) || (id->id > dom_map->high_id)) {
+ /* out of range */
+ continue;
+ }
+ if (state->cached[i]) {
+ /* already found in cache */
+ continue;
+ }
+ if (!is_null_sid(&state->all_sids[i])) {
+ /* already mapped in a previously asked domain */
+ continue;
+ }
+
+ sid_copy(&state->all_sids[i], &state->dom_sids[dom_sid_idx]);
+ *id = state->dom_xids[dom_sid_idx];
+ D_DEBUG("%zu: XID %"PRIu32" mapped to SID %s.\n",
+ i,
+ id->id,
+ dom_sid_str_buf(&state->all_sids[i], &buf));
+
+ dom_sid_idx += 1;
+ }
+
+ tevent_req_done(req);
+}
+
+static void wb_xids2sids_dom_gotdc(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct wb_xids2sids_dom_state *state = tevent_req_data(
+ req, struct wb_xids2sids_dom_state);
+ struct dcerpc_binding_handle *child_binding_handle = NULL;
+ struct netr_DsRGetDCNameInfo *dcinfo;
+ NTSTATUS status;
+
+ status = wb_dsgetdcname_recv(subreq, state, &dcinfo);
+ TALLOC_FREE(subreq);
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
+
+ state->tried_dclookup = true;
+
+ status = wb_dsgetdcname_gencache_set(state->dom_map->name, dcinfo);
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
+
+ child_binding_handle = idmap_child_handle();
+ subreq = dcerpc_wbint_UnixIDs2Sids_send(
+ state, state->ev, child_binding_handle, state->dom_map->name,
+ state->dom_map->sid, state->num_dom_xids,
+ state->dom_xids, state->dom_sids);
+ if (tevent_req_nomem(subreq, req)) {
+ return;
+ }
+ tevent_req_set_callback(subreq, wb_xids2sids_dom_done, req);
+}
+
+static NTSTATUS wb_xids2sids_dom_recv(struct tevent_req *req)
+{
+ return tevent_req_simple_recv_ntstatus(req);
+}
+
+struct wb_xids2sids_state {
+ struct tevent_context *ev;
+ struct unixid *xids;
+ size_t num_xids;
+ struct dom_sid *sids;
+ bool *cached;
+
+ size_t dom_idx;
+ const struct wb_parent_idmap_config *cfg;
+};
+
+static void wb_xids2sids_idmap_setup_done(struct tevent_req *subreq);
+static void wb_xids2sids_done(struct tevent_req *subreq);
+
+struct tevent_req *wb_xids2sids_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ const struct unixid *xids,
+ uint32_t num_xids)
+{
+ struct tevent_req *req, *subreq;
+ struct wb_xids2sids_state *state;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct wb_xids2sids_state);
+ if (req == NULL) {
+ return NULL;
+ }
+
+ D_INFO("WB command xids2sids start.\nLooking up %"PRIu32" XID(s).\n",
+ num_xids);
+
+ state->ev = ev;
+ state->num_xids = num_xids;
+
+ state->xids = talloc_array(state, struct unixid, num_xids);
+ if (tevent_req_nomem(state->xids, req)) {
+ return tevent_req_post(req, ev);
+ }
+ memcpy(state->xids, xids, num_xids * sizeof(struct unixid));
+
+ state->sids = talloc_zero_array(state, struct dom_sid, num_xids);
+ if (tevent_req_nomem(state->sids, req)) {
+ return tevent_req_post(req, ev);
+ }
+
+ state->cached = talloc_zero_array(state, bool, num_xids);
+ if (tevent_req_nomem(state->cached, req)) {
+ return tevent_req_post(req, ev);
+ }
+
+ if (winbindd_use_idmap_cache()) {
+ uint32_t i;
+
+ for (i=0; i<num_xids; i++) {
+ struct dom_sid sid = {0};
+ bool ok, expired = true;
+
+ ok = idmap_cache_find_xid2sid(
+ &xids[i], &sid, &expired);
+ if (ok && !expired) {
+ struct dom_sid_buf buf;
+ DBG_DEBUG("Found %cID in cache: %s\n",
+ xids[i].type == ID_TYPE_UID?'U':'G',
+ dom_sid_str_buf(&sid, &buf));
+
+ sid_copy(&state->sids[i], &sid);
+ state->cached[i] = true;
+ }
+ }
+ }
+
+ subreq = wb_parent_idmap_setup_send(state, state->ev);
+ if (tevent_req_nomem(subreq, req)) {
+ return tevent_req_post(req, ev);
+ }
+ tevent_req_set_callback(subreq, wb_xids2sids_idmap_setup_done, req);
+ return req;
+}
+
+static void wb_xids2sids_idmap_setup_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct wb_xids2sids_state *state = tevent_req_data(
+ req, struct wb_xids2sids_state);
+ NTSTATUS status;
+
+ status = wb_parent_idmap_setup_recv(subreq, &state->cfg);
+ TALLOC_FREE(subreq);
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
+ SMB_ASSERT(state->cfg->num_doms > 0);
+
+ subreq = wb_xids2sids_dom_send(
+ state, state->ev,
+ &state->cfg->doms[state->dom_idx],
+ state->xids, state->cached, state->num_xids, state->sids);
+ if (tevent_req_nomem(subreq, req)) {
+ return;
+ }
+ tevent_req_set_callback(subreq, wb_xids2sids_done, req);
+ return;
+}
+
+static void wb_xids2sids_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct wb_xids2sids_state *state = tevent_req_data(
+ req, struct wb_xids2sids_state);
+ size_t i;
+ NTSTATUS status;
+
+ status = wb_xids2sids_dom_recv(subreq);
+ TALLOC_FREE(subreq);
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
+
+ state->dom_idx += 1;
+ if (state->dom_idx < state->cfg->num_doms) {
+ const struct wb_parent_idmap_config_dom *dom_map =
+ &state->cfg->doms[state->dom_idx];
+
+ subreq = wb_xids2sids_dom_send(state,
+ state->ev,
+ dom_map,
+ state->xids,
+ state->cached,
+ state->num_xids,
+ state->sids);
+ if (tevent_req_nomem(subreq, req)) {
+ return;
+ }
+ tevent_req_set_callback(subreq, wb_xids2sids_done, req);
+ return;
+ }
+
+
+ for (i = 0; i < state->num_xids; i++) {
+ /*
+ * Prime the cache after an xid2sid call. It's important that we
+ * use the xid value returned from the backend for the xid value
+ * passed to idmap_cache_set_sid2unixid(), not the input to
+ * wb_xids2sids_send: the input carries what was asked for,
+ * e.g. a ID_TYPE_UID. The result from the backend something the
+ * idmap child possibly changed to ID_TYPE_BOTH.
+ *
+ * And of course If the value was from the cache don't update
+ * the cache.
+ */
+
+ if (state->cached[i]) {
+ continue;
+ }
+
+ idmap_cache_set_sid2unixid(&state->sids[i], &state->xids[i]);
+ }
+
+ tevent_req_done(req);
+ return;
+}
+
+NTSTATUS wb_xids2sids_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
+ struct dom_sid **sids)
+{
+ struct wb_xids2sids_state *state = tevent_req_data(
+ req, struct wb_xids2sids_state);
+ NTSTATUS status;
+ size_t i;
+
+ D_INFO("WB command xids2sids end.\n");
+ if (tevent_req_is_nterror(req, &status)) {
+ D_WARNING("wb_sids_to_xids failed: %s\n", nt_errstr(status));
+ return status;
+ }
+
+ *sids = talloc_move(mem_ctx, &state->sids);
+ if (CHECK_DEBUGLVL(DBGLVL_INFO)) {
+ for (i = 0; i < state->num_xids; i++) {
+ struct dom_sid_buf buf;
+ D_INFO("%zu: XID %"PRIu32" mapped to SID %s\n",
+ i,
+ state->xids[i].id,
+ dom_sid_str_buf(&((*sids)[i]), &buf));
+ }
+ }
+ return NT_STATUS_OK;
+}
diff --git a/source3/winbindd/winbindd.c b/source3/winbindd/winbindd.c
new file mode 100644
index 0000000..6796b07
--- /dev/null
+++ b/source3/winbindd/winbindd.c
@@ -0,0 +1,1727 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ Winbind daemon for ntdom nss module
+
+ Copyright (C) by Tim Potter 2000-2002
+ Copyright (C) Andrew Tridgell 2002
+ Copyright (C) Jelmer Vernooij 2003
+ Copyright (C) Volker Lendecke 2004
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "lib/cmdline/cmdline.h"
+#include "winbindd.h"
+#include "nsswitch/winbind_client.h"
+#include "nsswitch/wb_reqtrans.h"
+#include "ntdomain.h"
+#include "librpc/rpc/dcesrv_core.h"
+#include "librpc/gen_ndr/ndr_lsa_scompat.h"
+#include "librpc/gen_ndr/ndr_samr_scompat.h"
+#include "librpc/gen_ndr/ndr_winbind_scompat.h"
+#include "secrets.h"
+#include "rpc_client/cli_netlogon.h"
+#include "idmap.h"
+#include "lib/addrchange.h"
+#include "auth.h"
+#include "messages.h"
+#include "../lib/util/pidfile.h"
+#include "util_cluster.h"
+#include "source4/lib/messaging/irpc.h"
+#include "source4/lib/messaging/messaging.h"
+#include "lib/param/param.h"
+#include "lib/async_req/async_sock.h"
+#include "libsmb/samlogon_cache.h"
+#include "libcli/auth/netlogon_creds_cli.h"
+#include "passdb.h"
+#include "lib/util/tevent_req_profile.h"
+#include "lib/gencache.h"
+#include "rpc_server/rpc_config.h"
+#include "lib/global_contexts.h"
+#include "source3/lib/substitute.h"
+#include "winbindd_traceid.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_WINBIND
+
+#define SCRUB_CLIENTS_INTERVAL 5
+
+static bool client_is_idle(struct winbindd_cli_state *state);
+static void remove_client(struct winbindd_cli_state *state);
+
+static bool interactive = False;
+
+/* Reload configuration */
+
+
+
+static void winbindd_status(void)
+{
+ struct winbindd_cli_state *tmp;
+
+ DEBUG(0, ("winbindd status:\n"));
+
+ /* Print client state information */
+
+ DEBUG(0, ("\t%d clients currently active\n", winbindd_num_clients()));
+
+ if (DEBUGLEVEL >= 2 && winbindd_num_clients()) {
+ DEBUG(2, ("\tclient list:\n"));
+ for(tmp = winbindd_client_list(); tmp; tmp = tmp->next) {
+ DEBUGADD(2, ("\t\tpid %lu, sock %d (%s)\n",
+ (unsigned long)tmp->pid, tmp->sock,
+ client_is_idle(tmp) ? "idle" : "active"));
+ }
+ }
+}
+
+/*
+ handle stdin becoming readable when we are in --foreground mode
+ */
+static void winbindd_stdin_handler(struct tevent_context *ev,
+ struct tevent_fd *fde,
+ uint16_t flags,
+ void *private_data)
+{
+ char c;
+ if (read(0, &c, 1) != 1) {
+ bool *is_parent = talloc_get_type_abort(private_data, bool);
+
+ /* we have reached EOF on stdin, which means the
+ parent has exited. Shutdown the server */
+ DEBUG(0,("EOF on stdin (is_parent=%d)\n",
+ (int)*is_parent));
+ winbindd_terminate(*is_parent);
+ }
+}
+
+bool winbindd_setup_stdin_handler(bool parent, bool foreground)
+{
+ bool *is_parent;
+
+ if (foreground) {
+ struct stat st;
+
+ is_parent = talloc(global_event_context(), bool);
+ if (!is_parent) {
+ return false;
+ }
+
+ *is_parent = parent;
+
+ /* if we are running in the foreground then look for
+ EOF on stdin, and exit if it happens. This allows
+ us to die if the parent process dies
+ Only do this on a pipe or socket, no other device.
+ */
+ if (fstat(0, &st) != 0) {
+ return false;
+ }
+ if (S_ISFIFO(st.st_mode) || S_ISSOCK(st.st_mode)) {
+ tevent_add_fd(global_event_context(),
+ is_parent,
+ 0,
+ TEVENT_FD_READ,
+ winbindd_stdin_handler,
+ is_parent);
+ }
+ }
+
+ return true;
+}
+
+static void winbindd_sig_chld_handler(struct tevent_context *ev,
+ struct tevent_signal *se,
+ int signum,
+ int count,
+ void *siginfo,
+ void *private_data)
+{
+ pid_t pid;
+
+ while ((pid = waitpid(-1, NULL, WNOHANG)) > 0) {
+ winbind_child_died(pid);
+ }
+}
+
+static bool winbindd_setup_sig_chld_handler(void)
+{
+ struct tevent_signal *se;
+
+ se = tevent_add_signal(global_event_context(),
+ global_event_context(),
+ SIGCHLD, 0,
+ winbindd_sig_chld_handler,
+ NULL);
+ if (!se) {
+ return false;
+ }
+
+ return true;
+}
+
+static void winbindd_sig_usr2_handler(struct tevent_context *ev,
+ struct tevent_signal *se,
+ int signum,
+ int count,
+ void *siginfo,
+ void *private_data)
+{
+ winbindd_status();
+}
+
+static bool winbindd_setup_sig_usr2_handler(void)
+{
+ struct tevent_signal *se;
+
+ se = tevent_add_signal(global_event_context(),
+ global_event_context(),
+ SIGUSR2, 0,
+ winbindd_sig_usr2_handler,
+ NULL);
+ if (!se) {
+ return false;
+ }
+
+ return true;
+}
+
+/* React on 'smbcontrol winbindd shutdown' in the same way as on SIGTERM*/
+static void msg_shutdown(struct messaging_context *msg,
+ void *private_data,
+ uint32_t msg_type,
+ struct server_id server_id,
+ DATA_BLOB *data)
+{
+ /* only the parent waits for this message */
+ DEBUG(0,("Got shutdown message\n"));
+ winbindd_terminate(true);
+}
+
+
+static void winbind_msg_validate_cache(struct messaging_context *msg_ctx,
+ void *private_data,
+ uint32_t msg_type,
+ struct server_id server_id,
+ DATA_BLOB *data)
+{
+ uint8_t ret;
+ pid_t child_pid;
+ NTSTATUS status;
+
+ DEBUG(10, ("winbindd_msg_validate_cache: got validate-cache "
+ "message.\n"));
+
+ /*
+ * call the validation code from a child:
+ * so we don't block the main winbindd and the validation
+ * code can safely use fork/waitpid...
+ */
+ child_pid = fork();
+
+ if (child_pid == -1) {
+ DEBUG(1, ("winbind_msg_validate_cache: Could not fork: %s\n",
+ strerror(errno)));
+ return;
+ }
+
+ if (child_pid != 0) {
+ /* parent */
+ DEBUG(5, ("winbind_msg_validate_cache: child created with "
+ "pid %d.\n", (int)child_pid));
+ return;
+ }
+
+ /* child */
+
+ status = winbindd_reinit_after_fork(NULL, NULL);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1, ("winbindd_reinit_after_fork failed: %s\n",
+ nt_errstr(status)));
+ _exit(0);
+ }
+
+ /* install default SIGCHLD handler: validation code uses fork/waitpid */
+ CatchSignal(SIGCHLD, SIG_DFL);
+
+ setproctitle("validate cache child");
+
+ ret = (uint8_t)winbindd_validate_cache_nobackup();
+ DEBUG(10, ("winbindd_msg_validata_cache: got return value %d\n", ret));
+ messaging_send_buf(msg_ctx, server_id, MSG_WINBIND_VALIDATE_CACHE, &ret,
+ (size_t)1);
+ _exit(0);
+}
+
+static struct winbindd_bool_dispatch_table {
+ enum winbindd_cmd cmd;
+ bool (*fn)(struct winbindd_cli_state *state);
+ const char *cmd_name;
+} bool_dispatch_table[] = {
+ { WINBINDD_INTERFACE_VERSION,
+ winbindd_interface_version,
+ "INTERFACE_VERSION" },
+ { WINBINDD_INFO,
+ winbindd_info,
+ "INFO" },
+ { WINBINDD_PING,
+ winbindd_ping,
+ "PING" },
+ { WINBINDD_DOMAIN_NAME,
+ winbindd_domain_name,
+ "DOMAIN_NAME" },
+ { WINBINDD_NETBIOS_NAME,
+ winbindd_netbios_name,
+ "NETBIOS_NAME" },
+ { WINBINDD_DC_INFO,
+ winbindd_dc_info,
+ "DC_INFO" },
+ { WINBINDD_CCACHE_NTLMAUTH,
+ winbindd_ccache_ntlm_auth,
+ "NTLMAUTH" },
+ { WINBINDD_CCACHE_SAVE,
+ winbindd_ccache_save,
+ "CCACHE_SAVE" },
+ { WINBINDD_PRIV_PIPE_DIR,
+ winbindd_priv_pipe_dir,
+ "WINBINDD_PRIV_PIPE_DIR" },
+ { WINBINDD_LIST_TRUSTDOM,
+ winbindd_list_trusted_domains,
+ "LIST_TRUSTDOM" },
+};
+
+struct winbindd_async_dispatch_table {
+ enum winbindd_cmd cmd;
+ const char *cmd_name;
+ struct tevent_req *(*send_req)(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request);
+ NTSTATUS (*recv_req)(struct tevent_req *req,
+ struct winbindd_response *presp);
+};
+
+static struct winbindd_async_dispatch_table async_nonpriv_table[] = {
+ { WINBINDD_LOOKUPSID, "LOOKUPSID",
+ winbindd_lookupsid_send, winbindd_lookupsid_recv },
+ { WINBINDD_LOOKUPSIDS, "LOOKUPSIDS",
+ winbindd_lookupsids_send, winbindd_lookupsids_recv },
+ { WINBINDD_LOOKUPNAME, "LOOKUPNAME",
+ winbindd_lookupname_send, winbindd_lookupname_recv },
+ { WINBINDD_SIDS_TO_XIDS, "SIDS_TO_XIDS",
+ winbindd_sids_to_xids_send, winbindd_sids_to_xids_recv },
+ { WINBINDD_XIDS_TO_SIDS, "XIDS_TO_SIDS",
+ winbindd_xids_to_sids_send, winbindd_xids_to_sids_recv },
+ { WINBINDD_GETPWSID, "GETPWSID",
+ winbindd_getpwsid_send, winbindd_getpwsid_recv },
+ { WINBINDD_GETPWNAM, "GETPWNAM",
+ winbindd_getpwnam_send, winbindd_getpwnam_recv },
+ { WINBINDD_GETPWUID, "GETPWUID",
+ winbindd_getpwuid_send, winbindd_getpwuid_recv },
+ { WINBINDD_GETSIDALIASES, "GETSIDALIASES",
+ winbindd_getsidaliases_send, winbindd_getsidaliases_recv },
+ { WINBINDD_GETUSERDOMGROUPS, "GETUSERDOMGROUPS",
+ winbindd_getuserdomgroups_send, winbindd_getuserdomgroups_recv },
+ { WINBINDD_GETGROUPS, "GETGROUPS",
+ winbindd_getgroups_send, winbindd_getgroups_recv },
+ { WINBINDD_SHOW_SEQUENCE, "SHOW_SEQUENCE",
+ winbindd_show_sequence_send, winbindd_show_sequence_recv },
+ { WINBINDD_GETGRGID, "GETGRGID",
+ winbindd_getgrgid_send, winbindd_getgrgid_recv },
+ { WINBINDD_GETGRNAM, "GETGRNAM",
+ winbindd_getgrnam_send, winbindd_getgrnam_recv },
+ { WINBINDD_GETUSERSIDS, "GETUSERSIDS",
+ winbindd_getusersids_send, winbindd_getusersids_recv },
+ { WINBINDD_LOOKUPRIDS, "LOOKUPRIDS",
+ winbindd_lookuprids_send, winbindd_lookuprids_recv },
+ { WINBINDD_SETPWENT, "SETPWENT",
+ winbindd_setpwent_send, winbindd_setpwent_recv },
+ { WINBINDD_GETPWENT, "GETPWENT",
+ winbindd_getpwent_send, winbindd_getpwent_recv },
+ { WINBINDD_ENDPWENT, "ENDPWENT",
+ winbindd_endpwent_send, winbindd_endpwent_recv },
+ { WINBINDD_DSGETDCNAME, "DSGETDCNAME",
+ winbindd_dsgetdcname_send, winbindd_dsgetdcname_recv },
+ { WINBINDD_GETDCNAME, "GETDCNAME",
+ winbindd_getdcname_send, winbindd_getdcname_recv },
+ { WINBINDD_SETGRENT, "SETGRENT",
+ winbindd_setgrent_send, winbindd_setgrent_recv },
+ { WINBINDD_GETGRENT, "GETGRENT",
+ winbindd_getgrent_send, winbindd_getgrent_recv },
+ { WINBINDD_ENDGRENT, "ENDGRENT",
+ winbindd_endgrent_send, winbindd_endgrent_recv },
+ { WINBINDD_LIST_USERS, "LIST_USERS",
+ winbindd_list_users_send, winbindd_list_users_recv },
+ { WINBINDD_LIST_GROUPS, "LIST_GROUPS",
+ winbindd_list_groups_send, winbindd_list_groups_recv },
+ { WINBINDD_CHECK_MACHACC, "CHECK_MACHACC",
+ winbindd_check_machine_acct_send, winbindd_check_machine_acct_recv },
+ { WINBINDD_PING_DC, "PING_DC",
+ winbindd_ping_dc_send, winbindd_ping_dc_recv },
+ { WINBINDD_PAM_AUTH, "PAM_AUTH",
+ winbindd_pam_auth_send, winbindd_pam_auth_recv },
+ { WINBINDD_PAM_LOGOFF, "PAM_LOGOFF",
+ winbindd_pam_logoff_send, winbindd_pam_logoff_recv },
+ { WINBINDD_PAM_CHAUTHTOK, "PAM_CHAUTHTOK",
+ winbindd_pam_chauthtok_send, winbindd_pam_chauthtok_recv },
+ { WINBINDD_PAM_CHNG_PSWD_AUTH_CRAP, "PAM_CHNG_PSWD_AUTH_CRAP",
+ winbindd_pam_chng_pswd_auth_crap_send,
+ winbindd_pam_chng_pswd_auth_crap_recv },
+ { WINBINDD_WINS_BYIP, "WINS_BYIP",
+ winbindd_wins_byip_send, winbindd_wins_byip_recv },
+ { WINBINDD_WINS_BYNAME, "WINS_BYNAME",
+ winbindd_wins_byname_send, winbindd_wins_byname_recv },
+ { WINBINDD_DOMAIN_INFO, "DOMAIN_INFO",
+ winbindd_domain_info_send, winbindd_domain_info_recv },
+
+ { 0, NULL, NULL, NULL }
+};
+
+static struct winbindd_async_dispatch_table async_priv_table[] = {
+ { WINBINDD_ALLOCATE_UID, "ALLOCATE_UID",
+ winbindd_allocate_uid_send, winbindd_allocate_uid_recv },
+ { WINBINDD_ALLOCATE_GID, "ALLOCATE_GID",
+ winbindd_allocate_gid_send, winbindd_allocate_gid_recv },
+ { WINBINDD_CHANGE_MACHACC, "CHANGE_MACHACC",
+ winbindd_change_machine_acct_send, winbindd_change_machine_acct_recv },
+ { WINBINDD_PAM_AUTH_CRAP, "PAM_AUTH_CRAP",
+ winbindd_pam_auth_crap_send, winbindd_pam_auth_crap_recv },
+
+ { 0, NULL, NULL, NULL }
+};
+
+struct process_request_state {
+ struct winbindd_cli_state *cli_state;
+ struct tevent_context *ev;
+};
+
+static void process_request_done(struct tevent_req *subreq);
+static void process_request_written(struct tevent_req *subreq);
+
+static struct tevent_req *process_request_send(
+ TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli_state)
+{
+ struct tevent_req *req, *subreq;
+ struct process_request_state *state;
+ struct winbindd_async_dispatch_table *atable;
+ enum winbindd_cmd cmd = cli_state->request->cmd;
+ size_t i;
+ bool ok;
+ static uint64_t request_index = 1;
+
+ /*
+ * debug traceid values:
+ * 0 .. inactive
+ * 1 .. not processing a winbind request, but in other code (timers)
+ * >=2 .. winbind request processing
+ */
+ if (debug_traceid_get() != 0) {
+ request_index = ++request_index == 0 ? 2 : request_index;
+ debug_traceid_set(request_index);
+ }
+ req = tevent_req_create(mem_ctx, &state,
+ struct process_request_state);
+ if (req == NULL) {
+ return NULL;
+ }
+ state->cli_state = cli_state;
+ state->ev = ev;
+
+ ok = tevent_req_set_profile(req);
+ if (!ok) {
+ return tevent_req_post(req, ev);
+ }
+
+ SMB_ASSERT(cli_state->mem_ctx == NULL);
+ cli_state->mem_ctx = talloc_named(cli_state, 0, "winbind request");
+ if (tevent_req_nomem(cli_state->mem_ctx, req)) {
+ return tevent_req_post(req, ev);
+ }
+
+ cli_state->response = talloc_zero(
+ cli_state->mem_ctx,
+ struct winbindd_response);
+ if (tevent_req_nomem(cli_state->response, req)) {
+ return tevent_req_post(req, ev);
+ }
+ cli_state->response->result = WINBINDD_PENDING;
+ cli_state->response->length = sizeof(struct winbindd_response);
+
+ /* Remember who asked us. */
+ cli_state->pid = cli_state->request->pid;
+ memcpy(cli_state->client_name,
+ cli_state->request->client_name,
+ sizeof(cli_state->client_name));
+
+ cli_state->cmd_name = "unknown request";
+ cli_state->recv_fn = NULL;
+
+ /* client is newest */
+ winbindd_promote_client(cli_state);
+
+ for (atable = async_nonpriv_table; atable->send_req; atable += 1) {
+ if (cmd == atable->cmd) {
+ break;
+ }
+ }
+
+ if ((atable->send_req == NULL) && cli_state->privileged) {
+ for (atable = async_priv_table; atable->send_req;
+ atable += 1) {
+ if (cmd == atable->cmd) {
+ break;
+ }
+ }
+ }
+
+ if (atable->send_req != NULL) {
+ cli_state->cmd_name = atable->cmd_name;
+ cli_state->recv_fn = atable->recv_req;
+
+ DBG_NOTICE("[%s (%d)] Handling async request: %s\n",
+ cli_state->client_name,
+ (int)cli_state->pid,
+ cli_state->cmd_name);
+
+ subreq = atable->send_req(
+ state,
+ state->ev,
+ cli_state,
+ cli_state->request);
+ if (tevent_req_nomem(subreq, req)) {
+ return tevent_req_post(req, ev);
+ }
+ tevent_req_set_callback(subreq, process_request_done, req);
+ return req;
+ }
+
+ for (i=0; i<ARRAY_SIZE(bool_dispatch_table); i++) {
+ if (cmd == bool_dispatch_table[i].cmd) {
+ break;
+ }
+ }
+
+ ok = false;
+
+ if (i < ARRAY_SIZE(bool_dispatch_table)) {
+ cli_state->cmd_name = bool_dispatch_table[i].cmd_name;
+
+ DBG_DEBUG("process_request: request fn %s\n",
+ bool_dispatch_table[i].cmd_name);
+ ok = bool_dispatch_table[i].fn(cli_state);
+ }
+
+ cli_state->response->result = ok ? WINBINDD_OK : WINBINDD_ERROR;
+
+ TALLOC_FREE(cli_state->io_req);
+ TALLOC_FREE(cli_state->request);
+
+ subreq = wb_resp_write_send(
+ state,
+ state->ev,
+ cli_state->out_queue,
+ cli_state->sock,
+ cli_state->response);
+ if (tevent_req_nomem(subreq, req)) {
+ return tevent_req_post(req, ev);
+ }
+ tevent_req_set_callback(subreq, process_request_written, req);
+
+ cli_state->io_req = subreq;
+
+ return req;
+}
+
+static void process_request_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct process_request_state *state = tevent_req_data(
+ req, struct process_request_state);
+ struct winbindd_cli_state *cli_state = state->cli_state;
+ NTSTATUS status;
+ bool ok;
+
+ status = cli_state->recv_fn(subreq, cli_state->response);
+ TALLOC_FREE(subreq);
+
+ DBG_NOTICE("[%s(%d):%s]: %s\n",
+ cli_state->client_name,
+ (int)cli_state->pid,
+ cli_state->cmd_name,
+ nt_errstr(status));
+
+ ok = NT_STATUS_IS_OK(status);
+ cli_state->response->result = ok ? WINBINDD_OK : WINBINDD_ERROR;
+
+ TALLOC_FREE(cli_state->io_req);
+ TALLOC_FREE(cli_state->request);
+
+ subreq = wb_resp_write_send(
+ state,
+ state->ev,
+ cli_state->out_queue,
+ cli_state->sock,
+ cli_state->response);
+ if (tevent_req_nomem(subreq, req)) {
+ return;
+ }
+ tevent_req_set_callback(subreq, process_request_written, req);
+
+ cli_state->io_req = subreq;
+}
+
+static void process_request_written(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct process_request_state *state = tevent_req_data(
+ req, struct process_request_state);
+ struct winbindd_cli_state *cli_state = state->cli_state;
+ ssize_t ret;
+ int err;
+
+ cli_state->io_req = NULL;
+
+ ret = wb_resp_write_recv(subreq, &err);
+ TALLOC_FREE(subreq);
+ if (ret == -1) {
+ tevent_req_nterror(req, map_nt_error_from_unix(err));
+ return;
+ }
+
+ DBG_DEBUG("[%s(%d):%s]: delivered response to client\n",
+ cli_state->client_name,
+ (int)cli_state->pid,
+ cli_state->cmd_name);
+
+ TALLOC_FREE(cli_state->mem_ctx);
+ cli_state->response = NULL;
+ cli_state->cmd_name = "no request";
+ cli_state->recv_fn = NULL;
+
+ tevent_req_done(req);
+}
+
+static NTSTATUS process_request_recv(
+ struct tevent_req *req,
+ TALLOC_CTX *mem_ctx,
+ struct tevent_req_profile **profile)
+{
+ NTSTATUS status;
+
+ if (tevent_req_is_nterror(req, &status)) {
+ tevent_req_received(req);
+ return status;
+ }
+
+ *profile = tevent_req_move_profile(req, mem_ctx);
+ tevent_req_received(req);
+ return NT_STATUS_OK;
+}
+
+/*
+ * This is the main event loop of winbind requests. It goes through a
+ * state-machine of 3 read/write requests, 4 if you have extra data to send.
+ *
+ * An idle winbind client has a read request of 4 bytes outstanding,
+ * finalizing function is request_len_recv, checking the length. request_recv
+ * then processes the packet. The processing function then at some point has
+ * to call request_finished which schedules sending the response.
+ */
+
+static void winbind_client_request_read(struct tevent_req *req);
+static void winbind_client_activity(struct tevent_req *req);
+static void winbind_client_processed(struct tevent_req *req);
+
+/* Process a new connection by adding it to the client connection list */
+
+static void new_connection(int listen_sock, bool privileged)
+{
+ struct sockaddr_un sunaddr;
+ struct winbindd_cli_state *state;
+ struct tevent_req *req;
+ socklen_t len;
+ int sock;
+
+ /* Accept connection */
+
+ len = sizeof(sunaddr);
+
+ sock = accept(listen_sock, (struct sockaddr *)(void *)&sunaddr, &len);
+
+ if (sock == -1) {
+ if (errno != EINTR) {
+ D_ERR("Failed to accept socket: %s\n", strerror(errno));
+ }
+ return;
+ }
+ smb_set_close_on_exec(sock);
+
+ D_INFO("Accepted client socket %d\n", sock);
+
+ /* Create new connection structure */
+
+ if ((state = talloc_zero(NULL, struct winbindd_cli_state)) == NULL) {
+ close(sock);
+ return;
+ }
+
+ state->sock = sock;
+
+ state->out_queue = tevent_queue_create(state, "winbind client reply");
+ if (state->out_queue == NULL) {
+ close(sock);
+ TALLOC_FREE(state);
+ return;
+ }
+
+ state->privileged = privileged;
+
+ req = wb_req_read_send(state, global_event_context(), state->sock,
+ WINBINDD_MAX_EXTRA_DATA);
+ if (req == NULL) {
+ TALLOC_FREE(state);
+ close(sock);
+ return;
+ }
+ tevent_req_set_callback(req, winbind_client_request_read, state);
+ state->io_req = req;
+
+ /* Add to connection list */
+
+ winbindd_add_client(state);
+}
+
+static void winbind_client_request_read(struct tevent_req *req)
+{
+ struct winbindd_cli_state *state = tevent_req_callback_data(
+ req, struct winbindd_cli_state);
+ ssize_t ret;
+ int err;
+
+ state->io_req = NULL;
+
+ ret = wb_req_read_recv(req, state, &state->request, &err);
+ TALLOC_FREE(req);
+ if (ret == -1) {
+ if (err == EPIPE) {
+ DEBUG(6, ("closing socket %d, client exited\n",
+ state->sock));
+ } else {
+ DEBUG(2, ("Could not read client request from fd %d: "
+ "%s\n", state->sock, strerror(err)));
+ }
+ close(state->sock);
+ state->sock = -1;
+ remove_client(state);
+ return;
+ }
+
+ req = wait_for_read_send(state, global_event_context(), state->sock,
+ true);
+ if (req == NULL) {
+ DEBUG(0, ("winbind_client_request_read[%d:%s]:"
+ " wait_for_read_send failed - removing client\n",
+ (int)state->pid, state->cmd_name));
+ remove_client(state);
+ return;
+ }
+ tevent_req_set_callback(req, winbind_client_activity, state);
+ state->io_req = req;
+
+ req = process_request_send(state, global_event_context(), state);
+ if (req == NULL) {
+ DBG_ERR("process_request_send failed\n");
+ remove_client(state);
+ return;
+ }
+ tevent_req_set_callback(req, winbind_client_processed, state);
+}
+
+static void winbind_client_activity(struct tevent_req *req)
+{
+ struct winbindd_cli_state *state =
+ tevent_req_callback_data(req, struct winbindd_cli_state);
+ int err;
+ bool has_data;
+
+ has_data = wait_for_read_recv(req, &err);
+
+ if (has_data) {
+ DEBUG(0, ("winbind_client_activity[%d:%s]:"
+ "unexpected data from client - removing client\n",
+ (int)state->pid, state->cmd_name));
+ } else {
+ if (err == EPIPE) {
+ DEBUG(6, ("winbind_client_activity[%d:%s]: "
+ "client has closed connection - removing "
+ "client\n",
+ (int)state->pid, state->cmd_name));
+ } else {
+ DEBUG(2, ("winbind_client_activity[%d:%s]: "
+ "client socket error (%s) - removing "
+ "client\n",
+ (int)state->pid, state->cmd_name,
+ strerror(err)));
+ }
+ }
+
+ remove_client(state);
+}
+
+static void winbind_client_processed(struct tevent_req *req)
+{
+ struct winbindd_cli_state *cli_state = tevent_req_callback_data(
+ req, struct winbindd_cli_state);
+ struct tevent_req_profile *profile = NULL;
+ struct timeval start, stop, diff;
+ int threshold;
+ NTSTATUS status;
+
+ status = process_request_recv(req, cli_state, &profile);
+ TALLOC_FREE(req);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_DEBUG("process_request failed: %s\n", nt_errstr(status));
+ remove_client(cli_state);
+ return;
+ }
+
+ tevent_req_profile_get_start(profile, NULL, &start);
+ tevent_req_profile_get_stop(profile, NULL, &stop);
+ diff = tevent_timeval_until(&start, &stop);
+
+ threshold = lp_parm_int(-1, "winbind", "request profile threshold", 60);
+
+ if (diff.tv_sec >= threshold) {
+ int depth;
+ char *str;
+
+ depth = lp_parm_int(
+ -1,
+ "winbind",
+ "request profile depth",
+ INT_MAX);
+
+ DBG_ERR("request took %u.%.6u seconds\n",
+ (unsigned)diff.tv_sec, (unsigned)diff.tv_usec);
+
+ str = tevent_req_profile_string(
+ talloc_tos(), profile, 0, depth);
+ if (str != NULL) {
+ /* No "\n", already contained in "str" */
+ DEBUGADD(0, ("%s", str));
+ }
+ TALLOC_FREE(str);
+ }
+
+ TALLOC_FREE(profile);
+
+ req = wb_req_read_send(
+ cli_state,
+ global_event_context(),
+ cli_state->sock,
+ WINBINDD_MAX_EXTRA_DATA);
+ if (req == NULL) {
+ remove_client(cli_state);
+ return;
+ }
+ tevent_req_set_callback(req, winbind_client_request_read, cli_state);
+ cli_state->io_req = req;
+}
+
+/* Remove a client connection from client connection list */
+
+static void remove_client(struct winbindd_cli_state *state)
+{
+ /* It's a dead client - hold a funeral */
+
+ if (state == NULL) {
+ return;
+ }
+
+ /*
+ * We need to remove a pending wb_req_read_*
+ * or wb_resp_write_* request before closing the
+ * socket.
+ *
+ * This is important as they might have used tevent_add_fd() and we
+ * use the epoll * backend on linux. So we must remove the tevent_fd
+ * before closing the fd.
+ *
+ * Otherwise we might hit a race with close_conns_after_fork() (via
+ * winbindd_reinit_after_fork()) where a file descriptor
+ * is still open in a child, which means it's still active in
+ * the parents epoll queue, but the related tevent_fd is already
+ * already gone in the parent.
+ *
+ * See bug #11141.
+ */
+ TALLOC_FREE(state->io_req);
+
+ if (state->sock != -1) {
+ char c = 0;
+ int nwritten;
+
+ /* tell client, we are closing ... */
+ nwritten = write(state->sock, &c, sizeof(c));
+ if (nwritten == -1) {
+ DEBUG(2, ("final write to client failed: %s\n",
+ strerror(errno)));
+ }
+
+ /* Close socket */
+
+ close(state->sock);
+ state->sock = -1;
+ }
+
+ TALLOC_FREE(state->mem_ctx);
+
+ /* Remove from list and free */
+
+ winbindd_remove_client(state);
+ TALLOC_FREE(state);
+}
+
+/* Is a client idle? */
+
+static bool client_is_idle(struct winbindd_cli_state *state) {
+ return (state->request == NULL &&
+ state->response == NULL &&
+ !state->pwent_state && !state->grent_state);
+}
+
+/* Shutdown client connection which has been idle for the longest time */
+
+static bool remove_idle_client(void)
+{
+ struct winbindd_cli_state *state, *remove_state = NULL;
+ int nidle = 0;
+
+ for (state = winbindd_client_list(); state; state = state->next) {
+ if (client_is_idle(state)) {
+ nidle++;
+ /* list is sorted by access time */
+ remove_state = state;
+ }
+ }
+
+ if (remove_state) {
+ DEBUG(5,("Found %d idle client connections, shutting down sock %d, pid %u\n",
+ nidle, remove_state->sock, (unsigned int)remove_state->pid));
+ remove_client(remove_state);
+ return True;
+ }
+
+ return False;
+}
+
+/*
+ * Terminate all clients whose requests have taken longer than
+ * "winbind request timeout" seconds to process, or have been
+ * idle for more than "winbind request timeout" seconds.
+ */
+
+static void remove_timed_out_clients(void)
+{
+ struct winbindd_cli_state *state, *prev = NULL;
+ time_t curr_time = time(NULL);
+ int timeout_val = lp_winbind_request_timeout();
+
+ for (state = winbindd_client_list_tail(); state; state = prev) {
+ time_t expiry_time;
+
+ prev = winbindd_client_list_prev(state);
+ expiry_time = state->last_access + timeout_val;
+
+ if (curr_time <= expiry_time) {
+ /* list is sorted, previous clients in
+ list are newer */
+ break;
+ }
+
+ if (client_is_idle(state)) {
+ DEBUG(5,("Idle client timed out, "
+ "shutting down sock %d, pid %u\n",
+ state->sock,
+ (unsigned int)state->pid));
+ } else {
+ DEBUG(5,("Client request timed out, "
+ "shutting down sock %d, pid %u\n",
+ state->sock,
+ (unsigned int)state->pid));
+ }
+
+ remove_client(state);
+ }
+}
+
+static void winbindd_scrub_clients_handler(struct tevent_context *ev,
+ struct tevent_timer *te,
+ struct timeval current_time,
+ void *private_data)
+{
+ remove_timed_out_clients();
+ if (tevent_add_timer(ev, ev,
+ timeval_current_ofs(SCRUB_CLIENTS_INTERVAL, 0),
+ winbindd_scrub_clients_handler, NULL) == NULL) {
+ DEBUG(0, ("winbindd: failed to reschedule client scrubber\n"));
+ exit(1);
+ }
+}
+
+struct winbindd_listen_state {
+ bool privileged;
+ int fd;
+};
+
+static void winbindd_listen_fde_handler(struct tevent_context *ev,
+ struct tevent_fd *fde,
+ uint16_t flags,
+ void *private_data)
+{
+ struct winbindd_listen_state *s = talloc_get_type_abort(private_data,
+ struct winbindd_listen_state);
+
+ while (winbindd_num_clients() > lp_winbind_max_clients() - 1) {
+ DEBUG(5,("winbindd: Exceeding %d client "
+ "connections, removing idle "
+ "connection.\n", lp_winbind_max_clients()));
+ if (!remove_idle_client()) {
+ DEBUG(0,("winbindd: Exceeding %d "
+ "client connections, no idle "
+ "connection found\n",
+ lp_winbind_max_clients()));
+ break;
+ }
+ }
+ remove_timed_out_clients();
+ new_connection(s->fd, s->privileged);
+}
+
+/*
+ * Winbindd socket accessor functions
+ */
+
+static bool winbindd_setup_listeners(void)
+{
+ struct winbindd_listen_state *pub_state = NULL;
+ struct winbindd_listen_state *priv_state = NULL;
+ struct tevent_fd *fde;
+ int rc;
+ char *socket_path;
+
+ pub_state = talloc(global_event_context(),
+ struct winbindd_listen_state);
+ if (!pub_state) {
+ goto failed;
+ }
+
+ pub_state->privileged = false;
+ pub_state->fd = create_pipe_sock(
+ lp_winbindd_socket_directory(), WINBINDD_SOCKET_NAME, 0755);
+ if (pub_state->fd == -1) {
+ goto failed;
+ }
+ rc = listen(pub_state->fd, 5);
+ if (rc < 0) {
+ goto failed;
+ }
+
+ fde = tevent_add_fd(global_event_context(), pub_state, pub_state->fd,
+ TEVENT_FD_READ, winbindd_listen_fde_handler,
+ pub_state);
+ if (fde == NULL) {
+ close(pub_state->fd);
+ goto failed;
+ }
+ tevent_fd_set_auto_close(fde);
+
+ priv_state = talloc(global_event_context(),
+ struct winbindd_listen_state);
+ if (!priv_state) {
+ goto failed;
+ }
+
+ socket_path = get_winbind_priv_pipe_dir();
+ if (socket_path == NULL) {
+ goto failed;
+ }
+
+ priv_state->privileged = true;
+ priv_state->fd = create_pipe_sock(
+ socket_path, WINBINDD_SOCKET_NAME, 0750);
+ TALLOC_FREE(socket_path);
+ if (priv_state->fd == -1) {
+ goto failed;
+ }
+ rc = listen(priv_state->fd, 5);
+ if (rc < 0) {
+ goto failed;
+ }
+
+ fde = tevent_add_fd(global_event_context(), priv_state,
+ priv_state->fd, TEVENT_FD_READ,
+ winbindd_listen_fde_handler, priv_state);
+ if (fde == NULL) {
+ close(priv_state->fd);
+ goto failed;
+ }
+ tevent_fd_set_auto_close(fde);
+
+ winbindd_scrub_clients_handler(global_event_context(), NULL,
+ timeval_current(), NULL);
+ return true;
+failed:
+ TALLOC_FREE(pub_state);
+ TALLOC_FREE(priv_state);
+ return false;
+}
+
+static void winbindd_register_handlers(struct messaging_context *msg_ctx,
+ bool foreground)
+{
+ bool scan_trusts = true;
+ NTSTATUS status;
+ struct tevent_timer *te = NULL;
+
+ /* Setup signal handlers */
+
+ if (!winbindd_setup_sig_term_handler(true))
+ exit(1);
+ if (!winbindd_setup_stdin_handler(true, foreground))
+ exit(1);
+ if (!winbindd_setup_sig_hup_handler(NULL))
+ exit(1);
+ if (!winbindd_setup_sig_chld_handler())
+ exit(1);
+ if (!winbindd_setup_sig_usr2_handler())
+ exit(1);
+
+ CatchSignal(SIGPIPE, SIG_IGN); /* Ignore sigpipe */
+
+ /*
+ * Ensure all cache and idmap caches are consistent
+ * and initialized before we startup.
+ */
+ if (!winbindd_cache_validate_and_initialize()) {
+ exit(1);
+ }
+
+ /* React on 'smbcontrol winbindd reload-config' in the same way
+ as to SIGHUP signal */
+ messaging_register(msg_ctx, NULL,
+ MSG_SMB_CONF_UPDATED,
+ winbindd_msg_reload_services_parent);
+ messaging_register(msg_ctx, NULL,
+ MSG_SHUTDOWN, msg_shutdown);
+
+ /* Handle online/offline messages. */
+ messaging_register(msg_ctx, NULL,
+ MSG_WINBIND_OFFLINE, winbind_msg_offline);
+ messaging_register(msg_ctx, NULL,
+ MSG_WINBIND_ONLINE, winbind_msg_online);
+ messaging_register(msg_ctx, NULL,
+ MSG_WINBIND_ONLINESTATUS, winbind_msg_onlinestatus);
+
+ /* Handle domain online/offline messages for domains */
+ messaging_register(global_messaging_context(), NULL,
+ MSG_WINBIND_DOMAIN_OFFLINE, winbind_msg_domain_offline);
+ messaging_register(global_messaging_context(), NULL,
+ MSG_WINBIND_DOMAIN_ONLINE, winbind_msg_domain_online);
+
+ messaging_register(msg_ctx, NULL,
+ MSG_WINBIND_VALIDATE_CACHE,
+ winbind_msg_validate_cache);
+
+ messaging_register(msg_ctx, NULL,
+ MSG_WINBIND_DUMP_DOMAIN_LIST,
+ winbind_msg_dump_domain_list);
+
+ messaging_register(msg_ctx, NULL,
+ MSG_WINBIND_IP_DROPPED,
+ winbind_msg_ip_dropped_parent);
+
+ /* Register handler for MSG_DEBUG. */
+ messaging_register(msg_ctx, NULL,
+ MSG_DEBUG,
+ winbind_msg_debug);
+
+ messaging_register(msg_ctx, NULL,
+ MSG_WINBIND_DISCONNECT_DC,
+ winbind_disconnect_dc_parent);
+
+ netsamlogon_cache_init(); /* Non-critical */
+
+ /* clear the cached list of trusted domains */
+
+ wcache_tdc_clear();
+
+ if (!init_domain_list()) {
+ DEBUG(0,("unable to initialize domain list\n"));
+ exit(1);
+ }
+
+ init_idmap_child();
+ init_locator_child();
+
+ smb_nscd_flush_user_cache();
+ smb_nscd_flush_group_cache();
+
+ if (!lp_winbind_scan_trusted_domains()) {
+ scan_trusts = false;
+ }
+
+ if (!lp_allow_trusted_domains()) {
+ scan_trusts = false;
+ }
+
+ if (IS_DC) {
+ scan_trusts = false;
+ }
+
+ if (scan_trusts) {
+ if (tevent_add_timer(global_event_context(), NULL, timeval_zero(),
+ rescan_trusted_domains, NULL) == NULL) {
+ DEBUG(0, ("Could not trigger rescan_trusted_domains()\n"));
+ exit(1);
+ }
+ }
+
+ te = tevent_add_timer(global_event_context(),
+ NULL,
+ timeval_zero(),
+ winbindd_ping_offline_domains,
+ NULL);
+ if (te == NULL) {
+ DBG_ERR("Failed to schedule winbindd_ping_offline_domains()\n");
+ exit(1);
+ }
+
+ status = wb_irpc_register();
+
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("Could not register IRPC handlers\n"));
+ exit(1);
+ }
+}
+
+struct winbindd_addrchanged_state {
+ struct addrchange_context *ctx;
+ struct tevent_context *ev;
+ struct messaging_context *msg_ctx;
+};
+
+static void winbindd_addr_changed(struct tevent_req *req);
+
+static void winbindd_init_addrchange(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct messaging_context *msg_ctx)
+{
+ struct winbindd_addrchanged_state *state;
+ struct tevent_req *req;
+ NTSTATUS status;
+
+ state = talloc(mem_ctx, struct winbindd_addrchanged_state);
+ if (state == NULL) {
+ DEBUG(10, ("talloc failed\n"));
+ return;
+ }
+ state->ev = ev;
+ state->msg_ctx = msg_ctx;
+
+ status = addrchange_context_create(state, &state->ctx);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(10, ("addrchange_context_create failed: %s\n",
+ nt_errstr(status)));
+ TALLOC_FREE(state);
+ return;
+ }
+ req = addrchange_send(state, ev, state->ctx);
+ if (req == NULL) {
+ DEBUG(0, ("addrchange_send failed\n"));
+ TALLOC_FREE(state);
+ return;
+ }
+ tevent_req_set_callback(req, winbindd_addr_changed, state);
+}
+
+static void winbindd_addr_changed(struct tevent_req *req)
+{
+ struct winbindd_addrchanged_state *state = tevent_req_callback_data(
+ req, struct winbindd_addrchanged_state);
+ enum addrchange_type type;
+ struct sockaddr_storage addr;
+ NTSTATUS status;
+
+ status = addrchange_recv(req, &type, &addr);
+ TALLOC_FREE(req);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(10, ("addrchange_recv failed: %s, stop listening\n",
+ nt_errstr(status)));
+ TALLOC_FREE(state);
+ return;
+ }
+ if (type == ADDRCHANGE_DEL) {
+ char addrstr[INET6_ADDRSTRLEN];
+ DATA_BLOB blob;
+
+ print_sockaddr(addrstr, sizeof(addrstr), &addr);
+
+ DEBUG(3, ("winbindd: kernel (AF_NETLINK) dropped ip %s\n",
+ addrstr));
+
+ blob = data_blob_const(addrstr, strlen(addrstr)+1);
+
+ status = messaging_send(state->msg_ctx,
+ messaging_server_id(state->msg_ctx),
+ MSG_WINBIND_IP_DROPPED, &blob);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(10, ("messaging_send failed: %s - ignoring\n",
+ nt_errstr(status)));
+ }
+ }
+ req = addrchange_send(state, state->ev, state->ctx);
+ if (req == NULL) {
+ DEBUG(0, ("addrchange_send failed\n"));
+ TALLOC_FREE(state);
+ return;
+ }
+ tevent_req_set_callback(req, winbindd_addr_changed, state);
+}
+
+/* Main function */
+
+int main(int argc, const char **argv)
+{
+ static bool log_stdout = False;
+ struct samba_cmdline_daemon_cfg *cmdline_daemon_cfg = NULL;
+ struct poptOption long_options[] = {
+ POPT_AUTOHELP
+ {
+ .longName = "no-caching",
+ .shortName = 'n',
+ .argInfo = POPT_ARG_NONE,
+ .arg = NULL,
+ .val = 'n',
+ .descrip = "Disable caching",
+ },
+ POPT_COMMON_SAMBA
+ POPT_COMMON_DAEMON
+ POPT_COMMON_VERSION
+ POPT_TABLEEND
+ };
+ const struct loadparm_substitution *lp_sub =
+ loadparm_s3_global_substitution();
+ poptContext pc;
+ int opt;
+ TALLOC_CTX *frame;
+ NTSTATUS status;
+ bool ok;
+ const struct dcesrv_endpoint_server *ep_server = NULL;
+ struct dcesrv_context *dce_ctx = NULL;
+ size_t winbindd_socket_dir_len = 0;
+ char *winbindd_priv_socket_dir = NULL;
+ size_t winbindd_priv_socket_dir_len = 0;
+
+ setproctitle_init(argc, discard_const(argv), environ);
+
+ /*
+ * Do this before any other talloc operation
+ */
+ talloc_enable_null_tracking();
+ frame = talloc_stackframe();
+
+ /*
+ * We want total control over the permissions on created files,
+ * so set our umask to 0.
+ */
+ umask(0);
+
+ smb_init_locale();
+
+ /* glibc (?) likes to print "User defined signal 1" and exit if a
+ SIGUSR[12] is received before a handler is installed */
+
+ CatchSignal(SIGUSR1, SIG_IGN);
+ CatchSignal(SIGUSR2, SIG_IGN);
+
+ ok = samba_cmdline_init(frame,
+ SAMBA_CMDLINE_CONFIG_SERVER,
+ true /* require_smbconf */);
+ if (!ok) {
+ DBG_ERR("Failed to setup cmdline parser\n");
+ TALLOC_FREE(frame);
+ exit(1);
+ }
+
+ cmdline_daemon_cfg = samba_cmdline_get_daemon_cfg();
+
+ pc = samba_popt_get_context(getprogname(), argc, argv, long_options, 0);
+ if (pc == NULL) {
+ DBG_ERR("Failed to setup popt parser!\n");
+ TALLOC_FREE(frame);
+ exit(1);
+ }
+
+ while ((opt = poptGetNextOpt(pc)) != -1) {
+ switch (opt) {
+ case 'n':
+ winbindd_set_use_cache(false);
+ break;
+ default:
+ d_fprintf(stderr, "\nInvalid option %s: %s\n\n",
+ poptBadOption(pc, 0), poptStrerror(opt));
+ poptPrintUsage(pc, stderr, 0);
+ exit(1);
+ }
+ }
+
+ /* Set environment variable so we don't recursively call ourselves.
+ This may also be useful interactively. */
+ if ( !winbind_off() ) {
+ DEBUG(0,("Failed to disable recusive winbindd calls. Exiting.\n"));
+ exit(1);
+ }
+
+ /* Initialise for running in non-root mode */
+ sec_init();
+
+ set_remote_machine_name("winbindd", False);
+
+ dump_core_setup("winbindd", lp_logfile(talloc_tos(), lp_sub));
+ if (cmdline_daemon_cfg->daemon && cmdline_daemon_cfg->interactive) {
+ d_fprintf(stderr,"\nERROR: "
+ "Option -i|--interactive is not allowed together with -D|--daemon\n\n");
+ poptPrintUsage(pc, stderr, 0);
+ exit(1);
+ }
+
+ log_stdout = (debug_get_log_type() == DEBUG_STDOUT);
+ if (cmdline_daemon_cfg->interactive) {
+ /*
+ * libcmdline POPT_DAEMON callback sets "fork" to false if "-i"
+ * for interactive is passed on the commandline. Set it back to
+ * true. TODO: check if this is correct, smbd and nmbd don't do
+ * this.
+ */
+ cmdline_daemon_cfg->fork = true;
+ log_stdout = true;
+ }
+
+ if (log_stdout && cmdline_daemon_cfg->fork) {
+ d_fprintf(stderr, "\nERROR: "
+ "Can't log to stdout (-S) unless daemon is in "
+ "foreground (-F) or interactive (-i)\n\n");
+ poptPrintUsage(pc, stderr, 0);
+ exit(1);
+ }
+
+ poptFreeContext(pc);
+
+ reopen_logs();
+
+ DEBUG(0,("winbindd version %s started.\n", samba_version_string()));
+ DEBUGADD(0,("%s\n", COPYRIGHT_STARTUP_MESSAGE));
+
+ /* After parsing the configuration file we setup the core path one more time
+ * as the log file might have been set in the configuration and cores's
+ * path is by default basename(lp_logfile()).
+ */
+ dump_core_setup("winbindd", lp_logfile(talloc_tos(), lp_sub));
+
+ if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC) {
+ if (!lp_parm_bool(-1, "server role check", "inhibit", false)) {
+ DBG_ERR("server role = 'active directory domain controller' not compatible with running the winbindd binary. \n");
+ DEBUGADD(0, ("You should start 'samba' instead, and it will control starting the internal AD DC winbindd implementation, which is not the same as this one\n"));
+ exit(1);
+ }
+ /* Main 'samba' daemon will notify */
+ daemon_sd_notifications(false);
+ }
+
+ if (lp_security() == SEC_ADS) {
+ const char *realm = lp_realm();
+ const char *workgroup = lp_workgroup();
+
+ if (workgroup == NULL || strlen(workgroup) == 0) {
+ DBG_ERR("For 'secuirity = ADS' mode, the 'workgroup' "
+ "parameter is required to be set!\n");
+ exit(1);
+ }
+
+ if (realm == NULL || strlen(realm) == 0) {
+ DBG_ERR("For 'secuirity = ADS' mode, the 'realm' "
+ "parameter is required to be set!\n");
+ exit(1);
+ }
+ }
+
+ winbindd_socket_dir_len = strlen(lp_winbindd_socket_directory());
+ if (winbindd_socket_dir_len > 0) {
+ size_t winbindd_socket_len =
+ winbindd_socket_dir_len + 1 +
+ strlen(WINBINDD_SOCKET_NAME);
+ struct sockaddr_un un = {
+ .sun_family = AF_UNIX,
+ };
+ size_t sun_path_len = sizeof(un.sun_path);
+
+ if (winbindd_socket_len >= sun_path_len) {
+ DBG_ERR("The winbind socket path [%s/%s] is too long "
+ "(%zu >= %zu)\n",
+ lp_winbindd_socket_directory(),
+ WINBINDD_SOCKET_NAME,
+ winbindd_socket_len,
+ sun_path_len);
+ exit(1);
+ }
+ } else {
+ DBG_ERR("'winbindd_socket_directory' parameter is empty\n");
+ exit(1);
+ }
+
+ winbindd_priv_socket_dir = get_winbind_priv_pipe_dir();
+ winbindd_priv_socket_dir_len = strlen(winbindd_priv_socket_dir);
+ if (winbindd_priv_socket_dir_len > 0) {
+ size_t winbindd_priv_socket_len =
+ winbindd_priv_socket_dir_len + 1 +
+ strlen(WINBINDD_SOCKET_NAME);
+ struct sockaddr_un un = {
+ .sun_family = AF_UNIX,
+ };
+ size_t sun_path_len = sizeof(un.sun_path);
+
+ if (winbindd_priv_socket_len >= sun_path_len) {
+ DBG_ERR("The winbind privileged socket path [%s/%s] is too long "
+ "(%zu >= %zu)\n",
+ winbindd_priv_socket_dir,
+ WINBINDD_SOCKET_NAME,
+ winbindd_priv_socket_len,
+ sun_path_len);
+ exit(1);
+ }
+ } else {
+ DBG_ERR("'winbindd_priv_socket_directory' parameter is empty\n");
+ exit(1);
+ }
+ TALLOC_FREE(winbindd_priv_socket_dir);
+
+ if (!cluster_probe_ok()) {
+ exit(1);
+ }
+
+ /* Initialise messaging system */
+
+ if (global_messaging_context() == NULL) {
+ exit(1);
+ }
+
+ if (!winbindd_reload_services_file(NULL)) {
+ DEBUG(0, ("error opening config file\n"));
+ exit(1);
+ }
+
+ {
+ size_t i;
+ const char *idmap_backend;
+ const char *invalid_backends[] = {
+ "ad", "rfc2307", "rid",
+ };
+
+ idmap_backend = lp_idmap_default_backend();
+ for (i = 0; i < ARRAY_SIZE(invalid_backends); i++) {
+ ok = strequal(idmap_backend, invalid_backends[i]);
+ if (ok) {
+ DBG_ERR("FATAL: Invalid idmap backend %s "
+ "configured as the default backend!\n",
+ idmap_backend);
+ exit(1);
+ }
+ }
+ }
+
+ ok = directory_create_or_exist(lp_lock_directory(), 0755);
+ if (!ok) {
+ DEBUG(0, ("Failed to create directory %s for lock files - %s\n",
+ lp_lock_directory(), strerror(errno)));
+ exit(1);
+ }
+
+ ok = directory_create_or_exist(lp_pid_directory(), 0755);
+ if (!ok) {
+ DEBUG(0, ("Failed to create directory %s for pid files - %s\n",
+ lp_pid_directory(), strerror(errno)));
+ exit(1);
+ }
+
+ load_interfaces();
+
+ if (!secrets_init()) {
+
+ DEBUG(0,("Could not initialize domain trust account secrets. Giving up\n"));
+ return False;
+ }
+
+ status = rpccli_pre_open_netlogon_creds();
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("rpccli_pre_open_netlogon_creds() - %s\n",
+ nt_errstr(status)));
+ exit(1);
+ }
+
+ /* Unblock all signals we are interested in as they may have been
+ blocked by the parent process. */
+
+ BlockSignals(False, SIGINT);
+ BlockSignals(False, SIGQUIT);
+ BlockSignals(False, SIGTERM);
+ BlockSignals(False, SIGUSR1);
+ BlockSignals(False, SIGUSR2);
+ BlockSignals(False, SIGHUP);
+ BlockSignals(False, SIGCHLD);
+
+ if (!interactive) {
+ become_daemon(cmdline_daemon_cfg->fork,
+ cmdline_daemon_cfg->no_process_group,
+ log_stdout);
+ } else {
+ daemon_status("winbindd", "Starting process ...");
+ }
+
+ pidfile_create(lp_pid_directory(), "winbindd");
+
+#ifdef HAVE_SETPGID
+ /*
+ * If we're interactive we want to set our own process group for
+ * signal management.
+ */
+ if (cmdline_daemon_cfg->interactive &&
+ !cmdline_daemon_cfg->no_process_group)
+ {
+ setpgid( (pid_t)0, (pid_t)0);
+ }
+#endif
+
+ TimeInit();
+
+ /* Don't use winbindd_reinit_after_fork here as
+ * we're just starting up and haven't created any
+ * winbindd-specific resources we must free yet. JRA.
+ */
+
+ status = reinit_after_fork(global_messaging_context(),
+ global_event_context(),
+ false, NULL);
+ if (!NT_STATUS_IS_OK(status)) {
+ exit_daemon("Winbindd reinit_after_fork() failed", map_errno_from_nt_status(status));
+ }
+
+ if (lp_winbind_debug_traceid()) {
+ winbind_debug_traceid_setup(global_event_context());
+ }
+ ok = initialize_password_db(true, global_event_context());
+ if (!ok) {
+ exit_daemon("Failed to initialize passdb backend! "
+ "Check the 'passdb backend' variable in your "
+ "smb.conf file.", EINVAL);
+ }
+
+ /*
+ * Do not initialize the parent-child-pipe before becoming
+ * a daemon: this is used to detect a died parent in the child
+ * process.
+ */
+ status = init_before_fork();
+ if (!NT_STATUS_IS_OK(status)) {
+ exit_daemon(nt_errstr(status), map_errno_from_nt_status(status));
+ }
+
+ winbindd_register_handlers(global_messaging_context(),
+ !cmdline_daemon_cfg->fork);
+
+ if (!messaging_parent_dgm_cleanup_init(global_messaging_context())) {
+ exit(1);
+ }
+
+ status = init_system_session_info(NULL);
+ if (!NT_STATUS_IS_OK(status)) {
+ exit_daemon("Winbindd failed to setup system user info", map_errno_from_nt_status(status));
+ }
+
+ DBG_INFO("Registering DCE/RPC endpoint servers\n");
+
+ ep_server = winbind_get_ep_server();
+ if (ep_server == NULL) {
+ DBG_ERR("Failed to get 'winbind' endpoint server\n");
+ exit(1);
+ }
+ status = dcerpc_register_ep_server(ep_server);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_ERR("Failed to register 'winbind' endpoint "
+ "server: %s\n", nt_errstr(status));
+ exit(1);
+ }
+
+ dce_ctx = global_dcesrv_context();
+
+ DBG_INFO("Initializing DCE/RPC registered endpoint servers\n");
+
+ /* Init all registered ep servers */
+ status = dcesrv_init_registered_ep_servers(dce_ctx);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_ERR("Failed to init DCE/RPC endpoint servers: %s\n",
+ nt_errstr(status));
+ exit(1);
+ }
+
+ winbindd_init_addrchange(NULL, global_event_context(),
+ global_messaging_context());
+
+ /* setup listen sockets */
+
+ if (!winbindd_setup_listeners()) {
+ exit_daemon("Winbindd failed to setup listeners", EPIPE);
+ }
+
+ irpc_add_name(winbind_imessaging_context(), "winbind_server");
+
+ TALLOC_FREE(frame);
+
+ if (!interactive) {
+ daemon_ready("winbindd");
+ }
+
+ gpupdate_init();
+
+ /* Loop waiting for requests */
+ while (1) {
+ frame = talloc_stackframe();
+
+ if (tevent_loop_once(global_event_context()) == -1) {
+ DEBUG(1, ("tevent_loop_once() failed: %s\n",
+ strerror(errno)));
+ return 1;
+ }
+
+ TALLOC_FREE(frame);
+ }
+
+ return 0;
+}
diff --git a/source3/winbindd/winbindd.h b/source3/winbindd/winbindd.h
new file mode 100644
index 0000000..093a9fa
--- /dev/null
+++ b/source3/winbindd/winbindd.h
@@ -0,0 +1,360 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ Winbind daemon for ntdom nss module
+
+ Copyright (C) Tim Potter 2000
+ Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003
+
+ This library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 3 of the License, or (at your option) any later version.
+
+ This library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Library General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#ifndef _WINBINDD_H
+#define _WINBINDD_H
+
+#include "nsswitch/winbind_struct_protocol.h"
+#include "nsswitch/libwbclient/wbclient.h"
+#include "librpc/gen_ndr/dcerpc.h"
+#include "librpc/gen_ndr/winbind.h"
+
+#include "../lib/util/tevent_ntstatus.h"
+
+#ifdef HAVE_LIBNSCD
+#include <libnscd.h>
+#endif
+
+#ifdef HAVE_SYS_MMAN_H
+#include <sys/mman.h>
+#endif
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_WINBIND
+
+#define WB_REPLACE_CHAR '_'
+
+struct winbind_internal_pipes;
+struct ads_struct;
+
+struct winbindd_cli_state {
+ struct winbindd_cli_state *prev, *next; /* Linked list pointers */
+ int sock; /* Open socket from client */
+ pid_t pid; /* pid of client */
+ char client_name[32]; /* The process name of the client */
+ time_t last_access; /* Time of last access (read or write) */
+ bool privileged; /* Is the client 'privileged' */
+
+ TALLOC_CTX *mem_ctx; /* memory per request */
+ const char *cmd_name;
+ NTSTATUS (*recv_fn)(struct tevent_req *req,
+ struct winbindd_response *presp);
+ struct winbindd_request *request; /* Request from client */
+ struct tevent_queue *out_queue;
+ struct winbindd_response *response; /* Respose to client */
+ struct tevent_req *io_req; /* wb_req_read_* or wb_resp_write_* */
+
+ struct getpwent_state *pwent_state; /* State for getpwent() */
+ struct getgrent_state *grent_state; /* State for getgrent() */
+};
+
+struct getpwent_state {
+ struct winbindd_domain *domain;
+ uint32_t next_user;
+ struct wbint_RidArray rids;
+};
+
+struct getgrent_state {
+ struct winbindd_domain *domain;
+ uint32_t next_group;
+ uint32_t num_groups;
+ struct wbint_Principal *groups;
+};
+
+/* Our connection to the DC */
+
+struct winbindd_cm_conn {
+ struct cli_state *cli;
+
+ enum dcerpc_AuthLevel auth_level;
+
+ struct rpc_pipe_client *samr_pipe;
+ struct policy_handle sam_connect_handle, sam_domain_handle;
+
+ struct rpc_pipe_client *lsa_pipe;
+ struct rpc_pipe_client *lsa_pipe_tcp;
+ struct policy_handle lsa_policy;
+
+ struct rpc_pipe_client *netlogon_pipe;
+ struct netlogon_creds_cli_context *netlogon_creds_ctx;
+ bool netlogon_force_reauth;
+};
+
+/* Async child */
+
+struct winbindd_domain;
+
+struct winbindd_child {
+ pid_t pid;
+ struct winbindd_domain *domain;
+ char *logfilename;
+
+ int sock;
+ struct tevent_fd *monitor_fde; /* Watch for dead children/sockets */
+ struct tevent_queue *queue;
+ struct dcerpc_binding_handle *binding_handle;
+
+ struct tevent_timer *lockout_policy_event;
+ struct tevent_timer *machine_password_change_event;
+};
+
+/* Structures to hold per domain information */
+
+struct winbindd_domain {
+ char *name; /* Domain name (NetBIOS) */
+ char *alt_name; /* alt Domain name, if any (FQDN for ADS) */
+ char *forest_name; /* Name of the AD forest we're in */
+ struct dom_sid sid; /* SID for this domain */
+ enum netr_SchannelType secure_channel_type;
+ uint32_t domain_flags; /* Domain flags from netlogon.h */
+ uint32_t domain_type; /* Domain type from netlogon.h */
+ uint32_t domain_trust_attribs; /* Trust attribs from netlogon.h */
+ struct winbindd_domain *routing_domain;
+ bool initialized; /* Did we already ask for the domain mode? */
+ bool native_mode; /* is this a win2k domain in native mode ? */
+ bool active_directory; /* is this a win2k active directory ? */
+ bool primary; /* is this our primary domain ? */
+ bool internal; /* BUILTIN and member SAM */
+ bool rodc; /* Are we an RODC for this AD domain? (do some operations locally) */
+ bool online; /* is this domain available ? */
+ time_t startup_time; /* When we set "startup" true. monotonic clock */
+ bool startup; /* are we in the first 30 seconds after startup_time ? */
+
+ bool can_do_ncacn_ip_tcp;
+
+ /*
+ * Lookup methods for this domain (LDAP or RPC). The backend
+ * methods are used by the cache layer.
+ */
+ struct winbindd_methods *backend;
+
+ struct {
+ struct winbind_internal_pipes *samr_pipes;
+ struct ads_struct *ads_conn;
+ } backend_data;
+
+ /* A working DC */
+ char *dcname;
+ const char *ping_dcname;
+ struct sockaddr_storage dcaddr;
+
+ /* Sequence number stuff */
+
+ time_t last_seq_check;
+ uint32_t sequence_number;
+ NTSTATUS last_status;
+
+ /* The smb connection */
+
+ struct winbindd_cm_conn conn;
+
+ /* The child pid we're talking to */
+
+ struct winbindd_child *children;
+
+ struct tevent_queue *queue;
+ struct dcerpc_binding_handle *binding_handle;
+
+ struct tevent_req *check_online_event;
+
+ /* Linked list info */
+
+ struct winbindd_domain *prev, *next;
+};
+
+struct wb_parent_idmap_config_dom {
+ unsigned low_id;
+ unsigned high_id;
+ const char *name;
+ struct dom_sid sid;
+};
+
+struct wb_parent_idmap_config {
+ struct tevent_queue *queue;
+ uint32_t num_doms;
+ struct wb_parent_idmap_config_dom *doms;
+};
+
+struct wb_acct_info {
+ const char *acct_name; /* account name */
+ const char *acct_desc; /* account name */
+ uint32_t rid; /* domain-relative RID */
+};
+
+/* per-domain methods. This is how LDAP vs RPC is selected
+ */
+struct winbindd_methods {
+ /* does this backend provide a consistent view of the data? (ie. is the primary group
+ always correct) */
+ bool consistent;
+
+ /* get a list of users, returning a wbint_userinfo for each one */
+ NTSTATUS (*query_user_list)(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ uint32_t **rids);
+
+ /* get a list of domain groups */
+ NTSTATUS (*enum_dom_groups)(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ uint32_t *num_entries,
+ struct wb_acct_info **info);
+
+ /* get a list of domain local groups */
+ NTSTATUS (*enum_local_groups)(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ uint32_t *num_entries,
+ struct wb_acct_info **info);
+
+ /* convert one user or group name to a sid */
+ NTSTATUS (*name_to_sid)(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ const char *domain_name,
+ const char *name,
+ uint32_t flags,
+ const char **pdom_name,
+ struct dom_sid *sid,
+ enum lsa_SidType *type);
+
+ /* convert a sid to a user or group name */
+ NTSTATUS (*sid_to_name)(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ const struct dom_sid *sid,
+ char **domain_name,
+ char **name,
+ enum lsa_SidType *type);
+
+ NTSTATUS (*rids_to_names)(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ const struct dom_sid *domain_sid,
+ uint32_t *rids,
+ size_t num_rids,
+ char **domain_name,
+ char ***names,
+ enum lsa_SidType **types);
+
+ /* lookup all groups that a user is a member of. The backend
+ can also choose to lookup by username or rid for this
+ function */
+ NTSTATUS (*lookup_usergroups)(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ const struct dom_sid *user_sid,
+ uint32_t *num_groups, struct dom_sid **user_gids);
+
+ /* Lookup all aliases that the sids delivered are member of. This is
+ * to implement 'domain local groups' correctly */
+ NTSTATUS (*lookup_useraliases)(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ uint32_t num_sids,
+ const struct dom_sid *sids,
+ uint32_t *num_aliases,
+ uint32_t **alias_rids);
+
+ /* find all members of the group with the specified group_rid */
+ NTSTATUS (*lookup_groupmem)(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ const struct dom_sid *group_sid,
+ enum lsa_SidType type,
+ uint32_t *num_names,
+ struct dom_sid **sid_mem, char ***names,
+ uint32_t **name_types);
+
+ /* return the lockout policy */
+ NTSTATUS (*lockout_policy)(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ struct samr_DomInfo12 *lockout_policy);
+
+ /* return the lockout policy */
+ NTSTATUS (*password_policy)(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ struct samr_DomInfo1 *password_policy);
+
+ /* enumerate trusted domains */
+ NTSTATUS (*trusted_domains)(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ struct netr_DomainTrustList *trusts);
+};
+
+/* Filled out by IDMAP backends */
+struct winbindd_idmap_methods {
+ /* Called when backend is first loaded */
+ bool (*init)(void);
+
+ bool (*get_sid_from_uid)(uid_t uid, struct dom_sid *sid);
+ bool (*get_sid_from_gid)(gid_t gid, struct dom_sid *sid);
+
+ bool (*get_uid_from_sid)(struct dom_sid *sid, uid_t *uid);
+ bool (*get_gid_from_sid)(struct dom_sid *sid, gid_t *gid);
+
+ /* Called when backend is unloaded */
+ bool (*close)(void);
+ /* Called to dump backend status */
+ void (*status)(void);
+};
+
+/* Data structures for dealing with the trusted domain cache */
+
+struct winbindd_tdc_domain {
+ const char *domain_name;
+ const char *dns_name;
+ struct dom_sid sid;
+ uint32_t trust_flags;
+ uint32_t trust_attribs;
+ uint32_t trust_type;
+};
+
+struct WINBINDD_MEMORY_CREDS {
+ struct WINBINDD_MEMORY_CREDS *next, *prev;
+ const char *username; /* lookup key. */
+ uid_t uid;
+ int ref_count;
+ size_t len;
+ uint8_t *nt_hash; /* Base pointer for the following 2 */
+ uint8_t *lm_hash;
+ char *pass;
+};
+
+struct WINBINDD_CCACHE_ENTRY {
+ struct WINBINDD_CCACHE_ENTRY *next, *prev;
+ const char *principal_name;
+ const char *ccname;
+ const char *service;
+ const char *username;
+ const char *realm;
+ const char *canon_principal;
+ const char *canon_realm;
+ struct WINBINDD_MEMORY_CREDS *cred_ptr;
+ int ref_count;
+ uid_t uid;
+ time_t create_time;
+ time_t renew_until;
+ time_t refresh_time;
+ struct tevent_timer *event;
+};
+
+#include "winbindd/winbindd_proto.h"
+
+#define WINBINDD_ESTABLISH_LOOP 30
+#define WINBINDD_RESCAN_FREQ lp_winbind_cache_time()
+#define WINBINDD_PAM_AUTH_KRB5_RENEW_TIME 2592000 /* one month */
+#define DOM_SEQUENCE_NONE ((uint32_t)-1)
+
+#endif /* _WINBINDD_H */
diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
new file mode 100644
index 0000000..d2b0962
--- /dev/null
+++ b/source3/winbindd/winbindd_ads.c
@@ -0,0 +1,1580 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ Winbind ADS backend functions
+
+ Copyright (C) Andrew Tridgell 2001
+ Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003
+ Copyright (C) Gerald (Jerry) Carter 2004
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "winbindd.h"
+#include "winbindd_ads.h"
+#include "libsmb/namequery.h"
+#include "rpc_client/rpc_client.h"
+#include "../librpc/gen_ndr/ndr_netlogon_c.h"
+#include "../libds/common/flags.h"
+#include "ads.h"
+#include "../libcli/ldap/ldap_ndr.h"
+#include "../libcli/security/security.h"
+#include "../libds/common/flag_mapping.h"
+#include "libsmb/samlogon_cache.h"
+#include "passdb.h"
+#include "auth/credentials/credentials.h"
+
+#ifdef HAVE_ADS
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_WINBIND
+
+extern struct winbindd_methods reconnect_methods;
+extern struct winbindd_methods msrpc_methods;
+
+#define WINBIND_CCACHE_NAME "MEMORY:winbind_ccache"
+
+/**
+ * Check if cached connection can be reused. If the connection cannot
+ * be reused the ADS_STRUCT is freed and the pointer is set to NULL.
+ */
+static void ads_cached_connection_reuse(ADS_STRUCT **adsp)
+{
+
+ ADS_STRUCT *ads = *adsp;
+
+ if (ads != NULL) {
+ time_t expire;
+ time_t now = time(NULL);
+
+ expire = MIN(ads->auth.tgt_expire, ads->auth.tgs_expire);
+
+ DEBUG(7, ("Current tickets expire in %d seconds (at %d, time "
+ "is now %d)\n", (uint32_t)expire - (uint32_t)now,
+ (uint32_t) expire, (uint32_t) now));
+
+ if ( ads->config.realm && (expire > now)) {
+ return;
+ } else {
+ /* we own this ADS_STRUCT so make sure it goes away */
+ DEBUG(7,("Deleting expired krb5 credential cache\n"));
+ TALLOC_FREE(ads);
+ ads_kdestroy(WINBIND_CCACHE_NAME);
+ *adsp = NULL;
+ }
+ }
+}
+
+/**
+ * @brief Establish a connection to a DC
+ *
+ * @param[out] adsp ADS_STRUCT that will be created
+ * @param[in] target_realm Realm of domain to connect to
+ * @param[in] target_dom_name 'workgroup' name of domain to connect to
+ * @param[in] ldap_server DNS name of server to connect to
+ * @param[in] password Our machine acount secret
+ * @param[in] auth_realm Realm of local domain for creating krb token
+ * @param[in] renewable Renewable ticket time
+ *
+ * @return ADS_STATUS
+ */
+static ADS_STATUS ads_cached_connection_connect(const char *target_realm,
+ const char *target_dom_name,
+ const char *ldap_server,
+ char *password,
+ char *auth_realm,
+ time_t renewable,
+ TALLOC_CTX *mem_ctx,
+ ADS_STRUCT **adsp)
+{
+ TALLOC_CTX *tmp_ctx = talloc_stackframe();
+ ADS_STRUCT *ads;
+ ADS_STATUS status;
+ struct sockaddr_storage dc_ss;
+ fstring dc_name;
+ enum credentials_use_kerberos krb5_state;
+
+ if (auth_realm == NULL) {
+ TALLOC_FREE(tmp_ctx);
+ return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
+ }
+
+ /* we don't want this to affect the users ccache */
+ setenv("KRB5CCNAME", WINBIND_CCACHE_NAME, 1);
+
+ ads = ads_init(tmp_ctx,
+ target_realm,
+ target_dom_name,
+ ldap_server,
+ ADS_SASL_SEAL);
+ if (!ads) {
+ DEBUG(1,("ads_init for domain %s failed\n", target_dom_name));
+ status = ADS_ERROR(LDAP_NO_MEMORY);
+ goto out;
+ }
+
+ TALLOC_FREE(ads->auth.password);
+ TALLOC_FREE(ads->auth.realm);
+
+ ads->auth.renewable = renewable;
+ ads->auth.password = talloc_strdup(ads, password);
+ if (ads->auth.password == NULL) {
+ status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
+ goto out;
+ }
+
+ /* In FIPS mode, client use kerberos is forced to required. */
+ krb5_state = lp_client_use_kerberos();
+ switch (krb5_state) {
+ case CRED_USE_KERBEROS_REQUIRED:
+ ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
+ ads->auth.flags &= ~ADS_AUTH_ALLOW_NTLMSSP;
+ break;
+ case CRED_USE_KERBEROS_DESIRED:
+ ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
+ ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
+ break;
+ case CRED_USE_KERBEROS_DISABLED:
+ ads->auth.flags |= ADS_AUTH_DISABLE_KERBEROS;
+ ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
+ break;
+ }
+
+ ads->auth.realm = talloc_asprintf_strupper_m(ads, "%s", auth_realm);
+ if (ads->auth.realm == NULL) {
+ status = ADS_ERROR_NT(NT_STATUS_INTERNAL_ERROR);
+ goto out;
+ }
+
+ /* Setup the server affinity cache. We don't reaally care
+ about the name. Just setup affinity and the KRB5_CONFIG
+ file. */
+ get_dc_name(ads->server.workgroup, ads->server.realm, dc_name, &dc_ss);
+
+ status = ads_connect(ads);
+ if (!ADS_ERR_OK(status)) {
+ DEBUG(1,("ads_connect for domain %s failed: %s\n",
+ target_dom_name, ads_errstr(status)));
+ goto out;
+ }
+
+ *adsp = talloc_move(mem_ctx, &ads);
+out:
+ TALLOC_FREE(tmp_ctx);
+ return status;
+}
+
+ADS_STATUS ads_idmap_cached_connection(const char *dom_name,
+ TALLOC_CTX *mem_ctx,
+ ADS_STRUCT **adsp)
+{
+ TALLOC_CTX *tmp_ctx = talloc_stackframe();
+ char *ldap_server = NULL;
+ char *realm = NULL;
+ char *password = NULL;
+ struct winbindd_domain *wb_dom = NULL;
+ ADS_STATUS status;
+
+ if (IS_AD_DC) {
+ /*
+ * Make sure we never try to use LDAP against
+ * a trusted domain as AD DC.
+ */
+ TALLOC_FREE(tmp_ctx);
+ return ADS_ERROR_NT(NT_STATUS_REQUEST_NOT_ACCEPTED);
+ }
+
+ ads_cached_connection_reuse(adsp);
+ if (*adsp != NULL) {
+ TALLOC_FREE(tmp_ctx);
+ return ADS_SUCCESS;
+ }
+
+ /*
+ * At this point we only have the NetBIOS domain name.
+ * Check if we can get server nam and realm from SAF cache
+ * and the domain list.
+ */
+ ldap_server = saf_fetch(tmp_ctx, dom_name);
+
+ DBG_DEBUG("ldap_server from saf cache: '%s'\n",
+ ldap_server ? ldap_server : "");
+
+ wb_dom = find_domain_from_name(dom_name);
+ if (wb_dom == NULL) {
+ DBG_DEBUG("could not find domain '%s'\n", dom_name);
+ status = ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
+ goto out;
+ }
+
+ DBG_DEBUG("find_domain_from_name found realm '%s' for "
+ " domain '%s'\n", wb_dom->alt_name, dom_name);
+
+ if (!get_trust_pw_clear(dom_name, &password, NULL, NULL)) {
+ status = ADS_ERROR_NT(NT_STATUS_CANT_ACCESS_DOMAIN_INFO);
+ goto out;
+ }
+
+ if (IS_DC) {
+ SMB_ASSERT(wb_dom->alt_name != NULL);
+ realm = talloc_strdup(tmp_ctx, wb_dom->alt_name);
+ } else {
+ struct winbindd_domain *our_domain = wb_dom;
+
+ /* always give preference to the alt_name in our
+ primary domain if possible */
+
+ if (!wb_dom->primary) {
+ our_domain = find_our_domain();
+ }
+
+ if (our_domain->alt_name != NULL) {
+ realm = talloc_strdup(tmp_ctx, our_domain->alt_name);
+ } else {
+ realm = talloc_strdup(tmp_ctx, lp_realm());
+ }
+ }
+
+ if (realm == NULL) {
+ status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
+ goto out;
+ }
+
+ status = ads_cached_connection_connect(
+ wb_dom->alt_name, /* realm to connect to. */
+ dom_name, /* 'workgroup' name for ads_init */
+ ldap_server, /* DNS name to connect to. */
+ password, /* password for auth realm. */
+ realm, /* realm used for krb5 ticket. */
+ 0, /* renewable ticket time. */
+ mem_ctx, /* memory context for ads struct */
+ adsp); /* Returns ads struct. */
+
+out:
+ TALLOC_FREE(tmp_ctx);
+ SAFE_FREE(password);
+
+ return status;
+}
+
+/*
+ return our ads connections structure for a domain. We keep the connection
+ open to make things faster
+*/
+static ADS_STATUS ads_cached_connection(struct winbindd_domain *domain,
+ ADS_STRUCT **adsp)
+{
+ TALLOC_CTX *tmp_ctx = talloc_stackframe();
+ ADS_STATUS status;
+ char *password = NULL;
+ char *realm = NULL;
+
+ if (IS_AD_DC) {
+ /*
+ * Make sure we never try to use LDAP against
+ * a trusted domain as AD DC.
+ */
+ TALLOC_FREE(tmp_ctx);
+ return ADS_ERROR_NT(NT_STATUS_REQUEST_NOT_ACCEPTED);
+ }
+
+ DBG_DEBUG("ads_cached_connection\n");
+
+ ads_cached_connection_reuse(&domain->backend_data.ads_conn);
+ if (domain->backend_data.ads_conn != NULL) {
+ *adsp = domain->backend_data.ads_conn;
+ TALLOC_FREE(tmp_ctx);
+ return ADS_SUCCESS;
+ }
+
+ /* the machine acct password might have change - fetch it every time */
+
+ if (!get_trust_pw_clear(domain->name, &password, NULL, NULL)) {
+ status = ADS_ERROR_NT(NT_STATUS_CANT_ACCESS_DOMAIN_INFO);
+ goto out;
+ }
+
+ if ( IS_DC ) {
+ SMB_ASSERT(domain->alt_name != NULL);
+ realm = talloc_strdup(tmp_ctx, domain->alt_name);
+ } else {
+ struct winbindd_domain *our_domain = domain;
+
+
+ /* always give preference to the alt_name in our
+ primary domain if possible */
+
+ if ( !domain->primary )
+ our_domain = find_our_domain();
+
+ if (our_domain->alt_name != NULL) {
+ realm = talloc_strdup(tmp_ctx, our_domain->alt_name );
+ } else {
+ realm = talloc_strdup(tmp_ctx, lp_realm() );
+ }
+ }
+
+ if (realm == NULL) {
+ status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
+ goto out;
+ }
+
+ status = ads_cached_connection_connect(
+ domain->alt_name,
+ domain->name, NULL,
+ password,
+ realm,
+ WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
+ domain,
+ &domain->backend_data.ads_conn);
+ if (!ADS_ERR_OK(status)) {
+ /* if we get ECONNREFUSED then it might be a NT4
+ server, fall back to MSRPC */
+ if (status.error_type == ENUM_ADS_ERROR_SYSTEM &&
+ status.err.rc == ECONNREFUSED) {
+ /* 'reconnect_methods' is the MS-RPC backend. */
+ DBG_NOTICE("Trying MSRPC methods for domain '%s'\n",
+ domain->name);
+ domain->backend = &reconnect_methods;
+ }
+ goto out;
+ }
+
+ *adsp = domain->backend_data.ads_conn;
+out:
+ TALLOC_FREE(tmp_ctx);
+ SAFE_FREE(password);
+
+ return status;
+}
+
+/* Query display info for a realm. This is the basic user list fn */
+static NTSTATUS query_user_list(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ uint32_t **prids)
+{
+ ADS_STRUCT *ads = NULL;
+ const char *attrs[] = { "sAMAccountType", "objectSid", NULL };
+ int count;
+ uint32_t *rids = NULL;
+ ADS_STATUS rc;
+ LDAPMessage *res = NULL;
+ LDAPMessage *msg = NULL;
+ NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
+
+ DEBUG(3,("ads: query_user_list\n"));
+
+ if ( !winbindd_can_contact_domain( domain ) ) {
+ DEBUG(10,("query_user_list: No incoming trust for domain %s\n",
+ domain->name));
+ return NT_STATUS_OK;
+ }
+
+ rc = ads_cached_connection(domain, &ads);
+ if (!ADS_ERR_OK(rc)) {
+ domain->last_status = NT_STATUS_SERVER_DISABLED;
+ goto done;
+ }
+
+ rc = ads_search_retry(ads, &res, "(objectCategory=user)", attrs);
+ if (!ADS_ERR_OK(rc)) {
+ DEBUG(1,("query_user_list ads_search: %s\n", ads_errstr(rc)));
+ status = ads_ntstatus(rc);
+ goto done;
+ } else if (!res) {
+ DEBUG(1,("query_user_list ads_search returned NULL res\n"));
+ goto done;
+ }
+
+ count = ads_count_replies(ads, res);
+ if (count == 0) {
+ DEBUG(1,("query_user_list: No users found\n"));
+ goto done;
+ }
+
+ rids = talloc_zero_array(mem_ctx, uint32_t, count);
+ if (rids == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
+
+ count = 0;
+
+ for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
+ struct dom_sid user_sid;
+ uint32_t atype;
+ bool ok;
+
+ ok = ads_pull_uint32(ads, msg, "sAMAccountType", &atype);
+ if (!ok) {
+ DBG_INFO("Object lacks sAMAccountType attribute\n");
+ continue;
+ }
+ if (ds_atype_map(atype) != SID_NAME_USER) {
+ DBG_INFO("Not a user account? atype=0x%x\n", atype);
+ continue;
+ }
+
+ if (!ads_pull_sid(ads, msg, "objectSid", &user_sid)) {
+ char *dn = ads_get_dn(ads, talloc_tos(), msg);
+ DBG_INFO("No sid for %s !?\n", dn);
+ TALLOC_FREE(dn);
+ continue;
+ }
+
+ if (!dom_sid_in_domain(&domain->sid, &user_sid)) {
+ struct dom_sid_buf sidstr, domstr;
+ DBG_WARNING("Got sid %s in domain %s\n",
+ dom_sid_str_buf(&user_sid, &sidstr),
+ dom_sid_str_buf(&domain->sid, &domstr));
+ continue;
+ }
+
+ sid_split_rid(&user_sid, &rids[count]);
+ count += 1;
+ }
+
+ rids = talloc_realloc(mem_ctx, rids, uint32_t, count);
+ if (prids != NULL) {
+ *prids = rids;
+ }
+
+ status = NT_STATUS_OK;
+
+ DBG_NOTICE("ads query_user_list gave %d entries\n", count);
+
+done:
+ ads_msgfree(ads, res);
+ return status;
+}
+
+/* list all domain groups */
+static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ uint32_t *num_entries,
+ struct wb_acct_info **info)
+{
+ ADS_STRUCT *ads = NULL;
+ const char *attrs[] = {"userPrincipalName", "sAMAccountName",
+ "name", "objectSid", NULL};
+ int i, count;
+ ADS_STATUS rc;
+ LDAPMessage *res = NULL;
+ LDAPMessage *msg = NULL;
+ NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
+ const char *filter;
+ bool enum_dom_local_groups = False;
+
+ *num_entries = 0;
+
+ DEBUG(3,("ads: enum_dom_groups\n"));
+
+ if ( !winbindd_can_contact_domain( domain ) ) {
+ DEBUG(10,("enum_dom_groups: No incoming trust for domain %s\n",
+ domain->name));
+ return NT_STATUS_OK;
+ }
+
+ /* only grab domain local groups for our domain */
+ if ( domain->active_directory && strequal(lp_realm(), domain->alt_name) ) {
+ enum_dom_local_groups = True;
+ }
+
+ /* Workaround ADS LDAP bug present in MS W2K3 SP0 and W2K SP4 w/o
+ * rollup-fixes:
+ *
+ * According to Section 5.1(4) of RFC 2251 if a value of a type is it's
+ * default value, it MUST be absent. In case of extensible matching the
+ * "dnattr" boolean defaults to FALSE and so it must be only be present
+ * when set to TRUE.
+ *
+ * When it is set to FALSE and the OpenLDAP lib (correctly) encodes a
+ * filter using bitwise matching rule then the buggy AD fails to decode
+ * the extensible match. As a workaround set it to TRUE and thereby add
+ * the dnAttributes "dn" field to cope with those older AD versions.
+ * It should not harm and won't put any additional load on the AD since
+ * none of the dn components have a bitmask-attribute.
+ *
+ * Thanks to Ralf Haferkamp for input and testing - Guenther */
+
+ filter = talloc_asprintf(mem_ctx, "(&(objectCategory=group)(&(groupType:dn:%s:=%d)(!(groupType:dn:%s:=%d))))",
+ ADS_LDAP_MATCHING_RULE_BIT_AND, GROUP_TYPE_SECURITY_ENABLED,
+ ADS_LDAP_MATCHING_RULE_BIT_AND,
+ enum_dom_local_groups ? GROUP_TYPE_BUILTIN_LOCAL_GROUP : GROUP_TYPE_RESOURCE_GROUP);
+
+ if (filter == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
+
+ rc = ads_cached_connection(domain, &ads);
+ if (!ADS_ERR_OK(rc)) {
+ domain->last_status = NT_STATUS_SERVER_DISABLED;
+ goto done;
+ }
+
+ rc = ads_search_retry(ads, &res, filter, attrs);
+ if (!ADS_ERR_OK(rc)) {
+ status = ads_ntstatus(rc);
+ DEBUG(1,("enum_dom_groups ads_search: %s\n", ads_errstr(rc)));
+ goto done;
+ } else if (!res) {
+ DEBUG(1,("enum_dom_groups ads_search returned NULL res\n"));
+ goto done;
+ }
+
+ count = ads_count_replies(ads, res);
+ if (count == 0) {
+ DEBUG(1,("enum_dom_groups: No groups found\n"));
+ goto done;
+ }
+
+ (*info) = talloc_zero_array(mem_ctx, struct wb_acct_info, count);
+ if (!*info) {
+ status = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
+
+ i = 0;
+
+ for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
+ char *name, *gecos;
+ struct dom_sid sid;
+ uint32_t rid;
+
+ name = ads_pull_username(ads, (*info), msg);
+ gecos = ads_pull_string(ads, (*info), msg, "name");
+ if (!ads_pull_sid(ads, msg, "objectSid", &sid)) {
+ DEBUG(1,("No sid for %s !?\n", name));
+ continue;
+ }
+
+ if (!sid_peek_check_rid(&domain->sid, &sid, &rid)) {
+ DEBUG(1,("No rid for %s !?\n", name));
+ continue;
+ }
+
+ (*info)[i].acct_name = name;
+ (*info)[i].acct_desc = gecos;
+ (*info)[i].rid = rid;
+ i++;
+ }
+
+ (*num_entries) = i;
+
+ status = NT_STATUS_OK;
+
+ DEBUG(3,("ads enum_dom_groups gave %d entries\n", (*num_entries)));
+
+done:
+ if (res)
+ ads_msgfree(ads, res);
+
+ return status;
+}
+
+/* list all domain local groups */
+static NTSTATUS enum_local_groups(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ uint32_t *num_entries,
+ struct wb_acct_info **info)
+{
+ /*
+ * This is a stub function only as we returned the domain
+ * local groups in enum_dom_groups() if the domain->native field
+ * was true. This is a simple performance optimization when
+ * using LDAP.
+ *
+ * if we ever need to enumerate domain local groups separately,
+ * then this optimization in enum_dom_groups() will need
+ * to be split out
+ */
+ *num_entries = 0;
+
+ return NT_STATUS_OK;
+}
+
+/* convert a single name to a sid in a domain - use rpc methods */
+static NTSTATUS name_to_sid(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ const char *domain_name,
+ const char *name,
+ uint32_t flags,
+ const char **pdom_name,
+ struct dom_sid *sid,
+ enum lsa_SidType *type)
+{
+ return msrpc_methods.name_to_sid(domain, mem_ctx, domain_name, name,
+ flags, pdom_name, sid, type);
+}
+
+/* convert a domain SID to a user or group name - use rpc methods */
+static NTSTATUS sid_to_name(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ const struct dom_sid *sid,
+ char **domain_name,
+ char **name,
+ enum lsa_SidType *type)
+{
+ return msrpc_methods.sid_to_name(domain, mem_ctx, sid,
+ domain_name, name, type);
+}
+
+/* convert a list of rids to names - use rpc methods */
+static NTSTATUS rids_to_names(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ const struct dom_sid *sid,
+ uint32_t *rids,
+ size_t num_rids,
+ char **domain_name,
+ char ***names,
+ enum lsa_SidType **types)
+{
+ return msrpc_methods.rids_to_names(domain, mem_ctx, sid,
+ rids, num_rids,
+ domain_name, names, types);
+}
+
+/* Lookup groups a user is a member of - alternate method, for when
+ tokenGroups are not available. */
+static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ const char *user_dn,
+ struct dom_sid *primary_group,
+ uint32_t *p_num_groups, struct dom_sid **user_sids)
+{
+ ADS_STATUS rc;
+ NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
+ int count;
+ LDAPMessage *res = NULL;
+ LDAPMessage *msg = NULL;
+ char *ldap_exp;
+ ADS_STRUCT *ads = NULL;
+ const char *group_attrs[] = {"objectSid", NULL};
+ char *escaped_dn;
+ uint32_t num_groups = 0;
+
+ DEBUG(3,("ads: lookup_usergroups_member\n"));
+
+ if ( !winbindd_can_contact_domain( domain ) ) {
+ DEBUG(10,("lookup_usergroups_members: No incoming trust for domain %s\n",
+ domain->name));
+ return NT_STATUS_OK;
+ }
+
+ rc = ads_cached_connection(domain, &ads);
+ if (!ADS_ERR_OK(rc)) {
+ domain->last_status = NT_STATUS_SERVER_DISABLED;
+ goto done;
+ }
+
+ if (!(escaped_dn = escape_ldap_string(talloc_tos(), user_dn))) {
+ status = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
+
+ ldap_exp = talloc_asprintf(mem_ctx,
+ "(&(member=%s)(objectCategory=group)(groupType:dn:%s:=%d))",
+ escaped_dn,
+ ADS_LDAP_MATCHING_RULE_BIT_AND,
+ GROUP_TYPE_SECURITY_ENABLED);
+ if (!ldap_exp) {
+ DEBUG(1,("lookup_usergroups(dn=%s) asprintf failed!\n", user_dn));
+ TALLOC_FREE(escaped_dn);
+ status = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
+
+ TALLOC_FREE(escaped_dn);
+
+ rc = ads_search_retry(ads, &res, ldap_exp, group_attrs);
+
+ if (!ADS_ERR_OK(rc)) {
+ DEBUG(1,("lookup_usergroups ads_search member=%s: %s\n", user_dn, ads_errstr(rc)));
+ return ads_ntstatus(rc);
+ } else if (!res) {
+ DEBUG(1,("lookup_usergroups ads_search returned NULL res\n"));
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
+
+ count = ads_count_replies(ads, res);
+
+ *user_sids = NULL;
+ num_groups = 0;
+
+ /* always add the primary group to the sid array */
+ status = add_sid_to_array(mem_ctx, primary_group, user_sids,
+ &num_groups);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto done;
+ }
+
+ if (count > 0) {
+ for (msg = ads_first_entry(ads, res); msg;
+ msg = ads_next_entry(ads, msg)) {
+ struct dom_sid group_sid;
+
+ if (!ads_pull_sid(ads, msg, "objectSid", &group_sid)) {
+ DEBUG(1,("No sid for this group ?!?\n"));
+ continue;
+ }
+
+ /* ignore Builtin groups from ADS - Guenther */
+ if (sid_check_is_in_builtin(&group_sid)) {
+ continue;
+ }
+
+ status = add_sid_to_array(mem_ctx, &group_sid,
+ user_sids, &num_groups);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto done;
+ }
+ }
+
+ }
+
+ *p_num_groups = num_groups;
+ status = (user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
+
+ DEBUG(3,("ads lookup_usergroups (member) succeeded for dn=%s\n", user_dn));
+done:
+ if (res)
+ ads_msgfree(ads, res);
+
+ return status;
+}
+
+/* Lookup groups a user is a member of - alternate method, for when
+ tokenGroups are not available. */
+static NTSTATUS lookup_usergroups_memberof(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ const char *user_dn,
+ struct dom_sid *primary_group,
+ uint32_t *p_num_groups,
+ struct dom_sid **user_sids)
+{
+ ADS_STATUS rc;
+ NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
+ ADS_STRUCT *ads = NULL;
+ const char *attrs[] = {"memberOf", NULL};
+ uint32_t num_groups = 0;
+ struct dom_sid *group_sids = NULL;
+ size_t i;
+ char **strings = NULL;
+ size_t num_strings = 0, num_sids = 0;
+
+
+ DEBUG(3,("ads: lookup_usergroups_memberof\n"));
+
+ if ( !winbindd_can_contact_domain( domain ) ) {
+ DEBUG(10,("lookup_usergroups_memberof: No incoming trust for "
+ "domain %s\n", domain->name));
+ return NT_STATUS_OK;
+ }
+
+ rc = ads_cached_connection(domain, &ads);
+ if (!ADS_ERR_OK(rc)) {
+ domain->last_status = NT_STATUS_SERVER_DISABLED;
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ rc = ads_search_retry_extended_dn_ranged(ads, mem_ctx, user_dn, attrs,
+ ADS_EXTENDED_DN_HEX_STRING,
+ &strings, &num_strings);
+
+ if (!ADS_ERR_OK(rc)) {
+ DEBUG(1,("lookup_usergroups_memberof ads_search "
+ "member=%s: %s\n", user_dn, ads_errstr(rc)));
+ return ads_ntstatus(rc);
+ }
+
+ *user_sids = NULL;
+ num_groups = 0;
+
+ /* always add the primary group to the sid array */
+ status = add_sid_to_array(mem_ctx, primary_group, user_sids,
+ &num_groups);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto done;
+ }
+
+ group_sids = talloc_zero_array(mem_ctx, struct dom_sid, num_strings + 1);
+ if (!group_sids) {
+ status = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
+
+ for (i=0; i<num_strings; i++) {
+ rc = ads_get_sid_from_extended_dn(mem_ctx, strings[i],
+ ADS_EXTENDED_DN_HEX_STRING,
+ &(group_sids)[i]);
+ if (!ADS_ERR_OK(rc)) {
+ /* ignore members without SIDs */
+ if (NT_STATUS_EQUAL(ads_ntstatus(rc),
+ NT_STATUS_NOT_FOUND)) {
+ continue;
+ }
+ else {
+ status = ads_ntstatus(rc);
+ goto done;
+ }
+ }
+ num_sids++;
+ }
+
+ if (i == 0) {
+ DEBUG(1,("No memberOf for this user?!?\n"));
+ status = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
+
+ for (i=0; i<num_sids; i++) {
+
+ /* ignore Builtin groups from ADS - Guenther */
+ if (sid_check_is_in_builtin(&group_sids[i])) {
+ continue;
+ }
+
+ status = add_sid_to_array(mem_ctx, &group_sids[i], user_sids,
+ &num_groups);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto done;
+ }
+
+ }
+
+ *p_num_groups = num_groups;
+ status = (*user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
+
+ DEBUG(3,("ads lookup_usergroups (memberof) succeeded for dn=%s\n",
+ user_dn));
+
+done:
+ TALLOC_FREE(strings);
+ TALLOC_FREE(group_sids);
+
+ return status;
+}
+
+
+/* Lookup groups a user is a member of. */
+static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ const struct dom_sid *sid,
+ uint32_t *p_num_groups, struct dom_sid **user_sids)
+{
+ ADS_STRUCT *ads = NULL;
+ const char *attrs[] = {"tokenGroups", "primaryGroupID", NULL};
+ ADS_STATUS rc;
+ int count;
+ LDAPMessage *msg = NULL;
+ char *user_dn = NULL;
+ struct dom_sid *sids;
+ int i;
+ struct dom_sid primary_group;
+ uint32_t primary_group_rid;
+ NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
+ uint32_t num_groups = 0;
+ struct dom_sid_buf buf;
+
+ DEBUG(3,("ads: lookup_usergroups\n"));
+ *p_num_groups = 0;
+
+ status = lookup_usergroups_cached(mem_ctx, sid,
+ p_num_groups, user_sids);
+ if (NT_STATUS_IS_OK(status)) {
+ return NT_STATUS_OK;
+ }
+
+ if ( !winbindd_can_contact_domain( domain ) ) {
+ DEBUG(10,("lookup_usergroups: No incoming trust for domain %s\n",
+ domain->name));
+
+ /* Tell the cache manager not to remember this one */
+
+ return NT_STATUS_SYNCHRONIZATION_REQUIRED;
+ }
+
+ rc = ads_cached_connection(domain, &ads);
+ if (!ADS_ERR_OK(rc)) {
+ domain->last_status = NT_STATUS_SERVER_DISABLED;
+ status = NT_STATUS_SERVER_DISABLED;
+ goto done;
+ }
+
+ rc = ads_search_retry_sid(ads, &msg, sid, attrs);
+
+ if (!ADS_ERR_OK(rc)) {
+ status = ads_ntstatus(rc);
+ DEBUG(1, ("lookup_usergroups(sid=%s) ads_search tokenGroups: "
+ "%s\n",
+ dom_sid_str_buf(sid, &buf),
+ ads_errstr(rc)));
+ goto done;
+ }
+
+ count = ads_count_replies(ads, msg);
+ if (count != 1) {
+ status = NT_STATUS_UNSUCCESSFUL;
+ DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: "
+ "invalid number of results (count=%d)\n",
+ dom_sid_str_buf(sid, &buf),
+ count));
+ goto done;
+ }
+
+ if (!msg) {
+ DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: NULL msg\n",
+ dom_sid_str_buf(sid, &buf)));
+ status = NT_STATUS_UNSUCCESSFUL;
+ goto done;
+ }
+
+ user_dn = ads_get_dn(ads, mem_ctx, msg);
+ if (user_dn == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
+
+ if (!ads_pull_uint32(ads, msg, "primaryGroupID", &primary_group_rid)) {
+ DEBUG(1,("%s: No primary group for sid=%s !?\n",
+ domain->name,
+ dom_sid_str_buf(sid, &buf)));
+ goto done;
+ }
+
+ sid_compose(&primary_group, &domain->sid, primary_group_rid);
+
+ count = ads_pull_sids(ads, mem_ctx, msg, "tokenGroups", &sids);
+
+ /* there must always be at least one group in the token,
+ unless we are talking to a buggy Win2k server */
+
+ /* actually this only happens when the machine account has no read
+ * permissions on the tokenGroup attribute - gd */
+
+ if (count == 0) {
+
+ /* no tokenGroups */
+
+ /* lookup what groups this user is a member of by DN search on
+ * "memberOf" */
+
+ status = lookup_usergroups_memberof(domain, mem_ctx, user_dn,
+ &primary_group,
+ &num_groups, user_sids);
+ *p_num_groups = num_groups;
+ if (NT_STATUS_IS_OK(status)) {
+ goto done;
+ }
+
+ /* lookup what groups this user is a member of by DN search on
+ * "member" */
+
+ status = lookup_usergroups_member(domain, mem_ctx, user_dn,
+ &primary_group,
+ &num_groups, user_sids);
+ *p_num_groups = num_groups;
+ goto done;
+ }
+
+ *user_sids = NULL;
+ num_groups = 0;
+
+ status = add_sid_to_array(mem_ctx, &primary_group, user_sids,
+ &num_groups);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto done;
+ }
+
+ for (i=0;i<count;i++) {
+
+ /* ignore Builtin groups from ADS - Guenther */
+ if (sid_check_is_in_builtin(&sids[i])) {
+ continue;
+ }
+
+ status = add_sid_to_array_unique(mem_ctx, &sids[i],
+ user_sids, &num_groups);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto done;
+ }
+ }
+
+ *p_num_groups = (uint32_t)num_groups;
+ status = (*user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
+
+ DEBUG(3,("ads lookup_usergroups (tokenGroups) succeeded for sid=%s\n",
+ dom_sid_str_buf(sid, &buf)));
+done:
+ TALLOC_FREE(user_dn);
+ ads_msgfree(ads, msg);
+ return status;
+}
+
+/* Lookup aliases a user is member of - use rpc methods */
+static NTSTATUS lookup_useraliases(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ uint32_t num_sids, const struct dom_sid *sids,
+ uint32_t *num_aliases, uint32_t **alias_rids)
+{
+ return msrpc_methods.lookup_useraliases(domain, mem_ctx, num_sids, sids,
+ num_aliases, alias_rids);
+}
+
+static NTSTATUS add_primary_group_members(
+ ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, uint32_t rid,
+ char ***all_members, size_t *num_all_members)
+{
+ char *filter;
+ NTSTATUS status = NT_STATUS_NO_MEMORY;
+ ADS_STATUS rc;
+ const char *attrs[] = { "dn", NULL };
+ LDAPMessage *res = NULL;
+ LDAPMessage *msg;
+ char **members;
+ size_t num_members;
+ ads_control args;
+
+ filter = talloc_asprintf(
+ mem_ctx, "(&(objectCategory=user)(primaryGroupID=%u))",
+ (unsigned)rid);
+ if (filter == NULL) {
+ goto done;
+ }
+
+ args.control = ADS_EXTENDED_DN_OID;
+ args.val = ADS_EXTENDED_DN_HEX_STRING;
+ args.critical = True;
+
+ rc = ads_do_search_all_args(ads, ads->config.bind_path,
+ LDAP_SCOPE_SUBTREE, filter, attrs, &args,
+ &res);
+
+ if (!ADS_ERR_OK(rc)) {
+ status = ads_ntstatus(rc);
+ DEBUG(1,("%s: ads_search: %s\n", __func__, ads_errstr(rc)));
+ goto done;
+ }
+ if (res == NULL) {
+ DEBUG(1,("%s: ads_search returned NULL res\n", __func__));
+ goto done;
+ }
+
+ num_members = ads_count_replies(ads, res);
+
+ DEBUG(10, ("%s: Got %ju primary group members\n", __func__,
+ (uintmax_t)num_members));
+
+ if (num_members == 0) {
+ status = NT_STATUS_OK;
+ goto done;
+ }
+
+ members = talloc_realloc(mem_ctx, *all_members, char *,
+ *num_all_members + num_members);
+ if (members == NULL) {
+ DEBUG(1, ("%s: talloc_realloc failed\n", __func__));
+ goto done;
+ }
+ *all_members = members;
+
+ for (msg = ads_first_entry(ads, res); msg != NULL;
+ msg = ads_next_entry(ads, msg)) {
+ char *dn;
+
+ dn = ads_get_dn(ads, members, msg);
+ if (dn == NULL) {
+ DEBUG(1, ("%s: ads_get_dn failed\n", __func__));
+ continue;
+ }
+
+ members[*num_all_members] = dn;
+ *num_all_members += 1;
+ }
+
+ status = NT_STATUS_OK;
+done:
+ if (res != NULL) {
+ ads_msgfree(ads, res);
+ }
+ TALLOC_FREE(filter);
+ return status;
+}
+
+/*
+ find the members of a group, given a group rid and domain
+ */
+static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ const struct dom_sid *group_sid,
+ enum lsa_SidType type,
+ uint32_t *num_names,
+ struct dom_sid **sid_mem, char ***names,
+ uint32_t **name_types)
+{
+ ADS_STATUS rc;
+ ADS_STRUCT *ads = NULL;
+ char *ldap_exp;
+ NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
+ char *sidbinstr;
+ char **members = NULL;
+ size_t i;
+ size_t num_members = 0;
+ ads_control args;
+ struct dom_sid *sid_mem_nocache = NULL;
+ char **names_nocache = NULL;
+ enum lsa_SidType *name_types_nocache = NULL;
+ char **domains_nocache = NULL; /* only needed for rpccli_lsa_lookup_sids */
+ uint32_t num_nocache = 0;
+ TALLOC_CTX *tmp_ctx = NULL;
+ uint32_t rid;
+ struct dom_sid_buf buf;
+
+ DEBUG(10,("ads: lookup_groupmem %s sid=%s\n", domain->name,
+ dom_sid_str_buf(group_sid, &buf)));
+
+ *num_names = 0;
+
+ tmp_ctx = talloc_new(mem_ctx);
+ if (!tmp_ctx) {
+ DEBUG(1, ("ads: lookup_groupmem: talloc failed\n"));
+ status = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
+
+ if (!sid_peek_rid(group_sid, &rid)) {
+ DEBUG(1, ("%s: sid_peek_rid failed\n", __func__));
+ status = NT_STATUS_INVALID_PARAMETER;
+ goto done;
+ }
+
+ if ( !winbindd_can_contact_domain( domain ) ) {
+ DEBUG(10,("lookup_groupmem: No incoming trust for domain %s\n",
+ domain->name));
+ return NT_STATUS_OK;
+ }
+
+ rc = ads_cached_connection(domain, &ads);
+ if (!ADS_ERR_OK(rc)) {
+ domain->last_status = NT_STATUS_SERVER_DISABLED;
+ goto done;
+ }
+
+ if ((sidbinstr = ldap_encode_ndr_dom_sid(talloc_tos(), group_sid)) == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
+
+ /* search for all members of the group */
+ ldap_exp = talloc_asprintf(tmp_ctx, "(objectSid=%s)", sidbinstr);
+ TALLOC_FREE(sidbinstr);
+ if (ldap_exp == NULL) {
+ DEBUG(1, ("ads: lookup_groupmem: talloc_asprintf for ldap_exp failed!\n"));
+ status = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
+
+ args.control = ADS_EXTENDED_DN_OID;
+ args.val = ADS_EXTENDED_DN_HEX_STRING;
+ args.critical = True;
+
+ rc = ads_ranged_search(ads, tmp_ctx, LDAP_SCOPE_SUBTREE, ads->config.bind_path,
+ ldap_exp, &args, "member", &members, &num_members);
+
+ if (!ADS_ERR_OK(rc)) {
+ DEBUG(0,("ads_ranged_search failed with: %s\n", ads_errstr(rc)));
+ status = NT_STATUS_UNSUCCESSFUL;
+ goto done;
+ }
+
+ DEBUG(10, ("ads lookup_groupmem: got %d sids via extended dn call\n", (int)num_members));
+
+ status = add_primary_group_members(ads, mem_ctx, rid,
+ &members, &num_members);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(10, ("%s: add_primary_group_members failed: %s\n",
+ __func__, nt_errstr(status)));
+ goto done;
+ }
+
+ DEBUG(10, ("%s: Got %d sids after adding primary group members\n",
+ __func__, (int)num_members));
+
+ /* Now that we have a list of sids, we need to get the
+ * lists of names and name_types belonging to these sids.
+ * even though conceptually not quite clean, we use the
+ * RPC call lsa_lookup_sids for this since it can handle a
+ * list of sids. ldap calls can just resolve one sid at a time.
+ *
+ * At this stage, the sids are still hidden in the exetended dn
+ * member output format. We actually do a little better than
+ * stated above: In extracting the sids from the member strings,
+ * we try to resolve as many sids as possible from the
+ * cache. Only the rest is passed to the lsa_lookup_sids call. */
+
+ if (num_members) {
+ (*sid_mem) = talloc_zero_array(mem_ctx, struct dom_sid, num_members);
+ (*names) = talloc_zero_array(mem_ctx, char *, num_members);
+ (*name_types) = talloc_zero_array(mem_ctx, uint32_t, num_members);
+ (sid_mem_nocache) = talloc_zero_array(tmp_ctx, struct dom_sid, num_members);
+
+ if ((members == NULL) || (*sid_mem == NULL) ||
+ (*names == NULL) || (*name_types == NULL) ||
+ (sid_mem_nocache == NULL))
+ {
+ DEBUG(1, ("ads: lookup_groupmem: talloc failed\n"));
+ status = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
+ }
+ else {
+ (*sid_mem) = NULL;
+ (*names) = NULL;
+ (*name_types) = NULL;
+ }
+
+ for (i=0; i<num_members; i++) {
+ enum lsa_SidType name_type;
+ char *name, *domain_name;
+ struct dom_sid sid;
+
+ rc = ads_get_sid_from_extended_dn(tmp_ctx, members[i], args.val,
+ &sid);
+ if (!ADS_ERR_OK(rc)) {
+ if (NT_STATUS_EQUAL(ads_ntstatus(rc),
+ NT_STATUS_NOT_FOUND)) {
+ /* Group members can be objects, like Exchange
+ * Public Folders, that don't have a SID. Skip
+ * them. */
+ continue;
+ }
+ else {
+ status = ads_ntstatus(rc);
+ goto done;
+ }
+ }
+ if (lookup_cached_sid(mem_ctx, &sid, &domain_name, &name,
+ &name_type)) {
+ DEBUG(10,("ads: lookup_groupmem: got sid %s from "
+ "cache\n",
+ dom_sid_str_buf(&sid, &buf)));
+ sid_copy(&(*sid_mem)[*num_names], &sid);
+ (*names)[*num_names] = fill_domain_username_talloc(
+ *names,
+ domain_name,
+ name,
+ true);
+
+ (*name_types)[*num_names] = name_type;
+ (*num_names)++;
+ }
+ else {
+ DEBUG(10, ("ads: lookup_groupmem: sid %s not found in "
+ "cache\n",
+ dom_sid_str_buf(&sid, &buf)));
+ sid_copy(&(sid_mem_nocache)[num_nocache], &sid);
+ num_nocache++;
+ }
+ }
+
+ DEBUG(10, ("ads: lookup_groupmem: %d sids found in cache, "
+ "%d left for lsa_lookupsids\n", *num_names, num_nocache));
+
+ /* handle sids not resolved from cache by lsa_lookup_sids */
+ if (num_nocache > 0) {
+
+ status = winbindd_lookup_sids(tmp_ctx,
+ domain,
+ num_nocache,
+ sid_mem_nocache,
+ &domains_nocache,
+ &names_nocache,
+ &name_types_nocache);
+
+ if (!(NT_STATUS_IS_OK(status) ||
+ NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED) ||
+ NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)))
+ {
+ DEBUG(1, ("lsa_lookupsids call failed with %s "
+ "- retrying...\n", nt_errstr(status)));
+
+ status = winbindd_lookup_sids(tmp_ctx,
+ domain,
+ num_nocache,
+ sid_mem_nocache,
+ &domains_nocache,
+ &names_nocache,
+ &name_types_nocache);
+ }
+
+ if (NT_STATUS_IS_OK(status) ||
+ NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED))
+ {
+ /* Copy the entries over from the "_nocache" arrays
+ * to the result arrays, skipping the gaps the
+ * lookup_sids call left. */
+ for (i=0; i < num_nocache; i++) {
+ if (((names_nocache)[i] != NULL) &&
+ ((name_types_nocache)[i] != SID_NAME_UNKNOWN))
+ {
+ sid_copy(&(*sid_mem)[*num_names],
+ &sid_mem_nocache[i]);
+ (*names)[*num_names] =
+ fill_domain_username_talloc(
+ *names,
+ domains_nocache[i],
+ names_nocache[i],
+ true);
+ (*name_types)[*num_names] = name_types_nocache[i];
+ (*num_names)++;
+ }
+ }
+ }
+ else if (NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)) {
+ DEBUG(10, ("lookup_groupmem: lsa_lookup_sids could "
+ "not map any SIDs at all.\n"));
+ /* Don't handle this as an error here.
+ * There is nothing left to do with respect to the
+ * overall result... */
+ }
+ else if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(10, ("lookup_groupmem: Error looking up %d "
+ "sids via rpc_lsa_lookup_sids: %s\n",
+ (int)num_members, nt_errstr(status)));
+ goto done;
+ }
+ }
+
+ status = NT_STATUS_OK;
+ DEBUG(3,("ads lookup_groupmem for sid=%s succeeded\n",
+ dom_sid_str_buf(group_sid, &buf)));
+
+done:
+
+ TALLOC_FREE(tmp_ctx);
+
+ return status;
+}
+
+/* find the lockout policy of a domain - use rpc methods */
+static NTSTATUS lockout_policy(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ struct samr_DomInfo12 *policy)
+{
+ return msrpc_methods.lockout_policy(domain, mem_ctx, policy);
+}
+
+/* find the password policy of a domain - use rpc methods */
+static NTSTATUS password_policy(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ struct samr_DomInfo1 *policy)
+{
+ return msrpc_methods.password_policy(domain, mem_ctx, policy);
+}
+
+/* get a list of trusted domains */
+static NTSTATUS trusted_domains(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ struct netr_DomainTrustList *trusts)
+{
+ NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
+ WERROR werr;
+ uint32_t i;
+ uint32_t flags;
+ struct rpc_pipe_client *cli;
+ int ret_count;
+ struct dcerpc_binding_handle *b;
+
+ DEBUG(3,("ads: trusted_domains\n"));
+
+ ZERO_STRUCTP(trusts);
+
+ /* If this is our primary domain or a root in our forest,
+ query for all trusts. If not, then just look for domain
+ trusts in the target forest */
+
+ if (domain->primary || domain_is_forest_root(domain)) {
+ flags = NETR_TRUST_FLAG_OUTBOUND |
+ NETR_TRUST_FLAG_INBOUND |
+ NETR_TRUST_FLAG_IN_FOREST;
+ } else {
+ flags = NETR_TRUST_FLAG_IN_FOREST;
+ }
+
+ result = cm_connect_netlogon(domain, &cli);
+
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(5, ("trusted_domains: Could not open a connection to %s "
+ "for PIPE_NETLOGON (%s)\n",
+ domain->name, nt_errstr(result)));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ b = cli->binding_handle;
+
+ result = dcerpc_netr_DsrEnumerateDomainTrusts(b, mem_ctx,
+ cli->desthost,
+ flags,
+ trusts,
+ &werr);
+ if (!NT_STATUS_IS_OK(result)) {
+ return result;
+ }
+
+ if (!W_ERROR_IS_OK(werr)) {
+ return werror_to_ntstatus(werr);
+ }
+ if (trusts->count == 0) {
+ return NT_STATUS_OK;
+ }
+
+ /* Copy across names and sids */
+
+ ret_count = 0;
+ for (i = 0; i < trusts->count; i++) {
+ struct netr_DomainTrust *trust = &trusts->array[i];
+ struct winbindd_domain d;
+
+ ZERO_STRUCT(d);
+
+ /*
+ * drop external trusts if this is not our primary
+ * domain. This means that the returned number of
+ * domains may be less that the ones actually trusted
+ * by the DC.
+ */
+
+ if ((trust->trust_attributes
+ & LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) &&
+ !domain->primary )
+ {
+ DEBUG(10,("trusted_domains: Skipping external trusted "
+ "domain %s because it is outside of our "
+ "primary domain\n",
+ trust->netbios_name));
+ continue;
+ }
+
+ /* add to the trusted domain cache */
+
+ d.name = discard_const_p(char, trust->netbios_name);
+ d.alt_name = discard_const_p(char, trust->dns_name);
+
+ if (trust->sid) {
+ sid_copy(&d.sid, trust->sid);
+ } else {
+ sid_copy(&d.sid, &global_sid_NULL);
+ }
+
+ if ( domain->primary ) {
+ DEBUG(10,("trusted_domains(ads): Searching "
+ "trusted domain list of %s and storing "
+ "trust flags for domain %s\n",
+ domain->name, d.alt_name));
+
+ d.domain_flags = trust->trust_flags;
+ d.domain_type = trust->trust_type;
+ d.domain_trust_attribs = trust->trust_attributes;
+
+ wcache_tdc_add_domain( &d );
+ ret_count++;
+ } else if (domain_is_forest_root(domain)) {
+ /* Check if we already have this record. If
+ * we are following our forest root that is not
+ * our primary domain, we want to keep trust
+ * flags from the perspective of our primary
+ * domain not our forest root. */
+ struct winbindd_tdc_domain *exist = NULL;
+
+ exist = wcache_tdc_fetch_domain(
+ talloc_tos(), trust->netbios_name);
+ if (!exist) {
+ DEBUG(10,("trusted_domains(ads): Searching "
+ "trusted domain list of %s and "
+ "storing trust flags for domain "
+ "%s\n", domain->name, d.alt_name));
+ d.domain_flags = trust->trust_flags;
+ d.domain_type = trust->trust_type;
+ d.domain_trust_attribs =
+ trust->trust_attributes;
+
+ wcache_tdc_add_domain( &d );
+ ret_count++;
+ }
+ TALLOC_FREE(exist);
+ } else {
+ /* This gets a little tricky. If we are
+ following a transitive forest trust, then
+ innerit the flags, type, and attribs from
+ the domain we queried to make sure we don't
+ record the view of the trust from the wrong
+ side. Always view it from the side of our
+ primary domain. --jerry */
+ struct winbindd_tdc_domain *parent = NULL;
+
+ DEBUG(10,("trusted_domains(ads): Searching "
+ "trusted domain list of %s and inheriting "
+ "trust flags for domain %s\n",
+ domain->name, d.alt_name));
+
+ parent = wcache_tdc_fetch_domain(talloc_tos(),
+ domain->name);
+ if (parent) {
+ d.domain_flags = parent->trust_flags;
+ d.domain_type = parent->trust_type;
+ d.domain_trust_attribs = parent->trust_attribs;
+ } else {
+ d.domain_flags = domain->domain_flags;
+ d.domain_type = domain->domain_type;
+ d.domain_trust_attribs =
+ domain->domain_trust_attribs;
+ }
+ TALLOC_FREE(parent);
+
+ /*
+ * We need to pass the modified properties
+ * to the caller.
+ */
+ trust->trust_flags = d.domain_flags;
+ trust->trust_type = d.domain_type;
+ trust->trust_attributes = d.domain_trust_attribs;
+
+ wcache_tdc_add_domain( &d );
+ ret_count++;
+ }
+ }
+ return result;
+}
+
+/* the ADS backend methods are exposed via this structure */
+struct winbindd_methods ads_methods = {
+ True,
+ query_user_list,
+ enum_dom_groups,
+ enum_local_groups,
+ name_to_sid,
+ sid_to_name,
+ rids_to_names,
+ lookup_usergroups,
+ lookup_useraliases,
+ lookup_groupmem,
+ lockout_policy,
+ password_policy,
+ trusted_domains,
+};
+
+#endif
diff --git a/source3/winbindd/winbindd_ads.h b/source3/winbindd/winbindd_ads.h
new file mode 100644
index 0000000..0fd9774
--- /dev/null
+++ b/source3/winbindd/winbindd_ads.h
@@ -0,0 +1,34 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ Winbind ADS backend functions
+
+ Copyright (C) Volker Lendecke 2017
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#ifndef __WINBINDD_ADS_H__
+#define __WINBINDD_ADS_H__
+
+
+#include "ads.h"
+
+extern struct winbindd_methods ads_methods;
+
+ADS_STATUS ads_idmap_cached_connection(const char *dom_name,
+ TALLOC_CTX *mem_ctx,
+ ADS_STRUCT **adsp);
+
+#endif
diff --git a/source3/winbindd/winbindd_allocate_gid.c b/source3/winbindd/winbindd_allocate_gid.c
new file mode 100644
index 0000000..2841d96
--- /dev/null
+++ b/source3/winbindd/winbindd_allocate_gid.c
@@ -0,0 +1,121 @@
+/*
+ Unix SMB/CIFS implementation.
+ async implementation of WINBINDD_ALLOCATE_GID
+ Copyright (C) Volker Lendecke 2009
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "winbindd.h"
+#include "librpc/gen_ndr/ndr_winbind_c.h"
+
+struct winbindd_allocate_gid_state {
+ struct tevent_context *ev;
+ uint64_t gid;
+};
+
+static void winbindd_allocate_gid_initialized(struct tevent_req *subreq);
+static void winbindd_allocate_gid_done(struct tevent_req *subreq);
+
+struct tevent_req *winbindd_allocate_gid_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request)
+{
+ struct tevent_req *req, *subreq;
+ struct winbindd_allocate_gid_state *state;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct winbindd_allocate_gid_state);
+ if (req == NULL) {
+ return NULL;
+ }
+ state->ev = ev;
+
+ DEBUG(3, ("allocate_gid\n"));
+
+ subreq = wb_parent_idmap_setup_send(state, ev);
+ if (tevent_req_nomem(subreq, req)) {
+ return tevent_req_post(req, ev);
+ }
+ tevent_req_set_callback(
+ subreq, winbindd_allocate_gid_initialized, req);
+ return req;
+}
+
+static void winbindd_allocate_gid_initialized(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct winbindd_allocate_gid_state *state = tevent_req_data(
+ req, struct winbindd_allocate_gid_state);
+ NTSTATUS status;
+ const struct wb_parent_idmap_config *cfg = NULL;
+ struct dcerpc_binding_handle *child_binding_handle = NULL;
+
+ status = wb_parent_idmap_setup_recv(subreq, &cfg);
+ TALLOC_FREE(subreq);
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
+ if (cfg->num_doms == 0) {
+ /*
+ * idmap_tdb also returns UNSUCCESSFUL if a range is full
+ */
+ tevent_req_nterror(req, NT_STATUS_UNSUCCESSFUL);
+ return;
+ }
+
+ child_binding_handle = idmap_child_handle();
+
+ subreq = dcerpc_wbint_AllocateGid_send(
+ state, state->ev, child_binding_handle, &state->gid);
+ if (tevent_req_nomem(subreq, req)) {
+ return;
+ }
+ tevent_req_set_callback(subreq, winbindd_allocate_gid_done, req);
+}
+
+static void winbindd_allocate_gid_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct winbindd_allocate_gid_state *state = tevent_req_data(
+ req, struct winbindd_allocate_gid_state);
+ NTSTATUS status, result;
+
+ status = dcerpc_wbint_AllocateGid_recv(subreq, state, &result);
+ TALLOC_FREE(subreq);
+ if (any_nt_status_not_ok(status, result, &status)) {
+ tevent_req_nterror(req, status);
+ return;
+ }
+ tevent_req_done(req);
+}
+
+NTSTATUS winbindd_allocate_gid_recv(struct tevent_req *req,
+ struct winbindd_response *response)
+{
+ struct winbindd_allocate_gid_state *state = tevent_req_data(
+ req, struct winbindd_allocate_gid_state);
+ NTSTATUS status;
+
+ if (tevent_req_is_nterror(req, &status)) {
+ DEBUG(5, ("Could not allocate gid: %s\n", nt_errstr(status)));
+ return status;
+ }
+ response->data.gid = state->gid;
+ return NT_STATUS_OK;
+}
diff --git a/source3/winbindd/winbindd_allocate_uid.c b/source3/winbindd/winbindd_allocate_uid.c
new file mode 100644
index 0000000..64711f1
--- /dev/null
+++ b/source3/winbindd/winbindd_allocate_uid.c
@@ -0,0 +1,122 @@
+/*
+ Unix SMB/CIFS implementation.
+ async implementation of WINBINDD_ALLOCATE_UID
+ Copyright (C) Volker Lendecke 2009
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "winbindd.h"
+#include "librpc/gen_ndr/ndr_winbind_c.h"
+
+struct winbindd_allocate_uid_state {
+ struct tevent_context *ev;
+ uint64_t uid;
+};
+
+static void winbindd_allocate_uid_initialized(struct tevent_req *subreq);
+static void winbindd_allocate_uid_done(struct tevent_req *subreq);
+
+struct tevent_req *winbindd_allocate_uid_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request)
+{
+ struct tevent_req *req, *subreq;
+ struct winbindd_allocate_uid_state *state;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct winbindd_allocate_uid_state);
+ if (req == NULL) {
+ return NULL;
+ }
+ state->ev = ev;
+
+ DEBUG(3, ("allocate_uid\n"));
+
+ subreq = wb_parent_idmap_setup_send(state, ev);
+ if (tevent_req_nomem(subreq, req)) {
+ return tevent_req_post(req, ev);
+ }
+ tevent_req_set_callback(subreq, winbindd_allocate_uid_initialized, req);
+ return req;
+}
+
+static void winbindd_allocate_uid_initialized(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct dcerpc_binding_handle *child_binding_handle = NULL;
+ struct winbindd_allocate_uid_state *state = tevent_req_data(
+ req, struct winbindd_allocate_uid_state);
+ const struct wb_parent_idmap_config *cfg = NULL;
+ NTSTATUS status;
+
+ status = wb_parent_idmap_setup_recv(subreq, &cfg);
+ TALLOC_FREE(subreq);
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
+ if (cfg->num_doms == 0) {
+ /*
+ * idmap_tdb also returns UNSUCCESSFUL if a range is full
+ */
+ tevent_req_nterror(req, NT_STATUS_UNSUCCESSFUL);
+ return;
+ }
+
+ child_binding_handle = idmap_child_handle();
+
+ subreq = dcerpc_wbint_AllocateUid_send(state,
+ state->ev,
+ child_binding_handle,
+ &state->uid);
+ if (tevent_req_nomem(subreq, req)) {
+ return;
+ }
+ tevent_req_set_callback(subreq, winbindd_allocate_uid_done, req);
+}
+
+static void winbindd_allocate_uid_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct winbindd_allocate_uid_state *state = tevent_req_data(
+ req, struct winbindd_allocate_uid_state);
+ NTSTATUS status, result;
+
+ status = dcerpc_wbint_AllocateUid_recv(subreq, state, &result);
+ TALLOC_FREE(subreq);
+ if (any_nt_status_not_ok(status, result, &status)) {
+ tevent_req_nterror(req, status);
+ return;
+ }
+ tevent_req_done(req);
+}
+
+NTSTATUS winbindd_allocate_uid_recv(struct tevent_req *req,
+ struct winbindd_response *response)
+{
+ struct winbindd_allocate_uid_state *state = tevent_req_data(
+ req, struct winbindd_allocate_uid_state);
+ NTSTATUS status;
+
+ if (tevent_req_is_nterror(req, &status)) {
+ DEBUG(5, ("Could not allocate uid: %s\n", nt_errstr(status)));
+ return status;
+ }
+ response->data.uid = state->uid;
+ return NT_STATUS_OK;
+}
diff --git a/source3/winbindd/winbindd_cache.c b/source3/winbindd/winbindd_cache.c
new file mode 100644
index 0000000..de8cab0
--- /dev/null
+++ b/source3/winbindd/winbindd_cache.c
@@ -0,0 +1,4805 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ Winbind cache backend functions
+
+ Copyright (C) Andrew Tridgell 2001
+ Copyright (C) Gerald Carter 2003-2007
+ Copyright (C) Volker Lendecke 2005
+ Copyright (C) Guenther Deschner 2005
+ Copyright (C) Michael Adam 2007
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "system/filesys.h"
+#include "winbindd.h"
+#include "tdb_validate.h"
+#include "../libcli/auth/libcli_auth.h"
+#include "../librpc/gen_ndr/ndr_winbind.h"
+#include "ads.h"
+#include "nss_info.h"
+#include "../libcli/security/security.h"
+#include "passdb/machine_sid.h"
+#include "util_tdb.h"
+#include "libsmb/samlogon_cache.h"
+#include "lib/namemap_cache.h"
+#include "lib/util/string_wrappers.h"
+
+#include "lib/crypto/gnutls_helpers.h"
+#include <gnutls/crypto.h>
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_WINBIND
+
+#define WINBINDD_CACHE_VER1 1 /* initial db version */
+#define WINBINDD_CACHE_VER2 2 /* second version with timeouts for NDR entries */
+
+#define WINBINDD_CACHE_VERSION WINBINDD_CACHE_VER2
+#define WINBINDD_CACHE_VERSION_KEYSTR "WINBINDD_CACHE_VERSION"
+
+extern struct winbindd_methods reconnect_methods;
+#ifdef HAVE_ADS
+extern struct winbindd_methods reconnect_ads_methods;
+#endif
+extern struct winbindd_methods builtin_passdb_methods;
+extern struct winbindd_methods sam_passdb_methods;
+
+static void wcache_flush_cache(void);
+
+static bool opt_nocache = False;
+
+/*
+ * JRA. KEEP THIS LIST UP TO DATE IF YOU ADD CACHE ENTRIES.
+ * Here are the list of entry types that are *not* stored
+ * as form struct cache_entry in the cache.
+ */
+
+static const char *non_centry_keys[] = {
+ "SEQNUM/",
+ "WINBINDD_OFFLINE",
+ WINBINDD_CACHE_VERSION_KEYSTR,
+ NULL
+};
+
+bool winbindd_use_idmap_cache(void)
+{
+ return !opt_nocache;
+}
+
+bool winbindd_use_cache(void)
+{
+ return !opt_nocache;
+}
+
+void winbindd_set_use_cache(bool use_cache)
+{
+ opt_nocache = !use_cache;
+}
+
+void winbindd_flush_caches(void)
+{
+ /* We need to invalidate cached user list entries on a SIGHUP
+ otherwise cached access denied errors due to restrict anonymous
+ hang around until the sequence number changes. */
+
+ if (!wcache_invalidate_cache()) {
+ DEBUG(0, ("invalidating the cache failed; revalidate the cache\n"));
+ if (!winbindd_cache_validate_and_initialize()) {
+ exit(1);
+ }
+ }
+}
+
+/************************************************************************
+ Is this key a non-centry type ?
+************************************************************************/
+
+static bool is_non_centry_key(TDB_DATA kbuf)
+{
+ int i;
+
+ if (kbuf.dptr == NULL || kbuf.dsize == 0) {
+ return false;
+ }
+ for (i = 0; non_centry_keys[i] != NULL; i++) {
+ size_t namelen = strlen(non_centry_keys[i]);
+ if (kbuf.dsize < namelen) {
+ continue;
+ }
+ if (strncmp(non_centry_keys[i], (const char *)kbuf.dptr, namelen) == 0) {
+ return true;
+ }
+ }
+ return false;
+}
+
+struct winbind_cache {
+ TDB_CONTEXT *tdb;
+};
+
+struct cache_entry {
+ NTSTATUS status;
+ uint32_t sequence_number;
+ uint64_t timeout;
+ uint8_t *data;
+ uint32_t len, ofs;
+};
+
+void (*smb_panic_fn)(const char *const why) = smb_panic;
+
+static struct winbind_cache *wcache;
+
+static char *wcache_path(void)
+{
+ /*
+ * Data needs to be kept persistent in state directory for
+ * running with "winbindd offline logon".
+ */
+ return state_path(talloc_tos(), "winbindd_cache.tdb");
+}
+
+static void winbindd_domain_init_backend(struct winbindd_domain *domain)
+{
+ if (domain->backend != NULL) {
+ return;
+ }
+
+ if (domain->internal) {
+ domain->backend = &builtin_passdb_methods;
+ }
+
+ if (dom_sid_equal(&domain->sid, &global_sid_Builtin)) {
+ domain->initialized = true;
+ }
+
+ if (strequal(domain->name, get_global_sam_name()) &&
+ sid_check_is_our_sam(&domain->sid))
+ {
+ domain->backend = &sam_passdb_methods;
+ }
+
+ if (!domain->initialized) {
+ /* We do not need a connection to an RW DC for cache operation */
+ init_dc_connection(domain, false);
+ }
+
+#ifdef HAVE_ADS
+ if (domain->backend == NULL) {
+ struct winbindd_domain *our_domain = domain;
+
+ /* find our domain first so we can figure out if we
+ are joined to a kerberized domain */
+
+ if (!domain->primary) {
+ our_domain = find_our_domain();
+ }
+
+ if ((our_domain->active_directory || IS_DC)
+ && domain->active_directory
+ && !lp_winbind_rpc_only())
+ {
+ DBG_INFO("Setting ADS methods for domain %s\n",
+ domain->name);
+ domain->backend = &reconnect_ads_methods;
+ }
+ }
+#endif /* HAVE_ADS */
+
+ if (domain->backend == NULL) {
+ DBG_INFO("Setting MS-RPC methods for domain %s\n", domain->name);
+ domain->backend = &reconnect_methods;
+ }
+}
+
+/* get the winbind_cache structure */
+static struct winbind_cache *get_cache(struct winbindd_domain *domain)
+{
+ struct winbind_cache *ret = wcache;
+
+ winbindd_domain_init_backend(domain);
+
+ if (ret != NULL) {
+ return ret;
+ }
+
+ ret = SMB_XMALLOC_P(struct winbind_cache);
+ ZERO_STRUCTP(ret);
+
+ wcache = ret;
+ wcache_flush_cache();
+
+ return ret;
+}
+
+/*
+ free a centry structure
+*/
+static void centry_free(struct cache_entry *centry)
+{
+ if (!centry)
+ return;
+ SAFE_FREE(centry->data);
+ free(centry);
+}
+
+static bool centry_check_bytes(struct cache_entry *centry, size_t nbytes)
+{
+ if (centry->len - centry->ofs < nbytes) {
+ DEBUG(0,("centry corruption? needed %u bytes, have %d\n",
+ (unsigned int)nbytes,
+ centry->len - centry->ofs));
+ return false;
+ }
+ return true;
+}
+
+/*
+ pull a uint64_t from a cache entry
+*/
+static uint64_t centry_uint64_t(struct cache_entry *centry)
+{
+ uint64_t ret;
+
+ if (!centry_check_bytes(centry, 8)) {
+ smb_panic_fn("centry_uint64_t");
+ }
+ ret = BVAL(centry->data, centry->ofs);
+ centry->ofs += 8;
+ return ret;
+}
+
+/*
+ pull a uint32_t from a cache entry
+*/
+static uint32_t centry_uint32(struct cache_entry *centry)
+{
+ uint32_t ret;
+
+ if (!centry_check_bytes(centry, 4)) {
+ smb_panic_fn("centry_uint32");
+ }
+ ret = IVAL(centry->data, centry->ofs);
+ centry->ofs += 4;
+ return ret;
+}
+
+/*
+ pull a uint16_t from a cache entry
+*/
+static uint16_t centry_uint16(struct cache_entry *centry)
+{
+ uint16_t ret;
+ if (!centry_check_bytes(centry, 2)) {
+ smb_panic_fn("centry_uint16");
+ }
+ ret = SVAL(centry->data, centry->ofs);
+ centry->ofs += 2;
+ return ret;
+}
+
+/*
+ pull a uint8_t from a cache entry
+*/
+static uint8_t centry_uint8(struct cache_entry *centry)
+{
+ uint8_t ret;
+ if (!centry_check_bytes(centry, 1)) {
+ smb_panic_fn("centry_uint8");
+ }
+ ret = CVAL(centry->data, centry->ofs);
+ centry->ofs += 1;
+ return ret;
+}
+
+/*
+ pull a NTTIME from a cache entry
+*/
+static NTTIME centry_nttime(struct cache_entry *centry)
+{
+ NTTIME ret;
+ if (!centry_check_bytes(centry, 8)) {
+ smb_panic_fn("centry_nttime");
+ }
+ ret = IVAL(centry->data, centry->ofs);
+ centry->ofs += 4;
+ ret += (uint64_t)IVAL(centry->data, centry->ofs) << 32;
+ centry->ofs += 4;
+ return ret;
+}
+
+/*
+ pull a time_t from a cache entry. time_t stored portably as a 64-bit time.
+*/
+static time_t centry_time(struct cache_entry *centry)
+{
+ return (time_t)centry_nttime(centry);
+}
+
+/* pull a string from a cache entry, using the supplied
+ talloc context
+*/
+static char *centry_string(struct cache_entry *centry, TALLOC_CTX *mem_ctx)
+{
+ uint32_t len;
+ char *ret;
+
+ len = centry_uint8(centry);
+
+ if (len == 0xFF) {
+ /* a deliberate NULL string */
+ return NULL;
+ }
+
+ if (!centry_check_bytes(centry, (size_t)len)) {
+ smb_panic_fn("centry_string");
+ }
+
+ ret = talloc_array(mem_ctx, char, len+1);
+ if (!ret) {
+ smb_panic_fn("centry_string out of memory\n");
+ }
+ memcpy(ret,centry->data + centry->ofs, len);
+ ret[len] = 0;
+ centry->ofs += len;
+ return ret;
+}
+
+/* pull a hash16 from a cache entry, using the supplied
+ talloc context
+*/
+static char *centry_hash16(struct cache_entry *centry, TALLOC_CTX *mem_ctx)
+{
+ uint32_t len;
+ char *ret;
+
+ len = centry_uint8(centry);
+
+ if (len != 16) {
+ DEBUG(0,("centry corruption? hash len (%u) != 16\n",
+ len ));
+ return NULL;
+ }
+
+ if (!centry_check_bytes(centry, 16)) {
+ return NULL;
+ }
+
+ ret = talloc_array(mem_ctx, char, 16);
+ if (!ret) {
+ smb_panic_fn("centry_hash out of memory\n");
+ }
+ memcpy(ret,centry->data + centry->ofs, 16);
+ centry->ofs += 16;
+ return ret;
+}
+
+/* pull a sid from a cache entry, using the supplied
+ talloc context
+*/
+static bool centry_sid(struct cache_entry *centry, struct dom_sid *sid)
+{
+ char *sid_string;
+ bool ret;
+
+ sid_string = centry_string(centry, talloc_tos());
+ if (sid_string == NULL) {
+ return false;
+ }
+ ret = string_to_sid(sid, sid_string);
+ TALLOC_FREE(sid_string);
+ return ret;
+}
+
+
+/*
+ pull a NTSTATUS from a cache entry
+*/
+static NTSTATUS centry_ntstatus(struct cache_entry *centry)
+{
+ NTSTATUS status;
+
+ status = NT_STATUS(centry_uint32(centry));
+ return status;
+}
+
+
+/* the server is considered down if it can't give us a sequence number */
+static bool wcache_server_down(struct winbindd_domain *domain)
+{
+ bool ret;
+
+ if (!wcache->tdb)
+ return false;
+
+ ret = (domain->sequence_number == DOM_SEQUENCE_NONE);
+
+ if (ret)
+ DEBUG(10,("wcache_server_down: server for Domain %s down\n",
+ domain->name ));
+ return ret;
+}
+
+struct wcache_seqnum_state {
+ uint32_t *seqnum;
+ uint32_t *last_seq_check;
+};
+
+static int wcache_seqnum_parser(TDB_DATA key, TDB_DATA data,
+ void *private_data)
+{
+ struct wcache_seqnum_state *state = private_data;
+
+ if (data.dsize != 8) {
+ DEBUG(10, ("wcache_fetch_seqnum: invalid data size %d\n",
+ (int)data.dsize));
+ return -1;
+ }
+
+ *state->seqnum = IVAL(data.dptr, 0);
+ *state->last_seq_check = IVAL(data.dptr, 4);
+ return 0;
+}
+
+static bool wcache_fetch_seqnum(const char *domain_name, uint32_t *seqnum,
+ uint32_t *last_seq_check)
+{
+ struct wcache_seqnum_state state = {
+ .seqnum = seqnum, .last_seq_check = last_seq_check
+ };
+ size_t len = strlen(domain_name);
+ char keystr[len+8];
+ TDB_DATA key = { .dptr = (uint8_t *)keystr, .dsize = sizeof(keystr) };
+ int ret;
+
+ if (wcache->tdb == NULL) {
+ DEBUG(10,("wcache_fetch_seqnum: tdb == NULL\n"));
+ return false;
+ }
+
+ snprintf(keystr, sizeof(keystr), "SEQNUM/%s", domain_name);
+
+ ret = tdb_parse_record(wcache->tdb, key, wcache_seqnum_parser,
+ &state);
+ return (ret == 0);
+}
+
+static NTSTATUS fetch_cache_seqnum( struct winbindd_domain *domain, time_t now )
+{
+ uint32_t last_check, time_diff;
+
+ if (!wcache_fetch_seqnum(domain->name, &domain->sequence_number,
+ &last_check)) {
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+ domain->last_seq_check = last_check;
+
+ /* have we expired? */
+
+ time_diff = now - domain->last_seq_check;
+ if ((int)time_diff > lp_winbind_cache_time()) {
+ DEBUG(10,("fetch_cache_seqnum: timeout [%s][%u @ %u]\n",
+ domain->name, domain->sequence_number,
+ (uint32_t)domain->last_seq_check));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ DEBUG(10,("fetch_cache_seqnum: success [%s][%u @ %u]\n",
+ domain->name, domain->sequence_number,
+ (uint32_t)domain->last_seq_check));
+
+ return NT_STATUS_OK;
+}
+
+bool wcache_store_seqnum(const char *domain_name, uint32_t seqnum,
+ time_t last_seq_check)
+{
+ size_t len = strlen(domain_name);
+ char keystr[len+8];
+ TDB_DATA key = { .dptr = (uint8_t *)keystr, .dsize = sizeof(keystr) };
+ uint8_t buf[8];
+ int ret;
+
+ if (wcache->tdb == NULL) {
+ DEBUG(10, ("wcache_store_seqnum: wcache->tdb == NULL\n"));
+ return false;
+ }
+
+ snprintf(keystr, sizeof(keystr), "SEQNUM/%s", domain_name);
+
+ SIVAL(buf, 0, seqnum);
+ SIVAL(buf, 4, last_seq_check);
+
+ ret = tdb_store(wcache->tdb, key, make_tdb_data(buf, sizeof(buf)),
+ TDB_REPLACE);
+ if (ret != 0) {
+ DEBUG(10, ("tdb_store_bystring failed: %s\n",
+ tdb_errorstr(wcache->tdb)));
+ return false;
+ }
+
+ DEBUG(10, ("wcache_store_seqnum: success [%s][%u @ %u]\n",
+ domain_name, seqnum, (unsigned)last_seq_check));
+
+ return true;
+}
+
+static bool store_cache_seqnum( struct winbindd_domain *domain )
+{
+ return wcache_store_seqnum(domain->name, domain->sequence_number,
+ domain->last_seq_check);
+}
+
+/*
+ refresh the domain sequence number on timeout.
+*/
+
+static void refresh_sequence_number(struct winbindd_domain *domain)
+{
+ NTSTATUS status;
+ unsigned time_diff;
+ time_t t = time(NULL);
+ unsigned cache_time = lp_winbind_cache_time();
+
+ if (is_domain_offline(domain)) {
+ return;
+ }
+
+ get_cache( domain );
+
+ time_diff = t - domain->last_seq_check;
+
+ /* see if we have to refetch the domain sequence number */
+ if ((time_diff < cache_time) &&
+ (domain->sequence_number != DOM_SEQUENCE_NONE) &&
+ NT_STATUS_IS_OK(domain->last_status)) {
+ DEBUG(10, ("refresh_sequence_number: %s time ok\n", domain->name));
+ goto done;
+ }
+
+ /* try to get the sequence number from the tdb cache first */
+ /* this will update the timestamp as well */
+
+ status = fetch_cache_seqnum( domain, t );
+ if (NT_STATUS_IS_OK(status) &&
+ (domain->sequence_number != DOM_SEQUENCE_NONE) &&
+ NT_STATUS_IS_OK(domain->last_status)) {
+ goto done;
+ }
+
+ /* just use the current time */
+ domain->last_status = NT_STATUS_OK;
+ domain->sequence_number = time(NULL);
+ domain->last_seq_check = time(NULL);
+
+ /* save the new sequence number in the cache */
+ store_cache_seqnum( domain );
+
+done:
+ DEBUG(10, ("refresh_sequence_number: %s seq number is now %d\n",
+ domain->name, domain->sequence_number));
+
+ return;
+}
+
+/*
+ decide if a cache entry has expired
+*/
+static bool centry_expired(struct winbindd_domain *domain, const char *keystr, struct cache_entry *centry)
+{
+ /* If we've been told to be offline - stay in that state... */
+ if (lp_winbind_offline_logon() && get_global_winbindd_state_offline()) {
+ DEBUG(10,("centry_expired: Key %s for domain %s valid as winbindd is globally offline.\n",
+ keystr, domain->name ));
+ return false;
+ }
+
+ /* when the domain is offline return the cached entry.
+ * This deals with transient offline states... */
+
+ if (!domain->online) {
+ DEBUG(10,("centry_expired: Key %s for domain %s valid as domain is offline.\n",
+ keystr, domain->name ));
+ return false;
+ }
+
+ /* if the server is OK and our cache entry came from when it was down then
+ the entry is invalid */
+ if ((domain->sequence_number != DOM_SEQUENCE_NONE) &&
+ (centry->sequence_number == DOM_SEQUENCE_NONE)) {
+ DEBUG(10,("centry_expired: Key %s for domain %s invalid sequence.\n",
+ keystr, domain->name ));
+ return true;
+ }
+
+ /* if the server is down or the cache entry is not older than the
+ current sequence number or it did not timeout then it is OK */
+ if (wcache_server_down(domain)
+ || ((centry->sequence_number == domain->sequence_number)
+ && ((time_t)centry->timeout > time(NULL)))) {
+ DEBUG(10,("centry_expired: Key %s for domain %s is good.\n",
+ keystr, domain->name ));
+ return false;
+ }
+
+ DEBUG(10,("centry_expired: Key %s for domain %s expired\n",
+ keystr, domain->name ));
+
+ /* it's expired */
+ return true;
+}
+
+static struct cache_entry *wcache_fetch_raw(char *kstr)
+{
+ TDB_DATA data;
+ struct cache_entry *centry;
+ TDB_DATA key;
+
+ key = string_tdb_data(kstr);
+ data = tdb_fetch(wcache->tdb, key);
+ if (!data.dptr) {
+ /* a cache miss */
+ return NULL;
+ }
+
+ centry = SMB_XMALLOC_P(struct cache_entry);
+ centry->data = (unsigned char *)data.dptr;
+ centry->len = data.dsize;
+ centry->ofs = 0;
+
+ if (centry->len < 16) {
+ /* huh? corrupt cache? */
+ DEBUG(10,("wcache_fetch_raw: Corrupt cache for key %s "
+ "(len < 16)?\n", kstr));
+ centry_free(centry);
+ return NULL;
+ }
+
+ centry->status = centry_ntstatus(centry);
+ centry->sequence_number = centry_uint32(centry);
+ centry->timeout = centry_uint64_t(centry);
+
+ return centry;
+}
+
+static bool is_my_own_sam_domain(struct winbindd_domain *domain)
+{
+ if (strequal(domain->name, get_global_sam_name()) &&
+ sid_check_is_our_sam(&domain->sid)) {
+ return true;
+ }
+
+ return false;
+}
+
+static bool is_builtin_domain(struct winbindd_domain *domain)
+{
+ if (strequal(domain->name, "BUILTIN") &&
+ sid_check_is_builtin(&domain->sid)) {
+ return true;
+ }
+
+ return false;
+}
+
+/*
+ fetch an entry from the cache, with a varargs key. auto-fetch the sequence
+ number and return status
+*/
+static struct cache_entry *wcache_fetch(struct winbind_cache *cache,
+ struct winbindd_domain *domain,
+ const char *format, ...) PRINTF_ATTRIBUTE(3,4);
+static struct cache_entry *wcache_fetch(struct winbind_cache *cache,
+ struct winbindd_domain *domain,
+ const char *format, ...)
+{
+ va_list ap;
+ char *kstr;
+ struct cache_entry *centry;
+ int ret;
+
+ if (!winbindd_use_cache() ||
+ is_my_own_sam_domain(domain) ||
+ is_builtin_domain(domain)) {
+ return NULL;
+ }
+
+ refresh_sequence_number(domain);
+
+ va_start(ap, format);
+ ret = vasprintf(&kstr, format, ap);
+ va_end(ap);
+
+ if (ret == -1) {
+ return NULL;
+ }
+
+ centry = wcache_fetch_raw(kstr);
+ if (centry == NULL) {
+ free(kstr);
+ return NULL;
+ }
+
+ if (centry_expired(domain, kstr, centry)) {
+
+ DEBUG(10,("wcache_fetch: entry %s expired for domain %s\n",
+ kstr, domain->name ));
+
+ centry_free(centry);
+ free(kstr);
+ return NULL;
+ }
+
+ DEBUG(10,("wcache_fetch: returning entry %s for domain %s\n",
+ kstr, domain->name ));
+
+ free(kstr);
+ return centry;
+}
+
+static void wcache_delete(const char *format, ...) PRINTF_ATTRIBUTE(1,2);
+static void wcache_delete(const char *format, ...)
+{
+ va_list ap;
+ char *kstr;
+ TDB_DATA key;
+ int ret;
+
+ va_start(ap, format);
+ ret = vasprintf(&kstr, format, ap);
+ va_end(ap);
+
+ if (ret == -1) {
+ return;
+ }
+
+ key = string_tdb_data(kstr);
+
+ tdb_delete(wcache->tdb, key);
+ free(kstr);
+}
+
+/*
+ make sure we have at least len bytes available in a centry
+*/
+static void centry_expand(struct cache_entry *centry, uint32_t len)
+{
+ if (centry->len - centry->ofs >= len)
+ return;
+ centry->len *= 2;
+ centry->data = SMB_REALLOC_ARRAY(centry->data, unsigned char,
+ centry->len);
+ if (!centry->data) {
+ DEBUG(0,("out of memory: needed %d bytes in centry_expand\n", centry->len));
+ smb_panic_fn("out of memory in centry_expand");
+ }
+}
+
+/*
+ push a uint64_t into a centry
+*/
+static void centry_put_uint64_t(struct cache_entry *centry, uint64_t v)
+{
+ centry_expand(centry, 8);
+ SBVAL(centry->data, centry->ofs, v);
+ centry->ofs += 8;
+}
+
+/*
+ push a uint32_t into a centry
+*/
+static void centry_put_uint32(struct cache_entry *centry, uint32_t v)
+{
+ centry_expand(centry, 4);
+ SIVAL(centry->data, centry->ofs, v);
+ centry->ofs += 4;
+}
+
+/*
+ push a uint16_t into a centry
+*/
+static void centry_put_uint16(struct cache_entry *centry, uint16_t v)
+{
+ centry_expand(centry, 2);
+ SSVAL(centry->data, centry->ofs, v);
+ centry->ofs += 2;
+}
+
+/*
+ push a uint8_t into a centry
+*/
+static void centry_put_uint8(struct cache_entry *centry, uint8_t v)
+{
+ centry_expand(centry, 1);
+ SCVAL(centry->data, centry->ofs, v);
+ centry->ofs += 1;
+}
+
+/*
+ push a string into a centry
+ */
+static void centry_put_string(struct cache_entry *centry, const char *s)
+{
+ int len;
+
+ if (!s) {
+ /* null strings are marked as len 0xFFFF */
+ centry_put_uint8(centry, 0xFF);
+ return;
+ }
+
+ len = strlen(s);
+ /* can't handle more than 254 char strings. Truncating is probably best */
+ if (len > 254) {
+ DEBUG(10,("centry_put_string: truncating len (%d) to: 254\n", len));
+ len = 254;
+ }
+ centry_put_uint8(centry, len);
+ centry_expand(centry, len);
+ memcpy(centry->data + centry->ofs, s, len);
+ centry->ofs += len;
+}
+
+/*
+ push a 16 byte hash into a centry - treat as 16 byte string.
+ */
+static void centry_put_hash16(struct cache_entry *centry, const uint8_t val[16])
+{
+ centry_put_uint8(centry, 16);
+ centry_expand(centry, 16);
+ memcpy(centry->data + centry->ofs, val, 16);
+ centry->ofs += 16;
+}
+
+static void centry_put_sid(struct cache_entry *centry, const struct dom_sid *sid)
+{
+ struct dom_sid_buf sid_string;
+ centry_put_string(centry, dom_sid_str_buf(sid, &sid_string));
+}
+
+
+/*
+ put NTSTATUS into a centry
+*/
+static void centry_put_ntstatus(struct cache_entry *centry, NTSTATUS status)
+{
+ uint32_t status_value = NT_STATUS_V(status);
+ centry_put_uint32(centry, status_value);
+}
+
+
+/*
+ push a NTTIME into a centry
+*/
+static void centry_put_nttime(struct cache_entry *centry, NTTIME nt)
+{
+ centry_expand(centry, 8);
+ SIVAL(centry->data, centry->ofs, nt & 0xFFFFFFFF);
+ centry->ofs += 4;
+ SIVAL(centry->data, centry->ofs, nt >> 32);
+ centry->ofs += 4;
+}
+
+/*
+ push a time_t into a centry - use a 64 bit size.
+ NTTIME here is being used as a convenient 64-bit size.
+*/
+static void centry_put_time(struct cache_entry *centry, time_t t)
+{
+ NTTIME nt = (NTTIME)t;
+ centry_put_nttime(centry, nt);
+}
+
+/*
+ start a centry for output. When finished, call centry_end()
+*/
+static struct cache_entry *centry_start(struct winbindd_domain *domain,
+ NTSTATUS status)
+{
+ struct cache_entry *centry;
+
+ if (!wcache->tdb)
+ return NULL;
+
+ centry = SMB_XMALLOC_P(struct cache_entry);
+
+ centry->len = 8192; /* reasonable default */
+ centry->data = SMB_XMALLOC_ARRAY(uint8_t, centry->len);
+ centry->ofs = 0;
+ centry->sequence_number = domain->sequence_number;
+ centry->timeout = lp_winbind_cache_time() + time(NULL);
+ centry_put_ntstatus(centry, status);
+ centry_put_uint32(centry, centry->sequence_number);
+ centry_put_uint64_t(centry, centry->timeout);
+ return centry;
+}
+
+/*
+ finish a centry and write it to the tdb
+*/
+static void centry_end(struct cache_entry *centry, const char *format, ...) PRINTF_ATTRIBUTE(2,3);
+static void centry_end(struct cache_entry *centry, const char *format, ...)
+{
+ va_list ap;
+ char *kstr;
+ TDB_DATA key, data;
+ int ret;
+
+ if (!winbindd_use_cache()) {
+ return;
+ }
+
+ va_start(ap, format);
+ ret = vasprintf(&kstr, format, ap);
+ va_end(ap);
+
+ if (ret == -1) {
+ return;
+ }
+
+ key = string_tdb_data(kstr);
+ data.dptr = centry->data;
+ data.dsize = centry->ofs;
+
+ tdb_store(wcache->tdb, key, data, TDB_REPLACE);
+ free(kstr);
+}
+
+static void wcache_save_name_to_sid(struct winbindd_domain *domain,
+ NTSTATUS status, const char *domain_name,
+ const char *name, const struct dom_sid *sid,
+ enum lsa_SidType type)
+{
+ bool ok;
+
+ ok = namemap_cache_set_name2sid(domain_name, name, sid, type,
+ time(NULL) + lp_winbind_cache_time());
+ if (!ok) {
+ DBG_DEBUG("namemap_cache_set_name2sid failed\n");
+ }
+
+ /*
+ * Don't store the reverse mapping. The name came from user
+ * input, and we might not have the correct capitalization,
+ * which is important for nsswitch.
+ */
+}
+
+static void wcache_save_sid_to_name(struct winbindd_domain *domain, NTSTATUS status,
+ const struct dom_sid *sid, const char *domain_name, const char *name, enum lsa_SidType type)
+{
+ bool ok;
+
+ ok = namemap_cache_set_sid2name(sid, domain_name, name, type,
+ time(NULL) + lp_winbind_cache_time());
+ if (!ok) {
+ DBG_DEBUG("namemap_cache_set_sid2name failed\n");
+ }
+
+ if (type != SID_NAME_UNKNOWN) {
+ ok = namemap_cache_set_name2sid(
+ domain_name, name, sid, type,
+ time(NULL) + lp_winbind_cache_time());
+ if (!ok) {
+ DBG_DEBUG("namemap_cache_set_name2sid failed\n");
+ }
+ }
+}
+
+static void wcache_save_lockout_policy(struct winbindd_domain *domain,
+ NTSTATUS status,
+ struct samr_DomInfo12 *lockout_policy)
+{
+ struct cache_entry *centry;
+
+ centry = centry_start(domain, status);
+ if (!centry)
+ return;
+
+ centry_put_nttime(centry, lockout_policy->lockout_duration);
+ centry_put_nttime(centry, lockout_policy->lockout_window);
+ centry_put_uint16(centry, lockout_policy->lockout_threshold);
+
+ centry_end(centry, "LOC_POL/%s", domain->name);
+
+ DEBUG(10,("wcache_save_lockout_policy: %s\n", domain->name));
+
+ centry_free(centry);
+}
+
+
+
+static void wcache_save_password_policy(struct winbindd_domain *domain,
+ NTSTATUS status,
+ struct samr_DomInfo1 *policy)
+{
+ struct cache_entry *centry;
+
+ centry = centry_start(domain, status);
+ if (!centry)
+ return;
+
+ centry_put_uint16(centry, policy->min_password_length);
+ centry_put_uint16(centry, policy->password_history_length);
+ centry_put_uint32(centry, policy->password_properties);
+ centry_put_nttime(centry, policy->max_password_age);
+ centry_put_nttime(centry, policy->min_password_age);
+
+ centry_end(centry, "PWD_POL/%s", domain->name);
+
+ DEBUG(10,("wcache_save_password_policy: %s\n", domain->name));
+
+ centry_free(centry);
+}
+
+/***************************************************************************
+ ***************************************************************************/
+
+static void wcache_save_username_alias(struct winbindd_domain *domain,
+ NTSTATUS status,
+ const char *name, const char *alias)
+{
+ struct cache_entry *centry;
+ fstring uname;
+
+ if ( (centry = centry_start(domain, status)) == NULL )
+ return;
+
+ centry_put_string( centry, alias );
+
+ fstrcpy(uname, name);
+ (void)strupper_m(uname);
+ centry_end(centry, "NSS/NA/%s", uname);
+
+ DEBUG(10,("wcache_save_username_alias: %s -> %s\n", name, alias ));
+
+ centry_free(centry);
+}
+
+static void wcache_save_alias_username(struct winbindd_domain *domain,
+ NTSTATUS status,
+ const char *alias, const char *name)
+{
+ struct cache_entry *centry;
+ fstring uname;
+
+ if ( (centry = centry_start(domain, status)) == NULL )
+ return;
+
+ centry_put_string( centry, name );
+
+ fstrcpy(uname, alias);
+ (void)strupper_m(uname);
+ centry_end(centry, "NSS/AN/%s", uname);
+
+ DEBUG(10,("wcache_save_alias_username: %s -> %s\n", alias, name ));
+
+ centry_free(centry);
+}
+
+/***************************************************************************
+ ***************************************************************************/
+
+NTSTATUS resolve_username_to_alias( TALLOC_CTX *mem_ctx,
+ struct winbindd_domain *domain,
+ const char *name, char **alias )
+{
+ struct winbind_cache *cache = get_cache(domain);
+ struct cache_entry *centry = NULL;
+ NTSTATUS status;
+ char *upper_name;
+
+ if ( domain->internal )
+ return NT_STATUS_NOT_SUPPORTED;
+
+ if (!cache->tdb)
+ goto do_query;
+
+ upper_name = talloc_strdup_upper(mem_ctx, name);
+ if (upper_name == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ centry = wcache_fetch(cache, domain, "NSS/NA/%s", upper_name);
+
+ talloc_free(upper_name);
+
+ if (!centry)
+ goto do_query;
+
+ status = centry->status;
+
+ if (!NT_STATUS_IS_OK(status)) {
+ centry_free(centry);
+ return status;
+ }
+
+ *alias = centry_string( centry, mem_ctx );
+
+ centry_free(centry);
+
+ DEBUG(10,("resolve_username_to_alias: [Cached] - mapped %s to %s\n",
+ name, *alias ? *alias : "(none)"));
+
+ return (*alias) ? NT_STATUS_OK : NT_STATUS_OBJECT_NAME_NOT_FOUND;
+
+do_query:
+
+ /* If its not in cache and we are offline, then fail */
+
+ if (is_domain_offline(domain)) {
+ DEBUG(8,("resolve_username_to_alias: rejecting query "
+ "in offline mode\n"));
+ return NT_STATUS_NOT_FOUND;
+ }
+
+ status = nss_map_to_alias( mem_ctx, domain->name, name, alias );
+
+ if ( NT_STATUS_IS_OK( status ) ) {
+ wcache_save_username_alias(domain, status, name, *alias);
+ }
+
+ if ( NT_STATUS_EQUAL( status, NT_STATUS_NONE_MAPPED ) ) {
+ wcache_save_username_alias(domain, status, name, "(NULL)");
+ }
+
+ DEBUG(5,("resolve_username_to_alias: backend query returned %s\n",
+ nt_errstr(status)));
+
+ if ( NT_STATUS_EQUAL(status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) ) {
+ set_domain_offline( domain );
+ }
+
+ return status;
+}
+
+/***************************************************************************
+ ***************************************************************************/
+
+NTSTATUS resolve_alias_to_username( TALLOC_CTX *mem_ctx,
+ struct winbindd_domain *domain,
+ const char *alias, char **name )
+{
+ struct winbind_cache *cache = get_cache(domain);
+ struct cache_entry *centry = NULL;
+ NTSTATUS status;
+ char *upper_name;
+
+ if ( domain->internal )
+ return NT_STATUS_NOT_SUPPORTED;
+
+ if (!cache->tdb)
+ goto do_query;
+
+ upper_name = talloc_strdup(mem_ctx, alias);
+ if (upper_name == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ if (!strupper_m(upper_name)) {
+ talloc_free(upper_name);
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ centry = wcache_fetch(cache, domain, "NSS/AN/%s", upper_name);
+
+ talloc_free(upper_name);
+
+ if (!centry)
+ goto do_query;
+
+ status = centry->status;
+
+ if (!NT_STATUS_IS_OK(status)) {
+ centry_free(centry);
+ return status;
+ }
+
+ *name = centry_string( centry, mem_ctx );
+
+ centry_free(centry);
+
+ DEBUG(10,("resolve_alias_to_username: [Cached] - mapped %s to %s\n",
+ alias, *name ? *name : "(none)"));
+
+ return (*name) ? NT_STATUS_OK : NT_STATUS_OBJECT_NAME_NOT_FOUND;
+
+do_query:
+
+ /* If its not in cache and we are offline, then fail */
+
+ if (is_domain_offline(domain)) {
+ DEBUG(8,("resolve_alias_to_username: rejecting query "
+ "in offline mode\n"));
+ return NT_STATUS_NOT_FOUND;
+ }
+
+ /* an alias cannot contain a domain prefix or '@' */
+
+ if (strchr(alias, '\\') || strchr(alias, '@')) {
+ DEBUG(10,("resolve_alias_to_username: skipping fully "
+ "qualified name %s\n", alias));
+ return NT_STATUS_OBJECT_NAME_INVALID;
+ }
+
+ status = nss_map_from_alias( mem_ctx, domain->name, alias, name );
+
+ if ( NT_STATUS_IS_OK( status ) ) {
+ wcache_save_alias_username( domain, status, alias, *name );
+ }
+
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)) {
+ wcache_save_alias_username(domain, status, alias, "(NULL)");
+ }
+
+ DEBUG(5,("resolve_alias_to_username: backend query returned %s\n",
+ nt_errstr(status)));
+
+ if ( NT_STATUS_EQUAL(status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) ) {
+ set_domain_offline( domain );
+ }
+
+ return status;
+}
+
+NTSTATUS wcache_cached_creds_exist(struct winbindd_domain *domain, const struct dom_sid *sid)
+{
+ struct winbind_cache *cache = get_cache(domain);
+ int ret;
+ struct dom_sid_buf tmp;
+ fstring key_str;
+ uint32_t rid;
+
+ if (!cache->tdb) {
+ return NT_STATUS_INTERNAL_DB_ERROR;
+ }
+
+ if (is_null_sid(sid)) {
+ return NT_STATUS_INVALID_SID;
+ }
+
+ if (!(sid_peek_rid(sid, &rid)) || (rid == 0)) {
+ return NT_STATUS_INVALID_SID;
+ }
+
+ fstr_sprintf(key_str, "CRED/%s", dom_sid_str_buf(sid, &tmp));
+
+ ret = tdb_exists(cache->tdb, string_tdb_data(key_str));
+ if (ret != 1) {
+ return NT_STATUS_OBJECT_NAME_NOT_FOUND;
+ }
+
+ return NT_STATUS_OK;
+}
+
+/* Lookup creds for a SID - copes with old (unsalted) creds as well
+ as new salted ones. */
+
+NTSTATUS wcache_get_creds(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ const struct dom_sid *sid,
+ const uint8_t **cached_nt_pass,
+ const uint8_t **cached_salt)
+{
+ struct winbind_cache *cache = get_cache(domain);
+ struct cache_entry *centry = NULL;
+ NTSTATUS status;
+ uint32_t rid;
+ struct dom_sid_buf sidstr;
+
+ if (!cache->tdb) {
+ return NT_STATUS_INTERNAL_DB_ERROR;
+ }
+
+ if (is_null_sid(sid)) {
+ return NT_STATUS_INVALID_SID;
+ }
+
+ if (!(sid_peek_rid(sid, &rid)) || (rid == 0)) {
+ return NT_STATUS_INVALID_SID;
+ }
+
+ /* Try and get a salted cred first. If we can't
+ fall back to an unsalted cred. */
+
+ centry = wcache_fetch(cache, domain, "CRED/%s",
+ dom_sid_str_buf(sid, &sidstr));
+ if (!centry) {
+ DEBUG(10,("wcache_get_creds: entry for [CRED/%s] not found\n",
+ dom_sid_str_buf(sid, &sidstr)));
+ return NT_STATUS_OBJECT_NAME_NOT_FOUND;
+ }
+
+ /*
+ * We don't use the time element at this moment,
+ * but we have to consume it, so that we don't
+ * neet to change the disk format of the cache.
+ */
+ (void)centry_time(centry);
+
+ /* In the salted case this isn't actually the nt_hash itself,
+ but the MD5 of the salt + nt_hash. Let the caller
+ sort this out. It can tell as we only return the cached_salt
+ if we are returning a salted cred. */
+
+ *cached_nt_pass = (const uint8_t *)centry_hash16(centry, mem_ctx);
+ if (*cached_nt_pass == NULL) {
+
+ dom_sid_str_buf(sid, &sidstr);
+
+ /* Bad (old) cred cache. Delete and pretend we
+ don't have it. */
+ DEBUG(0,("wcache_get_creds: bad entry for [CRED/%s] - deleting\n",
+ sidstr.buf));
+ wcache_delete("CRED/%s", sidstr.buf);
+ centry_free(centry);
+ return NT_STATUS_OBJECT_NAME_NOT_FOUND;
+ }
+
+ /* We only have 17 bytes more data in the salted cred case. */
+ if (centry->len - centry->ofs == 17) {
+ *cached_salt = (const uint8_t *)centry_hash16(centry, mem_ctx);
+ } else {
+ *cached_salt = NULL;
+ }
+
+ dump_data_pw("cached_nt_pass", *cached_nt_pass, NT_HASH_LEN);
+ if (*cached_salt) {
+ dump_data_pw("cached_salt", *cached_salt, NT_HASH_LEN);
+ }
+
+ status = centry->status;
+
+ DEBUG(10,("wcache_get_creds: [Cached] - cached creds for user %s status: %s\n",
+ dom_sid_str_buf(sid, &sidstr),
+ nt_errstr(status) ));
+
+ centry_free(centry);
+ return status;
+}
+
+/* Store creds for a SID - only writes out new salted ones. */
+
+NTSTATUS wcache_save_creds(struct winbindd_domain *domain,
+ const struct dom_sid *sid,
+ const uint8_t nt_pass[NT_HASH_LEN])
+{
+ struct cache_entry *centry;
+ struct dom_sid_buf sid_str;
+ uint32_t rid;
+ uint8_t cred_salt[NT_HASH_LEN];
+ uint8_t salted_hash[NT_HASH_LEN];
+ gnutls_hash_hd_t hash_hnd = NULL;
+ int rc;
+
+ if (is_null_sid(sid)) {
+ return NT_STATUS_INVALID_SID;
+ }
+
+ if (!(sid_peek_rid(sid, &rid)) || (rid == 0)) {
+ return NT_STATUS_INVALID_SID;
+ }
+
+ centry = centry_start(domain, NT_STATUS_OK);
+ if (!centry) {
+ return NT_STATUS_INTERNAL_DB_ERROR;
+ }
+
+ dump_data_pw("nt_pass", nt_pass, NT_HASH_LEN);
+
+ centry_put_time(centry, time(NULL));
+
+ /* Create a salt and then salt the hash. */
+ generate_random_buffer(cred_salt, NT_HASH_LEN);
+
+ rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
+ if (rc < 0) {
+ centry_free(centry);
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
+ }
+
+ rc = gnutls_hash(hash_hnd, cred_salt, 16);
+ if (rc < 0) {
+ gnutls_hash_deinit(hash_hnd, NULL);
+ centry_free(centry);
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
+ }
+ rc = gnutls_hash(hash_hnd, nt_pass, 16);
+ if (rc < 0) {
+ gnutls_hash_deinit(hash_hnd, NULL);
+ centry_free(centry);
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
+ }
+ gnutls_hash_deinit(hash_hnd, salted_hash);
+
+ centry_put_hash16(centry, salted_hash);
+ centry_put_hash16(centry, cred_salt);
+ centry_end(centry, "CRED/%s", dom_sid_str_buf(sid, &sid_str));
+
+ DEBUG(10,("wcache_save_creds: %s\n", sid_str.buf));
+
+ centry_free(centry);
+
+ return NT_STATUS_OK;
+}
+
+
+/* Query display info. This is the basic user list fn */
+NTSTATUS wb_cache_query_user_list(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ uint32_t **prids)
+{
+ struct winbind_cache *cache = get_cache(domain);
+ struct cache_entry *centry = NULL;
+ uint32_t num_rids = 0;
+ uint32_t *rids = NULL;
+ NTSTATUS status;
+ unsigned int i, retry;
+ bool old_status = domain->online;
+
+ *prids = NULL;
+
+ if (!cache->tdb)
+ goto do_query;
+
+ centry = wcache_fetch(cache, domain, "UL/%s", domain->name);
+ if (!centry)
+ goto do_query;
+
+do_fetch_cache:
+ num_rids = centry_uint32(centry);
+
+ if (num_rids == 0) {
+ goto do_cached;
+ }
+
+ rids = talloc_array(mem_ctx, uint32_t, num_rids);
+ if (rids == NULL) {
+ centry_free(centry);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ for (i=0; i<num_rids; i++) {
+ rids[i] = centry_uint32(centry);
+ }
+
+do_cached:
+ status = centry->status;
+
+ DEBUG(10,("query_user_list: [Cached] - cached list for domain %s status: %s\n",
+ domain->name, nt_errstr(status) ));
+
+ centry_free(centry);
+ return status;
+
+do_query:
+
+ /* Put the query_user_list() in a retry loop. There appears to be
+ * some bug either with Windows 2000 or Samba's handling of large
+ * rpc replies. This manifests itself as sudden disconnection
+ * at a random point in the enumeration of a large (60k) user list.
+ * The retry loop simply tries the operation again. )-: It's not
+ * pretty but an acceptable workaround until we work out what the
+ * real problem is. */
+
+ retry = 0;
+ do {
+
+ DEBUG(10,("query_user_list: [Cached] - doing backend query for list for domain %s\n",
+ domain->name ));
+
+ rids = NULL;
+ status = domain->backend->query_user_list(domain, mem_ctx,
+ &rids);
+ num_rids = talloc_array_length(rids);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(3, ("query_user_list: returned 0x%08x, "
+ "retrying\n", NT_STATUS_V(status)));
+ }
+ reset_cm_connection_on_error(domain, NULL, status);
+ if (NT_STATUS_EQUAL(status, NT_STATUS_UNSUCCESSFUL)) {
+ DEBUG(3, ("query_user_list: flushing "
+ "connection cache\n"));
+ invalidate_cm_connection(domain);
+ }
+ if (NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) ||
+ NT_STATUS_EQUAL(status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
+ if (!domain->internal && old_status) {
+ set_domain_offline(domain);
+ }
+ /* store partial response. */
+ if (num_rids > 0) {
+ /*
+ * humm, what about the status used for cache?
+ * Should it be NT_STATUS_OK?
+ */
+ break;
+ }
+ /*
+ * domain is offline now, and there is no user entries,
+ * try to fetch from cache again.
+ */
+ if (cache->tdb && !domain->online && !domain->internal && old_status) {
+ centry = wcache_fetch(cache, domain, "UL/%s", domain->name);
+ /* partial response... */
+ if (!centry) {
+ goto skip_save;
+ } else {
+ goto do_fetch_cache;
+ }
+ } else {
+ goto skip_save;
+ }
+ }
+
+ } while (NT_STATUS_V(status) == NT_STATUS_V(NT_STATUS_UNSUCCESSFUL) &&
+ (retry++ < 5));
+
+ /* and save it */
+ refresh_sequence_number(domain);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ centry = centry_start(domain, status);
+ if (!centry)
+ goto skip_save;
+ centry_put_uint32(centry, num_rids);
+ for (i=0; i<num_rids; i++) {
+ centry_put_uint32(centry, rids[i]);
+ }
+ centry_end(centry, "UL/%s", domain->name);
+ centry_free(centry);
+
+ *prids = rids;
+
+skip_save:
+ return status;
+}
+
+/* list all domain groups */
+NTSTATUS wb_cache_enum_dom_groups(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ uint32_t *num_entries,
+ struct wb_acct_info **info)
+{
+ struct winbind_cache *cache = get_cache(domain);
+ struct cache_entry *centry = NULL;
+ NTSTATUS status;
+ unsigned int i;
+ bool old_status;
+
+ old_status = domain->online;
+ if (!cache->tdb)
+ goto do_query;
+
+ centry = wcache_fetch(cache, domain, "GL/%s/domain", domain->name);
+ if (!centry)
+ goto do_query;
+
+do_fetch_cache:
+ *num_entries = centry_uint32(centry);
+
+ if (*num_entries == 0)
+ goto do_cached;
+
+ (*info) = talloc_array(mem_ctx, struct wb_acct_info, *num_entries);
+ if (! (*info)) {
+ smb_panic_fn("enum_dom_groups out of memory");
+ }
+ for (i=0; i<(*num_entries); i++) {
+ (*info)[i].acct_name = centry_string(centry, (*info));
+ (*info)[i].acct_desc = centry_string(centry, (*info));
+ (*info)[i].rid = centry_uint32(centry);
+ }
+
+do_cached:
+ status = centry->status;
+
+ DEBUG(10,("enum_dom_groups: [Cached] - cached list for domain %s status: %s\n",
+ domain->name, nt_errstr(status) ));
+
+ centry_free(centry);
+ return status;
+
+do_query:
+ *num_entries = 0;
+ *info = NULL;
+
+ DEBUG(10,("enum_dom_groups: [Cached] - doing backend query for list for domain %s\n",
+ domain->name ));
+
+ status = domain->backend->enum_dom_groups(domain, mem_ctx, num_entries, info);
+
+ if (NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) ||
+ NT_STATUS_EQUAL(status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
+ if (!domain->internal && old_status) {
+ set_domain_offline(domain);
+ }
+ if (cache->tdb &&
+ !domain->online &&
+ !domain->internal &&
+ old_status) {
+ centry = wcache_fetch(cache, domain, "GL/%s/domain", domain->name);
+ if (centry) {
+ goto do_fetch_cache;
+ }
+ }
+ }
+ /* and save it */
+ refresh_sequence_number(domain);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ centry = centry_start(domain, status);
+ if (!centry)
+ goto skip_save;
+ centry_put_uint32(centry, *num_entries);
+ for (i=0; i<(*num_entries); i++) {
+ centry_put_string(centry, (*info)[i].acct_name);
+ centry_put_string(centry, (*info)[i].acct_desc);
+ centry_put_uint32(centry, (*info)[i].rid);
+ }
+ centry_end(centry, "GL/%s/domain", domain->name);
+ centry_free(centry);
+
+skip_save:
+ return status;
+}
+
+/* list all domain groups */
+NTSTATUS wb_cache_enum_local_groups(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ uint32_t *num_entries,
+ struct wb_acct_info **info)
+{
+ struct winbind_cache *cache = get_cache(domain);
+ struct cache_entry *centry = NULL;
+ NTSTATUS status;
+ unsigned int i;
+ bool old_status;
+
+ old_status = domain->online;
+ if (!cache->tdb)
+ goto do_query;
+
+ centry = wcache_fetch(cache, domain, "GL/%s/local", domain->name);
+ if (!centry)
+ goto do_query;
+
+do_fetch_cache:
+ *num_entries = centry_uint32(centry);
+
+ if (*num_entries == 0)
+ goto do_cached;
+
+ (*info) = talloc_array(mem_ctx, struct wb_acct_info, *num_entries);
+ if (! (*info)) {
+ smb_panic_fn("enum_dom_groups out of memory");
+ }
+ for (i=0; i<(*num_entries); i++) {
+ (*info)[i].acct_name = centry_string(centry, (*info));
+ (*info)[i].acct_desc = centry_string(centry, (*info));
+ (*info)[i].rid = centry_uint32(centry);
+ }
+
+do_cached:
+
+ /* If we are returning cached data and the domain controller
+ is down then we don't know whether the data is up to date
+ or not. Return NT_STATUS_MORE_PROCESSING_REQUIRED to
+ indicate this. */
+
+ if (wcache_server_down(domain)) {
+ DEBUG(10, ("enum_local_groups: returning cached user list and server was down\n"));
+ status = NT_STATUS_MORE_PROCESSING_REQUIRED;
+ } else
+ status = centry->status;
+
+ DEBUG(10,("enum_local_groups: [Cached] - cached list for domain %s status: %s\n",
+ domain->name, nt_errstr(status) ));
+
+ centry_free(centry);
+ return status;
+
+do_query:
+ *num_entries = 0;
+ *info = NULL;
+
+ DEBUG(10,("enum_local_groups: [Cached] - doing backend query for list for domain %s\n",
+ domain->name ));
+
+ status = domain->backend->enum_local_groups(domain, mem_ctx, num_entries, info);
+
+ if (NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) ||
+ NT_STATUS_EQUAL(status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
+ if (!domain->internal && old_status) {
+ set_domain_offline(domain);
+ }
+ if (cache->tdb &&
+ !domain->internal &&
+ !domain->online &&
+ old_status) {
+ centry = wcache_fetch(cache, domain, "GL/%s/local", domain->name);
+ if (centry) {
+ goto do_fetch_cache;
+ }
+ }
+ }
+ /* and save it */
+ refresh_sequence_number(domain);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ centry = centry_start(domain, status);
+ if (!centry)
+ goto skip_save;
+ centry_put_uint32(centry, *num_entries);
+ for (i=0; i<(*num_entries); i++) {
+ centry_put_string(centry, (*info)[i].acct_name);
+ centry_put_string(centry, (*info)[i].acct_desc);
+ centry_put_uint32(centry, (*info)[i].rid);
+ }
+ centry_end(centry, "GL/%s/local", domain->name);
+ centry_free(centry);
+
+skip_save:
+ return status;
+}
+
+struct wcache_name_to_sid_state {
+ struct dom_sid *sid;
+ enum lsa_SidType *type;
+ bool offline;
+ bool found;
+};
+
+static void wcache_name_to_sid_fn(const struct dom_sid *sid,
+ enum lsa_SidType type,
+ bool expired,
+ void *private_data)
+{
+ struct wcache_name_to_sid_state *state = private_data;
+
+ *state->sid = *sid;
+ *state->type = type;
+ state->found = (!expired || state->offline);
+}
+
+static NTSTATUS wcache_name_to_sid(struct winbindd_domain *domain,
+ const char *domain_name,
+ const char *name,
+ struct dom_sid *sid,
+ enum lsa_SidType *type)
+{
+ struct wcache_name_to_sid_state state = {
+ .sid = sid, .type = type, .found = false,
+ .offline = is_domain_offline(domain),
+ };
+ bool ok;
+
+ ok = namemap_cache_find_name(domain_name, name, wcache_name_to_sid_fn,
+ &state);
+ if (!ok) {
+ DBG_DEBUG("namemap_cache_find_name failed\n");
+ return NT_STATUS_NOT_FOUND;
+ }
+ if (!state.found) {
+ DBG_DEBUG("cache entry not found\n");
+ return NT_STATUS_NOT_FOUND;
+ }
+ if (*type == SID_NAME_UNKNOWN) {
+ return NT_STATUS_NONE_MAPPED;
+ }
+
+ return NT_STATUS_OK;
+}
+
+/* convert a single name to a sid in a domain */
+NTSTATUS wb_cache_name_to_sid(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ const char *domain_name,
+ const char *name,
+ uint32_t flags,
+ struct dom_sid *sid,
+ enum lsa_SidType *type)
+{
+ NTSTATUS status;
+ bool old_status;
+ const char *dom_name;
+
+ old_status = domain->online;
+
+ status = wcache_name_to_sid(domain, domain_name, name, sid, type);
+ if (!NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
+ return status;
+ }
+
+ ZERO_STRUCTP(sid);
+
+ DEBUG(10,("name_to_sid: [Cached] - doing backend query for name for domain %s\n",
+ domain->name ));
+
+ winbindd_domain_init_backend(domain);
+ status = domain->backend->name_to_sid(domain, mem_ctx, domain_name,
+ name, flags, &dom_name, sid, type);
+
+ if (NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) ||
+ NT_STATUS_EQUAL(status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
+ if (!domain->internal && old_status) {
+ set_domain_offline(domain);
+ }
+ if (!domain->internal &&
+ !domain->online &&
+ old_status) {
+ NTSTATUS cache_status;
+ cache_status = wcache_name_to_sid(domain, domain_name, name, sid, type);
+ return cache_status;
+ }
+ }
+ /* and save it */
+
+ if (domain->online &&
+ (NT_STATUS_IS_OK(status) || NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED))) {
+ enum lsa_SidType save_type = *type;
+
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)) {
+ save_type = SID_NAME_UNKNOWN;
+ }
+
+ wcache_save_name_to_sid(domain, status, domain_name, name, sid,
+ save_type);
+
+ /* Only save the reverse mapping if this was not a UPN */
+ if (!strchr(name, '@')) {
+ if (!strupper_m(discard_const_p(char, domain_name))) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ (void)strlower_m(discard_const_p(char, name));
+ wcache_save_sid_to_name(domain, status, sid,
+ dom_name, name, save_type);
+ }
+ }
+
+ return status;
+}
+
+struct wcache_sid_to_name_state {
+ TALLOC_CTX *mem_ctx;
+ char **domain_name;
+ char **name;
+ enum lsa_SidType *type;
+ bool offline;
+ bool found;
+};
+
+static void wcache_sid_to_name_fn(const char *domain,
+ const char *name,
+ enum lsa_SidType type,
+ bool expired,
+ void *private_data)
+{
+ struct wcache_sid_to_name_state *state = private_data;
+
+ *state->domain_name = talloc_strdup(state->mem_ctx, domain);
+ if (*state->domain_name == NULL) {
+ return;
+ }
+ *state->name = talloc_strdup(state->mem_ctx, name);
+ if (*state->name == NULL) {
+ return;
+ }
+ *state->type = type;
+ state->found = (!expired || state->offline);
+}
+
+static NTSTATUS wcache_sid_to_name(struct winbindd_domain *domain,
+ const struct dom_sid *sid,
+ TALLOC_CTX *mem_ctx,
+ char **domain_name,
+ char **name,
+ enum lsa_SidType *type)
+{
+ struct wcache_sid_to_name_state state = {
+ .mem_ctx = mem_ctx, .found = false,
+ .domain_name = domain_name, .name = name, .type = type,
+ .offline = is_domain_offline(domain)
+ };
+ bool ok;
+
+ ok = namemap_cache_find_sid(sid, wcache_sid_to_name_fn, &state);
+ if (!ok) {
+ DBG_DEBUG("namemap_cache_find_name failed\n");
+ return NT_STATUS_NOT_FOUND;
+ }
+ if (!state.found) {
+ DBG_DEBUG("cache entry not found\n");
+ return NT_STATUS_NOT_FOUND;
+ }
+ if (*type == SID_NAME_UNKNOWN) {
+ return NT_STATUS_NONE_MAPPED;
+ }
+
+ return NT_STATUS_OK;
+}
+
+/* convert a sid to a user or group name. The sid is guaranteed to be in the domain
+ given */
+NTSTATUS wb_cache_sid_to_name(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ const struct dom_sid *sid,
+ char **domain_name,
+ char **name,
+ enum lsa_SidType *type)
+{
+ NTSTATUS status;
+ bool old_status;
+
+ old_status = domain->online;
+ status = wcache_sid_to_name(domain, sid, mem_ctx, domain_name, name,
+ type);
+ if (!NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
+ return status;
+ }
+
+ *name = NULL;
+ *domain_name = NULL;
+
+ DEBUG(10,("sid_to_name: [Cached] - doing backend query for name for domain %s\n",
+ domain->name ));
+
+ winbindd_domain_init_backend(domain);
+
+ status = domain->backend->sid_to_name(domain, mem_ctx, sid, domain_name, name, type);
+
+ if (NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) ||
+ NT_STATUS_EQUAL(status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
+ if (!domain->internal && old_status) {
+ set_domain_offline(domain);
+ }
+ if (!domain->internal &&
+ !domain->online &&
+ old_status) {
+ NTSTATUS cache_status;
+ cache_status = wcache_sid_to_name(domain, sid, mem_ctx,
+ domain_name, name, type);
+ return cache_status;
+ }
+ }
+ /* and save it */
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ wcache_save_sid_to_name(domain, status, sid, *domain_name, *name, *type);
+
+ /* We can't save the name to sid mapping here, as with sid history a
+ * later name2sid would give the wrong sid. */
+
+ return status;
+}
+
+NTSTATUS wb_cache_rids_to_names(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ const struct dom_sid *domain_sid,
+ uint32_t *rids,
+ size_t num_rids,
+ char **domain_name,
+ char ***names,
+ enum lsa_SidType **types)
+{
+ struct winbind_cache *cache = get_cache(domain);
+ size_t i;
+ NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
+ bool have_mapped;
+ bool have_unmapped;
+ bool old_status;
+
+ old_status = domain->online;
+ *domain_name = NULL;
+ *names = NULL;
+ *types = NULL;
+
+ if (!cache->tdb) {
+ goto do_query;
+ }
+
+ if (num_rids == 0) {
+ return NT_STATUS_OK;
+ }
+
+ *names = talloc_array(mem_ctx, char *, num_rids);
+ *types = talloc_array(mem_ctx, enum lsa_SidType, num_rids);
+
+ if ((*names == NULL) || (*types == NULL)) {
+ result = NT_STATUS_NO_MEMORY;
+ goto error;
+ }
+
+ have_mapped = have_unmapped = false;
+
+ for (i=0; i<num_rids; i++) {
+ struct dom_sid sid;
+ NTSTATUS status;
+ enum lsa_SidType type;
+ char *dom, *name;
+
+ if (!sid_compose(&sid, domain_sid, rids[i])) {
+ result = NT_STATUS_INTERNAL_ERROR;
+ goto error;
+ }
+
+ status = wcache_sid_to_name(domain, &sid, *names, &dom,
+ &name, &type);
+
+ (*types)[i] = SID_NAME_UNKNOWN;
+ (*names)[i] = talloc_strdup(*names, "");
+
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
+ /* not cached */
+ goto do_query;
+ }
+
+ if (NT_STATUS_IS_OK(status)) {
+ have_mapped = true;
+ (*types)[i] = type;
+
+ if (*domain_name == NULL) {
+ *domain_name = dom;
+ } else {
+ TALLOC_FREE(dom);
+ }
+
+ (*names)[i] = name;
+
+ } else if (NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)) {
+ have_unmapped = true;
+ } else {
+ /* something's definitely wrong */
+ result = status;
+ goto error;
+ }
+ }
+
+ if (!have_mapped) {
+ return NT_STATUS_NONE_MAPPED;
+ }
+ if (!have_unmapped) {
+ return NT_STATUS_OK;
+ }
+ return STATUS_SOME_UNMAPPED;
+
+ do_query:
+
+ TALLOC_FREE(*names);
+ TALLOC_FREE(*types);
+
+ result = domain->backend->rids_to_names(domain, mem_ctx, domain_sid,
+ rids, num_rids, domain_name,
+ names, types);
+
+ if (NT_STATUS_EQUAL(result, NT_STATUS_IO_TIMEOUT) ||
+ NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
+ if (!domain->internal && old_status) {
+ set_domain_offline(domain);
+ }
+ if (cache->tdb &&
+ !domain->internal &&
+ !domain->online &&
+ old_status) {
+ have_mapped = have_unmapped = false;
+
+ *names = talloc_array(mem_ctx, char *, num_rids);
+ if (*names == NULL) {
+ result = NT_STATUS_NO_MEMORY;
+ goto error;
+ }
+
+ *types = talloc_array(mem_ctx, enum lsa_SidType,
+ num_rids);
+ if (*types == NULL) {
+ result = NT_STATUS_NO_MEMORY;
+ goto error;
+ }
+
+ for (i=0; i<num_rids; i++) {
+ struct dom_sid sid;
+ NTSTATUS status;
+ enum lsa_SidType type;
+ char *dom, *name;
+
+ if (!sid_compose(&sid, domain_sid, rids[i])) {
+ result = NT_STATUS_INTERNAL_ERROR;
+ goto error;
+ }
+
+ status = wcache_sid_to_name(domain, &sid,
+ *names, &dom,
+ &name, &type);
+
+ (*types)[i] = SID_NAME_UNKNOWN;
+ (*names)[i] = talloc_strdup(*names, "");
+
+ if (NT_STATUS_IS_OK(status)) {
+ have_mapped = true;
+ (*types)[i] = type;
+
+ if (*domain_name == NULL) {
+ *domain_name = dom;
+ } else {
+ TALLOC_FREE(dom);
+ }
+
+ (*names)[i] = name;
+
+ } else if (NT_STATUS_EQUAL(
+ status,
+ NT_STATUS_NONE_MAPPED)) {
+ have_unmapped = true;
+ } else {
+ /* something's definitely wrong */
+ result = status;
+ goto error;
+ }
+ }
+
+ if (!have_mapped) {
+ return NT_STATUS_NONE_MAPPED;
+ }
+ if (!have_unmapped) {
+ return NT_STATUS_OK;
+ }
+ return STATUS_SOME_UNMAPPED;
+ }
+ }
+ /*
+ None of the queried rids has been found so save all negative entries
+ */
+ if (NT_STATUS_EQUAL(result, NT_STATUS_NONE_MAPPED)) {
+ for (i = 0; i < num_rids; i++) {
+ struct dom_sid sid;
+ const char *name = "";
+ const enum lsa_SidType type = SID_NAME_UNKNOWN;
+ NTSTATUS status = NT_STATUS_NONE_MAPPED;
+
+ if (!sid_compose(&sid, domain_sid, rids[i])) {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
+ wcache_save_sid_to_name(domain, status, &sid, *domain_name,
+ name, type);
+ }
+
+ return result;
+ }
+
+ /*
+ Some or all of the queried rids have been found.
+ */
+ if (!NT_STATUS_IS_OK(result) &&
+ !NT_STATUS_EQUAL(result, STATUS_SOME_UNMAPPED)) {
+ return result;
+ }
+
+ refresh_sequence_number(domain);
+
+ for (i=0; i<num_rids; i++) {
+ struct dom_sid sid;
+ NTSTATUS status;
+
+ if (!sid_compose(&sid, domain_sid, rids[i])) {
+ result = NT_STATUS_INTERNAL_ERROR;
+ goto error;
+ }
+
+ status = (*types)[i] == SID_NAME_UNKNOWN ?
+ NT_STATUS_NONE_MAPPED : NT_STATUS_OK;
+
+ wcache_save_sid_to_name(domain, status, &sid, *domain_name,
+ (*names)[i], (*types)[i]);
+ }
+
+ return result;
+
+ error:
+ TALLOC_FREE(*names);
+ TALLOC_FREE(*types);
+ return result;
+}
+
+static NTSTATUS wcache_query_user(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ const struct dom_sid *user_sid,
+ struct wbint_userinfo *info)
+{
+ struct winbind_cache *cache = get_cache(domain);
+ struct cache_entry *centry = NULL;
+ NTSTATUS status;
+ struct dom_sid_buf sid_string;
+
+ if (cache->tdb == NULL) {
+ return NT_STATUS_NOT_FOUND;
+ }
+
+ centry = wcache_fetch(
+ cache, domain, "U/%s", dom_sid_str_buf(user_sid, &sid_string));
+ if (centry == NULL) {
+ return NT_STATUS_NOT_FOUND;
+ }
+
+ /* if status is not ok then this is a negative hit
+ and the rest of the data doesn't matter */
+ status = centry->status;
+ if (NT_STATUS_IS_OK(status)) {
+ info->domain_name = centry_string(centry, mem_ctx);
+ info->acct_name = centry_string(centry, mem_ctx);
+ info->full_name = centry_string(centry, mem_ctx);
+ info->homedir = centry_string(centry, mem_ctx);
+ info->shell = centry_string(centry, mem_ctx);
+ info->uid = centry_uint32(centry);
+ info->primary_gid = centry_uint32(centry);
+ info->primary_group_name = centry_string(centry, mem_ctx);
+ centry_sid(centry, &info->user_sid);
+ centry_sid(centry, &info->group_sid);
+ }
+
+ DEBUG(10,("query_user: [Cached] - cached info for domain %s status: "
+ "%s\n", domain->name, nt_errstr(status) ));
+
+ centry_free(centry);
+ return status;
+}
+
+
+/**
+* @brief Query a fullname from the username cache (for further gecos processing)
+*
+* @param domain A pointer to the winbindd_domain struct.
+* @param mem_ctx The talloc context.
+* @param user_sid The user sid.
+* @param full_name A pointer to the full_name string.
+*
+* @return NTSTATUS code
+*/
+NTSTATUS wcache_query_user_fullname(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ const struct dom_sid *user_sid,
+ const char **full_name)
+{
+ NTSTATUS status;
+ struct wbint_userinfo info;
+
+ status = wcache_query_user(domain, mem_ctx, user_sid, &info);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ if (info.full_name != NULL) {
+ *full_name = talloc_strdup(mem_ctx, info.full_name);
+ if (*full_name == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
+
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS wcache_lookup_usergroups(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ const struct dom_sid *user_sid,
+ uint32_t *pnum_sids,
+ struct dom_sid **psids)
+{
+ struct winbind_cache *cache = get_cache(domain);
+ struct cache_entry *centry = NULL;
+ NTSTATUS status;
+ uint32_t i, num_sids;
+ struct dom_sid *sids;
+ struct dom_sid_buf sid_string;
+
+ if (cache->tdb == NULL) {
+ return NT_STATUS_NOT_FOUND;
+ }
+
+ centry = wcache_fetch(
+ cache,
+ domain,
+ "UG/%s",
+ dom_sid_str_buf(user_sid, &sid_string));
+ if (centry == NULL) {
+ return NT_STATUS_NOT_FOUND;
+ }
+
+ num_sids = centry_uint32(centry);
+ sids = talloc_array(mem_ctx, struct dom_sid, num_sids);
+ if (sids == NULL) {
+ centry_free(centry);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ for (i=0; i<num_sids; i++) {
+ centry_sid(centry, &sids[i]);
+ }
+
+ status = centry->status;
+
+ DEBUG(10,("lookup_usergroups: [Cached] - cached info for domain %s "
+ "status: %s\n", domain->name, nt_errstr(status)));
+
+ centry_free(centry);
+
+ *pnum_sids = num_sids;
+ *psids = sids;
+ return status;
+}
+
+/* Lookup groups a user is a member of. */
+NTSTATUS wb_cache_lookup_usergroups(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ const struct dom_sid *user_sid,
+ uint32_t *num_groups,
+ struct dom_sid **user_gids)
+{
+ struct cache_entry *centry = NULL;
+ NTSTATUS status;
+ unsigned int i;
+ struct dom_sid_buf sid_string;
+ bool old_status;
+
+ old_status = domain->online;
+ status = wcache_lookup_usergroups(domain, mem_ctx, user_sid,
+ num_groups, user_gids);
+ if (!NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
+ return status;
+ }
+
+ (*num_groups) = 0;
+ (*user_gids) = NULL;
+
+ DEBUG(10,("lookup_usergroups: [Cached] - doing backend query for info for domain %s\n",
+ domain->name ));
+
+ status = domain->backend->lookup_usergroups(domain, mem_ctx, user_sid, num_groups, user_gids);
+
+ if (NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) ||
+ NT_STATUS_EQUAL(status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
+ if (!domain->internal && old_status) {
+ set_domain_offline(domain);
+ }
+ if (!domain->internal &&
+ !domain->online &&
+ old_status) {
+ NTSTATUS cache_status;
+ cache_status = wcache_lookup_usergroups(domain, mem_ctx, user_sid,
+ num_groups, user_gids);
+ return cache_status;
+ }
+ }
+ if ( NT_STATUS_EQUAL(status, NT_STATUS_SYNCHRONIZATION_REQUIRED) )
+ goto skip_save;
+
+ /* and save it */
+ refresh_sequence_number(domain);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ centry = centry_start(domain, status);
+ if (!centry)
+ goto skip_save;
+
+ centry_put_uint32(centry, *num_groups);
+ for (i=0; i<(*num_groups); i++) {
+ centry_put_sid(centry, &(*user_gids)[i]);
+ }
+
+ centry_end(centry, "UG/%s", dom_sid_str_buf(user_sid, &sid_string));
+ centry_free(centry);
+
+skip_save:
+ return status;
+}
+
+static char *wcache_make_sidlist(TALLOC_CTX *mem_ctx, uint32_t num_sids,
+ const struct dom_sid *sids)
+{
+ uint32_t i;
+ char *sidlist;
+
+ sidlist = talloc_strdup(mem_ctx, "");
+ if (sidlist == NULL) {
+ return NULL;
+ }
+ for (i=0; i<num_sids; i++) {
+ struct dom_sid_buf tmp;
+ sidlist = talloc_asprintf_append_buffer(
+ sidlist,
+ "/%s",
+ dom_sid_str_buf(&sids[i], &tmp));
+ if (sidlist == NULL) {
+ return NULL;
+ }
+ }
+ return sidlist;
+}
+
+static NTSTATUS wcache_lookup_useraliases(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ uint32_t num_sids,
+ const struct dom_sid *sids,
+ uint32_t *pnum_aliases,
+ uint32_t **paliases)
+{
+ struct winbind_cache *cache = get_cache(domain);
+ struct cache_entry *centry = NULL;
+ uint32_t i, num_aliases;
+ uint32_t *aliases;
+ NTSTATUS status;
+ char *sidlist;
+
+ if (cache->tdb == NULL) {
+ return NT_STATUS_NOT_FOUND;
+ }
+
+ if (num_sids == 0) {
+ *pnum_aliases = 0;
+ *paliases = NULL;
+ return NT_STATUS_OK;
+ }
+
+ /* We need to cache indexed by the whole list of SIDs, the aliases
+ * resulting might come from any of the SIDs. */
+
+ sidlist = wcache_make_sidlist(talloc_tos(), num_sids, sids);
+ if (sidlist == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ centry = wcache_fetch(cache, domain, "UA%s", sidlist);
+ TALLOC_FREE(sidlist);
+ if (centry == NULL) {
+ return NT_STATUS_NOT_FOUND;
+ }
+
+ num_aliases = centry_uint32(centry);
+ aliases = talloc_array(mem_ctx, uint32_t, num_aliases);
+ if (aliases == NULL) {
+ centry_free(centry);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ for (i=0; i<num_aliases; i++) {
+ aliases[i] = centry_uint32(centry);
+ }
+
+ status = centry->status;
+
+ DEBUG(10,("lookup_useraliases: [Cached] - cached info for domain: %s "
+ "status %s\n", domain->name, nt_errstr(status)));
+
+ centry_free(centry);
+
+ *pnum_aliases = num_aliases;
+ *paliases = aliases;
+
+ return status;
+}
+
+NTSTATUS wb_cache_lookup_useraliases(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ uint32_t num_sids,
+ const struct dom_sid *sids,
+ uint32_t *num_aliases,
+ uint32_t **alias_rids)
+{
+ struct cache_entry *centry = NULL;
+ NTSTATUS status;
+ char *sidlist;
+ uint32_t i;
+ bool old_status;
+
+ old_status = domain->online;
+ status = wcache_lookup_useraliases(domain, mem_ctx, num_sids, sids,
+ num_aliases, alias_rids);
+ if (!NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
+ return status;
+ }
+
+ (*num_aliases) = 0;
+ (*alias_rids) = NULL;
+
+ DEBUG(10,("lookup_usergroups: [Cached] - doing backend query for info "
+ "for domain %s\n", domain->name ));
+
+ sidlist = wcache_make_sidlist(talloc_tos(), num_sids, sids);
+ if (sidlist == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ status = domain->backend->lookup_useraliases(domain, mem_ctx,
+ num_sids, sids,
+ num_aliases, alias_rids);
+
+ if (NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) ||
+ NT_STATUS_EQUAL(status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
+ if (!domain->internal && old_status) {
+ set_domain_offline(domain);
+ }
+ if (!domain->internal &&
+ !domain->online &&
+ old_status) {
+ NTSTATUS cache_status;
+ cache_status = wcache_lookup_useraliases(domain, mem_ctx, num_sids,
+ sids, num_aliases, alias_rids);
+ return cache_status;
+ }
+ }
+ /* and save it */
+ refresh_sequence_number(domain);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ centry = centry_start(domain, status);
+ if (!centry)
+ goto skip_save;
+ centry_put_uint32(centry, *num_aliases);
+ for (i=0; i<(*num_aliases); i++)
+ centry_put_uint32(centry, (*alias_rids)[i]);
+ centry_end(centry, "UA%s", sidlist);
+ centry_free(centry);
+
+ skip_save:
+ return status;
+}
+
+static NTSTATUS wcache_lookup_groupmem(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ const struct dom_sid *group_sid,
+ uint32_t *num_names,
+ struct dom_sid **sid_mem, char ***names,
+ uint32_t **name_types)
+{
+ struct winbind_cache *cache = get_cache(domain);
+ struct cache_entry *centry = NULL;
+ NTSTATUS status;
+ unsigned int i;
+ struct dom_sid_buf sid_string;
+
+ if (cache->tdb == NULL) {
+ return NT_STATUS_NOT_FOUND;
+ }
+
+ centry = wcache_fetch(
+ cache,
+ domain,
+ "GM/%s",
+ dom_sid_str_buf(group_sid, &sid_string));
+ if (centry == NULL) {
+ return NT_STATUS_NOT_FOUND;
+ }
+
+ *sid_mem = NULL;
+ *names = NULL;
+ *name_types = NULL;
+
+ *num_names = centry_uint32(centry);
+ if (*num_names == 0) {
+ centry_free(centry);
+ return NT_STATUS_OK;
+ }
+
+ *sid_mem = talloc_array(mem_ctx, struct dom_sid, *num_names);
+ *names = talloc_array(mem_ctx, char *, *num_names);
+ *name_types = talloc_array(mem_ctx, uint32_t, *num_names);
+
+ if ((*sid_mem == NULL) || (*names == NULL) || (*name_types == NULL)) {
+ TALLOC_FREE(*sid_mem);
+ TALLOC_FREE(*names);
+ TALLOC_FREE(*name_types);
+ centry_free(centry);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ for (i=0; i<(*num_names); i++) {
+ centry_sid(centry, &(*sid_mem)[i]);
+ (*names)[i] = centry_string(centry, mem_ctx);
+ (*name_types)[i] = centry_uint32(centry);
+ }
+
+ status = centry->status;
+
+ DEBUG(10,("lookup_groupmem: [Cached] - cached info for domain %s "
+ "status: %s\n", domain->name, nt_errstr(status)));
+
+ centry_free(centry);
+ return status;
+}
+
+NTSTATUS wb_cache_lookup_groupmem(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ const struct dom_sid *group_sid,
+ enum lsa_SidType type,
+ uint32_t *num_names,
+ struct dom_sid **sid_mem,
+ char ***names,
+ uint32_t **name_types)
+{
+ struct cache_entry *centry = NULL;
+ NTSTATUS status;
+ unsigned int i;
+ struct dom_sid_buf sid_string;
+ bool old_status;
+
+ old_status = domain->online;
+ status = wcache_lookup_groupmem(domain, mem_ctx, group_sid, num_names,
+ sid_mem, names, name_types);
+ if (!NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
+ return status;
+ }
+
+ (*num_names) = 0;
+ (*sid_mem) = NULL;
+ (*names) = NULL;
+ (*name_types) = NULL;
+
+ DEBUG(10,("lookup_groupmem: [Cached] - doing backend query for info for domain %s\n",
+ domain->name ));
+
+ status = domain->backend->lookup_groupmem(domain, mem_ctx, group_sid,
+ type, num_names,
+ sid_mem, names, name_types);
+
+ if (NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) ||
+ NT_STATUS_EQUAL(status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
+ if (!domain->internal && old_status) {
+ set_domain_offline(domain);
+ }
+ if (!domain->internal &&
+ !domain->online &&
+ old_status) {
+ NTSTATUS cache_status;
+ cache_status = wcache_lookup_groupmem(domain, mem_ctx, group_sid,
+ num_names, sid_mem, names,
+ name_types);
+ return cache_status;
+ }
+ }
+ /* and save it */
+ refresh_sequence_number(domain);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ centry = centry_start(domain, status);
+ if (!centry)
+ goto skip_save;
+ centry_put_uint32(centry, *num_names);
+ for (i=0; i<(*num_names); i++) {
+ centry_put_sid(centry, &(*sid_mem)[i]);
+ centry_put_string(centry, (*names)[i]);
+ centry_put_uint32(centry, (*name_types)[i]);
+ }
+ centry_end(centry,
+ "GM/%s",
+ dom_sid_str_buf(group_sid, &sid_string));
+ centry_free(centry);
+
+skip_save:
+ return status;
+}
+
+/* find the sequence number for a domain */
+NTSTATUS wb_cache_sequence_number(struct winbindd_domain *domain,
+ uint32_t *seq)
+{
+ refresh_sequence_number(domain);
+
+ *seq = domain->sequence_number;
+
+ return NT_STATUS_OK;
+}
+
+/* enumerate trusted domains
+ * (we need to have the list of trustdoms in the cache when we go offline) -
+ * Guenther */
+NTSTATUS wb_cache_trusted_domains(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ struct netr_DomainTrustList *trusts)
+{
+ NTSTATUS status;
+ struct winbind_cache *cache;
+ struct winbindd_tdc_domain *dom_list = NULL;
+ size_t num_domains = 0;
+ bool retval = false;
+ size_t i;
+ bool old_status;
+
+ old_status = domain->online;
+ trusts->count = 0;
+ trusts->array = NULL;
+
+ cache = get_cache(domain);
+ if (!cache || !cache->tdb) {
+ goto do_query;
+ }
+
+ if (domain->online) {
+ goto do_query;
+ }
+
+ retval = wcache_tdc_fetch_list(&dom_list, &num_domains);
+ if (!retval || !num_domains || !dom_list) {
+ TALLOC_FREE(dom_list);
+ goto do_query;
+ }
+
+do_fetch_cache:
+ trusts->array = talloc_zero_array(mem_ctx, struct netr_DomainTrust, num_domains);
+ if (!trusts->array) {
+ TALLOC_FREE(dom_list);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ for (i = 0; i < num_domains; i++) {
+ struct netr_DomainTrust *trust;
+ struct dom_sid *sid;
+ struct winbindd_domain *dom;
+
+ dom = find_domain_from_name_noinit(dom_list[i].domain_name);
+ if (dom && dom->internal) {
+ continue;
+ }
+
+ trust = &trusts->array[trusts->count];
+ trust->netbios_name = talloc_strdup(trusts->array, dom_list[i].domain_name);
+ trust->dns_name = talloc_strdup(trusts->array, dom_list[i].dns_name);
+ sid = talloc(trusts->array, struct dom_sid);
+ if (!trust->netbios_name || !trust->dns_name ||
+ !sid) {
+ TALLOC_FREE(dom_list);
+ TALLOC_FREE(trusts->array);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ trust->trust_flags = dom_list[i].trust_flags;
+ trust->trust_attributes = dom_list[i].trust_attribs;
+ trust->trust_type = dom_list[i].trust_type;
+ sid_copy(sid, &dom_list[i].sid);
+ trust->sid = sid;
+ trusts->count++;
+ }
+
+ TALLOC_FREE(dom_list);
+ return NT_STATUS_OK;
+
+do_query:
+ DEBUG(10,("trusted_domains: [Cached] - doing backend query for info for domain %s\n",
+ domain->name ));
+
+ status = domain->backend->trusted_domains(domain, mem_ctx, trusts);
+
+ if (NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) ||
+ NT_STATUS_EQUAL(status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
+ if (!domain->internal && old_status) {
+ set_domain_offline(domain);
+ }
+ if (!domain->internal &&
+ !domain->online &&
+ old_status) {
+ retval = wcache_tdc_fetch_list(&dom_list, &num_domains);
+ if (retval && num_domains && dom_list) {
+ TALLOC_FREE(trusts->array);
+ trusts->count = 0;
+ goto do_fetch_cache;
+ }
+ }
+ }
+ /* no trusts gives NT_STATUS_NO_MORE_ENTRIES resetting to NT_STATUS_OK
+ * so that the generic centry handling still applies correctly -
+ * Guenther*/
+
+ if (!NT_STATUS_IS_ERR(status)) {
+ status = NT_STATUS_OK;
+ }
+ return status;
+}
+
+/* get lockout policy */
+NTSTATUS wb_cache_lockout_policy(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ struct samr_DomInfo12 *policy)
+{
+ struct winbind_cache *cache = get_cache(domain);
+ struct cache_entry *centry = NULL;
+ NTSTATUS status;
+ bool old_status;
+
+ old_status = domain->online;
+ if (!cache->tdb)
+ goto do_query;
+
+ centry = wcache_fetch(cache, domain, "LOC_POL/%s", domain->name);
+
+ if (!centry)
+ goto do_query;
+
+do_fetch_cache:
+ policy->lockout_duration = centry_nttime(centry);
+ policy->lockout_window = centry_nttime(centry);
+ policy->lockout_threshold = centry_uint16(centry);
+
+ status = centry->status;
+
+ DEBUG(10,("lockout_policy: [Cached] - cached info for domain %s status: %s\n",
+ domain->name, nt_errstr(status) ));
+
+ centry_free(centry);
+ return status;
+
+do_query:
+ ZERO_STRUCTP(policy);
+
+ DEBUG(10,("lockout_policy: [Cached] - doing backend query for info for domain %s\n",
+ domain->name ));
+
+ status = domain->backend->lockout_policy(domain, mem_ctx, policy);
+
+ if (NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) ||
+ NT_STATUS_EQUAL(status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
+ if (!domain->internal && old_status) {
+ set_domain_offline(domain);
+ }
+ if (cache->tdb &&
+ !domain->internal &&
+ !domain->online &&
+ old_status) {
+ centry = wcache_fetch(cache, domain, "LOC_POL/%s", domain->name);
+ if (centry) {
+ goto do_fetch_cache;
+ }
+ }
+ }
+ /* and save it */
+ refresh_sequence_number(domain);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ wcache_save_lockout_policy(domain, status, policy);
+
+ return status;
+}
+
+/* get password policy */
+NTSTATUS wb_cache_password_policy(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ struct samr_DomInfo1 *policy)
+{
+ struct winbind_cache *cache = get_cache(domain);
+ struct cache_entry *centry = NULL;
+ NTSTATUS status;
+ bool old_status;
+
+ old_status = domain->online;
+ if (!cache->tdb)
+ goto do_query;
+
+ centry = wcache_fetch(cache, domain, "PWD_POL/%s", domain->name);
+
+ if (!centry)
+ goto do_query;
+
+do_fetch_cache:
+ policy->min_password_length = centry_uint16(centry);
+ policy->password_history_length = centry_uint16(centry);
+ policy->password_properties = centry_uint32(centry);
+ policy->max_password_age = centry_nttime(centry);
+ policy->min_password_age = centry_nttime(centry);
+
+ status = centry->status;
+
+ DEBUG(10,("lockout_policy: [Cached] - cached info for domain %s status: %s\n",
+ domain->name, nt_errstr(status) ));
+
+ centry_free(centry);
+ return status;
+
+do_query:
+ ZERO_STRUCTP(policy);
+
+ DEBUG(10,("password_policy: [Cached] - doing backend query for info for domain %s\n",
+ domain->name ));
+
+ status = domain->backend->password_policy(domain, mem_ctx, policy);
+
+ if (NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) ||
+ NT_STATUS_EQUAL(status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
+ if (!domain->internal && old_status) {
+ set_domain_offline(domain);
+ }
+ if (cache->tdb &&
+ !domain->internal &&
+ !domain->online &&
+ old_status) {
+ centry = wcache_fetch(cache, domain, "PWD_POL/%s", domain->name);
+ if (centry) {
+ goto do_fetch_cache;
+ }
+ }
+ }
+ /* and save it */
+ refresh_sequence_number(domain);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ wcache_save_password_policy(domain, status, policy);
+
+ return status;
+}
+
+
+/* Invalidate cached user and group lists coherently */
+
+static int traverse_fn(TDB_CONTEXT *the_tdb, TDB_DATA kbuf, TDB_DATA dbuf,
+ void *state)
+{
+ if (strncmp((const char *)kbuf.dptr, "UL/", 3) == 0 ||
+ strncmp((const char *)kbuf.dptr, "GL/", 3) == 0)
+ tdb_delete(the_tdb, kbuf);
+
+ return 0;
+}
+
+/* Invalidate the getpwnam and getgroups entries for a winbindd domain */
+
+void wcache_invalidate_samlogon(struct winbindd_domain *domain,
+ const struct dom_sid *sid)
+{
+ fstring key_str;
+ struct dom_sid_buf sid_string;
+ struct winbind_cache *cache;
+
+ /* don't clear cached U/SID and UG/SID entries when we want to logon
+ * offline - gd */
+
+ if (lp_winbind_offline_logon()) {
+ return;
+ }
+
+ if (!domain)
+ return;
+
+ cache = get_cache(domain);
+
+ if (!cache->tdb) {
+ return;
+ }
+
+ /* Clear U/SID cache entry */
+ fstr_sprintf(key_str, "U/%s", dom_sid_str_buf(sid, &sid_string));
+ DEBUG(10, ("wcache_invalidate_samlogon: clearing %s\n", key_str));
+ tdb_delete(cache->tdb, string_tdb_data(key_str));
+
+ /* Clear UG/SID cache entry */
+ fstr_sprintf(key_str, "UG/%s", dom_sid_str_buf(sid, &sid_string));
+ DEBUG(10, ("wcache_invalidate_samlogon: clearing %s\n", key_str));
+ tdb_delete(cache->tdb, string_tdb_data(key_str));
+
+ /* Samba/winbindd never needs this. */
+ netsamlogon_clear_cached_user(sid);
+}
+
+bool wcache_invalidate_cache(void)
+{
+ struct winbindd_domain *domain;
+
+ for (domain = domain_list(); domain; domain = domain->next) {
+ struct winbind_cache *cache = get_cache(domain);
+
+ DEBUG(10, ("wcache_invalidate_cache: invalidating cache "
+ "entries for %s\n", domain->name));
+ if (cache) {
+ if (cache->tdb) {
+ tdb_traverse(cache->tdb, traverse_fn, NULL);
+ } else {
+ return false;
+ }
+ }
+ }
+ return true;
+}
+
+bool wcache_invalidate_cache_noinit(void)
+{
+ struct winbindd_domain *domain;
+
+ for (domain = domain_list(); domain; domain = domain->next) {
+ struct winbind_cache *cache;
+
+ /* Skip uninitialized domains. */
+ if (!domain->initialized && !domain->internal) {
+ continue;
+ }
+
+ cache = get_cache(domain);
+
+ DEBUG(10, ("wcache_invalidate_cache: invalidating cache "
+ "entries for %s\n", domain->name));
+ if (cache) {
+ if (cache->tdb) {
+ tdb_traverse(cache->tdb, traverse_fn, NULL);
+ /*
+ * Flushing cache has nothing to with domains.
+ * return here if we successfully flushed once.
+ * To avoid unnecessary traversing the cache.
+ */
+ return true;
+ } else {
+ return false;
+ }
+ }
+ }
+ return true;
+}
+
+static bool init_wcache(void)
+{
+ char *db_path;
+
+ if (wcache == NULL) {
+ wcache = SMB_XMALLOC_P(struct winbind_cache);
+ ZERO_STRUCTP(wcache);
+ }
+
+ if (wcache->tdb != NULL)
+ return true;
+
+ db_path = wcache_path();
+ if (db_path == NULL) {
+ return false;
+ }
+
+ /* when working offline we must not clear the cache on restart */
+ wcache->tdb = tdb_open_log(db_path,
+ WINBINDD_CACHE_TDB_DEFAULT_HASH_SIZE,
+ TDB_INCOMPATIBLE_HASH |
+ (lp_winbind_offline_logon() ? TDB_DEFAULT : (TDB_DEFAULT | TDB_CLEAR_IF_FIRST)),
+ O_RDWR|O_CREAT, 0600);
+ TALLOC_FREE(db_path);
+ if (wcache->tdb == NULL) {
+ DEBUG(0,("Failed to open winbindd_cache.tdb!\n"));
+ return false;
+ }
+
+ return true;
+}
+
+/************************************************************************
+ This is called by the parent to initialize the cache file.
+ We don't need sophisticated locking here as we know we're the
+ only opener.
+************************************************************************/
+
+bool initialize_winbindd_cache(void)
+{
+ bool cache_bad = false;
+ uint32_t vers = 0;
+ bool ok;
+
+ if (!init_wcache()) {
+ DEBUG(0,("initialize_winbindd_cache: init_wcache failed.\n"));
+ return false;
+ }
+
+ /* Check version number. */
+ ok = tdb_fetch_uint32(wcache->tdb, WINBINDD_CACHE_VERSION_KEYSTR, &vers);
+ if (!ok) {
+ DBG_DEBUG("Failed to get cache version\n");
+ cache_bad = true;
+ }
+ if (vers != WINBINDD_CACHE_VERSION) {
+ DBG_DEBUG("Invalid cache version %u != %u\n",
+ vers,
+ WINBINDD_CACHE_VERSION);
+ cache_bad = true;
+ }
+
+ if (cache_bad) {
+ char *db_path;
+
+ DEBUG(0,("initialize_winbindd_cache: clearing cache "
+ "and re-creating with version number %d\n",
+ WINBINDD_CACHE_VERSION ));
+
+ tdb_close(wcache->tdb);
+ wcache->tdb = NULL;
+
+ db_path = wcache_path();
+ if (db_path == NULL) {
+ return false;
+ }
+
+ if (unlink(db_path) == -1) {
+ DEBUG(0,("initialize_winbindd_cache: unlink %s failed %s ",
+ db_path,
+ strerror(errno) ));
+ TALLOC_FREE(db_path);
+ return false;
+ }
+ TALLOC_FREE(db_path);
+ if (!init_wcache()) {
+ DEBUG(0,("initialize_winbindd_cache: re-initialization "
+ "init_wcache failed.\n"));
+ return false;
+ }
+
+ /* Write the version. */
+ if (!tdb_store_uint32(wcache->tdb, WINBINDD_CACHE_VERSION_KEYSTR, WINBINDD_CACHE_VERSION)) {
+ DEBUG(0,("initialize_winbindd_cache: version number store failed %s\n",
+ tdb_errorstr(wcache->tdb) ));
+ return false;
+ }
+ }
+
+ tdb_close(wcache->tdb);
+ wcache->tdb = NULL;
+ return true;
+}
+
+void close_winbindd_cache(void)
+{
+ if (!wcache) {
+ return;
+ }
+ if (wcache->tdb) {
+ tdb_close(wcache->tdb);
+ wcache->tdb = NULL;
+ }
+}
+
+bool lookup_cached_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid,
+ char **domain_name, char **name,
+ enum lsa_SidType *type)
+{
+ struct winbindd_domain *domain;
+ NTSTATUS status;
+
+ domain = find_lookup_domain_from_sid(sid);
+ if (domain == NULL) {
+ return false;
+ }
+ status = wcache_sid_to_name(domain, sid, mem_ctx, domain_name, name,
+ type);
+ return NT_STATUS_IS_OK(status);
+}
+
+bool lookup_cached_name(const char *namespace,
+ const char *domain_name,
+ const char *name,
+ struct dom_sid *sid,
+ enum lsa_SidType *type)
+{
+ struct winbindd_domain *domain;
+ NTSTATUS status;
+ bool original_online_state;
+
+ domain = find_lookup_domain_from_name(namespace);
+ if (domain == NULL) {
+ return false;
+ }
+
+ /* If we are doing a cached logon, temporarily set the domain
+ offline so the cache won't expire the entry */
+
+ original_online_state = domain->online;
+ domain->online = false;
+ status = wcache_name_to_sid(domain, domain_name, name, sid, type);
+ domain->online = original_online_state;
+
+ return NT_STATUS_IS_OK(status);
+}
+
+/*
+ * Cache a name to sid without checking the sequence number.
+ * Used when caching from a trusted PAC.
+ */
+
+void cache_name2sid_trusted(struct winbindd_domain *domain,
+ const char *domain_name,
+ const char *name,
+ enum lsa_SidType type,
+ const struct dom_sid *sid)
+{
+ /*
+ * Ensure we store the mapping with the
+ * existing sequence number from the cache.
+ */
+ get_cache(domain);
+ (void)fetch_cache_seqnum(domain, time(NULL));
+ wcache_save_name_to_sid(domain,
+ NT_STATUS_OK,
+ domain_name,
+ name,
+ sid,
+ type);
+}
+
+void cache_name2sid(struct winbindd_domain *domain,
+ const char *domain_name, const char *name,
+ enum lsa_SidType type, const struct dom_sid *sid)
+{
+ refresh_sequence_number(domain);
+ wcache_save_name_to_sid(domain, NT_STATUS_OK, domain_name, name,
+ sid, type);
+}
+
+/*
+ * The original idea that this cache only contains centries has
+ * been blurred - now other stuff gets put in here. Ensure we
+ * ignore these things on cleanup.
+ */
+
+static int traverse_fn_cleanup(TDB_CONTEXT *the_tdb, TDB_DATA kbuf,
+ TDB_DATA dbuf, void *state)
+{
+ struct cache_entry *centry;
+
+ if (is_non_centry_key(kbuf)) {
+ return 0;
+ }
+
+ centry = wcache_fetch_raw((char *)kbuf.dptr);
+ if (!centry) {
+ return 0;
+ }
+
+ if (!NT_STATUS_IS_OK(centry->status)) {
+ DEBUG(10,("deleting centry %s\n", (const char *)kbuf.dptr));
+ tdb_delete(the_tdb, kbuf);
+ }
+
+ centry_free(centry);
+ return 0;
+}
+
+/* flush the cache */
+static void wcache_flush_cache(void)
+{
+ char *db_path;
+
+ if (!wcache)
+ return;
+ if (wcache->tdb) {
+ tdb_close(wcache->tdb);
+ wcache->tdb = NULL;
+ }
+ if (!winbindd_use_cache()) {
+ return;
+ }
+
+ db_path = wcache_path();
+ if (db_path == NULL) {
+ return;
+ }
+
+ /* when working offline we must not clear the cache on restart */
+ wcache->tdb = tdb_open_log(db_path,
+ WINBINDD_CACHE_TDB_DEFAULT_HASH_SIZE,
+ TDB_INCOMPATIBLE_HASH |
+ (lp_winbind_offline_logon() ? TDB_DEFAULT : (TDB_DEFAULT | TDB_CLEAR_IF_FIRST)),
+ O_RDWR|O_CREAT, 0600);
+ TALLOC_FREE(db_path);
+ if (!wcache->tdb) {
+ DEBUG(0,("Failed to open winbindd_cache.tdb!\n"));
+ return;
+ }
+
+ tdb_traverse(wcache->tdb, traverse_fn_cleanup, NULL);
+
+ DEBUG(10,("wcache_flush_cache success\n"));
+}
+
+/* Count cached creds */
+
+static int traverse_fn_cached_creds(TDB_CONTEXT *the_tdb, TDB_DATA kbuf, TDB_DATA dbuf,
+ void *state)
+{
+ int *cred_count = (int*)state;
+
+ if (strncmp((const char *)kbuf.dptr, "CRED/", 5) == 0) {
+ (*cred_count)++;
+ }
+ return 0;
+}
+
+NTSTATUS wcache_count_cached_creds(struct winbindd_domain *domain, int *count)
+{
+ struct winbind_cache *cache = get_cache(domain);
+
+ *count = 0;
+
+ if (!cache->tdb) {
+ return NT_STATUS_INTERNAL_DB_ERROR;
+ }
+
+ tdb_traverse(cache->tdb, traverse_fn_cached_creds, (void *)count);
+
+ return NT_STATUS_OK;
+}
+
+struct cred_list {
+ struct cred_list *prev, *next;
+ TDB_DATA key;
+ fstring name;
+ time_t created;
+};
+static struct cred_list *wcache_cred_list;
+
+static int traverse_fn_get_credlist(TDB_CONTEXT *the_tdb, TDB_DATA kbuf, TDB_DATA dbuf,
+ void *state)
+{
+ struct cred_list *cred;
+
+ if (strncmp((const char *)kbuf.dptr, "CRED/", 5) == 0) {
+
+ cred = SMB_MALLOC_P(struct cred_list);
+ if (cred == NULL) {
+ DEBUG(0,("traverse_fn_remove_first_creds: failed to malloc new entry for list\n"));
+ return -1;
+ }
+
+ ZERO_STRUCTP(cred);
+
+ /* save a copy of the key */
+
+ fstrcpy(cred->name, (const char *)kbuf.dptr);
+ DLIST_ADD(wcache_cred_list, cred);
+ }
+
+ return 0;
+}
+
+NTSTATUS wcache_remove_oldest_cached_creds(struct winbindd_domain *domain, const struct dom_sid *sid)
+{
+ struct winbind_cache *cache = get_cache(domain);
+ NTSTATUS status;
+ int ret;
+ struct cred_list *cred, *next, *oldest = NULL;
+
+ if (!cache->tdb) {
+ return NT_STATUS_INTERNAL_DB_ERROR;
+ }
+
+ /* we possibly already have an entry */
+ if (sid && NT_STATUS_IS_OK(wcache_cached_creds_exist(domain, sid))) {
+
+ fstring key_str;
+ struct dom_sid_buf tmp;
+
+ DEBUG(11,("we already have an entry, deleting that\n"));
+
+ fstr_sprintf(key_str, "CRED/%s", dom_sid_str_buf(sid, &tmp));
+
+ tdb_delete(cache->tdb, string_tdb_data(key_str));
+
+ return NT_STATUS_OK;
+ }
+
+ ret = tdb_traverse(cache->tdb, traverse_fn_get_credlist, NULL);
+ if (ret == 0) {
+ return NT_STATUS_OK;
+ } else if ((ret < 0) || (wcache_cred_list == NULL)) {
+ return NT_STATUS_OBJECT_NAME_NOT_FOUND;
+ }
+
+ ZERO_STRUCTP(oldest);
+
+ for (cred = wcache_cred_list; cred; cred = cred->next) {
+
+ TDB_DATA data;
+ time_t t;
+
+ data = tdb_fetch(cache->tdb, string_tdb_data(cred->name));
+ if (!data.dptr) {
+ DEBUG(10,("wcache_remove_oldest_cached_creds: entry for [%s] not found\n",
+ cred->name));
+ status = NT_STATUS_OBJECT_NAME_NOT_FOUND;
+ goto done;
+ }
+
+ t = IVAL(data.dptr, 0);
+ SAFE_FREE(data.dptr);
+
+ if (!oldest) {
+ oldest = SMB_MALLOC_P(struct cred_list);
+ if (oldest == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
+
+ fstrcpy(oldest->name, cred->name);
+ oldest->created = t;
+ continue;
+ }
+
+ if (t < oldest->created) {
+ fstrcpy(oldest->name, cred->name);
+ oldest->created = t;
+ }
+ }
+
+ if (tdb_delete(cache->tdb, string_tdb_data(oldest->name)) == 0) {
+ status = NT_STATUS_OK;
+ } else {
+ status = NT_STATUS_UNSUCCESSFUL;
+ }
+done:
+ for (cred = wcache_cred_list; cred; cred = next) {
+ next = cred->next;
+ DLIST_REMOVE(wcache_cred_list, cred);
+ SAFE_FREE(cred);
+ }
+ SAFE_FREE(oldest);
+
+ return status;
+}
+
+/* Change the global online/offline state. */
+bool set_global_winbindd_state_offline(void)
+{
+ bool ok;
+ uint8_t buf[4] = {0};
+ TDB_DATA data = {
+ .dptr = buf,
+ .dsize = sizeof(buf)
+ };
+ int rc;
+
+ DBG_ERR("Offline requested\n");
+
+ if (wcache == NULL || wcache->tdb == NULL) {
+ DBG_ERR("Winbind cache doesn't exist yet\n");
+ return false;
+ }
+
+ if (!lp_winbind_offline_logon()) {
+ DBG_DEBUG("Rejecting request to set winbind offline, "
+ "offline logons are disabled in smb.conf\n");
+ return false;
+ }
+
+ ok = get_global_winbindd_state_offline();
+ if (ok) {
+ return true;
+ }
+
+ PUSH_LE_U32(buf, 0, time(NULL));
+
+ rc = tdb_store_bystring(wcache->tdb,
+ "WINBINDD_OFFLINE",
+ data,
+ TDB_INSERT);
+ if (rc != 0) {
+ return false;
+ }
+
+ return true;
+
+}
+
+void set_global_winbindd_state_online(void)
+{
+ DEBUG(10,("set_global_winbindd_state_online: online requested.\n"));
+
+ if (!lp_winbind_offline_logon()) {
+ DBG_DEBUG("Rejecting request to set winbind online, "
+ "offline logons are disabled in smb.conf.\n");
+ return;
+ }
+
+ if (!wcache->tdb) {
+ return;
+ }
+
+ /* Ensure there is no key "WINBINDD_OFFLINE" in the cache tdb. */
+ tdb_delete_bystring(wcache->tdb, "WINBINDD_OFFLINE");
+}
+
+bool get_global_winbindd_state_offline(void)
+{
+ TDB_DATA data;
+
+ data = tdb_fetch_bystring(wcache->tdb, "WINBINDD_OFFLINE");
+ if (data.dptr == NULL || data.dsize != 4) {
+ DBG_DEBUG("Offline state not set.\n");
+ SAFE_FREE(data.dptr);
+ return false;
+ }
+
+ return true;
+}
+
+/***********************************************************************
+ Validate functions for all possible cache tdb keys.
+***********************************************************************/
+
+static struct cache_entry *create_centry_validate(const char *kstr, TDB_DATA data,
+ struct tdb_validation_status *state)
+{
+ struct cache_entry *centry;
+
+ centry = SMB_XMALLOC_P(struct cache_entry);
+ centry->data = (unsigned char *)smb_memdup(data.dptr, data.dsize);
+ if (!centry->data) {
+ SAFE_FREE(centry);
+ return NULL;
+ }
+ centry->len = data.dsize;
+ centry->ofs = 0;
+
+ if (centry->len < 16) {
+ /* huh? corrupt cache? */
+ DEBUG(0,("create_centry_validate: Corrupt cache for key %s "
+ "(len < 16) ?\n", kstr));
+ centry_free(centry);
+ state->bad_entry = true;
+ state->success = false;
+ return NULL;
+ }
+
+ centry->status = NT_STATUS(centry_uint32(centry));
+ centry->sequence_number = centry_uint32(centry);
+ centry->timeout = centry_uint64_t(centry);
+ return centry;
+}
+
+static int validate_seqnum(TALLOC_CTX *mem_ctx, const char *keystr, TDB_DATA dbuf,
+ struct tdb_validation_status *state)
+{
+ if (dbuf.dsize != 8) {
+ DEBUG(0,("validate_seqnum: Corrupt cache for key %s (len %u != 8) ?\n",
+ keystr, (unsigned int)dbuf.dsize ));
+ state->bad_entry = true;
+ return 1;
+ }
+ return 0;
+}
+
+static int validate_u(TALLOC_CTX *mem_ctx, const char *keystr, TDB_DATA dbuf,
+ struct tdb_validation_status *state)
+{
+ struct cache_entry *centry = create_centry_validate(keystr, dbuf, state);
+ struct dom_sid sid;
+
+ if (!centry) {
+ return 1;
+ }
+
+ (void)centry_string(centry, mem_ctx);
+ (void)centry_string(centry, mem_ctx);
+ (void)centry_string(centry, mem_ctx);
+ (void)centry_string(centry, mem_ctx);
+ (void)centry_string(centry, mem_ctx);
+ (void)centry_uint32(centry);
+ (void)centry_uint32(centry);
+ (void)centry_string(centry, mem_ctx);
+ (void)centry_sid(centry, &sid);
+ (void)centry_sid(centry, &sid);
+
+ centry_free(centry);
+
+ if (!(state->success)) {
+ return 1;
+ }
+ DEBUG(10,("validate_u: %s ok\n", keystr));
+ return 0;
+}
+
+static int validate_loc_pol(TALLOC_CTX *mem_ctx, const char *keystr, TDB_DATA dbuf,
+ struct tdb_validation_status *state)
+{
+ struct cache_entry *centry = create_centry_validate(keystr, dbuf, state);
+
+ if (!centry) {
+ return 1;
+ }
+
+ (void)centry_nttime(centry);
+ (void)centry_nttime(centry);
+ (void)centry_uint16(centry);
+
+ centry_free(centry);
+
+ if (!(state->success)) {
+ return 1;
+ }
+ DEBUG(10,("validate_loc_pol: %s ok\n", keystr));
+ return 0;
+}
+
+static int validate_pwd_pol(TALLOC_CTX *mem_ctx, const char *keystr, TDB_DATA dbuf,
+ struct tdb_validation_status *state)
+{
+ struct cache_entry *centry = create_centry_validate(keystr, dbuf, state);
+
+ if (!centry) {
+ return 1;
+ }
+
+ (void)centry_uint16(centry);
+ (void)centry_uint16(centry);
+ (void)centry_uint32(centry);
+ (void)centry_nttime(centry);
+ (void)centry_nttime(centry);
+
+ centry_free(centry);
+
+ if (!(state->success)) {
+ return 1;
+ }
+ DEBUG(10,("validate_pwd_pol: %s ok\n", keystr));
+ return 0;
+}
+
+static int validate_cred(TALLOC_CTX *mem_ctx, const char *keystr, TDB_DATA dbuf,
+ struct tdb_validation_status *state)
+{
+ struct cache_entry *centry = create_centry_validate(keystr, dbuf, state);
+
+ if (!centry) {
+ return 1;
+ }
+
+ (void)centry_time(centry);
+ (void)centry_hash16(centry, mem_ctx);
+
+ /* We only have 17 bytes more data in the salted cred case. */
+ if (centry->len - centry->ofs == 17) {
+ (void)centry_hash16(centry, mem_ctx);
+ }
+
+ centry_free(centry);
+
+ if (!(state->success)) {
+ return 1;
+ }
+ DEBUG(10,("validate_cred: %s ok\n", keystr));
+ return 0;
+}
+
+static int validate_ul(TALLOC_CTX *mem_ctx, const char *keystr, TDB_DATA dbuf,
+ struct tdb_validation_status *state)
+{
+ struct cache_entry *centry = create_centry_validate(keystr, dbuf, state);
+ int32_t num_entries, i;
+
+ if (!centry) {
+ return 1;
+ }
+
+ num_entries = (int32_t)centry_uint32(centry);
+
+ for (i=0; i< num_entries; i++) {
+ (void)centry_uint32(centry);
+ }
+
+ centry_free(centry);
+
+ if (!(state->success)) {
+ return 1;
+ }
+ DEBUG(10,("validate_ul: %s ok\n", keystr));
+ return 0;
+}
+
+static int validate_gl(TALLOC_CTX *mem_ctx, const char *keystr, TDB_DATA dbuf,
+ struct tdb_validation_status *state)
+{
+ struct cache_entry *centry = create_centry_validate(keystr, dbuf, state);
+ int32_t num_entries, i;
+
+ if (!centry) {
+ return 1;
+ }
+
+ num_entries = centry_uint32(centry);
+
+ for (i=0; i< num_entries; i++) {
+ (void)centry_string(centry, mem_ctx);
+ (void)centry_string(centry, mem_ctx);
+ (void)centry_uint32(centry);
+ }
+
+ centry_free(centry);
+
+ if (!(state->success)) {
+ return 1;
+ }
+ DEBUG(10,("validate_gl: %s ok\n", keystr));
+ return 0;
+}
+
+static int validate_ug(TALLOC_CTX *mem_ctx, const char *keystr, TDB_DATA dbuf,
+ struct tdb_validation_status *state)
+{
+ struct cache_entry *centry = create_centry_validate(keystr, dbuf, state);
+ int32_t num_groups, i;
+
+ if (!centry) {
+ return 1;
+ }
+
+ num_groups = centry_uint32(centry);
+
+ for (i=0; i< num_groups; i++) {
+ struct dom_sid sid;
+ centry_sid(centry, &sid);
+ }
+
+ centry_free(centry);
+
+ if (!(state->success)) {
+ return 1;
+ }
+ DEBUG(10,("validate_ug: %s ok\n", keystr));
+ return 0;
+}
+
+static int validate_ua(TALLOC_CTX *mem_ctx, const char *keystr, TDB_DATA dbuf,
+ struct tdb_validation_status *state)
+{
+ struct cache_entry *centry = create_centry_validate(keystr, dbuf, state);
+ int32_t num_aliases, i;
+
+ if (!centry) {
+ return 1;
+ }
+
+ num_aliases = centry_uint32(centry);
+
+ for (i=0; i < num_aliases; i++) {
+ (void)centry_uint32(centry);
+ }
+
+ centry_free(centry);
+
+ if (!(state->success)) {
+ return 1;
+ }
+ DEBUG(10,("validate_ua: %s ok\n", keystr));
+ return 0;
+}
+
+static int validate_gm(TALLOC_CTX *mem_ctx, const char *keystr, TDB_DATA dbuf,
+ struct tdb_validation_status *state)
+{
+ struct cache_entry *centry = create_centry_validate(keystr, dbuf, state);
+ int32_t num_names, i;
+
+ if (!centry) {
+ return 1;
+ }
+
+ num_names = centry_uint32(centry);
+
+ for (i=0; i< num_names; i++) {
+ struct dom_sid sid;
+ centry_sid(centry, &sid);
+ (void)centry_string(centry, mem_ctx);
+ (void)centry_uint32(centry);
+ }
+
+ centry_free(centry);
+
+ if (!(state->success)) {
+ return 1;
+ }
+ DEBUG(10,("validate_gm: %s ok\n", keystr));
+ return 0;
+}
+
+static int validate_dr(TALLOC_CTX *mem_ctx, const char *keystr, TDB_DATA dbuf,
+ struct tdb_validation_status *state)
+{
+ /* Can't say anything about this other than must be nonzero. */
+ if (dbuf.dsize == 0) {
+ DEBUG(0,("validate_dr: Corrupt cache for key %s (len == 0) ?\n",
+ keystr));
+ state->bad_entry = true;
+ state->success = false;
+ return 1;
+ }
+
+ DEBUG(10,("validate_dr: %s ok\n", keystr));
+ return 0;
+}
+
+static int validate_de(TALLOC_CTX *mem_ctx, const char *keystr, TDB_DATA dbuf,
+ struct tdb_validation_status *state)
+{
+ /* Can't say anything about this other than must be nonzero. */
+ if (dbuf.dsize == 0) {
+ DEBUG(0,("validate_de: Corrupt cache for key %s (len == 0) ?\n",
+ keystr));
+ state->bad_entry = true;
+ state->success = false;
+ return 1;
+ }
+
+ DEBUG(10,("validate_de: %s ok\n", keystr));
+ return 0;
+}
+
+static int validate_nss_an(TALLOC_CTX *mem_ctx, const char *keystr,
+ TDB_DATA dbuf,
+ struct tdb_validation_status *state)
+{
+ struct cache_entry *centry = create_centry_validate(keystr, dbuf, state);
+
+ if (!centry) {
+ return 1;
+ }
+
+ (void)centry_string( centry, mem_ctx );
+
+ centry_free(centry);
+
+ if (!(state->success)) {
+ return 1;
+ }
+ DEBUG(10,("validate_pwinfo: %s ok\n", keystr));
+ return 0;
+}
+
+static int validate_nss_na(TALLOC_CTX *mem_ctx, const char *keystr,
+ TDB_DATA dbuf,
+ struct tdb_validation_status *state)
+{
+ struct cache_entry *centry = create_centry_validate(keystr, dbuf, state);
+
+ if (!centry) {
+ return 1;
+ }
+
+ (void)centry_string( centry, mem_ctx );
+
+ centry_free(centry);
+
+ if (!(state->success)) {
+ return 1;
+ }
+ DBG_DEBUG("%s ok\n", keystr);
+ return 0;
+}
+
+static int validate_trustdomcache(TALLOC_CTX *mem_ctx, const char *keystr,
+ TDB_DATA dbuf,
+ struct tdb_validation_status *state)
+{
+ if (dbuf.dsize == 0) {
+ DEBUG(0, ("validate_trustdomcache: Corrupt cache for "
+ "key %s (len ==0) ?\n", keystr));
+ state->bad_entry = true;
+ state->success = false;
+ return 1;
+ }
+
+ DEBUG(10, ("validate_trustdomcache: %s ok\n", keystr));
+ DEBUGADD(10, (" Don't trust me, I am a DUMMY!\n"));
+ return 0;
+}
+
+static int validate_offline(TALLOC_CTX *mem_ctx, const char *keystr, TDB_DATA dbuf,
+ struct tdb_validation_status *state)
+{
+ if (dbuf.dsize != 4) {
+ DEBUG(0,("validate_offline: Corrupt cache for key %s (len %u != 4) ?\n",
+ keystr, (unsigned int)dbuf.dsize ));
+ state->bad_entry = true;
+ state->success = false;
+ return 1;
+ }
+ DEBUG(10,("validate_offline: %s ok\n", keystr));
+ return 0;
+}
+
+static int validate_ndr(TALLOC_CTX *mem_ctx, const char *keystr, TDB_DATA dbuf,
+ struct tdb_validation_status *state)
+{
+ /*
+ * Ignore validation for now. The proper way to do this is with a
+ * checksum. Just pure parsing does not really catch much.
+ */
+ return 0;
+}
+
+static int validate_cache_version(TALLOC_CTX *mem_ctx, const char *keystr, TDB_DATA dbuf,
+ struct tdb_validation_status *state)
+{
+ if (dbuf.dsize != 4) {
+ DEBUG(0, ("validate_cache_version: Corrupt cache for "
+ "key %s (len %u != 4) ?\n",
+ keystr, (unsigned int)dbuf.dsize));
+ state->bad_entry = true;
+ state->success = false;
+ return 1;
+ }
+
+ DEBUG(10, ("validate_cache_version: %s ok\n", keystr));
+ return 0;
+}
+
+/***********************************************************************
+ A list of all possible cache tdb keys with associated validation
+ functions.
+***********************************************************************/
+
+struct key_val_struct {
+ const char *keyname;
+ int (*validate_data_fn)(TALLOC_CTX *mem_ctx, const char *keystr, TDB_DATA dbuf, struct tdb_validation_status* state);
+} key_val[] = {
+ {"SEQNUM/", validate_seqnum},
+ {"U/", validate_u},
+ {"LOC_POL/", validate_loc_pol},
+ {"PWD_POL/", validate_pwd_pol},
+ {"CRED/", validate_cred},
+ {"UL/", validate_ul},
+ {"GL/", validate_gl},
+ {"UG/", validate_ug},
+ {"UA", validate_ua},
+ {"GM/", validate_gm},
+ {"DR/", validate_dr},
+ {"DE/", validate_de},
+ {"TRUSTDOMCACHE/", validate_trustdomcache},
+ {"NSS/NA/", validate_nss_na},
+ {"NSS/AN/", validate_nss_an},
+ {"WINBINDD_OFFLINE", validate_offline},
+ {"NDR/", validate_ndr},
+ {WINBINDD_CACHE_VERSION_KEYSTR, validate_cache_version},
+ {NULL, NULL}
+};
+
+/***********************************************************************
+ Function to look at every entry in the tdb and validate it as far as
+ possible.
+***********************************************************************/
+
+static int cache_traverse_validate_fn(TDB_CONTEXT *the_tdb, TDB_DATA kbuf, TDB_DATA dbuf, void *state)
+{
+ int i;
+ unsigned int max_key_len = 1024;
+ struct tdb_validation_status *v_state = (struct tdb_validation_status *)state;
+
+ /* Paranoia check. */
+ if (strncmp("UA/", (const char *)kbuf.dptr, 3) == 0 ||
+ strncmp("NDR/", (const char *)kbuf.dptr, 4) == 0) {
+ max_key_len = 1024 * 1024;
+ }
+ if (kbuf.dsize > max_key_len) {
+ DEBUG(0, ("cache_traverse_validate_fn: key length too large: "
+ "(%u) > (%u)\n\n",
+ (unsigned int)kbuf.dsize, (unsigned int)max_key_len));
+ return 1;
+ }
+
+ for (i = 0; key_val[i].keyname; i++) {
+ size_t namelen = strlen(key_val[i].keyname);
+ if (kbuf.dsize >= namelen && (
+ strncmp(key_val[i].keyname, (const char *)kbuf.dptr, namelen)) == 0) {
+ TALLOC_CTX *mem_ctx;
+ char *keystr;
+ int ret;
+
+ keystr = SMB_MALLOC_ARRAY(char, kbuf.dsize+1);
+ if (!keystr) {
+ return 1;
+ }
+ memcpy(keystr, kbuf.dptr, kbuf.dsize);
+ keystr[kbuf.dsize] = '\0';
+
+ mem_ctx = talloc_init("validate_ctx");
+ if (!mem_ctx) {
+ SAFE_FREE(keystr);
+ return 1;
+ }
+
+ ret = key_val[i].validate_data_fn(mem_ctx, keystr, dbuf,
+ v_state);
+
+ SAFE_FREE(keystr);
+ talloc_destroy(mem_ctx);
+ return ret;
+ }
+ }
+
+ DEBUG(0,("cache_traverse_validate_fn: unknown cache entry\nkey :\n"));
+ dump_data(0, (uint8_t *)kbuf.dptr, kbuf.dsize);
+ DEBUG(0,("data :\n"));
+ dump_data(0, (uint8_t *)dbuf.dptr, dbuf.dsize);
+ v_state->unknown_key = true;
+ v_state->success = false;
+ return 1; /* terminate. */
+}
+
+static void validate_panic(const char *const why)
+{
+ DEBUG(0,("validating cache: would panic %s\n", why ));
+ DEBUGADD(0, ("exiting instead (cache validation mode)\n"));
+ exit(47);
+}
+
+static int wbcache_update_centry_fn(TDB_CONTEXT *tdb,
+ TDB_DATA key,
+ TDB_DATA data,
+ void *state)
+{
+ uint64_t ctimeout;
+ TDB_DATA blob;
+
+ if (is_non_centry_key(key)) {
+ return 0;
+ }
+
+ if (data.dptr == NULL || data.dsize == 0) {
+ if (tdb_delete(tdb, key) < 0) {
+ DEBUG(0, ("tdb_delete for [%s] failed!\n",
+ key.dptr));
+ return 1;
+ }
+ }
+
+ /* add timeout to blob (uint64_t) */
+ blob.dsize = data.dsize + 8;
+
+ blob.dptr = SMB_XMALLOC_ARRAY(uint8_t, blob.dsize);
+ if (blob.dptr == NULL) {
+ return 1;
+ }
+ memset(blob.dptr, 0, blob.dsize);
+
+ /* copy status and seqnum */
+ memcpy(blob.dptr, data.dptr, 8);
+
+ /* add timeout */
+ ctimeout = lp_winbind_cache_time() + time(NULL);
+ SBVAL(blob.dptr, 8, ctimeout);
+
+ /* copy the rest */
+ memcpy(blob.dptr + 16, data.dptr + 8, data.dsize - 8);
+
+ if (tdb_store(tdb, key, blob, TDB_REPLACE) < 0) {
+ DEBUG(0, ("tdb_store to update [%s] failed!\n",
+ key.dptr));
+ SAFE_FREE(blob.dptr);
+ return 1;
+ }
+
+ SAFE_FREE(blob.dptr);
+ return 0;
+}
+
+static bool wbcache_upgrade_v1_to_v2(TDB_CONTEXT *tdb)
+{
+ int rc;
+
+ DEBUG(1, ("Upgrade to version 2 of the winbindd_cache.tdb\n"));
+
+ rc = tdb_traverse(tdb, wbcache_update_centry_fn, NULL);
+ if (rc < 0) {
+ return false;
+ }
+
+ return true;
+}
+
+/***********************************************************************
+ Try and validate every entry in the winbindd cache. If we fail here,
+ delete the cache tdb and return non-zero.
+***********************************************************************/
+
+int winbindd_validate_cache(void)
+{
+ int ret = -1;
+ char *tdb_path = NULL;
+ TDB_CONTEXT *tdb = NULL;
+ uint32_t vers_id;
+ bool ok;
+
+ DEBUG(10, ("winbindd_validate_cache: replacing panic function\n"));
+ smb_panic_fn = validate_panic;
+
+ tdb_path = wcache_path();
+ if (tdb_path == NULL) {
+ goto done;
+ }
+
+ tdb = tdb_open_log(tdb_path,
+ WINBINDD_CACHE_TDB_DEFAULT_HASH_SIZE,
+ TDB_INCOMPATIBLE_HASH |
+ ( lp_winbind_offline_logon()
+ ? TDB_DEFAULT
+ : TDB_DEFAULT | TDB_CLEAR_IF_FIRST ),
+ O_RDWR|O_CREAT,
+ 0600);
+ if (!tdb) {
+ DEBUG(0, ("winbindd_validate_cache: "
+ "error opening/initializing tdb\n"));
+ goto done;
+ }
+
+ /* Version check and upgrade code. */
+ if (!tdb_fetch_uint32(tdb, WINBINDD_CACHE_VERSION_KEYSTR, &vers_id)) {
+ DEBUG(10, ("Fresh database\n"));
+ tdb_store_uint32(tdb, WINBINDD_CACHE_VERSION_KEYSTR, WINBINDD_CACHE_VERSION);
+ vers_id = WINBINDD_CACHE_VERSION;
+ }
+
+ if (vers_id != WINBINDD_CACHE_VERSION) {
+ if (vers_id == WINBINDD_CACHE_VER1) {
+ ok = wbcache_upgrade_v1_to_v2(tdb);
+ if (!ok) {
+ DEBUG(10, ("winbindd_validate_cache: upgrade to version 2 failed.\n"));
+ unlink(tdb_path);
+ goto done;
+ }
+
+ tdb_store_uint32(tdb,
+ WINBINDD_CACHE_VERSION_KEYSTR,
+ WINBINDD_CACHE_VERSION);
+ vers_id = WINBINDD_CACHE_VER2;
+ }
+ }
+
+ tdb_close(tdb);
+
+ ret = tdb_validate_and_backup(tdb_path, cache_traverse_validate_fn);
+
+ if (ret != 0) {
+ DEBUG(10, ("winbindd_validate_cache: validation not successful.\n"));
+ DEBUGADD(10, ("removing tdb %s.\n", tdb_path));
+ unlink(tdb_path);
+ }
+
+done:
+ TALLOC_FREE(tdb_path);
+ DEBUG(10, ("winbindd_validate_cache: restoring panic function\n"));
+ smb_panic_fn = smb_panic;
+ return ret;
+}
+
+/***********************************************************************
+ Try and validate every entry in the winbindd cache.
+***********************************************************************/
+
+int winbindd_validate_cache_nobackup(void)
+{
+ int ret = -1;
+ char *tdb_path;
+
+ DEBUG(10, ("winbindd_validate_cache: replacing panic function\n"));
+ smb_panic_fn = validate_panic;
+
+ tdb_path = wcache_path();
+ if (tdb_path == NULL) {
+ goto err_panic_restore;
+ }
+
+ if (wcache == NULL || wcache->tdb == NULL) {
+ ret = tdb_validate_open(tdb_path, cache_traverse_validate_fn);
+ } else {
+ ret = tdb_validate(wcache->tdb, cache_traverse_validate_fn);
+ }
+
+ if (ret != 0) {
+ DEBUG(10, ("winbindd_validate_cache_nobackup: validation not "
+ "successful.\n"));
+ }
+
+ TALLOC_FREE(tdb_path);
+err_panic_restore:
+ DEBUG(10, ("winbindd_validate_cache_nobackup: restoring panic "
+ "function\n"));
+ smb_panic_fn = smb_panic;
+ return ret;
+}
+
+bool winbindd_cache_validate_and_initialize(void)
+{
+ close_winbindd_cache();
+
+ if (lp_winbind_offline_logon()) {
+ if (winbindd_validate_cache() < 0) {
+ DEBUG(0, ("winbindd cache tdb corrupt and no backup "
+ "could be restored.\n"));
+ }
+ }
+
+ return initialize_winbindd_cache();
+}
+
+/*********************************************************************
+ ********************************************************************/
+
+static bool add_wbdomain_to_tdc_array( struct winbindd_domain *new_dom,
+ struct winbindd_tdc_domain **domains,
+ size_t *num_domains )
+{
+ struct winbindd_tdc_domain *list = NULL;
+ size_t i, idx;
+ bool set_only = false;
+
+ /* don't allow duplicates */
+
+ idx = *num_domains;
+ list = *domains;
+
+ for ( i=0; i< (*num_domains); i++ ) {
+ if ( strequal( new_dom->name, list[i].domain_name ) ) {
+ DEBUG(10,("add_wbdomain_to_tdc_array: Found existing record for %s\n",
+ new_dom->name));
+ idx = i;
+ set_only = true;
+
+ break;
+ }
+ }
+
+ if ( !set_only ) {
+ if ( !*domains ) {
+ list = talloc_array( NULL, struct winbindd_tdc_domain, 1 );
+ idx = 0;
+ } else {
+ list = talloc_realloc( *domains, *domains,
+ struct winbindd_tdc_domain,
+ (*num_domains)+1);
+ idx = *num_domains;
+ }
+
+ ZERO_STRUCT( list[idx] );
+ }
+
+ if ( !list )
+ return false;
+
+ list[idx].domain_name = talloc_strdup(list, new_dom->name);
+ if (list[idx].domain_name == NULL) {
+ return false;
+ }
+ if (new_dom->alt_name != NULL) {
+ list[idx].dns_name = talloc_strdup(list, new_dom->alt_name);
+ if (list[idx].dns_name == NULL) {
+ return false;
+ }
+ }
+
+ if ( !is_null_sid( &new_dom->sid ) ) {
+ sid_copy( &list[idx].sid, &new_dom->sid );
+ } else {
+ sid_copy(&list[idx].sid, &global_sid_NULL);
+ }
+
+ if ( new_dom->domain_flags != 0x0 )
+ list[idx].trust_flags = new_dom->domain_flags;
+
+ if ( new_dom->domain_type != 0x0 )
+ list[idx].trust_type = new_dom->domain_type;
+
+ if ( new_dom->domain_trust_attribs != 0x0 )
+ list[idx].trust_attribs = new_dom->domain_trust_attribs;
+
+ if ( !set_only ) {
+ *domains = list;
+ *num_domains = idx + 1;
+ }
+
+ return true;
+}
+
+/*********************************************************************
+ ********************************************************************/
+
+static TDB_DATA make_tdc_key( const char *domain_name )
+{
+ char *keystr = NULL;
+ TDB_DATA key = { NULL, 0 };
+
+ if ( !domain_name ) {
+ DEBUG(5,("make_tdc_key: Keyname workgroup is NULL!\n"));
+ return key;
+ }
+
+ if (asprintf( &keystr, "TRUSTDOMCACHE/%s", domain_name ) == -1) {
+ return key;
+ }
+ key = string_term_tdb_data(keystr);
+
+ return key;
+}
+
+/*********************************************************************
+ ********************************************************************/
+
+static int pack_tdc_domains( struct winbindd_tdc_domain *domains,
+ size_t num_domains,
+ unsigned char **buf )
+{
+ unsigned char *buffer = NULL;
+ int len = 0;
+ int buflen = 0;
+ size_t i = 0;
+
+ DEBUG(10,("pack_tdc_domains: Packing %d trusted domains\n",
+ (int)num_domains));
+
+ buflen = 0;
+
+ again:
+ len = 0;
+
+ /* Store the number of array items first */
+ len += tdb_pack( buffer ? buffer+len : NULL,
+ buffer ? buflen-len : 0, "d",
+ num_domains );
+
+ /* now pack each domain trust record */
+ for ( i=0; i<num_domains; i++ ) {
+
+ struct dom_sid_buf tmp;
+
+ if ( buflen > 0 ) {
+ DEBUG(10,("pack_tdc_domains: Packing domain %s (%s)\n",
+ domains[i].domain_name,
+ domains[i].dns_name ? domains[i].dns_name : "UNKNOWN" ));
+ }
+
+ len += tdb_pack( buffer ? buffer+len : NULL,
+ buffer ? buflen-len : 0, "fffddd",
+ domains[i].domain_name,
+ domains[i].dns_name ? domains[i].dns_name : "",
+ dom_sid_str_buf(&domains[i].sid, &tmp),
+ domains[i].trust_flags,
+ domains[i].trust_attribs,
+ domains[i].trust_type );
+ }
+
+ if ( buflen < len ) {
+ SAFE_FREE(buffer);
+ if ( (buffer = SMB_MALLOC_ARRAY(unsigned char, len)) == NULL ) {
+ DEBUG(0,("pack_tdc_domains: failed to alloc buffer!\n"));
+ buflen = -1;
+ goto done;
+ }
+ buflen = len;
+ goto again;
+ }
+
+ *buf = buffer;
+
+ done:
+ return buflen;
+}
+
+/*********************************************************************
+ ********************************************************************/
+
+static size_t unpack_tdc_domains( unsigned char *buf, int buflen,
+ struct winbindd_tdc_domain **domains )
+{
+ fstring domain_name, dns_name, sid_string;
+ uint32_t type, attribs, flags;
+ int num_domains;
+ int len = 0;
+ int i;
+ struct winbindd_tdc_domain *list = NULL;
+
+ /* get the number of domains */
+ len += tdb_unpack( buf+len, buflen-len, "d", &num_domains);
+ if ( len == -1 ) {
+ DEBUG(5,("unpack_tdc_domains: Failed to unpack domain array\n"));
+ return 0;
+ }
+
+ list = talloc_array( NULL, struct winbindd_tdc_domain, num_domains );
+ if ( !list ) {
+ DEBUG(0,("unpack_tdc_domains: Failed to talloc() domain list!\n"));
+ return 0;
+ }
+
+ for ( i=0; i<num_domains; i++ ) {
+ int this_len;
+
+ this_len = tdb_unpack( buf+len, buflen-len, "fffddd",
+ domain_name,
+ dns_name,
+ sid_string,
+ &flags,
+ &attribs,
+ &type );
+
+ if ( this_len == -1 ) {
+ DEBUG(5,("unpack_tdc_domains: Failed to unpack domain array\n"));
+ TALLOC_FREE( list );
+ return 0;
+ }
+ len += this_len;
+
+ DEBUG(11,("unpack_tdc_domains: Unpacking domain %s (%s) "
+ "SID %s, flags = 0x%x, attribs = 0x%x, type = 0x%x\n",
+ domain_name, dns_name, sid_string,
+ flags, attribs, type));
+
+ list[i].domain_name = talloc_strdup( list, domain_name );
+ list[i].dns_name = NULL;
+ if (dns_name[0] != '\0') {
+ list[i].dns_name = talloc_strdup(list, dns_name);
+ }
+ if ( !string_to_sid( &(list[i].sid), sid_string ) ) {
+ DEBUG(10,("unpack_tdc_domains: no SID for domain %s\n",
+ domain_name));
+ }
+ list[i].trust_flags = flags;
+ list[i].trust_attribs = attribs;
+ list[i].trust_type = type;
+ }
+
+ *domains = list;
+
+ return num_domains;
+}
+
+/*********************************************************************
+ ********************************************************************/
+
+static bool wcache_tdc_store_list( struct winbindd_tdc_domain *domains, size_t num_domains )
+{
+ TDB_DATA key = make_tdc_key( lp_workgroup() );
+ TDB_DATA data = { NULL, 0 };
+ int ret;
+
+ if ( !key.dptr )
+ return false;
+
+ /* See if we were asked to delete the cache entry */
+
+ if ( !domains ) {
+ ret = tdb_delete( wcache->tdb, key );
+ goto done;
+ }
+
+ data.dsize = pack_tdc_domains( domains, num_domains, &data.dptr );
+
+ if ( !data.dptr ) {
+ ret = -1;
+ goto done;
+ }
+
+ ret = tdb_store( wcache->tdb, key, data, 0 );
+
+ done:
+ SAFE_FREE( data.dptr );
+ SAFE_FREE( key.dptr );
+
+ return ( ret == 0 );
+}
+
+/*********************************************************************
+ ********************************************************************/
+
+bool wcache_tdc_fetch_list( struct winbindd_tdc_domain **domains, size_t *num_domains )
+{
+ TDB_DATA key = make_tdc_key( lp_workgroup() );
+ TDB_DATA data = { NULL, 0 };
+
+ *domains = NULL;
+ *num_domains = 0;
+
+ if ( !key.dptr )
+ return false;
+
+ data = tdb_fetch( wcache->tdb, key );
+
+ SAFE_FREE( key.dptr );
+
+ if ( !data.dptr )
+ return false;
+
+ *num_domains = unpack_tdc_domains( data.dptr, data.dsize, domains );
+
+ SAFE_FREE( data.dptr );
+
+ if ( !*domains )
+ return false;
+
+ return true;
+}
+
+/*********************************************************************
+ ********************************************************************/
+
+bool wcache_tdc_add_domain( struct winbindd_domain *domain )
+{
+ struct winbindd_tdc_domain *dom_list = NULL;
+ size_t num_domains = 0;
+ bool ret = false;
+ struct dom_sid_buf buf;
+
+ DEBUG(10,("wcache_tdc_add_domain: Adding domain %s (%s), SID %s, "
+ "flags = 0x%x, attributes = 0x%x, type = 0x%x\n",
+ domain->name, domain->alt_name,
+ dom_sid_str_buf(&domain->sid, &buf),
+ domain->domain_flags,
+ domain->domain_trust_attribs,
+ domain->domain_type));
+
+ if ( !init_wcache() ) {
+ return false;
+ }
+
+ /* fetch the list */
+
+ wcache_tdc_fetch_list( &dom_list, &num_domains );
+
+ /* add the new domain */
+
+ if ( !add_wbdomain_to_tdc_array( domain, &dom_list, &num_domains ) ) {
+ goto done;
+ }
+
+ /* pack the domain */
+
+ if ( !wcache_tdc_store_list( dom_list, num_domains ) ) {
+ goto done;
+ }
+
+ /* Success */
+
+ ret = true;
+ done:
+ TALLOC_FREE( dom_list );
+
+ return ret;
+}
+
+static struct winbindd_tdc_domain *wcache_tdc_dup_domain(
+ TALLOC_CTX *mem_ctx, const struct winbindd_tdc_domain *src)
+{
+ struct winbindd_tdc_domain *dst;
+
+ dst = talloc(mem_ctx, struct winbindd_tdc_domain);
+ if (dst == NULL) {
+ goto fail;
+ }
+ dst->domain_name = talloc_strdup(dst, src->domain_name);
+ if (dst->domain_name == NULL) {
+ goto fail;
+ }
+
+ dst->dns_name = NULL;
+ if (src->dns_name != NULL) {
+ dst->dns_name = talloc_strdup(dst, src->dns_name);
+ if (dst->dns_name == NULL) {
+ goto fail;
+ }
+ }
+
+ sid_copy(&dst->sid, &src->sid);
+ dst->trust_flags = src->trust_flags;
+ dst->trust_type = src->trust_type;
+ dst->trust_attribs = src->trust_attribs;
+ return dst;
+fail:
+ TALLOC_FREE(dst);
+ return NULL;
+}
+
+/*********************************************************************
+ ********************************************************************/
+
+struct winbindd_tdc_domain * wcache_tdc_fetch_domain( TALLOC_CTX *ctx, const char *name )
+{
+ struct winbindd_tdc_domain *dom_list = NULL;
+ size_t num_domains = 0;
+ size_t i;
+ struct winbindd_tdc_domain *d = NULL;
+
+ DEBUG(10,("wcache_tdc_fetch_domain: Searching for domain %s\n", name));
+
+ if ( !init_wcache() ) {
+ return NULL;
+ }
+
+ /* fetch the list */
+
+ wcache_tdc_fetch_list( &dom_list, &num_domains );
+
+ for ( i=0; i<num_domains; i++ ) {
+ if ( strequal(name, dom_list[i].domain_name) ||
+ strequal(name, dom_list[i].dns_name) )
+ {
+ DEBUG(10,("wcache_tdc_fetch_domain: Found domain %s\n",
+ name));
+
+ d = wcache_tdc_dup_domain(ctx, &dom_list[i]);
+ break;
+ }
+ }
+
+ TALLOC_FREE( dom_list );
+
+ return d;
+}
+
+/*********************************************************************
+ ********************************************************************/
+
+void wcache_tdc_clear( void )
+{
+ if ( !init_wcache() )
+ return;
+
+ wcache_tdc_store_list( NULL, 0 );
+
+ return;
+}
+
+static bool wcache_ndr_key(TALLOC_CTX *mem_ctx, const char *domain_name,
+ uint32_t opnum, const DATA_BLOB *req,
+ TDB_DATA *pkey)
+{
+ char *key;
+ size_t keylen;
+
+ key = talloc_asprintf(mem_ctx, "NDR/%s/%d/", domain_name, (int)opnum);
+ if (key == NULL) {
+ return false;
+ }
+ keylen = talloc_get_size(key) - 1;
+
+ key = talloc_realloc(mem_ctx, key, char, keylen + req->length);
+ if (key == NULL) {
+ return false;
+ }
+ memcpy(key + keylen, req->data, req->length);
+
+ pkey->dptr = (uint8_t *)key;
+ pkey->dsize = talloc_get_size(key);
+ return true;
+}
+
+static bool wcache_opnum_cacheable(uint32_t opnum)
+{
+ switch (opnum) {
+ case NDR_WBINT_LOOKUPSID:
+ case NDR_WBINT_LOOKUPSIDS:
+ case NDR_WBINT_LOOKUPNAME:
+ case NDR_WBINT_SIDS2UNIXIDS:
+ case NDR_WBINT_UNIXIDS2SIDS:
+ case NDR_WBINT_GETNSSINFO:
+ case NDR_WBINT_LOOKUPUSERALIASES:
+ case NDR_WBINT_LOOKUPUSERGROUPS:
+ case NDR_WBINT_LOOKUPGROUPMEMBERS:
+ case NDR_WBINT_QUERYGROUPLIST:
+ case NDR_WBINT_QUERYUSERRIDLIST:
+ case NDR_WBINT_DSGETDCNAME:
+ case NDR_WBINT_LOOKUPRIDS:
+ return true;
+ }
+ return false;
+}
+
+bool wcache_fetch_ndr(TALLOC_CTX *mem_ctx, struct winbindd_domain *domain,
+ uint32_t opnum, const DATA_BLOB *req, DATA_BLOB *resp)
+{
+ TDB_DATA key, data;
+ bool ret = false;
+
+ if (!wcache_opnum_cacheable(opnum) ||
+ is_my_own_sam_domain(domain) ||
+ is_builtin_domain(domain)) {
+ return false;
+ }
+
+ if (wcache->tdb == NULL) {
+ return false;
+ }
+
+ if (!wcache_ndr_key(talloc_tos(), domain->name, opnum, req, &key)) {
+ return false;
+ }
+ data = tdb_fetch(wcache->tdb, key);
+ TALLOC_FREE(key.dptr);
+
+ if (data.dptr == NULL) {
+ return false;
+ }
+ if (data.dsize < 12) {
+ goto fail;
+ }
+
+ if (is_domain_online(domain)) {
+ uint32_t entry_seqnum, dom_seqnum, last_check;
+ uint64_t entry_timeout;
+
+ if (!wcache_fetch_seqnum(domain->name, &dom_seqnum,
+ &last_check)) {
+ goto fail;
+ }
+ entry_seqnum = IVAL(data.dptr, 0);
+ if (entry_seqnum != dom_seqnum) {
+ DEBUG(10, ("Entry has wrong sequence number: %d\n",
+ (int)entry_seqnum));
+ goto fail;
+ }
+ entry_timeout = BVAL(data.dptr, 4);
+ if (time(NULL) > (time_t)entry_timeout) {
+ DEBUG(10, ("Entry has timed out\n"));
+ goto fail;
+ }
+ }
+
+ resp->data = (uint8_t *)talloc_memdup(mem_ctx, data.dptr + 12,
+ data.dsize - 12);
+ if (resp->data == NULL) {
+ DEBUG(10, ("talloc failed\n"));
+ goto fail;
+ }
+ resp->length = data.dsize - 12;
+
+ ret = true;
+fail:
+ SAFE_FREE(data.dptr);
+ return ret;
+}
+
+void wcache_store_ndr(struct winbindd_domain *domain, uint32_t opnum,
+ const DATA_BLOB *req, const DATA_BLOB *resp)
+{
+ TDB_DATA key, data;
+ uint32_t dom_seqnum, last_check;
+ uint64_t timeout;
+
+ if (!wcache_opnum_cacheable(opnum) ||
+ is_my_own_sam_domain(domain) ||
+ is_builtin_domain(domain)) {
+ return;
+ }
+
+ if (wcache->tdb == NULL) {
+ return;
+ }
+
+ if (!wcache_fetch_seqnum(domain->name, &dom_seqnum, &last_check)) {
+ DEBUG(10, ("could not fetch seqnum for domain %s\n",
+ domain->name));
+ return;
+ }
+
+ if (!wcache_ndr_key(talloc_tos(), domain->name, opnum, req, &key)) {
+ return;
+ }
+
+ timeout = time(NULL) + lp_winbind_cache_time();
+
+ data.dsize = resp->length + 12;
+ data.dptr = talloc_array(key.dptr, uint8_t, data.dsize);
+ if (data.dptr == NULL) {
+ goto done;
+ }
+
+ SIVAL(data.dptr, 0, dom_seqnum);
+ SBVAL(data.dptr, 4, timeout);
+ memcpy(data.dptr + 12, resp->data, resp->length);
+
+ tdb_store(wcache->tdb, key, data, 0);
+
+done:
+ TALLOC_FREE(key.dptr);
+ return;
+}
diff --git a/source3/winbindd/winbindd_ccache_access.c b/source3/winbindd/winbindd_ccache_access.c
new file mode 100644
index 0000000..a73f936
--- /dev/null
+++ b/source3/winbindd/winbindd_ccache_access.c
@@ -0,0 +1,373 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ Winbind daemon - cached credentials funcions
+
+ Copyright (C) Robert O'Callahan 2006
+ Copyright (C) Jeremy Allison 2006 (minor fixes to fit into Samba and
+ protect against integer wrap).
+ Copyright (C) Andrew Bartlett 2011
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "winbindd.h"
+#include "auth/gensec/gensec.h"
+#include "auth_generic.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_WINBIND
+
+static bool client_can_access_ccache_entry(uid_t client_uid,
+ struct WINBINDD_MEMORY_CREDS *entry)
+{
+ if (client_uid == entry->uid || client_uid == 0) {
+ DEBUG(10, ("Access granted to uid %u\n", (unsigned int)client_uid));
+ return True;
+ }
+
+ DEBUG(1, ("Access denied to uid %u (expected %u)\n",
+ (unsigned int)client_uid, (unsigned int)entry->uid));
+ return False;
+}
+
+static NTSTATUS do_ntlm_auth_with_stored_pw(const char *namespace,
+ const char *domain,
+ const char *username,
+ const char *password,
+ const DATA_BLOB initial_msg,
+ const DATA_BLOB challenge_msg,
+ TALLOC_CTX *mem_ctx,
+ DATA_BLOB *auth_msg,
+ uint8_t session_key[16],
+ uint8_t *new_spnego)
+{
+ NTSTATUS status;
+ struct auth_generic_state *auth_generic_state = NULL;
+ DATA_BLOB reply, session_key_blob;
+
+ status = auth_generic_client_prepare(mem_ctx, &auth_generic_state);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1, ("Could not start NTLMSSP client: %s\n",
+ nt_errstr(status)));
+ goto done;
+ }
+
+ status = auth_generic_set_username(auth_generic_state, username);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1, ("Could not set username: %s\n",
+ nt_errstr(status)));
+ goto done;
+ }
+
+ status = auth_generic_set_domain(auth_generic_state, domain);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1, ("Could not set domain: %s\n",
+ nt_errstr(status)));
+ goto done;
+ }
+
+ status = auth_generic_set_password(auth_generic_state, password);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1, ("Could not set password: %s\n",
+ nt_errstr(status)));
+ goto done;
+ }
+
+ if (initial_msg.length == 0) {
+ gensec_want_feature(auth_generic_state->gensec_security,
+ GENSEC_FEATURE_SESSION_KEY);
+ }
+
+ status = auth_generic_client_start_by_name(auth_generic_state,
+ "ntlmssp_resume_ccache");
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1, ("Could not start NTLMSSP resume mech: %s\n",
+ nt_errstr(status)));
+ goto done;
+ }
+
+ /*
+ * We inject the initial NEGOTIATE message our caller used
+ * in order to get the state machine into the correct position.
+ */
+ reply = data_blob_null;
+ status = gensec_update(auth_generic_state->gensec_security,
+ talloc_tos(), initial_msg, &reply);
+ data_blob_free(&reply);
+
+ if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
+ DEBUG(1, ("Failed to create initial message! [%s]\n",
+ nt_errstr(status)));
+ goto done;
+ }
+
+ /* Now we are ready to handle the server's actual response. */
+ status = gensec_update(auth_generic_state->gensec_security,
+ mem_ctx, challenge_msg, &reply);
+ if (!NT_STATUS_EQUAL(status, NT_STATUS_OK)) {
+ DEBUG(1, ("We didn't get a response to the challenge! [%s]\n",
+ nt_errstr(status)));
+ data_blob_free(&reply);
+ goto done;
+ }
+
+ status = gensec_session_key(auth_generic_state->gensec_security,
+ talloc_tos(), &session_key_blob);
+ if (!NT_STATUS_EQUAL(status, NT_STATUS_OK)) {
+ DEBUG(1, ("We didn't get the session key we requested! [%s]\n",
+ nt_errstr(status)));
+ data_blob_free(&reply);
+ goto done;
+ }
+
+ if (session_key_blob.length != 16) {
+ DEBUG(1, ("invalid session key length %d\n",
+ (int)session_key_blob.length));
+ data_blob_free(&reply);
+ goto done;
+ }
+ memcpy(session_key, session_key_blob.data, 16);
+ data_blob_free(&session_key_blob);
+ *auth_msg = reply;
+ *new_spnego = gensec_have_feature(auth_generic_state->gensec_security,
+ GENSEC_FEATURE_NEW_SPNEGO);
+ status = NT_STATUS_OK;
+
+done:
+ TALLOC_FREE(auth_generic_state);
+ return status;
+}
+
+static bool check_client_uid(struct winbindd_cli_state *state, uid_t uid)
+{
+ int ret;
+ uid_t ret_uid;
+ gid_t ret_gid;
+
+ ret_uid = (uid_t)-1;
+
+ ret = getpeereid(state->sock, &ret_uid, &ret_gid);
+ if (ret != 0) {
+ DEBUG(1, ("check_client_uid: Could not get socket peer uid: %s; "
+ "denying access\n", strerror(errno)));
+ return False;
+ }
+
+ if (uid != ret_uid && ret_uid != sec_initial_uid()) {
+ DEBUG(1, ("check_client_uid: Client lied about its uid: said %u, "
+ "actually was %u; denying access\n",
+ (unsigned int)uid, (unsigned int)ret_uid));
+ return False;
+ }
+
+ return True;
+}
+
+bool winbindd_ccache_ntlm_auth(struct winbindd_cli_state *state)
+{
+ struct winbindd_domain *domain;
+ fstring name_namespace, name_domain, name_user;
+ NTSTATUS result = NT_STATUS_NOT_SUPPORTED;
+ struct WINBINDD_MEMORY_CREDS *entry;
+ DATA_BLOB initial, challenge, auth;
+ uint32_t initial_blob_len, challenge_blob_len, extra_len;
+ bool ok;
+
+ /* Ensure null termination */
+ state->request->data.ccache_ntlm_auth.user[
+ sizeof(state->request->data.ccache_ntlm_auth.user)-1]='\0';
+
+ DEBUG(3, ("[%5lu]: perform NTLM auth on behalf of user %s\n", (unsigned long)state->pid,
+ state->request->data.ccache_ntlm_auth.user));
+
+ /* Parse domain and username */
+
+ ok = canonicalize_username(state->request->data.ccache_ntlm_auth.user,
+ name_namespace,
+ name_domain,
+ name_user);
+ if (!ok) {
+ DEBUG(5,("winbindd_ccache_ntlm_auth: cannot parse domain and user from name [%s]\n",
+ state->request->data.ccache_ntlm_auth.user));
+ return false;
+ }
+
+ domain = find_auth_domain(state->request->flags, name_domain);
+
+ if (domain == NULL) {
+ DEBUG(5,("winbindd_ccache_ntlm_auth: can't get domain [%s]\n",
+ name_domain));
+ return false;
+ }
+
+ if (!check_client_uid(state, state->request->data.ccache_ntlm_auth.uid)) {
+ return false;
+ }
+
+ /* validate blob lengths */
+ initial_blob_len = state->request->data.ccache_ntlm_auth.initial_blob_len;
+ challenge_blob_len = state->request->data.ccache_ntlm_auth.challenge_blob_len;
+ extra_len = state->request->extra_len;
+
+ if (initial_blob_len > extra_len || challenge_blob_len > extra_len ||
+ initial_blob_len + challenge_blob_len > extra_len ||
+ initial_blob_len + challenge_blob_len < initial_blob_len ||
+ initial_blob_len + challenge_blob_len < challenge_blob_len) {
+
+ DEBUG(10,("winbindd_dual_ccache_ntlm_auth: blob lengths overrun "
+ "or wrap. Buffer [%d+%d > %d]\n",
+ initial_blob_len,
+ challenge_blob_len,
+ extra_len));
+ goto process_result;
+ }
+
+ /* Parse domain and username */
+ ok = parse_domain_user(state->request->data.ccache_ntlm_auth.user,
+ name_namespace,
+ name_domain,
+ name_user);
+ if (!ok) {
+ DEBUG(10,("winbindd_dual_ccache_ntlm_auth: cannot parse "
+ "domain and user from name [%s]\n",
+ state->request->data.ccache_ntlm_auth.user));
+ goto process_result;
+ }
+
+ entry = find_memory_creds_by_name(state->request->data.ccache_ntlm_auth.user);
+ if (entry == NULL || entry->nt_hash == NULL || entry->lm_hash == NULL) {
+ DEBUG(10,("winbindd_dual_ccache_ntlm_auth: could not find "
+ "credentials for user %s\n",
+ state->request->data.ccache_ntlm_auth.user));
+ goto process_result;
+ }
+
+ DEBUG(10,("winbindd_dual_ccache_ntlm_auth: found ccache [%s]\n", entry->username));
+
+ if (!client_can_access_ccache_entry(state->request->data.ccache_ntlm_auth.uid, entry)) {
+ goto process_result;
+ }
+
+ if (initial_blob_len == 0 && challenge_blob_len == 0) {
+ /* this is just a probe to see if credentials are available. */
+ result = NT_STATUS_OK;
+ state->response->data.ccache_ntlm_auth.auth_blob_len = 0;
+ goto process_result;
+ }
+
+ initial = data_blob_const(state->request->extra_data.data,
+ initial_blob_len);
+ challenge = data_blob_const(
+ state->request->extra_data.data + initial_blob_len,
+ state->request->data.ccache_ntlm_auth.challenge_blob_len);
+
+ result = do_ntlm_auth_with_stored_pw(
+ name_namespace,
+ name_domain,
+ name_user,
+ entry->pass,
+ initial,
+ challenge,
+ talloc_tos(),
+ &auth,
+ state->response->data.ccache_ntlm_auth.session_key,
+ &state->response->data.ccache_ntlm_auth.new_spnego);
+
+ if (!NT_STATUS_IS_OK(result)) {
+ goto process_result;
+ }
+
+ state->response->extra_data.data = talloc_memdup(
+ state->mem_ctx, auth.data, auth.length);
+ if (!state->response->extra_data.data) {
+ result = NT_STATUS_NO_MEMORY;
+ goto process_result;
+ }
+ state->response->length += auth.length;
+ state->response->data.ccache_ntlm_auth.auth_blob_len = auth.length;
+
+ data_blob_free(&auth);
+
+ process_result:
+ return NT_STATUS_IS_OK(result);
+}
+
+bool winbindd_ccache_save(struct winbindd_cli_state *state)
+{
+ struct winbindd_domain *domain;
+ fstring name_namespace, name_domain, name_user;
+ NTSTATUS status;
+ bool ok;
+
+ /* Ensure null termination */
+ state->request->data.ccache_save.user[
+ sizeof(state->request->data.ccache_save.user)-1]='\0';
+ state->request->data.ccache_save.pass[
+ sizeof(state->request->data.ccache_save.pass)-1]='\0';
+
+ DEBUG(3, ("[%5lu]: save password of user %s\n",
+ (unsigned long)state->pid,
+ state->request->data.ccache_save.user));
+
+ /* Parse domain and username */
+
+ ok = canonicalize_username(state->request->data.ccache_save.user,
+ name_namespace,
+ name_domain,
+ name_user);
+ if (!ok) {
+ DEBUG(5,("winbindd_ccache_save: cannot parse domain and user "
+ "from name [%s]\n",
+ state->request->data.ccache_save.user));
+ return false;
+ }
+
+ /*
+ * The domain is checked here only for compatibility
+ * reasons. We used to do the winbindd memory ccache for
+ * ntlm_auth in the domain child. With that code, we had to
+ * make sure that we do have a domain around to send this
+ * to. Now we do the memory cache in the parent winbindd,
+ * where it would not matter if we have a domain or not.
+ */
+
+ domain = find_auth_domain(state->request->flags, name_domain);
+ if (domain == NULL) {
+ DEBUG(5, ("winbindd_ccache_save: can't get domain [%s]\n",
+ name_domain));
+ return false;
+ }
+
+ if (!check_client_uid(state, state->request->data.ccache_save.uid)) {
+ return false;
+ }
+
+ status = winbindd_add_memory_creds(
+ state->request->data.ccache_save.user,
+ state->request->data.ccache_save.uid,
+ state->request->data.ccache_save.pass);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1, ("winbindd_add_memory_creds failed %s\n",
+ nt_errstr(status)));
+ return false;
+ }
+ return true;
+}
diff --git a/source3/winbindd/winbindd_change_machine_acct.c b/source3/winbindd/winbindd_change_machine_acct.c
new file mode 100644
index 0000000..83eb99b
--- /dev/null
+++ b/source3/winbindd/winbindd_change_machine_acct.c
@@ -0,0 +1,93 @@
+/*
+ Unix SMB/CIFS implementation.
+ async implementation of WINBINDD_CHANGE_MACHINE_ACCT
+ Copyright (C) Volker Lendecke 2009
+ Copyright (C) Guenther Deschner 2009
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "winbindd.h"
+#include "librpc/gen_ndr/ndr_winbind_c.h"
+
+struct winbindd_change_machine_acct_state {
+ uint8_t dummy;
+};
+
+static void winbindd_change_machine_acct_done(struct tevent_req *subreq);
+
+struct tevent_req *winbindd_change_machine_acct_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request)
+{
+ struct tevent_req *req, *subreq;
+ struct winbindd_change_machine_acct_state *state;
+ struct winbindd_domain *domain;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct winbindd_change_machine_acct_state);
+ if (req == NULL) {
+ return NULL;
+ }
+
+ domain = find_domain_from_name(request->domain_name);
+ if (domain == NULL) {
+ tevent_req_nterror(req, NT_STATUS_NO_SUCH_DOMAIN);
+ return tevent_req_post(req, ev);
+ }
+ if (domain->internal) {
+ /*
+ * Internal domains are passdb based, we can always
+ * contact them.
+ *
+ * This also protects us from changing the password on
+ * the AD DC without updating all the right databases.
+ * Do not remove this until that code is fixed.
+ */
+ tevent_req_done(req);
+ return tevent_req_post(req, ev);
+ }
+
+ subreq = dcerpc_wbint_ChangeMachineAccount_send(state, ev,
+ dom_child_handle(domain));
+ if (tevent_req_nomem(subreq, req)) {
+ return tevent_req_post(req, ev);
+ }
+ tevent_req_set_callback(subreq, winbindd_change_machine_acct_done, req);
+ return req;
+}
+
+static void winbindd_change_machine_acct_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct winbindd_change_machine_acct_state *state = tevent_req_data(
+ req, struct winbindd_change_machine_acct_state);
+ NTSTATUS status, result;
+
+ status = dcerpc_wbint_ChangeMachineAccount_recv(subreq, state, &result);
+ if (any_nt_status_not_ok(status, result, &status)) {
+ tevent_req_nterror(req, status);
+ return;
+ }
+ tevent_req_done(req);
+}
+
+NTSTATUS winbindd_change_machine_acct_recv(struct tevent_req *req,
+ struct winbindd_response *presp)
+{
+ return tevent_req_simple_recv_ntstatus(req);
+}
diff --git a/source3/winbindd/winbindd_check_machine_acct.c b/source3/winbindd/winbindd_check_machine_acct.c
new file mode 100644
index 0000000..c657374
--- /dev/null
+++ b/source3/winbindd/winbindd_check_machine_acct.c
@@ -0,0 +1,96 @@
+/*
+ Unix SMB/CIFS implementation.
+ async implementation of WINBINDD_CHECK_MACHINE_ACCT
+ Copyright (C) Volker Lendecke 2009
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "winbindd.h"
+#include "librpc/gen_ndr/ndr_winbind_c.h"
+
+struct winbindd_check_machine_acct_state {
+ uint8_t dummy;
+};
+
+static void winbindd_check_machine_acct_done(struct tevent_req *subreq);
+
+struct tevent_req *winbindd_check_machine_acct_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request)
+{
+ struct tevent_req *req, *subreq;
+ struct winbindd_check_machine_acct_state *state;
+ struct winbindd_domain *domain;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct winbindd_check_machine_acct_state);
+ if (req == NULL) {
+ return NULL;
+ }
+
+ if (request->domain_name[0] == '\0') {
+ /* preserve old behavior, when no domain name is given */
+ domain = find_our_domain();
+ } else {
+ domain = find_domain_from_name(request->domain_name);
+ }
+ if (domain == NULL) {
+ tevent_req_nterror(req, NT_STATUS_NO_SUCH_DOMAIN);
+ return tevent_req_post(req, ev);
+ }
+ if (domain->internal) {
+ /*
+ * Internal domains are passdb based, we can always
+ * contact them.
+ */
+ tevent_req_done(req);
+ return tevent_req_post(req, ev);
+ }
+
+ subreq = dcerpc_wbint_CheckMachineAccount_send(state, ev,
+ dom_child_handle(domain));
+ if (tevent_req_nomem(subreq, req)) {
+ return tevent_req_post(req, ev);
+ }
+ tevent_req_set_callback(subreq, winbindd_check_machine_acct_done, req);
+ return req;
+}
+
+static void winbindd_check_machine_acct_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct winbindd_check_machine_acct_state *state = tevent_req_data(
+ req, struct winbindd_check_machine_acct_state);
+ NTSTATUS status, result;
+
+ status = dcerpc_wbint_CheckMachineAccount_recv(subreq, state, &result);
+ if (any_nt_status_not_ok(status, result, &status)) {
+ tevent_req_nterror(req, status);
+ return;
+ }
+ tevent_req_done(req);
+}
+
+NTSTATUS winbindd_check_machine_acct_recv(struct tevent_req *req,
+ struct winbindd_response *presp)
+{
+ NTSTATUS status = tevent_req_simple_recv_ntstatus(req);
+
+ set_auth_errors(presp, status);
+ return status;
+}
diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
new file mode 100644
index 0000000..e774bf9
--- /dev/null
+++ b/source3/winbindd/winbindd_cm.c
@@ -0,0 +1,3338 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ Winbind daemon connection manager
+
+ Copyright (C) Tim Potter 2001
+ Copyright (C) Andrew Bartlett 2002
+ Copyright (C) Gerald (Jerry) Carter 2003-2005.
+ Copyright (C) Volker Lendecke 2004-2005
+ Copyright (C) Jeremy Allison 2006
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+/*
+ We need to manage connections to domain controllers without having to
+ mess up the main winbindd code with other issues. The aim of the
+ connection manager is to:
+
+ - make connections to domain controllers and cache them
+ - re-establish connections when networks or servers go down
+ - centralise the policy on connection timeouts, domain controller
+ selection etc
+ - manage re-entrancy for when winbindd becomes able to handle
+ multiple outstanding rpc requests
+
+ Why not have connection management as part of the rpc layer like tng?
+ Good question. This code may morph into libsmb/rpc_cache.c or something
+ like that but at the moment it's simply staying as part of winbind. I
+ think the TNG architecture of forcing every user of the rpc layer to use
+ the connection caching system is a bad idea. It should be an optional
+ method of using the routines.
+
+ The TNG design is quite good but I disagree with some aspects of the
+ implementation. -tpot
+
+ */
+
+/*
+ TODO:
+
+ - I'm pretty annoyed by all the make_nmb_name() stuff. It should be
+ moved down into another function.
+
+ - Take care when destroying cli_structs as they can be shared between
+ various sam handles.
+
+ */
+
+#include "includes.h"
+#include "winbindd.h"
+#include "libsmb/namequery.h"
+#include "../libcli/auth/libcli_auth.h"
+#include "../librpc/gen_ndr/ndr_netlogon_c.h"
+#include "rpc_client/cli_pipe.h"
+#include "rpc_client/cli_netlogon.h"
+#include "../librpc/gen_ndr/ndr_samr_c.h"
+#include "../librpc/gen_ndr/ndr_lsa_c.h"
+#include "rpc_client/cli_lsarpc.h"
+#include "../librpc/gen_ndr/ndr_dssetup_c.h"
+#include "libads/sitename_cache.h"
+#include "libsmb/libsmb.h"
+#include "libsmb/clidgram.h"
+#include "ads.h"
+#include "secrets.h"
+#include "../libcli/security/security.h"
+#include "passdb.h"
+#include "messages.h"
+#include "auth/gensec/gensec.h"
+#include "../libcli/smb/smbXcli_base.h"
+#include "libcli/auth/netlogon_creds_cli.h"
+#include "auth.h"
+#include "rpc_server/rpc_ncacn_np.h"
+#include "auth/credentials/credentials.h"
+#include "lib/param/param.h"
+#include "lib/gencache.h"
+#include "lib/util/string_wrappers.h"
+#include "lib/global_contexts.h"
+#include "librpc/gen_ndr/ndr_winbind_c.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_WINBIND
+
+struct dc_name_ip {
+ fstring name;
+ struct sockaddr_storage ss;
+};
+
+extern struct winbindd_methods reconnect_methods;
+
+static NTSTATUS init_dc_connection_network(struct winbindd_domain *domain, bool need_rw_dc);
+static void set_dc_type_and_flags( struct winbindd_domain *domain );
+static bool set_dc_type_and_flags_trustinfo( struct winbindd_domain *domain );
+static bool get_dcs(TALLOC_CTX *mem_ctx, struct winbindd_domain *domain,
+ struct dc_name_ip **dcs, int *num_dcs,
+ uint32_t request_flags);
+
+void winbind_msg_domain_offline(struct messaging_context *msg_ctx,
+ void *private_data,
+ uint32_t msg_type,
+ struct server_id server_id,
+ DATA_BLOB *data)
+{
+ const char *domain_name = (const char *)data->data;
+ struct winbindd_domain *domain;
+
+ domain = find_domain_from_name_noinit(domain_name);
+ if (domain == NULL) {
+ DBG_DEBUG("Domain %s not found!\n", domain_name);
+ return;
+ }
+
+ DBG_DEBUG("Domain %s was %s, change to offline now.\n",
+ domain_name,
+ domain->online ? "online" : "offline");
+
+ domain->online = false;
+}
+
+void winbind_msg_domain_online(struct messaging_context *msg_ctx,
+ void *private_data,
+ uint32_t msg_type,
+ struct server_id server_id,
+ DATA_BLOB *data)
+{
+ const char *domain_name = (const char *)data->data;
+ struct winbindd_domain *domain;
+
+ domain = find_domain_from_name_noinit(domain_name);
+ if (domain == NULL) {
+ return;
+ }
+
+ SMB_ASSERT(wb_child_domain() == NULL);
+
+ DBG_DEBUG("Domain %s was %s, marking as online now!\n",
+ domain_name,
+ domain->online ? "online" : "offline");
+
+ domain->online = true;
+}
+
+/****************************************************************
+ Set domain offline and also add handler to put us back online
+ if we detect a DC.
+****************************************************************/
+
+void set_domain_offline(struct winbindd_domain *domain)
+{
+ pid_t parent_pid = getppid();
+
+ DEBUG(10,("set_domain_offline: called for domain %s\n",
+ domain->name ));
+
+ if (domain->internal) {
+ DEBUG(3,("set_domain_offline: domain %s is internal - logic error.\n",
+ domain->name ));
+ return;
+ }
+
+ domain->online = False;
+
+ /* Offline domains are always initialized. They're
+ re-initialized when they go back online. */
+
+ domain->initialized = True;
+
+ /* Send a message to the parent that the domain is offline. */
+ if (parent_pid > 1 && !domain->internal) {
+ messaging_send_buf(global_messaging_context(),
+ pid_to_procid(parent_pid),
+ MSG_WINBIND_DOMAIN_OFFLINE,
+ (uint8_t *)domain->name,
+ strlen(domain->name) + 1);
+ }
+
+ /* Send an offline message to the idmap child when our
+ primary domain goes offline */
+ if ( domain->primary ) {
+ pid_t idmap_pid = idmap_child_pid();
+
+ if (idmap_pid != 0) {
+ messaging_send_buf(global_messaging_context(),
+ pid_to_procid(idmap_pid),
+ MSG_WINBIND_OFFLINE,
+ (const uint8_t *)domain->name,
+ strlen(domain->name)+1);
+ }
+ }
+
+ return;
+}
+
+/****************************************************************
+ Set domain online - if allowed.
+****************************************************************/
+
+static void set_domain_online(struct winbindd_domain *domain)
+{
+ pid_t parent_pid = getppid();
+
+ DEBUG(10,("set_domain_online: called for domain %s\n",
+ domain->name ));
+
+ if (domain->internal) {
+ DEBUG(3,("set_domain_online: domain %s is internal - logic error.\n",
+ domain->name ));
+ return;
+ }
+
+ if (get_global_winbindd_state_offline()) {
+ DEBUG(10,("set_domain_online: domain %s remaining globally offline\n",
+ domain->name ));
+ return;
+ }
+
+ winbindd_set_locator_kdc_envs(domain);
+
+ /* If we are waiting to get a krb5 ticket, trigger immediately. */
+ ccache_regain_all_now();
+
+ /* Ok, we're out of any startup mode now... */
+ domain->startup = False;
+
+ if (domain->online == False) {
+ /* We were offline - now we're online. We default to
+ using the MS-RPC backend if we started offline,
+ and if we're going online for the first time we
+ should really re-initialize the backends and the
+ checks to see if we're talking to an AD or NT domain.
+ */
+
+ domain->initialized = False;
+
+ /* 'reconnect_methods' is the MS-RPC backend. */
+ if (domain->backend == &reconnect_methods) {
+ domain->backend = NULL;
+ }
+ }
+
+ domain->online = True;
+
+ /* Send a message to the parent that the domain is online. */
+ if (parent_pid > 1 && !domain->internal) {
+ messaging_send_buf(global_messaging_context(),
+ pid_to_procid(parent_pid),
+ MSG_WINBIND_DOMAIN_ONLINE,
+ (uint8_t *)domain->name,
+ strlen(domain->name) + 1);
+ }
+
+ /* Send an online message to the idmap child when our
+ primary domain comes online */
+
+ if ( domain->primary ) {
+ pid_t idmap_pid = idmap_child_pid();
+
+ if (idmap_pid != 0) {
+ messaging_send_buf(global_messaging_context(),
+ pid_to_procid(idmap_pid),
+ MSG_WINBIND_ONLINE,
+ (const uint8_t *)domain->name,
+ strlen(domain->name)+1);
+ }
+ }
+
+ return;
+}
+
+/****************************************************************
+ Requested to set a domain online.
+****************************************************************/
+
+void set_domain_online_request(struct winbindd_domain *domain)
+{
+ NTSTATUS status;
+
+ SMB_ASSERT(wb_child_domain() || idmap_child());
+
+ DEBUG(10,("set_domain_online_request: called for domain %s\n",
+ domain->name ));
+
+ if (get_global_winbindd_state_offline()) {
+ DEBUG(10,("set_domain_online_request: domain %s remaining globally offline\n",
+ domain->name ));
+ return;
+ }
+
+ if (domain->internal) {
+ DEBUG(10, ("set_domain_online_request: Internal domains are "
+ "always online\n"));
+ return;
+ }
+
+ /*
+ * This call takes care of setting the online flag to true if we
+ * connected, or tell the parent to ping us back if false. Bypasses
+ * online check so always does network calls.
+ */
+ status = init_dc_connection_network(domain, true);
+ DBG_DEBUG("init_dc_connection_network(), returned %s, called for "
+ "domain %s (online = %s)\n",
+ nt_errstr(status),
+ domain->name,
+ domain->online ? "true" : "false");
+}
+
+/****************************************************************
+ Add -ve connection cache entries for domain and realm.
+****************************************************************/
+
+static void winbind_add_failed_connection_entry(
+ const struct winbindd_domain *domain,
+ const char *server,
+ NTSTATUS result)
+{
+ add_failed_connection_entry(domain->name, server, result);
+ /* If this was the saf name for the last thing we talked to,
+ remove it. */
+ saf_delete(domain->name);
+ if (domain->alt_name != NULL) {
+ add_failed_connection_entry(domain->alt_name, server, result);
+ saf_delete(domain->alt_name);
+ }
+ winbindd_unset_locator_kdc_env(domain);
+}
+
+/* Choose between anonymous or authenticated connections. We need to use
+ an authenticated connection if DCs have the RestrictAnonymous registry
+ entry set > 0, or the "Additional restrictions for anonymous
+ connections" set in the win2k Local Security Policy.
+
+ Caller to free() result in domain, username, password
+*/
+
+static void cm_get_ipc_userpass(char **username, char **domain, char **password)
+{
+ *username = (char *)secrets_fetch(SECRETS_AUTH_USER, NULL);
+ *domain = (char *)secrets_fetch(SECRETS_AUTH_DOMAIN, NULL);
+ *password = (char *)secrets_fetch(SECRETS_AUTH_PASSWORD, NULL);
+
+ if (*username && **username) {
+
+ if (!*domain || !**domain)
+ *domain = smb_xstrdup(lp_workgroup());
+
+ if (!*password || !**password)
+ *password = smb_xstrdup("");
+
+ DEBUG(3, ("cm_get_ipc_userpass: Retrieved auth-user from secrets.tdb [%s\\%s]\n",
+ *domain, *username));
+
+ } else {
+ DEBUG(3, ("cm_get_ipc_userpass: No auth-user defined\n"));
+ *username = smb_xstrdup("");
+ *domain = smb_xstrdup("");
+ *password = smb_xstrdup("");
+ }
+}
+
+static NTSTATUS cm_get_ipc_credentials(TALLOC_CTX *mem_ctx,
+ struct cli_credentials **_creds)
+{
+
+ TALLOC_CTX *frame = talloc_stackframe();
+ NTSTATUS status = NT_STATUS_INTERNAL_ERROR;
+ struct loadparm_context *lp_ctx;
+ char *username = NULL;
+ char *netbios_domain = NULL;
+ char *password = NULL;
+ struct cli_credentials *creds = NULL;
+ bool ok;
+
+ cm_get_ipc_userpass(&username, &netbios_domain, &password);
+
+ lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers());
+ if (lp_ctx == NULL) {
+ DEBUG(1, ("loadparm_init_s3 failed\n"));
+ status = NT_STATUS_INTERNAL_ERROR;
+ goto fail;
+ }
+
+ creds = cli_credentials_init(mem_ctx);
+ if (creds == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto fail;
+ }
+
+ ok = cli_credentials_set_conf(creds, lp_ctx);
+ if (!ok) {
+ status = NT_STATUS_INTERNAL_ERROR;
+ goto fail;
+ }
+
+ cli_credentials_set_kerberos_state(creds,
+ CRED_USE_KERBEROS_DISABLED,
+ CRED_SPECIFIED);
+
+ ok = cli_credentials_set_domain(creds, netbios_domain, CRED_SPECIFIED);
+ if (!ok) {
+ status = NT_STATUS_NO_MEMORY;
+ goto fail;
+ }
+
+ ok = cli_credentials_set_username(creds, username, CRED_SPECIFIED);
+ if (!ok) {
+ status = NT_STATUS_NO_MEMORY;
+ goto fail;
+ }
+
+ ok = cli_credentials_set_password(creds, password, CRED_SPECIFIED);
+ if (!ok) {
+ status = NT_STATUS_NO_MEMORY;
+ goto fail;
+ }
+
+ *_creds = creds;
+ creds = NULL;
+ status = NT_STATUS_OK;
+ fail:
+ TALLOC_FREE(creds);
+ SAFE_FREE(username);
+ SAFE_FREE(netbios_domain);
+ SAFE_FREE(password);
+ TALLOC_FREE(frame);
+ return status;
+}
+
+static bool cm_is_ipc_credentials(struct cli_credentials *creds)
+{
+ TALLOC_CTX *frame = talloc_stackframe();
+ char *ipc_account = NULL;
+ char *ipc_domain = NULL;
+ char *ipc_password = NULL;
+ const char *creds_account = NULL;
+ const char *creds_domain = NULL;
+ const char *creds_password = NULL;
+ bool ret = false;
+
+ cm_get_ipc_userpass(&ipc_account, &ipc_domain, &ipc_password);
+
+ creds_account = cli_credentials_get_username(creds);
+ creds_domain = cli_credentials_get_domain(creds);
+ creds_password = cli_credentials_get_password(creds);
+
+ if (!strequal(ipc_domain, creds_domain)) {
+ goto done;
+ }
+
+ if (!strequal(ipc_account, creds_account)) {
+ goto done;
+ }
+
+ if (!strcsequal(ipc_password, creds_password)) {
+ goto done;
+ }
+
+ ret = true;
+ done:
+ SAFE_FREE(ipc_account);
+ SAFE_FREE(ipc_domain);
+ SAFE_FREE(ipc_password);
+ TALLOC_FREE(frame);
+ return ret;
+}
+
+static bool get_dc_name_via_netlogon(struct winbindd_domain *domain,
+ fstring dcname,
+ struct sockaddr_storage *dc_ss,
+ uint32_t request_flags)
+{
+ struct winbindd_domain *our_domain = NULL;
+ struct rpc_pipe_client *netlogon_pipe = NULL;
+ NTSTATUS result;
+ WERROR werr;
+ TALLOC_CTX *mem_ctx;
+ unsigned int orig_timeout;
+ const char *tmp = NULL;
+ const char *p;
+ struct dcerpc_binding_handle *b;
+
+ /* Hmmmm. We can only open one connection to the NETLOGON pipe at the
+ * moment.... */
+
+ if (IS_DC) {
+ return False;
+ }
+
+ if (domain->primary) {
+ return False;
+ }
+
+ our_domain = find_our_domain();
+
+ if ((mem_ctx = talloc_init("get_dc_name_via_netlogon")) == NULL) {
+ return False;
+ }
+
+ result = cm_connect_netlogon(our_domain, &netlogon_pipe);
+ if (!NT_STATUS_IS_OK(result)) {
+ talloc_destroy(mem_ctx);
+ return False;
+ }
+
+ b = netlogon_pipe->binding_handle;
+
+ /* This call can take a long time - allow the server to time out.
+ 35 seconds should do it. */
+
+ orig_timeout = rpccli_set_timeout(netlogon_pipe, 35000);
+
+ if (our_domain->active_directory) {
+ struct netr_DsRGetDCNameInfo *domain_info = NULL;
+
+ /*
+ * TODO request flags are not respected in the server
+ * (and in some cases, like REQUIRE_PDC, causes an error)
+ */
+ result = dcerpc_netr_DsRGetDCName(b,
+ mem_ctx,
+ our_domain->dcname,
+ domain->name,
+ NULL,
+ NULL,
+ request_flags|DS_RETURN_DNS_NAME,
+ &domain_info,
+ &werr);
+ if (NT_STATUS_IS_OK(result) && W_ERROR_IS_OK(werr)) {
+ tmp = talloc_strdup(
+ mem_ctx, domain_info->dc_unc);
+ if (tmp == NULL) {
+ DEBUG(0, ("talloc_strdup failed\n"));
+ talloc_destroy(mem_ctx);
+ return false;
+ }
+ if (domain->alt_name == NULL) {
+ domain->alt_name = talloc_strdup(domain,
+ domain_info->domain_name);
+ if (domain->alt_name == NULL) {
+ DEBUG(0, ("talloc_strdup failed\n"));
+ talloc_destroy(mem_ctx);
+ return false;
+ }
+ }
+ if (domain->forest_name == NULL) {
+ domain->forest_name = talloc_strdup(domain,
+ domain_info->forest_name);
+ if (domain->forest_name == NULL) {
+ DEBUG(0, ("talloc_strdup failed\n"));
+ talloc_destroy(mem_ctx);
+ return false;
+ }
+ }
+ }
+ } else {
+ result = dcerpc_netr_GetAnyDCName(b, mem_ctx,
+ our_domain->dcname,
+ domain->name,
+ &tmp,
+ &werr);
+ }
+
+ /* And restore our original timeout. */
+ rpccli_set_timeout(netlogon_pipe, orig_timeout);
+
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(10,("dcerpc_netr_GetAnyDCName failed: %s\n",
+ nt_errstr(result)));
+ talloc_destroy(mem_ctx);
+ return false;
+ }
+
+ if (!W_ERROR_IS_OK(werr)) {
+ DEBUG(10,("dcerpc_netr_GetAnyDCName failed: %s\n",
+ win_errstr(werr)));
+ talloc_destroy(mem_ctx);
+ return false;
+ }
+
+ /* dcerpc_netr_GetAnyDCName gives us a name with \\ */
+ p = strip_hostname(tmp);
+
+ fstrcpy(dcname, p);
+
+ talloc_destroy(mem_ctx);
+
+ DEBUG(10,("dcerpc_netr_GetAnyDCName returned %s\n", dcname));
+
+ if (!resolve_name(dcname, dc_ss, 0x20, true)) {
+ return False;
+ }
+
+ return True;
+}
+
+/**
+ * Helper function to assemble trust password and account name
+ */
+static NTSTATUS get_trust_credentials(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ bool netlogon,
+ struct cli_credentials **_creds)
+{
+ const struct winbindd_domain *creds_domain = NULL;
+ struct cli_credentials *creds;
+ NTSTATUS status;
+ bool force_machine_account = false;
+
+ /* If we are a DC and this is not our own domain */
+
+ if (!domain->active_directory) {
+ if (!netlogon) {
+ /*
+ * For non active directory domains
+ * we can only use NTLMSSP for SMB.
+ *
+ * But the trust account is not allowed
+ * to use SMB with NTLMSSP.
+ */
+ force_machine_account = true;
+ }
+ }
+
+ if (IS_DC && !force_machine_account) {
+ creds_domain = domain;
+ } else {
+ creds_domain = find_our_domain();
+ if (creds_domain == NULL) {
+ return NT_STATUS_INVALID_SERVER_STATE;
+ }
+ }
+
+ status = pdb_get_trust_credentials(creds_domain->name,
+ creds_domain->alt_name,
+ mem_ctx,
+ &creds);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto ipc_fallback;
+ }
+
+ if (creds_domain != domain) {
+ /*
+ * We can only use schannel against a direct trust
+ */
+ cli_credentials_set_secure_channel_type(creds,
+ SEC_CHAN_NULL);
+ }
+
+ *_creds = creds;
+ return NT_STATUS_OK;
+
+ ipc_fallback:
+ if (netlogon) {
+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+ }
+
+ status = cm_get_ipc_credentials(mem_ctx, &creds);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ *_creds = creds;
+ return NT_STATUS_OK;
+}
+
+/************************************************************************
+ Given a fd with a just-connected TCP connection to a DC, open a connection
+ to the pipe.
+************************************************************************/
+
+static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain,
+ const int sockfd,
+ const char *controller,
+ struct cli_state **cli,
+ bool *retry)
+{
+ bool try_ipc_auth = false;
+ const char *machine_principal = NULL;
+ const char *machine_realm = NULL;
+ const char *machine_account = NULL;
+ const char *machine_domain = NULL;
+ int flags = 0;
+ struct cli_credentials *creds = NULL;
+
+ struct named_mutex *mutex;
+
+ NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
+ NTSTATUS tmp_status;
+ NTSTATUS tcon_status = NT_STATUS_NETWORK_NAME_DELETED;
+
+ enum smb_signing_setting smb_sign_client_connections = lp_client_ipc_signing();
+
+ if (IS_AD_DC) {
+ if (domain->secure_channel_type == SEC_CHAN_NULL) {
+ /*
+ * Make sure we don't even try to
+ * connect to a foreign domain
+ * without a direct outbound trust.
+ */
+ return NT_STATUS_NO_TRUST_LSA_SECRET;
+ }
+
+ /*
+ * As AD DC we only use netlogon and lsa
+ * using schannel over an anonymous transport
+ * (ncacn_ip_tcp or ncacn_np).
+ *
+ * Currently we always establish the SMB connection,
+ * even if we don't use it, because we later use ncacn_ip_tcp.
+ *
+ * As we won't use the SMB connection there's no
+ * need to try kerberos. And NT4 domains expect
+ * an anonymous IPC$ connection anyway.
+ */
+ smb_sign_client_connections = SMB_SIGNING_OFF;
+ }
+
+ if (smb_sign_client_connections == SMB_SIGNING_DEFAULT) {
+ /*
+ * If we are connecting to our own AD domain, require
+ * smb signing to disrupt MITM attacks
+ */
+ if (domain->primary && lp_security() == SEC_ADS) {
+ smb_sign_client_connections = SMB_SIGNING_REQUIRED;
+ /*
+ * If we are in or are an AD domain and connecting to another
+ * AD domain in our forest
+ * then require smb signing to disrupt MITM attacks
+ */
+ } else if ((lp_security() == SEC_ADS)
+ && domain->active_directory
+ && (domain->domain_trust_attribs
+ & LSA_TRUST_ATTRIBUTE_WITHIN_FOREST)) {
+ smb_sign_client_connections = SMB_SIGNING_REQUIRED;
+ }
+ }
+
+ DEBUG(10,("cm_prepare_connection: connecting to DC %s for domain %s\n",
+ controller, domain->name ));
+
+ *retry = True;
+
+ mutex = grab_named_mutex(talloc_tos(), controller,
+ WINBIND_SERVER_MUTEX_WAIT_TIME);
+ if (mutex == NULL) {
+ close(sockfd);
+ DEBUG(0,("cm_prepare_connection: mutex grab failed for %s\n",
+ controller));
+ result = NT_STATUS_POSSIBLE_DEADLOCK;
+ goto done;
+ }
+
+ *cli = cli_state_create(NULL, sockfd, controller,
+ smb_sign_client_connections, flags);
+ if (*cli == NULL) {
+ close(sockfd);
+ DEBUG(1, ("Could not cli_initialize\n"));
+ result = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
+
+ cli_set_timeout(*cli, 10000); /* 10 seconds */
+
+ set_socket_options(sockfd, lp_socket_options());
+
+ result = smbXcli_negprot((*cli)->conn, (*cli)->timeout,
+ lp_client_ipc_min_protocol(),
+ lp_client_ipc_max_protocol());
+
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(1, ("cli_negprot failed: %s\n", nt_errstr(result)));
+ goto done;
+ }
+
+ if (smbXcli_conn_protocol((*cli)->conn) >= PROTOCOL_NT1 &&
+ smb1cli_conn_capabilities((*cli)->conn) & CAP_EXTENDED_SECURITY) {
+ try_ipc_auth = true;
+ } else if (smbXcli_conn_protocol((*cli)->conn) >= PROTOCOL_SMB2_02) {
+ try_ipc_auth = true;
+ } else if (smb_sign_client_connections == SMB_SIGNING_REQUIRED) {
+ /*
+ * If we are forcing on SMB signing, then we must
+ * require authentication unless this is a one-way
+ * trust, and we have no stored user/password
+ */
+ try_ipc_auth = true;
+ }
+
+ if (IS_AD_DC) {
+ /*
+ * As AD DC we only use netlogon and lsa
+ * using schannel over an anonymous transport
+ * (ncacn_ip_tcp or ncacn_np).
+ *
+ * Currently we always establish the SMB connection,
+ * even if we don't use it, because we later use ncacn_ip_tcp.
+ *
+ * As we won't use the SMB connection there's no
+ * need to try kerberos. And NT4 domains expect
+ * an anonymous IPC$ connection anyway.
+ */
+ try_ipc_auth = false;
+ }
+
+ if (try_ipc_auth) {
+ result = get_trust_credentials(domain, talloc_tos(), false, &creds);
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(1, ("get_trust_credentials(%s) failed: %s\n",
+ domain->name, nt_errstr(result)));
+ goto done;
+ }
+ } else {
+ /*
+ * Without SPNEGO or NTLMSSP (perhaps via SMB2) we
+ * would try and authentication with our machine
+ * account password and fail. This is very rare in
+ * the modern world however
+ */
+ creds = cli_credentials_init_anon(talloc_tos());
+ if (creds == NULL) {
+ result = NT_STATUS_NO_MEMORY;
+ DEBUG(1, ("cli_credentials_init_anon(%s) failed: %s\n",
+ domain->name, nt_errstr(result)));
+ goto done;
+ }
+ }
+
+ machine_principal = cli_credentials_get_principal(creds,
+ talloc_tos());
+ machine_realm = cli_credentials_get_realm(creds);
+ machine_account = cli_credentials_get_username(creds);
+ machine_domain = cli_credentials_get_domain(creds);
+
+ DEBUG(5, ("connecting to %s (%s, %s) with account [%s\\%s] principal "
+ "[%s] and realm [%s]\n",
+ controller, domain->name, domain->alt_name,
+ machine_domain, machine_account,
+ machine_principal, machine_realm));
+
+ if (cli_credentials_is_anonymous(creds)) {
+ goto anon_fallback;
+ }
+
+ winbindd_set_locator_kdc_envs(domain);
+
+ result = cli_session_setup_creds(*cli, creds);
+ if (NT_STATUS_IS_OK(result)) {
+ goto session_setup_done;
+ }
+
+ DEBUG(1, ("authenticated session setup to %s using %s failed with %s\n",
+ controller,
+ cli_credentials_get_unparsed_name(creds, talloc_tos()),
+ nt_errstr(result)));
+
+ /*
+ * If we are not going to validate the connection
+ * with SMB signing, then allow us to fall back to
+ * anonymous
+ */
+ if (NT_STATUS_EQUAL(result, NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT)
+ || NT_STATUS_EQUAL(result, NT_STATUS_TRUSTED_DOMAIN_FAILURE)
+ || NT_STATUS_EQUAL(result, NT_STATUS_INVALID_ACCOUNT_NAME)
+ || NT_STATUS_EQUAL(result, NT_STATUS_INVALID_COMPUTER_NAME)
+ || NT_STATUS_EQUAL(result, NT_STATUS_NO_SUCH_DOMAIN)
+ || NT_STATUS_EQUAL(result, NT_STATUS_NO_LOGON_SERVERS)
+ || NT_STATUS_EQUAL(result, NT_STATUS_LOGON_FAILURE))
+ {
+ if (!cm_is_ipc_credentials(creds)) {
+ goto ipc_fallback;
+ }
+
+ if (smb_sign_client_connections == SMB_SIGNING_REQUIRED) {
+ goto done;
+ }
+
+ goto anon_fallback;
+ }
+
+ goto done;
+
+ ipc_fallback:
+ TALLOC_FREE(creds);
+ tmp_status = cm_get_ipc_credentials(talloc_tos(), &creds);
+ if (!NT_STATUS_IS_OK(tmp_status)) {
+ result = tmp_status;
+ goto done;
+ }
+
+ if (cli_credentials_is_anonymous(creds)) {
+ goto anon_fallback;
+ }
+
+ machine_account = cli_credentials_get_username(creds);
+ machine_domain = cli_credentials_get_domain(creds);
+
+ DEBUG(5, ("connecting to %s from %s using NTLMSSP with username "
+ "[%s]\\[%s]\n", controller, lp_netbios_name(),
+ machine_domain, machine_account));
+
+ result = cli_session_setup_creds(*cli, creds);
+ if (NT_STATUS_IS_OK(result)) {
+ goto session_setup_done;
+ }
+
+ DEBUG(1, ("authenticated session setup to %s using %s failed with %s\n",
+ controller,
+ cli_credentials_get_unparsed_name(creds, talloc_tos()),
+ nt_errstr(result)));
+
+ /*
+ * If we are not going to validate the connection
+ * with SMB signing, then allow us to fall back to
+ * anonymous
+ */
+ if (NT_STATUS_EQUAL(result, NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT)
+ || NT_STATUS_EQUAL(result, NT_STATUS_TRUSTED_DOMAIN_FAILURE)
+ || NT_STATUS_EQUAL(result, NT_STATUS_INVALID_ACCOUNT_NAME)
+ || NT_STATUS_EQUAL(result, NT_STATUS_INVALID_COMPUTER_NAME)
+ || NT_STATUS_EQUAL(result, NT_STATUS_NO_SUCH_DOMAIN)
+ || NT_STATUS_EQUAL(result, NT_STATUS_NO_LOGON_SERVERS)
+ || NT_STATUS_EQUAL(result, NT_STATUS_LOGON_FAILURE))
+ {
+ goto anon_fallback;
+ }
+
+ goto done;
+
+ anon_fallback:
+ TALLOC_FREE(creds);
+
+ if (smb_sign_client_connections == SMB_SIGNING_REQUIRED) {
+ goto done;
+ }
+
+ /* Fall back to anonymous connection, this might fail later */
+ DEBUG(5,("cm_prepare_connection: falling back to anonymous "
+ "connection for DC %s\n",
+ controller ));
+
+ result = cli_session_setup_anon(*cli);
+ if (NT_STATUS_IS_OK(result)) {
+ DEBUG(5, ("Connected anonymously\n"));
+ goto session_setup_done;
+ }
+
+ DEBUG(1, ("anonymous session setup to %s failed with %s\n",
+ controller, nt_errstr(result)));
+
+ /* We can't session setup */
+ goto done;
+
+ session_setup_done:
+ TALLOC_FREE(creds);
+
+ /*
+ * This should be a short term hack until
+ * dynamic re-authentication is implemented.
+ *
+ * See Bug 9175 - winbindd doesn't recover from
+ * NT_STATUS_NETWORK_SESSION_EXPIRED
+ */
+ if (smbXcli_conn_protocol((*cli)->conn) >= PROTOCOL_SMB2_02) {
+ smbXcli_session_set_disconnect_expired((*cli)->smb2.session);
+ }
+
+ result = cli_tree_connect(*cli, "IPC$", "IPC", NULL);
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(1,("failed tcon_X with %s\n", nt_errstr(result)));
+ goto done;
+ }
+ tcon_status = result;
+
+ /* cache the server name for later connections */
+
+ saf_store(domain->name, controller);
+ if (domain->alt_name) {
+ saf_store(domain->alt_name, controller);
+ }
+
+ winbindd_set_locator_kdc_envs(domain);
+
+ TALLOC_FREE(mutex);
+ *retry = False;
+
+ result = NT_STATUS_OK;
+
+ done:
+ TALLOC_FREE(mutex);
+ TALLOC_FREE(creds);
+
+ if (NT_STATUS_IS_OK(result)) {
+ result = tcon_status;
+ }
+
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(1, ("Failed to prepare SMB connection to %s: %s\n",
+ controller, nt_errstr(result)));
+ winbind_add_failed_connection_entry(domain, controller, result);
+ if ((*cli) != NULL) {
+ cli_shutdown(*cli);
+ *cli = NULL;
+ }
+ }
+
+ return result;
+}
+
+/*******************************************************************
+ Add a dcname and sockaddr_storage pair to the end of a dc_name_ip
+ array.
+
+ Keeps the list unique by not adding duplicate entries.
+
+ @param[in] mem_ctx talloc memory context to allocate from
+ @param[in] domain_name domain of the DC
+ @param[in] dcname name of the DC to add to the list
+ @param[in] pss Internet address and port pair to add to the list
+ @param[in,out] dcs array of dc_name_ip structures to add to
+ @param[in,out] num_dcs number of dcs returned in the dcs array
+ @return true if the list was added to, false otherwise
+*******************************************************************/
+
+static bool add_one_dc_unique(TALLOC_CTX *mem_ctx, const char *domain_name,
+ const char *dcname, struct sockaddr_storage *pss,
+ struct dc_name_ip **dcs, int *num)
+{
+ int i = 0;
+
+ if (!NT_STATUS_IS_OK(check_negative_conn_cache(domain_name, dcname))) {
+ DEBUG(10, ("DC %s was in the negative conn cache\n", dcname));
+ return False;
+ }
+
+ /* Make sure there's no duplicates in the list */
+ for (i=0; i<*num; i++)
+ if (sockaddr_equal(
+ (struct sockaddr *)(void *)&(*dcs)[i].ss,
+ (struct sockaddr *)(void *)pss))
+ return False;
+
+ *dcs = talloc_realloc(mem_ctx, *dcs, struct dc_name_ip, (*num)+1);
+
+ if (*dcs == NULL)
+ return False;
+
+ fstrcpy((*dcs)[*num].name, dcname);
+ (*dcs)[*num].ss = *pss;
+ *num += 1;
+ return True;
+}
+
+static bool add_sockaddr_to_array(TALLOC_CTX *mem_ctx,
+ struct sockaddr_storage *pss, uint16_t port,
+ struct sockaddr_storage **addrs, int *num)
+{
+ *addrs = talloc_realloc(mem_ctx, *addrs, struct sockaddr_storage, (*num)+1);
+
+ if (*addrs == NULL) {
+ *num = 0;
+ return False;
+ }
+
+ (*addrs)[*num] = *pss;
+ set_sockaddr_port((struct sockaddr *)&(*addrs)[*num], port);
+
+ *num += 1;
+ return True;
+}
+
+#ifdef HAVE_ADS
+static bool dcip_check_name_ads(const struct winbindd_domain *domain,
+ struct samba_sockaddr *sa,
+ uint32_t request_flags,
+ TALLOC_CTX *mem_ctx,
+ char **namep)
+{
+ TALLOC_CTX *tmp_ctx = talloc_stackframe();
+ char *name = NULL;
+ ADS_STRUCT *ads = NULL;
+ ADS_STATUS ads_status;
+ char addr[INET6_ADDRSTRLEN];
+
+ print_sockaddr(addr, sizeof(addr), &sa->u.ss);
+
+ ads = ads_init(tmp_ctx,
+ domain->alt_name,
+ domain->name,
+ addr,
+ ADS_SASL_PLAIN);
+ if (ads == NULL) {
+ ads_status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
+ goto out;
+ }
+ ads->auth.flags |= ADS_AUTH_NO_BIND;
+ ads->config.flags |= request_flags;
+ ads->server.no_fallback = true;
+
+ ads_status = ads_connect(ads);
+ if (!ADS_ERR_OK(ads_status)) {
+ goto out;
+ }
+
+ /* We got a cldap packet. */
+ name = talloc_strdup(tmp_ctx, ads->config.ldap_server_name);
+ if (name == NULL) {
+ ads_status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
+ goto out;
+ }
+ namecache_store(name, 0x20, 1, sa);
+
+ DBG_DEBUG("CLDAP flags = 0x%"PRIx32"\n", ads->config.flags);
+
+ if (domain->primary && (ads->config.flags & NBT_SERVER_KDC)) {
+ if (ads_closest_dc(ads)) {
+ char *sitename = sitename_fetch(tmp_ctx,
+ ads->config.realm);
+
+ /* We're going to use this KDC for this realm/domain.
+ If we are using sites, then force the krb5 libs
+ to use this KDC. */
+
+ create_local_private_krb5_conf_for_domain(domain->alt_name,
+ domain->name,
+ sitename,
+ &sa->u.ss);
+
+ TALLOC_FREE(sitename);
+ } else {
+ /* use an off site KDC */
+ create_local_private_krb5_conf_for_domain(domain->alt_name,
+ domain->name,
+ NULL,
+ &sa->u.ss);
+ }
+ winbindd_set_locator_kdc_envs(domain);
+
+ /* Ensure we contact this DC also. */
+ saf_store(domain->name, name);
+ saf_store(domain->alt_name, name);
+ }
+
+ *namep = talloc_move(mem_ctx, &name);
+
+out:
+ TALLOC_FREE(tmp_ctx);
+
+ return ADS_ERR_OK(ads_status) ? true : false;
+}
+#endif
+
+/*******************************************************************
+ convert an ip to a name
+ For an AD Domain, it checks the requirements of the request flags.
+*******************************************************************/
+
+static bool dcip_check_name(TALLOC_CTX *mem_ctx,
+ const struct winbindd_domain *domain,
+ struct sockaddr_storage *pss,
+ char **name, uint32_t request_flags)
+{
+ struct samba_sockaddr sa = {0};
+ uint32_t nt_version = NETLOGON_NT_VERSION_1;
+ NTSTATUS status;
+ const char *dc_name;
+ fstring nbtname;
+#ifdef HAVE_ADS
+ bool is_ad_domain = false;
+#endif
+ bool ok = sockaddr_storage_to_samba_sockaddr(&sa, pss);
+ if (!ok) {
+ return false;
+ }
+
+#ifdef HAVE_ADS
+ /* For active directory servers, try to get the ldap server name.
+ None of these failures should be considered critical for now */
+
+ if ((lp_security() == SEC_ADS) && (domain->alt_name != NULL)) {
+ is_ad_domain = true;
+ } else if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC) {
+ is_ad_domain = domain->active_directory;
+ }
+
+ if (is_ad_domain) {
+ return dcip_check_name_ads(domain,
+ &sa,
+ request_flags,
+ mem_ctx,
+ name);
+ }
+#endif
+
+ {
+ size_t len = strlen(lp_netbios_name());
+ char my_acct_name[len+2];
+
+ snprintf(my_acct_name,
+ sizeof(my_acct_name),
+ "%s$",
+ lp_netbios_name());
+
+ status = nbt_getdc(global_messaging_context(), 10, &sa.u.ss,
+ domain->name, &domain->sid,
+ my_acct_name, ACB_WSTRUST,
+ nt_version, mem_ctx, &nt_version,
+ &dc_name, NULL);
+ }
+ if (NT_STATUS_IS_OK(status)) {
+ *name = talloc_strdup(mem_ctx, dc_name);
+ if (*name == NULL) {
+ return false;
+ }
+ namecache_store(*name, 0x20, 1, &sa);
+ return True;
+ }
+
+ /* try node status request */
+
+ if (name_status_find(domain->name, 0x1c, 0x20, &sa.u.ss, nbtname) ) {
+ namecache_store(nbtname, 0x20, 1, &sa);
+
+ if (name != NULL) {
+ *name = talloc_strdup(mem_ctx, nbtname);
+ if (*name == NULL) {
+ return false;
+ }
+ }
+
+ return true;
+ }
+ return False;
+}
+
+/*******************************************************************
+ Retrieve a list of IP addresses for domain controllers.
+
+ The array is sorted in the preferred connection order.
+
+ @param[in] mem_ctx talloc memory context to allocate from
+ @param[in] domain domain to retrieve DCs for
+ @param[out] dcs array of dcs that will be returned
+ @param[out] num_dcs number of dcs returned in the dcs array
+ @return always true
+*******************************************************************/
+
+static bool get_dcs(TALLOC_CTX *mem_ctx, struct winbindd_domain *domain,
+ struct dc_name_ip **dcs, int *num_dcs,
+ uint32_t request_flags)
+{
+ fstring dcname;
+ struct sockaddr_storage ss;
+ struct samba_sockaddr *sa_list = NULL;
+ size_t salist_size = 0;
+ size_t i;
+ bool is_our_domain;
+ enum security_types sec = (enum security_types)lp_security();
+
+ is_our_domain = strequal(domain->name, lp_workgroup());
+
+ /* If not our domain, get the preferred DC, by asking our primary DC */
+ if ( !is_our_domain
+ && get_dc_name_via_netlogon(domain, dcname, &ss, request_flags)
+ && add_one_dc_unique(mem_ctx, domain->name, dcname, &ss, dcs,
+ num_dcs) )
+ {
+ char addr[INET6_ADDRSTRLEN];
+ print_sockaddr(addr, sizeof(addr), &ss);
+ DEBUG(10, ("Retrieved DC %s at %s via netlogon\n",
+ dcname, addr));
+ return True;
+ }
+
+ if ((sec == SEC_ADS) && (domain->alt_name != NULL)) {
+ char *sitename = NULL;
+
+ /* We need to make sure we know the local site before
+ doing any DNS queries, as this will restrict the
+ get_sorted_dc_list() call below to only fetching
+ DNS records for the correct site. */
+
+ /* Find any DC to get the site record.
+ We deliberately don't care about the
+ return here. */
+
+ get_dc_name(domain->name, domain->alt_name, dcname, &ss);
+
+ sitename = sitename_fetch(mem_ctx, domain->alt_name);
+ if (sitename) {
+
+ /* Do the site-specific AD dns lookup first. */
+ (void)get_sorted_dc_list(mem_ctx,
+ domain->alt_name,
+ sitename,
+ &sa_list,
+ &salist_size,
+ true);
+
+ /* Add ips to the DC array. We don't look up the name
+ of the DC in this function, but we fill in the char*
+ of the ip now to make the failed connection cache
+ work */
+ for ( i=0; i<salist_size; i++ ) {
+ char addr[INET6_ADDRSTRLEN];
+ print_sockaddr(addr, sizeof(addr),
+ &sa_list[i].u.ss);
+ add_one_dc_unique(mem_ctx,
+ domain->name,
+ addr,
+ &sa_list[i].u.ss,
+ dcs,
+ num_dcs);
+ }
+
+ TALLOC_FREE(sa_list);
+ TALLOC_FREE(sitename);
+ salist_size = 0;
+ }
+
+ /* Now we add DCs from the main AD DNS lookup. */
+ (void)get_sorted_dc_list(mem_ctx,
+ domain->alt_name,
+ NULL,
+ &sa_list,
+ &salist_size,
+ true);
+
+ for ( i=0; i<salist_size; i++ ) {
+ char addr[INET6_ADDRSTRLEN];
+ print_sockaddr(addr, sizeof(addr),
+ &sa_list[i].u.ss);
+ add_one_dc_unique(mem_ctx,
+ domain->name,
+ addr,
+ &sa_list[i].u.ss,
+ dcs,
+ num_dcs);
+ }
+
+ TALLOC_FREE(sa_list);
+ salist_size = 0;
+ }
+
+ /* Try standard netbios queries if no ADS and fall back to DNS queries
+ * if alt_name is available */
+ if (*num_dcs == 0) {
+ (void)get_sorted_dc_list(mem_ctx,
+ domain->name,
+ NULL,
+ &sa_list,
+ &salist_size,
+ false);
+ if (salist_size == 0) {
+ if (domain->alt_name != NULL) {
+ (void)get_sorted_dc_list(mem_ctx,
+ domain->alt_name,
+ NULL,
+ &sa_list,
+ &salist_size,
+ true);
+ }
+ }
+
+ for ( i=0; i<salist_size; i++ ) {
+ char addr[INET6_ADDRSTRLEN];
+ print_sockaddr(addr, sizeof(addr),
+ &sa_list[i].u.ss);
+ add_one_dc_unique(mem_ctx,
+ domain->name,
+ addr,
+ &sa_list[i].u.ss,
+ dcs,
+ num_dcs);
+ }
+
+ TALLOC_FREE(sa_list);
+ salist_size = 0;
+ }
+
+ return True;
+}
+
+/*******************************************************************
+ Find and make a connection to a DC in the given domain.
+
+ @param[in] mem_ctx talloc memory context to allocate from
+ @param[in] domain domain to find a dc in
+ @param[out] dcname NetBIOS or FQDN of DC that's connected to
+ @param[out] pss DC Internet address and port
+ @param[out] fd fd of the open socket connected to the newly found dc
+ @return true when a DC connection is made, false otherwise
+*******************************************************************/
+
+static bool find_new_dc(TALLOC_CTX *mem_ctx,
+ struct winbindd_domain *domain,
+ char **dcname, struct sockaddr_storage *pss, int *fd,
+ uint32_t request_flags)
+{
+ struct dc_name_ip *dcs = NULL;
+ int num_dcs = 0;
+
+ const char **dcnames = NULL;
+ size_t num_dcnames = 0;
+
+ struct sockaddr_storage *addrs = NULL;
+ int num_addrs = 0;
+
+ int i;
+ size_t fd_index;
+
+ NTSTATUS status;
+
+ *fd = -1;
+
+ again:
+ if (!get_dcs(mem_ctx, domain, &dcs, &num_dcs, request_flags) || (num_dcs == 0))
+ return False;
+
+ for (i=0; i<num_dcs; i++) {
+
+ if (!add_string_to_array(mem_ctx, dcs[i].name,
+ &dcnames, &num_dcnames)) {
+ return False;
+ }
+ if (!add_sockaddr_to_array(mem_ctx, &dcs[i].ss, TCP_SMB_PORT,
+ &addrs, &num_addrs)) {
+ return False;
+ }
+ }
+
+ if ((num_dcnames == 0) || (num_dcnames != num_addrs))
+ return False;
+
+ if ((addrs == NULL) || (dcnames == NULL))
+ return False;
+
+ status = smbsock_any_connect(addrs, dcnames, NULL, NULL, NULL,
+ num_addrs, 0, 10, fd, &fd_index, NULL);
+ if (!NT_STATUS_IS_OK(status)) {
+ for (i=0; i<num_dcs; i++) {
+ char ab[INET6_ADDRSTRLEN];
+ print_sockaddr(ab, sizeof(ab), &dcs[i].ss);
+ DEBUG(10, ("find_new_dc: smbsock_any_connect failed for "
+ "domain %s address %s. Error was %s\n",
+ domain->name, ab, nt_errstr(status) ));
+ winbind_add_failed_connection_entry(domain,
+ dcs[i].name, NT_STATUS_UNSUCCESSFUL);
+ }
+ return False;
+ }
+
+ *pss = addrs[fd_index];
+
+ if (*dcnames[fd_index] != '\0' && !is_ipaddress(dcnames[fd_index])) {
+ /* Ok, we've got a name for the DC */
+ *dcname = talloc_strdup(mem_ctx, dcnames[fd_index]);
+ if (*dcname == NULL) {
+ return false;
+ }
+ return true;
+ }
+
+ /* Try to figure out the name */
+ if (dcip_check_name(mem_ctx, domain, pss, dcname, request_flags)) {
+ return True;
+ }
+
+ /* We can not continue without the DC's name */
+ winbind_add_failed_connection_entry(domain, dcs[fd_index].name,
+ NT_STATUS_UNSUCCESSFUL);
+
+ /* Throw away all arrays as we're doing this again. */
+ TALLOC_FREE(dcs);
+ num_dcs = 0;
+
+ TALLOC_FREE(dcnames);
+ num_dcnames = 0;
+
+ TALLOC_FREE(addrs);
+ num_addrs = 0;
+
+ if (*fd != -1) {
+ close(*fd);
+ *fd = -1;
+ }
+
+ goto again;
+}
+
+static char *current_dc_key(TALLOC_CTX *mem_ctx, const char *domain_name)
+{
+ return talloc_asprintf_strupper_m(mem_ctx, "CURRENT_DCNAME/%s",
+ domain_name);
+}
+
+static void store_current_dc_in_gencache(const char *domain_name,
+ const char *dc_name,
+ struct cli_state *cli)
+{
+ char addr[INET6_ADDRSTRLEN];
+ char *key = NULL;
+ char *value = NULL;
+
+ if (!cli_state_is_connected(cli)) {
+ return;
+ }
+
+ print_sockaddr(addr, sizeof(addr),
+ smbXcli_conn_remote_sockaddr(cli->conn));
+
+ key = current_dc_key(talloc_tos(), domain_name);
+ if (key == NULL) {
+ goto done;
+ }
+
+ value = talloc_asprintf(talloc_tos(), "%s %s", addr, dc_name);
+ if (value == NULL) {
+ goto done;
+ }
+
+ gencache_set(key, value, 0x7fffffff);
+done:
+ TALLOC_FREE(value);
+ TALLOC_FREE(key);
+}
+
+bool fetch_current_dc_from_gencache(TALLOC_CTX *mem_ctx,
+ const char *domain_name,
+ char **p_dc_name, char **p_dc_ip)
+{
+ char *key, *p;
+ char *value = NULL;
+ bool ret = false;
+ char *dc_name = NULL;
+ char *dc_ip = NULL;
+
+ key = current_dc_key(talloc_tos(), domain_name);
+ if (key == NULL) {
+ goto done;
+ }
+ if (!gencache_get(key, mem_ctx, &value, NULL)) {
+ goto done;
+ }
+ p = strchr(value, ' ');
+ if (p == NULL) {
+ goto done;
+ }
+ dc_ip = talloc_strndup(mem_ctx, value, p - value);
+ if (dc_ip == NULL) {
+ goto done;
+ }
+ dc_name = talloc_strdup(mem_ctx, p+1);
+ if (dc_name == NULL) {
+ goto done;
+ }
+
+ if (p_dc_ip != NULL) {
+ *p_dc_ip = dc_ip;
+ dc_ip = NULL;
+ }
+ if (p_dc_name != NULL) {
+ *p_dc_name = dc_name;
+ dc_name = NULL;
+ }
+ ret = true;
+done:
+ TALLOC_FREE(dc_name);
+ TALLOC_FREE(dc_ip);
+ TALLOC_FREE(key);
+ TALLOC_FREE(value);
+ return ret;
+}
+
+NTSTATUS wb_open_internal_pipe(TALLOC_CTX *mem_ctx,
+ const struct ndr_interface_table *table,
+ struct rpc_pipe_client **ret_pipe)
+{
+ struct rpc_pipe_client *cli = NULL;
+ const struct auth_session_info *session_info = NULL;
+ NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
+
+
+ session_info = get_session_info_system();
+ SMB_ASSERT(session_info != NULL);
+
+ status = rpc_pipe_open_local_np(
+ mem_ctx, table, NULL, NULL, NULL, NULL, session_info, &cli);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ if (ret_pipe) {
+ *ret_pipe = cli;
+ }
+
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS cm_open_connection(struct winbindd_domain *domain,
+ struct winbindd_cm_conn *new_conn,
+ bool need_rw_dc)
+{
+ TALLOC_CTX *mem_ctx;
+ NTSTATUS result;
+ char *saf_servername;
+ int retries;
+ uint32_t request_flags = need_rw_dc ? DS_WRITABLE_REQUIRED : 0;
+
+ if ((mem_ctx = talloc_init("cm_open_connection")) == NULL) {
+ set_domain_offline(domain);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ saf_servername = saf_fetch(mem_ctx, domain->name );
+
+ /* we have to check the server affinity cache here since
+ later we select a DC based on response time and not preference */
+
+ /* Check the negative connection cache
+ before talking to it. It going down may have
+ triggered the reconnection. */
+
+ if (saf_servername && NT_STATUS_IS_OK(check_negative_conn_cache(domain->name, saf_servername))) {
+ struct sockaddr_storage ss;
+ char *dcname = NULL;
+ bool resolved = true;
+
+ DEBUG(10, ("cm_open_connection: saf_servername is '%s' for domain %s\n",
+ saf_servername, domain->name));
+
+ /* convert an ip address to a name */
+ if (is_ipaddress(saf_servername)) {
+ if (!interpret_string_addr(&ss, saf_servername,
+ AI_NUMERICHOST)) {
+ TALLOC_FREE(mem_ctx);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+ } else {
+ if (!resolve_name(saf_servername, &ss, 0x20, true)) {
+ resolved = false;
+ }
+ }
+
+ if (resolved && dcip_check_name(mem_ctx, domain, &ss, &dcname, request_flags)) {
+ domain->dcname = talloc_strdup(domain,
+ dcname);
+ if (domain->dcname == NULL) {
+ TALLOC_FREE(mem_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ domain->dcaddr = ss;
+ } else {
+ winbind_add_failed_connection_entry(domain, saf_servername,
+ NT_STATUS_UNSUCCESSFUL);
+ }
+ }
+
+ for (retries = 0; retries < 3; retries++) {
+ int fd = -1;
+ bool retry = False;
+ char *dcname = NULL;
+
+ result = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
+
+ DEBUG(10, ("cm_open_connection: dcname is '%s' for domain %s\n",
+ domain->dcname ? domain->dcname : "", domain->name));
+
+ if (domain->dcname != NULL &&
+ NT_STATUS_IS_OK(check_negative_conn_cache(domain->name,
+ domain->dcname)))
+ {
+ NTSTATUS status;
+
+ status = smbsock_connect(&domain->dcaddr, 0,
+ NULL, -1, NULL, -1,
+ &fd, NULL, 10);
+ if (!NT_STATUS_IS_OK(status)) {
+ fd = -1;
+ }
+ }
+
+ if ((fd == -1) &&
+ !find_new_dc(mem_ctx, domain, &dcname, &domain->dcaddr, &fd, request_flags))
+ {
+ /* This is the one place where we will
+ set the global winbindd offline state
+ to true, if a "WINBINDD_OFFLINE" entry
+ is found in the winbindd cache. */
+ set_global_winbindd_state_offline();
+ break;
+ }
+ if (dcname != NULL) {
+ talloc_free(domain->dcname);
+
+ domain->dcname = talloc_move(domain, &dcname);
+ if (domain->dcname == NULL) {
+ result = NT_STATUS_NO_MEMORY;
+ break;
+ }
+ }
+
+ new_conn->cli = NULL;
+
+ result = cm_prepare_connection(domain, fd, domain->dcname,
+ &new_conn->cli, &retry);
+ if (!NT_STATUS_IS_OK(result)) {
+ /* Don't leak the smb connection socket */
+ if (fd != -1) {
+ close(fd);
+ fd = -1;
+ }
+ }
+
+ if (!retry)
+ break;
+ }
+
+ if (NT_STATUS_IS_OK(result)) {
+ bool seal_pipes = true;
+
+ winbindd_set_locator_kdc_envs(domain);
+
+ if (domain->online == False) {
+ /* We're changing state from offline to online. */
+ set_global_winbindd_state_online();
+ }
+ set_domain_online(domain);
+
+ /*
+ * Much as I hate global state, this seems to be the point
+ * where we can be certain that we have a proper connection to
+ * a DC. wbinfo --dc-info needs that information, store it in
+ * gencache with a looong timeout. This will need revisiting
+ * once we start to connect to multiple DCs, wbcDcInfo is
+ * already prepared for that.
+ */
+ store_current_dc_in_gencache(domain->name, domain->dcname,
+ new_conn->cli);
+
+ seal_pipes = lp_winbind_sealed_pipes();
+ seal_pipes = lp_parm_bool(-1, "winbind sealed pipes",
+ domain->name,
+ seal_pipes);
+
+ if (seal_pipes) {
+ new_conn->auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
+ } else {
+ new_conn->auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
+ }
+ } else {
+ /* Ensure we setup the retry handler. */
+ set_domain_offline(domain);
+ }
+
+ talloc_destroy(mem_ctx);
+ return result;
+}
+
+/* Close down all open pipes on a connection. */
+
+void invalidate_cm_connection(struct winbindd_domain *domain)
+{
+ NTSTATUS result;
+ struct winbindd_cm_conn *conn = &domain->conn;
+
+ domain->sequence_number = DOM_SEQUENCE_NONE;
+ domain->last_seq_check = 0;
+ domain->last_status = NT_STATUS_SERVER_DISABLED;
+
+ /* We're closing down a possibly dead
+ connection. Don't have impossibly long (10s) timeouts. */
+
+ if (conn->cli) {
+ cli_set_timeout(conn->cli, 1000); /* 1 second. */
+ }
+
+ if (conn->samr_pipe != NULL) {
+ if (is_valid_policy_hnd(&conn->sam_connect_handle)) {
+ dcerpc_samr_Close(conn->samr_pipe->binding_handle,
+ talloc_tos(),
+ &conn->sam_connect_handle,
+ &result);
+ }
+ TALLOC_FREE(conn->samr_pipe);
+ /* Ok, it must be dead. Drop timeout to 0.5 sec. */
+ if (conn->cli) {
+ cli_set_timeout(conn->cli, 500);
+ }
+ }
+
+ if (conn->lsa_pipe != NULL) {
+ if (is_valid_policy_hnd(&conn->lsa_policy)) {
+ dcerpc_lsa_Close(conn->lsa_pipe->binding_handle,
+ talloc_tos(),
+ &conn->lsa_policy,
+ &result);
+ }
+ TALLOC_FREE(conn->lsa_pipe);
+ /* Ok, it must be dead. Drop timeout to 0.5 sec. */
+ if (conn->cli) {
+ cli_set_timeout(conn->cli, 500);
+ }
+ }
+
+ if (conn->lsa_pipe_tcp != NULL) {
+ if (is_valid_policy_hnd(&conn->lsa_policy)) {
+ dcerpc_lsa_Close(conn->lsa_pipe_tcp->binding_handle,
+ talloc_tos(),
+ &conn->lsa_policy,
+ &result);
+ }
+ TALLOC_FREE(conn->lsa_pipe_tcp);
+ /* Ok, it must be dead. Drop timeout to 0.5 sec. */
+ if (conn->cli) {
+ cli_set_timeout(conn->cli, 500);
+ }
+ }
+
+ if (conn->netlogon_pipe != NULL) {
+ TALLOC_FREE(conn->netlogon_pipe);
+ /* Ok, it must be dead. Drop timeout to 0.5 sec. */
+ if (conn->cli) {
+ cli_set_timeout(conn->cli, 500);
+ }
+ }
+
+ conn->auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
+ TALLOC_FREE(conn->netlogon_creds_ctx);
+
+ if (conn->cli) {
+ cli_shutdown(conn->cli);
+ }
+
+ conn->cli = NULL;
+}
+
+void close_conns_after_fork(void)
+{
+ struct winbindd_domain *domain;
+ struct winbindd_cli_state *cli_state;
+
+ for (domain = domain_list(); domain; domain = domain->next) {
+ /*
+ * first close the low level SMB TCP connection
+ * so that we don't generate any SMBclose
+ * requests in invalidate_cm_connection()
+ */
+ if (cli_state_is_connected(domain->conn.cli)) {
+ smbXcli_conn_disconnect(domain->conn.cli->conn, NT_STATUS_OK);
+ }
+
+ invalidate_cm_connection(domain);
+ }
+
+ for (cli_state = winbindd_client_list();
+ cli_state != NULL;
+ cli_state = cli_state->next) {
+ if (cli_state->sock >= 0) {
+ close(cli_state->sock);
+ cli_state->sock = -1;
+ }
+ }
+}
+
+static bool connection_ok(struct winbindd_domain *domain)
+{
+ bool ok;
+
+ ok = cli_state_is_connected(domain->conn.cli);
+ if (!ok) {
+ DEBUG(3, ("connection_ok: Connection to %s for domain %s is not connected\n",
+ domain->dcname, domain->name));
+ return False;
+ }
+
+ if (!domain->online) {
+ DEBUG(3, ("connection_ok: Domain %s is offline\n", domain->name));
+ return False;
+ }
+
+ return True;
+}
+
+/* Initialize a new connection up to the RPC BIND.
+ Bypass online status check so always does network calls. */
+
+static NTSTATUS init_dc_connection_network(struct winbindd_domain *domain, bool need_rw_dc)
+{
+ NTSTATUS result;
+ bool skip_connection = domain->internal;
+ if (need_rw_dc && domain->rodc) {
+ skip_connection = false;
+ }
+
+ /* Internal connections never use the network. */
+ if (dom_sid_equal(&domain->sid, &global_sid_Builtin)) {
+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+ }
+
+ /* Still ask the internal LSA and SAMR server about the local domain */
+ if (skip_connection || connection_ok(domain)) {
+ if (!domain->initialized) {
+ set_dc_type_and_flags(domain);
+ }
+ return NT_STATUS_OK;
+ }
+
+ invalidate_cm_connection(domain);
+
+ if (!domain->primary && !domain->initialized) {
+ /*
+ * Before we connect to a trust, work out if it is an
+ * AD domain by asking our own domain.
+ */
+ set_dc_type_and_flags_trustinfo(domain);
+ }
+
+ result = cm_open_connection(domain, &domain->conn, need_rw_dc);
+
+ if (NT_STATUS_IS_OK(result) && !domain->initialized) {
+ set_dc_type_and_flags(domain);
+ }
+
+ return result;
+}
+
+NTSTATUS init_dc_connection(struct winbindd_domain *domain, bool need_rw_dc)
+{
+ if (dom_sid_equal(&domain->sid, &global_sid_Builtin)) {
+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+ }
+
+ SMB_ASSERT(wb_child_domain() || idmap_child());
+
+ return init_dc_connection_network(domain, need_rw_dc);
+}
+
+static NTSTATUS init_dc_connection_rpc(struct winbindd_domain *domain, bool need_rw_dc)
+{
+ NTSTATUS status;
+
+ status = init_dc_connection(domain, need_rw_dc);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ if (!domain->internal && domain->conn.cli == NULL) {
+ /* happens for trusted domains without inbound trust */
+ return NT_STATUS_TRUSTED_DOMAIN_FAILURE;
+ }
+
+ return NT_STATUS_OK;
+}
+
+/******************************************************************************
+ Set the trust flags (direction and forest location) for a domain
+******************************************************************************/
+
+static bool set_dc_type_and_flags_trustinfo( struct winbindd_domain *domain )
+{
+ struct winbindd_domain *our_domain;
+ NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
+ WERROR werr;
+ struct netr_DomainTrustList trusts;
+ int i;
+ uint32_t flags = (NETR_TRUST_FLAG_IN_FOREST |
+ NETR_TRUST_FLAG_OUTBOUND |
+ NETR_TRUST_FLAG_INBOUND);
+ struct rpc_pipe_client *cli;
+ TALLOC_CTX *mem_ctx = NULL;
+ struct dcerpc_binding_handle *b;
+
+ if (IS_DC) {
+ /*
+ * On a DC we loaded all trusts
+ * from configuration and never learn
+ * new domains.
+ */
+ return true;
+ }
+
+ DEBUG(5, ("set_dc_type_and_flags_trustinfo: domain %s\n", domain->name ));
+
+ /* Our primary domain doesn't need to worry about trust flags.
+ Force it to go through the network setup */
+ if ( domain->primary ) {
+ return False;
+ }
+
+ mem_ctx = talloc_stackframe();
+ our_domain = find_our_domain();
+ if (our_domain->internal) {
+ result = init_dc_connection(our_domain, false);
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(3,("set_dc_type_and_flags_trustinfo: "
+ "Not able to make a connection to our domain: %s\n",
+ nt_errstr(result)));
+ TALLOC_FREE(mem_ctx);
+ return false;
+ }
+ }
+
+ /* This won't work unless our domain is AD */
+ if ( !our_domain->active_directory ) {
+ TALLOC_FREE(mem_ctx);
+ return False;
+ }
+
+ if (our_domain->internal) {
+ result = wb_open_internal_pipe(mem_ctx, &ndr_table_netlogon, &cli);
+ } else if (!connection_ok(our_domain)) {
+ DEBUG(3,("set_dc_type_and_flags_trustinfo: "
+ "No connection to our domain!\n"));
+ TALLOC_FREE(mem_ctx);
+ return False;
+ } else {
+ result = cm_connect_netlogon(our_domain, &cli);
+ }
+
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(5, ("set_dc_type_and_flags_trustinfo: Could not open "
+ "a connection to %s for PIPE_NETLOGON (%s)\n",
+ domain->name, nt_errstr(result)));
+ TALLOC_FREE(mem_ctx);
+ return False;
+ }
+ b = cli->binding_handle;
+
+ /* Use DsEnumerateDomainTrusts to get us the trust direction and type. */
+ result = dcerpc_netr_DsrEnumerateDomainTrusts(b, mem_ctx,
+ cli->desthost,
+ flags,
+ &trusts,
+ &werr);
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(0,("set_dc_type_and_flags_trustinfo: "
+ "failed to query trusted domain list: %s\n",
+ nt_errstr(result)));
+ TALLOC_FREE(mem_ctx);
+ return false;
+ }
+ if (!W_ERROR_IS_OK(werr)) {
+ DEBUG(0,("set_dc_type_and_flags_trustinfo: "
+ "failed to query trusted domain list: %s\n",
+ win_errstr(werr)));
+ TALLOC_FREE(mem_ctx);
+ return false;
+ }
+
+ /* Now find the domain name and get the flags */
+
+ for ( i=0; i<trusts.count; i++ ) {
+ if ( strequal( domain->name, trusts.array[i].netbios_name) ) {
+ domain->domain_flags = trusts.array[i].trust_flags;
+ domain->domain_type = trusts.array[i].trust_type;
+ domain->domain_trust_attribs = trusts.array[i].trust_attributes;
+
+ if ( domain->domain_type == LSA_TRUST_TYPE_UPLEVEL )
+ domain->active_directory = True;
+
+ /* This flag is only set if the domain is *our*
+ primary domain and the primary domain is in
+ native mode */
+
+ domain->native_mode = (domain->domain_flags & NETR_TRUST_FLAG_NATIVE);
+
+ DEBUG(5, ("set_dc_type_and_flags_trustinfo: domain %s is %sin "
+ "native mode.\n", domain->name,
+ domain->native_mode ? "" : "NOT "));
+
+ DEBUG(5,("set_dc_type_and_flags_trustinfo: domain %s is %s"
+ "running active directory.\n", domain->name,
+ domain->active_directory ? "" : "NOT "));
+
+ domain->can_do_ncacn_ip_tcp = domain->active_directory;
+
+ domain->initialized = True;
+
+ break;
+ }
+ }
+
+ TALLOC_FREE(mem_ctx);
+
+ return domain->initialized;
+}
+
+/******************************************************************************
+ We can 'sense' certain things about the DC by it's replies to certain
+ questions.
+
+ This tells us if this particular remote server is Active Directory, and if it
+ is native mode.
+******************************************************************************/
+
+static void set_dc_type_and_flags_connect( struct winbindd_domain *domain )
+{
+ NTSTATUS status, result;
+ WERROR werr;
+ TALLOC_CTX *mem_ctx = NULL;
+ struct rpc_pipe_client *cli = NULL;
+ struct policy_handle pol;
+ union dssetup_DsRoleInfo info;
+ union lsa_PolicyInformation *lsa_info = NULL;
+
+ if (!domain->internal && !connection_ok(domain)) {
+ return;
+ }
+
+ mem_ctx = talloc_init("set_dc_type_and_flags on domain %s\n",
+ domain->name);
+ if (!mem_ctx) {
+ DEBUG(1, ("set_dc_type_and_flags_connect: talloc_init() failed\n"));
+ return;
+ }
+
+ DEBUG(5, ("set_dc_type_and_flags_connect: domain %s\n", domain->name ));
+
+ if (domain->internal) {
+ status = wb_open_internal_pipe(mem_ctx,
+ &ndr_table_dssetup,
+ &cli);
+ } else {
+ status = cli_rpc_pipe_open_noauth(domain->conn.cli,
+ &ndr_table_dssetup,
+ &cli);
+ }
+
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(5, ("set_dc_type_and_flags_connect: Could not bind to "
+ "PI_DSSETUP on domain %s: (%s)\n",
+ domain->name, nt_errstr(status)));
+
+ /* if this is just a non-AD domain we need to continue
+ * identifying so that we can in the end return with
+ * domain->initialized = True - gd */
+
+ goto no_dssetup;
+ }
+
+ status = dcerpc_dssetup_DsRoleGetPrimaryDomainInformation(cli->binding_handle, mem_ctx,
+ DS_ROLE_BASIC_INFORMATION,
+ &info,
+ &werr);
+ TALLOC_FREE(cli);
+
+ if (NT_STATUS_IS_OK(status)) {
+ result = werror_to_ntstatus(werr);
+ }
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(5, ("set_dc_type_and_flags_connect: rpccli_ds_getprimarydominfo "
+ "on domain %s failed: (%s)\n",
+ domain->name, nt_errstr(status)));
+
+ /* older samba3 DCs will return DCERPC_FAULT_OP_RNG_ERROR for
+ * every opcode on the DSSETUP pipe, continue with
+ * no_dssetup mode here as well to get domain->initialized
+ * set - gd */
+
+ if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
+ goto no_dssetup;
+ }
+
+ TALLOC_FREE(mem_ctx);
+ return;
+ }
+
+ if ((info.basic.flags & DS_ROLE_PRIMARY_DS_RUNNING) &&
+ !(info.basic.flags & DS_ROLE_PRIMARY_DS_MIXED_MODE)) {
+ domain->native_mode = True;
+ } else {
+ domain->native_mode = False;
+ }
+
+no_dssetup:
+ if (domain->internal) {
+ status = wb_open_internal_pipe(mem_ctx,
+ &ndr_table_lsarpc,
+ &cli);
+ } else {
+ status = cli_rpc_pipe_open_noauth(domain->conn.cli,
+ &ndr_table_lsarpc, &cli);
+ }
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(5, ("set_dc_type_and_flags_connect: Could not bind to "
+ "PI_LSARPC on domain %s: (%s)\n",
+ domain->name, nt_errstr(status)));
+ TALLOC_FREE(cli);
+ TALLOC_FREE(mem_ctx);
+ return;
+ }
+
+ status = rpccli_lsa_open_policy2(cli, mem_ctx, True,
+ SEC_FLAG_MAXIMUM_ALLOWED, &pol);
+
+ if (NT_STATUS_IS_OK(status)) {
+ /* This particular query is exactly what Win2k clients use
+ to determine that the DC is active directory */
+ status = dcerpc_lsa_QueryInfoPolicy2(cli->binding_handle, mem_ctx,
+ &pol,
+ LSA_POLICY_INFO_DNS,
+ &lsa_info,
+ &result);
+ }
+
+ if (NT_STATUS_IS_OK(status) && NT_STATUS_IS_OK(result)) {
+ domain->active_directory = True;
+
+ if (lsa_info->dns.name.string) {
+ if (!strequal(domain->name, lsa_info->dns.name.string))
+ {
+ DEBUG(1, ("set_dc_type_and_flags_connect: DC "
+ "for domain %s claimed it was a DC "
+ "for domain %s, refusing to "
+ "initialize\n",
+ domain->name,
+ lsa_info->dns.name.string));
+ TALLOC_FREE(cli);
+ TALLOC_FREE(mem_ctx);
+ return;
+ }
+ talloc_free(domain->name);
+ domain->name = talloc_strdup(domain,
+ lsa_info->dns.name.string);
+ if (domain->name == NULL) {
+ goto done;
+ }
+ }
+
+ if (lsa_info->dns.dns_domain.string) {
+ if (domain->alt_name != NULL &&
+ !strequal(domain->alt_name,
+ lsa_info->dns.dns_domain.string))
+ {
+ DEBUG(1, ("set_dc_type_and_flags_connect: DC "
+ "for domain %s (%s) claimed it was "
+ "a DC for domain %s, refusing to "
+ "initialize\n",
+ domain->alt_name, domain->name,
+ lsa_info->dns.dns_domain.string));
+ TALLOC_FREE(cli);
+ TALLOC_FREE(mem_ctx);
+ return;
+ }
+ talloc_free(domain->alt_name);
+ domain->alt_name =
+ talloc_strdup(domain,
+ lsa_info->dns.dns_domain.string);
+ if (domain->alt_name == NULL) {
+ goto done;
+ }
+ }
+
+ /* See if we can set some domain trust flags about
+ ourself */
+
+ if (lsa_info->dns.dns_forest.string) {
+ talloc_free(domain->forest_name);
+ domain->forest_name =
+ talloc_strdup(domain,
+ lsa_info->dns.dns_forest.string);
+ if (domain->forest_name == NULL) {
+ goto done;
+ }
+
+ if (strequal(domain->forest_name, domain->alt_name)) {
+ domain->domain_flags |= NETR_TRUST_FLAG_TREEROOT;
+ }
+ }
+
+ if (lsa_info->dns.sid) {
+ if (!is_null_sid(&domain->sid) &&
+ !dom_sid_equal(&domain->sid,
+ lsa_info->dns.sid))
+ {
+ struct dom_sid_buf buf1, buf2;
+ DEBUG(1, ("set_dc_type_and_flags_connect: DC "
+ "for domain %s (%s) claimed it was "
+ "a DC for domain %s, refusing to "
+ "initialize\n",
+ dom_sid_str_buf(&domain->sid, &buf1),
+ domain->name,
+ dom_sid_str_buf(lsa_info->dns.sid,
+ &buf2)));
+ TALLOC_FREE(cli);
+ TALLOC_FREE(mem_ctx);
+ return;
+ }
+ sid_copy(&domain->sid, lsa_info->dns.sid);
+ }
+ } else {
+ domain->active_directory = False;
+
+ status = rpccli_lsa_open_policy(cli, mem_ctx, True,
+ SEC_FLAG_MAXIMUM_ALLOWED,
+ &pol);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ goto done;
+ }
+
+ status = dcerpc_lsa_QueryInfoPolicy(cli->binding_handle, mem_ctx,
+ &pol,
+ LSA_POLICY_INFO_ACCOUNT_DOMAIN,
+ &lsa_info,
+ &result);
+ if (NT_STATUS_IS_OK(status) && NT_STATUS_IS_OK(result)) {
+
+ if (lsa_info->account_domain.name.string) {
+ if (!strequal(domain->name,
+ lsa_info->account_domain.name.string))
+ {
+ DEBUG(1,
+ ("set_dc_type_and_flags_connect: "
+ "DC for domain %s claimed it was"
+ " a DC for domain %s, refusing "
+ "to initialize\n", domain->name,
+ lsa_info->
+ account_domain.name.string));
+ TALLOC_FREE(cli);
+ TALLOC_FREE(mem_ctx);
+ return;
+ }
+ talloc_free(domain->name);
+ domain->name =
+ talloc_strdup(domain,
+ lsa_info->account_domain.name.string);
+ }
+
+ if (lsa_info->account_domain.sid) {
+ if (!is_null_sid(&domain->sid) &&
+ !dom_sid_equal(&domain->sid,
+ lsa_info->account_domain.sid))
+ {
+ struct dom_sid_buf buf1, buf2;
+ DEBUG(1,
+ ("set_dc_type_and_flags_connect: "
+ "DC for domain %s (%s) claimed "
+ "it was a DC for domain %s, "
+ "refusing to initialize\n",
+ dom_sid_str_buf(
+ &domain->sid, &buf1),
+ domain->name,
+ dom_sid_str_buf(
+ lsa_info->account_domain.sid,
+ &buf2)));
+ TALLOC_FREE(cli);
+ TALLOC_FREE(mem_ctx);
+ return;
+ }
+ sid_copy(&domain->sid, lsa_info->account_domain.sid);
+ }
+ }
+ }
+done:
+
+ DEBUG(5, ("set_dc_type_and_flags_connect: domain %s is %sin native mode.\n",
+ domain->name, domain->native_mode ? "" : "NOT "));
+
+ DEBUG(5,("set_dc_type_and_flags_connect: domain %s is %srunning active directory.\n",
+ domain->name, domain->active_directory ? "" : "NOT "));
+
+ domain->can_do_ncacn_ip_tcp = domain->active_directory;
+
+ TALLOC_FREE(cli);
+
+ TALLOC_FREE(mem_ctx);
+
+ domain->initialized = True;
+}
+
+/**********************************************************************
+ Set the domain_flags (trust attributes, domain operating modes, etc...
+***********************************************************************/
+
+static void set_dc_type_and_flags( struct winbindd_domain *domain )
+{
+ if (IS_DC) {
+ /*
+ * On a DC we loaded all trusts
+ * from configuration and never learn
+ * new domains.
+ */
+ return;
+ }
+
+ /* we always have to contact our primary domain */
+
+ if ( domain->primary || domain->internal) {
+ DEBUG(10,("set_dc_type_and_flags: setting up flags for "
+ "primary or internal domain\n"));
+ set_dc_type_and_flags_connect( domain );
+ return;
+ }
+
+ /* Use our DC to get the information if possible */
+
+ if ( !set_dc_type_and_flags_trustinfo( domain ) ) {
+ /* Otherwise, fallback to contacting the
+ domain directly */
+ set_dc_type_and_flags_connect( domain );
+ }
+
+ return;
+}
+
+
+
+/**********************************************************************
+***********************************************************************/
+
+static NTSTATUS cm_get_schannel_creds(struct winbindd_domain *domain,
+ struct netlogon_creds_cli_context **ppdc)
+{
+ NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
+ struct rpc_pipe_client *netlogon_pipe;
+
+ *ppdc = NULL;
+
+ if ((!IS_DC) && (!domain->primary)) {
+ return NT_STATUS_TRUSTED_DOMAIN_FAILURE;
+ }
+
+ if (domain->conn.netlogon_creds_ctx != NULL) {
+ *ppdc = domain->conn.netlogon_creds_ctx;
+ return NT_STATUS_OK;
+ }
+
+ result = cm_connect_netlogon_secure(domain, &netlogon_pipe, ppdc);
+ if (!NT_STATUS_IS_OK(result)) {
+ return result;
+ }
+
+ return NT_STATUS_OK;
+}
+
+NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
+ bool need_rw_dc,
+ struct rpc_pipe_client **cli, struct policy_handle *sam_handle)
+{
+ struct winbindd_cm_conn *conn;
+ NTSTATUS status, result;
+ struct netlogon_creds_cli_context *p_creds;
+ struct cli_credentials *creds = NULL;
+ bool retry = false; /* allow one retry attempt for expired session */
+ const char *remote_name = NULL;
+ const struct sockaddr_storage *remote_sockaddr = NULL;
+ bool sealed_pipes = true;
+ bool strong_key = true;
+
+ if (sid_check_is_our_sam(&domain->sid)) {
+ if (domain->rodc == false || need_rw_dc == false) {
+ return open_internal_samr_conn(mem_ctx, domain, cli, sam_handle);
+ }
+ }
+
+ if (IS_AD_DC) {
+ /*
+ * In theory we should not use SAMR within
+ * winbindd at all, but that's a larger task to
+ * remove this and avoid breaking existing
+ * setups.
+ *
+ * At least as AD DC we have the restriction
+ * to avoid SAMR against trusted domains,
+ * as there're no existing setups.
+ */
+ return NT_STATUS_REQUEST_NOT_ACCEPTED;
+ }
+
+retry:
+ status = init_dc_connection_rpc(domain, need_rw_dc);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ conn = &domain->conn;
+
+ if (rpccli_is_connected(conn->samr_pipe)) {
+ goto done;
+ }
+
+ TALLOC_FREE(conn->samr_pipe);
+
+ /*
+ * No SAMR pipe yet. Attempt to get an NTLMSSP SPNEGO authenticated
+ * sign and sealed pipe using the machine account password by
+ * preference. If we can't - try schannel, if that fails, try
+ * anonymous.
+ */
+
+ result = get_trust_credentials(domain, talloc_tos(), false, &creds);
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(10, ("cm_connect_sam: No user available for "
+ "domain %s, trying schannel\n", domain->name));
+ goto schannel;
+ }
+
+ if (cli_credentials_is_anonymous(creds)) {
+ goto anonymous;
+ }
+
+ remote_name = smbXcli_conn_remote_name(conn->cli->conn);
+ remote_sockaddr = smbXcli_conn_remote_sockaddr(conn->cli->conn);
+
+ /*
+ * We have an authenticated connection. Use a SPNEGO
+ * authenticated SAMR pipe with sign & seal.
+ */
+ status = cli_rpc_pipe_open_with_creds(conn->cli,
+ &ndr_table_samr,
+ NCACN_NP,
+ DCERPC_AUTH_TYPE_SPNEGO,
+ conn->auth_level,
+ remote_name,
+ remote_sockaddr,
+ creds,
+ &conn->samr_pipe);
+
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_SESSION_EXPIRED)
+ && !retry) {
+ invalidate_cm_connection(domain);
+ retry = true;
+ goto retry;
+ }
+
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(10,("cm_connect_sam: failed to connect to SAMR "
+ "pipe for domain %s using NTLMSSP "
+ "authenticated pipe: user %s. Error was "
+ "%s\n", domain->name,
+ cli_credentials_get_unparsed_name(creds, talloc_tos()),
+ nt_errstr(status)));
+ goto schannel;
+ }
+
+ DEBUG(10,("cm_connect_sam: connected to SAMR pipe for "
+ "domain %s using NTLMSSP authenticated "
+ "pipe: user %s\n", domain->name,
+ cli_credentials_get_unparsed_name(creds, talloc_tos())));
+
+ status = dcerpc_samr_Connect2(conn->samr_pipe->binding_handle, mem_ctx,
+ conn->samr_pipe->desthost,
+ SEC_FLAG_MAXIMUM_ALLOWED,
+ &conn->sam_connect_handle,
+ &result);
+
+ if (NT_STATUS_EQUAL(status, NT_STATUS_IO_DEVICE_ERROR) && !retry) {
+ invalidate_cm_connection(domain);
+ TALLOC_FREE(conn->samr_pipe);
+ retry = true;
+ goto retry;
+ }
+
+ if (NT_STATUS_IS_OK(status) && NT_STATUS_IS_OK(result)) {
+ goto open_domain;
+ }
+ if (NT_STATUS_IS_OK(status)) {
+ status = result;
+ }
+
+ DEBUG(10,("cm_connect_sam: ntlmssp-sealed dcerpc_samr_Connect2 "
+ "failed for domain %s, error was %s. Trying schannel\n",
+ domain->name, nt_errstr(status) ));
+ TALLOC_FREE(conn->samr_pipe);
+
+ schannel:
+
+ /* Fall back to schannel if it's a W2K pre-SP1 box. */
+
+ status = cm_get_schannel_creds(domain, &p_creds);
+ if (!NT_STATUS_IS_OK(status)) {
+ /* If this call fails - conn->cli can now be NULL ! */
+ DEBUG(10, ("cm_connect_sam: Could not get schannel auth info "
+ "for domain %s (error %s), trying anon\n",
+ domain->name,
+ nt_errstr(status) ));
+ goto anonymous;
+ }
+ TALLOC_FREE(creds);
+ status = cli_rpc_pipe_open_schannel_with_creds(
+ conn->cli, &ndr_table_samr, NCACN_NP, p_creds,
+ remote_name,
+ remote_sockaddr,
+ &conn->samr_pipe);
+
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_SESSION_EXPIRED)
+ && !retry) {
+ invalidate_cm_connection(domain);
+ retry = true;
+ goto retry;
+ }
+
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(10,("cm_connect_sam: failed to connect to SAMR pipe for "
+ "domain %s using schannel. Error was %s\n",
+ domain->name, nt_errstr(status) ));
+ goto anonymous;
+ }
+ DEBUG(10,("cm_connect_sam: connected to SAMR pipe for domain %s using "
+ "schannel.\n", domain->name ));
+
+ status = dcerpc_samr_Connect2(conn->samr_pipe->binding_handle, mem_ctx,
+ conn->samr_pipe->desthost,
+ SEC_FLAG_MAXIMUM_ALLOWED,
+ &conn->sam_connect_handle,
+ &result);
+
+ if (NT_STATUS_EQUAL(status, NT_STATUS_IO_DEVICE_ERROR) && !retry) {
+ invalidate_cm_connection(domain);
+ TALLOC_FREE(conn->samr_pipe);
+ retry = true;
+ goto retry;
+ }
+
+ if (NT_STATUS_IS_OK(status) && NT_STATUS_IS_OK(result)) {
+ goto open_domain;
+ }
+ if (NT_STATUS_IS_OK(status)) {
+ status = result;
+ }
+ DEBUG(10,("cm_connect_sam: schannel-sealed dcerpc_samr_Connect2 failed "
+ "for domain %s, error was %s. Trying anonymous\n",
+ domain->name, nt_errstr(status) ));
+ TALLOC_FREE(conn->samr_pipe);
+
+ anonymous:
+
+ sealed_pipes = lp_winbind_sealed_pipes();
+ sealed_pipes = lp_parm_bool(-1, "winbind sealed pipes",
+ domain->name,
+ sealed_pipes);
+ strong_key = lp_require_strong_key();
+ strong_key = lp_parm_bool(-1, "require strong key",
+ domain->name,
+ strong_key);
+
+ /* Finally fall back to anonymous. */
+ if (sealed_pipes || strong_key) {
+ status = NT_STATUS_DOWNGRADE_DETECTED;
+ DEBUG(1, ("Unwilling to make SAMR connection to domain %s "
+ "without connection level security, "
+ "must set 'winbind sealed pipes:%s = false' and "
+ "'require strong key:%s = false' to proceed: %s\n",
+ domain->name, domain->name, domain->name,
+ nt_errstr(status)));
+ goto done;
+ }
+ status = cli_rpc_pipe_open_noauth(conn->cli, &ndr_table_samr,
+ &conn->samr_pipe);
+
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_SESSION_EXPIRED)
+ && !retry) {
+ invalidate_cm_connection(domain);
+ retry = true;
+ goto retry;
+ }
+
+ if (!NT_STATUS_IS_OK(status)) {
+ goto done;
+ }
+
+ status = dcerpc_samr_Connect2(conn->samr_pipe->binding_handle, mem_ctx,
+ conn->samr_pipe->desthost,
+ SEC_FLAG_MAXIMUM_ALLOWED,
+ &conn->sam_connect_handle,
+ &result);
+
+ if (NT_STATUS_EQUAL(status, NT_STATUS_IO_DEVICE_ERROR) && !retry) {
+ invalidate_cm_connection(domain);
+ TALLOC_FREE(conn->samr_pipe);
+ retry = true;
+ goto retry;
+ }
+
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(10,("cm_connect_sam: rpccli_samr_Connect2 failed "
+ "for domain %s Error was %s\n",
+ domain->name, nt_errstr(status) ));
+ goto done;
+ }
+ if (!NT_STATUS_IS_OK(result)) {
+ status = result;
+ DEBUG(10,("cm_connect_sam: dcerpc_samr_Connect2 failed "
+ "for domain %s Error was %s\n",
+ domain->name, nt_errstr(result)));
+ goto done;
+ }
+
+ open_domain:
+ status = dcerpc_samr_OpenDomain(conn->samr_pipe->binding_handle,
+ mem_ctx,
+ &conn->sam_connect_handle,
+ SEC_FLAG_MAXIMUM_ALLOWED,
+ &domain->sid,
+ &conn->sam_domain_handle,
+ &result);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto done;
+ }
+
+ status = result;
+ done:
+
+ if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
+ /*
+ * if we got access denied, we might just have no access rights
+ * to talk to the remote samr server server (e.g. when we are a
+ * PDC and we are connecting a w2k8 pdc via an interdomain
+ * trust). In that case do not invalidate the whole connection
+ * stack
+ */
+ TALLOC_FREE(conn->samr_pipe);
+ ZERO_STRUCT(conn->sam_domain_handle);
+ return status;
+ } else if (!NT_STATUS_IS_OK(status)) {
+ invalidate_cm_connection(domain);
+ return status;
+ }
+
+ *cli = conn->samr_pipe;
+ *sam_handle = conn->sam_domain_handle;
+ return status;
+}
+
+/**********************************************************************
+ open an schanneld ncacn_ip_tcp connection to LSA
+***********************************************************************/
+
+static NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ struct rpc_pipe_client **cli)
+{
+ struct winbindd_cm_conn *conn;
+ struct netlogon_creds_cli_context *p_creds = NULL;
+ NTSTATUS status;
+ const char *remote_name = NULL;
+ const struct sockaddr_storage *remote_sockaddr = NULL;
+
+ DEBUG(10,("cm_connect_lsa_tcp\n"));
+
+ status = init_dc_connection_rpc(domain, false);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ conn = &domain->conn;
+
+ /*
+ * rpccli_is_connected handles more error cases
+ */
+ if (rpccli_is_connected(conn->lsa_pipe_tcp) &&
+ conn->lsa_pipe_tcp->transport->transport == NCACN_IP_TCP &&
+ conn->lsa_pipe_tcp->auth->auth_level >= DCERPC_AUTH_LEVEL_INTEGRITY) {
+ goto done;
+ }
+
+ TALLOC_FREE(conn->lsa_pipe_tcp);
+
+ status = cm_get_schannel_creds(domain, &p_creds);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto done;
+ }
+
+ remote_name = smbXcli_conn_remote_name(conn->cli->conn);
+ remote_sockaddr = smbXcli_conn_remote_sockaddr(conn->cli->conn);
+
+ status = cli_rpc_pipe_open_schannel_with_creds(
+ conn->cli,
+ &ndr_table_lsarpc,
+ NCACN_IP_TCP,
+ p_creds,
+ remote_name,
+ remote_sockaddr,
+ &conn->lsa_pipe_tcp);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(10,("cli_rpc_pipe_open_schannel_with_key failed: %s\n",
+ nt_errstr(status)));
+ goto done;
+ }
+
+ done:
+ if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(conn->lsa_pipe_tcp);
+ return status;
+ }
+
+ *cli = conn->lsa_pipe_tcp;
+
+ return status;
+}
+
+NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
+ struct rpc_pipe_client **cli, struct policy_handle *lsa_policy)
+{
+ struct winbindd_cm_conn *conn;
+ NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
+ struct netlogon_creds_cli_context *p_creds;
+ struct cli_credentials *creds = NULL;
+ bool retry = false; /* allow one retry attempt for expired session */
+ const char *remote_name = NULL;
+ const struct sockaddr_storage *remote_sockaddr = NULL;
+ bool sealed_pipes = true;
+ bool strong_key = true;
+
+retry:
+ result = init_dc_connection_rpc(domain, false);
+ if (!NT_STATUS_IS_OK(result))
+ return result;
+
+ conn = &domain->conn;
+
+ if (rpccli_is_connected(conn->lsa_pipe)) {
+ goto done;
+ }
+
+ TALLOC_FREE(conn->lsa_pipe);
+
+ if (IS_AD_DC) {
+ /*
+ * Make sure we only use schannel as AD DC.
+ */
+ goto schannel;
+ }
+
+ result = get_trust_credentials(domain, talloc_tos(), false, &creds);
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(10, ("cm_connect_lsa: No user available for "
+ "domain %s, trying schannel\n", domain->name));
+ goto schannel;
+ }
+
+ if (cli_credentials_is_anonymous(creds)) {
+ goto anonymous;
+ }
+
+ remote_name = smbXcli_conn_remote_name(conn->cli->conn);
+ remote_sockaddr = smbXcli_conn_remote_sockaddr(conn->cli->conn);
+
+ /*
+ * We have an authenticated connection. Use a SPNEGO
+ * authenticated LSA pipe with sign & seal.
+ */
+ result = cli_rpc_pipe_open_with_creds
+ (conn->cli, &ndr_table_lsarpc, NCACN_NP,
+ DCERPC_AUTH_TYPE_SPNEGO,
+ conn->auth_level,
+ remote_name,
+ remote_sockaddr,
+ creds,
+ &conn->lsa_pipe);
+
+ if (NT_STATUS_EQUAL(result, NT_STATUS_NETWORK_SESSION_EXPIRED)
+ && !retry) {
+ invalidate_cm_connection(domain);
+ retry = true;
+ goto retry;
+ }
+
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(10,("cm_connect_lsa: failed to connect to LSA pipe for "
+ "domain %s using NTLMSSP authenticated pipe: user "
+ "%s. Error was %s. Trying schannel.\n",
+ domain->name,
+ cli_credentials_get_unparsed_name(creds, talloc_tos()),
+ nt_errstr(result)));
+ goto schannel;
+ }
+
+ DEBUG(10,("cm_connect_lsa: connected to LSA pipe for domain %s using "
+ "NTLMSSP authenticated pipe: user %s\n",
+ domain->name, cli_credentials_get_unparsed_name(creds, talloc_tos())));
+
+ result = rpccli_lsa_open_policy(conn->lsa_pipe, mem_ctx, True,
+ SEC_FLAG_MAXIMUM_ALLOWED,
+ &conn->lsa_policy);
+ if (NT_STATUS_EQUAL(result, NT_STATUS_IO_DEVICE_ERROR) && !retry) {
+ invalidate_cm_connection(domain);
+ TALLOC_FREE(conn->lsa_pipe);
+ retry = true;
+ goto retry;
+ }
+
+ if (NT_STATUS_IS_OK(result)) {
+ goto done;
+ }
+
+ DEBUG(10,("cm_connect_lsa: rpccli_lsa_open_policy failed, trying "
+ "schannel\n"));
+
+ TALLOC_FREE(conn->lsa_pipe);
+
+ schannel:
+
+ /* Fall back to schannel if it's a W2K pre-SP1 box. */
+
+ result = cm_get_schannel_creds(domain, &p_creds);
+ if (!NT_STATUS_IS_OK(result)) {
+ /* If this call fails - conn->cli can now be NULL ! */
+ DEBUG(10, ("cm_connect_lsa: Could not get schannel auth info "
+ "for domain %s (error %s), trying anon\n",
+ domain->name,
+ nt_errstr(result) ));
+ goto anonymous;
+ }
+
+ TALLOC_FREE(creds);
+ result = cli_rpc_pipe_open_schannel_with_creds(
+ conn->cli, &ndr_table_lsarpc, NCACN_NP, p_creds,
+ remote_name,
+ remote_sockaddr,
+ &conn->lsa_pipe);
+
+ if (NT_STATUS_EQUAL(result, NT_STATUS_NETWORK_SESSION_EXPIRED)
+ && !retry) {
+ invalidate_cm_connection(domain);
+ retry = true;
+ goto retry;
+ }
+
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(10,("cm_connect_lsa: failed to connect to LSA pipe for "
+ "domain %s using schannel. Error was %s\n",
+ domain->name, nt_errstr(result) ));
+ goto anonymous;
+ }
+ DEBUG(10,("cm_connect_lsa: connected to LSA pipe for domain %s using "
+ "schannel.\n", domain->name ));
+
+ result = rpccli_lsa_open_policy(conn->lsa_pipe, mem_ctx, True,
+ SEC_FLAG_MAXIMUM_ALLOWED,
+ &conn->lsa_policy);
+
+ if (NT_STATUS_EQUAL(result, NT_STATUS_IO_DEVICE_ERROR) && !retry) {
+ invalidate_cm_connection(domain);
+ TALLOC_FREE(conn->lsa_pipe);
+ retry = true;
+ goto retry;
+ }
+
+ if (NT_STATUS_IS_OK(result)) {
+ goto done;
+ }
+
+ if (IS_AD_DC) {
+ /*
+ * Make sure we only use schannel as AD DC.
+ */
+ goto done;
+ }
+
+ DEBUG(10,("cm_connect_lsa: rpccli_lsa_open_policy failed, trying "
+ "anonymous\n"));
+
+ TALLOC_FREE(conn->lsa_pipe);
+
+ anonymous:
+
+ if (IS_AD_DC) {
+ /*
+ * Make sure we only use schannel as AD DC.
+ */
+ goto done;
+ }
+
+ sealed_pipes = lp_winbind_sealed_pipes();
+ sealed_pipes = lp_parm_bool(-1, "winbind sealed pipes",
+ domain->name,
+ sealed_pipes);
+ strong_key = lp_require_strong_key();
+ strong_key = lp_parm_bool(-1, "require strong key",
+ domain->name,
+ strong_key);
+
+ /* Finally fall back to anonymous. */
+ if (sealed_pipes || strong_key) {
+ result = NT_STATUS_DOWNGRADE_DETECTED;
+ DEBUG(1, ("Unwilling to make LSA connection to domain %s "
+ "without connection level security, "
+ "must set 'winbind sealed pipes:%s = false' and "
+ "'require strong key:%s = false' to proceed: %s\n",
+ domain->name, domain->name, domain->name,
+ nt_errstr(result)));
+ goto done;
+ }
+
+ result = cli_rpc_pipe_open_noauth(conn->cli,
+ &ndr_table_lsarpc,
+ &conn->lsa_pipe);
+
+ if (NT_STATUS_EQUAL(result, NT_STATUS_NETWORK_SESSION_EXPIRED)
+ && !retry) {
+ invalidate_cm_connection(domain);
+ retry = true;
+ goto retry;
+ }
+
+ if (!NT_STATUS_IS_OK(result)) {
+ goto done;
+ }
+
+ result = rpccli_lsa_open_policy(conn->lsa_pipe, mem_ctx, True,
+ SEC_FLAG_MAXIMUM_ALLOWED,
+ &conn->lsa_policy);
+
+ if (NT_STATUS_EQUAL(result, NT_STATUS_IO_DEVICE_ERROR) && !retry) {
+ invalidate_cm_connection(domain);
+ TALLOC_FREE(conn->lsa_pipe);
+ retry = true;
+ goto retry;
+ }
+
+ done:
+ if (!NT_STATUS_IS_OK(result)) {
+ invalidate_cm_connection(domain);
+ return result;
+ }
+
+ *cli = conn->lsa_pipe;
+ *lsa_policy = conn->lsa_policy;
+ return result;
+}
+
+/****************************************************************************
+Open a LSA connection to a DC, suiteable for LSA lookup calls.
+****************************************************************************/
+
+NTSTATUS cm_connect_lsat(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ struct rpc_pipe_client **cli,
+ struct policy_handle *lsa_policy)
+{
+ NTSTATUS status;
+
+ if (domain->can_do_ncacn_ip_tcp) {
+ status = cm_connect_lsa_tcp(domain, mem_ctx, cli);
+ if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) ||
+ NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR) ||
+ NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED)) {
+ invalidate_cm_connection(domain);
+ status = cm_connect_lsa_tcp(domain, mem_ctx, cli);
+ }
+ if (NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ /*
+ * we tried twice to connect via ncan_ip_tcp and schannel and
+ * failed - maybe it is a trusted domain we can't connect to ?
+ * do not try tcp next time - gd
+ *
+ * This also prevents NETLOGON over TCP
+ */
+ domain->can_do_ncacn_ip_tcp = false;
+ }
+
+ status = cm_connect_lsa(domain, mem_ctx, cli, lsa_policy);
+
+ return status;
+}
+
+/****************************************************************************
+ Open the netlogon pipe to this DC.
+****************************************************************************/
+
+static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
+ enum dcerpc_transport_t transport,
+ struct rpc_pipe_client **cli)
+{
+ struct messaging_context *msg_ctx = global_messaging_context();
+ struct winbindd_cm_conn *conn;
+ NTSTATUS result;
+ enum netr_SchannelType sec_chan_type;
+ struct cli_credentials *creds = NULL;
+
+ *cli = NULL;
+
+ if (IS_AD_DC) {
+ if (domain->secure_channel_type == SEC_CHAN_NULL) {
+ /*
+ * Make sure we don't even try to
+ * connect to a foreign domain
+ * without a direct outbound trust.
+ */
+ return NT_STATUS_NO_TRUST_LSA_SECRET;
+ }
+ }
+
+ result = init_dc_connection_rpc(domain, domain->rodc);
+ if (!NT_STATUS_IS_OK(result)) {
+ return result;
+ }
+
+ conn = &domain->conn;
+
+ if (rpccli_is_connected(conn->netlogon_pipe)) {
+ *cli = conn->netlogon_pipe;
+ return NT_STATUS_OK;
+ }
+
+ TALLOC_FREE(conn->netlogon_pipe);
+ TALLOC_FREE(conn->netlogon_creds_ctx);
+
+ result = get_trust_credentials(domain, talloc_tos(), true, &creds);
+ if (!NT_STATUS_IS_OK(result)) {
+ DBG_DEBUG("No user available for domain %s when trying "
+ "schannel\n", domain->name);
+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+ }
+
+ if (cli_credentials_is_anonymous(creds)) {
+ DBG_WARNING("get_trust_credential only gave anonymous for %s, "
+ "unable to make get NETLOGON credentials\n",
+ domain->name);
+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+ }
+
+ sec_chan_type = cli_credentials_get_secure_channel_type(creds);
+ if (sec_chan_type == SEC_CHAN_NULL) {
+ const char *remote_name =
+ smbXcli_conn_remote_name(conn->cli->conn);
+ const struct sockaddr_storage *remote_sockaddr =
+ smbXcli_conn_remote_sockaddr(conn->cli->conn);
+
+ if (transport == NCACN_IP_TCP) {
+ DBG_NOTICE("get_secure_channel_type gave SEC_CHAN_NULL "
+ "for %s, deny NCACN_IP_TCP and let the "
+ "caller fallback to NCACN_NP.\n",
+ domain->name);
+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+ }
+
+ DBG_NOTICE("get_secure_channel_type gave SEC_CHAN_NULL for %s, "
+ "fallback to noauth on NCACN_NP.\n",
+ domain->name);
+
+ result = cli_rpc_pipe_open_noauth_transport(
+ conn->cli,
+ transport,
+ &ndr_table_netlogon,
+ remote_name,
+ remote_sockaddr,
+ &conn->netlogon_pipe);
+ if (!NT_STATUS_IS_OK(result)) {
+ invalidate_cm_connection(domain);
+ return result;
+ }
+
+ *cli = conn->netlogon_pipe;
+ return NT_STATUS_OK;
+ }
+
+ result = rpccli_create_netlogon_creds_ctx(creds,
+ domain->dcname,
+ msg_ctx,
+ domain,
+ &conn->netlogon_creds_ctx);
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(1, ("rpccli_create_netlogon_creds failed for %s, "
+ "unable to create NETLOGON credentials: %s\n",
+ domain->name, nt_errstr(result)));
+ return result;
+ }
+
+ result = rpccli_connect_netlogon(
+ conn->cli, transport,
+ conn->netlogon_creds_ctx, conn->netlogon_force_reauth, creds,
+ &conn->netlogon_pipe);
+ conn->netlogon_force_reauth = false;
+ if (!NT_STATUS_IS_OK(result)) {
+ DBG_DEBUG("rpccli_connect_netlogon failed: %s\n",
+ nt_errstr(result));
+ return result;
+ }
+
+ *cli = conn->netlogon_pipe;
+ return NT_STATUS_OK;
+}
+
+/****************************************************************************
+Open a NETLOGON connection to a DC, suiteable for SamLogon calls.
+****************************************************************************/
+
+NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
+ struct rpc_pipe_client **cli)
+{
+ NTSTATUS status;
+
+ status = init_dc_connection_rpc(domain, domain->rodc);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ if (domain->active_directory && domain->can_do_ncacn_ip_tcp) {
+ status = cm_connect_netlogon_transport(domain, NCACN_IP_TCP, cli);
+ if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) ||
+ NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR) ||
+ NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED)) {
+ invalidate_cm_connection(domain);
+ status = cm_connect_netlogon_transport(domain, NCACN_IP_TCP, cli);
+ }
+ if (NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ /*
+ * we tried twice to connect via ncan_ip_tcp and schannel and
+ * failed - maybe it is a trusted domain we can't connect to ?
+ * do not try tcp next time - gd
+ *
+ * This also prevents LSA over TCP
+ */
+ domain->can_do_ncacn_ip_tcp = false;
+ }
+
+ status = cm_connect_netlogon_transport(domain, NCACN_NP, cli);
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_SESSION_EXPIRED)) {
+ /*
+ * SMB2 session expired, needs reauthentication. Drop
+ * connection and retry.
+ */
+ invalidate_cm_connection(domain);
+ status = cm_connect_netlogon_transport(domain, NCACN_NP, cli);
+ }
+
+ return status;
+}
+
+NTSTATUS cm_connect_netlogon_secure(struct winbindd_domain *domain,
+ struct rpc_pipe_client **cli,
+ struct netlogon_creds_cli_context **ppdc)
+{
+ NTSTATUS status;
+
+ if (domain->secure_channel_type == SEC_CHAN_NULL) {
+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+ }
+
+ status = cm_connect_netlogon(domain, cli);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ if (domain->conn.netlogon_creds_ctx == NULL) {
+ return NT_STATUS_TRUSTED_DOMAIN_FAILURE;
+ }
+
+ *ppdc = domain->conn.netlogon_creds_ctx;
+ return NT_STATUS_OK;
+}
+
+void winbind_msg_ip_dropped(struct messaging_context *msg_ctx,
+ void *private_data,
+ uint32_t msg_type,
+ struct server_id server_id,
+ DATA_BLOB *data)
+{
+ struct winbindd_domain *domain;
+ char *freeit = NULL;
+ char *addr;
+
+ if ((data == NULL)
+ || (data->data == NULL)
+ || (data->length == 0)
+ || (data->data[data->length-1] != '\0')) {
+ DEBUG(1, ("invalid msg_ip_dropped message: not a valid "
+ "string\n"));
+ return;
+ }
+
+ addr = (char *)data->data;
+ DEBUG(10, ("IP %s dropped\n", addr));
+
+ if (!is_ipaddress(addr)) {
+ char *slash;
+ /*
+ * Some code sends us ip addresses with the /netmask
+ * suffix
+ */
+ slash = strchr(addr, '/');
+ if (slash == NULL) {
+ DEBUG(1, ("invalid msg_ip_dropped message: %s",
+ addr));
+ return;
+ }
+ freeit = talloc_strndup(talloc_tos(), addr, slash-addr);
+ if (freeit == NULL) {
+ DEBUG(1, ("talloc failed\n"));
+ return;
+ }
+ addr = freeit;
+ DEBUG(10, ("Stripped /netmask to IP %s\n", addr));
+ }
+
+ for (domain = domain_list(); domain != NULL; domain = domain->next) {
+ char sockaddr[INET6_ADDRSTRLEN];
+
+ if (!cli_state_is_connected(domain->conn.cli)) {
+ continue;
+ }
+
+ print_sockaddr(sockaddr, sizeof(sockaddr),
+ smbXcli_conn_local_sockaddr(domain->conn.cli->conn));
+
+ if (strequal(sockaddr, addr)) {
+ smbXcli_conn_disconnect(domain->conn.cli->conn, NT_STATUS_OK);
+ }
+ }
+ TALLOC_FREE(freeit);
+}
+
+void winbind_msg_disconnect_dc(struct messaging_context *msg_ctx,
+ void *private_data,
+ uint32_t msg_type,
+ struct server_id server_id,
+ DATA_BLOB *data)
+{
+ struct winbindd_domain *domain;
+
+ for (domain = domain_list(); domain; domain = domain->next) {
+ if (domain->internal) {
+ continue;
+ }
+ invalidate_cm_connection(domain);
+ }
+}
diff --git a/source3/winbindd/winbindd_cred_cache.c b/source3/winbindd/winbindd_cred_cache.c
new file mode 100644
index 0000000..bdc1604
--- /dev/null
+++ b/source3/winbindd/winbindd_cred_cache.c
@@ -0,0 +1,1061 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ Winbind daemon - krb5 credential cache functions
+ and in-memory cache functions.
+
+ Copyright (C) Guenther Deschner 2005-2006
+ Copyright (C) Jeremy Allison 2006
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "winbindd.h"
+#include "../libcli/auth/libcli_auth.h"
+#include "smb_krb5.h"
+#include "libads/kerberos_proto.h"
+#include "lib/global_contexts.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_WINBIND
+
+/* uncomment this to do fast debugging on the krb5 ticket renewal event */
+#ifdef DEBUG_KRB5_TKT_RENEWAL
+#undef DEBUG_KRB5_TKT_RENEWAL
+#endif
+
+#define MAX_CCACHES 100
+
+static struct WINBINDD_CCACHE_ENTRY *ccache_list;
+static void krb5_ticket_gain_handler(struct tevent_context *,
+ struct tevent_timer *,
+ struct timeval,
+ void *);
+static void add_krb5_ticket_gain_handler_event(struct WINBINDD_CCACHE_ENTRY *,
+ struct timeval);
+
+/* The Krb5 ticket refresh handler should be scheduled
+ at one-half of the period from now till the tkt
+ expiration */
+
+static time_t krb5_event_refresh_time(time_t end_time)
+{
+ time_t rest = end_time - time(NULL);
+ return end_time - rest/2;
+}
+
+/****************************************************************
+ Find an entry by name.
+****************************************************************/
+
+static struct WINBINDD_CCACHE_ENTRY *get_ccache_by_username(const char *username)
+{
+ struct WINBINDD_CCACHE_ENTRY *entry;
+
+ for (entry = ccache_list; entry; entry = entry->next) {
+ if (strequal(entry->username, username)) {
+ return entry;
+ }
+ }
+ return NULL;
+}
+
+/****************************************************************
+ How many do we have ?
+****************************************************************/
+
+static int ccache_entry_count(void)
+{
+ struct WINBINDD_CCACHE_ENTRY *entry;
+ int i = 0;
+
+ for (entry = ccache_list; entry; entry = entry->next) {
+ i++;
+ }
+ return i;
+}
+
+void ccache_remove_all_after_fork(void)
+{
+ struct WINBINDD_CCACHE_ENTRY *cur, *next;
+
+ for (cur = ccache_list; cur; cur = next) {
+ next = cur->next;
+ DLIST_REMOVE(ccache_list, cur);
+ TALLOC_FREE(cur->event);
+ TALLOC_FREE(cur);
+ }
+
+ return;
+}
+
+/****************************************************************
+ Do the work of refreshing the ticket.
+****************************************************************/
+
+static void krb5_ticket_refresh_handler(struct tevent_context *event_ctx,
+ struct tevent_timer *te,
+ struct timeval now,
+ void *private_data)
+{
+ struct WINBINDD_CCACHE_ENTRY *entry =
+ talloc_get_type_abort(private_data, struct WINBINDD_CCACHE_ENTRY);
+#ifdef HAVE_KRB5
+ int ret;
+ time_t new_start;
+ time_t expire_time = 0;
+ struct WINBINDD_MEMORY_CREDS *cred_ptr = entry->cred_ptr;
+#endif
+
+ DBG_DEBUG("event called for: %s, %s\n",
+ entry->ccname, entry->username);
+
+ TALLOC_FREE(entry->event);
+
+#ifdef HAVE_KRB5
+
+ /* Kinit again if we have the user password and we can't renew the old
+ * tgt anymore
+ * NB
+ * This happens when machine are put to sleep for a very long time. */
+
+ if (entry->renew_until < time(NULL)) {
+rekinit:
+ if (cred_ptr && cred_ptr->pass) {
+
+ set_effective_uid(entry->uid);
+
+ ret = kerberos_kinit_password_ext(entry->principal_name,
+ cred_ptr->pass,
+ 0, /* hm, can we do time correction here ? */
+ &entry->refresh_time,
+ &entry->renew_until,
+ entry->ccname,
+ False, /* no PAC required anymore */
+ True,
+ WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
+ NULL,
+ NULL,
+ NULL,
+ NULL);
+ gain_root_privilege();
+
+ if (ret) {
+ DEBUG(3,("krb5_ticket_refresh_handler: "
+ "could not re-kinit: %s\n",
+ error_message(ret)));
+ /* destroy the ticket because we cannot rekinit
+ * it, ignore error here */
+ ads_kdestroy(entry->ccname);
+
+ /* Don't break the ticket refresh chain: retry
+ * refreshing ticket sometime later when KDC is
+ * unreachable -- BoYang. More error code handling
+ * here?
+ * */
+
+ if ((ret == KRB5_KDC_UNREACH)
+ || (ret == KRB5_REALM_CANT_RESOLVE)) {
+#if defined(DEBUG_KRB5_TKT_RENEWAL)
+ new_start = time(NULL) + 30;
+#else
+ new_start = time(NULL) +
+ MAX(30, lp_winbind_cache_time());
+#endif
+ add_krb5_ticket_gain_handler_event(entry,
+ timeval_set(new_start, 0));
+ return;
+ }
+ TALLOC_FREE(entry->event);
+ return;
+ }
+
+ DEBUG(10,("krb5_ticket_refresh_handler: successful re-kinit "
+ "for: %s in ccache: %s\n",
+ entry->principal_name, entry->ccname));
+
+#if defined(DEBUG_KRB5_TKT_RENEWAL)
+ new_start = time(NULL) + 30;
+#else
+ /* The tkt should be refreshed at one-half the period
+ from now to the expiration time */
+ expire_time = entry->refresh_time;
+ new_start = krb5_event_refresh_time(entry->refresh_time);
+#endif
+ goto done;
+ } else {
+ /* can this happen?
+ * No cached credentials
+ * destroy ticket and refresh chain
+ * */
+ ads_kdestroy(entry->ccname);
+ TALLOC_FREE(entry->event);
+ return;
+ }
+ }
+
+ set_effective_uid(entry->uid);
+
+ ret = smb_krb5_renew_ticket(entry->ccname,
+ entry->canon_principal,
+ entry->service,
+ &new_start);
+#if defined(DEBUG_KRB5_TKT_RENEWAL)
+ new_start = time(NULL) + 30;
+#else
+ expire_time = new_start;
+ new_start = krb5_event_refresh_time(new_start);
+#endif
+
+ gain_root_privilege();
+
+ if (ret) {
+ DEBUG(3,("krb5_ticket_refresh_handler: "
+ "could not renew tickets: %s\n",
+ error_message(ret)));
+ /* maybe we are beyond the renewing window */
+
+ /* evil rises here, we refresh ticket failed,
+ * but the ticket might be expired. Therefore,
+ * When we refresh ticket failed, destory the
+ * ticket */
+
+ ads_kdestroy(entry->ccname);
+
+ /* avoid breaking the renewal chain: retry in
+ * lp_winbind_cache_time() seconds when the KDC was not
+ * available right now.
+ * the return code can be KRB5_REALM_CANT_RESOLVE.
+ * More error code handling here? */
+
+ if ((ret == KRB5_KDC_UNREACH)
+ || (ret == KRB5_REALM_CANT_RESOLVE)) {
+#if defined(DEBUG_KRB5_TKT_RENEWAL)
+ new_start = time(NULL) + 30;
+#else
+ new_start = time(NULL) +
+ MAX(30, lp_winbind_cache_time());
+#endif
+ /* ticket is destroyed here, we have to regain it
+ * if it is possible */
+ add_krb5_ticket_gain_handler_event(entry,
+ timeval_set(new_start, 0));
+ return;
+ }
+
+ /* This is evil, if the ticket was already expired.
+ * renew ticket function returns KRB5KRB_AP_ERR_TKT_EXPIRED.
+ * But there is still a chance that we can rekinit it.
+ *
+ * This happens when user login in online mode, and then network
+ * down or something cause winbind goes offline for a very long time,
+ * and then goes online again. ticket expired, renew failed.
+ * This happens when machine are put to sleep for a long time,
+ * but shorter than entry->renew_util.
+ * NB
+ * Looks like the KDC is reachable, we want to rekinit as soon as
+ * possible instead of waiting some time later. */
+ if ((ret == KRB5KRB_AP_ERR_TKT_EXPIRED)
+ || (ret == KRB5_FCC_NOFILE)) goto rekinit;
+
+ return;
+ }
+
+done:
+ /* in cases that ticket will be unrenewable soon, we don't try to renew ticket
+ * but try to regain ticket if it is possible */
+ if (entry->renew_until && expire_time
+ && (entry->renew_until <= expire_time)) {
+ /* try to regain ticket 10 seconds before expiration */
+ expire_time -= 10;
+ add_krb5_ticket_gain_handler_event(entry,
+ timeval_set(expire_time, 0));
+ return;
+ }
+
+ if (entry->refresh_time == 0) {
+ entry->refresh_time = new_start;
+ }
+ entry->event = tevent_add_timer(global_event_context(), entry,
+ timeval_set(new_start, 0),
+ krb5_ticket_refresh_handler,
+ entry);
+
+#endif
+}
+
+/****************************************************************
+ Do the work of regaining a ticket when coming from offline auth.
+****************************************************************/
+
+static void krb5_ticket_gain_handler(struct tevent_context *event_ctx,
+ struct tevent_timer *te,
+ struct timeval now,
+ void *private_data)
+{
+ struct WINBINDD_CCACHE_ENTRY *entry =
+ talloc_get_type_abort(private_data, struct WINBINDD_CCACHE_ENTRY);
+#ifdef HAVE_KRB5
+ int ret;
+ struct timeval t;
+ struct WINBINDD_MEMORY_CREDS *cred_ptr = entry->cred_ptr;
+ struct winbindd_domain *domain = NULL;
+#endif
+
+ DBG_DEBUG("event called for: %s, %s\n",
+ entry->ccname, entry->username);
+
+ TALLOC_FREE(entry->event);
+
+#ifdef HAVE_KRB5
+
+ if (!cred_ptr || !cred_ptr->pass) {
+ DEBUG(10,("krb5_ticket_gain_handler: no memory creds\n"));
+ return;
+ }
+
+ if ((domain = find_domain_from_name(entry->realm)) == NULL) {
+ DEBUG(0,("krb5_ticket_gain_handler: unknown domain\n"));
+ return;
+ }
+
+ if (!domain->online) {
+ goto retry_later;
+ }
+
+ set_effective_uid(entry->uid);
+
+ ret = kerberos_kinit_password_ext(entry->principal_name,
+ cred_ptr->pass,
+ 0, /* hm, can we do time correction here ? */
+ &entry->refresh_time,
+ &entry->renew_until,
+ entry->ccname,
+ False, /* no PAC required anymore */
+ True,
+ WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
+ NULL,
+ NULL,
+ NULL,
+ NULL);
+ gain_root_privilege();
+
+ if (ret) {
+ DEBUG(3,("krb5_ticket_gain_handler: "
+ "could not kinit: %s\n",
+ error_message(ret)));
+ /* evil. If we cannot do it, destroy any the __maybe__
+ * __existing__ ticket */
+ ads_kdestroy(entry->ccname);
+ goto retry_later;
+ }
+
+ DEBUG(10,("krb5_ticket_gain_handler: "
+ "successful kinit for: %s in ccache: %s\n",
+ entry->principal_name, entry->ccname));
+
+ goto got_ticket;
+
+ retry_later:
+
+#if defined(DEBUG_KRB5_TKT_RENEWAL)
+ t = timeval_set(time(NULL) + 30, 0);
+#else
+ t = timeval_current_ofs(MAX(30, lp_winbind_cache_time()), 0);
+#endif
+
+ add_krb5_ticket_gain_handler_event(entry, t);
+ return;
+
+ got_ticket:
+
+#if defined(DEBUG_KRB5_TKT_RENEWAL)
+ t = timeval_set(time(NULL) + 30, 0);
+#else
+ t = timeval_set(krb5_event_refresh_time(entry->refresh_time), 0);
+#endif
+
+ if (entry->refresh_time == 0) {
+ entry->refresh_time = t.tv_sec;
+ }
+ entry->event = tevent_add_timer(global_event_context(),
+ entry,
+ t,
+ krb5_ticket_refresh_handler,
+ entry);
+
+ return;
+#endif
+}
+
+/**************************************************************
+ The gain initial ticket case is recognised as entry->refresh_time
+ is always zero.
+**************************************************************/
+
+static void add_krb5_ticket_gain_handler_event(struct WINBINDD_CCACHE_ENTRY *entry,
+ struct timeval t)
+{
+ entry->refresh_time = 0;
+ entry->event = tevent_add_timer(global_event_context(),
+ entry,
+ t,
+ krb5_ticket_gain_handler,
+ entry);
+}
+
+void ccache_regain_all_now(void)
+{
+ struct WINBINDD_CCACHE_ENTRY *cur;
+ struct timeval t = timeval_current();
+
+ for (cur = ccache_list; cur; cur = cur->next) {
+ struct tevent_timer *new_event;
+
+ /*
+ * if refresh_time is 0, we know that the
+ * the event has the krb5_ticket_gain_handler
+ */
+ if (cur->refresh_time == 0) {
+ new_event = tevent_add_timer(global_event_context(),
+ cur,
+ t,
+ krb5_ticket_gain_handler,
+ cur);
+ } else {
+ new_event = tevent_add_timer(global_event_context(),
+ cur,
+ t,
+ krb5_ticket_refresh_handler,
+ cur);
+ }
+
+ if (!new_event) {
+ continue;
+ }
+
+ TALLOC_FREE(cur->event);
+ cur->event = new_event;
+ }
+
+ return;
+}
+
+/****************************************************************
+ Check if an ccache entry exists.
+****************************************************************/
+
+bool ccache_entry_exists(const char *username)
+{
+ struct WINBINDD_CCACHE_ENTRY *entry = get_ccache_by_username(username);
+ return (entry != NULL);
+}
+
+/****************************************************************
+ Ensure we're changing the correct entry.
+****************************************************************/
+
+bool ccache_entry_identical(const char *username,
+ uid_t uid,
+ const char *ccname)
+{
+ struct WINBINDD_CCACHE_ENTRY *entry = get_ccache_by_username(username);
+
+ if (!entry) {
+ return False;
+ }
+
+ if (entry->uid != uid) {
+ DEBUG(0,("cache_entry_identical: uid's differ: %u != %u\n",
+ (unsigned int)entry->uid, (unsigned int)uid));
+ return False;
+ }
+ if (!strcsequal(entry->ccname, ccname)) {
+ DEBUG(0,("cache_entry_identical: "
+ "ccnames differ: (cache) %s != (client) %s\n",
+ entry->ccname, ccname));
+ return False;
+ }
+ return True;
+}
+
+NTSTATUS add_ccache_to_list(const char *princ_name,
+ const char *ccname,
+ const char *username,
+ const char *pass,
+ const char *realm,
+ uid_t uid,
+ time_t create_time,
+ time_t ticket_end,
+ time_t renew_until,
+ bool postponed_request,
+ const char *canon_principal,
+ const char *canon_realm)
+{
+ struct WINBINDD_CCACHE_ENTRY *entry = NULL;
+ struct timeval t;
+ NTSTATUS ntret;
+
+ if ((username == NULL && princ_name == NULL) ||
+ ccname == NULL || uid == (uid_t)-1) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ if (ccache_entry_count() + 1 > MAX_CCACHES) {
+ DEBUG(10,("add_ccache_to_list: "
+ "max number of ccaches reached\n"));
+ return NT_STATUS_NO_MORE_ENTRIES;
+ }
+
+ /* Reference count old entries */
+ entry = get_ccache_by_username(username);
+ if (entry) {
+ /* Check cached entries are identical. */
+ if (!ccache_entry_identical(username, uid, ccname)) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ entry->ref_count++;
+ DEBUG(10,("add_ccache_to_list: "
+ "ref count on entry %s is now %d\n",
+ username, entry->ref_count));
+ /* FIXME: in this case we still might want to have a krb5 cred
+ * event handler created - gd
+ * Add ticket refresh handler here */
+
+ if (!lp_winbind_refresh_tickets() || renew_until <= 0) {
+ return NT_STATUS_OK;
+ }
+
+ if (!entry->event) {
+ if (postponed_request) {
+ t = timeval_current_ofs(MAX(30, lp_winbind_cache_time()), 0);
+ add_krb5_ticket_gain_handler_event(entry, t);
+ } else {
+ /* Renew at 1/2 the ticket expiration time */
+#if defined(DEBUG_KRB5_TKT_RENEWAL)
+ t = timeval_set(time(NULL)+30, 0);
+#else
+ t = timeval_set(krb5_event_refresh_time(ticket_end),
+ 0);
+#endif
+ if (!entry->refresh_time) {
+ entry->refresh_time = t.tv_sec;
+ }
+ entry->event = tevent_add_timer(global_event_context(),
+ entry,
+ t,
+ krb5_ticket_refresh_handler,
+ entry);
+ }
+
+ if (!entry->event) {
+ ntret = remove_ccache(username);
+ if (!NT_STATUS_IS_OK(ntret)) {
+ DEBUG(0, ("add_ccache_to_list: Failed to remove krb5 "
+ "ccache %s for user %s\n", entry->ccname,
+ entry->username));
+ DEBUG(0, ("add_ccache_to_list: error is %s\n",
+ nt_errstr(ntret)));
+ return ntret;
+ }
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ DEBUG(10,("add_ccache_to_list: added krb5_ticket handler\n"));
+
+ }
+
+ /*
+ * If we're set up to renew our krb5 tickets, we must
+ * cache the credentials in memory for the ticket
+ * renew function (or increase the reference count
+ * if we're logging in more than once). Fix inspired
+ * by patch from Ian Gordon <ian.gordon@strath.ac.uk>
+ * for bugid #9098.
+ */
+
+ ntret = winbindd_add_memory_creds(username, uid, pass);
+ DEBUG(10, ("winbindd_add_memory_creds returned: %s\n",
+ nt_errstr(ntret)));
+
+ return NT_STATUS_OK;
+ }
+
+ entry = talloc(NULL, struct WINBINDD_CCACHE_ENTRY);
+ if (!entry) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ ZERO_STRUCTP(entry);
+
+ if (username) {
+ entry->username = talloc_strdup(entry, username);
+ if (!entry->username) {
+ goto no_mem;
+ }
+ }
+ if (princ_name) {
+ entry->principal_name = talloc_strdup(entry, princ_name);
+ if (!entry->principal_name) {
+ goto no_mem;
+ }
+ }
+ if (canon_principal != NULL) {
+ entry->canon_principal = talloc_strdup(entry, canon_principal);
+ if (entry->canon_principal == NULL) {
+ goto no_mem;
+ }
+ }
+ if (canon_realm != NULL) {
+ entry->canon_realm = talloc_strdup(entry, canon_realm);
+ if (entry->canon_realm == NULL) {
+ goto no_mem;
+ }
+ }
+
+ entry->ccname = talloc_strdup(entry, ccname);
+ if (!entry->ccname) {
+ goto no_mem;
+ }
+
+ entry->realm = talloc_strdup(entry, realm);
+ if (!entry->realm) {
+ goto no_mem;
+ }
+
+ entry->service = talloc_asprintf(entry,
+ "%s/%s@%s",
+ KRB5_TGS_NAME,
+ canon_realm,
+ canon_realm);
+ if (entry->service == NULL) {
+ goto no_mem;
+ }
+
+ entry->create_time = create_time;
+ entry->renew_until = renew_until;
+ entry->uid = uid;
+ entry->ref_count = 1;
+
+ if (!lp_winbind_refresh_tickets() || renew_until <= 0) {
+ goto add_entry;
+ }
+
+ if (postponed_request) {
+ t = timeval_current_ofs(MAX(30, lp_winbind_cache_time()), 0);
+ add_krb5_ticket_gain_handler_event(entry, t);
+ } else {
+ /* Renew at 1/2 the ticket expiration time */
+#if defined(DEBUG_KRB5_TKT_RENEWAL)
+ t = timeval_set(time(NULL)+30, 0);
+#else
+ t = timeval_set(krb5_event_refresh_time(ticket_end), 0);
+#endif
+ if (entry->refresh_time == 0) {
+ entry->refresh_time = t.tv_sec;
+ }
+ entry->event = tevent_add_timer(global_event_context(),
+ entry,
+ t,
+ krb5_ticket_refresh_handler,
+ entry);
+ }
+
+ if (!entry->event) {
+ goto no_mem;
+ }
+
+ DEBUG(10,("add_ccache_to_list: added krb5_ticket handler\n"));
+
+ add_entry:
+
+ DLIST_ADD(ccache_list, entry);
+
+ DBG_DEBUG("Added ccache [%s] for user [%s] and service [%s]\n",
+ entry->ccname, entry->username, entry->service);
+
+ if (entry->event) {
+ /*
+ * If we're set up to renew our krb5 tickets, we must
+ * cache the credentials in memory for the ticket
+ * renew function. Fix inspired by patch from
+ * Ian Gordon <ian.gordon@strath.ac.uk> for
+ * bugid #9098.
+ */
+
+ ntret = winbindd_add_memory_creds(username, uid, pass);
+ DEBUG(10, ("winbindd_add_memory_creds returned: %s\n",
+ nt_errstr(ntret)));
+ }
+
+ return NT_STATUS_OK;
+
+ no_mem:
+
+ TALLOC_FREE(entry);
+ return NT_STATUS_NO_MEMORY;
+}
+
+/*******************************************************************
+ Remove a WINBINDD_CCACHE_ENTRY entry and the krb5 ccache if no longer
+ referenced.
+ *******************************************************************/
+
+NTSTATUS remove_ccache(const char *username)
+{
+ struct WINBINDD_CCACHE_ENTRY *entry = get_ccache_by_username(username);
+ NTSTATUS status = NT_STATUS_OK;
+#ifdef HAVE_KRB5
+ krb5_error_code ret;
+#endif
+
+ if (!entry) {
+ return NT_STATUS_OBJECT_NAME_NOT_FOUND;
+ }
+
+ if (entry->ref_count <= 0) {
+ DEBUG(0,("remove_ccache: logic error. "
+ "ref count for user %s = %d\n",
+ username, entry->ref_count));
+ return NT_STATUS_INTERNAL_DB_CORRUPTION;
+ }
+
+ entry->ref_count--;
+
+ if (entry->ref_count > 0) {
+ DEBUG(10,("remove_ccache: entry %s ref count now %d\n",
+ username, entry->ref_count));
+ return NT_STATUS_OK;
+ }
+
+ /* no references any more */
+
+ DLIST_REMOVE(ccache_list, entry);
+ TALLOC_FREE(entry->event); /* unregisters events */
+
+#ifdef HAVE_KRB5
+ ret = ads_kdestroy(entry->ccname);
+
+ /* we ignore the error when there has been no credential cache */
+ if (ret == KRB5_FCC_NOFILE) {
+ ret = 0;
+ } else if (ret) {
+ DEBUG(0,("remove_ccache: "
+ "failed to destroy user krb5 ccache %s with: %s\n",
+ entry->ccname, error_message(ret)));
+ } else {
+ DEBUG(10,("remove_ccache: "
+ "successfully destroyed krb5 ccache %s for user %s\n",
+ entry->ccname, username));
+ }
+ status = krb5_to_nt_status(ret);
+#endif
+
+ TALLOC_FREE(entry);
+ DEBUG(10,("remove_ccache: removed ccache for user %s\n", username));
+
+ return status;
+}
+
+/*******************************************************************
+ In memory credentials cache code.
+*******************************************************************/
+
+static struct WINBINDD_MEMORY_CREDS *memory_creds_list;
+
+/***********************************************************
+ Find an entry on the list by name.
+***********************************************************/
+
+struct WINBINDD_MEMORY_CREDS *find_memory_creds_by_name(const char *username)
+{
+ struct WINBINDD_MEMORY_CREDS *p;
+
+ for (p = memory_creds_list; p; p = p->next) {
+ if (strequal(p->username, username)) {
+ return p;
+ }
+ }
+ return NULL;
+}
+
+/***********************************************************
+ Store the required creds and mlock them.
+***********************************************************/
+
+static NTSTATUS store_memory_creds(struct WINBINDD_MEMORY_CREDS *memcredp,
+ const char *pass)
+{
+#if !defined(HAVE_MLOCK)
+ return NT_STATUS_OK;
+#else
+ /* new_entry->nt_hash is the base pointer for the block
+ of memory pointed into by new_entry->lm_hash and
+ new_entry->pass (if we're storing plaintext). */
+
+ memcredp->len = NT_HASH_LEN + LM_HASH_LEN;
+ if (pass) {
+ memcredp->len += strlen(pass)+1;
+ }
+
+
+#if defined(LINUX)
+ /* aligning the memory on on x86_64 and compiling
+ with gcc 4.1 using -O2 causes a segv in the
+ next memset() --jerry */
+ memcredp->nt_hash = SMB_MALLOC_ARRAY(unsigned char, memcredp->len);
+#else
+ /* On non-linux platforms, mlock()'d memory must be aligned */
+ memcredp->nt_hash = SMB_MEMALIGN_ARRAY(unsigned char,
+ getpagesize(), memcredp->len);
+#endif
+ if (!memcredp->nt_hash) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ memset(memcredp->nt_hash, 0x0, memcredp->len);
+
+ memcredp->lm_hash = memcredp->nt_hash + NT_HASH_LEN;
+
+#ifdef DEBUG_PASSWORD
+ DEBUG(10,("mlocking memory: %p\n", memcredp->nt_hash));
+#endif
+ if ((mlock(memcredp->nt_hash, memcredp->len)) == -1) {
+ DEBUG(0,("failed to mlock memory: %s (%d)\n",
+ strerror(errno), errno));
+ SAFE_FREE(memcredp->nt_hash);
+ return map_nt_error_from_unix(errno);
+ }
+
+#ifdef DEBUG_PASSWORD
+ DEBUG(10,("mlocked memory: %p\n", memcredp->nt_hash));
+#endif
+
+ if (pass) {
+ /* Create and store the password hashes. */
+ E_md4hash(pass, memcredp->nt_hash);
+ E_deshash(pass, memcredp->lm_hash);
+
+ memcredp->pass = (char *)memcredp->lm_hash + LM_HASH_LEN;
+ memcpy(memcredp->pass, pass,
+ memcredp->len - NT_HASH_LEN - LM_HASH_LEN);
+ }
+
+ return NT_STATUS_OK;
+#endif
+}
+
+/***********************************************************
+ Destroy existing creds.
+***********************************************************/
+
+static NTSTATUS delete_memory_creds(struct WINBINDD_MEMORY_CREDS *memcredp)
+{
+#if !defined(HAVE_MUNLOCK)
+ return NT_STATUS_OK;
+#else
+ if (munlock(memcredp->nt_hash, memcredp->len) == -1) {
+ DEBUG(0,("failed to munlock memory: %s (%d)\n",
+ strerror(errno), errno));
+ return map_nt_error_from_unix(errno);
+ }
+ memset(memcredp->nt_hash, '\0', memcredp->len);
+ SAFE_FREE(memcredp->nt_hash);
+ memcredp->nt_hash = NULL;
+ memcredp->lm_hash = NULL;
+ memcredp->pass = NULL;
+ memcredp->len = 0;
+ return NT_STATUS_OK;
+#endif
+}
+
+/***********************************************************
+ Replace the required creds with new ones (password change).
+***********************************************************/
+
+static NTSTATUS winbindd_replace_memory_creds_internal(struct WINBINDD_MEMORY_CREDS *memcredp,
+ const char *pass)
+{
+ NTSTATUS status = delete_memory_creds(memcredp);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ return store_memory_creds(memcredp, pass);
+}
+
+/*************************************************************
+ Store credentials in memory in a list.
+*************************************************************/
+
+static NTSTATUS winbindd_add_memory_creds_internal(const char *username,
+ uid_t uid,
+ const char *pass)
+{
+ /* Shortcut to ensure we don't store if no mlock. */
+#if !defined(HAVE_MLOCK) || !defined(HAVE_MUNLOCK)
+ return NT_STATUS_OK;
+#else
+ NTSTATUS status;
+ struct WINBINDD_MEMORY_CREDS *memcredp = NULL;
+
+ memcredp = find_memory_creds_by_name(username);
+ if (uid == (uid_t)-1) {
+ DEBUG(0,("winbindd_add_memory_creds_internal: "
+ "invalid uid for user %s.\n", username));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ if (memcredp) {
+ /* Already exists. Increment the reference count and replace stored creds. */
+ if (uid != memcredp->uid) {
+ DEBUG(0,("winbindd_add_memory_creds_internal: "
+ "uid %u for user %s doesn't "
+ "match stored uid %u. Replacing.\n",
+ (unsigned int)uid, username,
+ (unsigned int)memcredp->uid));
+ memcredp->uid = uid;
+ }
+ memcredp->ref_count++;
+ DEBUG(10,("winbindd_add_memory_creds_internal: "
+ "ref count for user %s is now %d\n",
+ username, memcredp->ref_count));
+ return winbindd_replace_memory_creds_internal(memcredp, pass);
+ }
+
+ memcredp = talloc_zero(NULL, struct WINBINDD_MEMORY_CREDS);
+ if (!memcredp) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ memcredp->username = talloc_strdup(memcredp, username);
+ if (!memcredp->username) {
+ talloc_destroy(memcredp);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ status = store_memory_creds(memcredp, pass);
+ if (!NT_STATUS_IS_OK(status)) {
+ talloc_destroy(memcredp);
+ return status;
+ }
+
+ memcredp->uid = uid;
+ memcredp->ref_count = 1;
+ DLIST_ADD(memory_creds_list, memcredp);
+
+ DEBUG(10,("winbindd_add_memory_creds_internal: "
+ "added entry for user %s\n", username));
+
+ return NT_STATUS_OK;
+#endif
+}
+
+/*************************************************************
+ Store users credentials in memory. If we also have a
+ struct WINBINDD_CCACHE_ENTRY for this username with a
+ refresh timer, then store the plaintext of the password
+ and associate the new credentials with the struct WINBINDD_CCACHE_ENTRY.
+*************************************************************/
+
+NTSTATUS winbindd_add_memory_creds(const char *username,
+ uid_t uid,
+ const char *pass)
+{
+ struct WINBINDD_CCACHE_ENTRY *entry = get_ccache_by_username(username);
+ NTSTATUS status;
+
+ status = winbindd_add_memory_creds_internal(username, uid, pass);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ if (entry) {
+ struct WINBINDD_MEMORY_CREDS *memcredp = NULL;
+ memcredp = find_memory_creds_by_name(username);
+ if (memcredp) {
+ entry->cred_ptr = memcredp;
+ }
+ }
+
+ return status;
+}
+
+/*************************************************************
+ Decrement the in-memory ref count - delete if zero.
+*************************************************************/
+
+NTSTATUS winbindd_delete_memory_creds(const char *username)
+{
+ struct WINBINDD_MEMORY_CREDS *memcredp = NULL;
+ struct WINBINDD_CCACHE_ENTRY *entry = NULL;
+ NTSTATUS status = NT_STATUS_OK;
+
+ memcredp = find_memory_creds_by_name(username);
+ entry = get_ccache_by_username(username);
+
+ if (!memcredp) {
+ DEBUG(10,("winbindd_delete_memory_creds: unknown user %s\n",
+ username));
+ return NT_STATUS_OBJECT_NAME_NOT_FOUND;
+ }
+
+ if (memcredp->ref_count <= 0) {
+ DEBUG(0,("winbindd_delete_memory_creds: logic error. "
+ "ref count for user %s = %d\n",
+ username, memcredp->ref_count));
+ status = NT_STATUS_INTERNAL_DB_CORRUPTION;
+ }
+
+ memcredp->ref_count--;
+ if (memcredp->ref_count <= 0) {
+ delete_memory_creds(memcredp);
+ DLIST_REMOVE(memory_creds_list, memcredp);
+ talloc_destroy(memcredp);
+ DEBUG(10,("winbindd_delete_memory_creds: "
+ "deleted entry for user %s\n",
+ username));
+ } else {
+ DEBUG(10,("winbindd_delete_memory_creds: "
+ "entry for user %s ref_count now %d\n",
+ username, memcredp->ref_count));
+ }
+
+ if (entry) {
+ /* Ensure we have no dangling references to this. */
+ entry->cred_ptr = NULL;
+ }
+
+ return status;
+}
+
+/***********************************************************
+ Replace the required creds with new ones (password change).
+***********************************************************/
+
+NTSTATUS winbindd_replace_memory_creds(const char *username,
+ const char *pass)
+{
+ struct WINBINDD_MEMORY_CREDS *memcredp = NULL;
+
+ memcredp = find_memory_creds_by_name(username);
+ if (!memcredp) {
+ DEBUG(10,("winbindd_replace_memory_creds: unknown user %s\n",
+ username));
+ return NT_STATUS_OBJECT_NAME_NOT_FOUND;
+ }
+
+ DEBUG(10,("winbindd_replace_memory_creds: replaced creds for user %s\n",
+ username));
+
+ return winbindd_replace_memory_creds_internal(memcredp, pass);
+}
diff --git a/source3/winbindd/winbindd_creds.c b/source3/winbindd/winbindd_creds.c
new file mode 100644
index 0000000..97262bb
--- /dev/null
+++ b/source3/winbindd/winbindd_creds.c
@@ -0,0 +1,147 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ Winbind daemon - cached credentials funcions
+
+ Copyright (C) Guenther Deschner 2005
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "winbindd.h"
+#include "../libcli/auth/libcli_auth.h"
+#include "../libcli/security/security.h"
+#include "libsmb/samlogon_cache.h"
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_WINBIND
+
+#define MAX_CACHED_LOGINS 10
+
+NTSTATUS winbindd_get_creds(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ const struct dom_sid *sid,
+ struct netr_SamInfo3 **info3,
+ const uint8_t **cached_nt_pass,
+ const uint8_t **cred_salt)
+{
+ struct netr_SamInfo3 *info;
+ NTSTATUS status;
+
+ status = wcache_get_creds(domain, mem_ctx, sid, cached_nt_pass, cred_salt);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ info = netsamlogon_cache_get(mem_ctx, sid);
+ if (info == NULL) {
+ return NT_STATUS_OBJECT_NAME_NOT_FOUND;
+ }
+
+ *info3 = info;
+
+ return NT_STATUS_OK;
+}
+
+
+NTSTATUS winbindd_store_creds(struct winbindd_domain *domain,
+ const char *user,
+ const char *pass,
+ struct netr_SamInfo3 *info3)
+{
+ NTSTATUS status;
+ uchar nt_pass[NT_HASH_LEN];
+ struct dom_sid cred_sid;
+
+ if (info3 != NULL) {
+
+ sid_compose(&cred_sid, info3->base.domain_sid,
+ info3->base.rid);
+ info3->base.user_flags |= NETLOGON_CACHED_ACCOUNT;
+
+ } else if (user != NULL) {
+
+ /* do lookup ourself */
+
+ enum lsa_SidType type;
+
+ if (!lookup_cached_name(domain->name, /* namespace */
+ domain->name,
+ user,
+ &cred_sid,
+ &type)) {
+ return NT_STATUS_NO_SUCH_USER;
+ }
+ } else {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ if (pass) {
+
+ int count = 0;
+
+ status = wcache_count_cached_creds(domain, &count);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ DEBUG(11,("we have %d cached creds\n", count));
+
+ if (count + 1 > MAX_CACHED_LOGINS) {
+
+ DEBUG(10,("need to delete the oldest cached login\n"));
+
+ status = wcache_remove_oldest_cached_creds(domain, &cred_sid);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(10,("failed to remove oldest cached cred: %s\n",
+ nt_errstr(status)));
+ return status;
+ }
+ }
+
+ E_md4hash(pass, nt_pass);
+
+ dump_data_pw("nt_pass", nt_pass, NT_HASH_LEN);
+
+ status = wcache_save_creds(domain, &cred_sid, nt_pass);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ }
+
+ if (info3 != NULL && user != NULL) {
+ if (!netsamlogon_cache_store(user, info3)) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+ }
+
+ return NT_STATUS_OK;
+}
+
+NTSTATUS winbindd_update_creds_by_info3(struct winbindd_domain *domain,
+ const char *user,
+ const char *pass,
+ struct netr_SamInfo3 *info3)
+{
+ return winbindd_store_creds(domain, user, pass, info3);
+}
+
+NTSTATUS winbindd_update_creds_by_name(struct winbindd_domain *domain,
+ const char *user,
+ const char *pass)
+{
+ return winbindd_store_creds(domain, user, pass, NULL);
+}
+
+
diff --git a/source3/winbindd/winbindd_domain.c b/source3/winbindd/winbindd_domain.c
new file mode 100644
index 0000000..b102773
--- /dev/null
+++ b/source3/winbindd/winbindd_domain.c
@@ -0,0 +1,37 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ Winbind domain child functions
+
+ Copyright (C) Stefan Metzmacher 2007
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "winbindd.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_WINBIND
+
+void setup_domain_child(struct winbindd_domain *domain)
+{
+ int i;
+
+ for (i=0; i<lp_winbind_max_domain_connections(); i++) {
+ setup_child(domain, &domain->children[i],
+ "log.wb", domain->name);
+ domain->children[i].domain = domain;
+ }
+}
diff --git a/source3/winbindd/winbindd_domain_info.c b/source3/winbindd/winbindd_domain_info.c
new file mode 100644
index 0000000..c4364d9
--- /dev/null
+++ b/source3/winbindd/winbindd_domain_info.c
@@ -0,0 +1,141 @@
+/*
+ * Unix SMB/CIFS implementation.
+ * async implementation of WINBINDD_DOMAIN_INFO
+ * Copyright (C) Volker Lendecke 2018
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "includes.h"
+#include "winbindd.h"
+#include "lib/util/string_wrappers.h"
+#include "lib/global_contexts.h"
+#include "librpc/gen_ndr/ndr_winbind_c.h"
+
+struct winbindd_domain_info_state {
+ struct winbindd_domain *domain;
+ uint32_t in;
+ uint32_t out;
+};
+
+static void winbindd_domain_info_done(struct tevent_req *subreq);
+
+struct tevent_req *winbindd_domain_info_send(
+ TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request)
+{
+ struct tevent_req *req, *subreq;
+ struct winbindd_domain_info_state *state;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct winbindd_domain_info_state);
+ if (req == NULL) {
+ return NULL;
+ }
+
+ DEBUG(3, ("[%5lu]: domain_info [%s]\n", (unsigned long)cli->pid,
+ cli->request->domain_name));
+
+ state->domain = find_domain_from_name_noinit(
+ cli->request->domain_name);
+
+ if (state->domain == NULL) {
+ DEBUG(3, ("Did not find domain [%s]\n",
+ cli->request->domain_name));
+ tevent_req_nterror(req, NT_STATUS_NO_SUCH_DOMAIN);
+ return tevent_req_post(req, ev);
+ }
+
+ if (state->domain->initialized) {
+ tevent_req_done(req);
+ return tevent_req_post(req, ev);
+ }
+
+ /*
+ * Send a ping down. This implicitly initializes the domain.
+ */
+
+ state->in = cli->pid;
+ state->out = 0;
+ subreq = dcerpc_wbint_Ping_send(state,
+ global_event_context(),
+ dom_child_handle(state->domain),
+ state->in,
+ &state->out);
+ if (tevent_req_nomem(subreq, req)) {
+ return tevent_req_post(req, ev);
+ }
+ tevent_req_set_callback(subreq, winbindd_domain_info_done, req);
+
+ return req;
+}
+
+static void winbindd_domain_info_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct winbindd_domain_info_state *state = tevent_req_data(
+ req, struct winbindd_domain_info_state);
+ NTSTATUS status, result;
+
+ status = dcerpc_wbint_Ping_recv(subreq, state, &result);
+ TALLOC_FREE(subreq);
+ if (tevent_req_nterror(req, status)) {
+ DBG_NOTICE("dcerpc_wbint_Ping call failed: %s\n",
+ nt_errstr(status));
+ return;
+ }
+
+ if (tevent_req_nterror(req, result)) {
+ DBG_NOTICE("dcerpc_wbint_Ping failed: %s\n",
+ nt_errstr(result));
+ return;
+ }
+
+ if (!state->domain->initialized) {
+ DBG_INFO("dcerpc_wbint_Ping did not initialize domain %s\n",
+ state->domain->name);
+ tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
+ return;
+ }
+
+ tevent_req_done(req);
+}
+
+NTSTATUS winbindd_domain_info_recv(struct tevent_req *req,
+ struct winbindd_response *response)
+{
+ struct winbindd_domain_info_state *state = tevent_req_data(
+ req, struct winbindd_domain_info_state);
+ struct winbindd_domain *domain = state->domain;
+ NTSTATUS status;
+
+ if (tevent_req_is_nterror(req, &status)) {
+ DBG_NOTICE("winbindd_domain_info failed: %s\n",
+ nt_errstr(status));
+ return status;
+ }
+
+ fstrcpy(response->data.domain_info.name, domain->name);
+ fstrcpy(response->data.domain_info.alt_name, domain->alt_name);
+ sid_to_fstring(response->data.domain_info.sid, &domain->sid);
+
+ response->data.domain_info.native_mode = domain->native_mode;
+ response->data.domain_info.active_directory = domain->active_directory;
+ response->data.domain_info.primary = domain->primary;
+
+ return NT_STATUS_OK;
+}
diff --git a/source3/winbindd/winbindd_dsgetdcname.c b/source3/winbindd/winbindd_dsgetdcname.c
new file mode 100644
index 0000000..9dadeab
--- /dev/null
+++ b/source3/winbindd/winbindd_dsgetdcname.c
@@ -0,0 +1,200 @@
+/*
+ Unix SMB/CIFS implementation.
+ async implementation of WINBINDD_DSGETDCNAME
+ Copyright (C) Volker Lendecke 2009
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "util/debug.h"
+#include "winbindd.h"
+#include "librpc/gen_ndr/ndr_winbind_c.h"
+#include "lib/util/string_wrappers.h"
+
+struct winbindd_dsgetdcname_state {
+ struct GUID guid;
+ struct netr_DsRGetDCNameInfo *dc_info;
+};
+
+static uint32_t get_dsgetdc_flags(uint32_t wbc_flags);
+static void winbindd_dsgetdcname_done(struct tevent_req *subreq);
+
+struct tevent_req *winbindd_dsgetdcname_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request)
+{
+ struct tevent_req *req, *subreq;
+ struct dcerpc_binding_handle *child_binding_handle = NULL;
+ struct winbindd_dsgetdcname_state *state;
+ struct GUID *guid_ptr = NULL;
+ uint32_t ds_flags = 0;
+ NTSTATUS status;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct winbindd_dsgetdcname_state);
+ if (req == NULL) {
+ return NULL;
+ }
+
+ D_NOTICE("[%s (%u)] Winbind external command DSGETDCNAME start.\n",
+ cli->client_name,
+ (unsigned int)cli->pid);
+
+ request->data.dsgetdcname.domain_name
+ [sizeof(request->data.dsgetdcname.domain_name)-1] = '\0';
+ request->data.dsgetdcname.site_name
+ [sizeof(request->data.dsgetdcname.site_name)-1] = '\0';
+ request->data.dsgetdcname.domain_guid
+ [sizeof(request->data.dsgetdcname.domain_guid)-1] = '\0';
+
+ D_NOTICE("Calling DsGetDcName for domain '%s'.\n",
+ request->data.dsgetdcname.domain_name);
+
+ ds_flags = get_dsgetdc_flags(request->data.dsgetdcname.flags);
+
+ status = GUID_from_string(request->data.dsgetdcname.domain_guid,
+ &state->guid);
+ if (NT_STATUS_IS_OK(status) && !GUID_all_zero(&state->guid)) {
+ guid_ptr = &state->guid;
+ }
+
+ child_binding_handle = locator_child_handle();
+
+ subreq = dcerpc_wbint_DsGetDcName_send(
+ state, ev, child_binding_handle,
+ request->data.dsgetdcname.domain_name, guid_ptr,
+ request->data.dsgetdcname.site_name,
+ ds_flags, &state->dc_info);
+ if (tevent_req_nomem(subreq, req)) {
+ return tevent_req_post(req, ev);
+ }
+ tevent_req_set_callback(subreq, winbindd_dsgetdcname_done, req);
+ return req;
+}
+
+static void winbindd_dsgetdcname_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct winbindd_dsgetdcname_state *state = tevent_req_data(
+ req, struct winbindd_dsgetdcname_state);
+ NTSTATUS status, result;
+
+ status = dcerpc_wbint_DsGetDcName_recv(subreq, state, &result);
+ TALLOC_FREE(subreq);
+ if (any_nt_status_not_ok(status, result, &status)) {
+ tevent_req_nterror(req, status);
+ return;
+ }
+ tevent_req_done(req);
+}
+
+NTSTATUS winbindd_dsgetdcname_recv(struct tevent_req *req,
+ struct winbindd_response *response)
+{
+ struct winbindd_dsgetdcname_state *state = tevent_req_data(
+ req, struct winbindd_dsgetdcname_state);
+ struct GUID_txt_buf guid_str_buf;
+ char *guid_str;
+ NTSTATUS status;
+
+ D_NOTICE("Winbind external command DSGETDCNAME end.\n");
+ if (tevent_req_is_nterror(req, &status)) {
+ D_WARNING("Failed with: %s\n", nt_errstr(status));
+ return status;
+ }
+
+ fstrcpy(response->data.dsgetdcname.dc_unc,
+ state->dc_info->dc_unc);
+ fstrcpy(response->data.dsgetdcname.dc_address,
+ state->dc_info->dc_address);
+ response->data.dsgetdcname.dc_address_type =
+ state->dc_info->dc_address_type;
+
+ guid_str = GUID_buf_string(&state->dc_info->domain_guid,
+ &guid_str_buf);
+ fstrcpy(response->data.dsgetdcname.domain_guid, guid_str);
+
+ fstrcpy(response->data.dsgetdcname.domain_name,
+ state->dc_info->domain_name);
+ fstrcpy(response->data.dsgetdcname.forest_name,
+ state->dc_info->forest_name);
+ response->data.dsgetdcname.dc_flags = state->dc_info->dc_flags;
+ fstrcpy(response->data.dsgetdcname.dc_site_name,
+ state->dc_info->dc_site_name);
+ fstrcpy(response->data.dsgetdcname.client_site_name,
+ state->dc_info->client_site_name);
+
+ return NT_STATUS_OK;
+}
+
+static uint32_t get_dsgetdc_flags(uint32_t wbc_flags)
+{
+ struct wbc_flag_map {
+ uint32_t wbc_dc_flag;
+ uint32_t ds_dc_flags;
+ } lookup_dc_flags[] = {
+ { WBC_LOOKUP_DC_FORCE_REDISCOVERY,
+ DS_FORCE_REDISCOVERY },
+ { WBC_LOOKUP_DC_DS_REQUIRED,
+ DS_DIRECTORY_SERVICE_REQUIRED },
+ { WBC_LOOKUP_DC_DS_PREFERRED,
+ DS_DIRECTORY_SERVICE_PREFERRED},
+ { WBC_LOOKUP_DC_GC_SERVER_REQUIRED,
+ DS_GC_SERVER_REQUIRED },
+ { WBC_LOOKUP_DC_PDC_REQUIRED,
+ DS_PDC_REQUIRED},
+ { WBC_LOOKUP_DC_BACKGROUND_ONLY,
+ DS_BACKGROUND_ONLY },
+ { WBC_LOOKUP_DC_IP_REQUIRED,
+ DS_IP_REQUIRED },
+ { WBC_LOOKUP_DC_KDC_REQUIRED,
+ DS_KDC_REQUIRED },
+ { WBC_LOOKUP_DC_TIMESERV_REQUIRED,
+ DS_TIMESERV_REQUIRED },
+ { WBC_LOOKUP_DC_WRITABLE_REQUIRED,
+ DS_WRITABLE_REQUIRED },
+ { WBC_LOOKUP_DC_GOOD_TIMESERV_PREFERRED,
+ DS_GOOD_TIMESERV_PREFERRED },
+ { WBC_LOOKUP_DC_AVOID_SELF,
+ DS_AVOID_SELF },
+ { WBC_LOOKUP_DC_ONLY_LDAP_NEEDED,
+ DS_ONLY_LDAP_NEEDED },
+ { WBC_LOOKUP_DC_IS_FLAT_NAME,
+ DS_IS_FLAT_NAME },
+ { WBC_LOOKUP_DC_IS_DNS_NAME,
+ DS_IS_DNS_NAME },
+ { WBC_LOOKUP_DC_TRY_NEXTCLOSEST_SITE,
+ DS_TRY_NEXTCLOSEST_SITE },
+ { WBC_LOOKUP_DC_DS_6_REQUIRED,
+ DS_DIRECTORY_SERVICE_6_REQUIRED },
+ { WBC_LOOKUP_DC_RETURN_DNS_NAME,
+ DS_RETURN_DNS_NAME },
+ { WBC_LOOKUP_DC_RETURN_FLAT_NAME,
+ DS_RETURN_FLAT_NAME }
+ };
+
+ uint32_t ds_flags = 0;
+ size_t i = 0;
+
+ for (i=0; i<ARRAY_SIZE(lookup_dc_flags); i++) {
+ if (wbc_flags & lookup_dc_flags[i].wbc_dc_flag) {
+ ds_flags |= lookup_dc_flags[i].ds_dc_flags;
+ }
+ }
+
+ return ds_flags;
+}
diff --git a/source3/winbindd/winbindd_dual.c b/source3/winbindd/winbindd_dual.c
new file mode 100644
index 0000000..3ab3e63
--- /dev/null
+++ b/source3/winbindd/winbindd_dual.c
@@ -0,0 +1,2063 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ Winbind child daemons
+
+ Copyright (C) Andrew Tridgell 2002
+ Copyright (C) Volker Lendecke 2004,2005
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+/*
+ * We fork a child per domain to be able to act non-blocking in the main
+ * winbind daemon. A domain controller thousands of miles away being being
+ * slow replying with a 10.000 user list should not hold up netlogon calls
+ * that can be handled locally.
+ */
+
+#include "includes.h"
+#include "winbindd.h"
+#include "rpc_client/rpc_client.h"
+#include "nsswitch/wb_reqtrans.h"
+#include "secrets.h"
+#include "../lib/util/select.h"
+#include "winbindd_traceid.h"
+#include "../libcli/security/security.h"
+#include "system/select.h"
+#include "messages.h"
+#include "../lib/util/tevent_unix.h"
+#include "lib/param/loadparm.h"
+#include "lib/util/sys_rw.h"
+#include "lib/util/sys_rw_data.h"
+#include "passdb.h"
+#include "lib/util/string_wrappers.h"
+#include "lib/global_contexts.h"
+#include "idmap.h"
+#include "libcli/auth/netlogon_creds_cli.h"
+#include "../lib/util/pidfile.h"
+#include "librpc/gen_ndr/ndr_winbind_c.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_WINBIND
+
+static void forall_domain_children(bool (*fn)(struct winbindd_child *c,
+ void *private_data),
+ void *private_data)
+{
+ struct winbindd_domain *d;
+
+ for (d = domain_list(); d != NULL; d = d->next) {
+ int i;
+
+ for (i = 0; i < lp_winbind_max_domain_connections(); i++) {
+ struct winbindd_child *c = &d->children[i];
+ bool ok;
+
+ if (c->pid == 0) {
+ continue;
+ }
+
+ ok = fn(c, private_data);
+ if (!ok) {
+ return;
+ }
+ }
+ }
+}
+
+static void forall_children(bool (*fn)(struct winbindd_child *c,
+ void *private_data),
+ void *private_data)
+{
+ struct winbindd_child *c;
+ bool ok;
+
+ c = idmap_child();
+ if (c->pid != 0) {
+ ok = fn(c, private_data);
+ if (!ok) {
+ return;
+ }
+ }
+
+ c = locator_child();
+ if (c->pid != 0) {
+ ok = fn(c, private_data);
+ if (!ok) {
+ return;
+ }
+ }
+
+ forall_domain_children(fn, private_data);
+}
+
+/* Read some data from a client connection */
+
+static NTSTATUS child_read_request(int sock, struct winbindd_request *wreq)
+{
+ NTSTATUS status;
+
+ status = read_data_ntstatus(sock, (char *)wreq, sizeof(*wreq));
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(3, ("child_read_request: read_data failed: %s\n",
+ nt_errstr(status)));
+ return status;
+ }
+
+ if (wreq->extra_len == 0) {
+ wreq->extra_data.data = NULL;
+ return NT_STATUS_OK;
+ }
+
+ DEBUG(10, ("Need to read %d extra bytes\n", (int)wreq->extra_len));
+
+ wreq->extra_data.data = SMB_MALLOC_ARRAY(char, wreq->extra_len + 1);
+ if (wreq->extra_data.data == NULL) {
+ DEBUG(0, ("malloc failed\n"));
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ /* Ensure null termination */
+ wreq->extra_data.data[wreq->extra_len] = '\0';
+
+ status = read_data_ntstatus(sock, wreq->extra_data.data,
+ wreq->extra_len);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("Could not read extra data: %s\n",
+ nt_errstr(status)));
+ }
+ return status;
+}
+
+static NTSTATUS child_write_response(int sock, struct winbindd_response *wrsp)
+{
+ struct iovec iov[2];
+ int iov_count;
+
+ iov[0].iov_base = (void *)wrsp;
+ iov[0].iov_len = sizeof(struct winbindd_response);
+ iov_count = 1;
+
+ if (wrsp->length > sizeof(struct winbindd_response)) {
+ iov[1].iov_base = (void *)wrsp->extra_data.data;
+ iov[1].iov_len = wrsp->length-iov[0].iov_len;
+ iov_count = 2;
+ }
+
+ DEBUG(10, ("Writing %d bytes to parent\n", (int)wrsp->length));
+
+ if (write_data_iov(sock, iov, iov_count) != wrsp->length) {
+ DEBUG(0, ("Could not write result\n"));
+ return NT_STATUS_INVALID_HANDLE;
+ }
+
+ return NT_STATUS_OK;
+}
+
+/*
+ * Do winbind child async request. This is not simply wb_simple_trans. We have
+ * to do the queueing ourselves because while a request is queued, the child
+ * might have crashed, and we have to re-fork it in the _trigger function.
+ */
+
+struct wb_child_request_state {
+ struct tevent_context *ev;
+ struct tevent_req *queue_subreq;
+ struct tevent_req *subreq;
+ struct winbindd_child *child;
+ struct winbindd_request *request;
+ struct winbindd_response *response;
+};
+
+static bool fork_domain_child(struct winbindd_child *child);
+
+static void wb_child_request_waited(struct tevent_req *subreq);
+static void wb_child_request_done(struct tevent_req *subreq);
+static void wb_child_request_orphaned(struct tevent_req *subreq);
+
+static void wb_child_request_cleanup(struct tevent_req *req,
+ enum tevent_req_state req_state);
+
+struct tevent_req *wb_child_request_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_child *child,
+ struct winbindd_request *request)
+{
+ struct tevent_req *req;
+ struct wb_child_request_state *state;
+ struct tevent_req *subreq;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct wb_child_request_state);
+ if (req == NULL) {
+ return NULL;
+ }
+
+ state->ev = ev;
+ state->child = child;
+
+ /*
+ * We have to make a copy of "request", because our caller
+ * might drop us via talloc_free().
+ *
+ * The talloc_move() magic in wb_child_request_cleanup() keeps
+ * all the requests, but if we are sitting deep within
+ * writev_send() down to the client, we have given it the
+ * pointer to "request". As our caller lost interest, it will
+ * just free "request", while writev_send still references it.
+ */
+
+ state->request = talloc_memdup(state, request, sizeof(*request));
+ if (tevent_req_nomem(state->request, req)) {
+ return tevent_req_post(req, ev);
+ }
+
+ state->request->traceid = debug_traceid_get();
+
+ if (request->extra_data.data != NULL) {
+ state->request->extra_data.data = talloc_memdup(
+ state->request,
+ request->extra_data.data,
+ request->extra_len);
+ if (tevent_req_nomem(state->request->extra_data.data, req)) {
+ return tevent_req_post(req, ev);
+ }
+ }
+
+ subreq = tevent_queue_wait_send(state, ev, child->queue);
+ if (tevent_req_nomem(subreq, req)) {
+ return tevent_req_post(req, ev);
+ }
+ tevent_req_set_callback(subreq, wb_child_request_waited, req);
+ state->queue_subreq = subreq;
+
+ tevent_req_set_cleanup_fn(req, wb_child_request_cleanup);
+
+ return req;
+}
+
+static void wb_child_request_waited(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct wb_child_request_state *state = tevent_req_data(
+ req, struct wb_child_request_state);
+ bool ok;
+
+ ok = tevent_queue_wait_recv(subreq);
+ if (!ok) {
+ tevent_req_oom(req);
+ return;
+ }
+ /*
+ * We need to keep state->queue_subreq
+ * in order to block the queue.
+ */
+ subreq = NULL;
+
+ if ((state->child->sock == -1) && (!fork_domain_child(state->child))) {
+ tevent_req_error(req, errno);
+ return;
+ }
+
+ tevent_fd_set_flags(state->child->monitor_fde, 0);
+
+ subreq = wb_simple_trans_send(state, global_event_context(), NULL,
+ state->child->sock, state->request);
+ if (tevent_req_nomem(subreq, req)) {
+ return;
+ }
+
+ state->subreq = subreq;
+ tevent_req_set_callback(subreq, wb_child_request_done, req);
+ tevent_req_set_endtime(req, state->ev, timeval_current_ofs(300, 0));
+}
+
+static void wb_child_request_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct wb_child_request_state *state = tevent_req_data(
+ req, struct wb_child_request_state);
+ int ret, err;
+
+ ret = wb_simple_trans_recv(subreq, state, &state->response, &err);
+ /* Freeing the subrequest is deferred until the cleanup function,
+ * which has to know whether a subrequest exists, and consequently
+ * decide whether to shut down the pipe to the child process.
+ */
+ if (ret == -1) {
+ tevent_req_error(req, err);
+ return;
+ }
+ tevent_req_done(req);
+}
+
+static void wb_child_request_orphaned(struct tevent_req *subreq)
+{
+ struct winbindd_child *child =
+ (struct winbindd_child *)tevent_req_callback_data_void(subreq);
+
+ DBG_WARNING("cleanup orphaned subreq[%p]\n", subreq);
+ TALLOC_FREE(subreq);
+
+ if (child->domain != NULL) {
+ /*
+ * If the child is attached to a domain,
+ * we need to make sure the domain queue
+ * can move forward, after the orphaned
+ * request is done.
+ */
+ tevent_queue_start(child->domain->queue);
+ }
+}
+
+int wb_child_request_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
+ struct winbindd_response **presponse, int *err)
+{
+ struct wb_child_request_state *state = tevent_req_data(
+ req, struct wb_child_request_state);
+
+ if (tevent_req_is_unix_error(req, err)) {
+ return -1;
+ }
+ *presponse = talloc_move(mem_ctx, &state->response);
+ return 0;
+}
+
+static void wb_child_request_cleanup(struct tevent_req *req,
+ enum tevent_req_state req_state)
+{
+ struct wb_child_request_state *state =
+ tevent_req_data(req, struct wb_child_request_state);
+
+ if (state->subreq == NULL) {
+ /* nothing to cleanup */
+ return;
+ }
+
+ if (req_state == TEVENT_REQ_RECEIVED) {
+ struct tevent_req *subreq = NULL;
+
+ /*
+ * Our caller gave up, but we need to keep
+ * the low level request (wb_simple_trans)
+ * in order to maintain the parent child protocol.
+ *
+ * We also need to keep the child queue blocked
+ * until we got the response from the child.
+ */
+
+ subreq = talloc_move(state->child->queue, &state->subreq);
+ talloc_move(subreq, &state->queue_subreq);
+ talloc_move(subreq, &state->request);
+ tevent_req_set_callback(subreq,
+ wb_child_request_orphaned,
+ state->child);
+
+ DBG_WARNING("keep orphaned subreq[%p]\n", subreq);
+ return;
+ }
+
+ TALLOC_FREE(state->subreq);
+ TALLOC_FREE(state->queue_subreq);
+
+ tevent_fd_set_flags(state->child->monitor_fde, TEVENT_FD_READ);
+
+ if (state->child->domain != NULL) {
+ /*
+ * If the child is attached to a domain,
+ * we need to make sure the domain queue
+ * can move forward, after the request
+ * is done.
+ */
+ tevent_queue_start(state->child->domain->queue);
+ }
+
+ if (req_state == TEVENT_REQ_DONE) {
+ /* transmitted request and got response */
+ return;
+ }
+
+ /*
+ * Failed to transmit and receive response, or request
+ * cancelled while being serviced.
+ * The basic parent/child communication broke, close
+ * our socket
+ */
+ TALLOC_FREE(state->child->monitor_fde);
+ close(state->child->sock);
+ state->child->sock = -1;
+}
+
+static void child_socket_readable(struct tevent_context *ev,
+ struct tevent_fd *fde,
+ uint16_t flags,
+ void *private_data)
+{
+ struct winbindd_child *child = private_data;
+
+ if ((flags & TEVENT_FD_READ) == 0) {
+ return;
+ }
+
+ TALLOC_FREE(child->monitor_fde);
+
+ /*
+ * We're only active when there is no outstanding child
+ * request. Arriving here means the child closed its socket,
+ * it died. Do the same here.
+ */
+
+ SMB_ASSERT(child->sock != -1);
+
+ close(child->sock);
+ child->sock = -1;
+}
+
+static struct winbindd_child *choose_domain_child(struct winbindd_domain *domain)
+{
+ struct winbindd_child *shortest = &domain->children[0];
+ struct winbindd_child *current;
+ int i;
+
+ for (i=0; i<lp_winbind_max_domain_connections(); i++) {
+ size_t shortest_len, current_len;
+
+ current = &domain->children[i];
+ current_len = tevent_queue_length(current->queue);
+
+ if (current_len == 0) {
+ /* idle child */
+ return current;
+ }
+
+ shortest_len = tevent_queue_length(shortest->queue);
+
+ if (current_len < shortest_len) {
+ shortest = current;
+ }
+ }
+
+ return shortest;
+}
+
+struct dcerpc_binding_handle *dom_child_handle(struct winbindd_domain *domain)
+{
+ return domain->binding_handle;
+}
+
+struct wb_domain_request_state {
+ struct tevent_context *ev;
+ struct tevent_queue_entry *queue_entry;
+ struct winbindd_domain *domain;
+ struct winbindd_child *child;
+ struct winbindd_request *request;
+ struct winbindd_request *init_req;
+ struct winbindd_response *response;
+ struct tevent_req *pending_subreq;
+ struct wbint_InitConnection r;
+};
+
+static void wb_domain_request_cleanup(struct tevent_req *req,
+ enum tevent_req_state req_state)
+{
+ struct wb_domain_request_state *state = tevent_req_data(
+ req, struct wb_domain_request_state);
+
+ /*
+ * If we're completely done or got a failure.
+ * we should remove ourself from the domain queue,
+ * after removing the child subreq from the child queue
+ * and give the next one in the queue the chance
+ * to check for an idle child.
+ */
+ TALLOC_FREE(state->pending_subreq);
+ TALLOC_FREE(state->queue_entry);
+ tevent_queue_start(state->domain->queue);
+}
+
+static void wb_domain_request_trigger(struct tevent_req *req,
+ void *private_data);
+static void wb_domain_request_gotdc(struct tevent_req *subreq);
+static void wb_domain_request_initialized(struct tevent_req *subreq);
+static void wb_domain_request_done(struct tevent_req *subreq);
+
+struct tevent_req *wb_domain_request_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_domain *domain,
+ struct winbindd_request *request)
+{
+ struct tevent_req *req;
+ struct wb_domain_request_state *state;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct wb_domain_request_state);
+ if (req == NULL) {
+ return NULL;
+ }
+
+ state->domain = domain;
+ state->ev = ev;
+ state->request = request;
+
+ tevent_req_set_cleanup_fn(req, wb_domain_request_cleanup);
+
+ state->queue_entry = tevent_queue_add_entry(
+ domain->queue, state->ev, req,
+ wb_domain_request_trigger, NULL);
+ if (tevent_req_nomem(state->queue_entry, req)) {
+ return tevent_req_post(req, ev);
+ }
+
+ return req;
+}
+
+static void wb_domain_request_trigger(struct tevent_req *req,
+ void *private_data)
+{
+ struct wb_domain_request_state *state = tevent_req_data(
+ req, struct wb_domain_request_state);
+ struct winbindd_domain *domain = state->domain;
+ struct tevent_req *subreq = NULL;
+ size_t shortest_queue_length;
+
+ state->child = choose_domain_child(domain);
+ shortest_queue_length = tevent_queue_length(state->child->queue);
+ if (shortest_queue_length > 0) {
+ /*
+ * All children are busy, we need to stop
+ * the queue and untrigger our own queue
+ * entry. Once a pending request
+ * is done it calls tevent_queue_start
+ * and we get retriggered.
+ */
+ state->child = NULL;
+ tevent_queue_stop(state->domain->queue);
+ tevent_queue_entry_untrigger(state->queue_entry);
+ return;
+ }
+
+ if (domain->initialized) {
+ subreq = wb_child_request_send(state, state->ev, state->child,
+ state->request);
+ if (tevent_req_nomem(subreq, req)) {
+ return;
+ }
+ tevent_req_set_callback(subreq, wb_domain_request_done, req);
+ state->pending_subreq = subreq;
+
+ /*
+ * Once the domain is initialized and
+ * once we placed our real request into the child queue,
+ * we can remove ourself from the domain queue
+ * and give the next one in the queue the chance
+ * to check for an idle child.
+ */
+ TALLOC_FREE(state->queue_entry);
+ return;
+ }
+
+ state->init_req = talloc_zero(state, struct winbindd_request);
+ if (tevent_req_nomem(state->init_req, req)) {
+ return;
+ }
+
+ if (IS_DC || domain->primary || domain->internal) {
+ /* The primary domain has to find the DC name itself */
+ state->r.in.dcname = talloc_strdup(state, "");
+ if (tevent_req_nomem(state->r.in.dcname, req)) {
+ return;
+ }
+
+ subreq = dcerpc_wbint_InitConnection_r_send(state,
+ state->ev,
+ state->child->binding_handle,
+ &state->r);
+ if (tevent_req_nomem(subreq, req)) {
+ return;
+ }
+ tevent_req_set_callback(subreq, wb_domain_request_initialized,
+ req);
+ state->pending_subreq = subreq;
+ return;
+ }
+
+ /*
+ * This is *not* the primary domain,
+ * let's ask our DC about a DC name.
+ *
+ * We prefer getting a dns name in dc_unc,
+ * which is indicated by DS_RETURN_DNS_NAME.
+ * For NT4 domains we still get the netbios name.
+ */
+ subreq = wb_dsgetdcname_send(state, state->ev,
+ state->domain->name,
+ NULL, /* domain_guid */
+ NULL, /* site_name */
+ DS_RETURN_DNS_NAME); /* flags */
+ if (tevent_req_nomem(subreq, req)) {
+ return;
+ }
+ tevent_req_set_callback(subreq, wb_domain_request_gotdc, req);
+ state->pending_subreq = subreq;
+ return;
+}
+
+static void wb_domain_request_gotdc(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct wb_domain_request_state *state = tevent_req_data(
+ req, struct wb_domain_request_state);
+ struct netr_DsRGetDCNameInfo *dcinfo = NULL;
+ NTSTATUS status;
+ const char *dcname = NULL;
+
+ state->pending_subreq = NULL;
+
+ status = wb_dsgetdcname_recv(subreq, state, &dcinfo);
+ TALLOC_FREE(subreq);
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
+ dcname = dcinfo->dc_unc;
+ while (dcname != NULL && *dcname == '\\') {
+ dcname++;
+ }
+
+ state->r.in.dcname = talloc_strdup(state, dcname);
+ if (tevent_req_nomem(state->r.in.dcname, req)) {
+ return;
+ }
+
+ TALLOC_FREE(dcinfo);
+
+ subreq = dcerpc_wbint_InitConnection_r_send(state,
+ state->ev,
+ state->child->binding_handle,
+ &state->r);
+ if (tevent_req_nomem(subreq, req)) {
+ return;
+ }
+ tevent_req_set_callback(subreq, wb_domain_request_initialized, req);
+ state->pending_subreq = subreq;
+}
+
+static void wb_domain_request_initialized(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct wb_domain_request_state *state = tevent_req_data(
+ req, struct wb_domain_request_state);
+ NTSTATUS status;
+
+ state->pending_subreq = NULL;
+
+ status = dcerpc_wbint_InitConnection_r_recv(subreq, state);
+ TALLOC_FREE(subreq);
+ if (NT_STATUS_IS_ERR(status)) {
+ tevent_req_error(req, map_errno_from_nt_status(status));
+ return;
+ }
+
+ status = state->r.out.result;
+ if (NT_STATUS_IS_ERR(status)) {
+ tevent_req_error(req, map_errno_from_nt_status(status));
+ return;
+ }
+
+ state->domain->sid = *state->r.out.sid;
+
+ talloc_free(state->domain->name);
+ state->domain->name = talloc_strdup(state->domain, *state->r.out.name);
+ if (state->domain->name == NULL) {
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+
+ if (*state->r.out.alt_name != NULL &&
+ strlen(*state->r.out.alt_name) > 0) {
+ talloc_free(state->domain->alt_name);
+
+ state->domain->alt_name = talloc_strdup(state->domain,
+ *state->r.out.alt_name);
+ if (state->domain->alt_name == NULL) {
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+ }
+
+ state->domain->native_mode =
+ (*state->r.out.flags & WB_DOMINFO_DOMAIN_NATIVE);
+ state->domain->active_directory =
+ (*state->r.out.flags & WB_DOMINFO_DOMAIN_AD);
+ state->domain->initialized = true;
+
+ subreq = wb_child_request_send(state, state->ev, state->child,
+ state->request);
+ if (tevent_req_nomem(subreq, req)) {
+ return;
+ }
+ tevent_req_set_callback(subreq, wb_domain_request_done, req);
+ state->pending_subreq = subreq;
+
+ /*
+ * Once the domain is initialized and
+ * once we placed our real request into the child queue,
+ * we can remove ourself from the domain queue
+ * and give the next one in the queue the chance
+ * to check for an idle child.
+ */
+ TALLOC_FREE(state->queue_entry);
+}
+
+static void wb_domain_request_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct wb_domain_request_state *state = tevent_req_data(
+ req, struct wb_domain_request_state);
+ int ret, err;
+
+ state->pending_subreq = NULL;
+
+ ret = wb_child_request_recv(subreq, talloc_tos(), &state->response,
+ &err);
+ TALLOC_FREE(subreq);
+ if (ret == -1) {
+ tevent_req_error(req, err);
+ return;
+ }
+ tevent_req_done(req);
+}
+
+int wb_domain_request_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
+ struct winbindd_response **presponse, int *err)
+{
+ struct wb_domain_request_state *state = tevent_req_data(
+ req, struct wb_domain_request_state);
+
+ if (tevent_req_is_unix_error(req, err)) {
+ return -1;
+ }
+ *presponse = talloc_move(mem_ctx, &state->response);
+ return 0;
+}
+
+static void child_process_request(struct winbindd_child *child,
+ struct winbindd_cli_state *state)
+{
+ struct winbindd_domain *domain = child->domain;
+
+ /* Free response data - we may be interrupted and receive another
+ command before being able to send this data off. */
+
+ state->response->result = WINBINDD_ERROR;
+ state->response->length = sizeof(struct winbindd_response);
+
+ /* as all requests in the child are sync, we can use talloc_tos() */
+ state->mem_ctx = talloc_tos();
+
+ /* Process command */
+ state->response->result = winbindd_dual_ndrcmd(domain, state);
+}
+
+void setup_child(struct winbindd_domain *domain, struct winbindd_child *child,
+ const char *logprefix,
+ const char *logname)
+{
+ const struct loadparm_substitution *lp_sub =
+ loadparm_s3_global_substitution();
+
+ if (logprefix && logname) {
+ char *logbase = NULL;
+
+ if (*lp_logfile(talloc_tos(), lp_sub)) {
+ char *end = NULL;
+
+ if (asprintf(&logbase, "%s", lp_logfile(talloc_tos(), lp_sub)) < 0) {
+ smb_panic("Internal error: asprintf failed");
+ }
+
+ if ((end = strrchr_m(logbase, '/'))) {
+ *end = '\0';
+ }
+ } else {
+ if (asprintf(&logbase, "%s", get_dyn_LOGFILEBASE()) < 0) {
+ smb_panic("Internal error: asprintf failed");
+ }
+ }
+
+ if (asprintf(&child->logfilename, "%s/%s-%s",
+ logbase, logprefix, logname) < 0) {
+ SAFE_FREE(logbase);
+ smb_panic("Internal error: asprintf failed");
+ }
+
+ SAFE_FREE(logbase);
+ } else {
+ smb_panic("Internal error: logprefix == NULL && "
+ "logname == NULL");
+ }
+
+ child->pid = 0;
+ child->sock = -1;
+ child->domain = domain;
+ child->queue = tevent_queue_create(NULL, "winbind_child");
+ SMB_ASSERT(child->queue != NULL);
+
+ child->binding_handle = wbint_binding_handle(NULL, NULL, child);
+ SMB_ASSERT(child->binding_handle != NULL);
+}
+
+struct winbind_child_died_state {
+ pid_t pid;
+ struct winbindd_child *child;
+};
+
+static bool winbind_child_died_fn(struct winbindd_child *child,
+ void *private_data)
+{
+ struct winbind_child_died_state *state = private_data;
+
+ if (child->pid == state->pid) {
+ state->child = child;
+ return false;
+ }
+ return true;
+}
+
+void winbind_child_died(pid_t pid)
+{
+ struct winbind_child_died_state state = { .pid = pid };
+
+ forall_children(winbind_child_died_fn, &state);
+
+ if (state.child == NULL) {
+ DEBUG(5, ("Already reaped child %u died\n", (unsigned int)pid));
+ return;
+ }
+
+ state.child->pid = 0;
+}
+
+/* Ensure any negative cache entries with the netbios or realm names are removed. */
+
+void winbindd_flush_negative_conn_cache(struct winbindd_domain *domain)
+{
+ flush_negative_conn_cache_for_domain(domain->name);
+ if (domain->alt_name != NULL) {
+ flush_negative_conn_cache_for_domain(domain->alt_name);
+ }
+}
+
+/*
+ * Parent winbindd process sets its own debug level first and then
+ * sends a message to all the winbindd children to adjust their debug
+ * level to that of parents.
+ */
+
+struct winbind_msg_relay_state {
+ struct messaging_context *msg_ctx;
+ uint32_t msg_type;
+ DATA_BLOB *data;
+};
+
+static bool winbind_msg_relay_fn(struct winbindd_child *child,
+ void *private_data)
+{
+ struct winbind_msg_relay_state *state = private_data;
+
+ DBG_DEBUG("sending message to pid %u.\n",
+ (unsigned int)child->pid);
+
+ messaging_send(state->msg_ctx, pid_to_procid(child->pid),
+ state->msg_type, state->data);
+ return true;
+}
+
+void winbind_msg_debug(struct messaging_context *msg_ctx,
+ void *private_data,
+ uint32_t msg_type,
+ struct server_id server_id,
+ DATA_BLOB *data)
+{
+ struct winbind_msg_relay_state state = {
+ .msg_ctx = msg_ctx, .msg_type = msg_type, .data = data
+ };
+
+ DEBUG(10,("winbind_msg_debug: got debug message.\n"));
+
+ debug_message(msg_ctx, private_data, MSG_DEBUG, server_id, data);
+
+ forall_children(winbind_msg_relay_fn, &state);
+}
+
+void winbind_disconnect_dc_parent(struct messaging_context *msg_ctx,
+ void *private_data,
+ uint32_t msg_type,
+ struct server_id server_id,
+ DATA_BLOB *data)
+{
+ struct winbind_msg_relay_state state = {
+ .msg_ctx = msg_ctx, .msg_type = msg_type, .data = data
+ };
+
+ DBG_DEBUG("Got disconnect_dc message\n");
+
+ forall_children(winbind_msg_relay_fn, &state);
+}
+
+static void winbindd_msg_reload_services_child(struct messaging_context *msg,
+ void *private_data,
+ uint32_t msg_type,
+ struct server_id server_id,
+ DATA_BLOB *data)
+{
+ DBG_DEBUG("Got reload-config message\n");
+ winbindd_reload_services_file((const char *)private_data);
+}
+
+/* React on 'smbcontrol winbindd reload-config' in the same way as on SIGHUP*/
+void winbindd_msg_reload_services_parent(struct messaging_context *msg,
+ void *private_data,
+ uint32_t msg_type,
+ struct server_id server_id,
+ DATA_BLOB *data)
+{
+ struct winbind_msg_relay_state state = {
+ .msg_ctx = msg,
+ .msg_type = msg_type,
+ .data = data,
+ };
+
+ DBG_DEBUG("Got reload-config message\n");
+
+ /* Flush various caches */
+ winbindd_flush_caches();
+
+ winbindd_reload_services_file((const char *)private_data);
+
+ forall_children(winbind_msg_relay_fn, &state);
+}
+
+/* Set our domains as offline and forward the offline message to our children. */
+
+struct winbind_msg_on_offline_state {
+ struct messaging_context *msg_ctx;
+ uint32_t msg_type;
+};
+
+static bool winbind_msg_on_offline_fn(struct winbindd_child *child,
+ void *private_data)
+{
+ struct winbind_msg_on_offline_state *state = private_data;
+
+ if (child->domain->internal) {
+ return true;
+ }
+
+ /*
+ * Each winbindd child should only process requests for one
+ * domain - make sure we only set it online / offline for that
+ * domain.
+ */
+ DBG_DEBUG("sending message to pid %u for domain %s.\n",
+ (unsigned int)child->pid, child->domain->name);
+
+ messaging_send_buf(state->msg_ctx,
+ pid_to_procid(child->pid),
+ state->msg_type,
+ (const uint8_t *)child->domain->name,
+ strlen(child->domain->name)+1);
+
+ return true;
+}
+
+void winbind_msg_offline(struct messaging_context *msg_ctx,
+ void *private_data,
+ uint32_t msg_type,
+ struct server_id server_id,
+ DATA_BLOB *data)
+{
+ struct winbind_msg_on_offline_state state = {
+ .msg_ctx = msg_ctx,
+ .msg_type = MSG_WINBIND_OFFLINE,
+ };
+ struct winbindd_domain *domain;
+
+ DEBUG(10,("winbind_msg_offline: got offline message.\n"));
+
+ if (!lp_winbind_offline_logon()) {
+ DEBUG(10,("winbind_msg_offline: rejecting offline message.\n"));
+ return;
+ }
+
+ /* Set our global state as offline. */
+ if (!set_global_winbindd_state_offline()) {
+ DEBUG(10,("winbind_msg_offline: offline request failed.\n"));
+ return;
+ }
+
+ /* Set all our domains as offline. */
+ for (domain = domain_list(); domain; domain = domain->next) {
+ if (domain->internal) {
+ continue;
+ }
+ DEBUG(5,("winbind_msg_offline: marking %s offline.\n", domain->name));
+ domain->online = false;
+ }
+
+ forall_domain_children(winbind_msg_on_offline_fn, &state);
+}
+
+/* Set our domains as online and forward the online message to our children. */
+
+void winbind_msg_online(struct messaging_context *msg_ctx,
+ void *private_data,
+ uint32_t msg_type,
+ struct server_id server_id,
+ DATA_BLOB *data)
+{
+ struct winbind_msg_on_offline_state state = {
+ .msg_ctx = msg_ctx,
+ .msg_type = MSG_WINBIND_ONLINE,
+ };
+
+ DEBUG(10,("winbind_msg_online: got online message.\n"));
+
+ if (!lp_winbind_offline_logon()) {
+ DEBUG(10,("winbind_msg_online: rejecting online message.\n"));
+ return;
+ }
+
+ /* Set our global state as online. */
+ set_global_winbindd_state_online();
+
+ smb_nscd_flush_user_cache();
+ smb_nscd_flush_group_cache();
+
+ /* Tell all our child domains to go online online. */
+ forall_domain_children(winbind_msg_on_offline_fn, &state);
+}
+
+static const char *collect_onlinestatus(TALLOC_CTX *mem_ctx)
+{
+ struct winbindd_domain *domain;
+ char *buf = NULL;
+
+ if ((buf = talloc_asprintf(mem_ctx, "global:%s ",
+ get_global_winbindd_state_offline() ?
+ "Offline":"Online")) == NULL) {
+ return NULL;
+ }
+
+ for (domain = domain_list(); domain; domain = domain->next) {
+ if ((buf = talloc_asprintf_append_buffer(buf, "%s:%s ",
+ domain->name,
+ domain->online ?
+ "Online":"Offline")) == NULL) {
+ return NULL;
+ }
+ }
+
+ buf = talloc_asprintf_append_buffer(buf, "\n");
+
+ DEBUG(5,("collect_onlinestatus: %s", buf));
+
+ return buf;
+}
+
+void winbind_msg_onlinestatus(struct messaging_context *msg_ctx,
+ void *private_data,
+ uint32_t msg_type,
+ struct server_id server_id,
+ DATA_BLOB *data)
+{
+ TALLOC_CTX *mem_ctx;
+ const char *message;
+
+ DEBUG(5,("winbind_msg_onlinestatus received.\n"));
+
+ mem_ctx = talloc_init("winbind_msg_onlinestatus");
+ if (mem_ctx == NULL) {
+ return;
+ }
+
+ message = collect_onlinestatus(mem_ctx);
+ if (message == NULL) {
+ talloc_destroy(mem_ctx);
+ return;
+ }
+
+ messaging_send_buf(msg_ctx, server_id, MSG_WINBIND_ONLINESTATUS,
+ (const uint8_t *)message, strlen(message) + 1);
+
+ talloc_destroy(mem_ctx);
+}
+
+void winbind_msg_dump_domain_list(struct messaging_context *msg_ctx,
+ void *private_data,
+ uint32_t msg_type,
+ struct server_id server_id,
+ DATA_BLOB *data)
+{
+ TALLOC_CTX *mem_ctx;
+ const char *message = NULL;
+ const char *domain = NULL;
+ char *s = NULL;
+ NTSTATUS status;
+ struct winbindd_domain *dom = NULL;
+
+ DEBUG(5,("winbind_msg_dump_domain_list received.\n"));
+
+ mem_ctx = talloc_init("winbind_msg_dump_domain_list");
+ if (!mem_ctx) {
+ return;
+ }
+
+ if (data->length > 0) {
+ domain = (const char *)data->data;
+ }
+
+ if (domain) {
+
+ DEBUG(5,("winbind_msg_dump_domain_list for domain: %s\n",
+ domain));
+
+ message = NDR_PRINT_STRUCT_STRING(mem_ctx, winbindd_domain,
+ find_domain_from_name_noinit(domain));
+ if (!message) {
+ talloc_destroy(mem_ctx);
+ return;
+ }
+
+ messaging_send_buf(msg_ctx, server_id,
+ MSG_WINBIND_DUMP_DOMAIN_LIST,
+ (const uint8_t *)message, strlen(message) + 1);
+
+ talloc_destroy(mem_ctx);
+
+ return;
+ }
+
+ DEBUG(5,("winbind_msg_dump_domain_list all domains\n"));
+
+ for (dom = domain_list(); dom; dom=dom->next) {
+ message = NDR_PRINT_STRUCT_STRING(mem_ctx, winbindd_domain, dom);
+ if (!message) {
+ talloc_destroy(mem_ctx);
+ return;
+ }
+
+ s = talloc_asprintf_append(s, "%s\n", message);
+ if (!s) {
+ talloc_destroy(mem_ctx);
+ return;
+ }
+ }
+
+ status = messaging_send_buf(msg_ctx, server_id,
+ MSG_WINBIND_DUMP_DOMAIN_LIST,
+ (uint8_t *)s, strlen(s) + 1);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0,("failed to send message: %s\n",
+ nt_errstr(status)));
+ }
+
+ talloc_destroy(mem_ctx);
+}
+
+static void account_lockout_policy_handler(struct tevent_context *ctx,
+ struct tevent_timer *te,
+ struct timeval now,
+ void *private_data)
+{
+ struct winbindd_child *child =
+ (struct winbindd_child *)private_data;
+ TALLOC_CTX *mem_ctx = NULL;
+ struct samr_DomInfo12 lockout_policy;
+ NTSTATUS result;
+
+ DEBUG(10,("account_lockout_policy_handler called\n"));
+
+ TALLOC_FREE(child->lockout_policy_event);
+
+ if ( !winbindd_can_contact_domain( child->domain ) ) {
+ DEBUG(10,("account_lockout_policy_handler: Removing myself since I "
+ "do not have an incoming trust to domain %s\n",
+ child->domain->name));
+
+ return;
+ }
+
+ mem_ctx = talloc_init("account_lockout_policy_handler ctx");
+ if (!mem_ctx) {
+ result = NT_STATUS_NO_MEMORY;
+ } else {
+ result = wb_cache_lockout_policy(child->domain, mem_ctx,
+ &lockout_policy);
+ }
+ TALLOC_FREE(mem_ctx);
+
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(10,("account_lockout_policy_handler: lockout_policy failed error %s\n",
+ nt_errstr(result)));
+ }
+
+ child->lockout_policy_event = tevent_add_timer(global_event_context(), NULL,
+ timeval_current_ofs(3600, 0),
+ account_lockout_policy_handler,
+ child);
+}
+
+static time_t get_machine_password_timeout(void)
+{
+ /* until we have gpo support use lp setting */
+ return lp_machine_password_timeout();
+}
+
+static bool calculate_next_machine_pwd_change(const char *domain,
+ struct timeval *t)
+{
+ time_t pass_last_set_time;
+ time_t timeout;
+ time_t next_change;
+ struct timeval tv;
+ char *pw;
+
+ pw = secrets_fetch_machine_password(domain,
+ &pass_last_set_time,
+ NULL);
+
+ if (pw == NULL) {
+ DEBUG(0,("cannot fetch own machine password ????"));
+ return false;
+ }
+
+ SAFE_FREE(pw);
+
+ timeout = get_machine_password_timeout();
+ if (timeout == 0) {
+ DEBUG(10,("machine password never expires\n"));
+ return false;
+ }
+
+ tv.tv_sec = pass_last_set_time;
+ DEBUG(10, ("password last changed %s\n",
+ timeval_string(talloc_tos(), &tv, false)));
+ tv.tv_sec += timeout;
+ DEBUGADD(10, ("password valid until %s\n",
+ timeval_string(talloc_tos(), &tv, false)));
+
+ if (time(NULL) < (pass_last_set_time + timeout)) {
+ next_change = pass_last_set_time + timeout;
+ DEBUG(10,("machine password still valid until: %s\n",
+ http_timestring(talloc_tos(), next_change)));
+ *t = timeval_set(next_change, 0);
+
+ if (lp_clustering()) {
+ uint8_t randbuf;
+ /*
+ * When having a cluster, we have several
+ * winbinds racing for the password change. In
+ * the machine_password_change_handler()
+ * function we check if someone else was
+ * faster when the event triggers. We add a
+ * 255-second random delay here, so that we
+ * don't run to change the password at the
+ * exact same moment.
+ */
+ generate_random_buffer(&randbuf, sizeof(randbuf));
+ DEBUG(10, ("adding %d seconds randomness\n",
+ (int)randbuf));
+ t->tv_sec += randbuf;
+ }
+ return true;
+ }
+
+ DEBUG(10,("machine password expired, needs immediate change\n"));
+
+ *t = timeval_zero();
+
+ return true;
+}
+
+static void machine_password_change_handler(struct tevent_context *ctx,
+ struct tevent_timer *te,
+ struct timeval now,
+ void *private_data)
+{
+ struct messaging_context *msg_ctx = global_messaging_context();
+ struct winbindd_child *child =
+ (struct winbindd_child *)private_data;
+ struct rpc_pipe_client *netlogon_pipe = NULL;
+ struct netlogon_creds_cli_context *netlogon_creds_ctx = NULL;
+ NTSTATUS result;
+ struct timeval next_change;
+
+ DEBUG(10,("machine_password_change_handler called\n"));
+
+ TALLOC_FREE(child->machine_password_change_event);
+
+ if (!calculate_next_machine_pwd_change(child->domain->name,
+ &next_change)) {
+ DEBUG(10, ("calculate_next_machine_pwd_change failed\n"));
+ return;
+ }
+
+ DEBUG(10, ("calculate_next_machine_pwd_change returned %s\n",
+ timeval_string(talloc_tos(), &next_change, false)));
+
+ if (!timeval_expired(&next_change)) {
+ DEBUG(10, ("Someone else has already changed the pw\n"));
+ goto done;
+ }
+
+ if (!winbindd_can_contact_domain(child->domain)) {
+ DEBUG(10,("machine_password_change_handler: Removing myself since I "
+ "do not have an incoming trust to domain %s\n",
+ child->domain->name));
+ return;
+ }
+
+ result = cm_connect_netlogon_secure(child->domain,
+ &netlogon_pipe,
+ &netlogon_creds_ctx);
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(10,("machine_password_change_handler: "
+ "failed to connect netlogon pipe: %s\n",
+ nt_errstr(result)));
+ return;
+ }
+
+ result = trust_pw_change(netlogon_creds_ctx,
+ msg_ctx,
+ netlogon_pipe->binding_handle,
+ child->domain->name,
+ child->domain->dcname,
+ false); /* force */
+
+ DEBUG(10, ("machine_password_change_handler: "
+ "trust_pw_change returned %s\n",
+ nt_errstr(result)));
+
+ if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) ) {
+ DEBUG(3,("machine_password_change_handler: password set returned "
+ "ACCESS_DENIED. Maybe the trust account "
+ "password was changed and we didn't know it. "
+ "Killing connections to domain %s\n",
+ child->domain->name));
+ invalidate_cm_connection(child->domain);
+ }
+
+ if (!calculate_next_machine_pwd_change(child->domain->name,
+ &next_change)) {
+ DEBUG(10, ("calculate_next_machine_pwd_change failed\n"));
+ return;
+ }
+
+ DEBUG(10, ("calculate_next_machine_pwd_change returned %s\n",
+ timeval_string(talloc_tos(), &next_change, false)));
+
+ if (!NT_STATUS_IS_OK(result)) {
+ struct timeval tmp;
+ /*
+ * In case of failure, give the DC a minute to recover
+ */
+ tmp = timeval_current_ofs(60, 0);
+ next_change = timeval_max(&next_change, &tmp);
+ }
+
+done:
+ child->machine_password_change_event = tevent_add_timer(global_event_context(), NULL,
+ next_change,
+ machine_password_change_handler,
+ child);
+}
+
+/* Deal with a request to go offline. */
+
+static void child_msg_offline(struct messaging_context *msg,
+ void *private_data,
+ uint32_t msg_type,
+ struct server_id server_id,
+ DATA_BLOB *data)
+{
+ struct winbindd_domain *domain;
+ struct winbindd_domain *primary_domain = NULL;
+ const char *domainname = (const char *)data->data;
+
+ if (data->data == NULL || data->length == 0) {
+ return;
+ }
+
+ DEBUG(5,("child_msg_offline received for domain %s.\n", domainname));
+
+ if (!lp_winbind_offline_logon()) {
+ DEBUG(10,("child_msg_offline: rejecting offline message.\n"));
+ return;
+ }
+
+ primary_domain = find_our_domain();
+
+ /* Mark the requested domain offline. */
+
+ for (domain = domain_list(); domain; domain = domain->next) {
+ if (domain->internal) {
+ continue;
+ }
+ if (strequal(domain->name, domainname)) {
+ DEBUG(5,("child_msg_offline: marking %s offline.\n", domain->name));
+ set_domain_offline(domain);
+ /* we are in the trusted domain, set the primary domain
+ * offline too */
+ if (domain != primary_domain) {
+ set_domain_offline(primary_domain);
+ }
+ }
+ }
+}
+
+/* Deal with a request to go online. */
+
+static void child_msg_online(struct messaging_context *msg,
+ void *private_data,
+ uint32_t msg_type,
+ struct server_id server_id,
+ DATA_BLOB *data)
+{
+ struct winbindd_domain *domain;
+ struct winbindd_domain *primary_domain = NULL;
+ const char *domainname = (const char *)data->data;
+
+ if (data->data == NULL || data->length == 0) {
+ return;
+ }
+
+ DEBUG(5,("child_msg_online received for domain %s.\n", domainname));
+
+ if (!lp_winbind_offline_logon()) {
+ DEBUG(10,("child_msg_online: rejecting online message.\n"));
+ return;
+ }
+
+ primary_domain = find_our_domain();
+
+ /* Set our global state as online. */
+ set_global_winbindd_state_online();
+
+ /* Try and mark everything online - delete any negative cache entries
+ to force a reconnect now. */
+
+ for (domain = domain_list(); domain; domain = domain->next) {
+ if (domain->internal) {
+ continue;
+ }
+ if (strequal(domain->name, domainname)) {
+ DEBUG(5,("child_msg_online: requesting %s to go online.\n", domain->name));
+ winbindd_flush_negative_conn_cache(domain);
+ set_domain_online_request(domain);
+
+ /* we can be in trusted domain, which will contact primary domain
+ * we have to bring primary domain online in trusted domain process
+ * see, winbindd_dual_pam_auth() --> winbindd_dual_pam_auth_samlogon()
+ * --> contact_domain = find_our_domain()
+ * */
+ if (domain != primary_domain) {
+ winbindd_flush_negative_conn_cache(primary_domain);
+ set_domain_online_request(primary_domain);
+ }
+ }
+ }
+}
+
+struct winbindd_reinit_after_fork_state {
+ const struct winbindd_child *myself;
+};
+
+static bool winbindd_reinit_after_fork_fn(struct winbindd_child *child,
+ void *private_data)
+{
+ struct winbindd_reinit_after_fork_state *state = private_data;
+
+ if (child == state->myself) {
+ return true;
+ }
+
+ /* Destroy all possible events in child list. */
+ TALLOC_FREE(child->lockout_policy_event);
+ TALLOC_FREE(child->machine_password_change_event);
+
+ /*
+ * Children should never be able to send each other messages,
+ * all messages must go through the parent.
+ */
+ child->pid = (pid_t)0;
+
+ /*
+ * Close service sockets to all other children
+ */
+ if (child->sock != -1) {
+ close(child->sock);
+ child->sock = -1;
+ }
+
+ return true;
+}
+
+NTSTATUS winbindd_reinit_after_fork(const struct winbindd_child *myself,
+ const char *logfilename)
+{
+ struct winbindd_reinit_after_fork_state state = { .myself = myself };
+ struct winbindd_domain *domain;
+ NTSTATUS status;
+
+ status = reinit_after_fork(
+ global_messaging_context(),
+ global_event_context(),
+ true, NULL);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0,("reinit_after_fork() failed\n"));
+ return status;
+ }
+ initialize_password_db(true, global_event_context());
+
+ close_conns_after_fork();
+
+ if (logfilename != NULL) {
+ lp_set_logfile(logfilename);
+ reopen_logs();
+ }
+
+ if (!winbindd_setup_sig_term_handler(false)) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if (!winbindd_setup_sig_hup_handler(logfilename)) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ /* Stop zombies in children */
+ CatchChild();
+
+ /* Don't handle the same messages as our parent. */
+ messaging_deregister(global_messaging_context(),
+ MSG_SMB_CONF_UPDATED, NULL);
+ messaging_deregister(global_messaging_context(),
+ MSG_SHUTDOWN, NULL);
+ messaging_deregister(global_messaging_context(),
+ MSG_WINBIND_OFFLINE, NULL);
+ messaging_deregister(global_messaging_context(),
+ MSG_WINBIND_ONLINE, NULL);
+ messaging_deregister(global_messaging_context(),
+ MSG_WINBIND_ONLINESTATUS, NULL);
+ messaging_deregister(global_messaging_context(),
+ MSG_WINBIND_DUMP_DOMAIN_LIST, NULL);
+ messaging_deregister(global_messaging_context(),
+ MSG_DEBUG, NULL);
+
+ messaging_deregister(global_messaging_context(),
+ MSG_WINBIND_DOMAIN_OFFLINE, NULL);
+ messaging_deregister(global_messaging_context(),
+ MSG_WINBIND_DOMAIN_ONLINE, NULL);
+
+ /* We have destroyed all events in the winbindd_event_context
+ * in reinit_after_fork(), so clean out all possible pending
+ * event pointers. */
+
+ /* Deal with check_online_events. */
+
+ for (domain = domain_list(); domain; domain = domain->next) {
+ TALLOC_FREE(domain->check_online_event);
+ }
+
+ /* Ensure we're not handling a credential cache event inherited
+ * from our parent. */
+
+ ccache_remove_all_after_fork();
+
+ forall_children(winbindd_reinit_after_fork_fn, &state);
+
+ return NT_STATUS_OK;
+}
+
+/*
+ * In a child there will be only one domain, reference that here.
+ */
+static struct winbindd_domain *child_domain;
+
+struct winbindd_domain *wb_child_domain(void)
+{
+ return child_domain;
+}
+
+struct child_handler_state {
+ struct winbindd_child *child;
+ struct winbindd_cli_state cli;
+};
+
+static void child_handler(struct tevent_context *ev, struct tevent_fd *fde,
+ uint16_t flags, void *private_data)
+{
+ struct child_handler_state *state =
+ (struct child_handler_state *)private_data;
+ NTSTATUS status;
+ uint64_t parent_traceid;
+
+ /* fetch a request from the main daemon */
+ status = child_read_request(state->cli.sock, state->cli.request);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ /* we lost contact with our parent */
+ _exit(0);
+ }
+
+ /* read traceid from request */
+ parent_traceid = state->cli.request->traceid;
+ debug_traceid_set(parent_traceid);
+
+ DEBUG(4,("child daemon request %d\n",
+ (int)state->cli.request->cmd));
+
+ ZERO_STRUCTP(state->cli.response);
+ state->cli.request->null_term = '\0';
+ state->cli.mem_ctx = talloc_tos();
+ child_process_request(state->child, &state->cli);
+
+ DEBUG(4, ("Finished processing child request %d\n",
+ (int)state->cli.request->cmd));
+
+ SAFE_FREE(state->cli.request->extra_data.data);
+
+ status = child_write_response(state->cli.sock, state->cli.response);
+ if (!NT_STATUS_IS_OK(status)) {
+ exit(1);
+ }
+}
+
+static bool fork_domain_child(struct winbindd_child *child)
+{
+ int fdpair[2];
+ struct child_handler_state state;
+ struct winbindd_request request;
+ struct winbindd_response response;
+ struct winbindd_domain *primary_domain = NULL;
+ NTSTATUS status;
+ ssize_t nwritten;
+ struct tevent_fd *fde;
+
+ if (child->domain) {
+ DEBUG(10, ("fork_domain_child called for domain '%s'\n",
+ child->domain->name));
+ } else {
+ DEBUG(10, ("fork_domain_child called without domain.\n"));
+ }
+
+ if (socketpair(AF_UNIX, SOCK_STREAM, 0, fdpair) != 0) {
+ DEBUG(0, ("Could not open child pipe: %s\n",
+ strerror(errno)));
+ return False;
+ }
+
+ ZERO_STRUCT(state);
+ state.child = child;
+ state.cli.pid = getpid();
+ state.cli.request = &request;
+ state.cli.response = &response;
+
+ child->pid = fork();
+
+ if (child->pid == -1) {
+ DEBUG(0, ("Could not fork: %s\n", strerror(errno)));
+ close(fdpair[0]);
+ close(fdpair[1]);
+ return False;
+ }
+
+ if (child->pid != 0) {
+ /* Parent */
+ ssize_t nread;
+ int rc;
+
+ close(fdpair[0]);
+
+ nread = sys_read(fdpair[1], &status, sizeof(status));
+ if (nread != sizeof(status)) {
+ DEBUG(1, ("fork_domain_child: Could not read child status: "
+ "nread=%d, error=%s\n", (int)nread,
+ strerror(errno)));
+ close(fdpair[1]);
+ return false;
+ }
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1, ("fork_domain_child: Child status is %s\n",
+ nt_errstr(status)));
+ close(fdpair[1]);
+ return false;
+ }
+
+ child->monitor_fde = tevent_add_fd(global_event_context(),
+ global_event_context(),
+ fdpair[1],
+ TEVENT_FD_READ,
+ child_socket_readable,
+ child);
+ if (child->monitor_fde == NULL) {
+ DBG_WARNING("tevent_add_fd failed\n");
+ close(fdpair[1]);
+ return false;
+ }
+
+ rc = set_blocking(fdpair[1], false);
+ if (rc < 0) {
+ close(fdpair[1]);
+ return false;
+ }
+
+ child->sock = fdpair[1];
+
+ return true;
+ }
+
+ /* Child */
+ child_domain = child->domain;
+
+ DEBUG(10, ("Child process %d\n", (int)getpid()));
+
+ state.cli.sock = fdpair[0];
+ close(fdpair[1]);
+
+ status = winbindd_reinit_after_fork(child, child->logfilename);
+
+ /* setup callbacks again, one of them is removed in reinit_after_fork */
+ if (lp_winbind_debug_traceid()) {
+ winbind_debug_traceid_setup(global_event_context());
+ }
+
+ nwritten = sys_write(state.cli.sock, &status, sizeof(status));
+ if (nwritten != sizeof(status)) {
+ DEBUG(1, ("fork_domain_child: Could not write status: "
+ "nwritten=%d, error=%s\n", (int)nwritten,
+ strerror(errno)));
+ _exit(0);
+ }
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1, ("winbindd_reinit_after_fork failed: %s\n",
+ nt_errstr(status)));
+ _exit(0);
+ }
+
+ if (child_domain != NULL) {
+ setproctitle("domain child [%s]", child_domain->name);
+ } else if (is_idmap_child(child)) {
+ setproctitle("idmap child");
+ }
+
+ /* Handle online/offline messages. */
+ messaging_register(global_messaging_context(), NULL,
+ MSG_WINBIND_OFFLINE, child_msg_offline);
+ messaging_register(global_messaging_context(), NULL,
+ MSG_WINBIND_ONLINE, child_msg_online);
+ messaging_register(global_messaging_context(), NULL,
+ MSG_DEBUG, debug_message);
+ messaging_register(global_messaging_context(), NULL,
+ MSG_WINBIND_IP_DROPPED,
+ winbind_msg_ip_dropped);
+ messaging_register(global_messaging_context(), NULL,
+ MSG_WINBIND_DISCONNECT_DC,
+ winbind_msg_disconnect_dc);
+ messaging_register(
+ global_messaging_context(),
+ child->logfilename,
+ MSG_SMB_CONF_UPDATED,
+ winbindd_msg_reload_services_child);
+
+ primary_domain = find_our_domain();
+
+ if (primary_domain == NULL) {
+ smb_panic("no primary domain found");
+ }
+
+ /* It doesn't matter if we allow cache login,
+ * try to bring domain online after fork. */
+ if ( child->domain ) {
+ child->domain->startup = True;
+ child->domain->startup_time = time_mono(NULL);
+ /* we can be in primary domain or in trusted domain
+ * If we are in trusted domain, set the primary domain
+ * in start-up mode */
+ if (!(child->domain->internal)) {
+ set_domain_online_request(child->domain);
+ if (!(child->domain->primary)) {
+ primary_domain->startup = True;
+ primary_domain->startup_time = time_mono(NULL);
+ set_domain_online_request(primary_domain);
+ }
+ }
+ }
+
+ /* We might be in the idmap child...*/
+ if (child->domain && !(child->domain->internal) &&
+ lp_winbind_offline_logon()) {
+
+ set_domain_online_request(child->domain);
+
+ if (primary_domain && (primary_domain != child->domain)) {
+ /* We need to talk to the primary
+ * domain as well as the trusted
+ * domain inside a trusted domain
+ * child.
+ * See the code in :
+ * set_dc_type_and_flags_trustinfo()
+ * for details.
+ */
+ set_domain_online_request(primary_domain);
+ }
+
+ child->lockout_policy_event = tevent_add_timer(
+ global_event_context(), NULL, timeval_zero(),
+ account_lockout_policy_handler,
+ child);
+ }
+
+ if (child->domain && child->domain->primary &&
+ !USE_KERBEROS_KEYTAB &&
+ lp_server_role() == ROLE_DOMAIN_MEMBER) {
+
+ struct timeval next_change;
+
+ if (calculate_next_machine_pwd_change(child->domain->name,
+ &next_change)) {
+ child->machine_password_change_event = tevent_add_timer(
+ global_event_context(), NULL, next_change,
+ machine_password_change_handler,
+ child);
+ }
+ }
+
+ fde = tevent_add_fd(global_event_context(), NULL, state.cli.sock,
+ TEVENT_FD_READ, child_handler, &state);
+ if (fde == NULL) {
+ DEBUG(1, ("tevent_add_fd failed\n"));
+ _exit(1);
+ }
+
+ while (1) {
+
+ int ret;
+ TALLOC_CTX *frame = talloc_stackframe();
+
+ ret = tevent_loop_once(global_event_context());
+ if (ret != 0) {
+ DEBUG(1, ("tevent_loop_once failed: %s\n",
+ strerror(errno)));
+ _exit(1);
+ }
+
+ if (child->domain && child->domain->startup &&
+ (time_mono(NULL) > child->domain->startup_time + 30)) {
+ /* No longer in "startup" mode. */
+ DEBUG(10,("fork_domain_child: domain %s no longer in 'startup' mode.\n",
+ child->domain->name ));
+ child->domain->startup = False;
+ }
+
+ TALLOC_FREE(frame);
+ }
+}
+
+void winbind_msg_ip_dropped_parent(struct messaging_context *msg_ctx,
+ void *private_data,
+ uint32_t msg_type,
+ struct server_id server_id,
+ DATA_BLOB *data)
+{
+ struct winbind_msg_relay_state state = {
+ .msg_ctx = msg_ctx,
+ .msg_type = msg_type,
+ .data = data,
+ };
+
+ winbind_msg_ip_dropped(msg_ctx, private_data, msg_type,
+ server_id, data);
+
+ forall_children(winbind_msg_relay_fn, &state);
+}
+
+void winbindd_terminate(bool is_parent)
+{
+ if (is_parent) {
+ /* When parent goes away we should
+ * remove the socket file. Not so
+ * when children terminate.
+ */
+ char *path = NULL;
+
+ if (asprintf(&path, "%s/%s",
+ lp_winbindd_socket_directory(), WINBINDD_SOCKET_NAME) > 0) {
+ unlink(path);
+ SAFE_FREE(path);
+ }
+ }
+
+ idmap_close();
+
+ netlogon_creds_cli_close_global_db();
+
+#if 0
+ if (interactive) {
+ TALLOC_CTX *mem_ctx = talloc_init("end_description");
+ char *description = talloc_describe_all(mem_ctx);
+
+ DEBUG(3, ("tallocs left:\n%s\n", description));
+ talloc_destroy(mem_ctx);
+ }
+#endif
+
+ if (is_parent) {
+ pidfile_unlink(lp_pid_directory(), "winbindd");
+ }
+
+ exit(0);
+}
+
+static void winbindd_sig_term_handler(struct tevent_context *ev,
+ struct tevent_signal *se,
+ int signum,
+ int count,
+ void *siginfo,
+ void *private_data)
+{
+ bool *p = talloc_get_type_abort(private_data, bool);
+ bool is_parent = *p;
+
+ TALLOC_FREE(p);
+
+ DEBUG(0,("Got sig[%d] terminate (is_parent=%d)\n",
+ signum, is_parent));
+ winbindd_terminate(is_parent);
+}
+
+bool winbindd_setup_sig_term_handler(bool parent)
+{
+ struct tevent_signal *se;
+ bool *is_parent;
+
+ is_parent = talloc(global_event_context(), bool);
+ if (!is_parent) {
+ return false;
+ }
+
+ *is_parent = parent;
+
+ se = tevent_add_signal(global_event_context(),
+ is_parent,
+ SIGTERM, 0,
+ winbindd_sig_term_handler,
+ is_parent);
+ if (!se) {
+ DEBUG(0,("failed to setup SIGTERM handler"));
+ talloc_free(is_parent);
+ return false;
+ }
+
+ se = tevent_add_signal(global_event_context(),
+ is_parent,
+ SIGINT, 0,
+ winbindd_sig_term_handler,
+ is_parent);
+ if (!se) {
+ DEBUG(0,("failed to setup SIGINT handler"));
+ talloc_free(is_parent);
+ return false;
+ }
+
+ se = tevent_add_signal(global_event_context(),
+ is_parent,
+ SIGQUIT, 0,
+ winbindd_sig_term_handler,
+ is_parent);
+ if (!se) {
+ DEBUG(0,("failed to setup SIGINT handler"));
+ talloc_free(is_parent);
+ return false;
+ }
+
+ return true;
+}
+
+static void flush_caches_noinit(void)
+{
+ /*
+ * We need to invalidate cached user list entries on a SIGHUP
+ * otherwise cached access denied errors due to restrict anonymous
+ * hang around until the sequence number changes.
+ * NB
+ * Skip uninitialized domains when flush cache.
+ * If domain is not initialized, it means it is never
+ * used or never become online. look, wcache_invalidate_cache()
+ * -> get_cache() -> init_dc_connection(). It causes a lot of traffic
+ * for unused domains and large traffic for primay domain's DC if there
+ * are many domains..
+ */
+
+ if (!wcache_invalidate_cache_noinit()) {
+ DEBUG(0, ("invalidating the cache failed; revalidate the cache\n"));
+ if (!winbindd_cache_validate_and_initialize()) {
+ exit(1);
+ }
+ }
+}
+
+static void winbindd_sig_hup_handler(struct tevent_context *ev,
+ struct tevent_signal *se,
+ int signum,
+ int count,
+ void *siginfo,
+ void *private_data)
+{
+ const char *file = (const char *)private_data;
+
+ DEBUG(1,("Reloading services after SIGHUP\n"));
+ flush_caches_noinit();
+ winbindd_reload_services_file(file);
+}
+
+bool winbindd_setup_sig_hup_handler(const char *lfile)
+{
+ struct tevent_signal *se;
+ char *file = NULL;
+
+ if (lfile) {
+ file = talloc_strdup(global_event_context(),
+ lfile);
+ if (!file) {
+ return false;
+ }
+ }
+
+ se = tevent_add_signal(global_event_context(),
+ global_event_context(),
+ SIGHUP, 0,
+ winbindd_sig_hup_handler,
+ file);
+ if (!se) {
+ return false;
+ }
+
+ return true;
+}
diff --git a/source3/winbindd/winbindd_dual_ndr.c b/source3/winbindd/winbindd_dual_ndr.c
new file mode 100644
index 0000000..48b5297
--- /dev/null
+++ b/source3/winbindd/winbindd_dual_ndr.c
@@ -0,0 +1,615 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ Provide parent->child communication based on NDR marshalling
+
+ Copyright (C) Volker Lendecke 2009
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+/*
+ * This file implements an RPC between winbind parent and child processes,
+ * leveraging the autogenerated marshalling routines for MSRPC. This is not
+ * MSRPC, as it does not go through the whole DCERPC fragmentation, we just
+ * leverage much the same infrastructure we already have for it.
+ */
+
+#include "includes.h"
+#include "winbindd/winbindd.h"
+#include "winbindd/winbindd_proto.h"
+#include "ntdomain.h"
+#include "librpc/rpc/dcesrv_core.h"
+#include "librpc/gen_ndr/ndr_winbind.h"
+#include "rpc_server/rpc_config.h"
+#include "rpc_server/rpc_server.h"
+#include "rpc_dce.h"
+#include "lib/tsocket/tsocket.h"
+
+struct wbint_bh_state {
+ struct winbindd_domain *domain;
+ struct winbindd_child *child;
+};
+
+static bool wbint_bh_is_connected(struct dcerpc_binding_handle *h)
+{
+ struct wbint_bh_state *hs = dcerpc_binding_handle_data(h,
+ struct wbint_bh_state);
+
+ if ((hs->domain == NULL) && (hs->child == NULL)) {
+ return false;
+ }
+
+ return true;
+}
+
+static uint32_t wbint_bh_set_timeout(struct dcerpc_binding_handle *h,
+ uint32_t timeout)
+{
+ /* TODO: implement timeouts */
+ return UINT32_MAX;
+}
+
+struct wbint_bh_raw_call_state {
+ struct winbindd_domain *domain;
+ uint32_t opnum;
+ DATA_BLOB in_data;
+ struct winbindd_request request;
+ struct winbindd_response *response;
+ DATA_BLOB out_data;
+};
+
+static void wbint_bh_raw_call_child_done(struct tevent_req *subreq);
+static void wbint_bh_raw_call_domain_done(struct tevent_req *subreq);
+
+static struct tevent_req *wbint_bh_raw_call_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct dcerpc_binding_handle *h,
+ const struct GUID *object,
+ uint32_t opnum,
+ uint32_t in_flags,
+ const uint8_t *in_data,
+ size_t in_length)
+{
+ struct wbint_bh_state *hs =
+ dcerpc_binding_handle_data(h,
+ struct wbint_bh_state);
+ struct tevent_req *req;
+ struct wbint_bh_raw_call_state *state;
+ bool ok;
+ struct tevent_req *subreq;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct wbint_bh_raw_call_state);
+ if (req == NULL) {
+ return NULL;
+ }
+ state->domain = hs->domain;
+ state->opnum = opnum;
+ state->in_data.data = discard_const_p(uint8_t, in_data);
+ state->in_data.length = in_length;
+
+ ok = wbint_bh_is_connected(h);
+ if (!ok) {
+ tevent_req_nterror(req, NT_STATUS_CONNECTION_DISCONNECTED);
+ return tevent_req_post(req, ev);
+ }
+
+ if ((state->domain != NULL)
+ && wcache_fetch_ndr(state, state->domain, state->opnum,
+ &state->in_data, &state->out_data)) {
+ DBG_DEBUG("Got opnum %"PRIu32" for domain %s from cache\n",
+ state->opnum, state->domain->name);
+ tevent_req_done(req);
+ return tevent_req_post(req, ev);
+ }
+
+ state->request.cmd = WINBINDD_DUAL_NDRCMD;
+ state->request.data.ndrcmd = state->opnum;
+ state->request.extra_data.data = (char *)state->in_data.data;
+ state->request.extra_len = state->in_data.length;
+
+ if (hs->child != NULL) {
+ subreq = wb_child_request_send(state, ev, hs->child,
+ &state->request);
+ if (tevent_req_nomem(subreq, req)) {
+ return tevent_req_post(req, ev);
+ }
+ tevent_req_set_callback(
+ subreq, wbint_bh_raw_call_child_done, req);
+ return req;
+ }
+
+ subreq = wb_domain_request_send(state, ev, hs->domain,
+ &state->request);
+ if (tevent_req_nomem(subreq, req)) {
+ return tevent_req_post(req, ev);
+ }
+ tevent_req_set_callback(subreq, wbint_bh_raw_call_domain_done, req);
+
+ return req;
+}
+
+static void wbint_bh_raw_call_child_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req =
+ tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct wbint_bh_raw_call_state *state =
+ tevent_req_data(req,
+ struct wbint_bh_raw_call_state);
+ int ret, err;
+
+ ret = wb_child_request_recv(subreq, state, &state->response, &err);
+ TALLOC_FREE(subreq);
+ if (ret == -1) {
+ NTSTATUS status = map_nt_error_from_unix(err);
+ tevent_req_nterror(req, status);
+ return;
+ }
+
+ state->out_data = data_blob_talloc(state,
+ state->response->extra_data.data,
+ state->response->length - sizeof(struct winbindd_response));
+ if (state->response->extra_data.data && !state->out_data.data) {
+ tevent_req_oom(req);
+ return;
+ }
+
+ if (state->domain != NULL) {
+ wcache_store_ndr(state->domain, state->opnum,
+ &state->in_data, &state->out_data);
+ }
+
+ tevent_req_done(req);
+}
+
+static void wbint_bh_raw_call_domain_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req =
+ tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct wbint_bh_raw_call_state *state =
+ tevent_req_data(req,
+ struct wbint_bh_raw_call_state);
+ int ret, err;
+
+ ret = wb_domain_request_recv(subreq, state, &state->response, &err);
+ TALLOC_FREE(subreq);
+ if (ret == -1) {
+ NTSTATUS status = map_nt_error_from_unix(err);
+ tevent_req_nterror(req, status);
+ return;
+ }
+
+ state->out_data = data_blob_talloc(state,
+ state->response->extra_data.data,
+ state->response->length - sizeof(struct winbindd_response));
+ if (state->response->extra_data.data && !state->out_data.data) {
+ tevent_req_oom(req);
+ return;
+ }
+
+ if (state->domain != NULL) {
+ wcache_store_ndr(state->domain, state->opnum,
+ &state->in_data, &state->out_data);
+ }
+
+ tevent_req_done(req);
+}
+
+static NTSTATUS wbint_bh_raw_call_recv(struct tevent_req *req,
+ TALLOC_CTX *mem_ctx,
+ uint8_t **out_data,
+ size_t *out_length,
+ uint32_t *out_flags)
+{
+ struct wbint_bh_raw_call_state *state =
+ tevent_req_data(req,
+ struct wbint_bh_raw_call_state);
+ NTSTATUS status;
+
+ if (tevent_req_is_nterror(req, &status)) {
+ tevent_req_received(req);
+ return status;
+ }
+
+ *out_data = talloc_move(mem_ctx, &state->out_data.data);
+ *out_length = state->out_data.length;
+ *out_flags = 0;
+ tevent_req_received(req);
+ return NT_STATUS_OK;
+}
+
+struct wbint_bh_disconnect_state {
+ uint8_t _dummy;
+};
+
+static struct tevent_req *wbint_bh_disconnect_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct dcerpc_binding_handle *h)
+{
+ struct wbint_bh_state *hs = dcerpc_binding_handle_data(h,
+ struct wbint_bh_state);
+ struct tevent_req *req;
+ struct wbint_bh_disconnect_state *state;
+ bool ok;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct wbint_bh_disconnect_state);
+ if (req == NULL) {
+ return NULL;
+ }
+
+ ok = wbint_bh_is_connected(h);
+ if (!ok) {
+ tevent_req_nterror(req, NT_STATUS_CONNECTION_DISCONNECTED);
+ return tevent_req_post(req, ev);
+ }
+
+ /*
+ * TODO: do a real async disconnect ...
+ */
+ hs->domain = NULL;
+ hs->child = NULL;
+
+ tevent_req_done(req);
+ return tevent_req_post(req, ev);
+}
+
+static NTSTATUS wbint_bh_disconnect_recv(struct tevent_req *req)
+{
+ NTSTATUS status;
+
+ if (tevent_req_is_nterror(req, &status)) {
+ tevent_req_received(req);
+ return status;
+ }
+
+ tevent_req_received(req);
+ return NT_STATUS_OK;
+}
+
+static bool wbint_bh_ref_alloc(struct dcerpc_binding_handle *h)
+{
+ return true;
+}
+
+static void wbint_bh_do_ndr_print(struct dcerpc_binding_handle *h,
+ int ndr_flags,
+ const void *_struct_ptr,
+ const struct ndr_interface_call *call)
+{
+ void *struct_ptr = discard_const(_struct_ptr);
+
+ if (DEBUGLEVEL < 10) {
+ return;
+ }
+
+ if (ndr_flags & NDR_IN) {
+ ndr_print_function_debug(call->ndr_print,
+ call->name,
+ ndr_flags,
+ struct_ptr);
+ }
+ if (ndr_flags & NDR_OUT) {
+ ndr_print_function_debug(call->ndr_print,
+ call->name,
+ ndr_flags,
+ struct_ptr);
+ }
+}
+
+static const struct dcerpc_binding_handle_ops wbint_bh_ops = {
+ .name = "wbint",
+ .is_connected = wbint_bh_is_connected,
+ .set_timeout = wbint_bh_set_timeout,
+ .raw_call_send = wbint_bh_raw_call_send,
+ .raw_call_recv = wbint_bh_raw_call_recv,
+ .disconnect_send = wbint_bh_disconnect_send,
+ .disconnect_recv = wbint_bh_disconnect_recv,
+
+ .ref_alloc = wbint_bh_ref_alloc,
+ .do_ndr_print = wbint_bh_do_ndr_print,
+};
+
+static NTSTATUS make_internal_ncacn_conn(TALLOC_CTX *mem_ctx,
+ const struct ndr_interface_table *table,
+ struct dcerpc_ncacn_conn **_out)
+{
+ struct dcerpc_ncacn_conn *ncacn_conn = NULL;
+
+ ncacn_conn = talloc_zero(mem_ctx, struct dcerpc_ncacn_conn);
+ if (ncacn_conn == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ ncacn_conn->p.mem_ctx = mem_ctx;
+
+ *_out = ncacn_conn;
+
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS find_ncalrpc_default_endpoint(struct dcesrv_context *dce_ctx,
+ struct dcesrv_endpoint **ep)
+{
+ TALLOC_CTX *tmp_ctx = NULL;
+ struct dcerpc_binding *binding = NULL;
+ NTSTATUS status;
+
+ tmp_ctx = talloc_new(dce_ctx);
+ if (tmp_ctx == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ /*
+ * Some services use a rpcint binding handle in their initialization,
+ * before the server is fully initialized. Search the NCALRPC endpoint
+ * with and without endpoint
+ */
+ status = dcerpc_parse_binding(tmp_ctx, "ncalrpc:", &binding);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto out;
+ }
+
+ status = dcesrv_find_endpoint(dce_ctx, binding, ep);
+ if (NT_STATUS_IS_OK(status)) {
+ goto out;
+ }
+
+ status = dcerpc_parse_binding(tmp_ctx, "ncalrpc:[WINBIND]", &binding);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto out;
+ }
+
+ status = dcesrv_find_endpoint(dce_ctx, binding, ep);
+ if (NT_STATUS_IS_OK(status)) {
+ goto out;
+ }
+
+ status = dcerpc_parse_binding(tmp_ctx, "ncalrpc:[DEFAULT]", &binding);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto out;
+ }
+
+ status = dcesrv_find_endpoint(dce_ctx, binding, ep);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto out;
+ }
+
+out:
+ talloc_free(tmp_ctx);
+ return status;
+}
+
+static NTSTATUS make_internal_dcesrv_connection(TALLOC_CTX *mem_ctx,
+ const struct ndr_interface_table *ndr_table,
+ struct dcerpc_ncacn_conn *ncacn_conn,
+ struct dcesrv_connection **_out)
+{
+ struct dcesrv_connection *conn = NULL;
+ struct dcesrv_connection_context *context = NULL;
+ struct dcesrv_endpoint *endpoint = NULL;
+ NTSTATUS status;
+
+ conn = talloc_zero(mem_ctx, struct dcesrv_connection);
+ if (conn == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ conn->dce_ctx = global_dcesrv_context();
+ conn->preferred_transfer = &ndr_transfer_syntax_ndr;
+ conn->transport.private_data = ncacn_conn;
+
+ status = find_ncalrpc_default_endpoint(conn->dce_ctx, &endpoint);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto fail;
+ }
+ conn->endpoint = endpoint;
+
+ conn->default_auth_state = talloc_zero(conn, struct dcesrv_auth);
+ if (conn->default_auth_state == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto fail;
+ }
+ conn->default_auth_state->auth_finished = true;
+
+ context = talloc_zero(conn, struct dcesrv_connection_context);
+ if (context == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto fail;
+ }
+ context->conn = conn;
+ context->context_id = 0;
+ context->transfer_syntax = *(conn->preferred_transfer);
+ context->iface = find_interface_by_syntax_id(
+ conn->endpoint, &ndr_table->syntax_id);
+ if (context->iface == NULL) {
+ status = NT_STATUS_RPC_INTERFACE_NOT_FOUND;
+ goto fail;
+ }
+
+ DLIST_ADD(conn->contexts, context);
+
+ *_out = conn;
+
+ return NT_STATUS_OK;
+fail:
+ talloc_free(conn);
+ return status;
+}
+
+static NTSTATUS set_remote_addresses(struct dcesrv_connection *conn,
+ int sock)
+{
+ struct sockaddr_storage st = { 0 };
+ struct sockaddr *sar = (struct sockaddr *)&st;
+ struct tsocket_address *remote = NULL;
+ struct tsocket_address *local = NULL;
+ socklen_t sa_len = sizeof(st);
+ NTSTATUS status;
+ int ret;
+
+ ZERO_STRUCT(st);
+ ret = getpeername(sock, sar, &sa_len);
+ if (ret != 0) {
+ status = map_nt_error_from_unix(ret);
+ DBG_ERR("getpeername failed: %s", nt_errstr(status));
+ return status;
+ }
+
+ ret = tsocket_address_bsd_from_sockaddr(conn, sar, sa_len, &remote);
+ if (ret != 0) {
+ status = map_nt_error_from_unix(ret);
+ DBG_ERR("tsocket_address_bsd_from_sockaddr failed: %s",
+ nt_errstr(status));
+ return status;
+ }
+
+ ZERO_STRUCT(st);
+ ret = getsockname(sock, sar, &sa_len);
+ if (ret != 0) {
+ status = map_nt_error_from_unix(ret);
+ DBG_ERR("getsockname failed: %s", nt_errstr(status));
+ return status;
+ }
+
+ ret = tsocket_address_bsd_from_sockaddr(conn, sar, sa_len, &local);
+ if (ret != 0) {
+ status = map_nt_error_from_unix(ret);
+ DBG_ERR("tsocket_address_bsd_from_sockaddr failed: %s",
+ nt_errstr(status));
+ return status;
+ }
+
+ conn->local_address = talloc_move(conn, &local);
+ conn->remote_address = talloc_move(conn, &remote);
+
+ return NT_STATUS_OK;
+}
+
+/* initialise a wbint binding handle */
+struct dcerpc_binding_handle *wbint_binding_handle(TALLOC_CTX *mem_ctx,
+ struct winbindd_domain *domain,
+ struct winbindd_child *child)
+{
+ struct dcerpc_binding_handle *h;
+ struct wbint_bh_state *hs;
+
+ h = dcerpc_binding_handle_create(mem_ctx,
+ &wbint_bh_ops,
+ NULL,
+ &ndr_table_winbind,
+ &hs,
+ struct wbint_bh_state,
+ __location__);
+ if (h == NULL) {
+ return NULL;
+ }
+ hs->domain = domain;
+ hs->child = child;
+
+ return h;
+}
+
+enum winbindd_result winbindd_dual_ndrcmd(struct winbindd_domain *domain,
+ struct winbindd_cli_state *state)
+{
+ struct dcerpc_ncacn_conn *ncacn_conn = NULL;
+ struct dcesrv_connection *dcesrv_conn = NULL;
+ struct dcesrv_call_state *dcesrv_call = NULL;
+ struct data_blob_list_item *rep = NULL;
+ struct dcesrv_context_callbacks *cb = NULL;
+ uint32_t opnum = state->request->data.ndrcmd;
+ TALLOC_CTX *mem_ctx;
+ NTSTATUS status;
+
+ DBG_DEBUG("Running command %s (domain '%s')\n",
+ ndr_table_winbind.calls[opnum].name,
+ domain ? domain->name : "(null)");
+
+ mem_ctx = talloc_stackframe();
+ if (mem_ctx == NULL) {
+ DBG_ERR("No memory");
+ return WINBINDD_ERROR;
+ }
+
+ status = make_internal_ncacn_conn(mem_ctx,
+ &ndr_table_winbind,
+ &ncacn_conn);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto out;
+ }
+
+ status = make_internal_dcesrv_connection(ncacn_conn,
+ &ndr_table_winbind,
+ ncacn_conn,
+ &dcesrv_conn);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto out;
+ }
+
+ status = set_remote_addresses(dcesrv_conn, state->sock);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto out;
+ }
+
+ dcesrv_call = talloc_zero(dcesrv_conn, struct dcesrv_call_state);
+ if (dcesrv_call == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto out;
+ }
+
+ dcesrv_call->conn = dcesrv_conn;
+ dcesrv_call->context = dcesrv_conn->contexts;
+ dcesrv_call->auth_state = dcesrv_conn->default_auth_state;
+
+ ZERO_STRUCT(dcesrv_call->pkt);
+ dcesrv_call->pkt.u.bind.assoc_group_id = 0;
+
+ cb = dcesrv_call->conn->dce_ctx->callbacks;
+ status = cb->assoc_group.find(
+ dcesrv_call, cb->assoc_group.private_data);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto out;
+ }
+
+ ZERO_STRUCT(dcesrv_call->pkt);
+ dcesrv_call->pkt.u.request.opnum = opnum;
+ dcesrv_call->pkt.u.request.context_id = 0;
+ dcesrv_call->pkt.u.request.stub_and_verifier =
+ data_blob_const(state->request->extra_data.data,
+ state->request->extra_len);
+
+ status = dcesrv_call_dispatch_local(dcesrv_call);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto out;
+ }
+
+ rep = dcesrv_call->replies;
+ DLIST_REMOVE(dcesrv_call->replies, rep);
+
+ state->response->extra_data.data = talloc_steal(state->mem_ctx,
+ rep->blob.data);
+ state->response->length += rep->blob.length;
+
+ talloc_free(rep);
+
+out:
+ talloc_free(mem_ctx);
+ if (NT_STATUS_IS_OK(status)) {
+ return WINBINDD_OK;
+ }
+ return WINBINDD_ERROR;
+}
diff --git a/source3/winbindd/winbindd_dual_srv.c b/source3/winbindd/winbindd_dual_srv.c
new file mode 100644
index 0000000..ffa4ad9
--- /dev/null
+++ b/source3/winbindd/winbindd_dual_srv.c
@@ -0,0 +1,2071 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ In-Child server implementation of the routines defined in wbint.idl
+
+ Copyright (C) Volker Lendecke 2009
+ Copyright (C) Guenther Deschner 2009
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "winbindd/winbindd.h"
+#include "winbindd/winbindd_proto.h"
+#include "rpc_client/cli_pipe.h"
+#include "ntdomain.h"
+#include "librpc/rpc/dcesrv_core.h"
+#include "librpc/gen_ndr/ndr_winbind.h"
+#include "librpc/gen_ndr/ndr_winbind_scompat.h"
+#include "../librpc/gen_ndr/ndr_netlogon_c.h"
+#include "../librpc/gen_ndr/ndr_lsa_c.h"
+#include "idmap.h"
+#include "../libcli/security/security.h"
+#include "../libcli/auth/netlogon_creds_cli.h"
+#include "passdb.h"
+#include "../source4/dsdb/samdb/samdb.h"
+#include "rpc_client/cli_netlogon.h"
+#include "rpc_client/util_netlogon.h"
+#include "libsmb/dsgetdcname.h"
+#include "lib/global_contexts.h"
+
+NTSTATUS _wbint_Ping(struct pipes_struct *p, struct wbint_Ping *r)
+{
+ *r->out.out_data = r->in.in_data;
+ return NT_STATUS_OK;
+}
+
+NTSTATUS _wbint_InitConnection(struct pipes_struct *p,
+ struct wbint_InitConnection *r)
+{
+ struct winbindd_domain *domain = wb_child_domain();
+
+ if (r->in.dcname != NULL && strlen(r->in.dcname) > 0) {
+ TALLOC_FREE(domain->dcname);
+ domain->dcname = talloc_strdup(domain, r->in.dcname);
+ if (domain->dcname == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
+
+ init_dc_connection(domain, false);
+
+ if (!domain->initialized) {
+ /*
+ * If we return error here we can't do any cached
+ * authentication, but we may be in disconnected mode and can't
+ * initialize correctly. Do what the previous code did and just
+ * return without initialization, once we go online we'll
+ * re-initialize.
+ */
+ DBG_INFO("%s returning without initialization online = %d\n",
+ domain->name, (int)domain->online);
+ }
+
+ *r->out.name = talloc_strdup(p->mem_ctx, domain->name);
+ if (*r->out.name == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if (domain->alt_name != NULL) {
+ *r->out.alt_name = talloc_strdup(p->mem_ctx, domain->alt_name);
+ if (*r->out.alt_name == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
+
+ r->out.sid = dom_sid_dup(p->mem_ctx, &domain->sid);
+ if (r->out.sid == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ *r->out.flags = 0;
+ if (domain->native_mode) {
+ *r->out.flags |= WB_DOMINFO_DOMAIN_NATIVE;
+ }
+ if (domain->active_directory) {
+ *r->out.flags |= WB_DOMINFO_DOMAIN_AD;
+ }
+ if (domain->primary) {
+ *r->out.flags |= WB_DOMINFO_DOMAIN_PRIMARY;
+ }
+
+ return NT_STATUS_OK;
+}
+
+bool reset_cm_connection_on_error(struct winbindd_domain *domain,
+ struct dcerpc_binding_handle *b,
+ NTSTATUS status)
+{
+ if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) ||
+ NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR) ||
+ NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED)) {
+ invalidate_cm_connection(domain);
+ domain->conn.netlogon_force_reauth = true;
+ return true;
+ }
+
+ if (NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) ||
+ NT_STATUS_EQUAL(status, NT_STATUS_IO_DEVICE_ERROR))
+ {
+ invalidate_cm_connection(domain);
+ /* We invalidated the connection. */
+ return true;
+ }
+
+ if (b != NULL && !dcerpc_binding_handle_is_connected(b)) {
+ invalidate_cm_connection(domain);
+ return true;
+ }
+
+ return false;
+}
+
+NTSTATUS _wbint_LookupSid(struct pipes_struct *p, struct wbint_LookupSid *r)
+{
+ struct winbindd_domain *domain = wb_child_domain();
+ char *dom_name;
+ char *name;
+ enum lsa_SidType type;
+ NTSTATUS status;
+
+ if (domain == NULL) {
+ return NT_STATUS_REQUEST_NOT_ACCEPTED;
+ }
+
+ status = wb_cache_sid_to_name(domain, p->mem_ctx, r->in.sid,
+ &dom_name, &name, &type);
+ reset_cm_connection_on_error(domain, NULL, status);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ *r->out.domain = dom_name;
+ *r->out.name = name;
+ *r->out.type = type;
+ return NT_STATUS_OK;
+}
+
+NTSTATUS _wbint_LookupSids(struct pipes_struct *p, struct wbint_LookupSids *r)
+{
+ struct winbindd_domain *domain = wb_child_domain();
+ struct lsa_RefDomainList *domains = r->out.domains;
+ NTSTATUS status;
+ bool retry = false;
+
+ if (domain == NULL) {
+ return NT_STATUS_REQUEST_NOT_ACCEPTED;
+ }
+
+ /*
+ * This breaks the winbindd_domain->methods abstraction: This
+ * is only called for remote domains, and both winbindd_msrpc
+ * and winbindd_ad call into lsa_lookupsids anyway. Caching is
+ * done at the wbint RPC layer.
+ */
+again:
+ status = rpc_lookup_sids(p->mem_ctx, domain, r->in.sids,
+ &domains, &r->out.names);
+
+ if (domains != NULL) {
+ r->out.domains = domains;
+ }
+
+ if (!retry && reset_cm_connection_on_error(domain, NULL, status)) {
+ retry = true;
+ goto again;
+ }
+
+ return status;
+}
+
+NTSTATUS _wbint_LookupName(struct pipes_struct *p, struct wbint_LookupName *r)
+{
+ struct winbindd_domain *domain = wb_child_domain();
+ NTSTATUS status;
+
+ if (domain == NULL) {
+ return NT_STATUS_REQUEST_NOT_ACCEPTED;
+ }
+
+ status = wb_cache_name_to_sid(domain, p->mem_ctx, r->in.domain,
+ r->in.name, r->in.flags,
+ r->out.sid, r->out.type);
+ reset_cm_connection_on_error(domain, NULL, status);
+ return status;
+}
+
+NTSTATUS _wbint_Sids2UnixIDs(struct pipes_struct *p,
+ struct wbint_Sids2UnixIDs *r)
+{
+ uint32_t i;
+
+ struct lsa_DomainInfo *d;
+ struct wbint_TransID *ids;
+ uint32_t num_ids;
+
+ struct id_map **id_map_ptrs = NULL;
+ struct idmap_domain *dom;
+ NTSTATUS status = NT_STATUS_NO_MEMORY;
+
+ if (r->in.domains->count != 1) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ d = &r->in.domains->domains[0];
+ ids = r->in.ids->ids;
+ num_ids = r->in.ids->num_ids;
+
+ dom = idmap_find_domain_with_sid(d->name.string, d->sid);
+ if (dom == NULL) {
+ struct dom_sid_buf buf;
+ DEBUG(10, ("idmap domain %s:%s not found\n",
+ d->name.string,
+ dom_sid_str_buf(d->sid, &buf)));
+
+ for (i=0; i<num_ids; i++) {
+
+ ids[i].xid = (struct unixid) {
+ .id = UINT32_MAX,
+ .type = ID_TYPE_NOT_SPECIFIED
+ };
+ }
+
+ return NT_STATUS_OK;
+ }
+
+ id_map_ptrs = id_map_ptrs_init(talloc_tos(), num_ids);
+ if (id_map_ptrs == NULL) {
+ goto nomem;
+ }
+
+ /*
+ * Convert the input data into a list of id_map structs
+ * suitable for handing in to the idmap sids_to_unixids
+ * method.
+ */
+
+ for (i=0; i<num_ids; i++) {
+ struct id_map *m = id_map_ptrs[i];
+
+ sid_compose(m->sid, d->sid, ids[i].rid);
+ m->status = ID_UNKNOWN;
+ m->xid = (struct unixid) { .type = ids[i].type_hint };
+ }
+
+ status = dom->methods->sids_to_unixids(dom, id_map_ptrs);
+
+ if (NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED)) {
+ /*
+ * This is okay. We need to transfer the mapped ones
+ * up to our caller. The individual mappings carry the
+ * information whether they are mapped or not.
+ */
+ status = NT_STATUS_OK;
+ }
+
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(10, ("sids_to_unixids returned %s\n",
+ nt_errstr(status)));
+ goto done;
+ }
+
+ /*
+ * Extract the results for handing them back to the caller.
+ */
+
+ for (i=0; i<num_ids; i++) {
+ struct id_map *m = id_map_ptrs[i];
+
+ if (m->status == ID_REQUIRE_TYPE) {
+ ids[i].xid.id = UINT32_MAX;
+ ids[i].xid.type = ID_TYPE_WB_REQUIRE_TYPE;
+ continue;
+ }
+
+ if (!idmap_unix_id_is_in_range(m->xid.id, dom)) {
+ DBG_DEBUG("id %"PRIu32" is out of range "
+ "%"PRIu32"-%"PRIu32" for domain %s\n",
+ m->xid.id, dom->low_id, dom->high_id,
+ dom->name);
+ m->status = ID_UNMAPPED;
+ }
+
+ if (m->status == ID_MAPPED) {
+ ids[i].xid = m->xid;
+ } else {
+ ids[i].xid.id = UINT32_MAX;
+ ids[i].xid.type = ID_TYPE_NOT_SPECIFIED;
+ }
+ }
+
+ goto done;
+nomem:
+ status = NT_STATUS_NO_MEMORY;
+done:
+ TALLOC_FREE(id_map_ptrs);
+ return status;
+}
+
+NTSTATUS _wbint_UnixIDs2Sids(struct pipes_struct *p,
+ struct wbint_UnixIDs2Sids *r)
+{
+ struct id_map **maps;
+ NTSTATUS status;
+ uint32_t i;
+
+ maps = id_map_ptrs_init(talloc_tos(), r->in.num_ids);
+ if (maps == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ for (i=0; i<r->in.num_ids; i++) {
+ maps[i]->status = ID_UNKNOWN;
+ maps[i]->xid = r->in.xids[i];
+ }
+
+ status = idmap_backend_unixids_to_sids(maps, r->in.domain_name,
+ r->in.domain_sid);
+ if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(maps);
+ return status;
+ }
+
+ for (i=0; i<r->in.num_ids; i++) {
+ if (maps[i]->status == ID_MAPPED) {
+ r->out.xids[i] = maps[i]->xid;
+ sid_copy(&r->out.sids[i], maps[i]->sid);
+ } else {
+ r->out.sids[i] = (struct dom_sid) { 0 };
+ }
+ }
+
+ TALLOC_FREE(maps);
+
+ return NT_STATUS_OK;
+}
+
+NTSTATUS _wbint_AllocateUid(struct pipes_struct *p, struct wbint_AllocateUid *r)
+{
+ struct unixid xid;
+ NTSTATUS status;
+
+ status = idmap_allocate_uid(&xid);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ *r->out.uid = xid.id;
+ return NT_STATUS_OK;
+}
+
+NTSTATUS _wbint_AllocateGid(struct pipes_struct *p, struct wbint_AllocateGid *r)
+{
+ struct unixid xid;
+ NTSTATUS status;
+
+ status = idmap_allocate_gid(&xid);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ *r->out.gid = xid.id;
+ return NT_STATUS_OK;
+}
+
+NTSTATUS _wbint_GetNssInfo(struct pipes_struct *p, struct wbint_GetNssInfo *r)
+{
+ struct idmap_domain *domain;
+ NTSTATUS status;
+
+ domain = idmap_find_domain(r->in.info->domain_name);
+ if ((domain == NULL) || (domain->query_user == NULL)) {
+ return NT_STATUS_REQUEST_NOT_ACCEPTED;
+ }
+
+ status = domain->query_user(domain, r->in.info);
+ return status;
+}
+
+NTSTATUS _wbint_LookupUserAliases(struct pipes_struct *p,
+ struct wbint_LookupUserAliases *r)
+{
+ struct winbindd_domain *domain = wb_child_domain();
+ NTSTATUS status;
+
+ if (domain == NULL) {
+ return NT_STATUS_REQUEST_NOT_ACCEPTED;
+ }
+
+ status = wb_cache_lookup_useraliases(domain, p->mem_ctx,
+ r->in.sids->num_sids,
+ r->in.sids->sids,
+ &r->out.rids->num_rids,
+ &r->out.rids->rids);
+ reset_cm_connection_on_error(domain, NULL, status);
+ return status;
+}
+
+NTSTATUS _wbint_LookupUserGroups(struct pipes_struct *p,
+ struct wbint_LookupUserGroups *r)
+{
+ struct winbindd_domain *domain = wb_child_domain();
+ NTSTATUS status;
+
+ if (domain == NULL) {
+ return NT_STATUS_REQUEST_NOT_ACCEPTED;
+ }
+
+ status = wb_cache_lookup_usergroups(domain, p->mem_ctx, r->in.sid,
+ &r->out.sids->num_sids,
+ &r->out.sids->sids);
+ reset_cm_connection_on_error(domain, NULL, status);
+ return status;
+}
+
+NTSTATUS _wbint_QuerySequenceNumber(struct pipes_struct *p,
+ struct wbint_QuerySequenceNumber *r)
+{
+ struct winbindd_domain *domain = wb_child_domain();
+ NTSTATUS status;
+
+ if (domain == NULL) {
+ return NT_STATUS_REQUEST_NOT_ACCEPTED;
+ }
+
+ status = wb_cache_sequence_number(domain, r->out.sequence);
+ reset_cm_connection_on_error(domain, NULL, status);
+ return status;
+}
+
+NTSTATUS _wbint_LookupGroupMembers(struct pipes_struct *p,
+ struct wbint_LookupGroupMembers *r)
+{
+ struct winbindd_domain *domain = wb_child_domain();
+ uint32_t i, num_names;
+ struct dom_sid *sid_mem;
+ char **names;
+ uint32_t *name_types;
+ NTSTATUS status;
+
+ if (domain == NULL) {
+ return NT_STATUS_REQUEST_NOT_ACCEPTED;
+ }
+
+ status = wb_cache_lookup_groupmem(domain, p->mem_ctx, r->in.sid,
+ r->in.type, &num_names, &sid_mem,
+ &names, &name_types);
+ reset_cm_connection_on_error(domain, NULL, status);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ r->out.members->num_principals = num_names;
+ r->out.members->principals = talloc_array(
+ r->out.members, struct wbint_Principal, num_names);
+ if (r->out.members->principals == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ for (i=0; i<num_names; i++) {
+ struct wbint_Principal *m = &r->out.members->principals[i];
+ sid_copy(&m->sid, &sid_mem[i]);
+ m->name = talloc_move(r->out.members->principals, &names[i]);
+ m->type = (enum lsa_SidType)name_types[i];
+ }
+
+ return NT_STATUS_OK;
+}
+
+NTSTATUS _wbint_QueryGroupList(struct pipes_struct *p,
+ struct wbint_QueryGroupList *r)
+{
+ TALLOC_CTX *frame = NULL;
+ struct winbindd_domain *domain = wb_child_domain();
+ uint32_t i;
+ uint32_t num_local_groups = 0;
+ struct wb_acct_info *local_groups = NULL;
+ uint32_t num_dom_groups = 0;
+ struct wb_acct_info *dom_groups = NULL;
+ uint32_t ti = 0;
+ uint64_t num_total = 0;
+ struct wbint_Principal *result;
+ NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
+ bool include_local_groups = false;
+
+ if (domain == NULL) {
+ return NT_STATUS_REQUEST_NOT_ACCEPTED;
+ }
+
+ frame = talloc_stackframe();
+
+ switch (lp_server_role()) {
+ case ROLE_ACTIVE_DIRECTORY_DC:
+ if (domain->internal) {
+ /*
+ * we want to include local groups
+ * for BUILTIN and WORKGROUP
+ */
+ include_local_groups = true;
+ }
+ break;
+ default:
+ /*
+ * We might include local groups in more
+ * setups later, but that requires more work
+ * elsewhere.
+ */
+ break;
+ }
+
+ if (include_local_groups) {
+ status = wb_cache_enum_local_groups(domain, frame,
+ &num_local_groups,
+ &local_groups);
+ reset_cm_connection_on_error(domain, NULL, status);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto out;
+ }
+ }
+
+ status = wb_cache_enum_dom_groups(domain, frame,
+ &num_dom_groups,
+ &dom_groups);
+ reset_cm_connection_on_error(domain, NULL, status);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto out;
+ }
+
+ num_total = num_local_groups + num_dom_groups;
+ if (num_total > UINT32_MAX) {
+ status = NT_STATUS_INTERNAL_ERROR;
+ goto out;
+ }
+
+ result = talloc_array(frame, struct wbint_Principal, num_total);
+ if (result == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto out;
+ }
+
+ for (i = 0; i < num_local_groups; i++) {
+ struct wb_acct_info *lg = &local_groups[i];
+ struct wbint_Principal *rg = &result[ti++];
+
+ sid_compose(&rg->sid, &domain->sid, lg->rid);
+ rg->type = SID_NAME_ALIAS;
+ rg->name = talloc_strdup(result, lg->acct_name);
+ if (rg->name == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto out;
+ }
+ }
+ num_local_groups = 0;
+
+ for (i = 0; i < num_dom_groups; i++) {
+ struct wb_acct_info *dg = &dom_groups[i];
+ struct wbint_Principal *rg = &result[ti++];
+
+ sid_compose(&rg->sid, &domain->sid, dg->rid);
+ rg->type = SID_NAME_DOM_GRP;
+ rg->name = talloc_strdup(result, dg->acct_name);
+ if (rg->name == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto out;
+ }
+ }
+ num_dom_groups = 0;
+
+ r->out.groups->num_principals = ti;
+ r->out.groups->principals = talloc_move(r->out.groups, &result);
+
+ status = NT_STATUS_OK;
+out:
+ TALLOC_FREE(frame);
+ return status;
+}
+
+NTSTATUS _wbint_QueryUserRidList(struct pipes_struct *p,
+ struct wbint_QueryUserRidList *r)
+{
+ struct winbindd_domain *domain = wb_child_domain();
+ NTSTATUS status;
+
+ if (domain == NULL) {
+ return NT_STATUS_REQUEST_NOT_ACCEPTED;
+ }
+
+ /*
+ * Right now this is overkill. We should add a backend call
+ * just querying the rids.
+ */
+
+ status = wb_cache_query_user_list(domain, p->mem_ctx,
+ &r->out.rids->rids);
+ reset_cm_connection_on_error(domain, NULL, status);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ r->out.rids->num_rids = talloc_array_length(r->out.rids->rids);
+
+ return NT_STATUS_OK;
+}
+
+NTSTATUS _wbint_DsGetDcName(struct pipes_struct *p, struct wbint_DsGetDcName *r)
+{
+ struct winbindd_domain *domain = wb_child_domain();
+ struct rpc_pipe_client *netlogon_pipe;
+ struct netr_DsRGetDCNameInfo *dc_info;
+ NTSTATUS status;
+ WERROR werr;
+ unsigned int orig_timeout;
+ struct dcerpc_binding_handle *b;
+ bool retry = false;
+ bool try_dsrgetdcname = false;
+
+ if (domain == NULL) {
+ return dsgetdcname(p->mem_ctx, global_messaging_context(),
+ r->in.domain_name, r->in.domain_guid,
+ r->in.site_name ? r->in.site_name : "",
+ r->in.flags,
+ r->out.dc_info);
+ }
+
+ if (domain->active_directory) {
+ try_dsrgetdcname = true;
+ }
+
+reconnect:
+ status = cm_connect_netlogon(domain, &netlogon_pipe);
+
+ reset_cm_connection_on_error(domain, NULL, status);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(10, ("Can't contact the NETLOGON pipe\n"));
+ return status;
+ }
+
+ b = netlogon_pipe->binding_handle;
+
+ /* This call can take a long time - allow the server to time out.
+ 35 seconds should do it. */
+
+ orig_timeout = rpccli_set_timeout(netlogon_pipe, 35000);
+
+ if (try_dsrgetdcname) {
+ status = dcerpc_netr_DsRGetDCName(b,
+ p->mem_ctx, domain->dcname,
+ r->in.domain_name, NULL, r->in.domain_guid,
+ r->in.flags, r->out.dc_info, &werr);
+ if (NT_STATUS_IS_OK(status) && W_ERROR_IS_OK(werr)) {
+ goto done;
+ }
+ if (!retry &&
+ reset_cm_connection_on_error(domain, NULL, status))
+ {
+ retry = true;
+ goto reconnect;
+ }
+ try_dsrgetdcname = false;
+ retry = false;
+ }
+
+ /*
+ * Fallback to less capable methods
+ */
+
+ dc_info = talloc_zero(r->out.dc_info, struct netr_DsRGetDCNameInfo);
+ if (dc_info == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
+
+ if (r->in.flags & DS_PDC_REQUIRED) {
+ status = dcerpc_netr_GetDcName(b,
+ p->mem_ctx, domain->dcname,
+ r->in.domain_name, &dc_info->dc_unc, &werr);
+ } else {
+ status = dcerpc_netr_GetAnyDCName(b,
+ p->mem_ctx, domain->dcname,
+ r->in.domain_name, &dc_info->dc_unc, &werr);
+ }
+
+ if (!retry && reset_cm_connection_on_error(domain, b, status)) {
+ retry = true;
+ goto reconnect;
+ }
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(10, ("dcerpc_netr_Get[Any]DCName failed: %s\n",
+ nt_errstr(status)));
+ goto done;
+ }
+ if (!W_ERROR_IS_OK(werr)) {
+ DEBUG(10, ("dcerpc_netr_Get[Any]DCName failed: %s\n",
+ win_errstr(werr)));
+ status = werror_to_ntstatus(werr);
+ goto done;
+ }
+
+ *r->out.dc_info = dc_info;
+ status = NT_STATUS_OK;
+
+done:
+ /* And restore our original timeout. */
+ rpccli_set_timeout(netlogon_pipe, orig_timeout);
+
+ return status;
+}
+
+NTSTATUS _wbint_LookupRids(struct pipes_struct *p, struct wbint_LookupRids *r)
+{
+ struct winbindd_domain *domain = wb_child_domain();
+ char *domain_name;
+ char **names;
+ enum lsa_SidType *types;
+ struct wbint_Principal *result;
+ NTSTATUS status;
+ uint32_t i;
+
+ if (domain == NULL) {
+ return NT_STATUS_REQUEST_NOT_ACCEPTED;
+ }
+
+ status = wb_cache_rids_to_names(domain, talloc_tos(), r->in.domain_sid,
+ r->in.rids->rids, r->in.rids->num_rids,
+ &domain_name, &names, &types);
+ reset_cm_connection_on_error(domain, NULL, status);
+ if (!NT_STATUS_IS_OK(status) &&
+ !NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED)) {
+ return status;
+ }
+
+ *r->out.domain_name = talloc_move(r->out.domain_name, &domain_name);
+
+ result = talloc_array(p->mem_ctx, struct wbint_Principal,
+ r->in.rids->num_rids);
+ if (result == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ for (i=0; i<r->in.rids->num_rids; i++) {
+ sid_compose(&result[i].sid, r->in.domain_sid,
+ r->in.rids->rids[i]);
+ result[i].type = types[i];
+ result[i].name = talloc_move(result, &names[i]);
+ }
+ TALLOC_FREE(types);
+ TALLOC_FREE(names);
+
+ r->out.names->num_principals = r->in.rids->num_rids;
+ r->out.names->principals = result;
+ return NT_STATUS_OK;
+}
+
+NTSTATUS _wbint_CheckMachineAccount(struct pipes_struct *p,
+ struct wbint_CheckMachineAccount *r)
+{
+ struct winbindd_domain *domain;
+ int num_retries = 0;
+ NTSTATUS status;
+
+ domain = wb_child_domain();
+ if (domain == NULL) {
+ return NT_STATUS_REQUEST_NOT_ACCEPTED;
+ }
+
+again:
+ invalidate_cm_connection(domain);
+ domain->conn.netlogon_force_reauth = true;
+
+ {
+ struct rpc_pipe_client *netlogon_pipe = NULL;
+ struct netlogon_creds_cli_context *netlogon_creds_ctx = NULL;
+ status = cm_connect_netlogon_secure(domain,
+ &netlogon_pipe,
+ &netlogon_creds_ctx);
+ }
+
+ /* There is a race condition between fetching the trust account
+ password and the periodic machine password change. So it's
+ possible that the trust account password has been changed on us.
+ We are returned NT_STATUS_ACCESS_DENIED if this happens. */
+
+#define MAX_RETRIES 3
+
+ if ((num_retries < MAX_RETRIES)
+ && NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
+ num_retries++;
+ goto again;
+ }
+
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(3, ("could not open handle to NETLOGON pipe\n"));
+ goto done;
+ }
+
+ /* Pass back result code - zero for success, other values for
+ specific failures. */
+
+ DEBUG(3,("domain %s secret is %s\n", domain->name,
+ NT_STATUS_IS_OK(status) ? "good" : "bad"));
+
+ done:
+ DEBUG(NT_STATUS_IS_OK(status) ? 5 : 2,
+ ("Checking the trust account password for domain %s returned %s\n",
+ domain->name, nt_errstr(status)));
+
+ return status;
+}
+
+NTSTATUS _wbint_ChangeMachineAccount(struct pipes_struct *p,
+ struct wbint_ChangeMachineAccount *r)
+{
+ struct messaging_context *msg_ctx = global_messaging_context();
+ struct winbindd_domain *domain;
+ NTSTATUS status;
+ struct rpc_pipe_client *netlogon_pipe = NULL;
+ struct netlogon_creds_cli_context *netlogon_creds_ctx = NULL;
+
+ domain = wb_child_domain();
+ if (domain == NULL) {
+ return NT_STATUS_REQUEST_NOT_ACCEPTED;
+ }
+
+ status = cm_connect_netlogon_secure(domain,
+ &netlogon_pipe,
+ &netlogon_creds_ctx);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(3, ("could not open handle to NETLOGON pipe\n"));
+ goto done;
+ }
+
+ status = trust_pw_change(netlogon_creds_ctx,
+ msg_ctx,
+ netlogon_pipe->binding_handle,
+ domain->name,
+ domain->dcname,
+ true); /* force */
+
+ /* Pass back result code - zero for success, other values for
+ specific failures. */
+
+ DEBUG(3,("domain %s secret %s\n", domain->name,
+ NT_STATUS_IS_OK(status) ? "changed" : "unchanged"));
+
+ done:
+ DEBUG(NT_STATUS_IS_OK(status) ? 5 : 2,
+ ("Changing the trust account password for domain %s returned %s\n",
+ domain->name, nt_errstr(status)));
+
+ return status;
+}
+
+NTSTATUS _wbint_PingDc(struct pipes_struct *p, struct wbint_PingDc *r)
+{
+ NTSTATUS status;
+ struct winbindd_domain *domain;
+ struct rpc_pipe_client *netlogon_pipe;
+ union netr_CONTROL_QUERY_INFORMATION info;
+ WERROR werr;
+ fstring logon_server;
+ struct dcerpc_binding_handle *b;
+ bool retry = false;
+
+ domain = wb_child_domain();
+ if (domain == NULL) {
+ return NT_STATUS_REQUEST_NOT_ACCEPTED;
+ }
+
+reconnect:
+ status = cm_connect_netlogon(domain, &netlogon_pipe);
+ reset_cm_connection_on_error(domain, NULL, status);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(3, ("could not open handle to NETLOGON pipe: %s\n",
+ nt_errstr(status)));
+ return status;
+ }
+
+ b = netlogon_pipe->binding_handle;
+
+ fstr_sprintf(logon_server, "\\\\%s", domain->dcname);
+ *r->out.dcname = talloc_strdup(p->mem_ctx, domain->dcname);
+ if (*r->out.dcname == NULL) {
+ DEBUG(2, ("Could not allocate memory\n"));
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ /*
+ * This provokes a WERR_NOT_SUPPORTED error message. This is
+ * documented in the wspp docs. I could not get a successful
+ * call to work, but the main point here is testing that the
+ * netlogon pipe works.
+ */
+ status = dcerpc_netr_LogonControl(b, p->mem_ctx,
+ logon_server, NETLOGON_CONTROL_QUERY,
+ 2, &info, &werr);
+
+ if (!retry && reset_cm_connection_on_error(domain, b, status)) {
+ retry = true;
+ goto reconnect;
+ }
+
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(2, ("dcerpc_netr_LogonControl failed: %s\n",
+ nt_errstr(status)));
+ return status;
+ }
+
+ if (!W_ERROR_EQUAL(werr, WERR_NOT_SUPPORTED)) {
+ DEBUG(2, ("dcerpc_netr_LogonControl returned %s, expected "
+ "WERR_NOT_SUPPORTED\n",
+ win_errstr(werr)));
+ return werror_to_ntstatus(werr);
+ }
+
+ DEBUG(5, ("winbindd_dual_ping_dc succeeded\n"));
+ return NT_STATUS_OK;
+}
+
+NTSTATUS _winbind_DsrUpdateReadOnlyServerDnsRecords(struct pipes_struct *p,
+ struct winbind_DsrUpdateReadOnlyServerDnsRecords *r)
+{
+ struct winbindd_domain *domain;
+ NTSTATUS status;
+ struct rpc_pipe_client *netlogon_pipe = NULL;
+ struct netlogon_creds_cli_context *netlogon_creds_ctx = NULL;
+ struct dcerpc_binding_handle *b = NULL;
+ bool retry = false;
+
+ domain = wb_child_domain();
+ if (domain == NULL) {
+ return NT_STATUS_REQUEST_NOT_ACCEPTED;
+ }
+
+reconnect:
+ status = cm_connect_netlogon_secure(domain,
+ &netlogon_pipe,
+ &netlogon_creds_ctx);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(3, ("could not open handle to NETLOGON pipe\n"));
+ goto done;
+ }
+
+ b = netlogon_pipe->binding_handle;
+
+ status = netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords(netlogon_creds_ctx,
+ netlogon_pipe->binding_handle,
+ r->in.site_name,
+ r->in.dns_ttl,
+ r->in.dns_names);
+
+ if (!retry && reset_cm_connection_on_error(domain, b, status)) {
+ retry = true;
+ goto reconnect;
+ }
+
+ /* Pass back result code - zero for success, other values for
+ specific failures. */
+
+ DEBUG(3,("DNS records for domain %s %s\n", domain->name,
+ NT_STATUS_IS_OK(status) ? "changed" : "unchanged"));
+
+ done:
+ DEBUG(NT_STATUS_IS_OK(status) ? 5 : 2,
+ ("Update of DNS records via RW DC %s returned %s\n",
+ domain->name, nt_errstr(status)));
+
+ return status;
+}
+
+NTSTATUS _winbind_SamLogon(struct pipes_struct *p,
+ struct winbind_SamLogon *r)
+{
+ struct dcesrv_call_state *dce_call = p->dce_call;
+ struct dcesrv_connection *dcesrv_conn = dce_call->conn;
+ const struct tsocket_address *local_address =
+ dcesrv_connection_get_local_address(dcesrv_conn);
+ const struct tsocket_address *remote_address =
+ dcesrv_connection_get_remote_address(dcesrv_conn);
+ struct winbindd_domain *domain;
+ NTSTATUS status;
+ struct netr_IdentityInfo *identity_info = NULL;
+ DATA_BLOB lm_response, nt_response;
+ DATA_BLOB challenge = data_blob_null;
+ uint32_t flags = 0;
+ uint16_t validation_level;
+ union netr_Validation *validation = NULL;
+ bool interactive = false;
+
+ /*
+ * Make sure we start with authoritative=true,
+ * it will only set to false if we don't know the
+ * domain.
+ */
+ r->out.authoritative = true;
+
+ domain = wb_child_domain();
+ if (domain == NULL) {
+ return NT_STATUS_REQUEST_NOT_ACCEPTED;
+ }
+
+ switch (r->in.validation_level) {
+ case 3:
+ case 6:
+ break;
+ default:
+ return NT_STATUS_REQUEST_NOT_ACCEPTED;
+ }
+
+ switch (r->in.logon_level) {
+ case NetlogonInteractiveInformation:
+ case NetlogonServiceInformation:
+ case NetlogonInteractiveTransitiveInformation:
+ case NetlogonServiceTransitiveInformation:
+ if (r->in.logon.password == NULL) {
+ return NT_STATUS_REQUEST_NOT_ACCEPTED;
+ }
+
+ interactive = true;
+ identity_info = &r->in.logon.password->identity_info;
+
+ challenge = data_blob_null;
+ lm_response = data_blob_talloc(p->mem_ctx,
+ r->in.logon.password->lmpassword.hash,
+ sizeof(r->in.logon.password->lmpassword.hash));
+ nt_response = data_blob_talloc(p->mem_ctx,
+ r->in.logon.password->ntpassword.hash,
+ sizeof(r->in.logon.password->ntpassword.hash));
+ break;
+
+ case NetlogonNetworkInformation:
+ case NetlogonNetworkTransitiveInformation:
+ if (r->in.logon.network == NULL) {
+ return NT_STATUS_REQUEST_NOT_ACCEPTED;
+ }
+
+ interactive = false;
+ identity_info = &r->in.logon.network->identity_info;
+
+ challenge = data_blob_talloc(p->mem_ctx,
+ r->in.logon.network->challenge,
+ 8);
+ lm_response = data_blob_talloc(p->mem_ctx,
+ r->in.logon.network->lm.data,
+ r->in.logon.network->lm.length);
+ nt_response = data_blob_talloc(p->mem_ctx,
+ r->in.logon.network->nt.data,
+ r->in.logon.network->nt.length);
+ break;
+
+ case NetlogonGenericInformation:
+ if (r->in.logon.generic == NULL) {
+ return NT_STATUS_REQUEST_NOT_ACCEPTED;
+ }
+
+ identity_info = &r->in.logon.generic->identity_info;
+ /*
+ * Not implemented here...
+ */
+ return NT_STATUS_REQUEST_NOT_ACCEPTED;
+
+ default:
+ return NT_STATUS_REQUEST_NOT_ACCEPTED;
+ }
+
+ status = winbind_dual_SamLogon(domain, p->mem_ctx,
+ interactive,
+ identity_info->parameter_control,
+ identity_info->account_name.string,
+ identity_info->domain_name.string,
+ identity_info->workstation.string,
+ identity_info->logon_id,
+ "SamLogon",
+ 0,
+ challenge,
+ lm_response, nt_response,
+ remote_address,
+ local_address,
+ &r->out.authoritative,
+ true, /* skip_sam */
+ &flags,
+ &validation_level,
+ &validation);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ switch (r->in.validation_level) {
+ case 3:
+ status = map_validation_to_info3(p->mem_ctx,
+ validation_level,
+ validation,
+ &r->out.validation.sam3);
+ TALLOC_FREE(validation);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ return NT_STATUS_OK;
+ case 6:
+ status = map_validation_to_info6(p->mem_ctx,
+ validation_level,
+ validation,
+ &r->out.validation.sam6);
+ TALLOC_FREE(validation);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ return NT_STATUS_OK;
+ }
+
+ smb_panic(__location__);
+ return NT_STATUS_INTERNAL_ERROR;
+}
+
+static WERROR _winbind_LogonControl_REDISCOVER(struct pipes_struct *p,
+ struct winbindd_domain *domain,
+ struct winbind_LogonControl *r)
+{
+ NTSTATUS status;
+ struct rpc_pipe_client *netlogon_pipe = NULL;
+ struct netlogon_creds_cli_context *netlogon_creds_ctx = NULL;
+ struct netr_NETLOGON_INFO_2 *info2 = NULL;
+ WERROR check_result = WERR_INTERNAL_ERROR;
+
+ info2 = talloc_zero(p->mem_ctx, struct netr_NETLOGON_INFO_2);
+ if (info2 == NULL) {
+ return WERR_NOT_ENOUGH_MEMORY;
+ }
+
+ if (domain->internal) {
+ check_result = WERR_OK;
+ goto check_return;
+ }
+
+ /*
+ * For now we just force a reconnect
+ *
+ * TODO: take care of the optional '\dcname'
+ */
+ invalidate_cm_connection(domain);
+ domain->conn.netlogon_force_reauth = true;
+ status = cm_connect_netlogon_secure(domain,
+ &netlogon_pipe,
+ &netlogon_creds_ctx);
+ reset_cm_connection_on_error(domain, NULL, status);
+ if (NT_STATUS_EQUAL(status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
+ status = NT_STATUS_NO_LOGON_SERVERS;
+ }
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(2, ("%s: domain[%s/%s] cm_connect_netlogon() returned %s\n",
+ __func__, domain->name, domain->alt_name,
+ nt_errstr(status)));
+ /*
+ * Here we return a top level error!
+ * This is different than TC_QUERY or TC_VERIFY.
+ */
+ return ntstatus_to_werror(status);
+ }
+ check_result = WERR_OK;
+
+check_return:
+ info2->pdc_connection_status = WERR_OK;
+ if (domain->dcname != NULL) {
+ info2->flags |= NETLOGON_HAS_IP;
+ info2->flags |= NETLOGON_HAS_TIMESERV;
+ info2->trusted_dc_name = talloc_asprintf(info2, "\\\\%s",
+ domain->dcname);
+ if (info2->trusted_dc_name == NULL) {
+ return WERR_NOT_ENOUGH_MEMORY;
+ }
+ } else {
+ info2->trusted_dc_name = talloc_strdup(info2, "");
+ if (info2->trusted_dc_name == NULL) {
+ return WERR_NOT_ENOUGH_MEMORY;
+ }
+ }
+ info2->tc_connection_status = check_result;
+
+ if (!W_ERROR_IS_OK(info2->pdc_connection_status)) {
+ DEBUG(2, ("%s: domain[%s/%s] dcname[%s] "
+ "pdc_connection[%s] tc_connection[%s]\n",
+ __func__, domain->name, domain->alt_name,
+ domain->dcname,
+ win_errstr(info2->pdc_connection_status),
+ win_errstr(info2->tc_connection_status)));
+ }
+
+ r->out.query->info2 = info2;
+
+ DEBUG(5, ("%s: succeeded.\n", __func__));
+ return WERR_OK;
+}
+
+static WERROR _winbind_LogonControl_TC_QUERY(struct pipes_struct *p,
+ struct winbindd_domain *domain,
+ struct winbind_LogonControl *r)
+{
+ NTSTATUS status;
+ struct rpc_pipe_client *netlogon_pipe = NULL;
+ struct netlogon_creds_cli_context *netlogon_creds_ctx = NULL;
+ struct netr_NETLOGON_INFO_2 *info2 = NULL;
+ WERROR check_result = WERR_INTERNAL_ERROR;
+
+ info2 = talloc_zero(p->mem_ctx, struct netr_NETLOGON_INFO_2);
+ if (info2 == NULL) {
+ return WERR_NOT_ENOUGH_MEMORY;
+ }
+
+ if (domain->internal) {
+ check_result = WERR_OK;
+ goto check_return;
+ }
+
+ status = cm_connect_netlogon_secure(domain,
+ &netlogon_pipe,
+ &netlogon_creds_ctx);
+ reset_cm_connection_on_error(domain, NULL, status);
+ if (NT_STATUS_EQUAL(status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
+ status = NT_STATUS_NO_LOGON_SERVERS;
+ }
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(3, ("could not open handle to NETLOGON pipe: %s\n",
+ nt_errstr(status)));
+ check_result = ntstatus_to_werror(status);
+ goto check_return;
+ }
+ check_result = WERR_OK;
+
+check_return:
+ info2->pdc_connection_status = WERR_OK;
+ if (domain->dcname != NULL) {
+ info2->flags |= NETLOGON_HAS_IP;
+ info2->flags |= NETLOGON_HAS_TIMESERV;
+ info2->trusted_dc_name = talloc_asprintf(info2, "\\\\%s",
+ domain->dcname);
+ if (info2->trusted_dc_name == NULL) {
+ return WERR_NOT_ENOUGH_MEMORY;
+ }
+ } else {
+ info2->trusted_dc_name = talloc_strdup(info2, "");
+ if (info2->trusted_dc_name == NULL) {
+ return WERR_NOT_ENOUGH_MEMORY;
+ }
+ }
+ info2->tc_connection_status = check_result;
+
+ if (!W_ERROR_IS_OK(info2->pdc_connection_status)) {
+ DEBUG(2, ("%s: domain[%s/%s] dcname[%s] "
+ "pdc_connection[%s] tc_connection[%s]\n",
+ __func__, domain->name, domain->alt_name,
+ domain->dcname,
+ win_errstr(info2->pdc_connection_status),
+ win_errstr(info2->tc_connection_status)));
+ }
+
+ r->out.query->info2 = info2;
+
+ DEBUG(5, ("%s: succeeded.\n", __func__));
+ return WERR_OK;
+}
+
+static WERROR _winbind_LogonControl_TC_VERIFY(struct pipes_struct *p,
+ struct winbindd_domain *domain,
+ struct winbind_LogonControl *r)
+{
+ TALLOC_CTX *frame = talloc_stackframe();
+ NTSTATUS status;
+ NTSTATUS result;
+ struct lsa_String trusted_domain_name = {};
+ struct lsa_StringLarge trusted_domain_name_l = {};
+ struct rpc_pipe_client *local_lsa_pipe = NULL;
+ struct policy_handle local_lsa_policy = {};
+ struct dcerpc_binding_handle *local_lsa = NULL;
+ struct rpc_pipe_client *netlogon_pipe = NULL;
+ struct netlogon_creds_cli_context *netlogon_creds_ctx = NULL;
+ struct cli_credentials *creds = NULL;
+ struct samr_Password *cur_nt_hash = NULL;
+ uint32_t trust_attributes = 0;
+ struct samr_Password new_owf_password = {};
+ bool cmp_new = false;
+ struct samr_Password old_owf_password = {};
+ bool cmp_old = false;
+ const struct lsa_TrustDomainInfoInfoEx *local_tdo = NULL;
+ bool fetch_fti = false;
+ struct lsa_ForestTrustInformation *new_fti = NULL;
+ struct netr_TrustInfo *trust_info = NULL;
+ struct netr_NETLOGON_INFO_2 *info2 = NULL;
+ struct dcerpc_binding_handle *b = NULL;
+ WERROR check_result = WERR_INTERNAL_ERROR;
+ WERROR verify_result = WERR_INTERNAL_ERROR;
+ bool retry = false;
+
+ trusted_domain_name.string = domain->name;
+ trusted_domain_name_l.string = domain->name;
+
+ info2 = talloc_zero(p->mem_ctx, struct netr_NETLOGON_INFO_2);
+ if (info2 == NULL) {
+ TALLOC_FREE(frame);
+ return WERR_NOT_ENOUGH_MEMORY;
+ }
+
+ if (domain->internal) {
+ check_result = WERR_OK;
+ goto check_return;
+ }
+
+ status = pdb_get_trust_credentials(domain->name,
+ domain->alt_name,
+ frame,
+ &creds);
+ if (NT_STATUS_IS_OK(status)) {
+ cur_nt_hash = cli_credentials_get_nt_hash(creds, frame);
+ TALLOC_FREE(creds);
+ }
+
+ if (!domain->primary) {
+ union lsa_TrustedDomainInfo *tdi = NULL;
+
+ status = open_internal_lsa_conn(frame, &local_lsa_pipe,
+ &local_lsa_policy);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0,("%s:%s: open_internal_lsa_conn() failed - %s\n",
+ __location__, __func__, nt_errstr(status)));
+ TALLOC_FREE(frame);
+ return WERR_INTERNAL_ERROR;
+ }
+ local_lsa = local_lsa_pipe->binding_handle;
+
+ status = dcerpc_lsa_QueryTrustedDomainInfoByName(local_lsa, frame,
+ &local_lsa_policy,
+ &trusted_domain_name,
+ LSA_TRUSTED_DOMAIN_INFO_INFO_EX,
+ &tdi, &result);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0,("%s:%s: local_lsa.QueryTrustedDomainInfoByName(%s) failed - %s\n",
+ __location__, __func__, domain->name, nt_errstr(status)));
+ TALLOC_FREE(frame);
+ return WERR_INTERNAL_ERROR;
+ }
+ if (NT_STATUS_EQUAL(result, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
+ DEBUG(1,("%s:%s: domain[%s] not found via LSA, might be removed already.\n",
+ __location__, __func__, domain->name));
+ TALLOC_FREE(frame);
+ return WERR_NO_SUCH_DOMAIN;
+ }
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(0,("%s:%s: local_lsa.QueryTrustedDomainInfoByName(%s) returned %s\n",
+ __location__, __func__, domain->name, nt_errstr(result)));
+ TALLOC_FREE(frame);
+ return WERR_INTERNAL_ERROR;
+ }
+ if (tdi == NULL) {
+ DEBUG(0,("%s:%s: local_lsa.QueryTrustedDomainInfoByName() "
+ "returned no trusted domain information\n",
+ __location__, __func__));
+ TALLOC_FREE(frame);
+ return WERR_INTERNAL_ERROR;
+ }
+
+ local_tdo = &tdi->info_ex;
+ trust_attributes = local_tdo->trust_attributes;
+ }
+
+ if (trust_attributes & LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) {
+ struct lsa_ForestTrustInformation *old_fti = NULL;
+
+ status = dcerpc_lsa_lsaRQueryForestTrustInformation(local_lsa, frame,
+ &local_lsa_policy,
+ &trusted_domain_name,
+ LSA_FOREST_TRUST_DOMAIN_INFO,
+ &old_fti, &result);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0,("%s:%s: local_lsa.lsaRQueryForestTrustInformation(%s) failed %s\n",
+ __location__, __func__, domain->name, nt_errstr(status)));
+ TALLOC_FREE(frame);
+ return WERR_INTERNAL_ERROR;
+ }
+ if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_FOUND)) {
+ DEBUG(2,("%s: no forest trust information available for domain[%s] yet.\n",
+ __func__, domain->name));
+ old_fti = NULL;
+ fetch_fti = true;
+ result = NT_STATUS_OK;
+ }
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(0,("%s:%s: local_lsa.lsaRQueryForestTrustInformation(%s) returned %s\n",
+ __location__, __func__, domain->name, nt_errstr(result)));
+ TALLOC_FREE(frame);
+ return WERR_INTERNAL_ERROR;
+ }
+
+ TALLOC_FREE(old_fti);
+ }
+
+reconnect:
+ status = cm_connect_netlogon_secure(domain,
+ &netlogon_pipe,
+ &netlogon_creds_ctx);
+ reset_cm_connection_on_error(domain, NULL, status);
+ if (NT_STATUS_EQUAL(status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
+ status = NT_STATUS_NO_LOGON_SERVERS;
+ }
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(3, ("could not open handle to NETLOGON pipe: %s\n",
+ nt_errstr(status)));
+ check_result = ntstatus_to_werror(status);
+ goto check_return;
+ }
+ check_result = WERR_OK;
+ b = netlogon_pipe->binding_handle;
+
+ if (cur_nt_hash == NULL) {
+ verify_result = WERR_NO_TRUST_LSA_SECRET;
+ goto verify_return;
+ }
+
+ if (fetch_fti) {
+ status = netlogon_creds_cli_GetForestTrustInformation(netlogon_creds_ctx,
+ b, frame,
+ &new_fti);
+ if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
+ status = NT_STATUS_NOT_SUPPORTED;
+ }
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
+ new_fti = NULL;
+ status = NT_STATUS_OK;
+ }
+ if (!NT_STATUS_IS_OK(status)) {
+ if (!retry &&
+ reset_cm_connection_on_error(domain, b, status))
+ {
+ retry = true;
+ goto reconnect;
+ }
+ DEBUG(2, ("netlogon_creds_cli_GetForestTrustInformation(%s)"
+ "failed: %s\n",
+ domain->name, nt_errstr(status)));
+ check_result = ntstatus_to_werror(status);
+ goto check_return;
+ }
+ }
+
+ if (new_fti != NULL) {
+ struct lsa_ForestTrustInformation old_fti = {};
+ struct lsa_ForestTrustInformation *merged_fti = NULL;
+ struct lsa_ForestTrustCollisionInfo *collision_info = NULL;
+
+ status = dsdb_trust_merge_forest_info(frame, local_tdo,
+ &old_fti, new_fti,
+ &merged_fti);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0,("%s:%s: dsdb_trust_merge_forest_info(%s) failed %s\n",
+ __location__, __func__,
+ domain->name, nt_errstr(status)));
+ TALLOC_FREE(frame);
+ return ntstatus_to_werror(status);
+ }
+
+ status = dcerpc_lsa_lsaRSetForestTrustInformation(local_lsa, frame,
+ &local_lsa_policy,
+ &trusted_domain_name_l,
+ LSA_FOREST_TRUST_DOMAIN_INFO,
+ merged_fti,
+ 0, /* check_only=0 => store it! */
+ &collision_info,
+ &result);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0,("%s:%s: local_lsa.lsaRSetForestTrustInformation(%s) failed %s\n",
+ __location__, __func__, domain->name, nt_errstr(status)));
+ TALLOC_FREE(frame);
+ return WERR_INTERNAL_ERROR;
+ }
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(0,("%s:%s: local_lsa.lsaRSetForestTrustInformation(%s) returned %s\n",
+ __location__, __func__, domain->name, nt_errstr(result)));
+ TALLOC_FREE(frame);
+ return ntstatus_to_werror(result);
+ }
+ }
+
+ status = netlogon_creds_cli_ServerGetTrustInfo(netlogon_creds_ctx,
+ b, frame,
+ &new_owf_password,
+ &old_owf_password,
+ &trust_info);
+ if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
+ status = NT_STATUS_NOT_SUPPORTED;
+ }
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
+ DEBUG(5, ("netlogon_creds_cli_ServerGetTrustInfo failed: %s\n",
+ nt_errstr(status)));
+ verify_result = WERR_OK;
+ goto verify_return;
+ }
+ if (!NT_STATUS_IS_OK(status)) {
+ if (!retry && reset_cm_connection_on_error(domain, b, status)) {
+ retry = true;
+ goto reconnect;
+ }
+ DEBUG(2, ("netlogon_creds_cli_ServerGetTrustInfo failed: %s\n",
+ nt_errstr(status)));
+
+ if (!dcerpc_binding_handle_is_connected(b)) {
+ check_result = ntstatus_to_werror(status);
+ goto check_return;
+ } else {
+ verify_result = ntstatus_to_werror(status);
+ goto verify_return;
+ }
+ }
+
+ if (trust_info != NULL && trust_info->count >= 1) {
+ uint32_t diff = trust_info->data[0] ^ trust_attributes;
+
+ if (diff & LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) {
+ verify_result = WERR_DOMAIN_TRUST_INCONSISTENT;
+ goto verify_return;
+ }
+ }
+
+ cmp_new = mem_equal_const_time(new_owf_password.hash,
+ cur_nt_hash->hash,
+ sizeof(cur_nt_hash->hash));
+ cmp_old = mem_equal_const_time(old_owf_password.hash,
+ cur_nt_hash->hash,
+ sizeof(cur_nt_hash->hash));
+ if (!cmp_new && !cmp_old) {
+ DEBUG(1,("%s:Error: credentials for domain[%s/%s] doesn't match "
+ "any password known to dcname[%s]\n",
+ __func__, domain->name, domain->alt_name,
+ domain->dcname));
+ verify_result = WERR_WRONG_PASSWORD;
+ goto verify_return;
+ }
+
+ if (!cmp_new) {
+ DEBUG(2,("%s:Warning: credentials for domain[%s/%s] only match "
+ "against the old password known to dcname[%s]\n",
+ __func__, domain->name, domain->alt_name,
+ domain->dcname));
+ }
+
+ verify_result = WERR_OK;
+ goto verify_return;
+
+check_return:
+ verify_result = check_result;
+verify_return:
+ info2->flags |= NETLOGON_VERIFY_STATUS_RETURNED;
+ info2->pdc_connection_status = verify_result;
+ if (domain->dcname != NULL) {
+ info2->flags |= NETLOGON_HAS_IP;
+ info2->flags |= NETLOGON_HAS_TIMESERV;
+ info2->trusted_dc_name = talloc_asprintf(info2, "\\\\%s",
+ domain->dcname);
+ if (info2->trusted_dc_name == NULL) {
+ TALLOC_FREE(frame);
+ return WERR_NOT_ENOUGH_MEMORY;
+ }
+ } else {
+ info2->trusted_dc_name = talloc_strdup(info2, "");
+ if (info2->trusted_dc_name == NULL) {
+ TALLOC_FREE(frame);
+ return WERR_NOT_ENOUGH_MEMORY;
+ }
+ }
+ info2->tc_connection_status = check_result;
+
+ if (!W_ERROR_IS_OK(info2->pdc_connection_status)) {
+ DEBUG(2, ("%s: domain[%s/%s] dcname[%s] "
+ "pdc_connection[%s] tc_connection[%s]\n",
+ __func__, domain->name, domain->alt_name,
+ domain->dcname,
+ win_errstr(info2->pdc_connection_status),
+ win_errstr(info2->tc_connection_status)));
+ }
+
+ r->out.query->info2 = info2;
+
+ DEBUG(5, ("%s: succeeded.\n", __func__));
+ TALLOC_FREE(frame);
+ return WERR_OK;
+}
+
+static WERROR _winbind_LogonControl_CHANGE_PASSWORD(struct pipes_struct *p,
+ struct winbindd_domain *domain,
+ struct winbind_LogonControl *r)
+{
+ struct messaging_context *msg_ctx = global_messaging_context();
+ NTSTATUS status;
+ struct rpc_pipe_client *netlogon_pipe = NULL;
+ struct netlogon_creds_cli_context *netlogon_creds_ctx = NULL;
+ struct cli_credentials *creds = NULL;
+ struct samr_Password *cur_nt_hash = NULL;
+ struct netr_NETLOGON_INFO_1 *info1 = NULL;
+ struct dcerpc_binding_handle *b;
+ WERROR change_result = WERR_OK;
+ bool retry = false;
+
+ info1 = talloc_zero(p->mem_ctx, struct netr_NETLOGON_INFO_1);
+ if (info1 == NULL) {
+ return WERR_NOT_ENOUGH_MEMORY;
+ }
+
+ if (domain->internal) {
+ return WERR_NOT_SUPPORTED;
+ }
+
+ status = pdb_get_trust_credentials(domain->name,
+ domain->alt_name,
+ p->mem_ctx,
+ &creds);
+ if (NT_STATUS_IS_OK(status)) {
+ cur_nt_hash = cli_credentials_get_nt_hash(creds, p->mem_ctx);
+ TALLOC_FREE(creds);
+ }
+
+reconnect:
+ status = cm_connect_netlogon_secure(domain,
+ &netlogon_pipe,
+ &netlogon_creds_ctx);
+ reset_cm_connection_on_error(domain, NULL, status);
+ if (NT_STATUS_EQUAL(status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
+ status = NT_STATUS_NO_LOGON_SERVERS;
+ }
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(2, ("%s: domain[%s/%s] cm_connect_netlogon() returned %s\n",
+ __func__, domain->name, domain->alt_name,
+ nt_errstr(status)));
+ /*
+ * Here we return a top level error!
+ * This is different than TC_QUERY or TC_VERIFY.
+ */
+ return ntstatus_to_werror(status);
+ }
+ b = netlogon_pipe->binding_handle;
+
+ if (cur_nt_hash == NULL) {
+ change_result = WERR_NO_TRUST_LSA_SECRET;
+ goto change_return;
+ }
+ TALLOC_FREE(cur_nt_hash);
+
+ status = trust_pw_change(netlogon_creds_ctx,
+ msg_ctx, b, domain->name,
+ domain->dcname,
+ true); /* force */
+ if (!NT_STATUS_IS_OK(status)) {
+ if (!retry && reset_cm_connection_on_error(domain, b, status)) {
+ retry = true;
+ goto reconnect;
+ }
+
+ DEBUG(1, ("trust_pw_change(%s): %s\n",
+ domain->name, nt_errstr(status)));
+
+ change_result = ntstatus_to_werror(status);
+ goto change_return;
+ }
+
+ change_result = WERR_OK;
+
+change_return:
+ info1->pdc_connection_status = change_result;
+
+ if (!W_ERROR_IS_OK(info1->pdc_connection_status)) {
+ DEBUG(2, ("%s: domain[%s/%s] dcname[%s] "
+ "pdc_connection[%s]\n",
+ __func__, domain->name, domain->alt_name,
+ domain->dcname,
+ win_errstr(info1->pdc_connection_status)));
+ }
+
+ r->out.query->info1 = info1;
+
+ DEBUG(5, ("%s: succeeded.\n", __func__));
+ return WERR_OK;
+}
+
+WERROR _winbind_LogonControl(struct pipes_struct *p,
+ struct winbind_LogonControl *r)
+{
+ struct winbindd_domain *domain;
+
+ domain = wb_child_domain();
+ if (domain == NULL) {
+ return WERR_NO_SUCH_DOMAIN;
+ }
+
+ switch (r->in.function_code) {
+ case NETLOGON_CONTROL_REDISCOVER:
+ if (r->in.level != 2) {
+ return WERR_INVALID_PARAMETER;
+ }
+ return _winbind_LogonControl_REDISCOVER(p, domain, r);
+ case NETLOGON_CONTROL_TC_QUERY:
+ if (r->in.level != 2) {
+ return WERR_INVALID_PARAMETER;
+ }
+ return _winbind_LogonControl_TC_QUERY(p, domain, r);
+ case NETLOGON_CONTROL_TC_VERIFY:
+ if (r->in.level != 2) {
+ return WERR_INVALID_PARAMETER;
+ }
+ return _winbind_LogonControl_TC_VERIFY(p, domain, r);
+ case NETLOGON_CONTROL_CHANGE_PASSWORD:
+ if (r->in.level != 1) {
+ return WERR_INVALID_PARAMETER;
+ }
+ return _winbind_LogonControl_CHANGE_PASSWORD(p, domain, r);
+ default:
+ break;
+ }
+
+ DEBUG(4, ("%s: function_code[0x%x] not supported\n",
+ __func__, r->in.function_code));
+ return WERR_NOT_SUPPORTED;
+}
+
+WERROR _winbind_GetForestTrustInformation(struct pipes_struct *p,
+ struct winbind_GetForestTrustInformation *r)
+{
+ TALLOC_CTX *frame = talloc_stackframe();
+ NTSTATUS status, result;
+ struct winbindd_domain *domain;
+ struct rpc_pipe_client *netlogon_pipe = NULL;
+ struct netlogon_creds_cli_context *netlogon_creds_ctx = NULL;
+ struct dcerpc_binding_handle *b;
+ bool retry = false;
+ struct lsa_String trusted_domain_name = {};
+ struct lsa_StringLarge trusted_domain_name_l = {};
+ union lsa_TrustedDomainInfo *tdi = NULL;
+ const struct lsa_TrustDomainInfoInfoEx *tdo = NULL;
+ struct lsa_ForestTrustInformation _old_fti = {};
+ struct lsa_ForestTrustInformation *old_fti = NULL;
+ struct lsa_ForestTrustInformation *new_fti = NULL;
+ struct lsa_ForestTrustInformation *merged_fti = NULL;
+ struct lsa_ForestTrustCollisionInfo *collision_info = NULL;
+ bool update_fti = false;
+ struct rpc_pipe_client *local_lsa_pipe;
+ struct policy_handle local_lsa_policy;
+ struct dcerpc_binding_handle *local_lsa = NULL;
+
+ domain = wb_child_domain();
+ if (domain == NULL) {
+ TALLOC_FREE(frame);
+ return WERR_NO_SUCH_DOMAIN;
+ }
+
+ /*
+ * checking for domain->internal and domain->primary
+ * makes sure we only do some work when running as DC.
+ */
+
+ if (domain->internal) {
+ TALLOC_FREE(frame);
+ return WERR_NO_SUCH_DOMAIN;
+ }
+
+ if (domain->primary) {
+ TALLOC_FREE(frame);
+ return WERR_NO_SUCH_DOMAIN;
+ }
+
+ trusted_domain_name.string = domain->name;
+ trusted_domain_name_l.string = domain->name;
+
+ status = open_internal_lsa_conn(frame, &local_lsa_pipe,
+ &local_lsa_policy);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0,("%s:%s: open_internal_lsa_conn() failed - %s\n",
+ __location__, __func__, nt_errstr(status)));
+ TALLOC_FREE(frame);
+ return WERR_INTERNAL_ERROR;
+ }
+ local_lsa = local_lsa_pipe->binding_handle;
+
+ status = dcerpc_lsa_QueryTrustedDomainInfoByName(local_lsa, frame,
+ &local_lsa_policy,
+ &trusted_domain_name,
+ LSA_TRUSTED_DOMAIN_INFO_INFO_EX,
+ &tdi, &result);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0,("%s:%s: local_lsa.QueryTrustedDomainInfoByName(%s) failed - %s\n",
+ __location__, __func__, domain->name, nt_errstr(status)));
+ TALLOC_FREE(frame);
+ return WERR_INTERNAL_ERROR;
+ }
+ if (NT_STATUS_EQUAL(result, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
+ DEBUG(1,("%s:%s: domain[%s] not found via LSA, might be removed already.\n",
+ __location__, __func__, domain->name));
+ TALLOC_FREE(frame);
+ return WERR_NO_SUCH_DOMAIN;
+ }
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(0,("%s:%s: local_lsa.QueryTrustedDomainInfoByName(%s) returned %s\n",
+ __location__, __func__, domain->name, nt_errstr(result)));
+ TALLOC_FREE(frame);
+ return WERR_INTERNAL_ERROR;
+ }
+ if (tdi == NULL) {
+ DEBUG(0,("%s:%s: local_lsa.QueryTrustedDomainInfoByName() "
+ "returned no trusted domain information\n",
+ __location__, __func__));
+ TALLOC_FREE(frame);
+ return WERR_INTERNAL_ERROR;
+ }
+
+ tdo = &tdi->info_ex;
+
+ if (!(tdo->trust_attributes & LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE)) {
+ DEBUG(2,("%s: tdo[%s/%s] is no forest trust attributes[0x%08X]\n",
+ __func__, tdo->netbios_name.string,
+ tdo->domain_name.string,
+ (unsigned)tdo->trust_attributes));
+ TALLOC_FREE(frame);
+ return WERR_NO_SUCH_DOMAIN;
+ }
+
+ if (r->in.flags & ~DS_GFTI_UPDATE_TDO) {
+ TALLOC_FREE(frame);
+ return WERR_INVALID_FLAGS;
+ }
+
+reconnect:
+ status = cm_connect_netlogon_secure(domain,
+ &netlogon_pipe,
+ &netlogon_creds_ctx);
+ reset_cm_connection_on_error(domain, NULL, status);
+ if (NT_STATUS_EQUAL(status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
+ status = NT_STATUS_NO_LOGON_SERVERS;
+ }
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(3, ("could not open handle to NETLOGON pipe: %s\n",
+ nt_errstr(status)));
+ TALLOC_FREE(frame);
+ return ntstatus_to_werror(status);
+ }
+ b = netlogon_pipe->binding_handle;
+
+ status = netlogon_creds_cli_GetForestTrustInformation(netlogon_creds_ctx,
+ b, p->mem_ctx,
+ &new_fti);
+ if (!NT_STATUS_IS_OK(status)) {
+ if (!retry && reset_cm_connection_on_error(domain, b, status)) {
+ retry = true;
+ goto reconnect;
+ }
+ DEBUG(2, ("netlogon_creds_cli_GetForestTrustInformation(%s) failed: %s\n",
+ domain->name, nt_errstr(status)));
+ TALLOC_FREE(frame);
+ return ntstatus_to_werror(status);
+ }
+
+ *r->out.forest_trust_info = new_fti;
+
+ if (r->in.flags & DS_GFTI_UPDATE_TDO) {
+ update_fti = true;
+ }
+
+ status = dcerpc_lsa_lsaRQueryForestTrustInformation(local_lsa, frame,
+ &local_lsa_policy,
+ &trusted_domain_name,
+ LSA_FOREST_TRUST_DOMAIN_INFO,
+ &old_fti, &result);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0,("%s:%s: local_lsa.lsaRQueryForestTrustInformation(%s) failed %s\n",
+ __location__, __func__, domain->name, nt_errstr(status)));
+ TALLOC_FREE(frame);
+ return WERR_INTERNAL_ERROR;
+ }
+ if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_FOUND)) {
+ DEBUG(2,("%s: no forest trust information available for domain[%s] yet.\n",
+ __func__, domain->name));
+ update_fti = true;
+ old_fti = &_old_fti;
+ result = NT_STATUS_OK;
+ }
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(0,("%s:%s: local_lsa.lsaRQueryForestTrustInformation(%s) returned %s\n",
+ __location__, __func__, domain->name, nt_errstr(result)));
+ TALLOC_FREE(frame);
+ return WERR_INTERNAL_ERROR;
+ }
+
+ if (old_fti == NULL) {
+ DEBUG(0,("%s:%s: local_lsa.lsaRQueryForestTrustInformation() "
+ "returned success without returning forest trust information\n",
+ __location__, __func__));
+ TALLOC_FREE(frame);
+ return WERR_INTERNAL_ERROR;
+ }
+
+ if (!update_fti) {
+ goto done;
+ }
+
+ status = dsdb_trust_merge_forest_info(frame, tdo, old_fti, new_fti,
+ &merged_fti);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0,("%s:%s: dsdb_trust_merge_forest_info(%s) failed %s\n",
+ __location__, __func__, domain->name, nt_errstr(status)));
+ TALLOC_FREE(frame);
+ return ntstatus_to_werror(status);
+ }
+
+ status = dcerpc_lsa_lsaRSetForestTrustInformation(local_lsa, frame,
+ &local_lsa_policy,
+ &trusted_domain_name_l,
+ LSA_FOREST_TRUST_DOMAIN_INFO,
+ merged_fti,
+ 0, /* check_only=0 => store it! */
+ &collision_info,
+ &result);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0,("%s:%s: local_lsa.lsaRSetForestTrustInformation(%s) failed %s\n",
+ __location__, __func__, domain->name, nt_errstr(status)));
+ TALLOC_FREE(frame);
+ return WERR_INTERNAL_ERROR;
+ }
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(0,("%s:%s: local_lsa.lsaRSetForestTrustInformation(%s) returned %s\n",
+ __location__, __func__, domain->name, nt_errstr(result)));
+ TALLOC_FREE(frame);
+ return ntstatus_to_werror(result);
+ }
+
+done:
+ DEBUG(5, ("_winbind_GetForestTrustInformation succeeded\n"));
+ TALLOC_FREE(frame);
+ return WERR_OK;
+}
+
+NTSTATUS _winbind_SendToSam(struct pipes_struct *p, struct winbind_SendToSam *r)
+{
+ struct winbindd_domain *domain;
+ NTSTATUS status;
+ struct rpc_pipe_client *netlogon_pipe;
+ struct netlogon_creds_cli_context *netlogon_creds_ctx = NULL;
+ struct dcerpc_binding_handle *b = NULL;
+ bool retry = false;
+
+ DEBUG(5, ("_winbind_SendToSam received\n"));
+ domain = wb_child_domain();
+ if (domain == NULL) {
+ return NT_STATUS_REQUEST_NOT_ACCEPTED;
+ }
+
+reconnect:
+ status = cm_connect_netlogon_secure(domain,
+ &netlogon_pipe,
+ &netlogon_creds_ctx);
+ reset_cm_connection_on_error(domain, NULL, status);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(3, ("could not open handle to NETLOGON pipe\n"));
+ return status;
+ }
+
+ b = netlogon_pipe->binding_handle;
+
+ status = netlogon_creds_cli_SendToSam(netlogon_creds_ctx,
+ b,
+ &r->in.message);
+ if (!retry && reset_cm_connection_on_error(domain, b, status)) {
+ retry = true;
+ goto reconnect;
+ }
+
+ return status;
+}
+
+NTSTATUS _wbint_ListTrustedDomains(struct pipes_struct *p,
+ struct wbint_ListTrustedDomains *r)
+{
+ struct winbindd_domain *domain = wb_child_domain();
+ uint32_t i, n;
+ NTSTATUS result;
+ struct netr_DomainTrustList trusts;
+ struct netr_DomainTrustList *out = NULL;
+ pid_t client_pid;
+
+ if (domain == NULL) {
+ return NT_STATUS_REQUEST_NOT_ACCEPTED;
+ }
+
+ /* Cut client_pid to 32bit */
+ client_pid = r->in.client_pid;
+ if ((uint64_t)client_pid != r->in.client_pid) {
+ DBG_DEBUG("pid out of range\n");
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ DBG_NOTICE("[%s %"PRIu32"]: list trusted domains\n",
+ r->in.client_name, client_pid);
+
+ result = wb_cache_trusted_domains(domain, p->mem_ctx, &trusts);
+ if (!NT_STATUS_IS_OK(result)) {
+ DBG_NOTICE("wb_cache_trusted_domains returned %s\n",
+ nt_errstr(result));
+ return result;
+ }
+
+ out = talloc_zero(p->mem_ctx, struct netr_DomainTrustList);
+ if (out == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ r->out.domains = out;
+
+ for (i=0; i<trusts.count; i++) {
+ if (trusts.array[i].sid == NULL) {
+ continue;
+ }
+ if (dom_sid_equal(trusts.array[i].sid, &global_sid_NULL)) {
+ continue;
+ }
+
+ n = out->count;
+ out->array = talloc_realloc(out, out->array,
+ struct netr_DomainTrust,
+ n + 1);
+ if (out->array == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ out->count = n + 1;
+
+ out->array[n].netbios_name = talloc_steal(
+ out->array, trusts.array[i].netbios_name);
+ if (out->array[n].netbios_name == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ out->array[n].dns_name = talloc_steal(
+ out->array, trusts.array[i].dns_name);
+ if (out->array[n].dns_name == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ out->array[n].sid = dom_sid_dup(out->array,
+ trusts.array[i].sid);
+ if (out->array[n].sid == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ out->array[n].trust_flags = trusts.array[i].trust_flags;
+ out->array[n].trust_type = trusts.array[i].trust_type;
+ out->array[n].trust_attributes = trusts.array[i].trust_attributes;
+ }
+
+ return NT_STATUS_OK;
+}
+
+#include "librpc/gen_ndr/ndr_winbind_scompat.c"
diff --git a/source3/winbindd/winbindd_endgrent.c b/source3/winbindd/winbindd_endgrent.c
new file mode 100644
index 0000000..6fdeb8f
--- /dev/null
+++ b/source3/winbindd/winbindd_endgrent.c
@@ -0,0 +1,54 @@
+/*
+ Unix SMB/CIFS implementation.
+ async implementation of WINBINDD_ENDGRENT
+ Copyright (C) Volker Lendecke 2009
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "winbindd.h"
+
+struct winbindd_endgrent_state {
+ uint8_t dummy;
+};
+
+struct tevent_req *winbindd_endgrent_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request)
+{
+ struct tevent_req *req;
+ struct winbindd_endgrent_state *state;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct winbindd_endgrent_state);
+ if (req == NULL) {
+ return NULL;
+ }
+ D_NOTICE("[%s (%u)] Winbind external command ENDGRENT start.\n",
+ cli->client_name,
+ (unsigned int)cli->pid);
+
+ TALLOC_FREE(cli->grent_state);
+ tevent_req_done(req);
+ return tevent_req_post(req, ev);
+}
+
+NTSTATUS winbindd_endgrent_recv(struct tevent_req *req,
+ struct winbindd_response *presp)
+{
+ D_NOTICE("Winbind external command ENDGRENT end.\n");
+ return NT_STATUS_OK;
+}
diff --git a/source3/winbindd/winbindd_endpwent.c b/source3/winbindd/winbindd_endpwent.c
new file mode 100644
index 0000000..a7c14cb
--- /dev/null
+++ b/source3/winbindd/winbindd_endpwent.c
@@ -0,0 +1,55 @@
+/*
+ Unix SMB/CIFS implementation.
+ async implementation of WINBINDD_ENDPWENT
+ Copyright (C) Volker Lendecke 2009
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "winbindd.h"
+
+struct winbindd_endpwent_state {
+ uint8_t dummy;
+};
+
+struct tevent_req *winbindd_endpwent_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request)
+{
+ struct tevent_req *req;
+ struct winbindd_endpwent_state *state;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct winbindd_endpwent_state);
+ if (req == NULL) {
+ return NULL;
+ }
+
+ D_NOTICE("[%s (%u)] Winbind external command ENDPWENT start.\n",
+ cli->client_name,
+ (unsigned int)cli->pid);
+
+ TALLOC_FREE(cli->pwent_state);
+ tevent_req_done(req);
+ return tevent_req_post(req, ev);
+}
+
+NTSTATUS winbindd_endpwent_recv(struct tevent_req *req,
+ struct winbindd_response *presp)
+{
+ D_NOTICE("Winbind external command ENDPWENT end.\n");
+ return NT_STATUS_OK;
+}
diff --git a/source3/winbindd/winbindd_getdcname.c b/source3/winbindd/winbindd_getdcname.c
new file mode 100644
index 0000000..690e840
--- /dev/null
+++ b/source3/winbindd/winbindd_getdcname.c
@@ -0,0 +1,95 @@
+/*
+ Unix SMB/CIFS implementation.
+ async implementation of WINBINDD_GETDCNAME
+ Copyright (C) Volker Lendecke 2009
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "winbindd.h"
+#include "librpc/gen_ndr/ndr_winbind_c.h"
+#include "lib/util/string_wrappers.h"
+
+struct winbindd_getdcname_state {
+ struct netr_DsRGetDCNameInfo *dcinfo;
+};
+
+static void winbindd_getdcname_done(struct tevent_req *subreq);
+
+struct tevent_req *winbindd_getdcname_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request)
+{
+ struct tevent_req *req, *subreq;
+ struct winbindd_getdcname_state *state;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct winbindd_getdcname_state);
+ if (req == NULL) {
+ return NULL;
+ }
+
+ request->domain_name[sizeof(request->domain_name)-1] = '\0';
+
+ D_NOTICE("[%s (%u)] Winbind external command GETDCNAME start.\n"
+ "Search DCNAME for domain %s.\n",
+ cli->client_name,
+ (unsigned int)cli->pid,
+ request->domain_name);
+
+ subreq = wb_dsgetdcname_send(state, ev, request->domain_name, NULL,
+ NULL, 0);
+ if (tevent_req_nomem(subreq, req)) {
+ return tevent_req_post(req, ev);
+ }
+ tevent_req_set_callback(subreq, winbindd_getdcname_done, req);
+ return req;
+}
+
+static void winbindd_getdcname_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct winbindd_getdcname_state *state = tevent_req_data(
+ req, struct winbindd_getdcname_state);
+ NTSTATUS status;
+
+ status = wb_dsgetdcname_recv(subreq, state, &state->dcinfo);
+ TALLOC_FREE(subreq);
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
+ tevent_req_done(req);
+}
+
+NTSTATUS winbindd_getdcname_recv(struct tevent_req *req,
+ struct winbindd_response *response)
+{
+ struct winbindd_getdcname_state *state = tevent_req_data(
+ req, struct winbindd_getdcname_state);
+ NTSTATUS status;
+
+ if (tevent_req_is_nterror(req, &status)) {
+ D_WARNING("getdcname failed: %s\n", nt_errstr(status));
+ return status;
+ }
+ fstrcpy(response->data.dc_name, strip_hostname(state->dcinfo->dc_unc));
+
+ D_NOTICE("Winbind external command GETDCNAME end.\n"
+ "Got DCNAME '%s'.\n",
+ response->data.dc_name);
+ return NT_STATUS_OK;
+}
diff --git a/source3/winbindd/winbindd_getgrent.c b/source3/winbindd/winbindd_getgrent.c
new file mode 100644
index 0000000..e8e2b66
--- /dev/null
+++ b/source3/winbindd/winbindd_getgrent.c
@@ -0,0 +1,213 @@
+/*
+ Unix SMB/CIFS implementation.
+ async implementation of WINBINDD_GETGRENT
+ Copyright (C) Volker Lendecke 2009
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "winbindd.h"
+
+struct winbindd_getgrent_state {
+ struct tevent_context *ev;
+ struct winbindd_cli_state *cli;
+ uint32_t max_groups;
+ uint32_t num_groups;
+ struct winbindd_gr *groups;
+ struct db_context **members;
+};
+
+static void winbindd_getgrent_done(struct tevent_req *subreq);
+
+struct tevent_req *winbindd_getgrent_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request)
+{
+ struct tevent_req *req, *subreq;
+ struct winbindd_getgrent_state *state;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct winbindd_getgrent_state);
+ if (req == NULL) {
+ return NULL;
+ }
+ state->ev = ev;
+ state->num_groups = 0;
+ state->cli = cli;
+
+ D_NOTICE("[%s (%u)] Winbind external command GETGRENT start.\n"
+ "The caller (%s) provided room for %"PRIu32" entries.\n",
+ cli->client_name,
+ (unsigned int)cli->pid,
+ cli->client_name,
+ request->data.num_entries);
+
+ if (cli->grent_state == NULL) {
+ D_NOTICE("The grent state from winbindd client state is NULL.\n");
+ tevent_req_nterror(req, NT_STATUS_NO_MORE_ENTRIES);
+ return tevent_req_post(req, ev);
+ }
+
+ state->max_groups = MIN(500, request->data.num_entries);
+ if (state->max_groups == 0) {
+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ return tevent_req_post(req, ev);
+ }
+
+ state->groups = talloc_zero_array(state, struct winbindd_gr,
+ state->max_groups);
+ if (tevent_req_nomem(state->groups, req)) {
+ return tevent_req_post(req, ev);
+ }
+
+ state->members = talloc_array(state, struct db_context *,
+ state->max_groups);
+ if (tevent_req_nomem(state->members, req)) {
+ TALLOC_FREE(state->groups);
+ return tevent_req_post(req, ev);
+ }
+
+ subreq = wb_next_grent_send(state, ev, lp_winbind_expand_groups(),
+ cli->grent_state,
+ &state->groups[state->num_groups]);
+ if (tevent_req_nomem(subreq, req)) {
+ return tevent_req_post(req, ev);
+ }
+ tevent_req_set_callback(subreq, winbindd_getgrent_done, req);
+ return req;
+}
+
+static void winbindd_getgrent_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct winbindd_getgrent_state *state = tevent_req_data(
+ req, struct winbindd_getgrent_state);
+ NTSTATUS status;
+
+ status = wb_next_grent_recv(subreq, state,
+ &state->members[state->num_groups]);
+ TALLOC_FREE(subreq);
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NO_MORE_ENTRIES)) {
+ D_WARNING("winbindd_getgrent_done: done with %"PRIu32" groups\n",
+ state->num_groups);
+ TALLOC_FREE(state->cli->grent_state);
+ tevent_req_done(req);
+ return;
+ }
+ if (!NT_STATUS_IS_OK(status)) {
+ tevent_req_nterror(req, status);
+ return;
+ }
+ state->num_groups += 1;
+ if (state->num_groups >= state->max_groups) {
+ D_DEBUG("winbindd_getgrent_done: Got enough groups: %"PRIu32"\n",
+ state->num_groups);
+ tevent_req_done(req);
+ return;
+ }
+ if (state->cli->grent_state == NULL) {
+ D_DEBUG("winbindd_getgrent_done: endgrent called in between\n");
+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ return;
+ }
+ subreq = wb_next_grent_send(state, state->ev,
+ lp_winbind_expand_groups(),
+ state->cli->grent_state,
+ &state->groups[state->num_groups]);
+ if (tevent_req_nomem(subreq, req)) {
+ return;
+ }
+ tevent_req_set_callback(subreq, winbindd_getgrent_done, req);
+}
+
+NTSTATUS winbindd_getgrent_recv(struct tevent_req *req,
+ struct winbindd_response *response)
+{
+ struct winbindd_getgrent_state *state = tevent_req_data(
+ req, struct winbindd_getgrent_state);
+ NTSTATUS status;
+ char **memberstrings;
+ char *result;
+ size_t base_memberofs, total_memberlen;
+ uint32_t i;
+
+ if (tevent_req_is_nterror(req, &status)) {
+ TALLOC_FREE(state->cli->grent_state);
+ D_WARNING("getgrent failed: %s\n", nt_errstr(status));
+ return status;
+ }
+
+ if (state->num_groups == 0) {
+ return NT_STATUS_NO_MORE_ENTRIES;
+ }
+
+ memberstrings = talloc_array(talloc_tos(), char *, state->num_groups);
+ if (memberstrings == NULL) {
+ TALLOC_FREE(state->cli->grent_state);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ total_memberlen = 0;
+
+ for (i=0; i<state->num_groups; i++) {
+ int num_members;
+
+ status = winbindd_print_groupmembers(
+ state->members[i], memberstrings, &num_members,
+ &memberstrings[i]);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(memberstrings);
+ TALLOC_FREE(state->cli->grent_state);
+ return status;
+ }
+ TALLOC_FREE(state->members[i]);
+
+ state->groups[i].num_gr_mem = num_members;
+ state->groups[i].gr_mem_ofs = total_memberlen;
+
+ total_memberlen += talloc_get_size(memberstrings[i]);
+ }
+
+ base_memberofs = state->num_groups * sizeof(struct winbindd_gr);
+
+ result = talloc_realloc(state, state->groups, char,
+ base_memberofs + total_memberlen);
+ if (result == NULL) {
+ TALLOC_FREE(state->cli->grent_state);
+ return NT_STATUS_NO_MEMORY;
+ }
+ state->groups = (struct winbindd_gr *)result;
+
+ for (i=0; i<state->num_groups; i++) {
+ memcpy(result + base_memberofs + state->groups[i].gr_mem_ofs,
+ memberstrings[i], talloc_get_size(memberstrings[i]));
+ TALLOC_FREE(memberstrings[i]);
+ }
+
+ TALLOC_FREE(memberstrings);
+
+ response->data.num_entries = state->num_groups;
+ response->length += talloc_get_size(result);
+ response->extra_data.data = talloc_move(response, &result);
+
+ D_NOTICE("Winbind external command GETGRENT end.\n"
+ "Received %"PRIu32" entries.\n",
+ response->data.num_entries);
+
+ return NT_STATUS_OK;
+}
diff --git a/source3/winbindd/winbindd_getgrgid.c b/source3/winbindd/winbindd_getgrgid.c
new file mode 100644
index 0000000..4edd81b
--- /dev/null
+++ b/source3/winbindd/winbindd_getgrgid.c
@@ -0,0 +1,156 @@
+/*
+ Unix SMB/CIFS implementation.
+ async implementation of WINBINDD_GETGRGID
+ Copyright (C) Volker Lendecke 2009
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "winbindd.h"
+#include "libcli/security/dom_sid.h"
+
+struct winbindd_getgrgid_state {
+ struct tevent_context *ev;
+ struct unixid xid;
+ struct dom_sid *sid;
+ const char *domname;
+ const char *name;
+ gid_t gid;
+ struct db_context *members;
+};
+
+static void winbindd_getgrgid_gid2sid_done(struct tevent_req *subreq);
+static void winbindd_getgrgid_done(struct tevent_req *subreq);
+
+struct tevent_req *winbindd_getgrgid_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request)
+{
+ struct tevent_req *req, *subreq;
+ struct winbindd_getgrgid_state *state;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct winbindd_getgrgid_state);
+ if (req == NULL) {
+ return NULL;
+ }
+ state->ev = ev;
+
+ D_NOTICE("[%s (%u)] Winbind external command GETGRGID start.\n"
+ "gid=%u\n",
+ cli->client_name,
+ (unsigned int)cli->pid,
+ (int)request->data.gid);
+
+ state->xid = (struct unixid) {
+ .id = request->data.uid, .type = ID_TYPE_GID };
+
+ subreq = wb_xids2sids_send(state, ev, &state->xid, 1);
+ if (tevent_req_nomem(subreq, req)) {
+ return tevent_req_post(req, ev);
+ }
+ tevent_req_set_callback(subreq, winbindd_getgrgid_gid2sid_done,
+ req);
+ return req;
+}
+
+static void winbindd_getgrgid_gid2sid_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct winbindd_getgrgid_state *state = tevent_req_data(
+ req, struct winbindd_getgrgid_state);
+ NTSTATUS status;
+
+ status = wb_xids2sids_recv(subreq, state, &state->sid);
+ TALLOC_FREE(subreq);
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
+ if (is_null_sid(state->sid)) {
+ tevent_req_nterror(req, NT_STATUS_NO_SUCH_GROUP);
+ return;
+ }
+
+ subreq = wb_getgrsid_send(state, state->ev, state->sid,
+ lp_winbind_expand_groups());
+ if (tevent_req_nomem(subreq, req)) {
+ return;
+ }
+ tevent_req_set_callback(subreq, winbindd_getgrgid_done, req);
+}
+
+static void winbindd_getgrgid_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct winbindd_getgrgid_state *state = tevent_req_data(
+ req, struct winbindd_getgrgid_state);
+ NTSTATUS status;
+
+ status = wb_getgrsid_recv(subreq, state, &state->domname, &state->name,
+ &state->gid, &state->members);
+ TALLOC_FREE(subreq);
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
+ tevent_req_done(req);
+}
+
+NTSTATUS winbindd_getgrgid_recv(struct tevent_req *req,
+ struct winbindd_response *response)
+{
+ struct winbindd_getgrgid_state *state = tevent_req_data(
+ req, struct winbindd_getgrgid_state);
+ NTSTATUS status;
+ int num_members;
+ char *buf;
+
+ if (tevent_req_is_nterror(req, &status)) {
+ struct dom_sid_buf sidbuf;
+ D_WARNING("Could not convert sid %s: %s\n",
+ dom_sid_str_buf(state->sid, &sidbuf),
+ nt_errstr(status));
+ return status;
+ }
+
+ if (!fill_grent(talloc_tos(), &response->data.gr, state->domname,
+ state->name, state->gid)) {
+ D_WARNING("fill_grent failed\n");
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ status = winbindd_print_groupmembers(state->members, response,
+ &num_members, &buf);
+ if (!NT_STATUS_IS_OK(status)) {
+ D_WARNING("Failed with %s.\n", nt_errstr(status));
+ return status;
+ }
+
+ response->data.gr.num_gr_mem = (uint32_t)num_members;
+
+ /* Group membership lives at start of extra data */
+
+ response->data.gr.gr_mem_ofs = 0;
+ response->extra_data.data = buf;
+ response->length += talloc_get_size(response->extra_data.data);
+
+ D_NOTICE("Winbind external command GETGRGID end.\n"
+ "Returning %"PRIu32" group member(s).\n",
+ response->data.gr.num_gr_mem);
+
+ return NT_STATUS_OK;
+}
diff --git a/source3/winbindd/winbindd_getgrnam.c b/source3/winbindd/winbindd_getgrnam.c
new file mode 100644
index 0000000..20ac70c
--- /dev/null
+++ b/source3/winbindd/winbindd_getgrnam.c
@@ -0,0 +1,206 @@
+/*
+ Unix SMB/CIFS implementation.
+ async implementation of WINBINDD_GETGRNAM
+ Copyright (C) Volker Lendecke 2009
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "winbindd.h"
+#include "libcli/security/dom_sid.h"
+#include "lib/util/string_wrappers.h"
+
+struct winbindd_getgrnam_state {
+ struct tevent_context *ev;
+ fstring name_namespace, name_domain, name_group;
+ struct dom_sid sid;
+ const char *domname;
+ const char *name;
+ gid_t gid;
+ struct db_context *members;
+};
+
+static void winbindd_getgrnam_lookupname_done(struct tevent_req *subreq);
+static void winbindd_getgrnam_done(struct tevent_req *subreq);
+
+struct tevent_req *winbindd_getgrnam_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request)
+{
+ struct tevent_req *req, *subreq;
+ struct winbindd_getgrnam_state *state;
+ char *tmp;
+ NTSTATUS nt_status;
+ bool ok;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct winbindd_getgrnam_state);
+ if (req == NULL) {
+ return NULL;
+ }
+ state->ev = ev;
+
+ /* Ensure null termination */
+ request->data.groupname[sizeof(request->data.groupname)-1]='\0';
+
+ D_NOTICE("[%s (%u)] Winbind external command GETGRNAM start.\n"
+ "Searching group name '%s'.\n",
+ cli->client_name,
+ (unsigned int)cli->pid,
+ request->data.groupname);
+
+ nt_status = normalize_name_unmap(state, request->data.groupname, &tmp);
+ /* If we didn't map anything in the above call, just reset the
+ tmp pointer to the original string */
+ if (!NT_STATUS_IS_OK(nt_status) &&
+ !NT_STATUS_EQUAL(nt_status, NT_STATUS_FILE_RENAMED))
+ {
+ tmp = request->data.groupname;
+ }
+
+ /* Parse domain and groupname */
+
+ ok = parse_domain_user(tmp,
+ state->name_namespace,
+ state->name_domain,
+ state->name_group);
+ if (!ok) {
+ DBG_INFO("Could not parse domain user: %s\n", tmp);
+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ return tevent_req_post(req, ev);
+ }
+
+ /* if no domain or our local domain and no local tdb group, default to
+ * our local domain for aliases */
+
+ if ( !*(state->name_domain) || strequal(state->name_domain,
+ get_global_sam_name()) ) {
+ fstrcpy(state->name_domain, get_global_sam_name());
+ }
+
+ subreq = wb_lookupname_send(state, ev,
+ state->name_namespace,
+ state->name_domain,
+ state->name_group,
+ 0);
+ if (tevent_req_nomem(subreq, req)) {
+ return tevent_req_post(req, ev);
+ }
+ tevent_req_set_callback(subreq, winbindd_getgrnam_lookupname_done,
+ req);
+ return req;
+}
+
+static void winbindd_getgrnam_lookupname_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct winbindd_getgrnam_state *state = tevent_req_data(
+ req, struct winbindd_getgrnam_state);
+ enum lsa_SidType type;
+ NTSTATUS status;
+
+ status = wb_lookupname_recv(subreq, &state->sid, &type);
+ TALLOC_FREE(subreq);
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
+
+ switch (type) {
+ case SID_NAME_DOM_GRP:
+ case SID_NAME_ALIAS:
+ case SID_NAME_WKN_GRP:
+ /*
+ * Also give user types a chance:
+ * These might be user sids mapped to the ID_TYPE_BOTH,
+ * and in that case we should construct a group struct.
+ */
+ case SID_NAME_USER:
+ case SID_NAME_COMPUTER:
+ break;
+ default:
+ tevent_req_nterror(req, NT_STATUS_NO_SUCH_GROUP);
+ return;
+ }
+
+ subreq = wb_getgrsid_send(state, state->ev, &state->sid,
+ lp_winbind_expand_groups());
+ if (tevent_req_nomem(subreq, req)) {
+ return;
+ }
+ tevent_req_set_callback(subreq, winbindd_getgrnam_done, req);
+}
+
+static void winbindd_getgrnam_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct winbindd_getgrnam_state *state = tevent_req_data(
+ req, struct winbindd_getgrnam_state);
+ NTSTATUS status;
+
+ status = wb_getgrsid_recv(subreq, state, &state->domname, &state->name,
+ &state->gid, &state->members);
+ TALLOC_FREE(subreq);
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
+ tevent_req_done(req);
+}
+
+NTSTATUS winbindd_getgrnam_recv(struct tevent_req *req,
+ struct winbindd_response *response)
+{
+ struct winbindd_getgrnam_state *state = tevent_req_data(
+ req, struct winbindd_getgrnam_state);
+ NTSTATUS status;
+ int num_members;
+ char *buf;
+
+ if (tevent_req_is_nterror(req, &status)) {
+ struct dom_sid_buf sidbuf;
+ D_WARNING("Could not convert sid %s: %s\n",
+ dom_sid_str_buf(&state->sid, &sidbuf),
+ nt_errstr(status));
+ return status;
+ }
+
+ if (!fill_grent(talloc_tos(), &response->data.gr, state->domname,
+ state->name, state->gid)) {
+ D_WARNING("fill_grent failed\n");
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ status = winbindd_print_groupmembers(state->members, response,
+ &num_members, &buf);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ response->data.gr.num_gr_mem = (uint32_t)num_members;
+
+ /* Group membership lives at start of extra data */
+
+ response->data.gr.gr_mem_ofs = 0;
+ response->extra_data.data = buf;
+ response->length += talloc_get_size(response->extra_data.data);
+
+ D_NOTICE("Winbind external command GETGRNAM end.\n"
+ "Returning %"PRIu32" memmber(s).\n",
+ response->data.gr.num_gr_mem);
+
+ return NT_STATUS_OK;
+}
diff --git a/source3/winbindd/winbindd_getgroups.c b/source3/winbindd/winbindd_getgroups.c
new file mode 100644
index 0000000..c2603cc
--- /dev/null
+++ b/source3/winbindd/winbindd_getgroups.c
@@ -0,0 +1,283 @@
+/*
+ Unix SMB/CIFS implementation.
+ async implementation of WINBINDD_GETGROUPS
+ Copyright (C) Volker Lendecke 2009
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "winbindd.h"
+#include "passdb/lookup_sid.h" /* only for LOOKUP_NAME_NO_NSS flag */
+#include "libcli/security/dom_sid.h"
+
+struct winbindd_getgroups_state {
+ struct tevent_context *ev;
+ fstring namespace;
+ fstring domname;
+ fstring username;
+ struct dom_sid sid;
+ enum lsa_SidType type;
+ uint32_t num_sids;
+ struct dom_sid *sids;
+ uint32_t num_gids;
+ gid_t *gids;
+};
+
+static void winbindd_getgroups_lookupname_done(struct tevent_req *subreq);
+static void winbindd_getgroups_gettoken_done(struct tevent_req *subreq);
+static void winbindd_getgroups_sid2gid_done(struct tevent_req *subreq);
+
+struct tevent_req *winbindd_getgroups_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request)
+{
+ struct tevent_req *req, *subreq;
+ struct winbindd_getgroups_state *state;
+ char *domuser, *mapped_user;
+ NTSTATUS status;
+ bool ok;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct winbindd_getgroups_state);
+ if (req == NULL) {
+ return NULL;
+ }
+ state->ev = ev;
+
+ /* Ensure null termination */
+ request->data.username[sizeof(request->data.username)-1]='\0';
+
+ D_NOTICE("[%s (%u)] Winbind external command GETGROUPS start.\n"
+ "Searching groups for username '%s'.\n",
+ cli->client_name,
+ (unsigned int)cli->pid,
+ request->data.username);
+
+ domuser = request->data.username;
+
+ status = normalize_name_unmap(state, domuser, &mapped_user);
+
+ if (NT_STATUS_IS_OK(status)
+ || NT_STATUS_EQUAL(status, NT_STATUS_FILE_RENAMED)) {
+ /* normalize_name_unmapped did something */
+ domuser = mapped_user;
+ }
+
+ ok = parse_domain_user(domuser,
+ state->namespace,
+ state->domname,
+ state->username);
+ if (!ok) {
+ D_WARNING("Could not parse domain user: %s\n", domuser);
+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ return tevent_req_post(req, ev);
+ }
+
+ subreq = wb_lookupname_send(state, ev,
+ state->namespace,
+ state->domname,
+ state->username,
+ LOOKUP_NAME_NO_NSS);
+ if (tevent_req_nomem(subreq, req)) {
+ return tevent_req_post(req, ev);
+ }
+ tevent_req_set_callback(subreq, winbindd_getgroups_lookupname_done,
+ req);
+ return req;
+}
+
+static void winbindd_getgroups_lookupname_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct winbindd_getgroups_state *state = tevent_req_data(
+ req, struct winbindd_getgroups_state);
+ NTSTATUS status;
+
+ status = wb_lookupname_recv(subreq, &state->sid, &state->type);
+ TALLOC_FREE(subreq);
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
+
+ subreq = wb_gettoken_send(state, state->ev, &state->sid, true);
+ if (tevent_req_nomem(subreq, req)) {
+ return;
+ }
+ tevent_req_set_callback(subreq, winbindd_getgroups_gettoken_done, req);
+}
+
+static void winbindd_getgroups_gettoken_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct winbindd_getgroups_state *state = tevent_req_data(
+ req, struct winbindd_getgroups_state);
+ NTSTATUS status;
+
+ status = wb_gettoken_recv(subreq, state, &state->num_sids,
+ &state->sids);
+ TALLOC_FREE(subreq);
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
+
+ /*
+ * Convert the group SIDs to gids. state->sids[0] contains the user
+ * sid. If the idmap backend uses ID_TYPE_BOTH, we might need the
+ * the id of the user sid in the list of group sids, so map the
+ * complete token.
+ */
+
+ subreq = wb_sids2xids_send(state, state->ev,
+ state->sids, state->num_sids);
+ if (tevent_req_nomem(subreq, req)) {
+ return;
+ }
+ tevent_req_set_callback(subreq, winbindd_getgroups_sid2gid_done, req);
+}
+
+static void winbindd_getgroups_sid2gid_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct winbindd_getgroups_state *state = tevent_req_data(
+ req, struct winbindd_getgroups_state);
+ NTSTATUS status;
+ struct unixid *xids;
+ uint32_t i;
+
+ xids = talloc_array(state, struct unixid, state->num_sids);
+ if (tevent_req_nomem(xids, req)) {
+ return;
+ }
+ for (i=0; i < state->num_sids; i++) {
+ xids[i].type = ID_TYPE_NOT_SPECIFIED;
+ xids[i].id = UINT32_MAX;
+ }
+
+ status = wb_sids2xids_recv(subreq, xids, state->num_sids);
+ TALLOC_FREE(subreq);
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED) ||
+ NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED))
+ {
+ status = NT_STATUS_OK;
+ }
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
+
+ state->gids = talloc_array(state, gid_t, state->num_sids);
+ if (tevent_req_nomem(state->gids, req)) {
+ return;
+ }
+ state->num_gids = 0;
+
+ for (i=0; i < state->num_sids; i++) {
+ bool include_gid = false;
+ const char *debug_missing = NULL;
+
+ switch (xids[i].type) {
+ case ID_TYPE_NOT_SPECIFIED:
+ debug_missing = "not specified";
+ break;
+ case ID_TYPE_UID:
+ if (i != 0) {
+ debug_missing = "uid";
+ }
+ break;
+ case ID_TYPE_GID:
+ case ID_TYPE_BOTH:
+ include_gid = true;
+ break;
+ case ID_TYPE_WB_REQUIRE_TYPE:
+ /*
+ * these are internal between winbindd
+ * parent and child.
+ */
+ smb_panic(__location__);
+ break;
+ }
+
+ if (!include_gid) {
+ struct dom_sid_buf sidbuf;
+
+ if (debug_missing == NULL) {
+ continue;
+ }
+
+ D_WARNING("WARNING: skipping unix id (%"PRIu32") for sid %s "
+ "from group list because the idmap type "
+ "is %s. "
+ "This might be a security problem when ACLs "
+ "contain DENY ACEs!\n",
+ (unsigned)xids[i].id,
+ dom_sid_str_buf(&state->sids[i], &sidbuf),
+ debug_missing);
+ continue;
+ }
+
+ state->gids[state->num_gids] = (gid_t)xids[i].id;
+ state->num_gids += 1;
+ }
+
+ /*
+ * This should not fail, as it does not do any reallocation,
+ * just updating the talloc size.
+ */
+ state->gids = talloc_realloc(state, state->gids, gid_t, state->num_gids);
+ if (tevent_req_nomem(state->gids, req)) {
+ return;
+ }
+
+ tevent_req_done(req);
+}
+
+NTSTATUS winbindd_getgroups_recv(struct tevent_req *req,
+ struct winbindd_response *response)
+{
+ struct winbindd_getgroups_state *state = tevent_req_data(
+ req, struct winbindd_getgroups_state);
+ NTSTATUS status;
+ uint32_t i;
+
+ if (tevent_req_is_nterror(req, &status)) {
+ struct dom_sid_buf buf;
+ D_WARNING("Could not convert sid %s: %s\n",
+ dom_sid_str_buf(&state->sid, &buf),
+ nt_errstr(status));
+ return status;
+ }
+
+ response->data.num_entries = state->num_gids;
+
+ D_NOTICE("Winbind external command GETGROUPS end.\n"
+ "Received %"PRIu32" entries.\n",
+ response->data.num_entries);
+ if (CHECK_DEBUGLVL(DBGLVL_NOTICE)) {
+ for (i = 0; i < state->num_gids; i++) {
+ D_NOTICE("%"PRIu32": GID %u\n", i, state->gids[i]);
+ }
+ }
+
+ if (state->num_gids > 0) {
+ response->extra_data.data = talloc_move(response,
+ &state->gids);
+ response->length += state->num_gids * sizeof(gid_t);
+ }
+
+ return NT_STATUS_OK;
+}
diff --git a/source3/winbindd/winbindd_getpwent.c b/source3/winbindd/winbindd_getpwent.c
new file mode 100644
index 0000000..5a78883
--- /dev/null
+++ b/source3/winbindd/winbindd_getpwent.c
@@ -0,0 +1,162 @@
+/*
+ Unix SMB/CIFS implementation.
+ async implementation of WINBINDD_GETPWENT
+ Copyright (C) Volker Lendecke 2009
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "winbindd.h"
+
+struct winbindd_getpwent_state {
+ struct tevent_context *ev;
+ struct winbindd_cli_state *cli;
+ uint32_t max_users;
+ uint32_t num_users;
+ struct winbindd_pw *users;
+};
+
+static void winbindd_getpwent_done(struct tevent_req *subreq);
+
+struct tevent_req *winbindd_getpwent_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request)
+{
+ struct tevent_req *req, *subreq;
+ struct winbindd_getpwent_state *state;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct winbindd_getpwent_state);
+ if (req == NULL) {
+ return NULL;
+ }
+ state->ev = ev;
+ state->num_users = 0;
+ state->cli = cli;
+
+ D_NOTICE("[%s (%u)] Winbind external command GETPWENT start.\n"
+ "The caller (%s) provided room for %d entries.\n",
+ cli->client_name,
+ (unsigned int)cli->pid,
+ cli->client_name,
+ request->data.num_entries);
+
+ if (cli->pwent_state == NULL) {
+ tevent_req_nterror(req, NT_STATUS_NO_MORE_ENTRIES);
+ return tevent_req_post(req, ev);
+ }
+
+ state->max_users = MIN(500, request->data.num_entries);
+ if (state->max_users == 0) {
+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ return tevent_req_post(req, ev);
+ }
+
+ state->users = talloc_zero_array(state, struct winbindd_pw,
+ state->max_users);
+ if (tevent_req_nomem(state->users, req)) {
+ return tevent_req_post(req, ev);
+ }
+
+ subreq = wb_next_pwent_send(state, ev, cli->pwent_state,
+ &state->users[state->num_users]);
+ if (tevent_req_nomem(subreq, req)) {
+ return tevent_req_post(req, ev);
+ }
+ tevent_req_set_callback(subreq, winbindd_getpwent_done, req);
+ return req;
+}
+
+static void winbindd_getpwent_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct winbindd_getpwent_state *state = tevent_req_data(
+ req, struct winbindd_getpwent_state);
+ NTSTATUS status;
+
+ status = wb_next_pwent_recv(subreq);
+ TALLOC_FREE(subreq);
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NO_MORE_ENTRIES)) {
+ D_DEBUG("winbindd_getpwent_done: done with %"PRIu32" users\n",
+ state->num_users);
+ TALLOC_FREE(state->cli->pwent_state);
+ tevent_req_done(req);
+ return;
+ }
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
+ state->num_users += 1;
+ if (state->num_users >= state->max_users) {
+ D_DEBUG("winbindd_getpwent_done: Got enough users: %"PRIu32"\n",
+ state->num_users);
+ tevent_req_done(req);
+ return;
+ }
+ if (state->cli->pwent_state == NULL) {
+ D_DEBUG("winbindd_getpwent_done: endpwent called in between\n");
+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ return;
+ }
+ subreq = wb_next_pwent_send(state, state->ev, state->cli->pwent_state,
+ &state->users[state->num_users]);
+ if (tevent_req_nomem(subreq, req)) {
+ return;
+ }
+ tevent_req_set_callback(subreq, winbindd_getpwent_done, req);
+}
+
+NTSTATUS winbindd_getpwent_recv(struct tevent_req *req,
+ struct winbindd_response *response)
+{
+ struct winbindd_getpwent_state *state = tevent_req_data(
+ req, struct winbindd_getpwent_state);
+ NTSTATUS status;
+ uint32_t i;
+
+ if (tevent_req_is_nterror(req, &status)) {
+ TALLOC_FREE(state->cli->pwent_state);
+ D_WARNING("getpwent failed: %s\n", nt_errstr(status));
+ return status;
+ }
+
+ D_NOTICE("Winbind external command GETPWENT end.\n"
+ "Received %"PRIu32" entries.\n"
+ "(name:passwd:uid:gid:gecos:dir:shell)\n",
+ state->num_users);
+
+ if (state->num_users == 0) {
+ return NT_STATUS_NO_MORE_ENTRIES;
+ }
+
+ for (i = 0; i < state->num_users; i++) {
+ D_NOTICE("%"PRIu32": %s:%s:%u:%u:%s:%s:%s\n",
+ i,
+ state->users[i].pw_name,
+ state->users[i].pw_passwd,
+ (unsigned int)state->users[i].pw_uid,
+ (unsigned int)state->users[i].pw_gid,
+ state->users[i].pw_gecos,
+ state->users[i].pw_dir,
+ state->users[i].pw_shell
+ );
+ }
+ response->data.num_entries = state->num_users;
+ response->extra_data.data = talloc_move(response, &state->users);
+ response->length += state->num_users * sizeof(struct winbindd_pw);
+ return NT_STATUS_OK;
+}
diff --git a/source3/winbindd/winbindd_getpwnam.c b/source3/winbindd/winbindd_getpwnam.c
new file mode 100644
index 0000000..6dd0d84
--- /dev/null
+++ b/source3/winbindd/winbindd_getpwnam.c
@@ -0,0 +1,162 @@
+/*
+ Unix SMB/CIFS implementation.
+ async implementation of WINBINDD_GETPWNAM
+ Copyright (C) Volker Lendecke 2009
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "winbindd.h"
+#include "passdb/lookup_sid.h" /* only for LOOKUP_NAME_NO_NSS flag */
+#include "libcli/security/dom_sid.h"
+
+struct winbindd_getpwnam_state {
+ struct tevent_context *ev;
+ fstring namespace;
+ fstring domname;
+ fstring username;
+ struct dom_sid sid;
+ enum lsa_SidType type;
+ struct winbindd_pw pw;
+};
+
+static void winbindd_getpwnam_lookupname_done(struct tevent_req *subreq);
+static void winbindd_getpwnam_done(struct tevent_req *subreq);
+
+struct tevent_req *winbindd_getpwnam_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request)
+{
+ struct tevent_req *req, *subreq;
+ struct winbindd_getpwnam_state *state;
+ char *domuser, *mapped_user;
+ NTSTATUS status;
+ bool ok;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct winbindd_getpwnam_state);
+ if (req == NULL) {
+ return NULL;
+ }
+ state->ev = ev;
+
+ /* Ensure null termination */
+ request->data.username[sizeof(request->data.username)-1]='\0';
+
+ D_NOTICE("[%s (%u)] Winbind external command GETPWNAM start.\n"
+ "Query username '%s'.\n",
+ cli->client_name,
+ (unsigned int)cli->pid,
+ request->data.username);
+
+ domuser = request->data.username;
+
+ status = normalize_name_unmap(state, domuser, &mapped_user);
+
+ if (NT_STATUS_IS_OK(status)
+ || NT_STATUS_EQUAL(status, NT_STATUS_FILE_RENAMED)) {
+ /* normalize_name_unmapped did something */
+ domuser = mapped_user;
+ }
+
+ ok = parse_domain_user(domuser,
+ state->namespace,
+ state->domname,
+ state->username);
+ if (!ok) {
+ D_WARNING("Could not parse domain user: %s\n", domuser);
+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ return tevent_req_post(req, ev);
+ }
+
+ subreq = wb_lookupname_send(state, ev,
+ state->namespace,
+ state->domname,
+ state->username,
+ LOOKUP_NAME_NO_NSS);
+ if (tevent_req_nomem(subreq, req)) {
+ return tevent_req_post(req, ev);
+ }
+ tevent_req_set_callback(subreq, winbindd_getpwnam_lookupname_done,
+ req);
+ return req;
+}
+
+static void winbindd_getpwnam_lookupname_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct winbindd_getpwnam_state *state = tevent_req_data(
+ req, struct winbindd_getpwnam_state);
+ NTSTATUS status;
+
+ status = wb_lookupname_recv(subreq, &state->sid, &state->type);
+ TALLOC_FREE(subreq);
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
+
+ subreq = wb_getpwsid_send(state, state->ev, &state->sid, &state->pw);
+ if (tevent_req_nomem(subreq, req)) {
+ return;
+ }
+ tevent_req_set_callback(subreq, winbindd_getpwnam_done, req);
+}
+
+static void winbindd_getpwnam_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ NTSTATUS status;
+
+ status = wb_getpwsid_recv(subreq);
+ TALLOC_FREE(subreq);
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
+ tevent_req_done(req);
+}
+
+NTSTATUS winbindd_getpwnam_recv(struct tevent_req *req,
+ struct winbindd_response *response)
+{
+ struct winbindd_getpwnam_state *state = tevent_req_data(
+ req, struct winbindd_getpwnam_state);
+ NTSTATUS status;
+
+ if (tevent_req_is_nterror(req, &status)) {
+ struct dom_sid_buf buf;
+ D_WARNING("Could not convert sid %s: %s\n",
+ dom_sid_str_buf(&state->sid, &buf),
+ nt_errstr(status));
+ return status;
+ }
+ response->data.pw = state->pw;
+
+ D_NOTICE("Winbind external command GETPWNAM end.\n"
+ "(name:passwd:uid:gid:gecos:dir:shell)\n"
+ "%s:%s:%u:%u:%s:%s:%s\n",
+ state->pw.pw_name,
+ state->pw.pw_passwd,
+ (unsigned int)state->pw.pw_uid,
+ (unsigned int)state->pw.pw_gid,
+ state->pw.pw_gecos,
+ state->pw.pw_dir,
+ state->pw.pw_shell
+ );
+
+ return NT_STATUS_OK;
+}
diff --git a/source3/winbindd/winbindd_getpwsid.c b/source3/winbindd/winbindd_getpwsid.c
new file mode 100644
index 0000000..8e0a3e3
--- /dev/null
+++ b/source3/winbindd/winbindd_getpwsid.c
@@ -0,0 +1,109 @@
+/*
+ Unix SMB/CIFS implementation.
+ async implementation of WINBINDD_GETPWSID
+ Copyright (C) Volker Lendecke 2009
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "winbindd.h"
+#include "../libcli/security/security.h"
+
+struct winbindd_getpwsid_state {
+ struct dom_sid sid;
+ struct winbindd_pw pw;
+};
+
+static void winbindd_getpwsid_done(struct tevent_req *subreq);
+
+struct tevent_req *winbindd_getpwsid_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request)
+{
+ struct tevent_req *req, *subreq;
+ struct winbindd_getpwsid_state *state;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct winbindd_getpwsid_state);
+ if (req == NULL) {
+ return NULL;
+ }
+
+ /* Ensure null termination */
+ request->data.sid[sizeof(request->data.sid)-1]='\0';
+
+ D_NOTICE("[%s (%u)] Winbind external command GETPWSID start.\n"
+ "sid=%s\n",
+ cli->client_name,
+ (unsigned int)cli->pid,
+ request->data.sid);
+
+ if (!string_to_sid(&state->sid, request->data.sid)) {
+ D_WARNING("Could not get convert sid %s from string\n",
+ request->data.sid);
+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ return tevent_req_post(req, ev);
+ }
+
+ subreq = wb_getpwsid_send(state, ev, &state->sid, &state->pw);
+ if (tevent_req_nomem(subreq, req)) {
+ return tevent_req_post(req, ev);
+ }
+ tevent_req_set_callback(subreq, winbindd_getpwsid_done, req);
+ return req;
+}
+
+static void winbindd_getpwsid_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ NTSTATUS status;
+
+ status = wb_getpwsid_recv(subreq);
+ TALLOC_FREE(subreq);
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
+ tevent_req_done(req);
+}
+
+NTSTATUS winbindd_getpwsid_recv(struct tevent_req *req,
+ struct winbindd_response *response)
+{
+ struct winbindd_getpwsid_state *state = tevent_req_data(
+ req, struct winbindd_getpwsid_state);
+ NTSTATUS status;
+
+ if (tevent_req_is_nterror(req, &status)) {
+ D_WARNING("Failed with %s.\n", nt_errstr(status));
+ return status;
+ }
+ response->data.pw = state->pw;
+
+ D_NOTICE("Winbind external command GETPWSID end.\n"
+ "(name:passwd:uid:gid:gecos:dir:shell)\n"
+ "%s:%s:%u:%u:%s:%s:%s\n",
+ state->pw.pw_name,
+ state->pw.pw_passwd,
+ (unsigned int)state->pw.pw_uid,
+ (unsigned int)state->pw.pw_gid,
+ state->pw.pw_gecos,
+ state->pw.pw_dir,
+ state->pw.pw_shell
+ );
+
+ return NT_STATUS_OK;
+}
diff --git a/source3/winbindd/winbindd_getpwuid.c b/source3/winbindd/winbindd_getpwuid.c
new file mode 100644
index 0000000..509e013
--- /dev/null
+++ b/source3/winbindd/winbindd_getpwuid.c
@@ -0,0 +1,137 @@
+/*
+ Unix SMB/CIFS implementation.
+ async implementation of WINBINDD_GETPWUID
+ Copyright (C) Volker Lendecke 2009
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "winbindd.h"
+#include "libcli/security/dom_sid.h"
+
+struct winbindd_getpwuid_state {
+ struct tevent_context *ev;
+ struct unixid xid;
+ struct dom_sid *sid;
+ struct winbindd_pw pw;
+};
+
+static void winbindd_getpwuid_uid2sid_done(struct tevent_req *subreq);
+static void winbindd_getpwuid_done(struct tevent_req *subreq);
+
+struct tevent_req *winbindd_getpwuid_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request)
+{
+ struct tevent_req *req, *subreq;
+ struct winbindd_getpwuid_state *state;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct winbindd_getpwuid_state);
+ if (req == NULL) {
+ return NULL;
+ }
+ state->ev = ev;
+
+ D_NOTICE("[%s (%u)] Winbind external command GETPWUID start.\n"
+ "Search UID %u.\n",
+ cli->client_name,
+ (unsigned int)cli->pid,
+ (int)request->data.uid);
+
+ state->xid = (struct unixid) {
+ .id = request->data.uid, .type = ID_TYPE_UID };
+
+ subreq = wb_xids2sids_send(state, ev, &state->xid, 1);
+ if (tevent_req_nomem(subreq, req)) {
+ return tevent_req_post(req, ev);
+ }
+ tevent_req_set_callback(subreq, winbindd_getpwuid_uid2sid_done,
+ req);
+ return req;
+}
+
+static void winbindd_getpwuid_uid2sid_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct winbindd_getpwuid_state *state = tevent_req_data(
+ req, struct winbindd_getpwuid_state);
+ NTSTATUS status;
+
+ status = wb_xids2sids_recv(subreq, state, &state->sid);
+ TALLOC_FREE(subreq);
+ if (tevent_req_nterror(req, status)) {
+ D_WARNING("Failed with %s.\n", nt_errstr(status));
+ return;
+ }
+ if (is_null_sid(state->sid)) {
+ tevent_req_nterror(req, NT_STATUS_NO_SUCH_USER);
+ D_WARNING("Failed with NT_STATUS_NO_SUCH_USER.\n");
+ return;
+ }
+
+ subreq = wb_getpwsid_send(state, state->ev, state->sid, &state->pw);
+ if (tevent_req_nomem(subreq, req)) {
+ return;
+ }
+ tevent_req_set_callback(subreq, winbindd_getpwuid_done, req);
+}
+
+static void winbindd_getpwuid_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ NTSTATUS status;
+
+ status = wb_getpwsid_recv(subreq);
+ TALLOC_FREE(subreq);
+ if (tevent_req_nterror(req, status)) {
+ D_WARNING("Failed with %s.\n", nt_errstr(status));
+ return;
+ }
+ tevent_req_done(req);
+}
+
+NTSTATUS winbindd_getpwuid_recv(struct tevent_req *req,
+ struct winbindd_response *response)
+{
+ struct winbindd_getpwuid_state *state = tevent_req_data(
+ req, struct winbindd_getpwuid_state);
+ NTSTATUS status;
+
+ if (tevent_req_is_nterror(req, &status)) {
+ struct dom_sid_buf buf;
+ D_WARNING("Could not convert sid %s: %s\n",
+ dom_sid_str_buf(state->sid, &buf),
+ nt_errstr(status));
+ return status;
+ }
+ response->data.pw = state->pw;
+ D_NOTICE("Winbind external command GETPWUID end.\n"
+ "(name:passwd:uid:gid:gecos:dir:shell)\n"
+ "%s:%s:%u:%u:%s:%s:%s\n",
+ state->pw.pw_name,
+ state->pw.pw_passwd,
+ (unsigned int)state->pw.pw_uid,
+ (unsigned int)state->pw.pw_gid,
+ state->pw.pw_gecos,
+ state->pw.pw_dir,
+ state->pw.pw_shell
+ );
+
+ return NT_STATUS_OK;
+}
diff --git a/source3/winbindd/winbindd_getsidaliases.c b/source3/winbindd/winbindd_getsidaliases.c
new file mode 100644
index 0000000..bf8fcdd
--- /dev/null
+++ b/source3/winbindd/winbindd_getsidaliases.c
@@ -0,0 +1,160 @@
+/*
+ Unix SMB/CIFS implementation.
+ async implementation of WINBINDD_GETSIDALIASES
+ Copyright (C) Volker Lendecke 2009
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "winbindd.h"
+#include "../libcli/security/security.h"
+
+struct winbindd_getsidaliases_state {
+ struct dom_sid sid;
+ uint32_t num_aliases;
+ uint32_t *aliases;
+};
+
+static void winbindd_getsidaliases_done(struct tevent_req *subreq);
+
+struct tevent_req *winbindd_getsidaliases_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request)
+{
+ struct tevent_req *req, *subreq;
+ struct winbindd_getsidaliases_state *state;
+ struct winbindd_domain *domain;
+ uint32_t num_sids, i;
+ struct dom_sid *sids;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct winbindd_getsidaliases_state);
+ if (req == NULL) {
+ return NULL;
+ }
+
+ /* Ensure null termination */
+ request->data.sid[sizeof(request->data.sid)-1]='\0';
+
+ if (!string_to_sid(&state->sid, request->data.sid)) {
+ D_WARNING("Could not get convert sid %s from string\n",
+ request->data.sid);
+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ return tevent_req_post(req, ev);
+ }
+
+ domain = find_domain_from_sid_noinit(&state->sid);
+ if (domain == NULL) {
+ D_WARNING("could not find domain entry for sid %s\n",
+ request->data.sid);
+ tevent_req_nterror(req, NT_STATUS_NO_SUCH_DOMAIN);
+ return tevent_req_post(req, ev);
+ }
+
+ num_sids = 0;
+ sids = NULL;
+
+ if (request->extra_data.data != NULL) {
+ if (request->extra_data.data[request->extra_len-1] != '\0') {
+ D_WARNING("Got non-NULL terminated sidlist\n");
+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ return tevent_req_post(req, ev);
+ }
+ if (!parse_sidlist(state, request->extra_data.data,
+ &sids, &num_sids)) {
+ D_WARNING("Could not parse SID list: %s\n",
+ request->extra_data.data);
+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ return tevent_req_post(req, ev);
+ }
+ }
+
+ D_NOTICE("[%s (%u)] Winbind external command GETSIDALIASES start.\n"
+ "sid=%s\n",
+ cli->client_name,
+ (unsigned int)cli->pid,
+ request->data.sid);
+ if (CHECK_DEBUGLVL(DBGLVL_DEBUG)) {
+ for (i = 0; i < num_sids; i++) {
+ struct dom_sid_buf sidstr;
+ D_NOTICE("%"PRIu32": %s\n",
+ i, dom_sid_str_buf(&sids[i], &sidstr));
+ }
+ }
+
+ subreq = wb_lookupuseraliases_send(state, ev, domain, num_sids, sids);
+ if (tevent_req_nomem(subreq, req)) {
+ return tevent_req_post(req, ev);
+ }
+ tevent_req_set_callback(subreq, winbindd_getsidaliases_done, req);
+ return req;
+}
+
+static void winbindd_getsidaliases_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct winbindd_getsidaliases_state *state = tevent_req_data(
+ req, struct winbindd_getsidaliases_state);
+ NTSTATUS status;
+
+ status = wb_lookupuseraliases_recv(subreq, state, &state->num_aliases,
+ &state->aliases);
+ TALLOC_FREE(subreq);
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
+ tevent_req_done(req);
+}
+
+NTSTATUS winbindd_getsidaliases_recv(struct tevent_req *req,
+ struct winbindd_response *response)
+{
+ struct winbindd_getsidaliases_state *state = tevent_req_data(
+ req, struct winbindd_getsidaliases_state);
+ NTSTATUS status;
+ uint32_t i;
+ char *sidlist;
+
+ if (tevent_req_is_nterror(req, &status)) {
+ D_WARNING("Failed with %s.\n", nt_errstr(status));
+ return status;
+ }
+
+ sidlist = talloc_strdup(response, "");
+
+ D_NOTICE("Winbind external command GETSIDALIASES end.\n"
+ "Received %"PRIu32" alias(es).\n",
+ state->num_aliases);
+ for (i=0; i<state->num_aliases; i++) {
+ struct dom_sid sid;
+ struct dom_sid_buf tmp;
+ sid_compose(&sid, &state->sid, state->aliases[i]);
+
+ talloc_asprintf_addbuf(
+ &sidlist, "%s\n", dom_sid_str_buf(&sid, &tmp));
+ D_NOTICE("%"PRIu32": %s\n", i, dom_sid_str_buf(&sid, &tmp));
+ }
+
+ if (sidlist == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ response->extra_data.data = sidlist;
+ response->length += talloc_get_size(sidlist);
+ response->data.num_entries = state->num_aliases;
+ return NT_STATUS_OK;
+}
diff --git a/source3/winbindd/winbindd_getuserdomgroups.c b/source3/winbindd/winbindd_getuserdomgroups.c
new file mode 100644
index 0000000..75eb437
--- /dev/null
+++ b/source3/winbindd/winbindd_getuserdomgroups.c
@@ -0,0 +1,123 @@
+/*
+ Unix SMB/CIFS implementation.
+ async implementation of WINBINDD_GETUSERDOMGROUPS
+ Copyright (C) Volker Lendecke 2009
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "winbindd.h"
+#include "../libcli/security/security.h"
+
+struct winbindd_getuserdomgroups_state {
+ struct dom_sid sid;
+ uint32_t num_sids;
+ struct dom_sid *sids;
+};
+
+static void winbindd_getuserdomgroups_done(struct tevent_req *subreq);
+
+struct tevent_req *winbindd_getuserdomgroups_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request)
+{
+ struct tevent_req *req, *subreq;
+ struct winbindd_getuserdomgroups_state *state;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct winbindd_getuserdomgroups_state);
+ if (req == NULL) {
+ return NULL;
+ }
+
+ /* Ensure null termination */
+ request->data.sid[sizeof(request->data.sid)-1]='\0';
+
+ D_NOTICE("[%s (%u)] Winbind external command GETUSERDOMGROUPS start.\n"
+ "sid=%s\n",
+ cli->client_name,
+ (unsigned int)cli->pid,
+ request->data.sid);
+
+ if (!string_to_sid(&state->sid, request->data.sid)) {
+ D_WARNING("Could not get convert sid %s from string\n",
+ request->data.sid);
+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ return tevent_req_post(req, ev);
+ }
+
+ subreq = wb_gettoken_send(state, ev, &state->sid, false);
+ if (tevent_req_nomem(subreq, req)) {
+ return tevent_req_post(req, ev);
+ }
+ tevent_req_set_callback(subreq, winbindd_getuserdomgroups_done, req);
+ return req;
+}
+
+static void winbindd_getuserdomgroups_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct winbindd_getuserdomgroups_state *state = tevent_req_data(
+ req, struct winbindd_getuserdomgroups_state);
+ NTSTATUS status;
+
+ status = wb_gettoken_recv(subreq, state, &state->num_sids,
+ &state->sids);
+ TALLOC_FREE(subreq);
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
+ tevent_req_done(req);
+}
+
+NTSTATUS winbindd_getuserdomgroups_recv(struct tevent_req *req,
+ struct winbindd_response *response)
+{
+ struct winbindd_getuserdomgroups_state *state = tevent_req_data(
+ req, struct winbindd_getuserdomgroups_state);
+ NTSTATUS status;
+ uint32_t i;
+ char *sidlist;
+
+ if (tevent_req_is_nterror(req, &status)) {
+ D_WARNING("Failed with %s.\n", nt_errstr(status));
+ return status;
+ }
+
+ sidlist = talloc_strdup(response, "");
+ if (sidlist == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ D_NOTICE("Winbind external command GETUSERDOMGROUPS end.\n"
+ "Received %"PRIu32" entries.\n",
+ state->num_sids);
+ for (i=0; i<state->num_sids; i++) {
+ struct dom_sid_buf tmp;
+ sidlist = talloc_asprintf_append_buffer(
+ sidlist, "%s\n",
+ dom_sid_str_buf(&state->sids[i], &tmp));
+ if (sidlist == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ D_NOTICE("%"PRIu32": %s\n",
+ i, dom_sid_str_buf(&state->sids[i], &tmp));
+ }
+ response->extra_data.data = sidlist;
+ response->length += talloc_get_size(sidlist);
+ response->data.num_entries = state->num_sids;
+ return NT_STATUS_OK;
+}
diff --git a/source3/winbindd/winbindd_getusersids.c b/source3/winbindd/winbindd_getusersids.c
new file mode 100644
index 0000000..a285c1f
--- /dev/null
+++ b/source3/winbindd/winbindd_getusersids.c
@@ -0,0 +1,128 @@
+/*
+ Unix SMB/CIFS implementation.
+ async implementation of WINBINDD_GETUSERSIDS
+ Copyright (C) Volker Lendecke 2009
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "winbindd.h"
+#include "../libcli/security/security.h"
+
+struct winbindd_getusersids_state {
+ struct dom_sid sid;
+ uint32_t num_sids;
+ struct dom_sid *sids;
+};
+
+static void winbindd_getusersids_done(struct tevent_req *subreq);
+
+struct tevent_req *winbindd_getusersids_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request)
+{
+ struct tevent_req *req, *subreq;
+ struct winbindd_getusersids_state *state;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct winbindd_getusersids_state);
+ if (req == NULL) {
+ return NULL;
+ }
+
+ /* Ensure null termination */
+ request->data.sid[sizeof(request->data.sid)-1]='\0';
+
+ D_NOTICE("[%s (%u)] Winbind external command GETUSERSIDS start.\n"
+ "sid=%s\n",
+ cli->client_name,
+ (unsigned int)cli->pid,
+ request->data.sid);
+
+ if (!string_to_sid(&state->sid, request->data.sid)) {
+ D_WARNING("Returning NT_STATUS_INVALID_PARAMETER.\n"
+ "Could not get convert sid %s from string\n",
+ request->data.sid);
+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ return tevent_req_post(req, ev);
+ }
+
+ subreq = wb_gettoken_send(state, ev, &state->sid, true);
+ if (tevent_req_nomem(subreq, req)) {
+ return tevent_req_post(req, ev);
+ }
+ tevent_req_set_callback(subreq, winbindd_getusersids_done, req);
+ return req;
+}
+
+static void winbindd_getusersids_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct winbindd_getusersids_state *state = tevent_req_data(
+ req, struct winbindd_getusersids_state);
+ NTSTATUS status;
+
+ status = wb_gettoken_recv(subreq, state, &state->num_sids,
+ &state->sids);
+ TALLOC_FREE(subreq);
+ if (tevent_req_nterror(req, status)) {
+ D_WARNING("wb_gettoken_recv failed with %s.\n",
+ nt_errstr(status));
+ return;
+ }
+ tevent_req_done(req);
+}
+
+NTSTATUS winbindd_getusersids_recv(struct tevent_req *req,
+ struct winbindd_response *response)
+{
+ struct winbindd_getusersids_state *state = tevent_req_data(
+ req, struct winbindd_getusersids_state);
+ struct dom_sid_buf sidbuf;
+ NTSTATUS status;
+ uint32_t i;
+ char *result;
+
+ if (tevent_req_is_nterror(req, &status)) {
+ D_WARNING("Could not convert sid %s: %s\n",
+ dom_sid_str_buf(&state->sid, &sidbuf),
+ nt_errstr(status));
+ return status;
+ }
+
+ result = talloc_strdup(response, "");
+ if (result == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ D_NOTICE("Winbind external command GETUSERSIDS end.\n"
+ "Got %"PRIu32" SID(s).\n", state->num_sids);
+ for (i=0; i<state->num_sids; i++) {
+ D_NOTICE("%"PRIu32": %s\n",
+ i,
+ dom_sid_str_buf(&state->sids[i], &sidbuf));
+ talloc_asprintf_addbuf(
+ &result,
+ "%s\n",
+ dom_sid_str_buf(&state->sids[i], &sidbuf));
+ }
+
+ response->data.num_entries = state->num_sids;
+ response->extra_data.data = result;
+ response->length += talloc_get_size(result);
+ return NT_STATUS_OK;
+}
diff --git a/source3/winbindd/winbindd_gpupdate.c b/source3/winbindd/winbindd_gpupdate.c
new file mode 100644
index 0000000..1032251
--- /dev/null
+++ b/source3/winbindd/winbindd_gpupdate.c
@@ -0,0 +1,117 @@
+/*
+ * Unix SMB/CIFS implementation.
+ * Group Policy Update event for winbindd
+ * Copyright (C) David Mulder 2017
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+#include "includes.h"
+#include "param/param.h"
+#include "param/loadparm.h"
+#include "winbindd.h"
+#include "lib/global_contexts.h"
+
+/*
+ * gpupdate_interval()
+ * return Random integer between 5400 and 7200, the group policy update
+ * interval in seconds
+ *
+ * Group Policy should be updated every 90 minutes in the background,
+ * with a random offset between 0 and 30 minutes. This ensures mutiple
+ * clients will not update at the same time.
+ */
+#define GPUPDATE_INTERVAL (90*60)
+#define GPUPDATE_RAND_OFFSET (30*60)
+static uint32_t gpupdate_interval(void)
+{
+ int rand_int_offset = generate_random() % GPUPDATE_RAND_OFFSET;
+ return GPUPDATE_INTERVAL+rand_int_offset;
+}
+
+struct gpupdate_state {
+ TALLOC_CTX *ctx;
+ struct loadparm_context *lp_ctx;
+};
+
+static void gpupdate_callback(struct tevent_context *ev,
+ struct tevent_timer *tim,
+ struct timeval current_time,
+ void *private_data)
+{
+ struct tevent_timer *time_event;
+ struct timeval schedule;
+ struct tevent_req *req = NULL;
+ struct gpupdate_state *data =
+ talloc_get_type_abort(private_data, struct gpupdate_state);
+ const char *const *gpupdate_cmd =
+ lpcfg_gpo_update_command(data->lp_ctx);
+ const char *smbconf = lp_default_path();
+
+ /* Execute gpupdate */
+ req = samba_runcmd_send(data->ctx, ev, timeval_zero(), 2, 0,
+ gpupdate_cmd,
+ "-s",
+ smbconf,
+ "--target=Computer",
+ "--machine-pass",
+ NULL);
+ if (req == NULL) {
+ DEBUG(0, ("Failed to execute the gpupdate command\n"));
+ return;
+ }
+
+ /* Schedule the next event */
+ schedule = tevent_timeval_current_ofs(gpupdate_interval(), 0);
+ time_event = tevent_add_timer(ev, data->ctx, schedule,
+ gpupdate_callback, data);
+ if (time_event == NULL) {
+ DEBUG(0, ("Failed scheduling the next gpupdate event\n"));
+ }
+}
+
+void gpupdate_init(void)
+{
+ struct tevent_timer *time_event;
+ struct timeval schedule;
+ TALLOC_CTX * ctx = talloc_new(global_event_context());
+ struct gpupdate_state *data = talloc(ctx, struct gpupdate_state);
+ struct loadparm_context *lp_ctx =
+ loadparm_init_s3(NULL, loadparm_s3_helpers());
+
+ /*
+ * Check if gpupdate is enabled for winbind, if not
+ * return without scheduling any events.
+ */
+ if (!lpcfg_apply_group_policies(lp_ctx)) {
+ return;
+ }
+
+ /*
+ * Execute the first event immediately, future events
+ * will execute on the gpupdate interval, which is every
+ * 90 to 120 minutes (at random).
+ */
+ schedule = tevent_timeval_current_ofs(0, 0);
+ data->ctx = ctx;
+ data->lp_ctx = lp_ctx;
+ if (data->lp_ctx == NULL) {
+ smb_panic("Could not load smb.conf\n");
+ }
+ time_event = tevent_add_timer(global_event_context(), data->ctx,
+ schedule, gpupdate_callback, data);
+ if (time_event == NULL) {
+ DEBUG(0, ("Failed scheduling the gpupdate event\n"));
+ }
+}
+
diff --git a/source3/winbindd/winbindd_group.c b/source3/winbindd/winbindd_group.c
new file mode 100644
index 0000000..a90889e
--- /dev/null
+++ b/source3/winbindd/winbindd_group.c
@@ -0,0 +1,154 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ Winbind daemon for ntdom nss module
+
+ Copyright (C) Tim Potter 2000
+ Copyright (C) Jeremy Allison 2001.
+ Copyright (C) Gerald (Jerry) Carter 2003.
+ Copyright (C) Volker Lendecke 2005
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "winbindd.h"
+#include "lib/dbwrap/dbwrap.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_WINBIND
+
+/* Fill a grent structure from various other information */
+
+bool fill_grent(TALLOC_CTX *mem_ctx, struct winbindd_gr *gr,
+ const char *dom_name, const char *gr_name, gid_t unix_gid)
+{
+ const char *full_group_name;
+ char *mapped_name = NULL;
+ NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
+
+ nt_status = normalize_name_map(mem_ctx, dom_name, gr_name,
+ &mapped_name);
+
+ D_DEBUG("Filling domain '%s' and group '%s'.\n", dom_name, gr_name);
+ /* Basic whitespace replacement */
+ if (NT_STATUS_IS_OK(nt_status)) {
+ full_group_name = fill_domain_username_talloc(mem_ctx, dom_name,
+ mapped_name, true);
+ }
+ /* Mapped to an aliase */
+ else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_FILE_RENAMED)) {
+ full_group_name = mapped_name;
+ }
+ /* no change */
+ else {
+ full_group_name = fill_domain_username_talloc(mem_ctx, dom_name,
+ gr_name, True );
+ }
+
+ if (full_group_name == NULL) {
+ D_DEBUG("Returning false, since there is no full group name.\n");
+ return false;
+ }
+
+ gr->gr_gid = unix_gid;
+
+ /* Group name and password */
+
+ strlcpy(gr->gr_name, full_group_name, sizeof(gr->gr_name));
+ strlcpy(gr->gr_passwd, "x", sizeof(gr->gr_passwd));
+
+ D_DEBUG("Returning true. Full group name is '%s'.\n", gr_name);
+ return True;
+}
+
+struct getgr_countmem {
+ int num;
+ size_t len;
+};
+
+static int getgr_calc_memberlen(struct db_record *rec, void *private_data)
+{
+ struct getgr_countmem *buf = private_data;
+ TDB_DATA data = dbwrap_record_get_value(rec);
+ size_t len;
+
+ buf->num += 1;
+
+ len = buf->len + data.dsize;
+ if (len < buf->len) {
+ return 0;
+ }
+ buf->len = len;
+ return 0;
+}
+
+struct getgr_stringmem {
+ size_t ofs;
+ char *buf;
+};
+
+static int getgr_unparse_members(struct db_record *rec, void *private_data)
+{
+ struct getgr_stringmem *buf = private_data;
+ TDB_DATA data = dbwrap_record_get_value(rec);
+ int len;
+
+ len = data.dsize-1;
+
+ memcpy(buf->buf + buf->ofs, data.dptr, len);
+ buf->ofs += len;
+ buf->buf[buf->ofs] = ',';
+ buf->ofs += 1;
+ return 0;
+}
+
+NTSTATUS winbindd_print_groupmembers(struct db_context *members,
+ TALLOC_CTX *mem_ctx,
+ int *num_members, char **result)
+{
+ struct getgr_countmem c;
+ struct getgr_stringmem m;
+ int count;
+ NTSTATUS status;
+
+ c.num = 0;
+ c.len = 0;
+
+ status = dbwrap_traverse(members, getgr_calc_memberlen, &c, &count);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_NOTICE("dbwrap_traverse failed: %s\n", nt_errstr(status));
+ return status;
+ }
+
+ m.ofs = 0;
+ m.buf = talloc_array(mem_ctx, char, c.len);
+ if (m.buf == NULL) {
+ D_WARNING("talloc failed\n");
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ status = dbwrap_traverse(members, getgr_unparse_members, &m, &count);
+ if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(m.buf);
+ DBG_NOTICE("dbwrap_traverse failed: %s\n", nt_errstr(status));
+ return status;
+ }
+ m.buf[c.len-1] = '\0';
+
+ *num_members = c.num;
+ *result = m.buf;
+ D_DEBUG("Returning %d member(s).\n", *num_members);
+ return NT_STATUS_OK;
+}
diff --git a/source3/winbindd/winbindd_idmap.c b/source3/winbindd/winbindd_idmap.c
new file mode 100644
index 0000000..e6d2c28
--- /dev/null
+++ b/source3/winbindd/winbindd_idmap.c
@@ -0,0 +1,418 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ Async helpers for blocking functions
+
+ Copyright (C) Volker Lendecke 2005
+ Copyright (C) Gerald Carter 2006
+ Copyright (C) Simo Sorce 2007
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "winbindd.h"
+#include "../libcli/security/security.h"
+#include "passdb/lookup_sid.h"
+#include "lib/global_contexts.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_WINBIND
+
+static struct winbindd_child static_idmap_child;
+
+/*
+ * Map idmap ranges to domain names, taken from smb.conf. This is
+ * stored in the parent winbind and used to assemble xids2sids/sids2xids calls
+ * into per-idmap-domain chunks.
+ */
+static struct wb_parent_idmap_config static_parent_idmap_config;
+
+struct winbindd_child *idmap_child(void)
+{
+ return &static_idmap_child;
+}
+
+bool is_idmap_child(const struct winbindd_child *child)
+{
+ if (child == &static_idmap_child) {
+ return true;
+ }
+
+ return false;
+}
+
+pid_t idmap_child_pid(void)
+{
+ return static_idmap_child.pid;
+}
+
+struct dcerpc_binding_handle *idmap_child_handle(void)
+{
+ /*
+ * The caller needs to use wb_parent_idmap_setup_send/recv
+ * before talking to the idmap child!
+ */
+ SMB_ASSERT(static_parent_idmap_config.num_doms > 0);
+ return static_idmap_child.binding_handle;
+}
+
+static void init_idmap_child_done(struct tevent_req *subreq);
+
+void init_idmap_child(void)
+{
+ struct tevent_req *subreq = NULL;
+
+ subreq = wb_parent_idmap_setup_send(global_event_context(),
+ global_event_context());
+ if (subreq == NULL) {
+ /*
+ * This is only an optimization, so we're free to
+ * to ignore errors
+ */
+ DBG_ERR("wb_parent_idmap_setup_send() failed\n");
+ return;
+ }
+ tevent_req_set_callback(subreq, init_idmap_child_done, NULL);
+ DBG_DEBUG("wb_parent_idmap_setup_send() started\n");
+}
+
+static void init_idmap_child_done(struct tevent_req *subreq)
+{
+ const struct wb_parent_idmap_config *cfg = NULL;
+ NTSTATUS status;
+
+ status = wb_parent_idmap_setup_recv(subreq, &cfg);
+ TALLOC_FREE(subreq);
+ if (!NT_STATUS_IS_OK(status)) {
+ /*
+ * This is only an optimization, so we're free to
+ * to ignore errors
+ */
+ DBG_ERR("wb_parent_idmap_setup_recv() failed %s\n",
+ nt_errstr(status));
+ return;
+ }
+
+ DBG_DEBUG("wb_parent_idmap_setup_recv() finished\n");
+}
+
+struct wb_parent_idmap_setup_state {
+ struct tevent_context *ev;
+ struct wb_parent_idmap_config *cfg;
+ size_t dom_idx;
+};
+
+static void wb_parent_idmap_setup_cleanup(struct tevent_req *req,
+ enum tevent_req_state req_state)
+{
+ struct wb_parent_idmap_setup_state *state =
+ tevent_req_data(req,
+ struct wb_parent_idmap_setup_state);
+
+ if (req_state == TEVENT_REQ_DONE) {
+ state->cfg = NULL;
+ return;
+ }
+
+ if (state->cfg == NULL) {
+ return;
+ }
+
+ state->cfg->num_doms = 0;
+ TALLOC_FREE(state->cfg->doms);
+ state->cfg = NULL;
+}
+
+static void wb_parent_idmap_setup_queue_wait_done(struct tevent_req *subreq);
+static bool wb_parent_idmap_setup_scan_config(const char *domname,
+ void *private_data);
+static void wb_parent_idmap_setup_lookupname_next(struct tevent_req *req);
+static void wb_parent_idmap_setup_lookupname_done(struct tevent_req *subreq);
+
+struct tevent_req *wb_parent_idmap_setup_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev)
+{
+ struct tevent_req *req = NULL;
+ struct wb_parent_idmap_setup_state *state = NULL;
+ struct tevent_req *subreq = NULL;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct wb_parent_idmap_setup_state);
+ if (req == NULL) {
+ return NULL;
+ }
+ *state = (struct wb_parent_idmap_setup_state) {
+ .ev = ev,
+ .cfg = &static_parent_idmap_config,
+ .dom_idx = 0,
+ };
+
+ if (state->cfg->queue == NULL) {
+ state->cfg->queue = tevent_queue_create(NULL,
+ "wb_parent_idmap_config_queue");
+ if (tevent_req_nomem(state->cfg->queue, req)) {
+ return tevent_req_post(req, ev);
+ }
+ }
+
+ subreq = tevent_queue_wait_send(state, state->ev, state->cfg->queue);
+ if (tevent_req_nomem(subreq, req)) {
+ return tevent_req_post(req, ev);
+ }
+ tevent_req_set_callback(subreq,
+ wb_parent_idmap_setup_queue_wait_done,
+ req);
+
+ return req;
+}
+
+static void wb_parent_idmap_setup_queue_wait_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req =
+ tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct wb_parent_idmap_setup_state *state =
+ tevent_req_data(req,
+ struct wb_parent_idmap_setup_state);
+ bool ok;
+
+ /*
+ * Note we don't call TALLOC_FREE(subreq) here in order to block the
+ * queue until tevent_req_received() in wb_parent_idmap_setup_recv()
+ * will destroy it implicitly.
+ */
+ ok = tevent_queue_wait_recv(subreq);
+ if (!ok) {
+ DBG_ERR("tevent_queue_wait_recv() failed\n");
+ tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
+ return;
+ }
+
+ if (state->cfg->num_doms != 0) {
+ /*
+ * If we're not the first one we're done.
+ */
+ tevent_req_done(req);
+ return;
+ }
+
+ /*
+ * From this point we start changing state->cfg,
+ * which is &static_parent_idmap_config,
+ * so we better setup a cleanup function
+ * to undo the changes on failure.
+ */
+ tevent_req_set_cleanup_fn(req, wb_parent_idmap_setup_cleanup);
+
+ /*
+ * Put the passdb idmap domain first. We always need to try
+ * there first.
+ */
+ state->cfg->doms = talloc_zero_array(NULL,
+ struct wb_parent_idmap_config_dom,
+ 1);
+ if (tevent_req_nomem(state->cfg->doms, req)) {
+ return;
+ }
+ state->cfg->doms[0].low_id = 0;
+ state->cfg->doms[0].high_id = UINT_MAX;
+ state->cfg->doms[0].name = talloc_strdup(state->cfg->doms,
+ get_global_sam_name());
+ if (tevent_req_nomem(state->cfg->doms[0].name, req)) {
+ return;
+ }
+ state->cfg->num_doms += 1;
+
+ lp_scan_idmap_domains(wb_parent_idmap_setup_scan_config, req);
+ if (!tevent_req_is_in_progress(req)) {
+ return;
+ }
+
+ wb_parent_idmap_setup_lookupname_next(req);
+}
+
+static bool wb_parent_idmap_setup_scan_config(const char *domname,
+ void *private_data)
+{
+ struct tevent_req *req =
+ talloc_get_type_abort(private_data,
+ struct tevent_req);
+ struct wb_parent_idmap_setup_state *state =
+ tevent_req_data(req,
+ struct wb_parent_idmap_setup_state);
+ struct wb_parent_idmap_config_dom *map = NULL;
+ size_t i;
+ const char *range;
+ unsigned low_id, high_id;
+ int ret;
+
+ range = idmap_config_const_string(domname, "range", NULL);
+ if (range == NULL) {
+ DBG_DEBUG("No range for domain %s found\n", domname);
+ return false;
+ }
+
+ ret = sscanf(range, "%u - %u", &low_id, &high_id);
+ if (ret != 2) {
+ DBG_DEBUG("Invalid range spec \"%s\" for domain %s\n",
+ range, domname);
+ return false;
+ }
+
+ if (low_id > high_id) {
+ DBG_DEBUG("Invalid range %u - %u for domain %s\n",
+ low_id, high_id, domname);
+ return false;
+ }
+
+ for (i=0; i<state->cfg->num_doms; i++) {
+ if (strequal(domname, state->cfg->doms[i].name)) {
+ map = &state->cfg->doms[i];
+ break;
+ }
+ }
+
+ if (map == NULL) {
+ struct wb_parent_idmap_config_dom *tmp;
+ char *name;
+
+ name = talloc_strdup(state, domname);
+ if (name == NULL) {
+ DBG_ERR("talloc failed\n");
+ return false;
+ }
+
+ tmp = talloc_realloc(
+ NULL, state->cfg->doms, struct wb_parent_idmap_config_dom,
+ state->cfg->num_doms+1);
+ if (tmp == NULL) {
+ DBG_ERR("talloc failed\n");
+ return false;
+ }
+ state->cfg->doms = tmp;
+
+ map = &state->cfg->doms[state->cfg->num_doms];
+ state->cfg->num_doms += 1;
+ ZERO_STRUCTP(map);
+ map->name = talloc_move(state->cfg->doms, &name);
+ }
+
+ map->low_id = low_id;
+ map->high_id = high_id;
+
+ return false;
+}
+
+static void wb_parent_idmap_setup_lookupname_next(struct tevent_req *req)
+{
+ struct wb_parent_idmap_setup_state *state =
+ tevent_req_data(req,
+ struct wb_parent_idmap_setup_state);
+ struct wb_parent_idmap_config_dom *dom =
+ &state->cfg->doms[state->dom_idx];
+ struct tevent_req *subreq = NULL;
+
+ next_domain:
+ if (state->dom_idx == state->cfg->num_doms) {
+ /*
+ * We're done, so start the idmap child
+ */
+ setup_child(NULL, &static_idmap_child, "log.winbindd", "idmap");
+ tevent_req_done(req);
+ return;
+ }
+
+ if (strequal(dom->name, "*")) {
+ state->dom_idx++;
+ goto next_domain;
+ }
+
+ subreq = wb_lookupname_send(state,
+ state->ev,
+ dom->name,
+ dom->name,
+ "",
+ LOOKUP_NAME_NO_NSS);
+ if (tevent_req_nomem(subreq, req)) {
+ return;
+ }
+ tevent_req_set_callback(subreq,
+ wb_parent_idmap_setup_lookupname_done,
+ req);
+}
+
+static void wb_parent_idmap_setup_lookupname_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req =
+ tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct wb_parent_idmap_setup_state *state =
+ tevent_req_data(req,
+ struct wb_parent_idmap_setup_state);
+ struct wb_parent_idmap_config_dom *dom =
+ &state->cfg->doms[state->dom_idx];
+ enum lsa_SidType type;
+ NTSTATUS status;
+
+ status = wb_lookupname_recv(subreq, &dom->sid, &type);
+ TALLOC_FREE(subreq);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_ERR("Lookup domain name '%s' failed '%s'\n",
+ dom->name,
+ nt_errstr(status));
+
+ state->dom_idx++;
+ wb_parent_idmap_setup_lookupname_next(req);
+ return;
+ }
+
+ if (type != SID_NAME_DOMAIN) {
+ struct dom_sid_buf buf;
+
+ DBG_ERR("SID %s for idmap domain name '%s' "
+ "not a domain SID\n",
+ dom_sid_str_buf(&dom->sid, &buf),
+ dom->name);
+
+ ZERO_STRUCT(dom->sid);
+ }
+
+ state->dom_idx++;
+ wb_parent_idmap_setup_lookupname_next(req);
+
+ return;
+}
+
+NTSTATUS wb_parent_idmap_setup_recv(struct tevent_req *req,
+ const struct wb_parent_idmap_config **_cfg)
+{
+ const struct wb_parent_idmap_config *cfg = &static_parent_idmap_config;
+ NTSTATUS status;
+
+ *_cfg = NULL;
+
+ if (tevent_req_is_nterror(req, &status)) {
+ tevent_req_received(req);
+ return status;
+ }
+
+ /*
+ * Note state->cfg is already set to NULL by
+ * wb_parent_idmap_setup_cleanup()
+ */
+ *_cfg = cfg;
+ tevent_req_received(req);
+ return NT_STATUS_OK;
+}
diff --git a/source3/winbindd/winbindd_irpc.c b/source3/winbindd/winbindd_irpc.c
new file mode 100644
index 0000000..232772d
--- /dev/null
+++ b/source3/winbindd/winbindd_irpc.c
@@ -0,0 +1,891 @@
+/*
+ Unix SMB/CIFS implementation.
+ async implementation of commands submitted over IRPC
+ Copyright (C) Volker Lendecke 2009
+ Copyright (C) Guenther Deschner 2009
+ Copyright (C) Andrew Bartlett 2014
+ Copyright (C) Andrew Tridgell 2009
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "winbindd.h"
+#include "librpc/gen_ndr/ndr_winbind_c.h"
+#include "source4/lib/messaging/irpc.h"
+#include "librpc/gen_ndr/ndr_winbind.h"
+#include "librpc/gen_ndr/ndr_lsa.h"
+#include "librpc/gen_ndr/ndr_lsa_c.h"
+#include "libcli/security/dom_sid.h"
+#include "passdb/lookup_sid.h" /* only for LOOKUP_NAME_NO_NSS flag */
+#include "librpc/gen_ndr/ndr_irpc.h"
+#include "librpc/gen_ndr/ndr_netlogon.h"
+#include "lib/global_contexts.h"
+#include "lib/param/param.h"
+#include "messages.h"
+
+struct imessaging_context *winbind_imessaging_context(void)
+{
+ static struct imessaging_context *msg = NULL;
+ struct messaging_context *msg_ctx;
+ struct server_id myself;
+ struct loadparm_context *lp_ctx;
+
+ if (msg != NULL) {
+ return msg;
+ }
+
+ msg_ctx = global_messaging_context();
+ if (msg_ctx == NULL) {
+ smb_panic("global_messaging_context failed\n");
+ }
+ myself = messaging_server_id(msg_ctx);
+
+ lp_ctx = loadparm_init_s3(NULL, loadparm_s3_helpers());
+ if (lp_ctx == NULL) {
+ smb_panic("Could not load smb.conf to init winbindd's imessaging context.\n");
+ }
+
+ /*
+ * Note we MUST use the NULL context here, not the autofree context,
+ * to avoid side effects in forked children exiting.
+ */
+ msg = imessaging_init(NULL, lp_ctx, myself, global_event_context());
+ talloc_unlink(NULL, lp_ctx);
+
+ if (msg == NULL) {
+ smb_panic("Could not init winbindd's messaging context.\n");
+ }
+ return msg;
+}
+
+struct wb_irpc_forward_state {
+ struct irpc_message *msg;
+ const char *opname;
+ struct dcesrv_call_state *dce_call;
+};
+
+/*
+ called when the forwarded rpc request is finished
+ */
+static void wb_irpc_forward_callback(struct tevent_req *subreq)
+{
+ struct wb_irpc_forward_state *st =
+ tevent_req_callback_data(subreq,
+ struct wb_irpc_forward_state);
+ const char *opname = st->opname;
+ NTSTATUS status;
+
+ status = dcerpc_binding_handle_call_recv(subreq);
+ TALLOC_FREE(subreq);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0,("RPC callback failed for %s - %s\n",
+ opname, nt_errstr(status)));
+ irpc_send_reply(st->msg, status);
+ return;
+ }
+
+ irpc_send_reply(st->msg, status);
+}
+
+
+
+/**
+ * Forward a RPC call using IRPC to another task
+ */
+
+static NTSTATUS wb_irpc_forward_rpc_call(struct irpc_message *msg, TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ void *r, uint32_t callid,
+ const char *opname,
+ struct winbindd_domain *domain,
+ uint32_t timeout)
+{
+ struct wb_irpc_forward_state *st;
+ struct dcerpc_binding_handle *binding_handle;
+ struct tevent_req *subreq;
+
+ st = talloc(mem_ctx, struct wb_irpc_forward_state);
+ if (st == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ st->msg = msg;
+ st->opname = opname;
+
+ binding_handle = dom_child_handle(domain);
+ if (binding_handle == NULL) {
+ DEBUG(0,("%s: Failed to forward request to winbind handler for %s\n",
+ opname, domain->name));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ /* reset timeout for the handle */
+ dcerpc_binding_handle_set_timeout(binding_handle, timeout);
+
+ /* forward the call */
+ subreq = dcerpc_binding_handle_call_send(st, ev,
+ binding_handle,
+ NULL, &ndr_table_winbind,
+ callid,
+ msg, r);
+ if (subreq == NULL) {
+ DEBUG(0,("%s: Failed to forward request to winbind handler for %s\n",
+ opname, domain->name));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ /* mark the request as replied async */
+ msg->defer_reply = true;
+
+ /* setup the callback */
+ tevent_req_set_callback(subreq, wb_irpc_forward_callback, st);
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS wb_irpc_DsrUpdateReadOnlyServerDnsRecords(struct irpc_message *msg,
+ struct winbind_DsrUpdateReadOnlyServerDnsRecords *req)
+{
+ struct winbindd_domain *domain = find_our_domain();
+ if (domain == NULL) {
+ return NT_STATUS_NO_SUCH_DOMAIN;
+ }
+
+ DEBUG(5, ("wb_irpc_DsrUpdateReadOnlyServerDnsRecords called\n"));
+
+ return wb_irpc_forward_rpc_call(msg, msg,
+ global_event_context(),
+ req, NDR_WINBIND_DSRUPDATEREADONLYSERVERDNSRECORDS,
+ "winbind_DsrUpdateReadOnlyServerDnsRecords",
+ domain, IRPC_CALL_TIMEOUT);
+}
+
+static NTSTATUS wb_irpc_SamLogon(struct irpc_message *msg,
+ struct winbind_SamLogon *req)
+{
+ struct winbindd_domain *domain;
+ struct netr_IdentityInfo *identity_info;
+ const char *target_domain_name = NULL;
+ const char *account_name = NULL;
+
+ /*
+ * Make sure we start with authoritative=true,
+ * it will only set to false if we don't know the
+ * domain.
+ */
+ req->out.authoritative = true;
+
+ switch (req->in.logon_level) {
+ case NetlogonInteractiveInformation:
+ case NetlogonServiceInformation:
+ case NetlogonInteractiveTransitiveInformation:
+ case NetlogonServiceTransitiveInformation:
+ if (req->in.logon.password == NULL) {
+ return NT_STATUS_REQUEST_NOT_ACCEPTED;
+ }
+ identity_info = &req->in.logon.password->identity_info;
+ break;
+
+ case NetlogonNetworkInformation:
+ case NetlogonNetworkTransitiveInformation:
+ if (req->in.logon.network == NULL) {
+ return NT_STATUS_REQUEST_NOT_ACCEPTED;
+ }
+
+ identity_info = &req->in.logon.network->identity_info;
+ break;
+
+ case NetlogonGenericInformation:
+ if (req->in.logon.generic == NULL) {
+ return NT_STATUS_REQUEST_NOT_ACCEPTED;
+ }
+
+ identity_info = &req->in.logon.generic->identity_info;
+ break;
+
+ default:
+ return NT_STATUS_REQUEST_NOT_ACCEPTED;
+ }
+
+ target_domain_name = identity_info->domain_name.string;
+ if (target_domain_name == NULL) {
+ target_domain_name = "";
+ }
+
+ account_name = identity_info->account_name.string;
+ if (account_name == NULL) {
+ account_name = "";
+ }
+
+ if (IS_DC && target_domain_name[0] == '\0') {
+ const char *p = NULL;
+
+ p = strchr_m(account_name, '@');
+ if (p != NULL) {
+ target_domain_name = p + 1;
+ }
+ }
+
+ if (IS_DC && target_domain_name[0] == '\0') {
+ DBG_ERR("target_domain[%s] account[%s]\n",
+ target_domain_name, account_name);
+ return NT_STATUS_REQUEST_NOT_ACCEPTED;
+ }
+
+ domain = find_auth_domain(0, target_domain_name);
+ if (domain == NULL) {
+ DBG_INFO("target_domain[%s] for account[%s] not known\n",
+ target_domain_name, account_name);
+ req->out.result = NT_STATUS_NO_SUCH_USER;
+ req->out.authoritative = 0;
+ return NT_STATUS_OK;
+ }
+
+ DEBUG(5, ("wb_irpc_SamLogon called\n"));
+
+ return wb_irpc_forward_rpc_call(msg, msg,
+ global_event_context(),
+ req, NDR_WINBIND_SAMLOGON,
+ "winbind_SamLogon",
+ domain, IRPC_CALL_TIMEOUT);
+}
+
+static NTSTATUS wb_irpc_LogonControl(struct irpc_message *msg,
+ struct winbind_LogonControl *req)
+{
+ TALLOC_CTX *frame = talloc_stackframe();
+ char *domain_name = NULL;
+ struct winbindd_domain *domain = NULL;
+
+ DEBUG(5, ("wb_irpc_LogonControl called\n"));
+
+ switch (req->in.function_code) {
+ case NETLOGON_CONTROL_REDISCOVER:
+ case NETLOGON_CONTROL_TC_QUERY:
+ case NETLOGON_CONTROL_CHANGE_PASSWORD:
+ case NETLOGON_CONTROL_TC_VERIFY:
+ if (req->in.data->domain == NULL) {
+ TALLOC_FREE(frame);
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ domain_name = talloc_strdup(frame, req->in.data->domain);
+ if (domain_name == NULL) {
+ req->out.result = WERR_NOT_ENOUGH_MEMORY;
+ TALLOC_FREE(frame);
+ return NT_STATUS_OK;
+ }
+
+ break;
+ default:
+ TALLOC_FREE(frame);
+ return NT_STATUS_NOT_IMPLEMENTED;
+ }
+
+ if (req->in.function_code == NETLOGON_CONTROL_REDISCOVER) {
+ char *p = NULL;
+
+ /*
+ * NETLOGON_CONTROL_REDISCOVER
+ * get's an optional \dcname appended to the domain name
+ */
+ p = strchr_m(domain_name, '\\');
+ if (p != NULL) {
+ *p = '\0';
+ }
+ }
+
+ domain = find_domain_from_name_noinit(domain_name);
+ if (domain == NULL) {
+ req->out.result = WERR_NO_SUCH_DOMAIN;
+ TALLOC_FREE(frame);
+ return NT_STATUS_OK;
+ }
+
+ TALLOC_FREE(frame);
+ return wb_irpc_forward_rpc_call(msg, msg,
+ global_event_context(),
+ req, NDR_WINBIND_LOGONCONTROL,
+ "winbind_LogonControl",
+ domain, 45 /* timeout */);
+}
+
+static NTSTATUS wb_irpc_GetForestTrustInformation(struct irpc_message *msg,
+ struct winbind_GetForestTrustInformation *req)
+{
+ struct winbindd_domain *domain = NULL;
+
+ if (req->in.trusted_domain_name == NULL) {
+ req->out.result = WERR_NO_SUCH_DOMAIN;
+ return NT_STATUS_OK;
+ }
+
+ domain = find_trust_from_name_noinit(req->in.trusted_domain_name);
+ if (domain == NULL) {
+ req->out.result = WERR_NO_SUCH_DOMAIN;
+ return NT_STATUS_OK;
+ }
+
+ /*
+ * checking for domain->internal and domain->primary
+ * makes sure we only do some work when running as DC.
+ */
+
+ if (domain->internal) {
+ req->out.result = WERR_NO_SUCH_DOMAIN;
+ return NT_STATUS_OK;
+ }
+
+ if (domain->primary) {
+ req->out.result = WERR_NO_SUCH_DOMAIN;
+ return NT_STATUS_OK;
+ }
+
+ DEBUG(5, ("wb_irpc_GetForestTrustInformation called\n"));
+
+ return wb_irpc_forward_rpc_call(msg, msg,
+ global_event_context(),
+ req, NDR_WINBIND_GETFORESTTRUSTINFORMATION,
+ "winbind_GetForestTrustInformation",
+ domain, 45 /* timeout */);
+}
+
+static NTSTATUS wb_irpc_SendToSam(struct irpc_message *msg,
+ struct winbind_SendToSam *req)
+{
+ /* TODO make sure that it is RWDC */
+ struct winbindd_domain *domain = find_our_domain();
+ if (domain == NULL) {
+ return NT_STATUS_NO_SUCH_DOMAIN;
+ }
+
+ DEBUG(5, ("wb_irpc_SendToSam called\n"));
+
+ return wb_irpc_forward_rpc_call(msg, msg,
+ global_event_context(),
+ req, NDR_WINBIND_SENDTOSAM,
+ "winbind_SendToSam",
+ domain, IRPC_CALL_TIMEOUT);
+}
+
+struct wb_irpc_lsa_LookupSids3_state {
+ struct irpc_message *msg;
+ struct lsa_LookupSids3 *req;
+};
+
+static void wb_irpc_lsa_LookupSids3_done(struct tevent_req *subreq);
+
+static NTSTATUS wb_irpc_lsa_LookupSids3_call(struct irpc_message *msg,
+ struct lsa_LookupSids3 *req)
+{
+ struct wb_irpc_lsa_LookupSids3_state *state = NULL;
+ struct tevent_req *subreq = NULL;
+ struct dom_sid *sids = NULL;
+ uint32_t i;
+
+ state = talloc_zero(msg, struct wb_irpc_lsa_LookupSids3_state);
+ if (state == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ state->msg = msg;
+ state->req = req;
+
+ state->req->out.domains = talloc_zero(state->msg,
+ struct lsa_RefDomainList *);
+ if (state->req->out.domains == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ state->req->out.names = talloc_zero(state->msg,
+ struct lsa_TransNameArray2);
+ if (state->req->out.names == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ state->req->out.count = talloc_zero(state->msg, uint32_t);
+ if (state->req->out.count == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ state->req->out.names->names = talloc_zero_array(state->msg,
+ struct lsa_TranslatedName2,
+ req->in.sids->num_sids);
+ if (state->req->out.names->names == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ sids = talloc_zero_array(state, struct dom_sid,
+ req->in.sids->num_sids);
+ if (sids == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ for (i = 0; i < req->in.sids->num_sids; i++) {
+ if (req->in.sids->sids[i].sid == NULL) {
+ return NT_STATUS_REQUEST_NOT_ACCEPTED;
+ }
+
+ sids[i] = *req->in.sids->sids[i].sid;
+ }
+
+ subreq = wb_lookupsids_send(msg,
+ global_event_context(),
+ sids, req->in.sids->num_sids);
+ if (subreq == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ tevent_req_set_callback(subreq, wb_irpc_lsa_LookupSids3_done, state);
+ msg->defer_reply = true;
+
+ return NT_STATUS_OK;
+}
+
+static void wb_irpc_lsa_LookupSids3_done(struct tevent_req *subreq)
+{
+ struct wb_irpc_lsa_LookupSids3_state *state =
+ tevent_req_callback_data(subreq,
+ struct wb_irpc_lsa_LookupSids3_state);
+ struct lsa_RefDomainList *domains = NULL;
+ struct lsa_TransNameArray *names = NULL;
+ NTSTATUS status;
+ uint32_t i;
+
+ status = wb_lookupsids_recv(subreq, state->msg,
+ &domains, &names);
+ TALLOC_FREE(subreq);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0,("RPC callback failed for %s - %s\n",
+ __func__, nt_errstr(status)));
+ irpc_send_reply(state->msg, status);
+ return;
+ }
+
+ if (names->count > state->req->in.sids->num_sids) {
+ status = NT_STATUS_INTERNAL_ERROR;
+ DEBUG(0,("RPC callback failed for %s - %s\n",
+ __func__, nt_errstr(status)));
+ irpc_send_reply(state->msg, status);
+ return;
+ }
+
+ *state->req->out.domains = domains;
+ for (i = 0; i < names->count; i++) {
+ struct lsa_TranslatedName2 *n2 =
+ &state->req->out.names->names[i];
+
+ n2->sid_type = names->names[i].sid_type;
+ n2->name = names->names[i].name;
+ n2->sid_index = names->names[i].sid_index;
+ n2->unknown = 0;
+
+ if (n2->sid_type != SID_NAME_UNKNOWN) {
+ (*state->req->out.count)++;
+ }
+ }
+ state->req->out.names->count = names->count;
+
+ if (*state->req->out.count == 0) {
+ state->req->out.result = NT_STATUS_NONE_MAPPED;
+ } else if (*state->req->out.count != names->count) {
+ state->req->out.result = NT_STATUS_SOME_NOT_MAPPED;
+ } else {
+ state->req->out.result = NT_STATUS_OK;
+ }
+
+ irpc_send_reply(state->msg, NT_STATUS_OK);
+ return;
+}
+
+struct wb_irpc_lsa_LookupNames4_name {
+ void *state;
+ uint32_t idx;
+ const char *namespace;
+ const char *domain;
+ char *name;
+ struct dom_sid sid;
+ enum lsa_SidType type;
+ struct dom_sid *authority_sid;
+};
+
+struct wb_irpc_lsa_LookupNames4_state {
+ struct irpc_message *msg;
+ struct lsa_LookupNames4 *req;
+ struct wb_irpc_lsa_LookupNames4_name *names;
+ uint32_t num_pending;
+ uint32_t num_domain_sids;
+ struct dom_sid *domain_sids;
+};
+
+static void wb_irpc_lsa_LookupNames4_done(struct tevent_req *subreq);
+
+static NTSTATUS wb_irpc_lsa_LookupNames4_call(struct irpc_message *msg,
+ struct lsa_LookupNames4 *req)
+{
+ struct wb_irpc_lsa_LookupNames4_state *state = NULL;
+ struct tevent_req *subreq = NULL;
+ uint32_t i;
+
+
+ state = talloc_zero(msg, struct wb_irpc_lsa_LookupNames4_state);
+ if (state == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ state->msg = msg;
+ state->req = req;
+
+ state->req->out.domains = talloc_zero(state->msg,
+ struct lsa_RefDomainList *);
+ if (state->req->out.domains == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ state->req->out.sids = talloc_zero(state->msg,
+ struct lsa_TransSidArray3);
+ if (state->req->out.sids == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ state->req->out.count = talloc_zero(state->msg, uint32_t);
+ if (state->req->out.count == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ state->req->out.sids->sids = talloc_zero_array(state->msg,
+ struct lsa_TranslatedSid3,
+ req->in.num_names);
+ if (state->req->out.sids->sids == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ state->names = talloc_zero_array(state,
+ struct wb_irpc_lsa_LookupNames4_name,
+ req->in.num_names);
+ if (state->names == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ for (i = 0; i < req->in.num_names; i++) {
+ struct wb_irpc_lsa_LookupNames4_name *nstate =
+ &state->names[i];
+ char *p = NULL;
+
+ if (req->in.names[i].string == NULL) {
+ DBG_ERR("%s: name[%s] NT_STATUS_REQUEST_NOT_ACCEPTED.\n",
+ __location__, req->in.names[i].string);
+ return NT_STATUS_REQUEST_NOT_ACCEPTED;
+ }
+ nstate->state = state;
+ nstate->idx = i;
+ nstate->name = talloc_strdup(state->names,
+ req->in.names[i].string);
+ if (nstate->name == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ nstate->type = SID_NAME_UNKNOWN;
+
+ /* cope with the name being a fully qualified name */
+ p = strchr(nstate->name, '\\');
+ if (p != NULL) {
+ *p = 0;
+ nstate->domain = nstate->name;
+ nstate->namespace = nstate->domain;
+ nstate->name = p+1;
+ } else if ((p = strchr(nstate->name, '@')) != NULL) {
+ /* upn */
+ nstate->domain = "";
+ nstate->namespace = p + 1;
+ } else {
+ /*
+ * TODO: select the domain based on
+ * req->in.level and req->in.client_revision
+ *
+ * For now we don't allow this.
+ */
+ DBG_ERR("%s: name[%s] NT_STATUS_REQUEST_NOT_ACCEPTED.\n",
+ __location__, nstate->name);
+ return NT_STATUS_REQUEST_NOT_ACCEPTED;
+ }
+
+ subreq = wb_lookupname_send(msg,
+ global_event_context(),
+ nstate->namespace,
+ nstate->domain,
+ nstate->name,
+ LOOKUP_NAME_NO_NSS);
+ if (subreq == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ tevent_req_set_callback(subreq,
+ wb_irpc_lsa_LookupNames4_done,
+ nstate);
+ state->num_pending++;
+ }
+
+ msg->defer_reply = true;
+
+ return NT_STATUS_OK;
+}
+
+static void wb_irpc_lsa_LookupNames4_domains_done(struct tevent_req *subreq);
+
+static void wb_irpc_lsa_LookupNames4_done(struct tevent_req *subreq)
+{
+ struct wb_irpc_lsa_LookupNames4_name *nstate =
+ (struct wb_irpc_lsa_LookupNames4_name *)
+ tevent_req_callback_data_void(subreq);
+ struct wb_irpc_lsa_LookupNames4_state *state =
+ talloc_get_type_abort(nstate->state,
+ struct wb_irpc_lsa_LookupNames4_state);
+ struct dom_sid_buf buf;
+ NTSTATUS status;
+
+ SMB_ASSERT(state->num_pending > 0);
+ state->num_pending--;
+ status = wb_lookupname_recv(subreq, &nstate->sid, &nstate->type);
+ TALLOC_FREE(subreq);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0,("RPC callback failed for %s - %s\n",
+ __func__, nt_errstr(status)));
+ irpc_send_reply(state->msg, status);
+ return;
+ }
+
+ status = dom_sid_split_rid(state, &nstate->sid,
+ &nstate->authority_sid, NULL);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_ERR("dom_sid_split_rid(%s) failed - %s\n",
+ dom_sid_str_buf(&nstate->sid, &buf),
+ nt_errstr(status));
+ irpc_send_reply(state->msg, status);
+ return;
+ }
+
+ status = add_sid_to_array_unique(state,
+ nstate->authority_sid,
+ &state->domain_sids,
+ &state->num_domain_sids);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_ERR("add_sid_to_array_unique(%s) failed - %s\n",
+ dom_sid_str_buf(nstate->authority_sid, &buf),
+ nt_errstr(status));
+ irpc_send_reply(state->msg, status);
+ return;
+ }
+
+ if (state->num_pending > 0) {
+ /*
+ * wait for more...
+ */
+ return;
+ }
+
+ /*
+ * Now resolve all domains back to a name
+ * to get a good lsa_RefDomainList
+ */
+ subreq = wb_lookupsids_send(state,
+ global_event_context(),
+ state->domain_sids,
+ state->num_domain_sids);
+ if (subreq == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ DBG_ERR("wb_lookupsids_send - %s\n",
+ nt_errstr(status));
+ irpc_send_reply(state->msg, status);
+ return;
+ }
+ tevent_req_set_callback(subreq,
+ wb_irpc_lsa_LookupNames4_domains_done,
+ state);
+
+ return;
+}
+
+static void wb_irpc_lsa_LookupNames4_domains_done(struct tevent_req *subreq)
+{
+ struct wb_irpc_lsa_LookupNames4_state *state =
+ tevent_req_callback_data(subreq,
+ struct wb_irpc_lsa_LookupNames4_state);
+ struct lsa_RefDomainList *domains = NULL;
+ struct lsa_TransNameArray *names = NULL;
+ NTSTATUS status;
+ uint32_t i;
+
+ status = wb_lookupsids_recv(subreq, state->msg,
+ &domains, &names);
+ TALLOC_FREE(subreq);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0,("RPC callback failed for %s - %s\n",
+ __func__, nt_errstr(status)));
+ irpc_send_reply(state->msg, status);
+ return;
+ }
+
+ *state->req->out.domains = domains;
+ for (i = 0; i < state->req->in.num_names; i++) {
+ struct wb_irpc_lsa_LookupNames4_name *nstate =
+ &state->names[i];
+ struct lsa_TranslatedSid3 *s3 =
+ &state->req->out.sids->sids[i];
+ uint32_t di;
+
+ s3->sid_type = nstate->type;
+ if (s3->sid_type != SID_NAME_UNKNOWN) {
+ s3->sid = &nstate->sid;
+ } else {
+ s3->sid = NULL;
+ }
+ s3->sid_index = UINT32_MAX;
+ for (di = 0; di < domains->count; di++) {
+ bool match;
+
+ if (domains->domains[di].sid == NULL) {
+ continue;
+ }
+
+ match = dom_sid_equal(nstate->authority_sid,
+ domains->domains[di].sid);
+ if (match) {
+ s3->sid_index = di;
+ break;
+ }
+ }
+ if (s3->sid_type != SID_NAME_UNKNOWN) {
+ (*state->req->out.count)++;
+ }
+ }
+ state->req->out.sids->count = state->req->in.num_names;
+
+ if (*state->req->out.count == 0) {
+ state->req->out.result = NT_STATUS_NONE_MAPPED;
+ } else if (*state->req->out.count != state->req->in.num_names) {
+ state->req->out.result = NT_STATUS_SOME_NOT_MAPPED;
+ } else {
+ state->req->out.result = NT_STATUS_OK;
+ }
+
+ irpc_send_reply(state->msg, NT_STATUS_OK);
+ return;
+}
+
+struct wb_irpc_GetDCName_state {
+ struct irpc_message *msg;
+ struct wbint_DsGetDcName *req;
+};
+
+static void wb_irpc_GetDCName_done(struct tevent_req *subreq);
+
+static NTSTATUS wb_irpc_GetDCName(struct irpc_message *msg,
+ struct wbint_DsGetDcName *req)
+{
+
+ struct tevent_req *subreq = NULL;
+ struct wb_irpc_GetDCName_state *state = NULL;
+
+ state = talloc_zero(msg, struct wb_irpc_GetDCName_state);
+ if (state == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ state->msg = msg;
+ state->req = req;
+
+ subreq = wb_dsgetdcname_send(msg,
+ global_event_context(),
+ req->in.domain_name,
+ req->in.domain_guid,
+ req->in.site_name,
+ req->in.flags);
+ if (subreq == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ tevent_req_set_callback(subreq,
+ wb_irpc_GetDCName_done,
+ state);
+
+ msg->defer_reply = true;
+
+ return NT_STATUS_OK;
+}
+
+static void wb_irpc_GetDCName_done(struct tevent_req *subreq)
+{
+ struct wb_irpc_GetDCName_state *state = tevent_req_callback_data(
+ subreq, struct wb_irpc_GetDCName_state);
+ NTSTATUS status;
+
+ status = wb_dsgetdcname_recv(subreq, state->msg,
+ state->req->out.dc_info);
+ TALLOC_FREE(subreq);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_INFO("RPC callback failed for %s - %s\n", "DSGETDCNAME",
+ nt_errstr(status));
+ }
+
+ state->req->out.result = status;
+
+ irpc_send_reply(state->msg, NT_STATUS_OK);
+}
+
+NTSTATUS wb_irpc_register(void)
+{
+ NTSTATUS status;
+
+ status = IRPC_REGISTER(winbind_imessaging_context(), winbind, WINBIND_DSRUPDATEREADONLYSERVERDNSRECORDS,
+ wb_irpc_DsrUpdateReadOnlyServerDnsRecords, NULL);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ status = IRPC_REGISTER(winbind_imessaging_context(), winbind, WINBIND_SAMLOGON,
+ wb_irpc_SamLogon, NULL);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ status = IRPC_REGISTER(winbind_imessaging_context(), winbind,
+ WINBIND_LOGONCONTROL,
+ wb_irpc_LogonControl, NULL);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ status = IRPC_REGISTER(winbind_imessaging_context(), winbind,
+ WINBIND_GETFORESTTRUSTINFORMATION,
+ wb_irpc_GetForestTrustInformation, NULL);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ status = IRPC_REGISTER(winbind_imessaging_context(), winbind, WINBIND_SENDTOSAM,
+ wb_irpc_SendToSam, NULL);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ status = IRPC_REGISTER(winbind_imessaging_context(),
+ lsarpc, LSA_LOOKUPSIDS3,
+ wb_irpc_lsa_LookupSids3_call, NULL);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ status = IRPC_REGISTER(winbind_imessaging_context(),
+ lsarpc, LSA_LOOKUPNAMES4,
+ wb_irpc_lsa_LookupNames4_call, NULL);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ status = IRPC_REGISTER(winbind_imessaging_context(),
+ winbind, WBINT_DSGETDCNAME,
+ wb_irpc_GetDCName, NULL);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ return NT_STATUS_OK;
+}
diff --git a/source3/winbindd/winbindd_list_groups.c b/source3/winbindd/winbindd_list_groups.c
new file mode 100644
index 0000000..272c638
--- /dev/null
+++ b/source3/winbindd/winbindd_list_groups.c
@@ -0,0 +1,233 @@
+/*
+ Unix SMB/CIFS implementation.
+ async implementation of WINBINDD_LIST_GROUPS
+ Copyright (C) Volker Lendecke 2009
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "util/debug.h"
+#include "winbindd.h"
+#include "librpc/gen_ndr/ndr_winbind_c.h"
+
+struct winbindd_list_groups_domstate {
+ struct tevent_req *subreq;
+ struct winbindd_domain *domain;
+ struct wbint_Principals groups;
+};
+
+struct winbindd_list_groups_state {
+ uint32_t num_received;
+ /* All domains */
+ uint32_t num_domains;
+ struct winbindd_list_groups_domstate *domains;
+};
+
+static void winbindd_list_groups_done(struct tevent_req *subreq);
+
+struct tevent_req *winbindd_list_groups_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request)
+{
+ struct tevent_req *req;
+ struct winbindd_list_groups_state *state;
+ struct winbindd_domain *domain;
+ uint32_t i;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct winbindd_list_groups_state);
+ if (req == NULL) {
+ return NULL;
+ }
+
+ D_NOTICE("[%s (%u)] Winbind external command LIST_GROUPS start.\n"
+ "WBFLAG_FROM_NSS is %s, winbind enum groups is %d.\n",
+ cli->client_name,
+ (unsigned int)cli->pid,
+ request->wb_flags & WBFLAG_FROM_NSS ? "Set" : "Unset",
+ lp_winbind_enum_groups());
+
+ if (request->wb_flags & WBFLAG_FROM_NSS && !lp_winbind_enum_groups()) {
+ tevent_req_done(req);
+ return tevent_req_post(req, ev);
+ }
+
+ /* Ensure null termination */
+ request->domain_name[sizeof(request->domain_name)-1]='\0';
+
+ if (request->domain_name[0] != '\0') {
+ state->num_domains = 1;
+ D_DEBUG("List groups for domain %s.\n", request->domain_name);
+ } else {
+ state->num_domains = 0;
+ for (domain = domain_list(); domain; domain = domain->next) {
+ state->num_domains += 1;
+ }
+ D_DEBUG("List groups for %"PRIu32" domain(s).\n", state->num_domains);
+ }
+
+ state->domains = talloc_array(state,
+ struct winbindd_list_groups_domstate,
+ state->num_domains);
+ if (tevent_req_nomem(state->domains, req)) {
+ return tevent_req_post(req, ev);
+ }
+
+ if (request->domain_name[0] != '\0') {
+ ZERO_STRUCT(state->domains[0].groups);
+
+ state->domains[0].domain = find_domain_from_name_noinit(
+ request->domain_name);
+ if (state->domains[0].domain == NULL) {
+ tevent_req_nterror(req, NT_STATUS_NO_SUCH_DOMAIN);
+ return tevent_req_post(req, ev);
+ }
+ } else {
+ i = 0;
+ for (domain = domain_list(); domain; domain = domain->next) {
+ ZERO_STRUCT(state->domains[i].groups);
+
+ state->domains[i].domain = domain;
+ i++;
+ }
+ }
+
+ for (i=0; i<state->num_domains; i++) {
+ struct winbindd_list_groups_domstate *d = &state->domains[i];
+
+ d->subreq = dcerpc_wbint_QueryGroupList_send(
+ state->domains, ev, dom_child_handle(d->domain),
+ &d->groups);
+ if (tevent_req_nomem(d->subreq, req)) {
+ TALLOC_FREE(state->domains);
+ return tevent_req_post(req, ev);
+ }
+ tevent_req_set_callback(d->subreq, winbindd_list_groups_done,
+ req);
+ }
+ state->num_received = 0;
+ return req;
+}
+
+static void winbindd_list_groups_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct winbindd_list_groups_state *state = tevent_req_data(
+ req, struct winbindd_list_groups_state);
+ NTSTATUS status, result;
+ uint32_t i;
+
+ status = dcerpc_wbint_QueryGroupList_recv(subreq, state->domains,
+ &result);
+
+ for (i=0; i<state->num_domains; i++) {
+ if (subreq == state->domains[i].subreq) {
+ break;
+ }
+ }
+ if (i < state->num_domains) {
+ struct winbindd_list_groups_domstate *d = &state->domains[i];
+
+ D_DEBUG("Domain %s returned %"PRIu32" groups\n", d->domain->name,
+ d->groups.num_principals);
+
+ d->subreq = NULL;
+
+ if (!NT_STATUS_IS_OK(status) || !NT_STATUS_IS_OK(result)) {
+ D_WARNING("list_groups for domain %s failed\n",
+ d->domain->name);
+ d->groups.num_principals = 0;
+ }
+ }
+
+ TALLOC_FREE(subreq);
+
+ state->num_received += 1;
+
+ if (state->num_received >= state->num_domains) {
+ tevent_req_done(req);
+ }
+}
+
+NTSTATUS winbindd_list_groups_recv(struct tevent_req *req,
+ struct winbindd_response *response)
+{
+ struct winbindd_list_groups_state *state = tevent_req_data(
+ req, struct winbindd_list_groups_state);
+ NTSTATUS status;
+ char *result;
+ uint32_t i, j, num_entries = 0;
+ size_t len;
+
+ D_NOTICE("Winbind external command LIST_GROUPS end.\n");
+ if (tevent_req_is_nterror(req, &status)) {
+ D_WARNING("Failed with %s.\n", nt_errstr(status));
+ return status;
+ }
+
+ len = 0;
+ response->data.num_entries = 0;
+ for (i=0; i<state->num_domains; i++) {
+ struct winbindd_list_groups_domstate *d = &state->domains[i];
+
+ for (j=0; j<d->groups.num_principals; j++) {
+ const char *name;
+ name = fill_domain_username_talloc(response, d->domain->name,
+ d->groups.principals[j].name,
+ True);
+ if (name == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ len += strlen(name)+1;
+ }
+ response->data.num_entries += d->groups.num_principals;
+ }
+
+ result = talloc_array(response, char, len+1);
+ if (result == 0) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ len = 0;
+ for (i=0; i<state->num_domains; i++) {
+ struct winbindd_list_groups_domstate *d = &state->domains[i];
+
+ for (j=0; j<d->groups.num_principals; j++) {
+ const char *name;
+ size_t this_len;
+ name = fill_domain_username_talloc(response, d->domain->name,
+ d->groups.principals[j].name,
+ True);
+ if (name == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ this_len = strlen(name);
+ memcpy(result+len, name, this_len);
+ len += this_len;
+ result[len] = ',';
+ len += 1;
+ num_entries++;
+ }
+ }
+ result[len-1] = '\0';
+
+ response->data.num_entries = num_entries;
+ response->extra_data.data = result;
+ response->length += len;
+
+ return NT_STATUS_OK;
+}
diff --git a/source3/winbindd/winbindd_list_users.c b/source3/winbindd/winbindd_list_users.c
new file mode 100644
index 0000000..7acc3f7
--- /dev/null
+++ b/source3/winbindd/winbindd_list_users.c
@@ -0,0 +1,210 @@
+/*
+ Unix SMB/CIFS implementation.
+ async implementation of WINBINDD_LIST_USERS
+ Copyright (C) Volker Lendecke 2009
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "winbindd.h"
+#include "librpc/gen_ndr/ndr_winbind_c.h"
+#include "lib/util/strv.h"
+
+struct winbindd_list_users_domstate {
+ struct tevent_req *subreq;
+ struct winbindd_domain *domain;
+ char *users;
+};
+
+struct winbindd_list_users_state {
+ size_t num_received;
+ /* All domains */
+ size_t num_domains;
+ struct winbindd_list_users_domstate *domains;
+};
+
+static void winbindd_list_users_done(struct tevent_req *subreq);
+
+struct tevent_req *winbindd_list_users_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request)
+{
+ struct tevent_req *req;
+ struct winbindd_list_users_state *state;
+ struct winbindd_domain *domain;
+ size_t i;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct winbindd_list_users_state);
+ if (req == NULL) {
+ return NULL;
+ }
+ D_NOTICE("[%s (%u)] Winbind external command LIST_USERS start.\n"
+ "WBFLAG_FROM_NSS is %s, winbind enum users is %d.\n",
+ cli->client_name,
+ (unsigned int)cli->pid,
+ request->wb_flags & WBFLAG_FROM_NSS ? "Set" : "Unset",
+ lp_winbind_enum_users());
+
+ if (request->wb_flags & WBFLAG_FROM_NSS && !lp_winbind_enum_users()) {
+ tevent_req_done(req);
+ return tevent_req_post(req, ev);
+ }
+
+ /* Ensure null termination */
+ request->domain_name[sizeof(request->domain_name)-1]='\0';
+
+ D_NOTICE("Listing users for domain %s\n", request->domain_name);
+ if (request->domain_name[0] != '\0') {
+ state->num_domains = 1;
+ } else {
+ state->num_domains = 0;
+ for (domain = domain_list(); domain; domain = domain->next) {
+ state->num_domains += 1;
+ }
+ }
+
+ state->domains = talloc_array(state,
+ struct winbindd_list_users_domstate,
+ state->num_domains);
+ if (tevent_req_nomem(state->domains, req)) {
+ return tevent_req_post(req, ev);
+ }
+
+ if (request->domain_name[0] != '\0') {
+ state->domains[0].domain = find_domain_from_name_noinit(
+ request->domain_name);
+ if (state->domains[0].domain == NULL) {
+ tevent_req_nterror(req, NT_STATUS_NO_SUCH_DOMAIN);
+ return tevent_req_post(req, ev);
+ }
+ } else {
+ i = 0;
+ for (domain = domain_list(); domain; domain = domain->next) {
+ state->domains[i++].domain = domain;
+ }
+ }
+
+ for (i=0; i<state->num_domains; i++) {
+ struct winbindd_list_users_domstate *d = &state->domains[i];
+
+ d->subreq = wb_query_user_list_send(
+ state->domains, ev, d->domain);
+ if (tevent_req_nomem(d->subreq, req)) {
+ TALLOC_FREE(state->domains);
+ return tevent_req_post(req, ev);
+ }
+ tevent_req_set_callback(d->subreq, winbindd_list_users_done,
+ req);
+ }
+ state->num_received = 0;
+ return req;
+}
+
+static void winbindd_list_users_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct winbindd_list_users_state *state = tevent_req_data(
+ req, struct winbindd_list_users_state);
+ struct winbindd_list_users_domstate *d;
+ NTSTATUS status;
+ size_t i;
+
+ for (i=0; i<state->num_domains; i++) {
+ if (subreq == state->domains[i].subreq) {
+ break;
+ }
+ }
+ if (i == state->num_domains) {
+ tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
+ return;
+ }
+
+ d = &state->domains[i];
+
+ status = wb_query_user_list_recv(subreq, state->domains,
+ &d->users);
+ TALLOC_FREE(subreq);
+ if (!NT_STATUS_IS_OK(status)) {
+ /*
+ * Just skip this domain
+ */
+ d->users = NULL;
+ }
+
+ state->num_received += 1;
+
+ if (state->num_received >= state->num_domains) {
+ tevent_req_done(req);
+ }
+}
+
+NTSTATUS winbindd_list_users_recv(struct tevent_req *req,
+ struct winbindd_response *response)
+{
+ struct winbindd_list_users_state *state = tevent_req_data(
+ req, struct winbindd_list_users_state);
+ NTSTATUS status;
+ char *result;
+ size_t i, len;
+
+ D_NOTICE("Winbind external command LIST_USERS end.\n");
+ if (tevent_req_is_nterror(req, &status)) {
+ D_WARNING("Failed with %s.\n", nt_errstr(status));
+ return status;
+ }
+
+ result = NULL;
+
+ for (i=0; i<state->num_domains; i++) {
+ struct winbindd_list_users_domstate *d = &state->domains[i];
+ int ret;
+
+ if (d->users == NULL) {
+ continue;
+ }
+
+ ret = strv_append(state, &result, d->users);
+ if (ret != 0) {
+ return map_nt_error_from_unix(ret);
+ }
+ }
+
+ len = talloc_get_size(result);
+
+ response->extra_data.data = talloc_steal(response, result);
+ response->length += len;
+ response->data.num_entries = 0;
+
+ if (result != NULL && len >= 1) {
+ len -= 1;
+ response->data.num_entries = 1;
+
+ for (i=0; i<len; i++) {
+ if (result[i] == '\0') {
+ result[i] = ',';
+ response->data.num_entries += 1;
+ }
+ }
+ }
+
+ D_NOTICE("Got %"PRIu32" user(s):\n%s\n",
+ response->data.num_entries,
+ result);
+
+ return NT_STATUS_OK;
+}
diff --git a/source3/winbindd/winbindd_locator.c b/source3/winbindd/winbindd_locator.c
new file mode 100644
index 0000000..653ee93
--- /dev/null
+++ b/source3/winbindd/winbindd_locator.c
@@ -0,0 +1,45 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ Winbind daemon - miscellaneous other functions
+
+ Copyright (C) Tim Potter 2000
+ Copyright (C) Andrew Bartlett 2002
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "winbindd.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_WINBIND
+
+
+static struct winbindd_child static_locator_child;
+
+struct winbindd_child *locator_child(void)
+{
+ return &static_locator_child;
+}
+
+struct dcerpc_binding_handle *locator_child_handle(void)
+{
+ return static_locator_child.binding_handle;
+}
+
+void init_locator_child(void)
+{
+ setup_child(NULL, &static_locator_child, "log.winbindd", "locator");
+}
diff --git a/source3/winbindd/winbindd_lookupname.c b/source3/winbindd/winbindd_lookupname.c
new file mode 100644
index 0000000..f7af104
--- /dev/null
+++ b/source3/winbindd/winbindd_lookupname.c
@@ -0,0 +1,130 @@
+/*
+ Unix SMB/CIFS implementation.
+ async implementation of WINBINDD_LOOKUPNAME
+ Copyright (C) Volker Lendecke 2009
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "winbindd.h"
+#include "libcli/security/dom_sid.h"
+
+struct winbindd_lookupname_state {
+ struct tevent_context *ev;
+ struct dom_sid sid;
+ enum lsa_SidType type;
+};
+
+static void winbindd_lookupname_done(struct tevent_req *subreq);
+
+struct tevent_req *winbindd_lookupname_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request)
+{
+ struct tevent_req *req, *subreq;
+ struct winbindd_lookupname_state *state;
+ char *p = NULL;
+ const char *domname = NULL;
+ const char *name = NULL;
+ const char *namespace = NULL;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct winbindd_lookupname_state);
+ if (req == NULL) {
+ return NULL;
+ }
+
+ D_NOTICE("[%s (%u)] Winbind external command LOOKUPNAME start.\n",
+ cli->client_name,
+ (unsigned int)cli->pid);
+
+ state->ev = ev;
+
+ /* Ensure null termination */
+ request->data.name.dom_name[
+ sizeof(request->data.name.dom_name)-1]='\0';
+ request->data.name.name[sizeof(request->data.name.name)-1]='\0';
+
+ if (strlen(request->data.name.dom_name) == 0) {
+ /* cope with the name being a fully qualified name */
+ p = strstr(request->data.name.name, lp_winbind_separator());
+ if (p != NULL) {
+ *p = '\0';
+ domname = request->data.name.name;
+ namespace = domname;
+ name = p + 1;
+ } else {
+ p = strchr(request->data.name.name, '@');
+ if (p != NULL) {
+ /* upn */
+ namespace = p + 1;
+ } else {
+ namespace = "";
+ }
+ domname = "";
+ name = request->data.name.name;
+ }
+ } else {
+ domname = request->data.name.dom_name;
+ namespace = domname;
+ name = request->data.name.name;
+ }
+
+ D_NOTICE("lookupname %s%s%s\n", domname, lp_winbind_separator(), name);
+
+ subreq = wb_lookupname_send(state, ev, namespace, domname, name, 0);
+ if (tevent_req_nomem(subreq, req)) {
+ return tevent_req_post(req, ev);
+ }
+ tevent_req_set_callback(subreq, winbindd_lookupname_done, req);
+ return req;
+}
+
+static void winbindd_lookupname_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct winbindd_lookupname_state *state = tevent_req_data(
+ req, struct winbindd_lookupname_state);
+ NTSTATUS status;
+
+ status = wb_lookupname_recv(subreq, &state->sid, &state->type);
+ TALLOC_FREE(subreq);
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
+ tevent_req_done(req);
+}
+
+NTSTATUS winbindd_lookupname_recv(struct tevent_req *req,
+ struct winbindd_response *response)
+{
+ struct winbindd_lookupname_state *state = tevent_req_data(
+ req, struct winbindd_lookupname_state);
+ NTSTATUS status;
+
+ D_NOTICE("Winbind external command LOOKUPNAME end.\n");
+ if (tevent_req_is_nterror(req, &status)) {
+ struct dom_sid_buf buf;
+ D_WARNING("Could not convert SID %s, error is %s\n",
+ dom_sid_str_buf(&state->sid, &buf),
+ nt_errstr(status));
+ return status;
+ }
+ sid_to_fstring(response->data.sid.sid, &state->sid);
+ response->data.sid.type = state->type;
+ return NT_STATUS_OK;
+}
diff --git a/source3/winbindd/winbindd_lookuprids.c b/source3/winbindd/winbindd_lookuprids.c
new file mode 100644
index 0000000..fc8fa46
--- /dev/null
+++ b/source3/winbindd/winbindd_lookuprids.c
@@ -0,0 +1,200 @@
+/*
+ Unix SMB/CIFS implementation.
+ async implementation of WINBINDD_LOOKUPRIDS
+ Copyright (C) Volker Lendecke 2009
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "winbindd.h"
+#include "librpc/gen_ndr/ndr_winbind_c.h"
+#include "../libcli/security/security.h"
+#include "lib/util/smb_strtox.h"
+#include "lib/util/string_wrappers.h"
+
+struct winbindd_lookuprids_state {
+ struct tevent_context *ev;
+ struct dom_sid domain_sid;
+ const char *domain_name;
+ struct wbint_RidArray rids;
+ struct wbint_Principals names;
+};
+
+static bool parse_ridlist(TALLOC_CTX *mem_ctx, char *ridstr,
+ uint32_t **prids, uint32_t *pnum_rids);
+
+static void winbindd_lookuprids_done(struct tevent_req *subreq);
+
+struct tevent_req *winbindd_lookuprids_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request)
+{
+ struct tevent_req *req, *subreq;
+ struct winbindd_lookuprids_state *state;
+ struct winbindd_domain *domain;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct winbindd_lookuprids_state);
+ if (req == NULL) {
+ return NULL;
+ }
+ state->ev = ev;
+
+ /* Ensure null termination */
+ request->data.sid[sizeof(request->data.sid)-1]='\0';
+
+ DEBUG(3, ("lookuprids (%s)\n", request->data.sid));
+
+ if (!string_to_sid(&state->domain_sid, request->data.sid)) {
+ DEBUG(5, ("%s not a SID\n", request->data.sid));
+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ return tevent_req_post(req, ev);
+ }
+
+ domain = find_lookup_domain_from_sid(&state->domain_sid);
+ if (domain == NULL) {
+ struct dom_sid_buf buf;
+ DEBUG(5, ("Domain for sid %s not found\n",
+ dom_sid_str_buf(&state->domain_sid, &buf)));
+ tevent_req_nterror(req, NT_STATUS_NO_SUCH_DOMAIN);
+ return tevent_req_post(req, ev);
+ }
+
+ if (request->extra_data.data[request->extra_len-1] != '\0') {
+ DEBUG(5, ("extra_data not 0-terminated\n"));
+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ return tevent_req_post(req, ev);
+ }
+
+ if (!parse_ridlist(state, request->extra_data.data,
+ &state->rids.rids, &state->rids.num_rids)) {
+ DEBUG(5, ("parse_ridlist failed\n"));
+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ return tevent_req_post(req, ev);
+ }
+
+ subreq = dcerpc_wbint_LookupRids_send(
+ state, ev, dom_child_handle(domain), &state->domain_sid,
+ &state->rids, &state->domain_name, &state->names);
+ if (tevent_req_nomem(subreq, req)) {
+ return tevent_req_post(req, ev);
+ }
+ tevent_req_set_callback(subreq, winbindd_lookuprids_done, req);
+ return req;
+}
+
+static void winbindd_lookuprids_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct winbindd_lookuprids_state *state = tevent_req_data(
+ req, struct winbindd_lookuprids_state);
+ NTSTATUS status, result;
+
+ status = dcerpc_wbint_LookupRids_recv(subreq, state, &result);
+ TALLOC_FREE(subreq);
+ if (any_nt_status_not_ok(status, result, &status)) {
+ tevent_req_nterror(req, status);
+ return;
+ }
+ tevent_req_done(req);
+}
+
+NTSTATUS winbindd_lookuprids_recv(struct tevent_req *req,
+ struct winbindd_response *response)
+{
+ struct winbindd_lookuprids_state *state = tevent_req_data(
+ req, struct winbindd_lookuprids_state);
+ NTSTATUS status;
+ char *result;
+ uint32_t i;
+
+ if (tevent_req_is_nterror(req, &status)) {
+ DEBUG(5, ("Lookuprids failed: %s\n",nt_errstr(status)));
+ return status;
+ }
+
+ result = talloc_strdup(response, "");
+ if (result == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ for (i=0; i<state->names.num_principals; i++) {
+ struct wbint_Principal *p = &state->names.principals[i];
+
+ result = talloc_asprintf_append_buffer(
+ result, "%d %s\n", (int)p->type, p->name);
+ if (result == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
+
+ fstrcpy(response->data.domain_name, state->domain_name);
+ response->extra_data.data = result;
+ response->length += talloc_get_size(result);
+ return NT_STATUS_OK;
+}
+
+static bool parse_ridlist(TALLOC_CTX *mem_ctx, char *ridstr,
+ uint32_t **prids, uint32_t *pnum_rids)
+{
+ uint32_t i, num_rids;
+ uint32_t *rids;
+ char *p;
+
+ if (ridstr == NULL) {
+ return false;
+ }
+
+ p = ridstr;
+ num_rids = 0;
+
+ /* count rids */
+
+ while ((p = strchr(p, '\n')) != NULL) {
+ p += 1;
+ num_rids += 1;
+ }
+
+ if (num_rids == 0) {
+ *pnum_rids = 0;
+ *prids = NULL;
+ return true;
+ }
+
+ rids = talloc_array(mem_ctx, uint32_t, num_rids);
+ if (rids == NULL) {
+ return false;
+ }
+
+ p = ridstr;
+
+ for (i=0; i<num_rids; i++) {
+ char *q;
+ int error = 0;
+
+ rids[i] = smb_strtoul(p, &q, 10, &error, SMB_STR_STANDARD);
+ if (error != 0 || *q != '\n') {
+ DEBUG(0, ("Got invalid ridstr: %s\n", p));
+ return false;
+ }
+ p = q+1;
+ }
+
+ *pnum_rids = num_rids;
+ *prids = rids;
+ return true;
+}
diff --git a/source3/winbindd/winbindd_lookupsid.c b/source3/winbindd/winbindd_lookupsid.c
new file mode 100644
index 0000000..e20966b
--- /dev/null
+++ b/source3/winbindd/winbindd_lookupsid.c
@@ -0,0 +1,104 @@
+/*
+ Unix SMB/CIFS implementation.
+ async implementation of WINBINDD_LOOKUPSID
+ Copyright (C) Volker Lendecke 2009
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "winbindd.h"
+#include "../libcli/security/security.h"
+#include "lib/util/string_wrappers.h"
+
+struct winbindd_lookupsid_state {
+ struct dom_sid sid;
+ enum lsa_SidType type;
+ const char *domname;
+ const char *name;
+};
+
+static void winbindd_lookupsid_done(struct tevent_req *subreq);
+
+struct tevent_req *winbindd_lookupsid_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request)
+{
+ struct tevent_req *req, *subreq;
+ struct winbindd_lookupsid_state *state;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct winbindd_lookupsid_state);
+ if (req == NULL) {
+ return NULL;
+ }
+
+ /* Ensure null termination */
+ request->data.sid[sizeof(request->data.sid)-1]='\0';
+
+ DEBUG(3, ("lookupsid %s\n", request->data.sid));
+
+ if (!string_to_sid(&state->sid, request->data.sid)) {
+ DEBUG(5, ("%s not a SID\n", request->data.sid));
+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ return tevent_req_post(req, ev);
+ }
+
+ subreq = wb_lookupsid_send(state, ev, &state->sid);
+ if (tevent_req_nomem(subreq, req)) {
+ return tevent_req_post(req, ev);
+ }
+ tevent_req_set_callback(subreq, winbindd_lookupsid_done, req);
+ return req;
+}
+
+static void winbindd_lookupsid_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct winbindd_lookupsid_state *state = tevent_req_data(
+ req, struct winbindd_lookupsid_state);
+ NTSTATUS status;
+
+ status = wb_lookupsid_recv(subreq, state, &state->type,
+ &state->domname, &state->name);
+ TALLOC_FREE(subreq);
+ if (!NT_STATUS_IS_OK(status)) {
+ tevent_req_nterror(req, status);
+ return;
+ }
+ tevent_req_done(req);
+}
+
+NTSTATUS winbindd_lookupsid_recv(struct tevent_req *req,
+ struct winbindd_response *response)
+{
+ struct winbindd_lookupsid_state *state = tevent_req_data(
+ req, struct winbindd_lookupsid_state);
+ NTSTATUS status;
+
+ if (tevent_req_is_nterror(req, &status)) {
+ struct dom_sid_buf buf;
+ DEBUG(5, ("Could not lookup sid %s: %s\n",
+ dom_sid_str_buf(&state->sid, &buf),
+ nt_errstr(status)));
+ return status;
+ }
+
+ fstrcpy(response->data.name.dom_name, state->domname);
+ fstrcpy(response->data.name.name, state->name);
+ response->data.name.type = state->type;
+ return NT_STATUS_OK;
+}
diff --git a/source3/winbindd/winbindd_lookupsids.c b/source3/winbindd/winbindd_lookupsids.c
new file mode 100644
index 0000000..a289fd8
--- /dev/null
+++ b/source3/winbindd/winbindd_lookupsids.c
@@ -0,0 +1,144 @@
+/*
+ Unix SMB/CIFS implementation.
+ async implementation of WINBINDD_LOOKUPSIDS
+ Copyright (C) Volker Lendecke 2011
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "winbindd.h"
+#include "../libcli/security/security.h"
+
+struct winbindd_lookupsids_state {
+ struct dom_sid *sids;
+ uint32_t num_sids;
+ struct lsa_RefDomainList *domains;
+ struct lsa_TransNameArray *names;
+};
+
+static void winbindd_lookupsids_done(struct tevent_req *subreq);
+
+struct tevent_req *winbindd_lookupsids_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request)
+{
+ struct tevent_req *req, *subreq;
+ struct winbindd_lookupsids_state *state;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct winbindd_lookupsids_state);
+ if (req == NULL) {
+ return NULL;
+ }
+
+ DEBUG(3, ("lookupsids\n"));
+
+ if (request->extra_len == 0) {
+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ return tevent_req_post(req, ev);
+ }
+ if (request->extra_data.data[request->extra_len-1] != '\0') {
+ DEBUG(10, ("Got invalid sids list\n"));
+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ return tevent_req_post(req, ev);
+ }
+ if (!parse_sidlist(state, request->extra_data.data,
+ &state->sids, &state->num_sids)) {
+ DEBUG(10, ("parse_sidlist failed\n"));
+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ return tevent_req_post(req, ev);
+ }
+ subreq = wb_lookupsids_send(state, ev, state->sids, state->num_sids);
+ if (tevent_req_nomem(subreq, req)) {
+ return tevent_req_post(req, ev);
+ }
+ tevent_req_set_callback(subreq, winbindd_lookupsids_done, req);
+ return req;
+}
+
+static void winbindd_lookupsids_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct winbindd_lookupsids_state *state = tevent_req_data(
+ req, struct winbindd_lookupsids_state);
+ NTSTATUS status;
+
+ status = wb_lookupsids_recv(subreq, state, &state->domains,
+ &state->names);
+ TALLOC_FREE(subreq);
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
+ tevent_req_done(req);
+}
+
+NTSTATUS winbindd_lookupsids_recv(struct tevent_req *req,
+ struct winbindd_response *response)
+{
+ struct winbindd_lookupsids_state *state = tevent_req_data(
+ req, struct winbindd_lookupsids_state);
+ NTSTATUS status;
+ char *result;
+ uint32_t i;
+
+ if (tevent_req_is_nterror(req, &status)) {
+ DEBUG(5, ("wb_lookupsids failed: %s\n", nt_errstr(status)));
+ return status;
+ }
+
+ result = talloc_asprintf(response, "%d\n", (int)state->domains->count);
+ if (result == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ for (i=0; i<state->domains->count; i++) {
+ struct dom_sid_buf sid_str;
+
+ result = talloc_asprintf_append_buffer(
+ result, "%s %s\n",
+ dom_sid_str_buf(state->domains->domains[i].sid,
+ &sid_str),
+ state->domains->domains[i].name.string);
+ if (result == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
+
+ result = talloc_asprintf_append_buffer(
+ result, "%d\n", (int)state->names->count);
+ if (result == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ for (i=0; i<state->names->count; i++) {
+ struct lsa_TranslatedName *name;
+
+ name = &state->names->names[i];
+
+ result = talloc_asprintf_append_buffer(
+ result, "%d %d %s\n",
+ (int)name->sid_index, (int)name->sid_type,
+ name->name.string);
+ if (result == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
+
+ response->extra_data.data = result;
+ response->length += talloc_get_size(result);
+ return NT_STATUS_OK;
+}
diff --git a/source3/winbindd/winbindd_misc.c b/source3/winbindd/winbindd_misc.c
new file mode 100644
index 0000000..3155a22
--- /dev/null
+++ b/source3/winbindd/winbindd_misc.c
@@ -0,0 +1,477 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ Winbind daemon - miscellaneous other functions
+
+ Copyright (C) Tim Potter 2000
+ Copyright (C) Andrew Bartlett 2002
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "winbindd.h"
+#include "libcli/security/dom_sid.h"
+#include "lib/util/string_wrappers.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_WINBIND
+
+static char *get_trust_type_string(TALLOC_CTX *mem_ctx,
+ struct winbindd_tdc_domain *tdc,
+ struct winbindd_domain *domain)
+{
+ enum netr_SchannelType secure_channel_type = SEC_CHAN_NULL;
+ char *s = NULL;
+
+ if (domain != NULL) {
+ secure_channel_type = domain->secure_channel_type;
+ }
+
+ switch (secure_channel_type) {
+ case SEC_CHAN_NULL: {
+ if (domain == NULL) {
+ DBG_ERR("Missing domain [%s]\n",
+ tdc->domain_name);
+ return NULL;
+ }
+ if (domain->routing_domain == NULL) {
+ DBG_ERR("Missing routing for domain [%s]\n",
+ tdc->domain_name);
+ return NULL;
+ }
+ s = talloc_asprintf(mem_ctx, "Routed (via %s)",
+ domain->routing_domain->name);
+ if (s == NULL) {
+ return NULL;
+ }
+ break;
+ }
+
+ case SEC_CHAN_LOCAL:
+ s = talloc_strdup(mem_ctx, "Local");
+ if (s == NULL) {
+ return NULL;
+ }
+ break;
+
+ case SEC_CHAN_WKSTA:
+ s = talloc_strdup(mem_ctx, "Workstation");
+ if (s == NULL) {
+ return NULL;
+ }
+ break;
+
+ case SEC_CHAN_BDC: {
+ int role = lp_server_role();
+
+ if (role == ROLE_DOMAIN_PDC || role == ROLE_IPA_DC) {
+ s = talloc_strdup(mem_ctx, "PDC");
+ if (s == NULL) {
+ return NULL;
+ }
+ break;
+ }
+
+ if (role == ROLE_DOMAIN_BDC) {
+ s = talloc_strdup(mem_ctx, "BDC");
+ if (s == NULL) {
+ return NULL;
+ }
+ break;
+ }
+
+ s = talloc_strdup(mem_ctx, "RWDC");
+ if (s == NULL) {
+ return NULL;
+ }
+ break;
+ }
+
+ case SEC_CHAN_RODC:
+ s = talloc_strdup(mem_ctx, "RODC");
+ if (s == NULL) {
+ return NULL;
+ }
+ break;
+
+ case SEC_CHAN_DNS_DOMAIN:
+ if (tdc->trust_attribs & LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) {
+ s = talloc_strdup(mem_ctx, "External");
+ if (s == NULL) {
+ return NULL;
+ }
+ break;
+ }
+ if (tdc->trust_attribs & LSA_TRUST_ATTRIBUTE_WITHIN_FOREST) {
+ s = talloc_strdup(mem_ctx, "In Forest");
+ if (s == NULL) {
+ return NULL;
+ }
+ break;
+ }
+ if (tdc->trust_attribs & LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL) {
+ s = talloc_strdup(mem_ctx, "External");
+ if (s == NULL) {
+ return NULL;
+ }
+ break;
+ }
+ if (tdc->trust_attribs & LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) {
+ s = talloc_strdup(mem_ctx, "Forest");
+ if (s == NULL) {
+ return NULL;
+ }
+ break;
+ }
+ s = talloc_strdup(mem_ctx, "External");
+ if (s == NULL) {
+ return NULL;
+ }
+ break;
+
+ case SEC_CHAN_DOMAIN:
+ s = talloc_strdup(mem_ctx, "External");
+ if (s == NULL) {
+ return NULL;
+ }
+ break;
+
+ default:
+ DBG_ERR("Unhandled secure_channel_type %d for domain[%s]\n",
+ secure_channel_type, tdc->domain_name);
+ return NULL;
+ }
+
+ return s;
+}
+
+static bool trust_is_inbound(struct winbindd_tdc_domain *domain)
+{
+ if (domain->trust_flags & NETR_TRUST_FLAG_INBOUND) {
+ return true;
+ }
+ return false;
+}
+
+static bool trust_is_outbound(struct winbindd_tdc_domain *domain)
+{
+ if (domain->trust_flags & NETR_TRUST_FLAG_OUTBOUND) {
+ return true;
+ }
+ return false;
+}
+
+static bool trust_is_transitive(struct winbindd_tdc_domain *domain)
+{
+ bool transitive = false;
+
+ /*
+ * Beware: order matters
+ */
+
+ if (domain->trust_attribs & LSA_TRUST_ATTRIBUTE_WITHIN_FOREST) {
+ transitive = true;
+ }
+
+ if (domain->trust_attribs & LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) {
+ transitive = true;
+ }
+
+ if (domain->trust_attribs & LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE) {
+ transitive = false;
+ }
+
+ if (domain->trust_attribs & LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) {
+ transitive = false;
+ }
+
+ if (domain->trust_flags & NETR_TRUST_FLAG_PRIMARY) {
+ transitive = true;
+ }
+
+ return transitive;
+}
+
+bool winbindd_list_trusted_domains(struct winbindd_cli_state *state)
+{
+ struct winbindd_tdc_domain *dom_list = NULL;
+ size_t num_domains = 0;
+ int extra_data_len = 0;
+ char *extra_data = NULL;
+ size_t i = 0;
+ bool ret = false;
+
+ DBG_NOTICE("[%s (%u)]: list trusted domains\n",
+ state->client_name,
+ (unsigned int)state->pid);
+
+ if( !wcache_tdc_fetch_list( &dom_list, &num_domains )) {
+ goto done;
+ }
+
+ extra_data = talloc_strdup(state->mem_ctx, "");
+ if (extra_data == NULL) {
+ goto done;
+ }
+
+ for ( i = 0; i < num_domains; i++ ) {
+ struct winbindd_domain *domain;
+ bool is_online = true;
+ struct winbindd_tdc_domain *d = NULL;
+ char *trust_type = NULL;
+ struct dom_sid_buf buf;
+
+ d = &dom_list[i];
+ domain = find_domain_from_name_noinit(d->domain_name);
+ if (domain) {
+ is_online = domain->online;
+ }
+
+ trust_type = get_trust_type_string(talloc_tos(), d, domain);
+ if (trust_type == NULL) {
+ continue;
+ }
+
+ extra_data = talloc_asprintf_append_buffer(
+ extra_data,
+ "%s\\%s\\%s\\%s\\%s\\%s\\%s\\%s\n",
+ d->domain_name,
+ d->dns_name ? d->dns_name : "",
+ dom_sid_str_buf(&d->sid, &buf),
+ trust_type,
+ trust_is_transitive(d) ? "Yes" : "No",
+ trust_is_inbound(d) ? "Yes" : "No",
+ trust_is_outbound(d) ? "Yes" : "No",
+ is_online ? "Online" : "Offline" );
+
+ TALLOC_FREE(trust_type);
+ }
+
+ state->response->data.num_entries = num_domains;
+
+ extra_data_len = strlen(extra_data);
+ if (extra_data_len > 0) {
+
+ /* Strip the last \n */
+ extra_data[extra_data_len-1] = '\0';
+
+ state->response->extra_data.data = extra_data;
+ state->response->length += extra_data_len;
+ }
+
+ ret = true;
+done:
+ TALLOC_FREE( dom_list );
+ return ret;
+}
+
+bool winbindd_dc_info(struct winbindd_cli_state *cli)
+{
+ struct winbindd_domain *domain;
+ char *dc_name, *dc_ip;
+
+ cli->request->domain_name[sizeof(cli->request->domain_name)-1] = '\0';
+
+ DBG_NOTICE("[%s (%u)]: domain_info [%s]\n",
+ cli->client_name,
+ (unsigned int)cli->pid,
+ cli->request->domain_name);
+
+ if (cli->request->domain_name[0] != '\0') {
+ domain = find_trust_from_name_noinit(
+ cli->request->domain_name);
+ if (domain == NULL) {
+ DEBUG(10, ("Could not find domain %s\n",
+ cli->request->domain_name));
+ return false;
+ }
+ } else {
+ domain = find_our_domain();
+ }
+
+ if (!fetch_current_dc_from_gencache(
+ talloc_tos(), domain->name, &dc_name, &dc_ip)) {
+ DEBUG(10, ("fetch_current_dc_from_gencache(%s) failed\n",
+ domain->name));
+ return false;
+ }
+
+ cli->response->data.num_entries = 1;
+ cli->response->extra_data.data = talloc_asprintf(
+ cli->mem_ctx, "%s\n%s\n", dc_name, dc_ip);
+
+ TALLOC_FREE(dc_name);
+ TALLOC_FREE(dc_ip);
+
+ if (cli->response->extra_data.data == NULL) {
+ return false;
+ }
+
+ /* must add one to length to copy the 0 for string termination */
+ cli->response->length +=
+ strlen((char *)cli->response->extra_data.data) + 1;
+
+ return true;
+}
+
+bool winbindd_ping(struct winbindd_cli_state *state)
+{
+ DBG_NOTICE("[%s (%u)]: ping\n",
+ state->client_name,
+ (unsigned int)state->pid);
+ return true;
+}
+
+/* List various tidbits of information */
+
+bool winbindd_info(struct winbindd_cli_state *state)
+{
+
+ DBG_NOTICE("[%s (%u)]: request misc info\n",
+ state->client_name,
+ (unsigned int)state->pid);
+
+ state->response->data.info.winbind_separator = *lp_winbind_separator();
+ fstrcpy(state->response->data.info.samba_version, samba_version_string());
+ return true;
+}
+
+/* Tell the client the current interface version */
+
+bool winbindd_interface_version(struct winbindd_cli_state *state)
+{
+ DBG_NOTICE("[%s (%u)]: request interface version (version = %d)\n",
+ state->client_name,
+ (unsigned int)state->pid,
+ WINBIND_INTERFACE_VERSION);
+
+ state->response->data.interface_version = WINBIND_INTERFACE_VERSION;
+ return true;
+}
+
+/* What domain are we a member of? */
+
+bool winbindd_domain_name(struct winbindd_cli_state *state)
+{
+ DBG_NOTICE("[%s (%u)]: request domain name\n",
+ state->client_name,
+ (unsigned int)state->pid);
+
+ fstrcpy(state->response->data.domain_name, lp_workgroup());
+ return true;
+}
+
+/* What's my name again? */
+
+bool winbindd_netbios_name(struct winbindd_cli_state *state)
+{
+ DBG_NOTICE("[%s (%u)]: request netbios name\n",
+ state->client_name,
+ (unsigned int)state->pid);
+
+ fstrcpy(state->response->data.netbios_name, lp_netbios_name());
+ return true;
+}
+
+/* Where can I find the privileged pipe? */
+
+char *get_winbind_priv_pipe_dir(void)
+{
+ return state_path(talloc_tos(), WINBINDD_PRIV_SOCKET_SUBDIR);
+}
+
+bool winbindd_priv_pipe_dir(struct winbindd_cli_state *state)
+{
+ char *priv_dir;
+
+ DBG_NOTICE("[%s (%u)]: request location of privileged pipe\n",
+ state->client_name,
+ (unsigned int)state->pid);
+
+ priv_dir = get_winbind_priv_pipe_dir();
+ state->response->extra_data.data = talloc_move(state->mem_ctx,
+ &priv_dir);
+
+ /* must add one to length to copy the 0 for string termination */
+ state->response->length +=
+ strlen((char *)state->response->extra_data.data) + 1;
+
+ DBG_NOTICE("[%s (%u)]: response location of privileged pipe: %s\n",
+ state->client_name,
+ (unsigned int)state->pid,
+ priv_dir);
+
+ return true;
+}
+
+static void winbindd_setup_max_fds(void)
+{
+ int num_fds = MAX_OPEN_FUDGEFACTOR;
+ int actual_fds;
+
+ num_fds += lp_winbind_max_clients();
+ /* Add some more to account for 2 sockets open
+ when the client transitions from unprivileged
+ to privileged socket
+ */
+ num_fds += lp_winbind_max_clients() / 10;
+
+ /* Add one socket per child process
+ (yeah there are child processes other than the
+ domain children but only domain children can vary
+ with configuration
+ */
+ num_fds += lp_winbind_max_domain_connections() *
+ (lp_allow_trusted_domains() ? WINBIND_MAX_DOMAINS_HINT : 1);
+
+ actual_fds = set_maxfiles(num_fds);
+
+ if (actual_fds < num_fds) {
+ DEBUG(1, ("winbindd_setup_max_fds: Information only: "
+ "requested %d open files, %d are available.\n",
+ num_fds, actual_fds));
+ }
+}
+
+bool winbindd_reload_services_file(const char *lfile)
+{
+ const struct loadparm_substitution *lp_sub =
+ loadparm_s3_global_substitution();
+ bool ret;
+
+ if (lp_loaded()) {
+ char *fname = lp_next_configfile(talloc_tos(), lp_sub);
+
+ if (file_exist(fname) && !strcsequal(fname,get_dyn_CONFIGFILE())) {
+ set_dyn_CONFIGFILE(fname);
+ }
+ TALLOC_FREE(fname);
+ }
+
+ reopen_logs();
+ ret = lp_load_global(get_dyn_CONFIGFILE());
+
+ /* if this is a child, restore the logfile to the special
+ name - <domain>, idmap, etc. */
+ if (lfile && *lfile) {
+ lp_set_logfile(lfile);
+ }
+
+ reopen_logs();
+ load_interfaces();
+ winbindd_setup_max_fds();
+
+ return(ret);
+}
diff --git a/source3/winbindd/winbindd_msrpc.c b/source3/winbindd/winbindd_msrpc.c
new file mode 100644
index 0000000..2926bd6
--- /dev/null
+++ b/source3/winbindd/winbindd_msrpc.c
@@ -0,0 +1,1069 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ Winbind rpc backend functions
+
+ Copyright (C) Tim Potter 2000-2001,2003
+ Copyright (C) Andrew Tridgell 2001
+ Copyright (C) Volker Lendecke 2005
+ Copyright (C) Guenther Deschner 2008 (pidl conversion)
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "winbindd.h"
+#include "winbindd_rpc.h"
+
+#include "../librpc/gen_ndr/ndr_samr_c.h"
+#include "rpc_client/cli_pipe.h"
+#include "rpc_client/cli_samr.h"
+#include "rpc_client/cli_lsarpc.h"
+#include "../libcli/security/security.h"
+#include "libsmb/samlogon_cache.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_WINBIND
+
+static NTSTATUS winbindd_lookup_names(TALLOC_CTX *mem_ctx,
+ struct winbindd_domain *domain,
+ uint32_t num_names,
+ const char **names,
+ const char ***domains,
+ struct dom_sid **sids,
+ enum lsa_SidType **types);
+
+/* Query display info for a domain. This returns enough information plus a
+ bit extra to give an overview of domain users for the User Manager
+ application. */
+static NTSTATUS msrpc_query_user_list(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ uint32_t **prids)
+{
+ struct rpc_pipe_client *samr_pipe = NULL;
+ struct policy_handle dom_pol;
+ uint32_t *rids = NULL;
+ TALLOC_CTX *tmp_ctx;
+ NTSTATUS status;
+
+ DEBUG(3, ("msrpc_query_user_list\n"));
+
+ tmp_ctx = talloc_stackframe();
+ if (tmp_ctx == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if ( !winbindd_can_contact_domain( domain ) ) {
+ DEBUG(10,("query_user_list: No incoming trust for domain %s\n",
+ domain->name));
+ status = NT_STATUS_OK;
+ goto done;
+ }
+
+ status = cm_connect_sam(domain, tmp_ctx, false, &samr_pipe, &dom_pol);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto done;
+ }
+
+ status = rpc_query_user_list(tmp_ctx,
+ samr_pipe,
+ &dom_pol,
+ &domain->sid,
+ &rids);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto done;
+ }
+
+ if (prids) {
+ *prids = talloc_move(mem_ctx, &rids);
+ }
+
+done:
+ TALLOC_FREE(rids);
+ TALLOC_FREE(tmp_ctx);
+ return status;
+}
+
+/* list all domain groups */
+static NTSTATUS msrpc_enum_dom_groups(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ uint32_t *pnum_info,
+ struct wb_acct_info **pinfo)
+{
+ struct rpc_pipe_client *samr_pipe;
+ struct policy_handle dom_pol;
+ struct wb_acct_info *info = NULL;
+ uint32_t num_info = 0;
+ TALLOC_CTX *tmp_ctx;
+ NTSTATUS status;
+
+ DEBUG(3,("msrpc_enum_dom_groups\n"));
+
+ if (pnum_info) {
+ *pnum_info = 0;
+ }
+
+ tmp_ctx = talloc_stackframe();
+ if (tmp_ctx == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if ( !winbindd_can_contact_domain( domain ) ) {
+ DEBUG(10,("enum_domain_groups: No incoming trust for domain %s\n",
+ domain->name));
+ status = NT_STATUS_OK;
+ goto done;
+ }
+
+ status = cm_connect_sam(domain, tmp_ctx, false, &samr_pipe, &dom_pol);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto done;
+ }
+
+ status = rpc_enum_dom_groups(tmp_ctx,
+ samr_pipe,
+ &dom_pol,
+ &num_info,
+ &info);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto done;
+ }
+
+ if (pnum_info) {
+ *pnum_info = num_info;
+ }
+
+ if (pinfo) {
+ *pinfo = talloc_move(mem_ctx, &info);
+ }
+
+done:
+ TALLOC_FREE(tmp_ctx);
+ return status;
+}
+
+/* List all domain groups */
+
+static NTSTATUS msrpc_enum_local_groups(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ uint32_t *pnum_info,
+ struct wb_acct_info **pinfo)
+{
+ struct rpc_pipe_client *samr_pipe;
+ struct policy_handle dom_pol;
+ struct wb_acct_info *info = NULL;
+ uint32_t num_info = 0;
+ TALLOC_CTX *tmp_ctx;
+ NTSTATUS status;
+
+ DEBUG(3,("msrpc_enum_local_groups\n"));
+
+ if (pnum_info) {
+ *pnum_info = 0;
+ }
+
+ tmp_ctx = talloc_stackframe();
+ if (tmp_ctx == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if ( !winbindd_can_contact_domain( domain ) ) {
+ DEBUG(10,("enum_local_groups: No incoming trust for domain %s\n",
+ domain->name));
+ status = NT_STATUS_OK;
+ goto done;
+ }
+
+ status = cm_connect_sam(domain, tmp_ctx, false, &samr_pipe, &dom_pol);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto done;
+ }
+
+ status = rpc_enum_local_groups(mem_ctx,
+ samr_pipe,
+ &dom_pol,
+ &num_info,
+ &info);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto done;
+ }
+
+ if (pnum_info) {
+ *pnum_info = num_info;
+ }
+
+ if (pinfo) {
+ *pinfo = talloc_move(mem_ctx, &info);
+ }
+
+done:
+ TALLOC_FREE(tmp_ctx);
+ return status;
+}
+
+/* convert a single name to a sid in a domain */
+static NTSTATUS msrpc_name_to_sid(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ const char *domain_name,
+ const char *name,
+ uint32_t flags,
+ const char **pdom_name,
+ struct dom_sid *sid,
+ enum lsa_SidType *type)
+{
+ NTSTATUS result;
+ struct dom_sid *sids = NULL;
+ enum lsa_SidType *types = NULL;
+ char *full_name = NULL;
+ const char *names[1];
+ const char **domains;
+ NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL;
+ char *mapped_name = NULL;
+
+ if (name == NULL || *name=='\0') {
+ full_name = talloc_asprintf(mem_ctx, "%s", domain_name);
+ } else if (domain_name == NULL || *domain_name == '\0') {
+ full_name = talloc_asprintf(mem_ctx, "%s", name);
+ } else {
+ full_name = talloc_asprintf(mem_ctx, "%s\\%s", domain_name, name);
+ }
+ if (!full_name) {
+ DEBUG(0, ("talloc_asprintf failed!\n"));
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ DEBUG(3, ("msrpc_name_to_sid: name=%s\n", full_name));
+
+ name_map_status = normalize_name_unmap(mem_ctx, full_name,
+ &mapped_name);
+
+ /* Reset the full_name pointer if we mapped anything */
+
+ if (NT_STATUS_IS_OK(name_map_status) ||
+ NT_STATUS_EQUAL(name_map_status, NT_STATUS_FILE_RENAMED))
+ {
+ full_name = mapped_name;
+ }
+
+ DEBUG(3,("name_to_sid [rpc] %s for domain %s\n",
+ full_name?full_name:"", domain_name ));
+
+ names[0] = full_name;
+
+ result = winbindd_lookup_names(mem_ctx, domain, 1,
+ names, &domains,
+ &sids, &types);
+ if (!NT_STATUS_IS_OK(result))
+ return result;
+
+ /* Return rid and type if lookup successful */
+
+ if (pdom_name != NULL) {
+ const char *dom_name;
+
+ dom_name = talloc_strdup(mem_ctx, domains[0]);
+ if (dom_name == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ *pdom_name = dom_name;
+ }
+
+ sid_copy(sid, &sids[0]);
+ *type = types[0];
+
+ return NT_STATUS_OK;
+}
+
+/*
+ convert a domain SID to a user or group name
+*/
+static NTSTATUS msrpc_sid_to_name(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ const struct dom_sid *sid,
+ char **domain_name,
+ char **name,
+ enum lsa_SidType *type)
+{
+ char **domains;
+ char **names;
+ enum lsa_SidType *types = NULL;
+ NTSTATUS result;
+ NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL;
+ char *mapped_name = NULL;
+ struct dom_sid_buf buf;
+
+ DEBUG(3, ("msrpc_sid_to_name: %s for domain %s\n",
+ dom_sid_str_buf(sid, &buf),
+ domain->name));
+
+ result = winbindd_lookup_sids(mem_ctx,
+ domain,
+ 1,
+ sid,
+ &domains,
+ &names,
+ &types);
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(2,("msrpc_sid_to_name: failed to lookup sids: %s\n",
+ nt_errstr(result)));
+ return result;
+ }
+
+
+ *type = (enum lsa_SidType)types[0];
+ *domain_name = domains[0];
+ *name = names[0];
+
+ DEBUG(5,("Mapped sid to [%s]\\[%s]\n", domains[0], *name));
+
+ name_map_status = normalize_name_map(mem_ctx, domain->name, *name,
+ &mapped_name);
+ if (NT_STATUS_IS_OK(name_map_status) ||
+ NT_STATUS_EQUAL(name_map_status, NT_STATUS_FILE_RENAMED))
+ {
+ *name = mapped_name;
+ DEBUG(5,("returning mapped name -- %s\n", *name));
+ }
+
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS msrpc_rids_to_names(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ const struct dom_sid *sid,
+ uint32_t *rids,
+ size_t num_rids,
+ char **domain_name,
+ char ***names,
+ enum lsa_SidType **types)
+{
+ char **domains;
+ NTSTATUS result;
+ struct dom_sid *sids;
+ size_t i;
+ char **ret_names;
+
+ DEBUG(3, ("msrpc_rids_to_names: domain %s\n", domain->name ));
+
+ if (num_rids) {
+ sids = talloc_array(mem_ctx, struct dom_sid, num_rids);
+ if (sids == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ } else {
+ sids = NULL;
+ }
+
+ for (i=0; i<num_rids; i++) {
+ if (!sid_compose(&sids[i], sid, rids[i])) {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+ }
+
+ result = winbindd_lookup_sids(mem_ctx,
+ domain,
+ num_rids,
+ sids,
+ &domains,
+ names,
+ types);
+
+ if (!NT_STATUS_IS_OK(result) &&
+ !NT_STATUS_EQUAL(result, STATUS_SOME_UNMAPPED)) {
+ return result;
+ }
+
+ ret_names = *names;
+ for (i=0; i<num_rids; i++) {
+ NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL;
+ char *mapped_name = NULL;
+
+ if ((*types)[i] != SID_NAME_UNKNOWN) {
+ name_map_status = normalize_name_map(mem_ctx,
+ domain->name,
+ ret_names[i],
+ &mapped_name);
+ if (NT_STATUS_IS_OK(name_map_status) ||
+ NT_STATUS_EQUAL(name_map_status, NT_STATUS_FILE_RENAMED))
+ {
+ ret_names[i] = mapped_name;
+ }
+
+ *domain_name = domains[i];
+ }
+ }
+
+ return result;
+}
+
+/* Lookup groups a user is a member of. I wish Unix had a call like this! */
+static NTSTATUS msrpc_lookup_usergroups(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ const struct dom_sid *user_sid,
+ uint32_t *pnum_groups,
+ struct dom_sid **puser_grpsids)
+{
+ struct rpc_pipe_client *samr_pipe;
+ struct policy_handle dom_pol;
+ struct dom_sid *user_grpsids = NULL;
+ struct dom_sid_buf buf;
+ uint32_t num_groups = 0;
+ TALLOC_CTX *tmp_ctx;
+ NTSTATUS status;
+
+ DEBUG(3,("msrpc_lookup_usergroups sid=%s\n",
+ dom_sid_str_buf(user_sid, &buf)));
+
+ *pnum_groups = 0;
+
+ tmp_ctx = talloc_stackframe();
+ if (tmp_ctx == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ /* Check if we have a cached user_info_3 */
+ status = lookup_usergroups_cached(tmp_ctx,
+ user_sid,
+ &num_groups,
+ &user_grpsids);
+ if (NT_STATUS_IS_OK(status)) {
+ goto cached;
+ }
+
+ if ( !winbindd_can_contact_domain( domain ) ) {
+ DEBUG(10,("lookup_usergroups: No incoming trust for domain %s\n",
+ domain->name));
+
+ /* Tell the cache manager not to remember this one */
+ status = NT_STATUS_SYNCHRONIZATION_REQUIRED;
+ goto done;
+ }
+
+ /* no cache; hit the wire */
+ status = cm_connect_sam(domain, tmp_ctx, false, &samr_pipe, &dom_pol);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto done;
+ }
+
+ status = rpc_lookup_usergroups(tmp_ctx,
+ samr_pipe,
+ &dom_pol,
+ &domain->sid,
+ user_sid,
+ &num_groups,
+ &user_grpsids);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto done;
+ }
+
+cached:
+ *pnum_groups = num_groups;
+
+ if (puser_grpsids) {
+ *puser_grpsids = talloc_move(mem_ctx, &user_grpsids);
+ }
+
+done:
+ TALLOC_FREE(tmp_ctx);
+ return status;
+ return NT_STATUS_OK;
+}
+
+#define MAX_SAM_ENTRIES_W2K 0x400 /* 1024 */
+
+static NTSTATUS msrpc_lookup_useraliases(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ uint32_t num_sids, const struct dom_sid *sids,
+ uint32_t *pnum_aliases,
+ uint32_t **palias_rids)
+{
+ struct rpc_pipe_client *samr_pipe;
+ struct policy_handle dom_pol;
+ uint32_t num_aliases = 0;
+ uint32_t *alias_rids = NULL;
+ TALLOC_CTX *tmp_ctx;
+ NTSTATUS status;
+
+ DEBUG(3,("msrpc_lookup_useraliases\n"));
+
+ if (pnum_aliases) {
+ *pnum_aliases = 0;
+ }
+
+ tmp_ctx = talloc_stackframe();
+ if (tmp_ctx == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if (!winbindd_can_contact_domain(domain)) {
+ DEBUG(10,("msrpc_lookup_useraliases: No incoming trust for domain %s\n",
+ domain->name));
+ /* Tell the cache manager not to remember this one */
+ status = NT_STATUS_SYNCHRONIZATION_REQUIRED;
+ goto done;
+ }
+
+ status = cm_connect_sam(domain, tmp_ctx, false, &samr_pipe, &dom_pol);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto done;
+ }
+
+ status = rpc_lookup_useraliases(tmp_ctx,
+ samr_pipe,
+ &dom_pol,
+ num_sids,
+ sids,
+ &num_aliases,
+ &alias_rids);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto done;
+ }
+
+ if (pnum_aliases) {
+ *pnum_aliases = num_aliases;
+ }
+
+ if (palias_rids) {
+ *palias_rids = talloc_move(mem_ctx, &alias_rids);
+ }
+
+done:
+ TALLOC_FREE(tmp_ctx);
+ return status;
+}
+
+
+/* Lookup group membership given a rid. */
+static NTSTATUS msrpc_lookup_groupmem(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ const struct dom_sid *group_sid,
+ enum lsa_SidType type,
+ uint32_t *num_names,
+ struct dom_sid **sid_mem,
+ char ***names,
+ uint32_t **name_types)
+{
+ NTSTATUS status, result;
+ uint32_t i, total_names = 0;
+ struct policy_handle dom_pol, group_pol;
+ uint32_t des_access = SEC_FLAG_MAXIMUM_ALLOWED;
+ uint32_t *rid_mem = NULL;
+ uint32_t group_rid;
+ unsigned int j, r;
+ struct rpc_pipe_client *cli;
+ unsigned int orig_timeout;
+ struct samr_RidAttrArray *rids = NULL;
+ struct dcerpc_binding_handle *b;
+ struct dom_sid_buf buf;
+
+ DEBUG(3,("msrpc_lookup_groupmem: %s sid=%s\n", domain->name,
+ dom_sid_str_buf(group_sid, &buf)));
+
+ if ( !winbindd_can_contact_domain( domain ) ) {
+ DEBUG(10,("lookup_groupmem: No incoming trust for domain %s\n",
+ domain->name));
+ return NT_STATUS_OK;
+ }
+
+ if (!sid_peek_check_rid(&domain->sid, group_sid, &group_rid))
+ return NT_STATUS_UNSUCCESSFUL;
+
+ *num_names = 0;
+
+ result = cm_connect_sam(domain, mem_ctx, false, &cli, &dom_pol);
+ if (!NT_STATUS_IS_OK(result))
+ return result;
+
+ b = cli->binding_handle;
+
+ status = dcerpc_samr_OpenGroup(b, mem_ctx,
+ &dom_pol,
+ des_access,
+ group_rid,
+ &group_pol,
+ &result);
+ if (any_nt_status_not_ok(status, result, &status)) {
+ return status;
+ }
+
+ /* Step #1: Get a list of user rids that are the members of the
+ group. */
+
+ /* This call can take a long time - allow the server to time out.
+ 35 seconds should do it. */
+
+ orig_timeout = rpccli_set_timeout(cli, 35000);
+
+ status = dcerpc_samr_QueryGroupMember(b, mem_ctx,
+ &group_pol,
+ &rids,
+ &result);
+
+ /* And restore our original timeout. */
+ rpccli_set_timeout(cli, orig_timeout);
+
+ {
+ NTSTATUS _result;
+ dcerpc_samr_Close(b, mem_ctx, &group_pol, &_result);
+ }
+
+ if (any_nt_status_not_ok(status, result, &status)) {
+ return status;
+ }
+
+ if (!rids || !rids->count) {
+ names = NULL;
+ name_types = NULL;
+ sid_mem = NULL;
+ return NT_STATUS_OK;
+ }
+
+ *num_names = rids->count;
+ rid_mem = rids->rids;
+
+ /* Step #2: Convert list of rids into list of usernames. Do this
+ in bunches of ~1000 to avoid crashing NT4. It looks like there
+ is a buffer overflow or something like that lurking around
+ somewhere. */
+
+#define MAX_LOOKUP_RIDS 900
+
+ *names = talloc_zero_array(mem_ctx, char *, *num_names);
+ *name_types = talloc_zero_array(mem_ctx, uint32_t, *num_names);
+ *sid_mem = talloc_zero_array(mem_ctx, struct dom_sid, *num_names);
+
+ for (j=0;j<(*num_names);j++)
+ sid_compose(&(*sid_mem)[j], &domain->sid, rid_mem[j]);
+
+ if (*num_names>0 && (!*names || !*name_types))
+ return NT_STATUS_NO_MEMORY;
+
+ for (i = 0; i < *num_names; i += MAX_LOOKUP_RIDS) {
+ int num_lookup_rids = MIN(*num_names - i, MAX_LOOKUP_RIDS);
+ struct lsa_Strings tmp_names;
+ struct samr_Ids tmp_types;
+
+ /* Lookup a chunk of rids */
+
+ status = dcerpc_samr_LookupRids(b, mem_ctx,
+ &dom_pol,
+ num_lookup_rids,
+ &rid_mem[i],
+ &tmp_names,
+ &tmp_types,
+ &result);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ /* see if we have a real error (and yes the
+ STATUS_SOME_UNMAPPED is the one returned from 2k) */
+
+ if (!NT_STATUS_IS_OK(result) &&
+ !NT_STATUS_EQUAL(result, STATUS_SOME_UNMAPPED))
+ return result;
+
+ /* Copy result into array. The talloc system will take
+ care of freeing the temporary arrays later on. */
+
+ if (tmp_names.count != num_lookup_rids) {
+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
+ }
+ if (tmp_types.count != num_lookup_rids) {
+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
+ }
+
+ for (r=0; r<tmp_names.count; r++) {
+ if (tmp_types.ids[r] == SID_NAME_UNKNOWN) {
+ continue;
+ }
+ if (total_names >= *num_names) {
+ break;
+ }
+ (*names)[total_names] = fill_domain_username_talloc(
+ mem_ctx, domain->name,
+ tmp_names.names[r].string, true);
+ (*name_types)[total_names] = tmp_types.ids[r];
+ total_names += 1;
+ }
+ }
+
+ *num_names = total_names;
+
+ return NT_STATUS_OK;
+}
+
+/* get a list of trusted domains */
+static NTSTATUS msrpc_trusted_domains(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ struct netr_DomainTrustList *ptrust_list)
+{
+ struct rpc_pipe_client *lsa_pipe;
+ struct policy_handle lsa_policy;
+ struct netr_DomainTrust *trusts = NULL;
+ uint32_t num_trusts = 0;
+ TALLOC_CTX *tmp_ctx;
+ NTSTATUS status;
+
+ DEBUG(3,("msrpc_trusted_domains\n"));
+
+ if (ptrust_list) {
+ ZERO_STRUCTP(ptrust_list);
+ }
+
+ tmp_ctx = talloc_stackframe();
+ if (tmp_ctx == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ status = cm_connect_lsa(domain, tmp_ctx, &lsa_pipe, &lsa_policy);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto done;
+ }
+
+ status = rpc_trusted_domains(tmp_ctx,
+ lsa_pipe,
+ &lsa_policy,
+ &num_trusts,
+ &trusts);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto done;
+ }
+
+ if (ptrust_list) {
+ ptrust_list->count = num_trusts;
+ ptrust_list->array = talloc_move(mem_ctx, &trusts);
+ }
+
+done:
+ TALLOC_FREE(tmp_ctx);
+ return status;
+}
+
+/* find the lockout policy for a domain */
+static NTSTATUS msrpc_lockout_policy(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ struct samr_DomInfo12 *lockout_policy)
+{
+ NTSTATUS status, result;
+ struct rpc_pipe_client *cli;
+ struct policy_handle dom_pol;
+ union samr_DomainInfo *info = NULL;
+ struct dcerpc_binding_handle *b;
+
+ DEBUG(3, ("msrpc_lockout_policy: fetch lockout policy for %s\n", domain->name));
+
+ if ( !winbindd_can_contact_domain( domain ) ) {
+ DEBUG(10,("msrpc_lockout_policy: No incoming trust for domain %s\n",
+ domain->name));
+ return NT_STATUS_NOT_SUPPORTED;
+ }
+
+ status = cm_connect_sam(domain, mem_ctx, false, &cli, &dom_pol);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto done;
+ }
+
+ b = cli->binding_handle;
+
+ status = dcerpc_samr_QueryDomainInfo(b, mem_ctx,
+ &dom_pol,
+ DomainLockoutInformation,
+ &info,
+ &result);
+ if (any_nt_status_not_ok(status, result, &status)) {
+ return status;
+ }
+
+ *lockout_policy = info->info12;
+
+ DEBUG(10,("msrpc_lockout_policy: lockout_threshold %d\n",
+ info->info12.lockout_threshold));
+
+ done:
+
+ return status;
+}
+
+/* find the password policy for a domain */
+static NTSTATUS msrpc_password_policy(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ struct samr_DomInfo1 *password_policy)
+{
+ NTSTATUS status, result;
+ struct rpc_pipe_client *cli;
+ struct policy_handle dom_pol;
+ union samr_DomainInfo *info = NULL;
+ struct dcerpc_binding_handle *b;
+
+ DEBUG(3, ("msrpc_password_policy: fetch password policy for %s\n",
+ domain->name));
+
+ if ( !winbindd_can_contact_domain( domain ) ) {
+ DEBUG(10,("msrpc_password_policy: No incoming trust for domain %s\n",
+ domain->name));
+ return NT_STATUS_NOT_SUPPORTED;
+ }
+
+ status = cm_connect_sam(domain, mem_ctx, false, &cli, &dom_pol);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto done;
+ }
+
+ b = cli->binding_handle;
+
+ status = dcerpc_samr_QueryDomainInfo(b, mem_ctx,
+ &dom_pol,
+ DomainPasswordInformation,
+ &info,
+ &result);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto done;
+ }
+ if (!NT_STATUS_IS_OK(result)) {
+ goto done;
+ }
+
+ *password_policy = info->info1;
+
+ DEBUG(10,("msrpc_password_policy: min_length_password %d\n",
+ info->info1.min_password_length));
+
+ done:
+
+ return status;
+}
+
+static enum lsa_LookupNamesLevel winbindd_lookup_level(
+ struct winbindd_domain *domain)
+{
+ enum lsa_LookupNamesLevel level = LSA_LOOKUP_NAMES_DOMAINS_ONLY;
+
+ if (domain->internal) {
+ level = LSA_LOOKUP_NAMES_ALL;
+ } else if (domain->secure_channel_type == SEC_CHAN_DNS_DOMAIN) {
+ if (domain->domain_flags & NETR_TRUST_FLAG_IN_FOREST) {
+ /*
+ * TODO:
+ *
+ * Depending on what we want to resolve. We need to use:
+ * 1. LsapLookupXForestReferral(5)/LSA_LOOKUP_NAMES_FOREST_TRUSTS_ONLY
+ * if we want to pass the request into the direction of the forest
+ * root domain. The forest root domain uses
+ * LsapLookupXForestResolve(6)/LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2
+ * when passing the request to trusted forests.
+ * 2. LsapLookupGC(4)/LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY
+ * if we're not a GC and want to resolve a name within our own forest.
+ *
+ * As we don't support more than one domain in our own forest
+ * and always try to be a GC for now, we just set
+ * LSA_LOOKUP_NAMES_FOREST_TRUSTS_ONLY.
+ */
+ level = LSA_LOOKUP_NAMES_FOREST_TRUSTS_ONLY;
+ } else if (domain->domain_trust_attribs & LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) {
+ /*
+ * This is LsapLookupXForestResolve(6)/LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2
+ */
+ level = LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2;
+ } else {
+ /*
+ * This is LsapLookupTDL(3)/LSA_LOOKUP_NAMES_PRIMARY_DOMAIN_ONLY
+ */
+ level = LSA_LOOKUP_NAMES_PRIMARY_DOMAIN_ONLY;
+ }
+ } else if (domain->secure_channel_type == SEC_CHAN_DOMAIN) {
+ /*
+ * This is LsapLookupTDL(3)/LSA_LOOKUP_NAMES_PRIMARY_DOMAIN_ONLY
+ */
+ level = LSA_LOOKUP_NAMES_PRIMARY_DOMAIN_ONLY;
+ } else if (domain->rodc) {
+ level = LSA_LOOKUP_NAMES_RODC_REFERRAL_TO_FULL_DC;
+ } else {
+ /*
+ * This is LsapLookupPDC(2)/LSA_LOOKUP_NAMES_DOMAINS_ONLY
+ */
+ level = LSA_LOOKUP_NAMES_DOMAINS_ONLY;
+ }
+
+ return level;
+}
+
+NTSTATUS winbindd_lookup_sids(TALLOC_CTX *mem_ctx,
+ struct winbindd_domain *domain,
+ uint32_t num_sids,
+ const struct dom_sid *sids,
+ char ***domains,
+ char ***names,
+ enum lsa_SidType **types)
+{
+ NTSTATUS status;
+ NTSTATUS result;
+ struct rpc_pipe_client *cli = NULL;
+ struct dcerpc_binding_handle *b = NULL;
+ struct policy_handle lsa_policy;
+ unsigned int orig_timeout;
+ bool use_lookupsids3 = false;
+ bool retried = false;
+ enum lsa_LookupNamesLevel level = LSA_LOOKUP_NAMES_ALL;
+
+ connect:
+ status = cm_connect_lsat(domain, mem_ctx, &cli, &lsa_policy);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ b = cli->binding_handle;
+
+ if (cli->transport->transport == NCACN_IP_TCP) {
+ use_lookupsids3 = true;
+ }
+
+ level = winbindd_lookup_level(domain);
+
+ /*
+ * This call can take a long time
+ * allow the server to time out.
+ * 35 seconds should do it.
+ */
+ orig_timeout = dcerpc_binding_handle_set_timeout(b, 35000);
+
+ status = dcerpc_lsa_lookup_sids_generic(b,
+ mem_ctx,
+ &lsa_policy,
+ num_sids,
+ sids,
+ level,
+ domains,
+ names,
+ types,
+ use_lookupsids3,
+ &result);
+
+ /* And restore our original timeout. */
+ dcerpc_binding_handle_set_timeout(b, orig_timeout);
+
+ if (reset_cm_connection_on_error(domain, b, status)) {
+ /*
+ * This can happen if the schannel key is not
+ * valid anymore, we need to invalidate the
+ * all connections to the dc and reestablish
+ * a netlogon connection first.
+ */
+ domain->can_do_ncacn_ip_tcp = domain->active_directory;
+ if (!retried) {
+ retried = true;
+ goto connect;
+ }
+ status = NT_STATUS_ACCESS_DENIED;
+ }
+
+ if (any_nt_status_not_ok(status, result, &status)) {
+ return status;
+ }
+
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS winbindd_lookup_names(TALLOC_CTX *mem_ctx,
+ struct winbindd_domain *domain,
+ uint32_t num_names,
+ const char **names,
+ const char ***domains,
+ struct dom_sid **sids,
+ enum lsa_SidType **types)
+{
+ NTSTATUS status;
+ NTSTATUS result;
+ struct rpc_pipe_client *cli = NULL;
+ struct dcerpc_binding_handle *b = NULL;
+ struct policy_handle lsa_policy;
+ unsigned int orig_timeout = 0;
+ bool use_lookupnames4 = false;
+ bool retried = false;
+ enum lsa_LookupNamesLevel level = LSA_LOOKUP_NAMES_ALL;
+
+ connect:
+ status = cm_connect_lsat(domain, mem_ctx, &cli, &lsa_policy);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ b = cli->binding_handle;
+
+ if (cli->transport->transport == NCACN_IP_TCP) {
+ use_lookupnames4 = true;
+ }
+
+ level = winbindd_lookup_level(domain);
+
+ /*
+ * This call can take a long time
+ * allow the server to time out.
+ * 35 seconds should do it.
+ */
+ orig_timeout = dcerpc_binding_handle_set_timeout(b, 35000);
+
+ status = dcerpc_lsa_lookup_names_generic(b,
+ mem_ctx,
+ &lsa_policy,
+ num_names,
+ (const char **) names,
+ domains,
+ level,
+ sids,
+ types,
+ use_lookupnames4,
+ &result);
+
+ /* And restore our original timeout. */
+ dcerpc_binding_handle_set_timeout(b, orig_timeout);
+
+ if (reset_cm_connection_on_error(domain, b, status)) {
+ /*
+ * This can happen if the schannel key is not
+ * valid anymore, we need to invalidate the
+ * all connections to the dc and reestablish
+ * a netlogon connection first.
+ */
+ if (!retried) {
+ retried = true;
+ goto connect;
+ }
+ status = NT_STATUS_ACCESS_DENIED;
+ }
+
+ if (any_nt_status_not_ok(status, result, &status)) {
+ return status;
+ }
+
+ return NT_STATUS_OK;
+}
+
+/* the rpc backend methods are exposed via this structure */
+struct winbindd_methods msrpc_methods = {
+ False,
+ msrpc_query_user_list,
+ msrpc_enum_dom_groups,
+ msrpc_enum_local_groups,
+ msrpc_name_to_sid,
+ msrpc_sid_to_name,
+ msrpc_rids_to_names,
+ msrpc_lookup_usergroups,
+ msrpc_lookup_useraliases,
+ msrpc_lookup_groupmem,
+ msrpc_lockout_policy,
+ msrpc_password_policy,
+ msrpc_trusted_domains,
+};
diff --git a/source3/winbindd/winbindd_ndr.c b/source3/winbindd/winbindd_ndr.c
new file mode 100644
index 0000000..7b48ddb
--- /dev/null
+++ b/source3/winbindd/winbindd_ndr.c
@@ -0,0 +1,162 @@
+/*
+ * Unix SMB/CIFS implementation.
+ * winbindd debug helper
+ * Copyright (C) Guenther Deschner 2008
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "includes.h"
+#include "winbindd.h"
+#include "../librpc/gen_ndr/ndr_netlogon.h"
+#include "../librpc/gen_ndr/ndr_security.h"
+#include "../librpc/gen_ndr/ndr_lsa.h"
+#include "../librpc/ndr/libndr.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_WINBIND
+
+/****************************************************************
+****************************************************************/
+
+void ndr_print_winbindd_child(struct ndr_print *ndr,
+ const char *name,
+ const struct winbindd_child *r)
+{
+ ndr_print_struct(ndr, name, "winbindd_child");
+ ndr->depth++;
+ ndr_print_uint32(ndr, "pid", (uint32_t)r->pid);
+#if 0
+ ndr_print_winbindd_domain(ndr, "domain", r->domain);
+#else
+ ndr_print_ptr(ndr, "domain", r->domain);
+#endif
+ ndr_print_string(ndr, "logfilename", r->logfilename);
+ /* struct fd_event event; */
+ ndr_print_ptr(ndr, "lockout_policy_event", r->lockout_policy_event);
+ ndr->depth--;
+}
+
+/****************************************************************
+****************************************************************/
+
+void ndr_print_winbindd_cm_conn(struct ndr_print *ndr,
+ const char *name,
+ const struct winbindd_cm_conn *r)
+{
+ ndr_print_struct(ndr, name, "winbindd_cm_conn");
+ ndr->depth++;
+ ndr_print_ptr(ndr, "cli", r->cli);
+ ndr_print_ptr(ndr, "samr_pipe", r->samr_pipe);
+ ndr_print_policy_handle(ndr, "sam_connect_handle", &r->sam_connect_handle);
+ ndr_print_policy_handle(ndr, "sam_domain_handle", &r->sam_domain_handle);
+ ndr_print_ptr(ndr, "lsa_pipe", r->lsa_pipe);
+ ndr_print_policy_handle(ndr, "lsa_policy", &r->lsa_policy);
+ ndr_print_ptr(ndr, "netlogon_pipe", r->netlogon_pipe);
+ ndr->depth--;
+}
+
+/****************************************************************
+****************************************************************/
+
+#ifdef HAVE_ADS
+extern struct winbindd_methods ads_methods;
+extern struct winbindd_methods reconnect_ads_methods;
+#endif
+extern struct winbindd_methods msrpc_methods;
+extern struct winbindd_methods builtin_passdb_methods;
+extern struct winbindd_methods sam_passdb_methods;
+extern struct winbindd_methods reconnect_methods;
+
+void ndr_print_winbindd_methods(struct ndr_print *ndr,
+ const char *name,
+ const struct winbindd_methods *r)
+{
+ ndr_print_struct(ndr, name, "winbindd_methods");
+ ndr->depth++;
+
+ if (r == NULL) {
+ ndr_print_string(ndr, name, "(NULL)");
+ ndr->depth--;
+ return;
+ }
+
+ if (r == &msrpc_methods) {
+ ndr_print_string(ndr, name, "msrpc_methods");
+#ifdef HAVE_ADS
+ } else if (r == &ads_methods) {
+ ndr_print_string(ndr, name, "ads_methods");
+ } else if (r == &reconnect_ads_methods) {
+ ndr_print_string(ndr, name, "reconnect_ads_methods");
+#endif
+ } else if (r == &builtin_passdb_methods) {
+ ndr_print_string(ndr, name, "builtin_passdb_methods");
+ } else if (r == &sam_passdb_methods) {
+ ndr_print_string(ndr, name, "sam_passdb_methods");
+ } else if (r == &reconnect_methods) {
+ ndr_print_string(ndr, name, "reconnect_methods");
+ } else {
+ ndr_print_string(ndr, name, "UNKNOWN");
+ }
+ ndr->depth--;
+}
+
+/****************************************************************
+****************************************************************/
+
+void ndr_print_winbindd_domain(struct ndr_print *ndr,
+ const char *name,
+ const struct winbindd_domain *r)
+{
+ int i;
+ if (!r) {
+ return;
+ }
+
+ ndr_print_struct(ndr, name, "winbindd_domain");
+ ndr->depth++;
+ ndr_print_string(ndr, "name", r->name);
+ ndr_print_string(ndr, "alt_name", r->alt_name);
+ ndr_print_string(ndr, "forest_name", r->forest_name);
+ ndr_print_dom_sid(ndr, "sid", &r->sid);
+ ndr_print_netr_TrustFlags(ndr, "domain_flags", r->domain_flags);
+ ndr_print_lsa_TrustType(ndr, "domain_type", r->domain_type);
+ ndr_print_lsa_TrustAttributes(ndr, "domain_trust_attribs", r->domain_trust_attribs);
+ ndr_print_bool(ndr, "initialized", r->initialized);
+ ndr_print_bool(ndr, "native_mode", r->native_mode);
+ ndr_print_bool(ndr, "active_directory", r->active_directory);
+ ndr_print_bool(ndr, "primary", r->primary);
+ ndr_print_bool(ndr, "internal", r->internal);
+ ndr_print_bool(ndr, "online", r->online);
+ ndr_print_time_t(ndr, "startup_time", r->startup_time);
+ ndr_print_bool(ndr, "startup", r->startup);
+ ndr_print_winbindd_methods(ndr, "backend", r->backend);
+ ndr_print_ptr(ndr,
+ "backend_data.samr_pipes",
+ r->backend_data.samr_pipes);
+ ndr_print_ptr(ndr,
+ "backend_data.ads_conn",
+ r->backend_data.ads_conn);
+ ndr_print_string(ndr, "dcname", r->dcname);
+ ndr_print_sockaddr_storage(ndr, "dcaddr", &r->dcaddr);
+ ndr_print_time_t(ndr, "last_seq_check", r->last_seq_check);
+ ndr_print_uint32(ndr, "sequence_number", r->sequence_number);
+ ndr_print_NTSTATUS(ndr, "last_status", r->last_status);
+ ndr_print_winbindd_cm_conn(ndr, "conn", &r->conn);
+ for (i=0; i<lp_winbind_max_domain_connections(); i++) {
+ ndr_print_winbindd_child(ndr, "children", &r->children[i]);
+ }
+ ndr_print_ptr(ndr, "check_online_event", r->check_online_event);
+ ndr->depth--;
+}
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
new file mode 100644
index 0000000..b1acc7e
--- /dev/null
+++ b/source3/winbindd/winbindd_pam.c
@@ -0,0 +1,3556 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ Winbind daemon - pam auth funcions
+
+ Copyright (C) Andrew Tridgell 2000
+ Copyright (C) Tim Potter 2001
+ Copyright (C) Andrew Bartlett 2001-2002
+ Copyright (C) Guenther Deschner 2005
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "ntdomain.h"
+#include "winbindd.h"
+#include "libsmb/namequery.h"
+#include "../libcli/auth/libcli_auth.h"
+#include "libcli/auth/pam_errors.h"
+#include "../librpc/gen_ndr/ndr_samr_c.h"
+#include "librpc/rpc/dcesrv_core.h"
+#include "librpc/gen_ndr/ndr_winbind.h"
+#include "rpc_client/cli_pipe.h"
+#include "rpc_client/cli_samr.h"
+#include "../librpc/gen_ndr/ndr_netlogon.h"
+#include "rpc_client/cli_netlogon.h"
+#include "smb_krb5.h"
+#include "../libcli/security/security.h"
+#include "ads.h"
+#include "../librpc/gen_ndr/krb5pac.h"
+#include "passdb/machine_sid.h"
+#include "auth.h"
+#include "../lib/tsocket/tsocket.h"
+#include "auth/kerberos/pac_utils.h"
+#include "auth/gensec/gensec.h"
+#include "librpc/crypto/gse_krb5.h"
+#include "lib/afs/afs_funcs.h"
+#include "libsmb/samlogon_cache.h"
+#include "rpc_client/util_netlogon.h"
+#include "param/param.h"
+#include "messaging/messaging.h"
+#include "lib/util/string_wrappers.h"
+#include "lib/crypto/gnutls_helpers.h"
+
+#include "lib/crypto/gnutls_helpers.h"
+#include <gnutls/crypto.h>
+#include "lib/global_contexts.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_WINBIND
+
+#define LOGON_KRB5_FAIL_CLOCK_SKEW 0x02000000
+
+static NTSTATUS append_info3_as_txt(TALLOC_CTX *mem_ctx,
+ struct winbindd_response *resp,
+ uint16_t validation_level,
+ union netr_Validation *validation)
+{
+ struct netr_SamInfo3 *info3 = NULL;
+ char *ex = NULL;
+ uint32_t i;
+ NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
+ TALLOC_CTX *frame = talloc_stackframe();
+
+ status = map_validation_to_info3(frame,
+ validation_level,
+ validation,
+ &info3);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto out;
+ }
+
+ resp->data.auth.info3.logon_time =
+ nt_time_to_unix(info3->base.logon_time);
+ resp->data.auth.info3.logoff_time =
+ nt_time_to_unix(info3->base.logoff_time);
+ resp->data.auth.info3.kickoff_time =
+ nt_time_to_unix(info3->base.kickoff_time);
+ resp->data.auth.info3.pass_last_set_time =
+ nt_time_to_unix(info3->base.last_password_change);
+ resp->data.auth.info3.pass_can_change_time =
+ nt_time_to_unix(info3->base.allow_password_change);
+ resp->data.auth.info3.pass_must_change_time =
+ nt_time_to_unix(info3->base.force_password_change);
+
+ resp->data.auth.info3.logon_count = info3->base.logon_count;
+ resp->data.auth.info3.bad_pw_count = info3->base.bad_password_count;
+
+ resp->data.auth.info3.user_rid = info3->base.rid;
+ resp->data.auth.info3.group_rid = info3->base.primary_gid;
+ sid_to_fstring(resp->data.auth.info3.dom_sid, info3->base.domain_sid);
+
+ resp->data.auth.info3.num_groups = info3->base.groups.count;
+ resp->data.auth.info3.user_flgs = info3->base.user_flags;
+
+ resp->data.auth.info3.acct_flags = info3->base.acct_flags;
+ resp->data.auth.info3.num_other_sids = info3->sidcount;
+
+ fstrcpy(resp->data.auth.info3.user_name,
+ info3->base.account_name.string);
+ fstrcpy(resp->data.auth.info3.full_name,
+ info3->base.full_name.string);
+ fstrcpy(resp->data.auth.info3.logon_script,
+ info3->base.logon_script.string);
+ fstrcpy(resp->data.auth.info3.profile_path,
+ info3->base.profile_path.string);
+ fstrcpy(resp->data.auth.info3.home_dir,
+ info3->base.home_directory.string);
+ fstrcpy(resp->data.auth.info3.dir_drive,
+ info3->base.home_drive.string);
+
+ fstrcpy(resp->data.auth.info3.logon_srv,
+ info3->base.logon_server.string);
+ fstrcpy(resp->data.auth.info3.logon_dom,
+ info3->base.logon_domain.string);
+
+ resp->data.auth.validation_level = validation_level;
+ if (validation_level == 6) {
+ fstrcpy(resp->data.auth.info6.dns_domainname,
+ validation->sam6->dns_domainname.string);
+ fstrcpy(resp->data.auth.info6.principal_name,
+ validation->sam6->principal_name.string);
+ }
+
+ ex = talloc_strdup(frame, "");
+ if (ex == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto out;
+ }
+
+ for (i=0; i < info3->base.groups.count; i++) {
+ ex = talloc_asprintf_append_buffer(ex, "0x%08X:0x%08X\n",
+ info3->base.groups.rids[i].rid,
+ info3->base.groups.rids[i].attributes);
+ if (ex == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto out;
+ }
+ }
+
+ for (i=0; i < info3->sidcount; i++) {
+ struct dom_sid_buf sidbuf;
+
+ ex = talloc_asprintf_append_buffer(
+ ex,
+ "%s:0x%08X\n",
+ dom_sid_str_buf(info3->sids[i].sid, &sidbuf),
+ info3->sids[i].attributes);
+ if (ex == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto out;
+ }
+ }
+
+ resp->length += talloc_get_size(ex);
+ resp->extra_data.data = talloc_move(mem_ctx, &ex);
+
+ status = NT_STATUS_OK;
+out:
+ TALLOC_FREE(frame);
+ return status;
+}
+
+static NTSTATUS append_info3_as_ndr(TALLOC_CTX *mem_ctx,
+ struct winbindd_response *resp,
+ struct netr_SamInfo3 *info3)
+{
+ DATA_BLOB blob;
+ enum ndr_err_code ndr_err;
+
+ ndr_err = ndr_push_struct_blob(&blob, mem_ctx, info3,
+ (ndr_push_flags_fn_t)ndr_push_netr_SamInfo3);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ DEBUG(0,("append_info3_as_ndr: failed to append\n"));
+ return ndr_map_error2ntstatus(ndr_err);
+ }
+
+ resp->extra_data.data = blob.data;
+ resp->length += blob.length;
+
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS append_unix_username(uint16_t validation_level,
+ union netr_Validation *validation,
+ const char *name_domain,
+ const char *name_user,
+ TALLOC_CTX *mem_ctx,
+ char **_unix_username)
+{
+ TALLOC_CTX *tmp_ctx = NULL;
+ const char *nt_username = NULL;
+ const char *nt_domain = NULL;
+ char *unix_username = NULL;
+ struct netr_SamBaseInfo *base_info = NULL;
+ NTSTATUS status;
+
+ tmp_ctx = talloc_new(mem_ctx);
+ if (tmp_ctx == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ /* We've been asked to return the unix username, per
+ 'winbind use default domain' settings and the like */
+
+ switch (validation_level) {
+ case 3:
+ base_info = &validation->sam3->base;
+ break;
+ case 6:
+ base_info = &validation->sam6->base;
+ break;
+ default:
+ DBG_ERR("Invalid validation level %d\n", validation_level);
+ status = NT_STATUS_INTERNAL_ERROR;
+ goto out;
+ }
+
+ nt_domain = talloc_strdup(tmp_ctx, base_info->logon_domain.string);
+ if (!nt_domain) {
+ /* If the server didn't give us one, just use the one
+ * we sent them */
+ nt_domain = name_domain;
+ }
+
+ nt_username = talloc_strdup(tmp_ctx, base_info->account_name.string);
+ if (!nt_username) {
+ /* If the server didn't give us one, just use the one
+ * we sent them */
+ nt_username = name_user;
+ }
+
+ unix_username = fill_domain_username_talloc(tmp_ctx,
+ nt_domain,
+ nt_username,
+ true);
+ if (unix_username == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto out;
+ }
+
+ DBG_INFO("Setting unix username to [%s]\n", unix_username);
+
+ *_unix_username = talloc_move(mem_ctx, &unix_username);
+
+ status = NT_STATUS_OK;
+out:
+ TALLOC_FREE(tmp_ctx);
+
+ return status;
+}
+
+static NTSTATUS append_afs_token(uint16_t validation_level,
+ union netr_Validation *validation,
+ const char *name_domain,
+ const char *name_user,
+ TALLOC_CTX *mem_ctx,
+ DATA_BLOB *_blob)
+{
+ TALLOC_CTX *tmp_ctx = NULL;
+ char *afsname = NULL;
+ char *cell;
+ char *token;
+ struct netr_SamBaseInfo *base_info = NULL;
+ NTSTATUS status;
+
+ tmp_ctx = talloc_new(mem_ctx);
+ if (tmp_ctx == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ switch (validation_level) {
+ case 3:
+ base_info = &validation->sam3->base;
+ break;
+ case 6:
+ base_info = &validation->sam6->base;
+ break;
+ default:
+ DBG_ERR("Invalid validation level %d\n", validation_level);
+ status = NT_STATUS_INTERNAL_ERROR;
+ goto out;
+ }
+
+ afsname = talloc_strdup(tmp_ctx, lp_afs_username_map());
+ if (afsname == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto out;
+ }
+
+ afsname = talloc_string_sub(tmp_ctx,
+ lp_afs_username_map(),
+ "%D", name_domain);
+ afsname = talloc_string_sub(tmp_ctx, afsname,
+ "%u", name_user);
+ afsname = talloc_string_sub(tmp_ctx, afsname,
+ "%U", name_user);
+
+ {
+ struct dom_sid user_sid;
+ struct dom_sid_buf sidstr;
+
+ sid_compose(&user_sid, base_info->domain_sid, base_info->rid);
+ afsname = talloc_string_sub(
+ tmp_ctx,
+ afsname,
+ "%s",
+ dom_sid_str_buf(&user_sid, &sidstr));
+ }
+
+ if (afsname == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto out;
+ }
+
+ if (!strlower_m(afsname)) {
+ status = NT_STATUS_INVALID_PARAMETER;
+ goto out;
+ }
+
+ DEBUG(10, ("Generating token for user %s\n", afsname));
+
+ cell = strchr(afsname, '@');
+
+ if (cell == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto out;
+ }
+
+ *cell = '\0';
+ cell += 1;
+
+ token = afs_createtoken_str(afsname, cell);
+ if (token == NULL) {
+ status = NT_STATUS_OK;
+ goto out;
+ }
+
+ talloc_steal(mem_ctx, token);
+ *_blob = data_blob_string_const_null(token);
+
+ status = NT_STATUS_OK;
+out:
+ TALLOC_FREE(tmp_ctx);
+
+ return status;
+}
+
+NTSTATUS extra_data_to_sid_array(const char *group_sid,
+ TALLOC_CTX *mem_ctx,
+ struct wbint_SidArray **_sid_array)
+{
+ TALLOC_CTX *tmp_ctx = NULL;
+ struct wbint_SidArray *sid_array = NULL;
+ struct dom_sid *require_membership_of_sid = NULL;
+ uint32_t num_require_membership_of_sid = 0;
+ char *req_sid = NULL;
+ const char *p = NULL;
+ NTSTATUS status;
+
+ if (_sid_array == NULL) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ *_sid_array = NULL;
+
+ tmp_ctx = talloc_new(mem_ctx);
+ if (tmp_ctx == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ sid_array = talloc_zero(tmp_ctx, struct wbint_SidArray);
+ if (sid_array == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto fail;
+ }
+
+ if (!group_sid || !group_sid[0]) {
+ /* NO sid supplied, all users may access */
+ status = NT_STATUS_OK;
+ /*
+ * Always return an allocated wbint_SidArray,
+ * even if the array is empty.
+ */
+ goto out;
+ }
+
+ num_require_membership_of_sid = 0;
+ require_membership_of_sid = NULL;
+ p = group_sid;
+
+ while (next_token_talloc(tmp_ctx, &p, &req_sid, ",")) {
+ struct dom_sid sid;
+
+ if (!string_to_sid(&sid, req_sid)) {
+ DBG_ERR("check_info3_in_group: could not parse %s "
+ "as a SID!\n", req_sid);
+ status = NT_STATUS_INVALID_PARAMETER;
+ goto fail;
+ }
+
+ status = add_sid_to_array(tmp_ctx, &sid,
+ &require_membership_of_sid,
+ &num_require_membership_of_sid);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_ERR("add_sid_to_array failed\n");
+ goto fail;
+ }
+ }
+
+ sid_array->num_sids = num_require_membership_of_sid;
+ sid_array->sids = talloc_move(sid_array, &require_membership_of_sid);
+
+ status = NT_STATUS_OK;
+out:
+ *_sid_array = talloc_move(mem_ctx, &sid_array);
+
+fail:
+ TALLOC_FREE(tmp_ctx);
+
+ return status;
+}
+
+static NTSTATUS check_info3_in_group(struct netr_SamInfo3 *info3,
+ struct wbint_SidArray *sid_array)
+/**
+ * Check whether a user belongs to a group or list of groups.
+ *
+ * @param mem_ctx talloc memory context.
+ * @param info3 user information, including group membership info.
+ * @param group_sid One or more groups , separated by commas.
+ *
+ * @return NT_STATUS_OK on success,
+ * NT_STATUS_LOGON_FAILURE if the user does not belong,
+ * or other NT_STATUS_IS_ERR(status) for other kinds of failure.
+ */
+{
+ size_t i;
+ struct security_token *token;
+ NTSTATUS status;
+
+ /* Parse the 'required group' SID */
+
+ if (sid_array == NULL || sid_array->num_sids == 0) {
+ /* NO sid supplied, all users may access */
+ return NT_STATUS_OK;
+ }
+
+ token = talloc_zero(talloc_tos(), struct security_token);
+ if (token == NULL) {
+ DEBUG(0, ("talloc failed\n"));
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ status = sid_array_from_info3(talloc_tos(), info3,
+ &token->sids,
+ &token->num_sids,
+ true);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ if (!NT_STATUS_IS_OK(status = add_aliases(get_global_sam_sid(),
+ token))
+ || !NT_STATUS_IS_OK(status = add_aliases(&global_sid_Builtin,
+ token))) {
+ DEBUG(3, ("could not add aliases: %s\n",
+ nt_errstr(status)));
+ return status;
+ }
+
+ security_token_debug(DBGC_CLASS, 10, token);
+
+ for (i=0; i<sid_array->num_sids; i++) {
+ struct dom_sid_buf buf;
+ DEBUG(10, ("Checking SID %s\n",
+ dom_sid_str_buf(&sid_array->sids[i],
+ &buf)));
+ if (nt_token_check_sid(&sid_array->sids[i],
+ token)) {
+ DEBUG(10, ("Access ok\n"));
+ return NT_STATUS_OK;
+ }
+ }
+
+ /* Do not distinguish this error from a wrong username/pw */
+
+ return NT_STATUS_LOGON_FAILURE;
+}
+
+struct winbindd_domain *find_auth_domain(uint8_t flags,
+ const char *domain_name)
+{
+ struct winbindd_domain *domain;
+
+ if (IS_DC) {
+ domain = find_domain_from_name_noinit(domain_name);
+ if (domain == NULL) {
+ DEBUG(3, ("Authentication for domain [%s] refused "
+ "as it is not a trusted domain\n",
+ domain_name));
+ return NULL;
+ }
+
+ if (domain->secure_channel_type != SEC_CHAN_NULL) {
+ return domain;
+ }
+
+ return domain->routing_domain;
+ }
+
+ if (strequal(domain_name, get_global_sam_name())) {
+ return find_domain_from_name_noinit(domain_name);
+ }
+
+ if (lp_winbind_use_krb5_enterprise_principals()) {
+ /*
+ * If we use enterprise principals
+ * we always go trough our primary domain
+ * and follow the WRONG_REALM replies.
+ */
+ flags &= ~WBFLAG_PAM_CONTACT_TRUSTDOM;
+ }
+
+ /* we can auth against trusted domains */
+ if (flags & WBFLAG_PAM_CONTACT_TRUSTDOM) {
+ domain = find_domain_from_name_noinit(domain_name);
+ if (domain == NULL) {
+ DEBUG(3, ("Authentication for domain [%s] skipped "
+ "as it is not a trusted domain\n",
+ domain_name));
+ } else {
+ return domain;
+ }
+ }
+
+ return find_our_domain();
+}
+
+static NTSTATUS get_password_policy(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ struct samr_DomInfo1 **_policy)
+{
+ NTSTATUS status;
+ struct samr_DomInfo1 *policy = NULL;
+
+ if ( !winbindd_can_contact_domain( domain ) ) {
+ DBG_INFO("No inbound trust to contact domain %s\n",
+ domain->name);
+ return NT_STATUS_NOT_SUPPORTED;
+ }
+
+ policy = talloc_zero(mem_ctx, struct samr_DomInfo1);
+ if (policy == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ status = wb_cache_password_policy(domain, mem_ctx, policy);
+ if (NT_STATUS_IS_ERR(status)) {
+ TALLOC_FREE(policy);
+ return status;
+ }
+
+ *_policy = talloc_move(mem_ctx, &policy);
+
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS get_max_bad_attempts_from_lockout_policy(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ uint16_t *lockout_threshold)
+{
+ NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
+ struct samr_DomInfo12 lockout_policy;
+
+ *lockout_threshold = 0;
+
+ status = wb_cache_lockout_policy(domain, mem_ctx, &lockout_policy);
+ if (NT_STATUS_IS_ERR(status)) {
+ return status;
+ }
+
+ *lockout_threshold = lockout_policy.lockout_threshold;
+
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS get_pwd_properties(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ uint32_t *password_properties)
+{
+ NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
+ struct samr_DomInfo1 password_policy;
+
+ *password_properties = 0;
+
+ status = wb_cache_password_policy(domain, mem_ctx, &password_policy);
+ if (NT_STATUS_IS_ERR(status)) {
+ return status;
+ }
+
+ *password_properties = password_policy.password_properties;
+
+ return NT_STATUS_OK;
+}
+
+#ifdef HAVE_KRB5
+
+static const char *generate_krb5_ccache(TALLOC_CTX *mem_ctx,
+ const char *type,
+ uid_t uid,
+ const char **user_ccache_file)
+{
+ /* accept FILE and WRFILE as krb5_cc_type from the client and then
+ * build the full ccname string based on the user's uid here -
+ * Guenther*/
+
+ const char *gen_cc = NULL;
+
+ if (uid != -1) {
+ if (strequal(type, "FILE")) {
+ gen_cc = talloc_asprintf(
+ mem_ctx, "FILE:/tmp/krb5cc_%d", uid);
+ }
+ if (strequal(type, "WRFILE")) {
+ gen_cc = talloc_asprintf(
+ mem_ctx, "WRFILE:/tmp/krb5cc_%d", uid);
+ }
+ if (strequal(type, "KEYRING")) {
+ gen_cc = talloc_asprintf(
+ mem_ctx, "KEYRING:persistent:%d", uid);
+ }
+ if (strequal(type, "KCM")) {
+ gen_cc = talloc_asprintf(mem_ctx,
+ "KCM:%d",
+ uid);
+ }
+
+ if (strnequal(type, "FILE:/", 6) ||
+ strnequal(type, "WRFILE:/", 8) ||
+ strnequal(type, "DIR:/", 5)) {
+
+ /* we allow only one "%u" substitution */
+
+ char *p;
+
+ p = strchr(type, '%');
+ if (p != NULL) {
+
+ p++;
+
+ if (p != NULL && *p == 'u' && strchr(p, '%') == NULL) {
+ char uid_str[sizeof("18446744073709551615")];
+
+ snprintf(uid_str, sizeof(uid_str), "%u", uid);
+
+ gen_cc = talloc_string_sub2(mem_ctx,
+ type,
+ "%u",
+ uid_str,
+ /* remove_unsafe_characters */
+ false,
+ /* replace_once */
+ true,
+ /* allow_trailing_dollar */
+ false);
+ }
+ }
+ }
+ }
+
+ *user_ccache_file = gen_cc;
+
+ if (gen_cc == NULL) {
+ gen_cc = talloc_strdup(mem_ctx, "MEMORY:winbindd_pam_ccache");
+ }
+ if (gen_cc == NULL) {
+ DEBUG(0,("out of memory\n"));
+ return NULL;
+ }
+
+ DEBUG(10, ("using ccache: %s%s\n", gen_cc,
+ (*user_ccache_file == NULL) ? " (internal)":""));
+
+ return gen_cc;
+}
+
+#endif
+
+uid_t get_uid_from_request(struct winbindd_request *request)
+{
+ uid_t uid;
+
+ uid = request->data.auth.uid;
+
+ if (uid == (uid_t)-1) {
+ DEBUG(1,("invalid uid: '%u'\n", (unsigned int)uid));
+ return -1;
+ }
+ return uid;
+}
+
+/**********************************************************************
+ Authenticate a user with a clear text password using Kerberos and fill up
+ ccache if required
+ **********************************************************************/
+
+static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
+ struct winbindd_domain *domain,
+ const char *user,
+ const char *pass,
+ const char *krb5_cc_type,
+ uid_t uid,
+ struct netr_SamInfo6 **info6,
+ const char **_krb5ccname)
+{
+#ifdef HAVE_KRB5
+ NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
+ krb5_error_code krb5_ret;
+ const char *cc = NULL;
+ const char *principal_s = NULL;
+ char *realm = NULL;
+ fstring name_namespace, name_domain, name_user;
+ time_t ticket_lifetime = 0;
+ time_t renewal_until = 0;
+ time_t time_offset = 0;
+ const char *user_ccache_file;
+ struct PAC_LOGON_INFO *logon_info = NULL;
+ struct PAC_UPN_DNS_INFO *upn_dns_info = NULL;
+ struct PAC_DATA *pac_data = NULL;
+ struct PAC_DATA_CTR *pac_data_ctr = NULL;
+ const char *local_service;
+ uint32_t i;
+ struct netr_SamInfo6 *info6_copy = NULL;
+ char *canon_principal = NULL;
+ char *canon_realm = NULL;
+ bool ok;
+
+ *info6 = NULL;
+
+ if (domain->alt_name == NULL) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ if (_krb5ccname != NULL) {
+ *_krb5ccname = NULL;
+ }
+
+ /* 1st step:
+ * prepare a krb5_cc_cache string for the user */
+
+ if (uid == -1) {
+ DEBUG(0,("no valid uid\n"));
+ }
+
+ cc = generate_krb5_ccache(mem_ctx,
+ krb5_cc_type,
+ uid,
+ &user_ccache_file);
+ if (cc == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+
+ /* 2nd step:
+ * get kerberos properties */
+
+ if (domain->backend_data.ads_conn != NULL) {
+ time_offset = domain->backend_data.ads_conn->auth.time_offset;
+ }
+
+
+ /* 3rd step:
+ * do kerberos auth and setup ccache as the user */
+
+ ok = parse_domain_user(user, name_namespace, name_domain, name_user);
+ if (!ok) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ realm = talloc_strdup(mem_ctx, domain->alt_name);
+ if (realm == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if (!strupper_m(realm)) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ if (lp_winbind_use_krb5_enterprise_principals() &&
+ name_namespace[0] != '\0')
+ {
+ principal_s = talloc_asprintf(mem_ctx,
+ "%s@%s@%s",
+ name_user,
+ name_namespace,
+ realm);
+ } else {
+ principal_s = talloc_asprintf(mem_ctx,
+ "%s@%s",
+ name_user,
+ realm);
+ }
+ if (principal_s == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ local_service = talloc_asprintf(mem_ctx, "%s$@%s",
+ lp_netbios_name(), lp_realm());
+ if (local_service == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+
+ /* if this is a user ccache, we need to act as the user to let the krb5
+ * library handle the chown, etc. */
+
+ /************************ ENTERING NON-ROOT **********************/
+
+ if (user_ccache_file != NULL) {
+ set_effective_uid(uid);
+ DEBUG(10,("winbindd_raw_kerberos_login: uid is %d\n", uid));
+ }
+
+ result = kerberos_return_pac(mem_ctx,
+ principal_s,
+ pass,
+ time_offset,
+ &ticket_lifetime,
+ &renewal_until,
+ cc,
+ true,
+ true,
+ WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
+ NULL,
+ local_service,
+ &canon_principal,
+ &canon_realm,
+ &pac_data_ctr);
+ if (user_ccache_file != NULL) {
+ gain_root_privilege();
+ }
+
+ /************************ RETURNED TO ROOT **********************/
+
+ if (!NT_STATUS_IS_OK(result)) {
+ goto failed;
+ }
+
+ if (pac_data_ctr == NULL) {
+ goto failed;
+ }
+
+ pac_data = pac_data_ctr->pac_data;
+ if (pac_data == NULL) {
+ goto failed;
+ }
+
+ for (i=0; i < pac_data->num_buffers; i++) {
+
+ if (pac_data->buffers[i].type == PAC_TYPE_LOGON_INFO) {
+ logon_info = pac_data->buffers[i].info->logon_info.info;
+ continue;
+ }
+
+ if (pac_data->buffers[i].type == PAC_TYPE_UPN_DNS_INFO) {
+ upn_dns_info = &pac_data->buffers[i].info->upn_dns_info;
+ continue;
+ }
+ }
+
+ if (logon_info == NULL) {
+ DEBUG(10,("Missing logon_info in ticket of %s\n",
+ principal_s));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ DEBUG(10,("winbindd_raw_kerberos_login: winbindd validated ticket of %s\n",
+ principal_s));
+
+ result = create_info6_from_pac(mem_ctx, logon_info,
+ upn_dns_info, &info6_copy);
+ if (!NT_STATUS_IS_OK(result)) {
+ goto failed;
+ }
+
+ /* if we had a user's ccache then return that string for the pam
+ * environment */
+
+ if (user_ccache_file != NULL) {
+
+ if (_krb5ccname != NULL) {
+ *_krb5ccname = talloc_steal(mem_ctx, user_ccache_file);
+ }
+
+ result = add_ccache_to_list(principal_s,
+ cc,
+ user,
+ pass,
+ realm,
+ uid,
+ time(NULL),
+ ticket_lifetime,
+ renewal_until,
+ false,
+ canon_principal,
+ canon_realm);
+
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(10,("winbindd_raw_kerberos_login: failed to add ccache to list: %s\n",
+ nt_errstr(result)));
+ }
+ } else {
+
+ /* need to delete the memory cred cache, it is not used anymore */
+
+ krb5_ret = ads_kdestroy(cc);
+ if (krb5_ret) {
+ DEBUG(3,("winbindd_raw_kerberos_login: "
+ "could not destroy krb5 credential cache: "
+ "%s\n", error_message(krb5_ret)));
+ }
+
+ }
+ *info6 = info6_copy;
+ return NT_STATUS_OK;
+
+failed:
+ /*
+ * Do not delete an existing valid credential cache, if the user
+ * e.g. enters a wrong password
+ */
+ if ((strequal(krb5_cc_type, "FILE") || strequal(krb5_cc_type, "WRFILE"))
+ && user_ccache_file != NULL) {
+ return result;
+ }
+
+ /* we could have created a new credential cache with a valid tgt in it
+ * but we werent able to get or verify the service ticket for this
+ * local host and therefor didn't get the PAC, we need to remove that
+ * cache entirely now */
+
+ krb5_ret = ads_kdestroy(cc);
+ if (krb5_ret) {
+ DEBUG(3,("winbindd_raw_kerberos_login: "
+ "could not destroy krb5 credential cache: "
+ "%s\n", error_message(krb5_ret)));
+ }
+
+ if (!NT_STATUS_IS_OK(remove_ccache(user))) {
+ DEBUG(3,("winbindd_raw_kerberos_login: "
+ "could not remove ccache for user %s\n",
+ user));
+ }
+
+ return result;
+#else
+ return NT_STATUS_NOT_SUPPORTED;
+#endif /* HAVE_KRB5 */
+}
+
+/****************************************************************
+****************************************************************/
+
+bool check_request_flags(uint32_t flags)
+{
+ uint32_t flags_edata = WBFLAG_PAM_AFS_TOKEN |
+ WBFLAG_PAM_INFO3_TEXT |
+ WBFLAG_PAM_INFO3_NDR;
+
+ if ( ( (flags & flags_edata) == WBFLAG_PAM_AFS_TOKEN) ||
+ ( (flags & flags_edata) == WBFLAG_PAM_INFO3_NDR) ||
+ ( (flags & flags_edata) == WBFLAG_PAM_INFO3_TEXT)||
+ !(flags & flags_edata) ) {
+ return true;
+ }
+
+ DEBUG(1, ("check_request_flags: invalid request flags[0x%08X]\n",
+ flags));
+
+ return false;
+}
+
+/****************************************************************
+****************************************************************/
+
+NTSTATUS append_auth_data(TALLOC_CTX *mem_ctx,
+ struct winbindd_response *resp,
+ uint32_t request_flags,
+ uint16_t validation_level,
+ union netr_Validation *validation,
+ const char *name_domain,
+ const char *name_user)
+{
+ struct netr_SamInfo3 *info3 = NULL;
+ NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
+
+ result = map_validation_to_info3(talloc_tos(),
+ validation_level,
+ validation,
+ &info3);
+ if (!NT_STATUS_IS_OK(result)) {
+ goto out;
+ }
+
+ if (request_flags & WBFLAG_PAM_USER_SESSION_KEY) {
+ memcpy(resp->data.auth.user_session_key,
+ info3->base.key.key,
+ sizeof(resp->data.auth.user_session_key)
+ /* 16 */);
+ }
+
+ if (request_flags & WBFLAG_PAM_LMKEY) {
+ memcpy(resp->data.auth.first_8_lm_hash,
+ info3->base.LMSessKey.key,
+ sizeof(resp->data.auth.first_8_lm_hash)
+ /* 8 */);
+ }
+
+ if (request_flags & WBFLAG_PAM_UNIX_NAME) {
+ char *unix_username = NULL;
+ result = append_unix_username(validation_level,
+ validation,
+ name_domain,
+ name_user,
+ mem_ctx,
+ &unix_username);
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(10,("Failed to append Unix Username: %s\n",
+ nt_errstr(result)));
+ goto out;
+ }
+ fstrcpy(resp->data.auth.unix_username, unix_username);
+ TALLOC_FREE(unix_username);
+ }
+
+ /* currently, anything from here on potentially overwrites extra_data. */
+
+ if (request_flags & WBFLAG_PAM_INFO3_NDR) {
+ result = append_info3_as_ndr(mem_ctx, resp, info3);
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(10,("Failed to append INFO3 (NDR): %s\n",
+ nt_errstr(result)));
+ goto out;
+ }
+ }
+
+ if (request_flags & WBFLAG_PAM_INFO3_TEXT) {
+ result = append_info3_as_txt(mem_ctx, resp,
+ validation_level,
+ validation);
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(10,("Failed to append INFO3 (TXT): %s\n",
+ nt_errstr(result)));
+ goto out;
+ }
+ }
+
+ if (request_flags & WBFLAG_PAM_AFS_TOKEN) {
+ DATA_BLOB blob = data_blob_null;
+ result = append_afs_token(validation_level,
+ validation,
+ name_domain,
+ name_user,
+ mem_ctx,
+ &blob);
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(10,("Failed to append AFS token: %s\n",
+ nt_errstr(result)));
+ goto out;
+ }
+ resp->extra_data.data = blob.data;
+ resp->length += blob.length;
+ }
+
+ result = NT_STATUS_OK;
+out:
+ TALLOC_FREE(info3);
+ return result;
+}
+
+static NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain,
+ bool krb5_auth,
+ const char *user,
+ const char *pass,
+ const char *krb5_cc_type,
+ uid_t uid,
+ TALLOC_CTX *mem_ctx,
+ uint16_t *_validation_level,
+ union netr_Validation **_validation,
+ const char **_krb5ccname)
+{
+ TALLOC_CTX *tmp_ctx = NULL;
+ NTSTATUS result = NT_STATUS_LOGON_FAILURE;
+ uint16_t max_allowed_bad_attempts;
+ fstring name_namespace, name_domain, name_user;
+ struct dom_sid sid;
+ enum lsa_SidType type;
+ uchar new_nt_pass[NT_HASH_LEN];
+ const uint8_t *cached_nt_pass;
+ const uint8_t *cached_salt;
+ struct netr_SamInfo3 *my_info3;
+ time_t kickoff_time, must_change_time;
+ bool password_good = false;
+ bool ok;
+#ifdef HAVE_KRB5
+ struct winbindd_tdc_domain *tdc_domain = NULL;
+#endif
+
+ if (_validation == NULL) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ *_validation = NULL;
+
+ if (_krb5ccname != NULL) {
+ *_krb5ccname = NULL;
+ }
+
+ DEBUG(10,("winbindd_dual_pam_auth_cached\n"));
+
+ tmp_ctx = talloc_new(mem_ctx);
+ if (tmp_ctx == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ /* Parse domain and username */
+
+ ok = parse_domain_user(user, name_namespace, name_domain, name_user);
+ if (!ok) {
+ DBG_DEBUG("parse_domain_user failed\n");
+ result = NT_STATUS_NO_SUCH_USER;
+ goto out;
+ }
+
+ if (!lookup_cached_name(name_namespace,
+ name_domain,
+ name_user,
+ &sid,
+ &type)) {
+ DEBUG(10,("winbindd_dual_pam_auth_cached: no such user in the cache\n"));
+ result = NT_STATUS_NO_SUCH_USER;
+ goto out;
+ }
+
+ if (type != SID_NAME_USER) {
+ DEBUG(10,("winbindd_dual_pam_auth_cached: not a user (%s)\n", sid_type_lookup(type)));
+ result = NT_STATUS_LOGON_FAILURE;
+ goto out;
+ }
+
+ result = winbindd_get_creds(domain,
+ tmp_ctx,
+ &sid,
+ &my_info3,
+ &cached_nt_pass,
+ &cached_salt);
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get creds: %s\n", nt_errstr(result)));
+ goto out;
+ }
+
+ E_md4hash(pass, new_nt_pass);
+
+ dump_data_pw("new_nt_pass", new_nt_pass, NT_HASH_LEN);
+ dump_data_pw("cached_nt_pass", cached_nt_pass, NT_HASH_LEN);
+ if (cached_salt) {
+ dump_data_pw("cached_salt", cached_salt, NT_HASH_LEN);
+ }
+
+ if (cached_salt) {
+ /* In this case we didn't store the nt_hash itself,
+ but the MD5 combination of salt + nt_hash. */
+ uchar salted_hash[NT_HASH_LEN];
+ gnutls_hash_hd_t hash_hnd = NULL;
+ int rc;
+
+ rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
+ if (rc < 0) {
+ result = gnutls_error_to_ntstatus(
+ rc, NT_STATUS_HASH_NOT_SUPPORTED);
+ goto out;
+ }
+
+ rc = gnutls_hash(hash_hnd, cached_salt, 16);
+ if (rc < 0) {
+ gnutls_hash_deinit(hash_hnd, NULL);
+ result = gnutls_error_to_ntstatus(
+ rc, NT_STATUS_HASH_NOT_SUPPORTED);
+ goto out;
+ }
+ rc = gnutls_hash(hash_hnd, new_nt_pass, 16);
+ if (rc < 0) {
+ gnutls_hash_deinit(hash_hnd, NULL);
+ result = gnutls_error_to_ntstatus(
+ rc, NT_STATUS_HASH_NOT_SUPPORTED);
+ goto out;
+ }
+ gnutls_hash_deinit(hash_hnd, salted_hash);
+
+ password_good = mem_equal_const_time(cached_nt_pass, salted_hash,
+ NT_HASH_LEN);
+ } else {
+ /* Old cached cred - direct store of nt_hash (bad bad bad !). */
+ password_good = mem_equal_const_time(cached_nt_pass, new_nt_pass,
+ NT_HASH_LEN);
+ }
+
+ if (password_good) {
+
+ /* User *DOES* know the password, update logon_time and reset
+ * bad_pw_count */
+
+ my_info3->base.user_flags |= NETLOGON_CACHED_ACCOUNT;
+
+ if (my_info3->base.acct_flags & ACB_AUTOLOCK) {
+ result = NT_STATUS_ACCOUNT_LOCKED_OUT;
+ goto out;
+ }
+
+ if (my_info3->base.acct_flags & ACB_DISABLED) {
+ result = NT_STATUS_ACCOUNT_DISABLED;
+ goto out;
+ }
+
+ if (my_info3->base.acct_flags & ACB_WSTRUST) {
+ result = NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT;
+ goto out;
+ }
+
+ if (my_info3->base.acct_flags & ACB_SVRTRUST) {
+ result = NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT;
+ goto out;
+ }
+
+ if (my_info3->base.acct_flags & ACB_DOMTRUST) {
+ result = NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT;
+ goto out;
+ }
+
+ if (!(my_info3->base.acct_flags & ACB_NORMAL)) {
+ DEBUG(0,("winbindd_dual_pam_auth_cached: whats wrong with that one?: 0x%08x\n",
+ my_info3->base.acct_flags));
+ result = NT_STATUS_LOGON_FAILURE;
+ goto out;
+ }
+
+ kickoff_time = nt_time_to_unix(my_info3->base.kickoff_time);
+ if (kickoff_time != 0 && time(NULL) > kickoff_time) {
+ result = NT_STATUS_ACCOUNT_EXPIRED;
+ goto out;
+ }
+
+ must_change_time = nt_time_to_unix(my_info3->base.force_password_change);
+ if (must_change_time != 0 && must_change_time < time(NULL)) {
+ /* we allow grace logons when the password has expired */
+ my_info3->base.user_flags |= NETLOGON_GRACE_LOGON;
+ /* return NT_STATUS_PASSWORD_EXPIRED; */
+ goto success;
+ }
+
+#ifdef HAVE_KRB5
+ if ((krb5_auth) &&
+ ((tdc_domain = wcache_tdc_fetch_domain(tmp_ctx, name_domain)) != NULL) &&
+ ((tdc_domain->trust_type & LSA_TRUST_TYPE_UPLEVEL) ||
+ /* used to cope with the case winbindd starting without network. */
+ !strequal(tdc_domain->domain_name, tdc_domain->dns_name))) {
+ const char *cc = NULL;
+ char *realm = NULL;
+ const char *principal_s = NULL;
+ const char *user_ccache_file;
+
+ if (domain->alt_name == NULL) {
+ result = NT_STATUS_INVALID_PARAMETER;
+ goto out;
+ }
+
+ if (uid == -1) {
+ DEBUG(0,("winbindd_dual_pam_auth_cached: invalid uid\n"));
+ result = NT_STATUS_INVALID_PARAMETER;
+ goto out;
+ }
+
+ cc = generate_krb5_ccache(tmp_ctx,
+ krb5_cc_type,
+ uid,
+ &user_ccache_file);
+ if (cc == NULL) {
+ result = NT_STATUS_NO_MEMORY;
+ goto out;
+ }
+
+ realm = talloc_strdup(tmp_ctx, domain->alt_name);
+ if (realm == NULL) {
+ result = NT_STATUS_NO_MEMORY;
+ goto out;
+ }
+
+ if (!strupper_m(realm)) {
+ result = NT_STATUS_INVALID_PARAMETER;
+ goto out;
+ }
+
+ principal_s = talloc_asprintf(tmp_ctx, "%s@%s", name_user, realm);
+ if (principal_s == NULL) {
+ result = NT_STATUS_NO_MEMORY;
+ goto out;
+ }
+
+ if (user_ccache_file != NULL) {
+
+ if (_krb5ccname != NULL) {
+ *_krb5ccname = talloc_move(mem_ctx,
+ &user_ccache_file);
+ }
+
+ result = add_ccache_to_list(principal_s,
+ cc,
+ user,
+ pass,
+ realm,
+ uid,
+ time(NULL),
+ time(NULL) + lp_winbind_cache_time(),
+ time(NULL) + WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
+ true,
+ principal_s,
+ realm);
+
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(10,("winbindd_dual_pam_auth_cached: failed "
+ "to add ccache to list: %s\n",
+ nt_errstr(result)));
+ }
+ }
+ }
+#endif /* HAVE_KRB5 */
+ success:
+ /* FIXME: we possibly should handle logon hours as well (does xp when
+ * offline?) see auth/auth_sam.c:sam_account_ok for details */
+
+ unix_to_nt_time(&my_info3->base.logon_time, time(NULL));
+ my_info3->base.bad_password_count = 0;
+
+ result = winbindd_update_creds_by_info3(domain,
+ user,
+ pass,
+ my_info3);
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(1,("winbindd_dual_pam_auth_cached: failed to update creds: %s\n",
+ nt_errstr(result)));
+ goto out;
+ }
+
+ result = map_info3_to_validation(mem_ctx,
+ my_info3,
+ _validation_level,
+ _validation);
+ if (!NT_STATUS_IS_OK(result)) {
+ DBG_ERR("map_info3_to_validation failed: %s\n",
+ nt_errstr(result));
+ goto out;
+ }
+
+ result = NT_STATUS_OK;
+ goto out;
+ }
+
+ /* User does *NOT* know the correct password, modify info3 accordingly, but only if online */
+ if (domain->online == false) {
+ goto failed;
+ }
+
+ /* failure of this is not critical */
+ result = get_max_bad_attempts_from_lockout_policy(domain, tmp_ctx, &max_allowed_bad_attempts);
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get max_allowed_bad_attempts. "
+ "Won't be able to honour account lockout policies\n"));
+ }
+
+ /* increase counter */
+ my_info3->base.bad_password_count++;
+
+ if (max_allowed_bad_attempts == 0) {
+ goto failed;
+ }
+
+ /* lockout user */
+ if (my_info3->base.bad_password_count >= max_allowed_bad_attempts) {
+
+ uint32_t password_properties;
+
+ result = get_pwd_properties(domain, tmp_ctx, &password_properties);
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get password properties.\n"));
+ }
+
+ if ((my_info3->base.rid != DOMAIN_RID_ADMINISTRATOR) ||
+ (password_properties & DOMAIN_PASSWORD_LOCKOUT_ADMINS)) {
+ my_info3->base.acct_flags |= ACB_AUTOLOCK;
+ }
+ }
+
+failed:
+ result = winbindd_update_creds_by_info3(domain, user, NULL, my_info3);
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(0,("winbindd_dual_pam_auth_cached: failed to update creds %s\n",
+ nt_errstr(result)));
+ }
+
+ result = NT_STATUS_LOGON_FAILURE;
+
+out:
+ TALLOC_FREE(tmp_ctx);
+
+ return result;
+}
+
+static NTSTATUS winbindd_dual_pam_auth_kerberos(struct winbindd_domain *domain,
+ const char *user,
+ const char *pass,
+ const char *krb5_cc_type,
+ uid_t uid,
+ TALLOC_CTX *mem_ctx,
+ uint16_t *_validation_level,
+ union netr_Validation **_validation,
+ const char **_krb5ccname)
+{
+ struct netr_SamInfo6 *info6 = NULL;
+ struct winbindd_domain *contact_domain;
+ fstring name_namespace, name_domain, name_user;
+ NTSTATUS result;
+ bool ok;
+
+ DEBUG(10,("winbindd_dual_pam_auth_kerberos\n"));
+
+ /* Parse domain and username */
+
+ ok = parse_domain_user(user,
+ name_namespace,
+ name_domain,
+ name_user);
+ if (!ok) {
+ result = NT_STATUS_INVALID_PARAMETER;
+ goto done;
+ }
+
+ /* what domain should we contact? */
+
+ if (lp_winbind_use_krb5_enterprise_principals()) {
+ contact_domain = find_auth_domain(0, name_namespace);
+ } else {
+ contact_domain = find_domain_from_name(name_namespace);
+ }
+ if (contact_domain == NULL) {
+ DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
+ user, name_domain, name_user, name_namespace));
+ result = NT_STATUS_NO_SUCH_USER;
+ goto done;
+ }
+
+ if (contact_domain->initialized &&
+ contact_domain->active_directory) {
+ goto try_login;
+ }
+
+ if (!contact_domain->initialized) {
+ init_dc_connection(contact_domain, false);
+ }
+
+ if (!contact_domain->active_directory) {
+ DEBUG(3,("krb5 auth requested but domain (%s) is not Active Directory\n",
+ contact_domain->name));
+ return NT_STATUS_INVALID_LOGON_TYPE;
+ }
+try_login:
+ result = winbindd_raw_kerberos_login(
+ mem_ctx,
+ contact_domain,
+ user,
+ pass,
+ krb5_cc_type,
+ uid,
+ &info6,
+ _krb5ccname);
+ if (!NT_STATUS_IS_OK(result)) {
+ goto done;
+ }
+
+ result = map_info6_to_validation(mem_ctx,
+ info6,
+ _validation_level,
+ _validation);
+ TALLOC_FREE(info6);
+ if (!NT_STATUS_IS_OK(result)) {
+ DBG_ERR("map_info6_to_validation failed: %s\n",
+ nt_errstr(result));
+ }
+
+done:
+ return result;
+}
+
+static NTSTATUS winbindd_dual_auth_passdb(TALLOC_CTX *mem_ctx,
+ uint32_t logon_parameters,
+ const char *domain,
+ const char *user,
+ const uint64_t logon_id,
+ const char *client_name,
+ const int client_pid,
+ const DATA_BLOB *challenge,
+ const DATA_BLOB *lm_resp,
+ const DATA_BLOB *nt_resp,
+ const struct tsocket_address *remote,
+ const struct tsocket_address *local,
+ bool interactive,
+ uint8_t *pauthoritative,
+ struct netr_SamInfo3 **pinfo3)
+{
+ struct auth_context *auth_context;
+ struct auth_serversupplied_info *server_info;
+ struct auth_usersupplied_info *user_info = NULL;
+ struct netr_SamInfo3 *info3;
+ NTSTATUS status;
+ bool ok;
+ TALLOC_CTX *frame = talloc_stackframe();
+
+ /*
+ * We are authoritative by default
+ */
+ *pauthoritative = 1;
+
+ status = make_user_info(frame, &user_info, user, user, domain, domain,
+ lp_netbios_name(), remote, local,
+ "winbind",
+ lm_resp, nt_resp, NULL, NULL,
+ NULL, AUTH_PASSWORD_RESPONSE);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(10, ("make_user_info failed: %s\n", nt_errstr(status)));
+ TALLOC_FREE(frame);
+ return status;
+ }
+
+ user_info->logon_parameters = logon_parameters;
+ user_info->logon_id = logon_id;
+ user_info->auth_description = talloc_asprintf(
+ frame, "PASSDB, %s, %d", client_name, client_pid);
+ if (user_info->auth_description == NULL) {
+ TALLOC_FREE(frame);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ /* We don't want to come back to winbindd or to do PAM account checks */
+ user_info->flags |= USER_INFO_INFO3_AND_NO_AUTHZ;
+
+ if (interactive) {
+ user_info->flags |= USER_INFO_INTERACTIVE_LOGON;
+ }
+
+ status = make_auth3_context_for_winbind(frame, &auth_context);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_ERR("make_auth3_context_for_winbind failed: %s\n",
+ nt_errstr(status));
+ TALLOC_FREE(frame);
+ return status;
+ }
+
+ ok = auth3_context_set_challenge(auth_context,
+ challenge->data, "fixed");
+ if (!ok) {
+ TALLOC_FREE(frame);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ status = auth_check_ntlm_password(mem_ctx,
+ auth_context,
+ user_info,
+ &server_info,
+ pauthoritative);
+ if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(frame);
+ return status;
+ }
+
+ info3 = talloc_zero(mem_ctx, struct netr_SamInfo3);
+ if (info3 == NULL) {
+ TALLOC_FREE(frame);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ status = serverinfo_to_SamInfo3(server_info, info3);
+ if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(frame);
+ TALLOC_FREE(info3);
+ DEBUG(0, ("serverinfo_to_SamInfo3 failed: %s\n",
+ nt_errstr(status)));
+ return status;
+ }
+
+ *pinfo3 = info3;
+ DBG_DEBUG("Authenticating user %s\\%s returned %s\n",
+ domain,
+ user,
+ nt_errstr(status));
+ TALLOC_FREE(frame);
+ return status;
+}
+
+static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ uint32_t logon_parameters,
+ const char *username,
+ const char *password,
+ const char *domainname,
+ const char *workstation,
+ const uint64_t logon_id,
+ bool plaintext_given,
+ DATA_BLOB chal,
+ DATA_BLOB lm_response,
+ DATA_BLOB nt_response,
+ bool interactive,
+ uint8_t *authoritative,
+ uint32_t *flags,
+ uint16_t *_validation_level,
+ union netr_Validation **_validation)
+{
+ int attempts = 0;
+ int netr_attempts = 0;
+ bool retry = false;
+ bool valid_result = false;
+ NTSTATUS result;
+ enum netr_LogonInfoClass logon_type_i;
+ enum netr_LogonInfoClass logon_type_n;
+ uint16_t validation_level = UINT16_MAX;
+ union netr_Validation *validation = NULL;
+ TALLOC_CTX *base_ctx = NULL;
+ struct netr_SamBaseInfo *base_info = NULL;
+
+ do {
+ struct rpc_pipe_client *netlogon_pipe;
+ struct netlogon_creds_cli_context *netlogon_creds_ctx = NULL;
+
+ /*
+ * We should always reset authoritative to 1
+ * before calling a server again.
+ *
+ * Otherwise we could treat a local problem as
+ * non-authoritative.
+ */
+ *authoritative = 1;
+
+ retry = false;
+
+ result = cm_connect_netlogon_secure(domain, &netlogon_pipe,
+ &netlogon_creds_ctx);
+
+ if (NT_STATUS_EQUAL(result,
+ NT_STATUS_CANT_ACCESS_DOMAIN_INFO)) {
+ /*
+ * This means we don't have a trust account.
+ */
+ *authoritative = 0;
+ result = NT_STATUS_NO_SUCH_USER;
+ break;
+ }
+
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(3,("Could not open handle to NETLOGON pipe "
+ "(error: %s, attempts: %d)\n",
+ nt_errstr(result), netr_attempts));
+
+ reset_cm_connection_on_error(domain, NULL, result);
+
+ /* After the first retry always close the connection */
+ if (netr_attempts > 0) {
+ DEBUG(3, ("This is again a problem for this "
+ "particular call, forcing the close "
+ "of this connection\n"));
+ invalidate_cm_connection(domain);
+ }
+
+ /* After the second retry failover to the next DC */
+ if (netr_attempts > 1) {
+ /*
+ * If the netlogon server is not reachable then
+ * it is possible that the DC is rebuilding
+ * sysvol and shutdown netlogon for that time.
+ * We should failover to the next dc.
+ */
+ DEBUG(3, ("This is the third problem for this "
+ "particular call, adding DC to the "
+ "negative cache list: %s %s\n", domain->name, domain->dcname));
+ add_failed_connection_entry(domain->name,
+ domain->dcname,
+ result);
+ saf_delete(domain->name);
+ }
+
+ /* Only allow 3 retries */
+ if (netr_attempts < 3) {
+ DEBUG(3, ("The connection to netlogon "
+ "failed, retrying\n"));
+ netr_attempts++;
+ retry = true;
+ continue;
+ }
+ return result;
+ }
+
+ logon_type_i = NetlogonInteractiveInformation;
+ logon_type_n = NetlogonNetworkInformation;
+ if (domain->domain_trust_attribs & LSA_TRUST_ATTRIBUTE_WITHIN_FOREST) {
+ logon_type_i = NetlogonInteractiveTransitiveInformation;
+ logon_type_n = NetlogonNetworkTransitiveInformation;
+ }
+
+ if (domain->domain_trust_attribs & LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) {
+ logon_type_i = NetlogonInteractiveTransitiveInformation;
+ logon_type_n = NetlogonNetworkTransitiveInformation;
+ }
+
+ if (domain->domain_trust_attribs & LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE) {
+ logon_type_i = NetlogonInteractiveInformation;
+ logon_type_n = NetlogonNetworkInformation;
+ }
+
+ if (domain->domain_trust_attribs & LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) {
+ logon_type_i = NetlogonInteractiveInformation;
+ logon_type_n = NetlogonNetworkInformation;
+ }
+
+ netr_attempts = 0;
+ if (plaintext_given) {
+ result = rpccli_netlogon_password_logon(
+ netlogon_creds_ctx,
+ netlogon_pipe->binding_handle,
+ mem_ctx,
+ logon_parameters,
+ domainname,
+ username,
+ password,
+ workstation,
+ logon_id,
+ logon_type_i,
+ authoritative,
+ flags,
+ &validation_level,
+ &validation);
+ } else if (interactive) {
+ result = rpccli_netlogon_interactive_logon(
+ netlogon_creds_ctx,
+ netlogon_pipe->binding_handle,
+ mem_ctx,
+ logon_parameters,
+ username,
+ domainname,
+ workstation,
+ logon_id,
+ lm_response,
+ nt_response,
+ logon_type_i,
+ authoritative,
+ flags,
+ &validation_level,
+ &validation);
+ } else {
+ result = rpccli_netlogon_network_logon(
+ netlogon_creds_ctx,
+ netlogon_pipe->binding_handle,
+ mem_ctx,
+ logon_parameters,
+ username,
+ domainname,
+ workstation,
+ logon_id,
+ chal,
+ lm_response,
+ nt_response,
+ logon_type_n,
+ authoritative,
+ flags,
+ &validation_level,
+ &validation);
+ }
+
+ /*
+ * we increment this after the "feature negotiation"
+ * for can_do_samlogon_ex and can_do_validation6
+ */
+ attempts += 1;
+
+ /* We have to try a second time as cm_connect_netlogon
+ might not yet have noticed that the DC has killed
+ our connection. */
+
+ retry = reset_cm_connection_on_error(domain,
+ netlogon_pipe->binding_handle,
+ result);
+ if (retry) {
+ DBG_PREFIX(attempts > 1 ? DBGLVL_NOTICE : DBGLVL_INFO, (
+ "This is problem %d for this "
+ "particular call,"
+ "DOMAIN[%s] DC[%s] - %s\n",
+ attempts,
+ domain->name,
+ domain->dcname,
+ nt_errstr(result)));
+ continue;
+ }
+
+ valid_result = true;
+
+ if (NT_STATUS_EQUAL(result, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
+ /*
+ * Got DCERPC_FAULT_OP_RNG_ERROR for SamLogon
+ * (no Ex). This happens against old Samba
+ * DCs, if LogonSamLogonEx() fails with an error
+ * e.g. NT_STATUS_NO_SUCH_USER or NT_STATUS_WRONG_PASSWORD.
+ *
+ * The server will log something like this:
+ * api_net_sam_logon_ex: Failed to marshall NET_R_SAM_LOGON_EX.
+ *
+ * This sets the whole connection into a fault_state mode
+ * and all following request get NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE.
+ *
+ * This also happens to our retry with LogonSamLogonWithFlags()
+ * and LogonSamLogon().
+ *
+ * In order to recover from this situation, we need to
+ * drop the connection.
+ */
+ invalidate_cm_connection(domain);
+ result = NT_STATUS_LOGON_FAILURE;
+ break;
+ }
+
+ } while ( (attempts < 3) && retry );
+
+ if (!valid_result) {
+ /*
+ * This matches what windows does. In a chain of transitive
+ * trusts the ACCESS_DENIED/authoritative=0 is not propagated
+ * instead of NT_STATUS_NO_LOGON_SERVERS/authoritative=1 is
+ * passed along the chain if there's no other DC is available.
+ */
+ DBG_WARNING("Mapping %s/authoritative=%u to "
+ "NT_STATUS_NO_LOGON_SERVERS/authoritative=1 for"
+ "USERNAME[%s] USERDOMAIN[%s] REMOTE-DOMAIN[%s] \n",
+ nt_errstr(result),
+ *authoritative,
+ username,
+ domainname,
+ domain->name);
+ *authoritative = 1;
+ return NT_STATUS_NO_LOGON_SERVERS;
+ }
+
+ if (!NT_STATUS_IS_OK(result)) {
+ return result;
+ }
+
+ switch (validation_level) {
+ case 3:
+ base_ctx = validation->sam3;
+ base_info = &validation->sam3->base;
+ break;
+ case 6:
+ base_ctx = validation->sam6;
+ base_info = &validation->sam6->base;
+ break;
+ default:
+ smb_panic(__location__);
+ }
+
+ if (base_info->acct_flags == 0 || base_info->account_name.string == NULL) {
+ struct dom_sid user_sid;
+ struct dom_sid_buf sid_buf;
+ const char *acct_flags_src = "server";
+ const char *acct_name_src = "server";
+
+ /*
+ * Handle the case where a NT4 DC does not fill in the acct_flags in
+ * the samlogon reply info3. Yes, in 2021, there are still admins
+ * arround with real NT4 DCs.
+ *
+ * We used to call dcerpc_samr_QueryUserInfo(level=16) to fetch
+ * acct_flags, but as NT4 DCs reject authentication with workstation
+ * accounts with NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT, even if
+ * MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT is specified, we only ever got
+ * ACB_NORMAL back (maybe with ACB_PWNOEXP in addition).
+ *
+ * For network logons NT4 DCs also skip the
+ * account_name, so we have to fallback to the
+ * one given by the client.
+ */
+
+ if (base_info->acct_flags == 0) {
+ base_info->acct_flags = ACB_NORMAL;
+ if (base_info->force_password_change == NTTIME_MAX) {
+ base_info->acct_flags |= ACB_PWNOEXP;
+ }
+ acct_flags_src = "calculated";
+ }
+
+ if (base_info->account_name.string == NULL) {
+ base_info->account_name.string = talloc_strdup(base_ctx,
+ username);
+ if (base_info->account_name.string == NULL) {
+ TALLOC_FREE(validation);
+ return NT_STATUS_NO_MEMORY;
+ }
+ acct_name_src = "client";
+ }
+
+ sid_compose(&user_sid, base_info->domain_sid, base_info->rid);
+
+ DBG_DEBUG("Fallback to %s_acct_flags[0x%x] %s_acct_name[%s] for %s\n",
+ acct_flags_src,
+ base_info->acct_flags,
+ acct_name_src,
+ base_info->account_name.string,
+ dom_sid_str_buf(&user_sid, &sid_buf));
+ }
+
+ *_validation_level = validation_level;
+ *_validation = validation;
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS nt_dual_auth_passdb(TALLOC_CTX *mem_ctx,
+ fstring name_user,
+ fstring name_domain,
+ const char *pass,
+ uint64_t logon_id,
+ const char *client_name,
+ const int client_pid,
+ const struct tsocket_address *remote,
+ const struct tsocket_address *local,
+ uint8_t *authoritative,
+ struct netr_SamInfo3 **info3)
+{
+ unsigned char local_nt_response[24];
+ uchar chal[8];
+ DATA_BLOB chal_blob;
+ DATA_BLOB lm_resp;
+ DATA_BLOB nt_resp;
+
+ /* do password magic */
+
+ generate_random_buffer(chal, sizeof(chal));
+ chal_blob = data_blob_const(chal, sizeof(chal));
+
+ if (lp_client_ntlmv2_auth()) {
+ DATA_BLOB server_chal;
+ DATA_BLOB names_blob;
+ server_chal = data_blob_const(chal, 8);
+
+ /* note that the 'workgroup' here is for the local
+ machine. The 'server name' must match the
+ 'workstation' passed to the actual SamLogon call.
+ */
+ names_blob = NTLMv2_generate_names_blob(mem_ctx,
+ lp_netbios_name(),
+ lp_workgroup());
+
+ if (!SMBNTLMv2encrypt(mem_ctx, name_user, name_domain,
+ pass, &server_chal, &names_blob,
+ &lm_resp, &nt_resp, NULL, NULL)) {
+ data_blob_free(&names_blob);
+ DEBUG(0, ("SMBNTLMv2encrypt() failed!\n"));
+ return NT_STATUS_NO_MEMORY;
+ }
+ data_blob_free(&names_blob);
+ } else {
+ int rc;
+ lm_resp = data_blob_null;
+
+ rc = SMBNTencrypt(pass, chal, local_nt_response);
+ if (rc != 0) {
+ DEBUG(0, ("SMBNTencrypt() failed!\n"));
+ return gnutls_error_to_ntstatus(rc,
+ NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
+ }
+
+ nt_resp = data_blob_talloc(mem_ctx, local_nt_response,
+ sizeof(local_nt_response));
+ }
+
+ return winbindd_dual_auth_passdb(talloc_tos(), 0, name_domain,
+ name_user, logon_id, client_name,
+ client_pid, &chal_blob, &lm_resp,
+ &nt_resp, remote, local,
+ true, /* interactive */
+ authoritative, info3);
+}
+
+static NTSTATUS winbindd_dual_pam_auth_samlogon(
+ TALLOC_CTX *mem_ctx,
+ struct winbindd_domain *domain,
+ const char *user,
+ const char *pass,
+ uint64_t logon_id,
+ const char *client_name,
+ const int client_pid,
+ uint32_t request_flags,
+ const struct tsocket_address *remote,
+ const struct tsocket_address *local,
+ uint16_t *_validation_level,
+ union netr_Validation **_validation)
+{
+ fstring name_namespace, name_domain, name_user;
+ NTSTATUS result;
+ uint8_t authoritative = 1;
+ uint32_t flags = 0;
+ uint16_t validation_level = 0;
+ union netr_Validation *validation = NULL;
+ bool ok;
+
+ DEBUG(10,("winbindd_dual_pam_auth_samlogon\n"));
+
+ /* Parse domain and username */
+
+ ok = parse_domain_user(user, name_namespace, name_domain, name_user);
+ if (!ok) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ /*
+ * We check against domain->name instead of
+ * name_domain, as find_auth_domain() ->
+ * find_domain_from_name_noinit() already decided
+ * that we are in a child for the correct domain.
+ *
+ * name_domain can also be lp_realm()
+ * we need to check against domain->name.
+ */
+ if (strequal(domain->name, get_global_sam_name())) {
+ struct netr_SamInfo3 *info3 = NULL;
+
+ result = nt_dual_auth_passdb(mem_ctx, name_user, name_domain,
+ pass, logon_id, client_name,
+ client_pid, remote, local,
+ &authoritative, &info3);
+
+ /*
+ * We need to try the remote NETLOGON server if this is
+ * not authoritative (for example on the RODC).
+ */
+ if (authoritative != 0) {
+ if (!NT_STATUS_IS_OK(result)) {
+ return result;
+ }
+ result = map_info3_to_validation(mem_ctx,
+ info3,
+ &validation_level,
+ &validation);
+ TALLOC_FREE(info3);
+ if (!NT_STATUS_IS_OK(result)) {
+ return result;
+ }
+
+ goto done;
+ }
+ }
+
+ /* check authentication loop */
+
+ result = winbind_samlogon_retry_loop(domain,
+ mem_ctx,
+ 0,
+ name_user,
+ pass,
+ name_domain,
+ lp_netbios_name(),
+ logon_id,
+ true, /* plaintext_given */
+ data_blob_null,
+ data_blob_null, data_blob_null,
+ true, /* interactive */
+ &authoritative,
+ &flags,
+ &validation_level,
+ &validation);
+ if (!NT_STATUS_IS_OK(result)) {
+ return result;
+ }
+
+done:
+ *_validation_level = validation_level;
+ *_validation = validation;
+
+ return NT_STATUS_OK;
+}
+
+/*
+ * @brief generate an authentication message in the logs.
+ *
+ */
+static void log_authentication(
+ TALLOC_CTX *mem_ctx,
+ const struct winbindd_domain *domain,
+ const char *client_name,
+ pid_t client_pid,
+ uint16_t validation_level,
+ union netr_Validation *validation,
+ const struct timeval start_time,
+ const uint64_t logon_id,
+ const char *command,
+ const char *user_name,
+ const char *domain_name,
+ const char *workstation,
+ const DATA_BLOB lm_resp,
+ const DATA_BLOB nt_resp,
+ const struct tsocket_address *remote,
+ const struct tsocket_address *local,
+ NTSTATUS result)
+{
+ struct auth_usersupplied_info *ui = NULL;
+ struct dom_sid *sid = NULL;
+ struct loadparm_context *lp_ctx = NULL;
+ struct imessaging_context *msg_ctx = NULL;
+ struct netr_SamBaseInfo *base_info = NULL;
+
+ if (validation != NULL) {
+ switch (validation_level) {
+ case 3:
+ base_info = &validation->sam3->base;
+ break;
+ case 6:
+ base_info = &validation->sam6->base;
+ break;
+ default:
+ DBG_WARNING("Unexpected validation level '%d'\n",
+ validation_level);
+ break;
+ }
+ }
+
+ ui = talloc_zero(mem_ctx, struct auth_usersupplied_info);
+ ui->logon_id = logon_id;
+ ui->service_description = "winbind";
+ ui->password.response.nt.length = nt_resp.length;
+ ui->password.response.nt.data = nt_resp.data;
+ ui->password.response.lanman.length = lm_resp.length;
+ ui->password.response.lanman.data = lm_resp.data;
+ if (nt_resp.length == 0 && lm_resp.length == 0) {
+ ui->password_state = AUTH_PASSWORD_PLAIN;
+ } else {
+ ui->password_state = AUTH_PASSWORD_RESPONSE;
+ }
+ /*
+ * In the event of a failure ui->auth_description will be null,
+ * the logging code handles this correctly so it can be ignored.
+ */
+ ui->auth_description = talloc_asprintf(
+ ui,
+ "%s, %s, %d",
+ command,
+ client_name,
+ client_pid);
+ if (ui->auth_description == NULL) {
+ DBG_ERR("OOM Unable to create auth_description");
+ }
+ ui->client.account_name = user_name;
+ ui->client.domain_name = domain_name;
+ ui->workstation_name = workstation;
+ ui->remote_host = remote;
+ ui->local_host = local;
+
+ if (base_info != NULL) {
+ sid = dom_sid_dup(ui, base_info->domain_sid);
+ if (sid != NULL) {
+ sid_append_rid(sid, base_info->rid);
+ }
+ }
+
+ if (lp_auth_event_notification()) {
+ lp_ctx = loadparm_init_s3(ui, loadparm_s3_helpers());
+ msg_ctx = imessaging_client_init(
+ ui, lp_ctx, global_event_context());
+ }
+ log_authentication_event(
+ msg_ctx,
+ lp_ctx,
+ &start_time,
+ ui,
+ result,
+ base_info != NULL ? base_info->logon_domain.string : "",
+ base_info != NULL ? base_info->account_name.string : "",
+ sid);
+ TALLOC_FREE(ui);
+}
+
+NTSTATUS _wbint_PamAuth(struct pipes_struct *p,
+ struct wbint_PamAuth *r)
+{
+ struct winbindd_domain *domain = wb_child_domain();
+ NTSTATUS result = NT_STATUS_LOGON_FAILURE;
+ NTSTATUS krb5_result = NT_STATUS_OK;
+ fstring name_namespace, name_domain, name_user;
+ char *mapped_user = NULL;
+ const char *domain_user = NULL;
+ uint16_t validation_level = UINT16_MAX;
+ union netr_Validation *validation = NULL;
+ struct netr_SamBaseInfo *base_info = NULL;
+ NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL;
+ bool ok;
+ uint64_t logon_id = 0;
+ const struct timeval start_time = timeval_current();
+ const struct tsocket_address *remote = NULL;
+ const struct tsocket_address *local = NULL;
+ const char *krb5ccname = NULL;
+ uid_t uid;
+ pid_t client_pid;
+
+ if (domain == NULL) {
+ return NT_STATUS_REQUEST_NOT_ACCEPTED;
+ }
+
+ /* Cut client_pid to 32bit */
+ client_pid = r->in.client_pid;
+ if ((uint64_t)client_pid != r->in.client_pid) {
+ DBG_DEBUG("pid out of range\n");
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ /* Cut uid to 32bit */
+ uid = r->in.info->uid;
+ if ((uint64_t)uid != r->in.info->uid) {
+ DBG_DEBUG("uid out of range\n");
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ /*
+ * Generate a logon_id for this session.
+ */
+ logon_id = generate_random_u64();
+ remote = dcesrv_connection_get_remote_address(p->dce_call->conn);
+ local = dcesrv_connection_get_local_address(p->dce_call->conn);
+ DEBUG(3, ("[%"PRIu32"]: dual pam auth %s\n", client_pid,
+ r->in.info->username));
+
+ /* Parse domain and username */
+
+ name_map_status = normalize_name_unmap(p->mem_ctx,
+ r->in.info->username,
+ &mapped_user);
+
+ /* If the name normalization didn't actually do anything,
+ just use the original name */
+
+ if (!NT_STATUS_IS_OK(name_map_status) &&
+ !NT_STATUS_EQUAL(name_map_status, NT_STATUS_FILE_RENAMED))
+ {
+ mapped_user = discard_const(r->in.info->username);
+ }
+
+ ok = parse_domain_user(mapped_user,
+ name_namespace,
+ name_domain,
+ name_user);
+ if (!ok) {
+ result = NT_STATUS_INVALID_PARAMETER;
+ goto done;
+ }
+
+ if (mapped_user != r->in.info->username) {
+ domain_user = talloc_asprintf(talloc_tos(),
+ "%s%c%s",
+ name_domain,
+ *lp_winbind_separator(),
+ name_user);
+ if (domain_user == NULL) {
+ result = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
+ r->in.info->username = domain_user;
+ }
+
+ if (!domain->online) {
+ result = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
+ if (domain->startup) {
+ /* Logons are very important to users. If we're offline and
+ we get a request within the first 30 seconds of startup,
+ try very hard to find a DC and go online. */
+
+ DEBUG(10,("winbindd_dual_pam_auth: domain: %s offline and auth "
+ "request in startup mode.\n", domain->name ));
+
+ winbindd_flush_negative_conn_cache(domain);
+ result = init_dc_connection(domain, false);
+ }
+ }
+
+ DEBUG(10,("winbindd_dual_pam_auth: domain: %s last was %s\n", domain->name, domain->online ? "online":"offline"));
+
+ /* Check for Kerberos authentication */
+ if (domain->online && (r->in.flags & WBFLAG_PAM_KRB5)) {
+ result = winbindd_dual_pam_auth_kerberos(
+ domain,
+ r->in.info->username,
+ r->in.info->password,
+ r->in.info->krb5_cc_type,
+ uid,
+ p->mem_ctx,
+ &validation_level,
+ &validation,
+ &krb5ccname);
+
+ /* save for later */
+ krb5_result = result;
+
+ if (NT_STATUS_IS_OK(result)) {
+ DEBUG(10,("winbindd_dual_pam_auth_kerberos succeeded\n"));
+ goto process_result;
+ }
+
+ DBG_DEBUG("winbindd_dual_pam_auth_kerberos failed: %s\n",
+ nt_errstr(result));
+
+ if (NT_STATUS_EQUAL(result, NT_STATUS_NO_LOGON_SERVERS) ||
+ NT_STATUS_EQUAL(result, NT_STATUS_IO_TIMEOUT) ||
+ NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
+ DEBUG(10,("winbindd_dual_pam_auth_kerberos setting domain to offline\n"));
+ set_domain_offline( domain );
+ goto cached_logon;
+ }
+
+ /* there are quite some NT_STATUS errors where there is no
+ * point in retrying with a samlogon, we explictly have to take
+ * care not to increase the bad logon counter on the DC */
+
+ if (NT_STATUS_EQUAL(result, NT_STATUS_ACCOUNT_DISABLED) ||
+ NT_STATUS_EQUAL(result, NT_STATUS_ACCOUNT_EXPIRED) ||
+ NT_STATUS_EQUAL(result, NT_STATUS_ACCOUNT_LOCKED_OUT) ||
+ NT_STATUS_EQUAL(result, NT_STATUS_INVALID_LOGON_HOURS) ||
+ NT_STATUS_EQUAL(result, NT_STATUS_INVALID_WORKSTATION) ||
+ NT_STATUS_EQUAL(result, NT_STATUS_LOGON_FAILURE) ||
+ NT_STATUS_EQUAL(result, NT_STATUS_NO_SUCH_USER) ||
+ NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_EXPIRED) ||
+ NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_MUST_CHANGE) ||
+ NT_STATUS_EQUAL(result, NT_STATUS_WRONG_PASSWORD)) {
+ goto done;
+ }
+
+ if (r->in.flags & WBFLAG_PAM_FALLBACK_AFTER_KRB5) {
+ DEBUG(3,("falling back to samlogon\n"));
+ goto sam_logon;
+ } else {
+ goto cached_logon;
+ }
+ }
+
+sam_logon:
+ /* Check for Samlogon authentication */
+ if (domain->online) {
+ result = winbindd_dual_pam_auth_samlogon(
+ p->mem_ctx,
+ domain,
+ r->in.info->username,
+ r->in.info->password,
+ logon_id,
+ r->in.client_name,
+ client_pid,
+ r->in.flags,
+ remote,
+ local,
+ &validation_level,
+ &validation);
+
+ if (NT_STATUS_IS_OK(result)) {
+ DEBUG(10,("winbindd_dual_pam_auth_samlogon succeeded\n"));
+
+ switch (validation_level) {
+ case 3:
+ base_info = &validation->sam3->base;
+ break;
+ case 6:
+ base_info = &validation->sam6->base;
+ break;
+ default:
+ DBG_ERR("Bad validation level %d\n",
+ validation_level);
+ result = NT_STATUS_INTERNAL_ERROR;
+ goto done;
+ }
+
+ /* add the Krb5 err if we have one */
+ if ( NT_STATUS_EQUAL(krb5_result, NT_STATUS_TIME_DIFFERENCE_AT_DC ) ) {
+ base_info->user_flags |= LOGON_KRB5_FAIL_CLOCK_SKEW;
+ }
+
+ goto process_result;
+ }
+
+ DEBUG(10,("winbindd_dual_pam_auth_samlogon failed: %s\n",
+ nt_errstr(result)));
+
+ if (NT_STATUS_EQUAL(result, NT_STATUS_NO_LOGON_SERVERS) ||
+ NT_STATUS_EQUAL(result, NT_STATUS_IO_TIMEOUT) ||
+ NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND))
+ {
+ DEBUG(10,("winbindd_dual_pam_auth_samlogon setting domain to offline\n"));
+ set_domain_offline( domain );
+ goto cached_logon;
+ }
+
+ if (domain->online) {
+ /* We're still online - fail. */
+ goto done;
+ }
+ }
+
+cached_logon:
+ /* Check for Cached logons */
+ if (!domain->online && (r->in.flags & WBFLAG_PAM_CACHED_LOGIN) &&
+ lp_winbind_offline_logon()) {
+ result = winbindd_dual_pam_auth_cached(domain,
+ (r->in.flags & WBFLAG_PAM_KRB5),
+ r->in.info->username,
+ r->in.info->password,
+ r->in.info->krb5_cc_type,
+ uid,
+ p->mem_ctx,
+ &validation_level,
+ &validation,
+ &krb5ccname);
+
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(10,("winbindd_dual_pam_auth_cached failed: %s\n", nt_errstr(result)));
+ goto done;
+ }
+ DEBUG(10,("winbindd_dual_pam_auth_cached succeeded\n"));
+ }
+
+process_result:
+
+ if (NT_STATUS_IS_OK(result)) {
+ struct dom_sid user_sid;
+ TALLOC_CTX *base_ctx = NULL;
+ struct netr_SamInfo3 *info3 = NULL;
+
+ switch (validation_level) {
+ case 3:
+ base_ctx = validation->sam3;
+ base_info = &validation->sam3->base;
+ break;
+ case 6:
+ base_ctx = validation->sam6;
+ base_info = &validation->sam6->base;
+ break;
+ default:
+ DBG_ERR("Bad validation level %d\n", validation_level);
+ result = NT_STATUS_INTERNAL_ERROR;
+ goto done;
+ }
+
+ sid_compose(&user_sid, base_info->domain_sid, base_info->rid);
+
+ if (base_info->full_name.string == NULL) {
+ struct netr_SamInfo3 *cached_info3;
+
+ cached_info3 = netsamlogon_cache_get(p->mem_ctx,
+ &user_sid);
+ if (cached_info3 != NULL &&
+ cached_info3->base.full_name.string != NULL) {
+ base_info->full_name.string = talloc_strdup(
+ base_ctx,
+ cached_info3->base.full_name.string);
+ if (base_info->full_name.string == NULL) {
+ result = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
+ } else {
+
+ /* this might fail so we don't check the return code */
+ wcache_query_user_fullname(domain,
+ base_ctx,
+ &user_sid,
+ &base_info->full_name.string);
+ }
+ }
+
+ result = map_validation_to_info3(talloc_tos(),
+ validation_level,
+ validation,
+ &info3);
+ if (!NT_STATUS_IS_OK(result)) {
+ goto done;
+ }
+
+ wcache_invalidate_samlogon(find_domain_from_name(name_domain),
+ &user_sid);
+ netsamlogon_cache_store(name_user, info3);
+
+ /* save name_to_sid info as early as possible (only if
+ this is our primary domain so we don't invalidate
+ the cache entry by storing the seq_num for the wrong
+ domain). */
+ if ( domain->primary ) {
+ cache_name2sid(domain, name_domain, name_user,
+ SID_NAME_USER, &user_sid);
+ }
+
+ /* Check if the user is in the right group */
+
+ result = check_info3_in_group(info3,
+ r->in.require_membership_of_sid);
+ if (!NT_STATUS_IS_OK(result)) {
+ char *s = NDR_PRINT_STRUCT_STRING(p->mem_ctx,
+ wbint_SidArray,
+ r->in.require_membership_of_sid);
+ DBG_NOTICE("User %s is not in the required groups:\n",
+ r->in.info->username);
+ DEBUGADD(DBGLVL_NOTICE, ("%s", s));
+ DEBUGADD(DBGLVL_NOTICE,
+ ("Plaintext authentication is rejected\n"));
+ goto done;
+ }
+
+ if (!is_allowed_domain(info3->base.logon_domain.string)) {
+ DBG_NOTICE("Authentication failed for user [%s] "
+ "from firewalled domain [%s]\n",
+ info3->base.account_name.string,
+ info3->base.logon_domain.string);
+ result = NT_STATUS_AUTHENTICATION_FIREWALL_FAILED;
+ goto done;
+ }
+
+ r->out.validation = talloc_zero(p->mem_ctx,
+ struct wbint_Validation);
+ if (r->out.validation == NULL) {
+ result = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
+
+ r->out.validation->level = validation_level;
+ r->out.validation->validation = talloc_steal(r->out.validation,
+ validation);
+ r->out.validation->krb5ccname = talloc_steal(r->out.validation,
+ krb5ccname);
+ if ((r->in.flags & WBFLAG_PAM_CACHED_LOGIN)
+ && lp_winbind_offline_logon()) {
+
+ result = winbindd_store_creds(domain,
+ r->in.info->username,
+ r->in.info->password,
+ info3);
+ }
+
+ result = NT_STATUS_OK;
+ }
+
+done:
+ /* give us a more useful (more correct?) error code */
+ if ((NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) ||
+ (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)))) {
+ result = NT_STATUS_NO_LOGON_SERVERS;
+ }
+
+ DBG_PREFIX(NT_STATUS_IS_OK(result) ? 5 : 2,
+ ("Plain-text authentication for user %s returned %s"
+ " (PAM: %d)\n",
+ r->in.info->username,
+ nt_errstr(result),
+ nt_status_to_pam(result)));
+
+ /*
+ * Log the winbind pam authentication, the logon_id will tie this to
+ * any of the logons invoked from this request.
+ */
+
+ log_authentication(
+ p->mem_ctx,
+ domain,
+ r->in.client_name,
+ client_pid,
+ validation_level,
+ validation,
+ start_time,
+ logon_id,
+ "PAM_AUTH",
+ name_user,
+ name_domain,
+ NULL,
+ data_blob_null,
+ data_blob_null,
+ remote,
+ local,
+ result);
+
+ return result;
+}
+
+NTSTATUS winbind_dual_SamLogon(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ bool interactive,
+ uint32_t logon_parameters,
+ const char *name_user,
+ const char *name_domain,
+ const char *workstation,
+ const uint64_t logon_id,
+ const char* client_name,
+ const int client_pid,
+ DATA_BLOB chal_blob,
+ DATA_BLOB lm_response,
+ DATA_BLOB nt_response,
+ const struct tsocket_address *remote,
+ const struct tsocket_address *local,
+ uint8_t *authoritative,
+ bool skip_sam,
+ uint32_t *flags,
+ uint16_t *_validation_level,
+ union netr_Validation **_validation)
+{
+ uint16_t validation_level = 0;
+ union netr_Validation *validation = NULL;
+ NTSTATUS result;
+
+ /*
+ * We check against domain->name instead of
+ * name_domain, as find_auth_domain() ->
+ * find_domain_from_name_noinit() already decided
+ * that we are in a child for the correct domain.
+ *
+ * name_domain can also be lp_realm()
+ * we need to check against domain->name.
+ */
+ if (!skip_sam && strequal(domain->name, get_global_sam_name())) {
+ struct netr_SamInfo3 *info3 = NULL;
+
+ result = winbindd_dual_auth_passdb(
+ talloc_tos(),
+ logon_parameters,
+ name_domain, name_user,
+ logon_id,
+ client_name,
+ client_pid,
+ &chal_blob, &lm_response, &nt_response,
+ remote,
+ local,
+ interactive,
+ authoritative,
+ &info3);
+ if (NT_STATUS_IS_OK(result)) {
+ result = map_info3_to_validation(mem_ctx,
+ info3,
+ &validation_level,
+ &validation);
+ TALLOC_FREE(info3);
+ if (!NT_STATUS_IS_OK(result)) {
+ goto done;
+ }
+ }
+
+ /*
+ * We need to try the remote NETLOGON server if this is
+ * not authoritative.
+ */
+ if (*authoritative != 0) {
+ *flags = 0;
+ goto process_result;
+ }
+ }
+
+ result = winbind_samlogon_retry_loop(domain,
+ mem_ctx,
+ logon_parameters,
+ name_user,
+ NULL, /* password */
+ name_domain,
+ /* Bug #3248 - found by Stefan Burkei. */
+ workstation, /* We carefully set this above so use it... */
+ logon_id,
+ false, /* plaintext_given */
+ chal_blob,
+ lm_response,
+ nt_response,
+ interactive,
+ authoritative,
+ flags,
+ &validation_level,
+ &validation);
+ if (!NT_STATUS_IS_OK(result)) {
+ goto done;
+ }
+
+process_result:
+
+ if (NT_STATUS_IS_OK(result)) {
+ struct dom_sid user_sid;
+ TALLOC_CTX *base_ctx = NULL;
+ struct netr_SamBaseInfo *base_info = NULL;
+ struct netr_SamInfo3 *info3 = NULL;
+
+ switch (validation_level) {
+ case 3:
+ base_ctx = validation->sam3;
+ base_info = &validation->sam3->base;
+ break;
+ case 6:
+ base_ctx = validation->sam6;
+ base_info = &validation->sam6->base;
+ break;
+ default:
+ result = NT_STATUS_INTERNAL_ERROR;
+ goto done;
+ }
+
+ sid_compose(&user_sid, base_info->domain_sid, base_info->rid);
+
+ if (base_info->full_name.string == NULL) {
+ struct netr_SamInfo3 *cached_info3;
+
+ cached_info3 = netsamlogon_cache_get(mem_ctx,
+ &user_sid);
+ if (cached_info3 != NULL &&
+ cached_info3->base.full_name.string != NULL)
+ {
+ base_info->full_name.string = talloc_strdup(
+ base_ctx,
+ cached_info3->base.full_name.string);
+ } else {
+
+ /* this might fail so we don't check the return code */
+ wcache_query_user_fullname(domain,
+ base_ctx,
+ &user_sid,
+ &base_info->full_name.string);
+ }
+ }
+
+ result = map_validation_to_info3(talloc_tos(),
+ validation_level,
+ validation,
+ &info3);
+ if (!NT_STATUS_IS_OK(result)) {
+ goto done;
+ }
+ wcache_invalidate_samlogon(find_domain_from_name(name_domain),
+ &user_sid);
+ netsamlogon_cache_store(name_user, info3);
+ TALLOC_FREE(info3);
+ }
+
+done:
+
+ /* give us a more useful (more correct?) error code */
+ if ((NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) ||
+ (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)))) {
+ result = NT_STATUS_NO_LOGON_SERVERS;
+ }
+
+ DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,
+ ("NTLM CRAP authentication for user [%s]\\[%s] returned %s\n",
+ name_domain,
+ name_user,
+ nt_errstr(result)));
+
+ if (!NT_STATUS_IS_OK(result)) {
+ return result;
+ }
+
+ *_validation_level = validation_level;
+ *_validation = validation;
+ return NT_STATUS_OK;
+}
+
+NTSTATUS _wbint_PamAuthCrap(struct pipes_struct *p, struct wbint_PamAuthCrap *r)
+{
+ struct winbindd_domain *domain = wb_child_domain();
+ NTSTATUS result;
+ uint64_t logon_id = 0;
+ uint8_t authoritative = 1;
+ uint32_t flags = 0;
+ uint16_t validation_level = UINT16_MAX;
+ union netr_Validation *validation = NULL;
+ const struct timeval start_time = timeval_current();
+ const struct tsocket_address *remote = NULL;
+ const struct tsocket_address *local = NULL;
+ struct netr_SamInfo3 *info3 = NULL;
+ pid_t client_pid;
+
+ if (domain == NULL) {
+ return NT_STATUS_REQUEST_NOT_ACCEPTED;
+ }
+
+ /* Cut client_pid to 32bit */
+ client_pid = r->in.client_pid;
+ if ((uint64_t)client_pid != r->in.client_pid) {
+ DBG_DEBUG("pid out of range\n");
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ logon_id = generate_random_u64();
+ remote = dcesrv_connection_get_remote_address(p->dce_call->conn);
+ local = dcesrv_connection_get_local_address(p->dce_call->conn);
+
+ DBG_NOTICE("[%"PRIu32"]: pam auth crap domain: %s user: %s\n",
+ client_pid, r->in.domain, r->in.user);
+
+ result = winbind_dual_SamLogon(domain,
+ p->mem_ctx,
+ false, /* interactive */
+ r->in.logon_parameters,
+ r->in.user,
+ r->in.domain,
+ r->in.workstation,
+ logon_id,
+ r->in.client_name,
+ client_pid,
+ r->in.chal,
+ r->in.lm_resp,
+ r->in.nt_resp,
+ remote,
+ local,
+ &authoritative,
+ false,
+ &flags,
+ &validation_level,
+ &validation);
+ if (!NT_STATUS_IS_OK(result)) {
+ goto done;
+ }
+
+ result = map_validation_to_info3(p->mem_ctx,
+ validation_level,
+ validation,
+ &info3);
+ if (!NT_STATUS_IS_OK(result)) {
+ goto done;
+ }
+
+ /* Check if the user is in the right group */
+ result = check_info3_in_group(info3, r->in.require_membership_of_sid);
+ if (!NT_STATUS_IS_OK(result)) {
+ char *s = NDR_PRINT_STRUCT_STRING(p->mem_ctx,
+ wbint_SidArray,
+ r->in.require_membership_of_sid);
+ DBG_NOTICE("User %s is not in the required groups:\n",
+ r->in.user);
+ DEBUGADD(DBGLVL_NOTICE, ("%s", s));
+ DEBUGADD(DBGLVL_NOTICE,
+ ("CRAP authentication is rejected\n"));
+ goto done;
+ }
+
+ if (!is_allowed_domain(info3->base.logon_domain.string)) {
+ DBG_NOTICE("Authentication failed for user [%s] "
+ "from firewalled domain [%s]\n",
+ info3->base.account_name.string,
+ info3->base.logon_domain.string);
+ result = NT_STATUS_AUTHENTICATION_FIREWALL_FAILED;
+ goto done;
+ }
+
+ r->out.validation = talloc_zero(p->mem_ctx,
+ struct wbint_PamAuthCrapValidation);
+ if (r->out.validation == NULL) {
+ result = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
+
+ r->out.validation->level = validation_level;
+ r->out.validation->validation = talloc_move(r->out.validation,
+ &validation);
+done:
+
+ if (r->in.flags & WBFLAG_PAM_NT_STATUS_SQUASH) {
+ result = nt_status_squash(result);
+ }
+
+ *r->out.authoritative = authoritative;
+
+ /*
+ * Log the winbind pam authentication, the logon_id will tie this to
+ * any of the logons invoked from this request.
+ */
+ log_authentication(
+ p->mem_ctx,
+ domain,
+ r->in.client_name,
+ client_pid,
+ r->out.validation->level,
+ r->out.validation->validation,
+ start_time,
+ logon_id,
+ "NTLM_AUTH",
+ r->in.user,
+ r->in.domain,
+ r->in.workstation,
+ r->in.lm_resp,
+ r->in.nt_resp,
+ remote,
+ local,
+ result);
+
+ return result;
+}
+
+NTSTATUS _wbint_PamAuthChangePassword(struct pipes_struct *p,
+ struct wbint_PamAuthChangePassword *r)
+{
+ struct winbindd_domain *contact_domain = wb_child_domain();
+ struct policy_handle dom_pol;
+ struct rpc_pipe_client *cli = NULL;
+ bool got_info = false;
+ struct samr_DomInfo1 *info = NULL;
+ struct userPwdChangeFailureInformation *reject = NULL;
+ NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
+ NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
+ fstring namespace, domain, user;
+ struct dcerpc_binding_handle *b = NULL;
+ bool ok;
+ pid_t client_pid;
+
+ ZERO_STRUCT(dom_pol);
+
+ if (contact_domain == NULL) {
+ return NT_STATUS_REQUEST_NOT_ACCEPTED;
+ }
+
+ /* Cut client_pid to 32bit */
+ client_pid = r->in.client_pid;
+ if ((uint64_t)client_pid != r->in.client_pid) {
+ DBG_DEBUG("pid out of range\n");
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ DBG_NOTICE("[%"PRIu32"]: dual pam chauthtok %s\n",
+ client_pid, r->in.user);
+
+ ok = parse_domain_user(r->in.user,
+ namespace,
+ domain,
+ user);
+ if (!ok) {
+ goto done;
+ }
+
+ if (!is_allowed_domain(domain)) {
+ DBG_NOTICE("Authentication failed for user [%s] "
+ "from firewalled domain [%s]\n",
+ user, domain);
+ result = NT_STATUS_AUTHENTICATION_FIREWALL_FAILED;
+ goto done;
+ }
+
+ /* Initialize reject reason */
+ *r->out.reject_reason = Undefined;
+
+ /* Get sam handle */
+
+ result = cm_connect_sam(contact_domain,
+ p->mem_ctx,
+ true,
+ &cli,
+ &dom_pol);
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(1, ("could not get SAM handle on DC for %s\n", domain));
+ goto done;
+ }
+
+ b = cli->binding_handle;
+
+ status = dcerpc_samr_chgpasswd_user4(cli->binding_handle,
+ p->mem_ctx,
+ cli->srv_name_slash,
+ user,
+ r->in.old_password,
+ r->in.new_password,
+ &result);
+ if (NT_STATUS_IS_OK(status) && NT_STATUS_IS_OK(result)) {
+ /* Password successfully changed. */
+ goto done;
+ }
+ if (!NT_STATUS_IS_OK(status)) {
+ if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE) ||
+ NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED) ||
+ NT_STATUS_EQUAL(status, NT_STATUS_NOT_IMPLEMENTED)) {
+ /* DO NOT FALLBACK TO RC4 */
+ if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED) {
+ result = NT_STATUS_STRONG_CRYPTO_NOT_SUPPORTED;
+ goto process_result;
+ }
+ }
+ } else {
+ /* Password change was unsuccessful. */
+ if (!NT_STATUS_IS_OK(result)) {
+ goto done;
+ }
+ }
+
+ result = rpccli_samr_chgpasswd_user3(cli,
+ p->mem_ctx,
+ user,
+ r->in.new_password,
+ r->in.old_password,
+ &info,
+ &reject);
+
+ /* Windows 2003 returns NT_STATUS_PASSWORD_RESTRICTION */
+
+ if (NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_RESTRICTION) ) {
+
+ *r->out.dominfo = talloc_steal(p->mem_ctx, info);
+ *r->out.reject_reason = reject->extendedFailureReason;
+
+ got_info = true;
+ }
+
+ /* atm the pidl generated rpccli_samr_ChangePasswordUser3 function will
+ * return with NT_STATUS_BUFFER_TOO_SMALL for w2k dcs as w2k just
+ * returns with 4byte error code (NT_STATUS_NOT_SUPPORTED) which is too
+ * short to comply with the samr_ChangePasswordUser3 idl - gd */
+
+ /* only fallback when the chgpasswd_user3 call is not supported */
+ if (NT_STATUS_EQUAL(result, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE) ||
+ NT_STATUS_EQUAL(result, NT_STATUS_NOT_SUPPORTED) ||
+ NT_STATUS_EQUAL(result, NT_STATUS_BUFFER_TOO_SMALL) ||
+ NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
+
+ DEBUG(10,("Password change with chgpasswd_user3 failed with: %s, retrying chgpasswd_user2\n",
+ nt_errstr(result)));
+
+ result = rpccli_samr_chgpasswd_user2(cli,
+ p->mem_ctx,
+ user,
+ r->in.new_password,
+ r->in.old_password);
+
+ /* Windows 2000 returns NT_STATUS_ACCOUNT_RESTRICTION.
+ Map to the same status code as Windows 2003. */
+
+ if ( NT_STATUS_EQUAL(NT_STATUS_ACCOUNT_RESTRICTION, result ) ) {
+ result = NT_STATUS_PASSWORD_RESTRICTION;
+ }
+ }
+
+done:
+
+ if (NT_STATUS_IS_OK(result)
+ && (r->in.flags & WBFLAG_PAM_CACHED_LOGIN)
+ && lp_winbind_offline_logon()) {
+ result = winbindd_update_creds_by_name(contact_domain, user,
+ r->in.new_password);
+ /* Again, this happens when we login from gdm or xdm
+ * and the password expires, *BUT* cached crendentials
+ * doesn't exist. winbindd_update_creds_by_name()
+ * returns NT_STATUS_NO_SUCH_USER.
+ * This is not a failure.
+ * --- BoYang
+ * */
+ if (NT_STATUS_EQUAL(result, NT_STATUS_NO_SUCH_USER)) {
+ result = NT_STATUS_OK;
+ }
+
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(10, ("Failed to store creds: %s\n",
+ nt_errstr(result)));
+ goto process_result;
+ }
+ }
+
+ if (!NT_STATUS_IS_OK(result) && !got_info && contact_domain) {
+
+ NTSTATUS policy_ret;
+
+ policy_ret = get_password_policy(contact_domain,
+ p->mem_ctx,
+ &info);
+
+ /* failure of this is non critical, it will just provide no
+ * additional information to the client why the change has
+ * failed - Guenther */
+
+ if (!NT_STATUS_IS_OK(policy_ret)) {
+ DEBUG(10,("Failed to get password policies: %s\n", nt_errstr(policy_ret)));
+ goto process_result;
+ }
+
+ *r->out.dominfo = talloc_steal(p->mem_ctx, info);
+ }
+
+process_result:
+
+ if (strequal(contact_domain->name, get_global_sam_name())) {
+ /* FIXME: internal rpc pipe does not cache handles yet */
+ if (b) {
+ if (is_valid_policy_hnd(&dom_pol)) {
+ NTSTATUS _result;
+ dcerpc_samr_Close(b,
+ p->mem_ctx,
+ &dom_pol,
+ &_result);
+ }
+ TALLOC_FREE(cli);
+ }
+ }
+
+ DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,
+ ("Password change for user [%s]\\[%s] returned %s (PAM: %d)\n",
+ domain,
+ user,
+ nt_errstr(result),
+ nt_status_to_pam(result)));
+
+ return result;
+}
+
+NTSTATUS _wbint_PamLogOff(struct pipes_struct *p, struct wbint_PamLogOff *r)
+{
+ struct winbindd_domain *domain = wb_child_domain();
+ NTSTATUS result = NT_STATUS_NOT_SUPPORTED;
+ pid_t client_pid;
+ uid_t user_uid;
+
+ if (domain == NULL) {
+ return NT_STATUS_REQUEST_NOT_ACCEPTED;
+ }
+
+ /* Cut client_pid to 32bit */
+ client_pid = r->in.client_pid;
+ if ((uint64_t)client_pid != r->in.client_pid) {
+ DBG_DEBUG("pid out of range\n");
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ /* Cut uid to 32bit */
+ user_uid = r->in.uid;
+ if ((uint64_t)user_uid != r->in.uid) {
+ DBG_DEBUG("uid out of range\n");
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ DBG_NOTICE("[%"PRIu32"]: pam dual logoff %s\n", client_pid, r->in.user);
+
+ if (!(r->in.flags & WBFLAG_PAM_KRB5)) {
+ result = NT_STATUS_OK;
+ goto process_result;
+ }
+
+ if ((r->in.krb5ccname == NULL) || (strlen(r->in.krb5ccname) == 0)) {
+ result = NT_STATUS_OK;
+ goto process_result;
+ }
+
+#ifdef HAVE_KRB5
+
+ if (user_uid == (uid_t)-1) {
+ DBG_DEBUG("Invalid uid for user '%s'\n", r->in.user);
+ goto process_result;
+ }
+
+ /* what we need here is to find the corresponding krb5 ccache name *we*
+ * created for a given username and destroy it */
+
+ if (!ccache_entry_exists(r->in.user)) {
+ result = NT_STATUS_OK;
+ DBG_DEBUG("No entry found for user '%s'.\n", r->in.user);
+ goto process_result;
+ }
+
+ if (!ccache_entry_identical(r->in.user, user_uid, r->in.krb5ccname)) {
+ DBG_DEBUG("Cached entry differs for user '%s'\n", r->in.user);
+ goto process_result;
+ }
+
+ result = remove_ccache(r->in.user);
+ if (!NT_STATUS_IS_OK(result)) {
+ DBG_DEBUG("Failed to remove ccache for user '%s': %s\n",
+ r->in.user, nt_errstr(result));
+ goto process_result;
+ }
+
+ /*
+ * Remove any mlock'ed memory creds in the child
+ * we might be using for krb5 ticket renewal.
+ */
+
+ winbindd_delete_memory_creds(r->in.user);
+
+#else
+ result = NT_STATUS_NOT_SUPPORTED;
+#endif
+
+process_result:
+
+ return result;
+}
+
+/* Change user password with auth crap*/
+
+NTSTATUS _wbint_PamAuthCrapChangePassword(struct pipes_struct *p,
+ struct wbint_PamAuthCrapChangePassword *r)
+{
+ NTSTATUS result;
+ fstring namespace, domain, user;
+ struct policy_handle dom_pol;
+ struct winbindd_domain *contact_domain = wb_child_domain();
+ struct rpc_pipe_client *cli = NULL;
+ struct dcerpc_binding_handle *b = NULL;
+ pid_t client_pid;
+
+ ZERO_STRUCT(dom_pol);
+
+ if (contact_domain == NULL) {
+ return NT_STATUS_REQUEST_NOT_ACCEPTED;
+ }
+
+ /* Cut client_pid to 32bit */
+ client_pid = r->in.client_pid;
+ if ((uint64_t)client_pid != r->in.client_pid) {
+ DBG_DEBUG("pid out of range\n");
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ domain[0] = '\0';
+ namespace[0] = '\0';
+ user[0] = '\0';
+
+ DBG_NOTICE("[%"PRIu32"]: pam change pswd auth crap domain: %s "
+ "user: %s\n", client_pid, r->in.domain, r->in.user);
+
+ if (lp_winbind_offline_logon()) {
+ DEBUG(0,("Refusing password change as winbind offline logons are enabled. "));
+ DEBUGADD(0,("Changing passwords here would risk inconsistent logons\n"));
+ result = NT_STATUS_ACCESS_DENIED;
+ goto done;
+ }
+
+ if (r->in.domain != NULL && strlen(r->in.domain) > 0) {
+ fstrcpy(domain, r->in.domain);
+ } else {
+ bool ok;
+
+ ok = parse_domain_user(r->in.user,
+ namespace,
+ domain,
+ user);
+ if (!ok) {
+ result = NT_STATUS_INVALID_PARAMETER;
+ goto done;
+ }
+
+ if (strlen(domain) == 0) {
+ DBG_NOTICE("no domain specified with username (%s) - "
+ "failing auth\n", r->in.user);
+ result = NT_STATUS_NO_SUCH_USER;
+ goto done;
+ }
+ }
+
+ if (!*domain && lp_winbind_use_default_domain()) {
+ fstrcpy(domain,lp_workgroup());
+ }
+
+ if (!is_allowed_domain(domain)) {
+ DBG_NOTICE("Authentication failed for user [%s] "
+ "from firewalled domain [%s]\n",
+ r->in.user,
+ domain);
+ result = NT_STATUS_AUTHENTICATION_FIREWALL_FAILED;
+ goto done;
+ }
+
+ if(!*user) {
+ fstrcpy(user, r->in.user);
+ }
+
+ /* Get sam handle */
+
+ result = cm_connect_sam(contact_domain,
+ p->mem_ctx,
+ true,
+ &cli,
+ &dom_pol);
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(1, ("could not get SAM handle on DC for %s\n", domain));
+ goto done;
+ }
+
+ b = cli->binding_handle;
+
+ result = rpccli_samr_chng_pswd_auth_crap(cli,
+ p->mem_ctx,
+ user,
+ r->in.new_nt_pswd,
+ r->in.old_nt_hash_enc,
+ r->in.new_lm_pswd,
+ r->in.old_lm_hash_enc);
+
+ done:
+
+ if (strequal(contact_domain->name, get_global_sam_name())) {
+ /* FIXME: internal rpc pipe does not cache handles yet */
+ if (b) {
+ if (is_valid_policy_hnd(&dom_pol)) {
+ NTSTATUS _result;
+ dcerpc_samr_Close(b,
+ p->mem_ctx,
+ &dom_pol,
+ &_result);
+ }
+ TALLOC_FREE(cli);
+ }
+ }
+
+ DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,
+ ("Password change for user [%s]\\[%s] returned %s (PAM: %d)\n",
+ domain, user,
+ nt_errstr(result),
+ nt_status_to_pam(result)));
+
+ return result;
+}
+
+#ifdef HAVE_KRB5
+static NTSTATUS extract_pac_vrfy_sigs(TALLOC_CTX *mem_ctx, DATA_BLOB pac_blob,
+ struct PAC_DATA **p_pac_data)
+{
+ krb5_context krbctx = NULL;
+ krb5_error_code k5ret;
+ krb5_keytab keytab;
+ krb5_kt_cursor cursor;
+ krb5_keytab_entry entry;
+ NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
+
+ ZERO_STRUCT(entry);
+ ZERO_STRUCT(cursor);
+
+ k5ret = smb_krb5_init_context_common(&krbctx);
+ if (k5ret) {
+ DBG_ERR("kerberos init context failed (%s)\n",
+ error_message(k5ret));
+ status = krb5_to_nt_status(k5ret);
+ goto out;
+ }
+
+ k5ret = gse_krb5_get_server_keytab(krbctx, &keytab);
+ if (k5ret) {
+ DEBUG(1, ("Failed to get keytab: %s\n",
+ error_message(k5ret)));
+ status = krb5_to_nt_status(k5ret);
+ goto out_free;
+ }
+
+ k5ret = krb5_kt_start_seq_get(krbctx, keytab, &cursor);
+ if (k5ret) {
+ DEBUG(1, ("Failed to start seq: %s\n",
+ error_message(k5ret)));
+ status = krb5_to_nt_status(k5ret);
+ goto out_keytab;
+ }
+
+ k5ret = krb5_kt_next_entry(krbctx, keytab, &entry, &cursor);
+ while (k5ret == 0) {
+ status = kerberos_decode_pac(mem_ctx,
+ pac_blob,
+ krbctx,
+ NULL, /* krbtgt_keyblock */
+ KRB5_KT_KEY(&entry), /* service_keyblock */
+ NULL, /* client_principal */
+ 0, /* tgs_authtime */
+ p_pac_data);
+ if (NT_STATUS_IS_OK(status)) {
+ break;
+ }
+ k5ret = smb_krb5_kt_free_entry(krbctx, &entry);
+ k5ret = krb5_kt_next_entry(krbctx, keytab, &entry, &cursor);
+ }
+
+ k5ret = krb5_kt_end_seq_get(krbctx, keytab, &cursor);
+ if (k5ret) {
+ DEBUG(1, ("Failed to end seq: %s\n",
+ error_message(k5ret)));
+ }
+out_keytab:
+ k5ret = krb5_kt_close(krbctx, keytab);
+ if (k5ret) {
+ DEBUG(1, ("Failed to close keytab: %s\n",
+ error_message(k5ret)));
+ }
+out_free:
+ krb5_free_context(krbctx);
+out:
+ return status;
+}
+
+NTSTATUS winbindd_pam_auth_pac_verify(struct winbindd_cli_state *state,
+ TALLOC_CTX *mem_ctx,
+ bool *p_is_trusted,
+ uint16_t *p_validation_level,
+ union netr_Validation **p_validation)
+{
+ struct winbindd_request *req = state->request;
+ DATA_BLOB pac_blob;
+ struct PAC_DATA *pac_data = NULL;
+ struct PAC_LOGON_INFO *logon_info = NULL;
+ struct PAC_UPN_DNS_INFO *upn_dns_info = NULL;
+ struct netr_SamInfo6 *info6 = NULL;
+ uint16_t validation_level = 0;
+ union netr_Validation *validation = NULL;
+ struct netr_SamInfo3 *info3_copy = NULL;
+ NTSTATUS result;
+ bool is_trusted = false;
+ uint32_t i;
+ TALLOC_CTX *tmp_ctx = NULL;
+
+ tmp_ctx = talloc_new(mem_ctx);
+ if (tmp_ctx == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ *p_is_trusted = false;
+ *p_validation_level = 0;
+ *p_validation = NULL;
+
+ pac_blob = data_blob_const(req->extra_data.data, req->extra_len);
+ result = extract_pac_vrfy_sigs(tmp_ctx, pac_blob, &pac_data);
+ if (NT_STATUS_IS_OK(result)) {
+ is_trusted = true;
+ }
+ if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED)) {
+ /* Try without signature verification */
+ result = kerberos_decode_pac(tmp_ctx,
+ pac_blob,
+ NULL, /* krb5_context */
+ NULL, /* krbtgt_keyblock */
+ NULL, /* service_keyblock */
+ NULL, /* client_principal */
+ 0, /* tgs_authtime */
+ &pac_data);
+ }
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(1, ("Error during PAC signature verification: %s\n",
+ nt_errstr(result)));
+ goto out;
+ }
+
+ for (i=0; i < pac_data->num_buffers; i++) {
+ if (pac_data->buffers[i].type == PAC_TYPE_LOGON_INFO) {
+ logon_info = pac_data->buffers[i].info->logon_info.info;
+ continue;
+ }
+ if (pac_data->buffers[i].type == PAC_TYPE_UPN_DNS_INFO) {
+ upn_dns_info = &pac_data->buffers[i].info->upn_dns_info;
+ continue;
+ }
+ }
+
+ result = create_info6_from_pac(tmp_ctx,
+ logon_info,
+ upn_dns_info,
+ &info6);
+ if (!NT_STATUS_IS_OK(result)) {
+ goto out;
+ }
+
+ if (!is_allowed_domain(info6->base.logon_domain.string)) {
+ DBG_NOTICE("Authentication failed for user [%s] "
+ "from firewalled domain [%s]\n",
+ info6->base.account_name.string,
+ info6->base.logon_domain.string);
+ result = NT_STATUS_AUTHENTICATION_FIREWALL_FAILED;
+ goto out;
+ }
+
+ result = map_info6_to_validation(tmp_ctx,
+ info6,
+ &validation_level,
+ &validation);
+ if (!NT_STATUS_IS_OK(result)) {
+ goto out;
+ }
+
+ result = map_validation_to_info3(tmp_ctx,
+ validation_level,
+ validation,
+ &info3_copy);
+ if (!NT_STATUS_IS_OK(result)) {
+ goto out;
+ }
+
+ if (is_trusted) {
+ /*
+ * Signature verification succeeded, we can
+ * trust the PAC and prime the netsamlogon
+ * and name2sid caches. DO NOT DO THIS
+ * in the signature verification failed
+ * code path.
+ */
+ struct winbindd_domain *domain = NULL;
+
+ netsamlogon_cache_store(NULL, info3_copy);
+
+ /*
+ * We're in the parent here, so find the child
+ * pointer from the PAC domain name.
+ */
+ domain = find_lookup_domain_from_name(
+ info3_copy->base.logon_domain.string);
+ if (domain && domain->primary ) {
+ struct dom_sid user_sid;
+ struct dom_sid_buf buf;
+
+ sid_compose(&user_sid,
+ info3_copy->base.domain_sid,
+ info3_copy->base.rid);
+
+ cache_name2sid_trusted(domain,
+ info3_copy->base.logon_domain.string,
+ info3_copy->base.account_name.string,
+ SID_NAME_USER,
+ &user_sid);
+
+ DBG_INFO("PAC for user %s\\%s SID %s primed cache\n",
+ info3_copy->base.logon_domain.string,
+ info3_copy->base.account_name.string,
+ dom_sid_str_buf(&user_sid, &buf));
+ }
+ }
+
+ *p_is_trusted = is_trusted;
+ *p_validation_level = validation_level;
+ *p_validation = talloc_move(mem_ctx, &validation);
+
+ result = NT_STATUS_OK;
+out:
+ TALLOC_FREE(tmp_ctx);
+ return result;
+}
+#else /* HAVE_KRB5 */
+NTSTATUS winbindd_pam_auth_pac_verify(struct winbindd_cli_state *state,
+ TALLOC_CTX *mem_ctx,
+ bool *p_is_trusted,
+ uint16_t *p_validation_level,
+ union netr_Validation **p_validation);
+{
+
+ *p_is_trusted = false;
+ *p_validation_level = 0;
+ *p_validation = NULL;
+ return NT_STATUS_NO_SUCH_USER;
+}
+#endif /* HAVE_KRB5 */
diff --git a/source3/winbindd/winbindd_pam_auth.c b/source3/winbindd/winbindd_pam_auth.c
new file mode 100644
index 0000000..a59f33e
--- /dev/null
+++ b/source3/winbindd/winbindd_pam_auth.c
@@ -0,0 +1,286 @@
+/*
+ Unix SMB/CIFS implementation.
+ async implementation of WINBINDD_PAM_AUTH
+ Copyright (C) Volker Lendecke 2010
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "winbindd.h"
+#include "libcli/security/dom_sid.h"
+#include "lib/util/string_wrappers.h"
+#include "lib/global_contexts.h"
+#include "librpc/gen_ndr/ndr_winbind_c.h"
+
+static NTSTATUS fake_password_policy(struct winbindd_response *r,
+ uint16_t validation_level,
+ union netr_Validation *validation)
+{
+ const struct netr_SamBaseInfo *bi = NULL;
+ NTTIME min_password_age;
+ NTTIME max_password_age;
+
+ switch (validation_level) {
+ case 3:
+ bi = &validation->sam3->base;
+ break;
+ case 6:
+ bi = &validation->sam6->base;
+ break;
+ default:
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
+ if (bi->allow_password_change > bi->last_password_change) {
+ min_password_age = bi->allow_password_change -
+ bi->last_password_change;
+ } else {
+ min_password_age = 0;
+ }
+
+ if (bi->force_password_change > bi->last_password_change) {
+ max_password_age = bi->force_password_change -
+ bi->last_password_change;
+ } else {
+ max_password_age = 0;
+ }
+
+ r->data.auth.policy.min_length_password = 0;
+ r->data.auth.policy.password_history = 0;
+ r->data.auth.policy.password_properties = 0;
+ r->data.auth.policy.expire =
+ nt_time_to_unix_abs(&max_password_age);
+ r->data.auth.policy.min_passwordage =
+ nt_time_to_unix_abs(&min_password_age);
+
+ return NT_STATUS_OK;
+}
+
+struct winbindd_pam_auth_state {
+ struct wbint_PamAuth *r;
+ fstring name_namespace;
+ fstring name_domain;
+ fstring name_user;
+};
+
+static void winbindd_pam_auth_done(struct tevent_req *subreq);
+
+struct tevent_req *winbindd_pam_auth_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request)
+{
+ struct tevent_req *req, *subreq;
+ struct winbindd_pam_auth_state *state;
+ struct winbindd_domain *domain;
+ char *mapped = NULL;
+ NTSTATUS status;
+ bool ok;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct winbindd_pam_auth_state);
+ if (req == NULL) {
+ return NULL;
+ }
+
+ D_NOTICE("[%s (%u)] Winbind external command PAM_AUTH start.\n"
+ "Authenticating user '%s'.\n",
+ cli->client_name,
+ (unsigned int)cli->pid,
+ request->data.auth.user);
+
+ if (!check_request_flags(request->flags)) {
+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
+ return tevent_req_post(req, ev);
+ }
+
+ /* Parse domain and username */
+
+ status = normalize_name_unmap(state, request->data.auth.user, &mapped);
+
+ /* If the name normalization changed something, copy it over the given
+ name */
+
+ if (NT_STATUS_IS_OK(status)
+ || NT_STATUS_EQUAL(status, NT_STATUS_FILE_RENAMED)) {
+ fstrcpy(request->data.auth.user, mapped);
+ }
+
+ ok = canonicalize_username(request->data.auth.user,
+ state->name_namespace,
+ state->name_domain,
+ state->name_user);
+ if (!ok) {
+ tevent_req_nterror(req, NT_STATUS_NO_SUCH_USER);
+ return tevent_req_post(req, ev);
+ }
+
+ domain = find_auth_domain(request->flags, state->name_namespace);
+ if (domain == NULL) {
+ tevent_req_nterror(req, NT_STATUS_NO_SUCH_USER);
+ return tevent_req_post(req, ev);
+ }
+
+ state->r = talloc_zero(state, struct wbint_PamAuth);
+ if (tevent_req_nomem(state->r, req)) {
+ return tevent_req_post(req, ev);
+ }
+
+ state->r->in.client_name = talloc_strdup(
+ state->r, request->client_name);
+ if (tevent_req_nomem(state->r, req)) {
+ return tevent_req_post(req, ev);
+ }
+
+ state->r->in.client_pid = request->pid;
+ state->r->in.flags = request->flags;
+
+ state->r->in.info = talloc_zero(state->r, struct wbint_AuthUserInfo);
+ if (tevent_req_nomem(state->r, req)) {
+ return tevent_req_post(req, ev);
+ }
+
+ state->r->in.info->krb5_cc_type = talloc_strdup(
+ state->r, request->data.auth.krb5_cc_type);
+ if (tevent_req_nomem(state->r, req)) {
+ return tevent_req_post(req, ev);
+ }
+
+ state->r->in.info->password = talloc_strdup(
+ state->r, request->data.auth.pass);
+ if (tevent_req_nomem(state->r, req)) {
+ return tevent_req_post(req, ev);
+ }
+
+ state->r->in.info->username = talloc_strdup(
+ state->r, request->data.auth.user);
+ if (tevent_req_nomem(state->r, req)) {
+ return tevent_req_post(req, ev);
+ }
+
+ state->r->in.info->uid = request->data.auth.uid;
+
+ status = extra_data_to_sid_array(
+ request->data.auth.require_membership_of_sid,
+ state->r,
+ &state->r->in.require_membership_of_sid);
+ if (tevent_req_nterror(req, status)) {
+ return tevent_req_post(req, ev);
+ }
+
+ subreq = dcerpc_wbint_PamAuth_r_send(state,
+ global_event_context(),
+ dom_child_handle(domain),
+ state->r);
+ if (tevent_req_nomem(subreq, req)) {
+ return tevent_req_post(req, ev);
+ }
+ tevent_req_set_callback(subreq, winbindd_pam_auth_done, req);
+ return req;
+}
+
+static void winbindd_pam_auth_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct winbindd_pam_auth_state *state = tevent_req_data(
+ req, struct winbindd_pam_auth_state);
+ NTSTATUS status;
+
+ status = dcerpc_wbint_PamAuth_r_recv(subreq, state);
+ TALLOC_FREE(subreq);
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
+
+ if (tevent_req_nterror(req, state->r->out.result)) {
+ return;
+ }
+
+ tevent_req_done(req);
+}
+
+NTSTATUS winbindd_pam_auth_recv(struct tevent_req *req,
+ struct winbindd_response *response)
+{
+ struct winbindd_pam_auth_state *state = tevent_req_data(
+ req, struct winbindd_pam_auth_state);
+ NTSTATUS status;
+
+ D_NOTICE("Winbind external command PAM_AUTH end.\n");
+ if (tevent_req_is_nterror(req, &status)) {
+ set_auth_errors(response, status);
+ return status;
+ }
+
+ response->result = WINBINDD_PENDING;
+
+ status = append_auth_data(response,
+ response,
+ state->r->in.flags,
+ state->r->out.validation->level,
+ state->r->out.validation->validation,
+ state->name_domain,
+ state->name_user);
+ fstrcpy(response->data.auth.krb5ccname,
+ state->r->out.validation->krb5ccname);
+
+ if (state->r->in.flags & WBFLAG_PAM_INFO3_TEXT) {
+ bool ok;
+
+ ok = add_trusted_domain_from_auth(
+ state->r->out.validation->level,
+ &response->data.auth.info3,
+ &response->data.auth.info6);
+ if (!ok) {
+ DBG_ERR("add_trusted_domain_from_auth failed\n");
+ set_auth_errors(response, NT_STATUS_LOGON_FAILURE);
+ return NT_STATUS_LOGON_FAILURE;
+ }
+ }
+
+ if (state->r->in.flags & WBFLAG_PAM_CACHED_LOGIN) {
+
+ /* Store in-memory creds for single-signon using ntlm_auth. */
+
+ status = winbindd_add_memory_creds(
+ state->r->in.info->username,
+ state->r->in.info->uid,
+ state->r->in.info->password);
+ D_DEBUG("winbindd_add_memory_creds returned: %s\n",
+ nt_errstr(status));
+ }
+
+ if (state->r->in.flags & WBFLAG_PAM_GET_PWD_POLICY) {
+ /*
+ * WBFLAG_PAM_GET_PWD_POLICY is not used within
+ * any Samba caller anymore.
+ *
+ * We just fake this based on the effective values
+ * for the user, for legacy callers.
+ */
+ status = fake_password_policy(response,
+ state->r->out.validation->level,
+ state->r->out.validation->validation);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_ERR("Failed to fake password policy: %s\n",
+ nt_errstr(status));
+ set_auth_errors(response, status);
+ return status;
+ }
+ }
+
+ return NT_STATUS_OK;
+}
diff --git a/source3/winbindd/winbindd_pam_auth_crap.c b/source3/winbindd/winbindd_pam_auth_crap.c
new file mode 100644
index 0000000..e6a32c7
--- /dev/null
+++ b/source3/winbindd/winbindd_pam_auth_crap.c
@@ -0,0 +1,285 @@
+/*
+ Unix SMB/CIFS implementation.
+ async implementation of WINBINDD_PAM_AUTH_CRAP
+ Copyright (C) Volker Lendecke 2010
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "winbindd.h"
+#include "rpc_client/util_netlogon.h"
+#include "libcli/security/dom_sid.h"
+#include "lib/util/string_wrappers.h"
+#include "lib/global_contexts.h"
+#include "librpc/gen_ndr/ndr_winbind_c.h"
+
+struct winbindd_pam_auth_crap_state {
+ uint8_t authoritative;
+ uint32_t flags;
+ bool pac_is_trusted;
+ char *domain;
+ char *user;
+ struct wbint_PamAuthCrapValidation validation;
+ NTSTATUS result;
+};
+
+static void winbindd_pam_auth_crap_done(struct tevent_req *subreq);
+
+struct tevent_req *winbindd_pam_auth_crap_send(
+ TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request)
+{
+ struct tevent_req *req, *subreq;
+ struct winbindd_pam_auth_crap_state *state;
+ struct winbindd_domain *domain;
+ const char *auth_domain = NULL;
+ DATA_BLOB lm_resp = data_blob_null;
+ DATA_BLOB nt_resp = data_blob_null;
+ DATA_BLOB chal = data_blob_null;
+ struct wbint_SidArray *require_membership_of_sid = NULL;
+ NTSTATUS status;
+ bool lmlength_ok = false;
+ bool ntlength_ok = false;
+ bool pwlength_ok = false;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct winbindd_pam_auth_crap_state);
+ if (req == NULL) {
+ return NULL;
+ }
+ state->authoritative = 1;
+ state->flags = request->flags;
+
+ if (state->flags & WBFLAG_PAM_AUTH_PAC) {
+ state->result = winbindd_pam_auth_pac_verify(cli,
+ state,
+ &state->pac_is_trusted,
+ &state->validation.level,
+ &state->validation.validation);
+ if (tevent_req_nterror(req, state->result)) {
+ return tevent_req_post(req, ev);
+ }
+
+ tevent_req_done(req);
+ return tevent_req_post(req, ev);
+ }
+
+ /* Ensure null termination */
+ request->data.auth_crap.user[
+ sizeof(request->data.auth_crap.user)-1] = '\0';
+ request->data.auth_crap.domain[
+ sizeof(request->data.auth_crap.domain)-1] = '\0';
+ request->data.auth_crap.workstation[
+ sizeof(request->data.auth_crap.workstation)-1] = '\0';
+
+ DBG_NOTICE("[%5lu]: pam auth crap domain: [%s] user: [%s] "
+ "workstation: [%s]\n",
+ (unsigned long)cli->pid,
+ request->data.auth_crap.domain,
+ request->data.auth_crap.user,
+ request->data.auth_crap.workstation);
+
+ if (!check_request_flags(request->flags)) {
+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
+ return tevent_req_post(req, ev);
+ }
+
+ auth_domain = request->data.auth_crap.domain;
+ if (auth_domain[0] == '\0') {
+ auth_domain = lp_workgroup();
+ }
+
+ domain = find_auth_domain(request->flags, auth_domain);
+ if (domain == NULL) {
+ /*
+ * We don't know the domain so
+ * we're not authoritative
+ */
+ state->authoritative = 0;
+ tevent_req_nterror(req, NT_STATUS_NO_SUCH_USER);
+ return tevent_req_post(req, ev);
+ }
+
+ if (request->data.auth_crap.workstation[0] == '\0') {
+ fstrcpy(request->data.auth_crap.workstation, lp_netbios_name());
+ }
+
+ lmlength_ok = (request->data.auth_crap.lm_resp_len <=
+ sizeof(request->data.auth_crap.lm_resp));
+
+ ntlength_ok = (request->data.auth_crap.nt_resp_len <=
+ sizeof(request->data.auth_crap.nt_resp));
+
+ ntlength_ok |=
+ ((request->flags & WBFLAG_BIG_NTLMV2_BLOB) &&
+ (request->extra_len == request->data.auth_crap.nt_resp_len));
+
+ pwlength_ok = lmlength_ok && ntlength_ok;
+
+ if (!pwlength_ok) {
+ DBG_ERR("Invalid password length %u/%u\n",
+ request->data.auth_crap.lm_resp_len,
+ request->data.auth_crap.nt_resp_len);
+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ return tevent_req_post(req, ev);
+ }
+
+ state->domain = talloc_strdup(state, request->data.auth_crap.domain);
+ if (tevent_req_nomem(state->domain, req)) {
+ return tevent_req_post(req, ev);
+ }
+
+ state->user = talloc_strdup(state, request->data.auth_crap.user);
+ if (tevent_req_nomem(state->user, req)) {
+ return tevent_req_post(req, ev);
+ }
+
+ status = extra_data_to_sid_array(
+ request->data.auth_crap.require_membership_of_sid,
+ state,
+ &require_membership_of_sid);
+ if (tevent_req_nterror(req, status)) {
+ return tevent_req_post(req, ev);
+ }
+
+ lm_resp = data_blob_talloc(state,
+ request->data.auth_crap.lm_resp,
+ request->data.auth_crap.lm_resp_len);
+ if (tevent_req_nomem(lm_resp.data, req)) {
+ return tevent_req_post(req, ev);
+ }
+
+ if (request->flags & WBFLAG_BIG_NTLMV2_BLOB) {
+ nt_resp = data_blob_talloc(state,
+ request->extra_data.data,
+ request->data.auth_crap.nt_resp_len);
+ } else {
+ nt_resp = data_blob_talloc(state,
+ request->data.auth_crap.nt_resp,
+ request->data.auth_crap.nt_resp_len);
+ }
+ if (tevent_req_nomem(nt_resp.data, req)) {
+ return tevent_req_post(req, ev);
+ }
+
+ chal = data_blob_talloc(state,
+ request->data.auth_crap.chal,
+ 8);
+ if (tevent_req_nomem(chal.data, req)) {
+ return tevent_req_post(req, ev);
+ }
+
+ subreq = dcerpc_wbint_PamAuthCrap_send(state,
+ global_event_context(),
+ dom_child_handle(domain),
+ request->client_name,
+ request->pid,
+ request->flags,
+ request->data.auth_crap.user,
+ request->data.auth_crap.domain,
+ request->data.auth_crap.workstation,
+ lm_resp,
+ nt_resp,
+ chal,
+ request->data.auth_crap.logon_parameters,
+ require_membership_of_sid,
+ &state->authoritative,
+ &state->validation);
+ if (tevent_req_nomem(subreq, req)) {
+ return tevent_req_post(req, ev);
+ }
+ tevent_req_set_callback(subreq, winbindd_pam_auth_crap_done, req);
+ return req;
+}
+
+static void winbindd_pam_auth_crap_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct winbindd_pam_auth_crap_state *state = tevent_req_data(
+ req, struct winbindd_pam_auth_crap_state);
+ NTSTATUS status;
+
+ status = dcerpc_wbint_PamAuthCrap_recv(subreq, state, &state->result);
+ TALLOC_FREE(subreq);
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
+
+ tevent_req_done(req);
+}
+
+NTSTATUS winbindd_pam_auth_crap_recv(struct tevent_req *req,
+ struct winbindd_response *response)
+{
+ struct winbindd_pam_auth_crap_state *state = tevent_req_data(
+ req, struct winbindd_pam_auth_crap_state);
+ NTSTATUS status;
+
+ if (tevent_req_is_nterror(req, &status)) {
+ goto out;
+ }
+
+ if (NT_STATUS_IS_ERR(state->result)) {
+ status = state->result;
+ goto out;
+ }
+
+ status = append_auth_data(response,
+ response,
+ state->flags,
+ state->validation.level,
+ state->validation.validation,
+ state->domain,
+ state->user);
+ if (NT_STATUS_IS_ERR(status)) {
+ goto out;
+ }
+
+ if (state->flags & WBFLAG_PAM_AUTH_PAC && !state->pac_is_trusted) {
+ /*
+ * Clear the flag just in state to do no add the domain
+ * from auth below.
+ */
+ state->flags &= ~WBFLAG_PAM_INFO3_TEXT;
+ }
+
+ if (state->flags & WBFLAG_PAM_INFO3_TEXT) {
+ bool ok;
+
+ ok = add_trusted_domain_from_auth(
+ response->data.auth.validation_level,
+ &response->data.auth.info3,
+ &response->data.auth.info6);
+ if (!ok) {
+ status = NT_STATUS_LOGON_FAILURE;
+ DBG_ERR("add_trusted_domain_from_auth failed\n");
+ set_auth_errors(response, status);
+ response->data.auth.authoritative =
+ state->authoritative;
+ return status;
+ }
+ }
+
+ status = NT_STATUS_OK;
+
+out:
+ set_auth_errors(response, status);
+ response->data.auth.authoritative = state->authoritative;
+ response->result = WINBINDD_PENDING;
+ return NT_STATUS(response->data.auth.nt_status);
+}
diff --git a/source3/winbindd/winbindd_pam_chauthtok.c b/source3/winbindd/winbindd_pam_chauthtok.c
new file mode 100644
index 0000000..336654e
--- /dev/null
+++ b/source3/winbindd/winbindd_pam_chauthtok.c
@@ -0,0 +1,197 @@
+/*
+ Unix SMB/CIFS implementation.
+ async implementation of WINBINDD_PAM_CHAUTHTOK
+ Copyright (C) Volker Lendecke 2010
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "winbindd.h"
+#include "lib/util/string_wrappers.h"
+#include "lib/global_contexts.h"
+#include "librpc/gen_ndr/ndr_winbind_c.h"
+
+static void fill_in_password_policy(struct winbindd_response *r,
+ const struct samr_DomInfo1 *p)
+{
+ r->data.auth.policy.min_length_password =
+ p->min_password_length;
+ r->data.auth.policy.password_history =
+ p->password_history_length;
+ r->data.auth.policy.password_properties =
+ p->password_properties;
+ r->data.auth.policy.expire =
+ nt_time_to_unix_abs((const NTTIME *)&(p->max_password_age));
+ r->data.auth.policy.min_passwordage =
+ nt_time_to_unix_abs((const NTTIME *)&(p->min_password_age));
+}
+
+struct winbindd_pam_chauthtok_state {
+ struct wbint_PamAuthChangePassword r;
+};
+
+static void winbindd_pam_chauthtok_done(struct tevent_req *subreq);
+
+struct tevent_req *winbindd_pam_chauthtok_send(
+ TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request)
+{
+ struct tevent_req *req, *subreq;
+ struct winbindd_pam_chauthtok_state *state;
+ struct winbindd_domain *contact_domain;
+ fstring namespace, domain, user;
+ char *mapped_user;
+ NTSTATUS status;
+ bool ok;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct winbindd_pam_chauthtok_state);
+ if (req == NULL) {
+ return NULL;
+ }
+
+ /* Ensure null termination */
+ request->data.chauthtok.user[
+ sizeof(request->data.chauthtok.user)-1]='\0';
+
+ DEBUG(3, ("[%5lu]: pam chauthtok %s\n", (unsigned long)cli->pid,
+ request->data.chauthtok.user));
+
+ status = normalize_name_unmap(state, request->data.chauthtok.user,
+ &mapped_user);
+
+ if (NT_STATUS_IS_OK(status) ||
+ NT_STATUS_EQUAL(status, NT_STATUS_FILE_RENAMED)) {
+ fstrcpy(request->data.chauthtok.user, mapped_user);
+ }
+
+ ok = canonicalize_username(request->data.chauthtok.user,
+ namespace,
+ domain,
+ user);
+ if (!ok) {
+ DEBUG(10, ("winbindd_pam_chauthtok: canonicalize_username %s "
+ "failed with\n", request->data.chauthtok.user));
+ tevent_req_nterror(req, NT_STATUS_NO_SUCH_USER);
+ return tevent_req_post(req, ev);
+ }
+
+ contact_domain = find_domain_from_name(namespace);
+ if (contact_domain == NULL) {
+ DEBUG(3, ("Cannot change password for [%s] -> [%s]\\[%s] "
+ "as %s is not a trusted domain\n",
+ request->data.chauthtok.user, domain, user, domain));
+ tevent_req_nterror(req, NT_STATUS_NO_SUCH_USER);
+ return tevent_req_post(req, ev);
+ }
+
+ state->r.in.client_pid = request->pid;
+ state->r.in.flags = request->flags;
+
+ state->r.in.client_name = talloc_strdup(state, request->client_name);
+ if (tevent_req_nomem(state->r.in.client_name, req)) {
+ return tevent_req_post(req, ev);
+ }
+
+ state->r.in.user = talloc_strdup(state, request->data.chauthtok.user);
+ if (tevent_req_nomem(state->r.in.user, req)) {
+ return tevent_req_post(req, ev);
+ }
+
+ state->r.in.old_password = talloc_strdup(state,
+ request->data.chauthtok.oldpass);
+ if (tevent_req_nomem(state->r.in.old_password, req)) {
+ return tevent_req_post(req, ev);
+ }
+
+ state->r.in.new_password = talloc_strdup(state,
+ request->data.chauthtok.newpass);
+ if (tevent_req_nomem(state->r.in.new_password, req)) {
+ return tevent_req_post(req, ev);
+ }
+
+ subreq = dcerpc_wbint_PamAuthChangePassword_r_send(state,
+ global_event_context(),
+ dom_child_handle(contact_domain),
+ &state->r);
+ if (tevent_req_nomem(subreq, req)) {
+ return tevent_req_post(req, ev);
+ }
+ tevent_req_set_callback(subreq, winbindd_pam_chauthtok_done, req);
+ return req;
+}
+
+static void winbindd_pam_chauthtok_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct winbindd_pam_chauthtok_state *state = tevent_req_data(
+ req, struct winbindd_pam_chauthtok_state);
+ NTSTATUS status;
+
+ status = dcerpc_wbint_PamAuthChangePassword_r_recv(subreq, state);
+ TALLOC_FREE(subreq);
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
+
+ tevent_req_done(req);
+}
+
+NTSTATUS winbindd_pam_chauthtok_recv(struct tevent_req *req,
+ struct winbindd_response *response)
+{
+ struct winbindd_pam_chauthtok_state *state = tevent_req_data(
+ req, struct winbindd_pam_chauthtok_state);
+ NTSTATUS status = NT_STATUS_OK;
+
+ if (tevent_req_is_nterror(req, &status)) {
+ set_auth_errors(response, status);
+ return status;
+ }
+
+ response->result = WINBINDD_PENDING;
+
+ set_auth_errors(response, state->r.out.result);
+ if (*state->r.out.dominfo != NULL) {
+ fill_in_password_policy(response, *state->r.out.dominfo);
+ }
+ response->data.auth.reject_reason = *state->r.out.reject_reason;
+
+ if (state->r.in.flags & WBFLAG_PAM_CACHED_LOGIN) {
+
+ /* Update the single sign-on memory creds. */
+ status = winbindd_replace_memory_creds(
+ state->r.in.user, state->r.in.new_password);
+
+ DEBUG(10, ("winbindd_replace_memory_creds returned %s\n",
+ nt_errstr(status)));
+
+ /*
+ * When we login from gdm or xdm and password expires,
+ * we change password, but there are no memory
+ * crendentials So, winbindd_replace_memory_creds()
+ * returns NT_STATUS_OBJECT_NAME_NOT_FOUND. This is
+ * not a failure. --- BoYang
+ */
+ if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
+ status = NT_STATUS_OK;
+ }
+ }
+
+ return NT_STATUS(response->data.auth.nt_status);
+}
diff --git a/source3/winbindd/winbindd_pam_chng_pswd_auth_crap.c b/source3/winbindd/winbindd_pam_chng_pswd_auth_crap.c
new file mode 100644
index 0000000..8b69f02
--- /dev/null
+++ b/source3/winbindd/winbindd_pam_chng_pswd_auth_crap.c
@@ -0,0 +1,171 @@
+/*
+ Unix SMB/CIFS implementation.
+ async implementation of WINBINDD_PAM_CHNG_PSWD_AUTH_CRAP
+ Copyright (C) Volker Lendecke 2010
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "winbindd.h"
+#include "lib/global_contexts.h"
+#include "librpc/gen_ndr/ndr_winbind_c.h"
+
+struct winbindd_pam_chng_pswd_auth_crap_state {
+ struct wbint_PamAuthCrapChangePassword r;
+};
+
+static void winbindd_pam_chng_pswd_auth_crap_done(struct tevent_req *subreq);
+
+struct tevent_req *winbindd_pam_chng_pswd_auth_crap_send(
+ TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request)
+{
+ struct tevent_req *req, *subreq;
+ struct winbindd_pam_chng_pswd_auth_crap_state *state;
+ struct winbindd_domain *domain;
+ const char *domain_name;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct winbindd_pam_chng_pswd_auth_crap_state);
+ if (req == NULL) {
+ return NULL;
+ }
+
+ /* Ensure null termination */
+ request->data.chng_pswd_auth_crap.user[
+ sizeof(request->data.chng_pswd_auth_crap.user)-1]='\0';
+ request->data.chng_pswd_auth_crap.domain[
+ sizeof(request->data.chng_pswd_auth_crap.domain)-1]=0;
+
+ DEBUG(3, ("[%5lu]: pam change pswd auth crap domain: %s user: %s\n",
+ (unsigned long)cli->pid,
+ request->data.chng_pswd_auth_crap.domain,
+ request->data.chng_pswd_auth_crap.user));
+
+ domain_name = NULL;
+ if (*request->data.chng_pswd_auth_crap.domain != '\0') {
+ domain_name = request->data.chng_pswd_auth_crap.domain;
+ } else if (lp_winbind_use_default_domain()) {
+ domain_name = lp_workgroup();
+ }
+
+ domain = NULL;
+ if (domain_name != NULL) {
+ domain = find_domain_from_name(domain_name);
+ }
+
+ if (domain == NULL) {
+ tevent_req_nterror(req, NT_STATUS_NO_SUCH_USER);
+ return tevent_req_post(req, ev);
+ }
+
+ state->r.in.client_pid = request->pid;
+ state->r.in.client_name = talloc_strdup(state, request->client_name);
+ if (tevent_req_nomem(state->r.in.client_name, req)) {
+ return tevent_req_post(req, ev);
+ }
+
+ state->r.in.domain = talloc_strdup(state, domain_name);
+ if (tevent_req_nomem(state->r.in.domain, req)) {
+ return tevent_req_post(req, ev);
+ }
+ state->r.in.user = talloc_strdup(state,
+ request->data.chng_pswd_auth_crap.user);
+ if (tevent_req_nomem(state->r.in.user, req)) {
+ return tevent_req_post(req, ev);
+ }
+
+ state->r.in.new_nt_pswd = data_blob_talloc(state,
+ request->data.chng_pswd_auth_crap.new_nt_pswd,
+ request->data.chng_pswd_auth_crap.new_nt_pswd_len);
+ if (tevent_req_nomem(state->r.in.new_nt_pswd.data, req)) {
+ return tevent_req_post(req, ev);
+ }
+
+ state->r.in.old_nt_hash_enc = data_blob_talloc(state,
+ request->data.chng_pswd_auth_crap.old_nt_hash_enc,
+ request->data.chng_pswd_auth_crap.old_nt_hash_enc_len);
+ if (tevent_req_nomem(state->r.in.old_nt_hash_enc.data, req)) {
+ return tevent_req_post(req, ev);
+ }
+
+ if (request->data.chng_pswd_auth_crap.new_lm_pswd_len > 0) {
+ state->r.in.new_lm_pswd = data_blob_talloc(state,
+ request->data.chng_pswd_auth_crap.new_lm_pswd,
+ request->data.chng_pswd_auth_crap.new_lm_pswd_len);
+ if (tevent_req_nomem(state->r.in.new_lm_pswd.data, req)) {
+ return tevent_req_post(req, ev);
+ }
+
+ state->r.in.old_lm_hash_enc = data_blob_talloc(state,
+ request->data.chng_pswd_auth_crap.old_lm_hash_enc,
+ request->data.chng_pswd_auth_crap.old_lm_hash_enc_len);
+ if (tevent_req_nomem(state->r.in.old_lm_hash_enc.data, req)) {
+ return tevent_req_post(req, ev);
+ }
+ } else {
+ state->r.in.new_lm_pswd = data_blob_null;
+ state->r.in.old_lm_hash_enc = data_blob_null;
+ }
+
+ subreq = dcerpc_wbint_PamAuthCrapChangePassword_r_send(state,
+ global_event_context(),
+ dom_child_handle(domain),
+ &state->r);
+ if (tevent_req_nomem(subreq, req)) {
+ return tevent_req_post(req, ev);
+ }
+ tevent_req_set_callback(subreq, winbindd_pam_chng_pswd_auth_crap_done,
+ req);
+ return req;
+}
+
+static void winbindd_pam_chng_pswd_auth_crap_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct winbindd_pam_chng_pswd_auth_crap_state *state = tevent_req_data(
+ req, struct winbindd_pam_chng_pswd_auth_crap_state);
+ NTSTATUS status;
+
+ status = dcerpc_wbint_PamAuthCrapChangePassword_r_recv(subreq, state);
+ TALLOC_FREE(subreq);
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
+
+ tevent_req_done(req);
+}
+
+NTSTATUS winbindd_pam_chng_pswd_auth_crap_recv(
+ struct tevent_req *req,
+ struct winbindd_response *response)
+{
+ struct winbindd_pam_chng_pswd_auth_crap_state *state = tevent_req_data(
+ req, struct winbindd_pam_chng_pswd_auth_crap_state);
+ NTSTATUS status = NT_STATUS_OK;
+
+ if (tevent_req_is_nterror(req, &status)) {
+ set_auth_errors(response, status);
+ return status;
+ }
+
+ response->result = WINBINDD_PENDING;
+ set_auth_errors(response, state->r.out.result);
+
+ return NT_STATUS(response->data.auth.nt_status);
+}
diff --git a/source3/winbindd/winbindd_pam_logoff.c b/source3/winbindd/winbindd_pam_logoff.c
new file mode 100644
index 0000000..7a3b1b6
--- /dev/null
+++ b/source3/winbindd/winbindd_pam_logoff.c
@@ -0,0 +1,173 @@
+/*
+ Unix SMB/CIFS implementation.
+ async implementation of WINBINDD_PAM_LOGOFF
+ Copyright (C) Volker Lendecke 2010
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "util/debug.h"
+#include "winbindd.h"
+#include "lib/global_contexts.h"
+#include "librpc/gen_ndr/ndr_winbind_c.h"
+
+struct winbindd_pam_logoff_state {
+ struct wbint_PamLogOff r;
+};
+
+static void winbindd_pam_logoff_done(struct tevent_req *subreq);
+
+struct tevent_req *winbindd_pam_logoff_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request)
+{
+ struct tevent_req *req, *subreq;
+ struct winbindd_pam_logoff_state *state;
+ struct winbindd_domain *domain;
+ fstring name_namespace, name_domain, user;
+ uid_t caller_uid;
+ gid_t caller_gid;
+ int res;
+ bool ok;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct winbindd_pam_logoff_state);
+ if (req == NULL) {
+ return NULL;
+ }
+ D_NOTICE("[%s (%u)] Winbind external command PAM_LOGOFF start.\n"
+ "Username '%s' is used during logoff.\n",
+ cli->client_name,
+ (unsigned int)cli->pid,
+ request->data.auth.user);
+ /* Ensure null termination */
+ /* Ensure null termination */
+ request->data.logoff.user[sizeof(request->data.logoff.user)-1]='\0';
+ request->data.logoff.krb5ccname[
+ sizeof(request->data.logoff.krb5ccname)-1]='\0';
+
+ if (request->data.logoff.uid == (uid_t)-1) {
+ goto failed;
+ }
+
+ ok = canonicalize_username(request->data.logoff.user,
+ name_namespace,
+ name_domain,
+ user);
+ if (!ok) {
+ goto failed;
+ }
+
+ domain = find_auth_domain(request->flags, name_namespace);
+ if (domain == NULL) {
+ goto failed;
+ }
+
+ caller_uid = (uid_t)-1;
+
+ res = getpeereid(cli->sock, &caller_uid, &caller_gid);
+ if (res != 0) {
+ D_WARNING("winbindd_pam_logoff: failed to check peerid: %s\n",
+ strerror(errno));
+ goto failed;
+ }
+
+ switch (caller_uid) {
+ case -1:
+ goto failed;
+ case 0:
+ /* root must be able to logoff any user - gd */
+ break;
+ default:
+ if (caller_uid != request->data.logoff.uid) {
+ D_WARNING("caller requested invalid uid\n");
+ goto failed;
+ }
+ break;
+ }
+
+ state->r.in.client_name = talloc_strdup(state, request->client_name);
+ if (tevent_req_nomem(state->r.in.client_name, req)) {
+ return tevent_req_post(req, ev);
+ }
+ state->r.in.client_pid = request->pid;
+
+ state->r.in.flags = request->flags;
+ state->r.in.user = talloc_strdup(state, request->data.logoff.user);
+ if (tevent_req_nomem(state->r.in.user, req)) {
+ return tevent_req_post(req, ev);
+ }
+ state->r.in.uid = request->data.logoff.uid;
+ state->r.in.krb5ccname = talloc_strdup(state,
+ request->data.logoff.krb5ccname);
+ if (tevent_req_nomem(state->r.in.krb5ccname, req)) {
+ return tevent_req_post(req, ev);
+ }
+
+ subreq = dcerpc_wbint_PamLogOff_r_send(state,
+ global_event_context(),
+ dom_child_handle(domain),
+ &state->r);
+ if (tevent_req_nomem(subreq, req)) {
+ return tevent_req_post(req, ev);
+ }
+ tevent_req_set_callback(subreq, winbindd_pam_logoff_done, req);
+ return req;
+
+failed:
+ tevent_req_nterror(req, NT_STATUS_NO_SUCH_USER);
+ return tevent_req_post(req, ev);
+}
+
+static void winbindd_pam_logoff_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct winbindd_pam_logoff_state *state = tevent_req_data(
+ req, struct winbindd_pam_logoff_state);
+ NTSTATUS status;
+
+ status = dcerpc_wbint_PamLogOff_r_recv(subreq, state);
+ TALLOC_FREE(subreq);
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
+
+ tevent_req_done(req);
+}
+
+NTSTATUS winbindd_pam_logoff_recv(struct tevent_req *req,
+ struct winbindd_response *response)
+{
+ struct winbindd_pam_logoff_state *state = tevent_req_data(
+ req, struct winbindd_pam_logoff_state);
+ NTSTATUS status = NT_STATUS_OK;
+
+ D_NOTICE("Winbind external command PAM_LOGOFF end.\n");
+ if (tevent_req_is_nterror(req, &status)) {
+ set_auth_errors(response, status);
+ return status;
+ }
+
+ response->result = WINBINDD_PENDING;
+ set_auth_errors(response, state->r.out.result);
+
+ if (NT_STATUS_IS_OK(state->r.out.result)) {
+ winbindd_delete_memory_creds(state->r.in.user);
+ }
+
+ return NT_STATUS(response->data.auth.nt_status);
+}
diff --git a/source3/winbindd/winbindd_ping_dc.c b/source3/winbindd/winbindd_ping_dc.c
new file mode 100644
index 0000000..8f56a9e
--- /dev/null
+++ b/source3/winbindd/winbindd_ping_dc.c
@@ -0,0 +1,140 @@
+/*
+ Unix SMB/CIFS implementation.
+ async implementation of WINBINDD_PING_DC
+ Copyright (C) Volker Lendecke 2009
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "winbindd.h"
+#include "librpc/gen_ndr/ndr_winbind_c.h"
+
+struct winbindd_ping_dc_state {
+ const char *dcname;
+ NTSTATUS result;
+};
+
+static void winbindd_ping_dc_done(struct tevent_req *subreq);
+
+struct tevent_req *winbindd_ping_dc_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request)
+{
+ struct tevent_req *req, *subreq;
+ struct winbindd_ping_dc_state *state;
+ struct winbindd_domain *domain;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct winbindd_ping_dc_state);
+ if (req == NULL) {
+ return NULL;
+ }
+
+ if (request->domain_name[0] == '\0') {
+ /* preserve old behavior, when no domain name is given */
+ domain = find_our_domain();
+ } else {
+ domain = find_trust_from_name_noinit(request->domain_name);
+ }
+ if (domain == NULL) {
+ tevent_req_nterror(req, NT_STATUS_NO_SUCH_DOMAIN);
+ return tevent_req_post(req, ev);
+ }
+ if (domain->internal) {
+ const char *d = lp_dnsdomain();
+ const char *n = lp_netbios_name();
+
+ /*
+ * Internal domains are passdb based, we can always
+ * contact them.
+ */
+
+ if (d != NULL) {
+ char *h;
+ h = strlower_talloc(mem_ctx, n);
+ if (tevent_req_nomem(h, req)) {
+ return tevent_req_post(req, ev);
+ }
+
+ state->dcname = talloc_asprintf(state, "%s.%s", h, d);
+ TALLOC_FREE(h);
+
+ if (tevent_req_nomem(state->dcname, req)) {
+ return tevent_req_post(req, ev);
+ }
+ } else {
+ state->dcname = talloc_strdup(state, n);
+ if (tevent_req_nomem(state->dcname, req)) {
+ return tevent_req_post(req, ev);
+ }
+ }
+
+ tevent_req_done(req);
+ return tevent_req_post(req, ev);
+ }
+
+ subreq = dcerpc_wbint_PingDc_send(state, ev, dom_child_handle(domain),
+ &state->dcname);
+ if (tevent_req_nomem(subreq, req)) {
+ return tevent_req_post(req, ev);
+ }
+ tevent_req_set_callback(subreq, winbindd_ping_dc_done, req);
+ return req;
+}
+
+static void winbindd_ping_dc_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct winbindd_ping_dc_state *state = tevent_req_data(
+ req, struct winbindd_ping_dc_state);
+ NTSTATUS status, result;
+
+ status = dcerpc_wbint_PingDc_recv(subreq, state, &result);
+ state->result = result;
+ if (any_nt_status_not_ok(status, result, &status)) {
+ tevent_req_nterror(req, status);
+ return;
+ }
+ tevent_req_done(req);
+}
+
+NTSTATUS winbindd_ping_dc_recv(struct tevent_req *req,
+ struct winbindd_response *presp)
+{
+ struct winbindd_ping_dc_state *state = tevent_req_data(
+ req, struct winbindd_ping_dc_state);
+ NTSTATUS status;
+
+ if (tevent_req_is_nterror(req, &status)) {
+ return status;
+ }
+
+ if (!NT_STATUS_IS_OK(state->result)) {
+ set_auth_errors(presp, state->result);
+ }
+
+ if (state->dcname) {
+ presp->extra_data.data = talloc_strdup(presp, state->dcname);
+ if (presp->extra_data.data == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ presp->length += strlen((char *)presp->extra_data.data) + 1;
+ }
+
+ tevent_req_received(req);
+ return NT_STATUS_OK;
+}
diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h
new file mode 100644
index 0000000..0da731d
--- /dev/null
+++ b/source3/winbindd/winbindd_proto.h
@@ -0,0 +1,996 @@
+/*
+ * Unix SMB/CIFS implementation.
+ * collected prototypes header
+ *
+ * frozen from "make proto" in May 2008
+ *
+ * Copyright (C) Michael Adam 2008
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef _WINBINDD_PROTO_H_
+#define _WINBINDD_PROTO_H_
+
+/* The following definitions come from winbindd/winbindd.c */
+struct imessaging_context *winbind_imessaging_context(void);
+void winbindd_terminate(bool is_parent);
+bool winbindd_setup_sig_term_handler(bool parent);
+bool winbindd_setup_stdin_handler(bool parent, bool foreground);
+bool winbindd_setup_sig_hup_handler(const char *lfile);
+bool winbindd_use_idmap_cache(void);
+bool winbindd_use_cache(void);
+void winbindd_set_use_cache(bool use_cache);
+char *get_winbind_priv_pipe_dir(void);
+void winbindd_flush_caches(void);
+bool winbindd_reload_services_file(const char *lfile);
+
+/* The following definitions come from winbindd/winbindd_ads.c */
+
+/* The following definitions come from winbindd/winbindd_rpc.c */
+
+NTSTATUS winbindd_lookup_sids(TALLOC_CTX *mem_ctx,
+ struct winbindd_domain *domain,
+ uint32_t num_sids,
+ const struct dom_sid *sids,
+ char ***domains,
+ char ***names,
+ enum lsa_SidType **types);
+NTSTATUS rpc_lookup_sids(TALLOC_CTX *mem_ctx,
+ struct winbindd_domain *domain,
+ struct lsa_SidArray *sids,
+ struct lsa_RefDomainList **pdomains,
+ struct lsa_TransNameArray **pnames);
+
+/* The following definitions come from winbindd/winbindd_cache.c */
+
+NTSTATUS wb_cache_query_user_list(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ uint32_t **prids);
+NTSTATUS wb_cache_enum_dom_groups(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ uint32_t *num_entries,
+ struct wb_acct_info **info);
+NTSTATUS wb_cache_enum_local_groups(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ uint32_t *num_entries,
+ struct wb_acct_info **info);
+NTSTATUS wb_cache_name_to_sid(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ const char *domain_name,
+ const char *name,
+ uint32_t flags,
+ struct dom_sid *sid,
+ enum lsa_SidType *type);
+NTSTATUS wb_cache_sid_to_name(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ const struct dom_sid *sid,
+ char **domain_name,
+ char **name,
+ enum lsa_SidType *type);
+NTSTATUS wb_cache_rids_to_names(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ const struct dom_sid *domain_sid,
+ uint32_t *rids,
+ size_t num_rids,
+ char **domain_name,
+ char ***names,
+ enum lsa_SidType **types);
+NTSTATUS wb_cache_lookup_usergroups(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ const struct dom_sid *user_sid,
+ uint32_t *pnum_sids,
+ struct dom_sid **psids);
+NTSTATUS wb_cache_lookup_useraliases(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ uint32_t num_sids,
+ const struct dom_sid *sids,
+ uint32_t *num_aliases,
+ uint32_t **alias_rids);
+NTSTATUS wb_cache_lookup_groupmem(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ const struct dom_sid *group_sid,
+ enum lsa_SidType type,
+ uint32_t *num_names,
+ struct dom_sid **sid_mem,
+ char ***names,
+ uint32_t **name_types);
+NTSTATUS wb_cache_sequence_number(struct winbindd_domain *domain,
+ uint32_t *seq);
+NTSTATUS wb_cache_lockout_policy(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ struct samr_DomInfo12 *policy);
+NTSTATUS wb_cache_password_policy(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ struct samr_DomInfo1 *policy);
+NTSTATUS wb_cache_trusted_domains(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ struct netr_DomainTrustList *trusts);
+
+NTSTATUS wcache_cached_creds_exist(struct winbindd_domain *domain, const struct dom_sid *sid);
+NTSTATUS wcache_get_creds(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ const struct dom_sid *sid,
+ const uint8_t **cached_nt_pass,
+ const uint8_t **cached_salt);
+NTSTATUS wcache_save_creds(struct winbindd_domain *domain,
+ const struct dom_sid *sid,
+ const uint8_t nt_pass[NT_HASH_LEN]);
+void wcache_invalidate_samlogon(struct winbindd_domain *domain,
+ const struct dom_sid *user_sid);
+bool wcache_invalidate_cache(void);
+bool wcache_invalidate_cache_noinit(void);
+bool initialize_winbindd_cache(void);
+void close_winbindd_cache(void);
+bool lookup_cached_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid,
+ char **domain_name, char **name,
+ enum lsa_SidType *type);
+bool lookup_cached_name(const char *namespace,
+ const char *domain_name,
+ const char *name,
+ struct dom_sid *sid,
+ enum lsa_SidType *type);
+void cache_name2sid_trusted(struct winbindd_domain *domain,
+ const char *domain_name,
+ const char *name,
+ enum lsa_SidType type,
+ const struct dom_sid *sid);
+void cache_name2sid(struct winbindd_domain *domain,
+ const char *domain_name, const char *name,
+ enum lsa_SidType type, const struct dom_sid *sid);
+NTSTATUS wcache_query_user_fullname(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ const struct dom_sid *user_sid,
+ const char **full_name);
+
+NTSTATUS wcache_count_cached_creds(struct winbindd_domain *domain, int *count);
+NTSTATUS wcache_remove_oldest_cached_creds(struct winbindd_domain *domain, const struct dom_sid *sid) ;
+bool set_global_winbindd_state_offline(void);
+void set_global_winbindd_state_online(void);
+bool get_global_winbindd_state_offline(void);
+int winbindd_validate_cache(void);
+int winbindd_validate_cache_nobackup(void);
+bool winbindd_cache_validate_and_initialize(void);
+bool wcache_tdc_fetch_list( struct winbindd_tdc_domain **domains, size_t *num_domains );
+bool wcache_tdc_add_domain( struct winbindd_domain *domain );
+struct winbindd_tdc_domain * wcache_tdc_fetch_domain( TALLOC_CTX *ctx, const char *name );
+void wcache_tdc_clear( void );
+bool wcache_store_seqnum(const char *domain_name, uint32_t seqnum,
+ time_t last_seq_check);
+bool wcache_fetch_ndr(TALLOC_CTX *mem_ctx, struct winbindd_domain *domain,
+ uint32_t opnum, const DATA_BLOB *req, DATA_BLOB *resp);
+void wcache_store_ndr(struct winbindd_domain *domain, uint32_t opnum,
+ const DATA_BLOB *req, const DATA_BLOB *resp);
+
+/* The following definitions come from winbindd/winbindd_ccache_access.c */
+
+bool winbindd_ccache_ntlm_auth(struct winbindd_cli_state *state);
+enum winbindd_result winbindd_dual_ccache_ntlm_auth(struct winbindd_domain *domain,
+ struct winbindd_cli_state *state);
+bool winbindd_ccache_save(struct winbindd_cli_state *state);
+
+/* The following definitions come from winbindd/winbindd_cm.c */
+void winbind_msg_domain_offline(struct messaging_context *msg_ctx,
+ void *private_data,
+ uint32_t msg_type,
+ struct server_id server_id,
+ DATA_BLOB *data);
+void winbind_msg_domain_online(struct messaging_context *msg_ctx,
+ void *private_data,
+ uint32_t msg_type,
+ struct server_id server_id,
+ DATA_BLOB *data);
+
+void set_domain_offline(struct winbindd_domain *domain);
+void set_domain_online_request(struct winbindd_domain *domain);
+
+struct ndr_interface_table;
+NTSTATUS wb_open_internal_pipe(TALLOC_CTX *mem_ctx,
+ const struct ndr_interface_table *table,
+ struct rpc_pipe_client **ret_pipe);
+void invalidate_cm_connection(struct winbindd_domain *domain);
+void close_conns_after_fork(void);
+NTSTATUS init_dc_connection(struct winbindd_domain *domain, bool need_rw_dc);
+NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
+ bool need_rw_dc,
+ struct rpc_pipe_client **cli, struct policy_handle *sam_handle);
+NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
+ struct rpc_pipe_client **cli, struct policy_handle *lsa_policy);
+NTSTATUS cm_connect_lsat(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ struct rpc_pipe_client **cli,
+ struct policy_handle *lsa_policy);
+NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
+ struct rpc_pipe_client **cli);
+NTSTATUS cm_connect_netlogon_secure(struct winbindd_domain *domain,
+ struct rpc_pipe_client **cli,
+ struct netlogon_creds_cli_context **ppdc);
+bool fetch_current_dc_from_gencache(TALLOC_CTX *mem_ctx,
+ const char *domain_name,
+ char **p_dc_name, char **p_dc_ip);
+
+/* The following definitions come from winbindd/winbindd_cred_cache.c */
+
+bool ccache_entry_exists(const char *username);
+bool ccache_entry_identical(const char *username,
+ uid_t uid,
+ const char *ccname);
+void ccache_remove_all_after_fork(void);
+void ccache_regain_all_now(void);
+NTSTATUS add_ccache_to_list(const char *princ_name,
+ const char *ccname,
+ const char *username,
+ const char *password,
+ const char *realm,
+ uid_t uid,
+ time_t create_time,
+ time_t ticket_end,
+ time_t renew_until,
+ bool postponed_request,
+ const char *canon_principal,
+ const char *canon_realm);
+NTSTATUS remove_ccache(const char *username);
+struct WINBINDD_MEMORY_CREDS *find_memory_creds_by_name(const char *username);
+NTSTATUS winbindd_add_memory_creds(const char *username,
+ uid_t uid,
+ const char *pass);
+NTSTATUS winbindd_delete_memory_creds(const char *username);
+NTSTATUS winbindd_replace_memory_creds(const char *username,
+ const char *pass);
+
+/* The following definitions come from winbindd/winbindd_creds.c */
+
+NTSTATUS winbindd_get_creds(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ const struct dom_sid *sid,
+ struct netr_SamInfo3 **info3,
+ const uint8_t **cached_nt_pass,
+ const uint8_t **cred_salt);
+NTSTATUS winbindd_store_creds(struct winbindd_domain *domain,
+ const char *user,
+ const char *pass,
+ struct netr_SamInfo3 *info3);
+NTSTATUS winbindd_update_creds_by_info3(struct winbindd_domain *domain,
+ const char *user,
+ const char *pass,
+ struct netr_SamInfo3 *info3);
+NTSTATUS winbindd_update_creds_by_name(struct winbindd_domain *domain,
+ const char *user,
+ const char *pass);
+
+/* The following definitions come from winbindd/winbindd_domain.c */
+
+void setup_domain_child(struct winbindd_domain *domain);
+
+/* The following definitions come from winbindd/winbindd_dual.c */
+
+struct dcerpc_binding_handle *dom_child_handle(struct winbindd_domain *domain);
+
+struct tevent_req *wb_child_request_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_child *child,
+ struct winbindd_request *request);
+int wb_child_request_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
+ struct winbindd_response **presponse, int *err);
+struct tevent_req *wb_domain_request_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_domain *domain,
+ struct winbindd_request *request);
+int wb_domain_request_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
+ struct winbindd_response **presponse, int *err);
+
+void setup_child(struct winbindd_domain *domain, struct winbindd_child *child,
+ const char *logprefix,
+ const char *logname);
+void winbind_child_died(pid_t pid);
+void winbindd_flush_negative_conn_cache(struct winbindd_domain *domain);
+void winbind_msg_debug(struct messaging_context *msg_ctx,
+ void *private_data,
+ uint32_t msg_type,
+ struct server_id server_id,
+ DATA_BLOB *data);
+void winbind_disconnect_dc_parent(struct messaging_context *msg_ctx,
+ void *private_data,
+ uint32_t msg_type,
+ struct server_id server_id,
+ DATA_BLOB *data);
+void winbind_msg_offline(struct messaging_context *msg_ctx,
+ void *private_data,
+ uint32_t msg_type,
+ struct server_id server_id,
+ DATA_BLOB *data);
+void winbind_msg_online(struct messaging_context *msg_ctx,
+ void *private_data,
+ uint32_t msg_type,
+ struct server_id server_id,
+ DATA_BLOB *data);
+void winbind_msg_onlinestatus(struct messaging_context *msg_ctx,
+ void *private_data,
+ uint32_t msg_type,
+ struct server_id server_id,
+ DATA_BLOB *data);
+void winbind_msg_dump_event_list(struct messaging_context *msg_ctx,
+ void *private_data,
+ uint32_t msg_type,
+ struct server_id server_id,
+ DATA_BLOB *data);
+void winbind_msg_dump_domain_list(struct messaging_context *msg_ctx,
+ void *private_data,
+ uint32_t msg_type,
+ struct server_id server_id,
+ DATA_BLOB *data);
+void winbind_msg_ip_dropped(struct messaging_context *msg_ctx,
+ void *private_data,
+ uint32_t msg_type,
+ struct server_id server_id,
+ DATA_BLOB *data);
+void winbind_msg_disconnect_dc(struct messaging_context *msg_ctx,
+ void *private_data,
+ uint32_t msg_type,
+ struct server_id server_id,
+ DATA_BLOB *data);
+void winbind_msg_ip_dropped_parent(struct messaging_context *msg_ctx,
+ void *private_data,
+ uint32_t msg_type,
+ struct server_id server_id,
+ DATA_BLOB *data);
+void winbindd_msg_reload_services_parent(struct messaging_context *msg,
+ void *private_data,
+ uint32_t msg_type,
+ struct server_id server_id,
+ DATA_BLOB *data);
+NTSTATUS winbindd_reinit_after_fork(const struct winbindd_child *myself,
+ const char *logfilename);
+struct winbindd_domain *wb_child_domain(void);
+
+/* The following definitions come from winbindd/winbindd_group.c */
+bool fill_grent(TALLOC_CTX *mem_ctx, struct winbindd_gr *gr,
+ const char *dom_name, const char *gr_name, gid_t unix_gid);
+
+struct db_context;
+NTSTATUS winbindd_print_groupmembers(struct db_context *members,
+ TALLOC_CTX *mem_ctx,
+ int *num_members, char **result);
+
+
+/* The following definitions come from winbindd/winbindd_idmap.c */
+
+struct tevent_req *wb_parent_idmap_setup_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev);
+NTSTATUS wb_parent_idmap_setup_recv(struct tevent_req *req,
+ const struct wb_parent_idmap_config **_cfg);
+
+void init_idmap_child(void);
+struct winbindd_child *idmap_child(void);
+bool is_idmap_child(const struct winbindd_child *child);
+pid_t idmap_child_pid(void);
+struct dcerpc_binding_handle *idmap_child_handle(void);
+struct idmap_domain *idmap_find_domain_with_sid(const char *domname,
+ const struct dom_sid *sid);
+const char *idmap_config_const_string(const char *domname, const char *option,
+ const char *def);
+bool idmap_config_bool(const char *domname, const char *option, bool def);
+int idmap_config_int(const char *domname, const char *option, int def);
+bool domain_has_idmap_config(const char *domname);
+bool lp_scan_idmap_domains(bool (*fn)(const char *domname,
+ void *private_data),
+ void *private_data);
+
+/* The following definitions come from winbindd/winbindd_locator.c */
+
+void init_locator_child(void);
+struct winbindd_child *locator_child(void);
+struct dcerpc_binding_handle *locator_child_handle(void);
+
+/* The following definitions come from winbindd/winbindd_misc.c */
+
+bool winbindd_list_trusted_domains(struct winbindd_cli_state *state);
+bool winbindd_dc_info(struct winbindd_cli_state *state);
+bool winbindd_ping(struct winbindd_cli_state *state);
+bool winbindd_info(struct winbindd_cli_state *state);
+bool winbindd_interface_version(struct winbindd_cli_state *state);
+bool winbindd_domain_name(struct winbindd_cli_state *state);
+bool winbindd_netbios_name(struct winbindd_cli_state *state);
+bool winbindd_priv_pipe_dir(struct winbindd_cli_state *state);
+
+/* The following definitions come from winbindd/winbindd_ndr.c */
+struct ndr_print;
+void ndr_print_winbindd_child(struct ndr_print *ndr,
+ const char *name,
+ const struct winbindd_child *r);
+void ndr_print_winbindd_cm_conn(struct ndr_print *ndr,
+ const char *name,
+ const struct winbindd_cm_conn *r);
+void ndr_print_winbindd_methods(struct ndr_print *ndr,
+ const char *name,
+ const struct winbindd_methods *r);
+void ndr_print_winbindd_domain(struct ndr_print *ndr,
+ const char *name,
+ const struct winbindd_domain *r);
+
+/* The following definitions come from winbindd/winbindd_pam.c */
+
+bool check_request_flags(uint32_t flags);
+NTSTATUS append_auth_data(TALLOC_CTX *mem_ctx,
+ struct winbindd_response *resp,
+ uint32_t request_flags,
+ uint16_t validation_level,
+ union netr_Validation *validation,
+ const char *name_domain,
+ const char *name_user);
+NTSTATUS extra_data_to_sid_array(const char *group_sid,
+ TALLOC_CTX *mem_ctx,
+ struct wbint_SidArray **_sid_array);
+uid_t get_uid_from_request(struct winbindd_request *request);
+struct winbindd_domain *find_auth_domain(uint8_t flags,
+ const char *domain_name);
+struct pipes_struct;
+struct wbint_PamAuth;
+NTSTATUS _wbint_PamAuth(struct pipes_struct *p,
+ struct wbint_PamAuth *r);
+NTSTATUS _wbint_PamAuthCrap(struct pipes_struct *p,
+ struct wbint_PamAuthCrap *r);
+NTSTATUS _wbint_PamAuthChangePassword(struct pipes_struct *p,
+ struct wbint_PamAuthChangePassword *r);
+NTSTATUS _wbint_PamLogOff(struct pipes_struct *p,
+ struct wbint_PamLogOff *r);
+NTSTATUS _wbint_PamAuthCrapChangePassword(struct pipes_struct *p,
+ struct wbint_PamAuthCrapChangePassword *r);
+NTSTATUS winbindd_pam_auth_pac_verify(struct winbindd_cli_state *state,
+ TALLOC_CTX *mem_ctx,
+ bool *p_is_trusted,
+ uint16_t *p_validation_level,
+ union netr_Validation **p_validation);
+
+NTSTATUS winbind_dual_SamLogon(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ bool interactive,
+ uint32_t logon_parameters,
+ const char *name_user,
+ const char *name_domain,
+ const char *workstation,
+ const uint64_t logon_id,
+ const char *client_name,
+ const int pid,
+ DATA_BLOB chal,
+ DATA_BLOB lm_response,
+ DATA_BLOB nt_response,
+ const struct tsocket_address *remote,
+ const struct tsocket_address *local,
+ uint8_t *authoritative,
+ bool skip_sam,
+ uint32_t *flags,
+ uint16_t *_validation_level,
+ union netr_Validation **_validation);
+
+/* The following definitions come from winbindd/winbindd_util.c */
+
+struct winbindd_domain *domain_list(void);
+struct winbindd_domain *wb_next_domain(struct winbindd_domain *domain);
+bool set_routing_domain(struct winbindd_domain *domain,
+ struct winbindd_domain *routing_domain);
+bool add_trusted_domain_from_auth(uint16_t validation_level,
+ struct info3_text *info3,
+ struct info6_text *info6);
+bool domain_is_forest_root(const struct winbindd_domain *domain);
+void rescan_trusted_domains(struct tevent_context *ev, struct tevent_timer *te,
+ struct timeval now, void *private_data);
+void winbindd_ping_offline_domains(struct tevent_context *ev,
+ struct tevent_timer *te,
+ struct timeval now,
+ void *private_data);
+bool init_domain_list(void);
+struct winbindd_domain *find_domain_from_name_noinit(const char *domain_name);
+struct winbindd_domain *find_trust_from_name_noinit(const char *domain_name);
+struct winbindd_domain *find_domain_from_name(const char *domain_name);
+struct winbindd_domain *find_domain_from_sid_noinit(const struct dom_sid *sid);
+struct winbindd_domain *find_trust_from_sid_noinit(const struct dom_sid *sid);
+struct winbindd_domain *find_domain_from_sid(const struct dom_sid *sid);
+struct winbindd_domain *find_our_domain(void);
+struct winbindd_domain *find_default_route_domain(void);
+struct winbindd_domain *find_lookup_domain_from_sid(const struct dom_sid *sid);
+struct winbindd_domain *find_lookup_domain_from_name(const char *domain_name);
+bool parse_domain_user(const char *domuser,
+ fstring namespace,
+ fstring domain,
+ fstring user);
+bool canonicalize_username(fstring username_inout,
+ fstring namespace,
+ fstring domain,
+ fstring user);
+char *fill_domain_username_talloc(TALLOC_CTX *ctx,
+ const char *domain,
+ const char *user,
+ bool can_assume);
+struct winbindd_cli_state *winbindd_client_list(void);
+struct winbindd_cli_state *winbindd_client_list_tail(void);
+struct winbindd_cli_state *
+winbindd_client_list_prev(struct winbindd_cli_state *cli);
+void winbindd_add_client(struct winbindd_cli_state *cli);
+void winbindd_remove_client(struct winbindd_cli_state *cli);
+void winbindd_promote_client(struct winbindd_cli_state *cli);
+int winbindd_num_clients(void);
+NTSTATUS lookup_usergroups_cached(TALLOC_CTX *mem_ctx,
+ const struct dom_sid *user_sid,
+ uint32_t *p_num_groups, struct dom_sid **user_sids);
+
+NTSTATUS normalize_name_map(TALLOC_CTX *mem_ctx,
+ const char *domain_name,
+ const char *name,
+ char **normalized);
+NTSTATUS normalize_name_unmap(TALLOC_CTX *mem_ctx,
+ const char *name,
+ char **normalized);
+
+NTSTATUS resolve_username_to_alias(TALLOC_CTX *mem_ctx,
+ struct winbindd_domain *domain,
+ const char *name, char **alias);
+NTSTATUS resolve_alias_to_username(TALLOC_CTX *mem_ctx,
+ struct winbindd_domain *domain,
+ const char *alias, char **name);
+
+bool winbindd_can_contact_domain(struct winbindd_domain *domain);
+void winbindd_set_locator_kdc_envs(const struct winbindd_domain *domain);
+void winbindd_unset_locator_kdc_env(const struct winbindd_domain *domain);
+void winbindd_set_locator_kdc_envs(const struct winbindd_domain *domain);
+void winbindd_unset_locator_kdc_env(const struct winbindd_domain *domain);
+void set_auth_errors(struct winbindd_response *resp, NTSTATUS result);
+bool is_domain_offline(const struct winbindd_domain *domain);
+bool is_domain_online(const struct winbindd_domain *domain);
+bool parse_sidlist(TALLOC_CTX *mem_ctx, const char *sidstr,
+ struct dom_sid **sids, uint32_t *num_sids);
+bool parse_xidlist(TALLOC_CTX *mem_ctx, const char *xidstr,
+ struct unixid **pxids, uint32_t *pnum_xids);
+
+/* The following definitions come from winbindd/winbindd_wins.c */
+
+void winbindd_wins_byname(struct winbindd_cli_state *state);
+
+struct dcerpc_binding_handle *wbint_binding_handle(TALLOC_CTX *mem_ctx,
+ struct winbindd_domain *domain,
+ struct winbindd_child *child);
+enum winbindd_result winbindd_dual_ndrcmd(struct winbindd_domain *domain,
+ struct winbindd_cli_state *state);
+
+struct tevent_req *wb_lookupsid_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ const struct dom_sid *sid);
+NTSTATUS wb_lookupsid_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
+ enum lsa_SidType *type, const char **domain,
+ const char **name);
+
+struct tevent_req *winbindd_lookupsid_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request);
+NTSTATUS winbindd_lookupsid_recv(struct tevent_req *req,
+ struct winbindd_response *response);
+
+struct tevent_req *winbindd_lookupsids_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request);
+NTSTATUS winbindd_lookupsids_recv(struct tevent_req *req,
+ struct winbindd_response *response);
+
+struct tevent_req *wb_lookupname_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ const char *namespace,
+ const char *dom_name,
+ const char *name,
+ uint32_t flags);
+NTSTATUS wb_lookupname_recv(struct tevent_req *req, struct dom_sid *sid,
+ enum lsa_SidType *type);
+
+struct tevent_req *winbindd_lookupname_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request);
+NTSTATUS winbindd_lookupname_recv(struct tevent_req *req,
+ struct winbindd_response *response);
+
+struct tevent_req *winbindd_allocate_uid_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request);
+NTSTATUS winbindd_allocate_uid_recv(struct tevent_req *req,
+ struct winbindd_response *response);
+
+struct tevent_req *winbindd_allocate_gid_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request);
+NTSTATUS winbindd_allocate_gid_recv(struct tevent_req *req,
+ struct winbindd_response *response);
+
+struct tevent_req *wb_queryuser_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ const struct dom_sid *user_sid);
+NTSTATUS wb_queryuser_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
+ struct wbint_userinfo **pinfo);
+
+struct tevent_req *wb_getpwsid_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ const struct dom_sid *user_sid,
+ struct winbindd_pw *pw);
+NTSTATUS wb_getpwsid_recv(struct tevent_req *req);
+
+struct tevent_req *winbindd_getpwsid_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request);
+NTSTATUS winbindd_getpwsid_recv(struct tevent_req *req,
+ struct winbindd_response *response);
+
+struct tevent_req *winbindd_getpwnam_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request);
+NTSTATUS winbindd_getpwnam_recv(struct tevent_req *req,
+ struct winbindd_response *response);
+
+struct tevent_req *winbindd_getpwuid_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request);
+NTSTATUS winbindd_getpwuid_recv(struct tevent_req *req,
+ struct winbindd_response *response);
+struct tevent_req *wb_lookupuseraliases_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_domain *domain,
+ uint32_t num_sids,
+ const struct dom_sid *sids);
+NTSTATUS wb_lookupuseraliases_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
+ uint32_t *num_aliases, uint32_t **aliases);
+struct tevent_req *winbindd_getsidaliases_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request);
+NTSTATUS winbindd_getsidaliases_recv(struct tevent_req *req,
+ struct winbindd_response *response);
+struct tevent_req *wb_lookupusergroups_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ const struct dom_sid *sid);
+NTSTATUS wb_lookupusergroups_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
+ uint32_t *num_sids, struct dom_sid **sids);
+
+struct tevent_req *winbindd_getuserdomgroups_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request);
+NTSTATUS winbindd_getuserdomgroups_recv(struct tevent_req *req,
+ struct winbindd_response *response);
+struct tevent_req *wb_gettoken_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ const struct dom_sid *sid,
+ bool expand_local_aliases);
+NTSTATUS wb_gettoken_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
+ uint32_t *num_sids, struct dom_sid **sids);
+struct tevent_req *winbindd_getgroups_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request);
+NTSTATUS winbindd_getgroups_recv(struct tevent_req *req,
+ struct winbindd_response *response);
+
+struct tevent_req *wb_seqnum_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_domain *domain);
+NTSTATUS wb_seqnum_recv(struct tevent_req *req, uint32_t *seqnum);
+
+struct tevent_req *wb_seqnums_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev);
+NTSTATUS wb_seqnums_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
+ int *num_domains, struct winbindd_domain ***domains,
+ NTSTATUS **stati, uint32_t **seqnums);
+
+struct tevent_req *winbindd_show_sequence_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request);
+NTSTATUS winbindd_show_sequence_recv(struct tevent_req *req,
+ struct winbindd_response *response);
+
+struct tevent_req *wb_group_members_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ const struct dom_sid *sid,
+ enum lsa_SidType type,
+ int max_depth);
+NTSTATUS wb_group_members_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
+ struct db_context **members);
+NTSTATUS add_member_to_db(struct db_context *db, struct dom_sid *sid,
+ const char *name);
+
+struct tevent_req *wb_getgrsid_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ const struct dom_sid *group_sid,
+ int max_nesting);
+NTSTATUS wb_getgrsid_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
+ const char **domname, const char **name, gid_t *gid,
+ struct db_context **members);
+
+struct tevent_req *winbindd_getgrgid_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request);
+NTSTATUS winbindd_getgrgid_recv(struct tevent_req *req,
+ struct winbindd_response *response);
+
+struct tevent_req *winbindd_getgrnam_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request);
+NTSTATUS winbindd_getgrnam_recv(struct tevent_req *req,
+ struct winbindd_response *response);
+
+struct tevent_req *winbindd_getusersids_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request);
+NTSTATUS winbindd_getusersids_recv(struct tevent_req *req,
+ struct winbindd_response *response);
+
+struct tevent_req *winbindd_lookuprids_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request);
+NTSTATUS winbindd_lookuprids_recv(struct tevent_req *req,
+ struct winbindd_response *response);
+
+struct tevent_req *wb_query_user_list_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_domain *domain);
+NTSTATUS wb_query_user_list_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
+ char **users);
+
+struct tevent_req *wb_query_group_list_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_domain *domain);
+NTSTATUS wb_query_group_list_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
+ uint32_t *num_users,
+ struct wbint_Principal **groups);
+
+struct tevent_req *wb_next_pwent_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct getpwent_state *gstate,
+ struct winbindd_pw *pw);
+NTSTATUS wb_next_pwent_recv(struct tevent_req *req);
+
+struct tevent_req *winbindd_setpwent_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request);
+NTSTATUS winbindd_setpwent_recv(struct tevent_req *req,
+ struct winbindd_response *presp);
+
+struct tevent_req *winbindd_getpwent_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request);
+NTSTATUS winbindd_getpwent_recv(struct tevent_req *req,
+ struct winbindd_response *response);
+
+struct tevent_req *winbindd_endpwent_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request);
+NTSTATUS winbindd_endpwent_recv(struct tevent_req *req,
+ struct winbindd_response *response);
+
+struct tevent_req *winbindd_dsgetdcname_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request);
+NTSTATUS winbindd_dsgetdcname_recv(struct tevent_req *req,
+ struct winbindd_response *response);
+
+struct tevent_req *wb_dsgetdcname_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ const char *domain_name,
+ const struct GUID *domain_guid,
+ const char *site_name,
+ uint32_t flags);
+NTSTATUS wb_dsgetdcname_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
+ struct netr_DsRGetDCNameInfo **pdcinfo);
+NTSTATUS wb_dsgetdcname_gencache_set(const char *domname,
+ struct netr_DsRGetDCNameInfo *dcinfo);
+NTSTATUS wb_dsgetdcname_gencache_get(TALLOC_CTX *mem_ctx,
+ const char *domname,
+ struct netr_DsRGetDCNameInfo **dcinfo);
+
+struct tevent_req *winbindd_getdcname_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request);
+NTSTATUS winbindd_getdcname_recv(struct tevent_req *req,
+ struct winbindd_response *response);
+
+struct tevent_req *wb_next_grent_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ int max_nesting,
+ struct getgrent_state *gstate,
+ struct winbindd_gr *gr);
+NTSTATUS wb_next_grent_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
+ struct db_context **members);
+
+struct tevent_req *winbindd_setgrent_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request);
+NTSTATUS winbindd_setgrent_recv(struct tevent_req *req,
+ struct winbindd_response *response);
+struct tevent_req *winbindd_getgrent_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request);
+NTSTATUS winbindd_getgrent_recv(struct tevent_req *req,
+ struct winbindd_response *response);
+struct tevent_req *winbindd_endgrent_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request);
+NTSTATUS winbindd_endgrent_recv(struct tevent_req *req,
+ struct winbindd_response *response);
+
+struct tevent_req *winbindd_list_users_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request);
+NTSTATUS winbindd_list_users_recv(struct tevent_req *req,
+ struct winbindd_response *response);
+
+struct tevent_req *winbindd_list_groups_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request);
+NTSTATUS winbindd_list_groups_recv(struct tevent_req *req,
+ struct winbindd_response *response);
+
+struct tevent_req *winbindd_check_machine_acct_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request);
+NTSTATUS winbindd_check_machine_acct_recv(struct tevent_req *req,
+ struct winbindd_response *presp);
+
+struct tevent_req *winbindd_ping_dc_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request);
+NTSTATUS winbindd_ping_dc_recv(struct tevent_req *req,
+ struct winbindd_response *presp);
+
+struct tevent_req *winbindd_change_machine_acct_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request);
+NTSTATUS winbindd_change_machine_acct_recv(struct tevent_req *req,
+ struct winbindd_response *presp);
+
+struct tevent_req *winbindd_pam_auth_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request);
+NTSTATUS winbindd_pam_auth_recv(struct tevent_req *req,
+ struct winbindd_response *response);
+
+struct tevent_req *winbindd_pam_auth_crap_send(
+ TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request);
+NTSTATUS winbindd_pam_auth_crap_recv(struct tevent_req *req,
+ struct winbindd_response *response);
+
+struct tevent_req *winbindd_pam_chauthtok_send(
+ TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request);
+NTSTATUS winbindd_pam_chauthtok_recv(struct tevent_req *req,
+ struct winbindd_response *response);
+
+struct tevent_req *winbindd_pam_logoff_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request);
+NTSTATUS winbindd_pam_logoff_recv(struct tevent_req *req,
+ struct winbindd_response *response);
+
+struct tevent_req *winbindd_pam_chng_pswd_auth_crap_send(
+ TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request);
+NTSTATUS winbindd_pam_chng_pswd_auth_crap_recv(
+ struct tevent_req *req,
+ struct winbindd_response *response);
+
+struct tevent_req *wb_lookupsids_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct dom_sid *sids,
+ uint32_t num_sids);
+NTSTATUS wb_lookupsids_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
+ struct lsa_RefDomainList **domains,
+ struct lsa_TransNameArray **names);
+
+struct tevent_req *wb_sids2xids_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ const struct dom_sid *sids,
+ const uint32_t num_sids);
+NTSTATUS wb_sids2xids_recv(struct tevent_req *req,
+ struct unixid xids[], uint32_t num_xids);
+struct tevent_req *winbindd_sids_to_xids_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request);
+NTSTATUS winbindd_sids_to_xids_recv(struct tevent_req *req,
+ struct winbindd_response *response);
+struct tevent_req *wb_xids2sids_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ const struct unixid *xids,
+ uint32_t num_xids);
+NTSTATUS wb_xids2sids_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
+ struct dom_sid **sids);
+struct tevent_req *winbindd_xids_to_sids_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request);
+NTSTATUS winbindd_xids_to_sids_recv(struct tevent_req *req,
+ struct winbindd_response *response);
+struct tevent_req *winbindd_wins_byip_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request);
+NTSTATUS winbindd_wins_byip_recv(struct tevent_req *req,
+ struct winbindd_response *presp);
+struct tevent_req *winbindd_wins_byname_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request);
+NTSTATUS winbindd_wins_byname_recv(struct tevent_req *req,
+ struct winbindd_response *presp);
+struct tevent_req *winbindd_domain_info_send(
+ TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request);
+NTSTATUS winbindd_domain_info_recv(struct tevent_req *req,
+ struct winbindd_response *response);
+
+/* The following definitions come from winbindd/winbindd_samr.c */
+
+NTSTATUS open_internal_samr_conn(TALLOC_CTX *mem_ctx,
+ struct winbindd_domain *domain,
+ struct rpc_pipe_client **samr_pipe,
+ struct policy_handle *samr_domain_hnd);
+NTSTATUS open_internal_lsa_conn(TALLOC_CTX *mem_ctx,
+ struct rpc_pipe_client **lsa_pipe,
+ struct policy_handle *lsa_hnd);
+
+/* The following definitions come from winbindd/winbindd_irpc.c */
+NTSTATUS wb_irpc_register(void);
+
+/* The following definitions come from winbindd/winbindd_reconnect.c */
+bool reconnect_need_retry(NTSTATUS status, struct winbindd_domain *domain);
+
+/* The following definitions come from winbindd/winbindd_gpupdate.c */
+void gpupdate_init(void);
+
+/* The following comes from winbindd/winbindd_dual_srv.c */
+bool reset_cm_connection_on_error(struct winbindd_domain *domain,
+ struct dcerpc_binding_handle *b,
+ NTSTATUS status);
+
+#endif /* _WINBINDD_PROTO_H_ */
diff --git a/source3/winbindd/winbindd_reconnect.c b/source3/winbindd/winbindd_reconnect.c
new file mode 100644
index 0000000..508ac75
--- /dev/null
+++ b/source3/winbindd/winbindd_reconnect.c
@@ -0,0 +1,325 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ Wrapper around winbindd_rpc.c to centralize retry logic.
+
+ Copyright (C) Volker Lendecke 2005
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "winbindd.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_WINBIND
+
+extern struct winbindd_methods msrpc_methods;
+
+bool reconnect_need_retry(NTSTATUS status, struct winbindd_domain *domain)
+{
+ if (NT_STATUS_IS_OK(status)) {
+ return false;
+ }
+
+ if (!NT_STATUS_IS_ERR(status)) {
+ return false;
+ }
+
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)) {
+ return false;
+ }
+
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
+ return false;
+ }
+
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_GROUP)) {
+ return false;
+ }
+
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_ALIAS)) {
+ return false;
+ }
+
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_MEMBER)) {
+ return false;
+ }
+
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_DOMAIN)) {
+ return false;
+ }
+
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_PRIVILEGE)) {
+ return false;
+ }
+
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NO_MEMORY)) {
+ return false;
+ }
+
+ reset_cm_connection_on_error(domain, NULL, status);
+
+ return true;
+}
+
+/* List all users */
+static NTSTATUS query_user_list(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ uint32_t **rids)
+{
+ NTSTATUS result;
+
+ result = msrpc_methods.query_user_list(domain, mem_ctx, rids);
+
+ if (reconnect_need_retry(result, domain))
+ result = msrpc_methods.query_user_list(domain, mem_ctx, rids);
+
+ return result;
+}
+
+/* list all domain groups */
+static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ uint32_t *num_entries,
+ struct wb_acct_info **info)
+{
+ NTSTATUS result;
+
+ result = msrpc_methods.enum_dom_groups(domain, mem_ctx,
+ num_entries, info);
+
+ if (reconnect_need_retry(result, domain))
+ result = msrpc_methods.enum_dom_groups(domain, mem_ctx,
+ num_entries, info);
+ return result;
+}
+
+/* List all domain groups */
+
+static NTSTATUS enum_local_groups(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ uint32_t *num_entries,
+ struct wb_acct_info **info)
+{
+ NTSTATUS result;
+
+ result = msrpc_methods.enum_local_groups(domain, mem_ctx,
+ num_entries, info);
+
+ if (reconnect_need_retry(result, domain))
+ result = msrpc_methods.enum_local_groups(domain, mem_ctx,
+ num_entries, info);
+
+ return result;
+}
+
+/* convert a single name to a sid in a domain */
+static NTSTATUS name_to_sid(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ const char *domain_name,
+ const char *name,
+ uint32_t flags,
+ const char **pdom_name,
+ struct dom_sid *sid,
+ enum lsa_SidType *type)
+{
+ NTSTATUS result;
+
+ result = msrpc_methods.name_to_sid(domain, mem_ctx, domain_name, name,
+ flags, pdom_name, sid, type);
+
+ if (reconnect_need_retry(result, domain))
+ result = msrpc_methods.name_to_sid(domain, mem_ctx,
+ domain_name, name, flags,
+ pdom_name, sid, type);
+
+ return result;
+}
+
+/*
+ convert a domain SID to a user or group name
+*/
+static NTSTATUS sid_to_name(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ const struct dom_sid *sid,
+ char **domain_name,
+ char **name,
+ enum lsa_SidType *type)
+{
+ NTSTATUS result;
+
+ result = msrpc_methods.sid_to_name(domain, mem_ctx, sid,
+ domain_name, name, type);
+
+ if (reconnect_need_retry(result, domain))
+ result = msrpc_methods.sid_to_name(domain, mem_ctx, sid,
+ domain_name, name, type);
+
+ return result;
+}
+
+static NTSTATUS rids_to_names(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ const struct dom_sid *sid,
+ uint32_t *rids,
+ size_t num_rids,
+ char **domain_name,
+ char ***names,
+ enum lsa_SidType **types)
+{
+ NTSTATUS result;
+
+ result = msrpc_methods.rids_to_names(domain, mem_ctx, sid,
+ rids, num_rids,
+ domain_name, names, types);
+ if (reconnect_need_retry(result, domain)) {
+ result = msrpc_methods.rids_to_names(domain, mem_ctx, sid,
+ rids, num_rids,
+ domain_name, names,
+ types);
+ }
+
+ return result;
+}
+
+/* Lookup groups a user is a member of. I wish Unix had a call like this! */
+static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ const struct dom_sid *user_sid,
+ uint32_t *num_groups, struct dom_sid **user_gids)
+{
+ NTSTATUS result;
+
+ result = msrpc_methods.lookup_usergroups(domain, mem_ctx,
+ user_sid, num_groups,
+ user_gids);
+
+ if (reconnect_need_retry(result, domain))
+ result = msrpc_methods.lookup_usergroups(domain, mem_ctx,
+ user_sid, num_groups,
+ user_gids);
+
+ return result;
+}
+
+static NTSTATUS lookup_useraliases(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ uint32_t num_sids, const struct dom_sid *sids,
+ uint32_t *num_aliases, uint32_t **alias_rids)
+{
+ NTSTATUS result;
+
+ result = msrpc_methods.lookup_useraliases(domain, mem_ctx,
+ num_sids, sids,
+ num_aliases,
+ alias_rids);
+
+ if (reconnect_need_retry(result, domain))
+ result = msrpc_methods.lookup_useraliases(domain, mem_ctx,
+ num_sids, sids,
+ num_aliases,
+ alias_rids);
+
+ return result;
+}
+
+/* Lookup group membership given a rid. */
+static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ const struct dom_sid *group_sid,
+ enum lsa_SidType type,
+ uint32_t *num_names,
+ struct dom_sid **sid_mem, char ***names,
+ uint32_t **name_types)
+{
+ NTSTATUS result;
+
+ result = msrpc_methods.lookup_groupmem(domain, mem_ctx,
+ group_sid, type, num_names,
+ sid_mem, names,
+ name_types);
+
+ if (reconnect_need_retry(result, domain))
+ result = msrpc_methods.lookup_groupmem(domain, mem_ctx,
+ group_sid, type,
+ num_names,
+ sid_mem, names,
+ name_types);
+
+ return result;
+}
+
+/* find the lockout policy of a domain */
+static NTSTATUS lockout_policy(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ struct samr_DomInfo12 *policy)
+{
+ NTSTATUS result;
+
+ result = msrpc_methods.lockout_policy(domain, mem_ctx, policy);
+
+ if (reconnect_need_retry(result, domain))
+ result = msrpc_methods.lockout_policy(domain, mem_ctx, policy);
+
+ return result;
+}
+
+/* find the password policy of a domain */
+static NTSTATUS password_policy(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ struct samr_DomInfo1 *policy)
+{
+ NTSTATUS result;
+
+ result = msrpc_methods.password_policy(domain, mem_ctx, policy);
+
+ if (reconnect_need_retry(result, domain))
+ result = msrpc_methods.password_policy(domain, mem_ctx, policy);
+
+ return result;
+}
+
+/* get a list of trusted domains */
+static NTSTATUS trusted_domains(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ struct netr_DomainTrustList *trusts)
+{
+ NTSTATUS result;
+
+ result = msrpc_methods.trusted_domains(domain, mem_ctx, trusts);
+
+ if (reconnect_need_retry(result, domain))
+ result = msrpc_methods.trusted_domains(domain, mem_ctx,
+ trusts);
+
+ return result;
+}
+
+/* the rpc backend methods are exposed via this structure */
+struct winbindd_methods reconnect_methods = {
+ False,
+ query_user_list,
+ enum_dom_groups,
+ enum_local_groups,
+ name_to_sid,
+ sid_to_name,
+ rids_to_names,
+ lookup_usergroups,
+ lookup_useraliases,
+ lookup_groupmem,
+ lockout_policy,
+ password_policy,
+ trusted_domains,
+};
diff --git a/source3/winbindd/winbindd_reconnect_ads.c b/source3/winbindd/winbindd_reconnect_ads.c
new file mode 100644
index 0000000..dbea90c
--- /dev/null
+++ b/source3/winbindd/winbindd_reconnect_ads.c
@@ -0,0 +1,334 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ Wrapper around winbindd_ads.c to centralize retry logic.
+ Copyright (C) Christof Schmitt 2016
+
+ Based on winbindd_reconnect.c
+ Copyright (C) Volker Lendecke 2005
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "winbindd.h"
+
+#ifdef HAVE_ADS
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_WINBIND
+
+extern struct winbindd_methods ads_methods;
+
+static bool ldap_reconnect_need_retry(NTSTATUS status,
+ struct winbindd_domain *domain)
+{
+ if (NT_STATUS_IS_OK(status)) {
+ return false;
+ }
+
+ if (!NT_STATUS_IS_ERR(status)) {
+ return false;
+ }
+
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)) {
+ return false;
+ }
+
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
+ return false;
+ }
+
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_GROUP)) {
+ return false;
+ }
+
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_ALIAS)) {
+ return false;
+ }
+
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_MEMBER)) {
+ return false;
+ }
+
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_DOMAIN)) {
+ return false;
+ }
+
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_PRIVILEGE)) {
+ return false;
+ }
+
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NO_MEMORY)) {
+ return false;
+ }
+
+ return true;
+}
+
+/* List all users */
+static NTSTATUS query_user_list(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ uint32_t **rids)
+{
+ NTSTATUS result;
+
+ result = ads_methods.query_user_list(domain, mem_ctx, rids);
+
+ if (ldap_reconnect_need_retry(result, domain)) {
+ result = ads_methods.query_user_list(domain, mem_ctx, rids);
+ }
+
+ return result;
+}
+
+/* list all domain groups */
+static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ uint32_t *num_entries,
+ struct wb_acct_info **info)
+{
+ NTSTATUS result;
+
+ result = ads_methods.enum_dom_groups(domain, mem_ctx,
+ num_entries, info);
+
+ if (ldap_reconnect_need_retry(result, domain)) {
+ result = ads_methods.enum_dom_groups(domain, mem_ctx,
+ num_entries, info);
+ }
+
+ return result;
+}
+
+/* List all domain groups */
+static NTSTATUS enum_local_groups(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ uint32_t *num_entries,
+ struct wb_acct_info **info)
+{
+ NTSTATUS result;
+
+ result = ads_methods.enum_local_groups(domain, mem_ctx,
+ num_entries, info);
+
+ if (ldap_reconnect_need_retry(result, domain)) {
+ result = ads_methods.enum_local_groups(domain, mem_ctx,
+ num_entries, info);
+ }
+
+ return result;
+}
+
+/* convert a single name to a sid in a domain */
+static NTSTATUS name_to_sid(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ const char *domain_name,
+ const char *name,
+ uint32_t flags,
+ const char **pdom_name,
+ struct dom_sid *sid,
+ enum lsa_SidType *type)
+{
+ NTSTATUS result;
+
+ result = ads_methods.name_to_sid(domain, mem_ctx, domain_name, name,
+ flags, pdom_name, sid, type);
+
+ if (reconnect_need_retry(result, domain)) {
+ result = ads_methods.name_to_sid(domain, mem_ctx,
+ domain_name, name, flags,
+ pdom_name, sid, type);
+ }
+
+ return result;
+}
+
+/*
+ convert a domain SID to a user or group name
+*/
+static NTSTATUS sid_to_name(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ const struct dom_sid *sid,
+ char **domain_name,
+ char **name,
+ enum lsa_SidType *type)
+{
+ NTSTATUS result;
+
+ result = ads_methods.sid_to_name(domain, mem_ctx, sid,
+ domain_name, name, type);
+
+ if (reconnect_need_retry(result, domain))
+ result = ads_methods.sid_to_name(domain, mem_ctx, sid,
+ domain_name, name, type);
+
+ return result;
+}
+
+static NTSTATUS rids_to_names(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ const struct dom_sid *sid,
+ uint32_t *rids,
+ size_t num_rids,
+ char **domain_name,
+ char ***names,
+ enum lsa_SidType **types)
+{
+ NTSTATUS result;
+
+ result = ads_methods.rids_to_names(domain, mem_ctx, sid,
+ rids, num_rids,
+ domain_name, names, types);
+ if (reconnect_need_retry(result, domain)) {
+ result = ads_methods.rids_to_names(domain, mem_ctx, sid,
+ rids, num_rids, domain_name,
+ names, types);
+ }
+
+ return result;
+}
+
+/* Lookup groups a user is a member of. I wish Unix had a call like this! */
+static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ const struct dom_sid *user_sid,
+ uint32_t *num_groups,
+ struct dom_sid **user_gids)
+{
+ NTSTATUS result;
+
+ result = ads_methods.lookup_usergroups(domain, mem_ctx, user_sid,
+ num_groups, user_gids);
+
+ if (ldap_reconnect_need_retry(result, domain)) {
+ result = ads_methods.lookup_usergroups(domain, mem_ctx,
+ user_sid, num_groups,
+ user_gids);
+ }
+
+ return result;
+}
+
+static NTSTATUS lookup_useraliases(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ uint32_t num_sids,
+ const struct dom_sid *sids,
+ uint32_t *num_aliases, uint32_t **alias_rids)
+{
+ NTSTATUS result;
+
+ result = ads_methods.lookup_useraliases(domain, mem_ctx, num_sids, sids,
+ num_aliases, alias_rids);
+
+ if (reconnect_need_retry(result, domain)) {
+ result = ads_methods.lookup_useraliases(domain, mem_ctx,
+ num_sids, sids,
+ num_aliases,
+ alias_rids);
+ }
+
+ return result;
+}
+
+/* Lookup group membership given a rid. */
+static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ const struct dom_sid *group_sid,
+ enum lsa_SidType type,
+ uint32_t *num_names,
+ struct dom_sid **sid_mem, char ***names,
+ uint32_t **name_types)
+{
+ NTSTATUS result;
+
+ result = ads_methods.lookup_groupmem(domain, mem_ctx, group_sid, type,
+ num_names, sid_mem, names,
+ name_types);
+
+ if (ldap_reconnect_need_retry(result, domain)) {
+ result = ads_methods.lookup_groupmem(domain, mem_ctx, group_sid,
+ type, num_names, sid_mem,
+ names, name_types);
+ }
+
+ return result;
+}
+
+/* find the lockout policy of a domain */
+static NTSTATUS lockout_policy(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ struct samr_DomInfo12 *policy)
+{
+ NTSTATUS result;
+
+ result = ads_methods.lockout_policy(domain, mem_ctx, policy);
+
+ if (reconnect_need_retry(result, domain)) {
+ result = ads_methods.lockout_policy(domain, mem_ctx, policy);
+ }
+
+ return result;
+}
+
+/* find the password policy of a domain */
+static NTSTATUS password_policy(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ struct samr_DomInfo1 *policy)
+{
+ NTSTATUS result;
+
+ result = ads_methods.password_policy(domain, mem_ctx, policy);
+
+ if (reconnect_need_retry(result, domain)) {
+ result = ads_methods.password_policy(domain, mem_ctx, policy);
+ }
+
+ return result;
+}
+
+/* get a list of trusted domains */
+static NTSTATUS trusted_domains(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ struct netr_DomainTrustList *trusts)
+{
+ NTSTATUS result;
+
+ result = ads_methods.trusted_domains(domain, mem_ctx, trusts);
+
+ if (reconnect_need_retry(result, domain)) {
+ result = ads_methods.trusted_domains(domain, mem_ctx, trusts);
+ }
+
+ return result;
+}
+
+/* the rpc backend methods are exposed via this structure */
+struct winbindd_methods reconnect_ads_methods = {
+ true,
+ query_user_list,
+ enum_dom_groups,
+ enum_local_groups,
+ name_to_sid,
+ sid_to_name,
+ rids_to_names,
+ lookup_usergroups,
+ lookup_useraliases,
+ lookup_groupmem,
+ lockout_policy,
+ password_policy,
+ trusted_domains,
+};
+
+#endif
diff --git a/source3/winbindd/winbindd_rpc.c b/source3/winbindd/winbindd_rpc.c
new file mode 100644
index 0000000..d1c2f05
--- /dev/null
+++ b/source3/winbindd/winbindd_rpc.c
@@ -0,0 +1,822 @@
+/*
+ * Unix SMB/CIFS implementation.
+ *
+ * Winbind rpc backend functions
+ *
+ * Copyright (c) 2000-2003 Tim Potter
+ * Copyright (c) 2001 Andrew Tridgell
+ * Copyright (c) 2005 Volker Lendecke
+ * Copyright (c) 2008 Guenther Deschner (pidl conversion)
+ * Copyright (c) 2010 Andreas Schneider <asn@samba.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "includes.h"
+#include "winbindd.h"
+#include "winbindd_rpc.h"
+#include "rpc_client/rpc_client.h"
+#include "librpc/gen_ndr/ndr_samr_c.h"
+#include "librpc/gen_ndr/ndr_lsa_c.h"
+#include "rpc_client/cli_samr.h"
+#include "rpc_client/cli_lsarpc.h"
+#include "../libcli/security/security.h"
+#include "lsa.h"
+
+/* Query display info for a domain */
+NTSTATUS rpc_query_user_list(TALLOC_CTX *mem_ctx,
+ struct rpc_pipe_client *samr_pipe,
+ struct policy_handle *samr_policy,
+ const struct dom_sid *domain_sid,
+ uint32_t **prids)
+{
+ struct dcerpc_binding_handle *b = samr_pipe->binding_handle;
+ uint32_t *rids = NULL;
+ uint32_t num_rids = 0;
+ uint32_t i = 0;
+ uint32_t resume_handle = 0;
+ NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
+ NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
+ TALLOC_CTX *tmp_ctx;
+
+ *prids = NULL;
+
+ tmp_ctx = talloc_stackframe();
+ if (tmp_ctx == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ do {
+ struct samr_SamArray *sam_array = NULL;
+ uint32_t count = 0;
+ uint32_t *tmp;
+
+ status = dcerpc_samr_EnumDomainUsers(
+ b, tmp_ctx, samr_policy, &resume_handle,
+ ACB_NORMAL, &sam_array, 0xffff, &count, &result);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto done;
+ }
+ if (!NT_STATUS_IS_OK(result)) {
+ if (!NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES)) {
+ DBG_WARNING("EnumDomainUsers failed: %s\n",
+ nt_errstr(result));
+ status = result;
+ goto done;
+ }
+ }
+
+ if (num_rids + count < num_rids) {
+ status = NT_STATUS_INTEGER_OVERFLOW;
+ goto done;
+ }
+
+ tmp = talloc_realloc(tmp_ctx, rids, uint32_t, num_rids+count);
+ if (tmp == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
+ rids = tmp;
+
+ for (i=0; i<count; i++) {
+ rids[num_rids++] = sam_array->entries[i].idx;
+ }
+
+ TALLOC_FREE(sam_array);
+ } while (NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES));
+
+ *prids = talloc_steal(mem_ctx, rids);
+ status = NT_STATUS_OK;
+
+done:
+ TALLOC_FREE(tmp_ctx);
+ return status;
+}
+
+/* List all domain groups */
+NTSTATUS rpc_enum_dom_groups(TALLOC_CTX *mem_ctx,
+ struct rpc_pipe_client *samr_pipe,
+ struct policy_handle *samr_policy,
+ uint32_t *pnum_info,
+ struct wb_acct_info **pinfo)
+{
+ struct wb_acct_info *info = NULL;
+ uint32_t start = 0;
+ uint32_t num_info = 0;
+ NTSTATUS status, result;
+ struct dcerpc_binding_handle *b = samr_pipe->binding_handle;
+
+ *pnum_info = 0;
+
+ do {
+ struct samr_SamArray *sam_array = NULL;
+ uint32_t count = 0;
+ uint32_t g;
+
+ /* start is updated by this call. */
+ status = dcerpc_samr_EnumDomainGroups(b,
+ mem_ctx,
+ samr_policy,
+ &start,
+ &sam_array,
+ 0xFFFF, /* buffer size? */
+ &count,
+ &result);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ if (!NT_STATUS_IS_OK(result)) {
+ if (!NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES)) {
+ DEBUG(2,("query_user_list: failed to enum domain groups: %s\n",
+ nt_errstr(result)));
+ return result;
+ }
+ }
+
+ info = talloc_realloc(mem_ctx,
+ info,
+ struct wb_acct_info,
+ num_info + count);
+ if (info == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ for (g = 0; g < count; g++) {
+ struct wb_acct_info *i = &info[num_info + g];
+
+ i->acct_name = talloc_strdup(info,
+ sam_array->entries[g].name.string);
+ if (i->acct_name == NULL) {
+ TALLOC_FREE(info);
+ return NT_STATUS_NO_MEMORY;
+ }
+ i->acct_desc = NULL;
+ i->rid = sam_array->entries[g].idx;
+ }
+
+ num_info += count;
+ } while (NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES));
+
+ *pnum_info = num_info;
+ *pinfo = info;
+
+ return NT_STATUS_OK;
+}
+
+NTSTATUS rpc_enum_local_groups(TALLOC_CTX *mem_ctx,
+ struct rpc_pipe_client *samr_pipe,
+ struct policy_handle *samr_policy,
+ uint32_t *pnum_info,
+ struct wb_acct_info **pinfo)
+{
+ struct wb_acct_info *info = NULL;
+ uint32_t num_info = 0;
+ NTSTATUS status, result;
+ struct dcerpc_binding_handle *b = samr_pipe->binding_handle;
+
+ *pnum_info = 0;
+
+ do {
+ struct samr_SamArray *sam_array = NULL;
+ uint32_t count = 0;
+ uint32_t start = num_info;
+ uint32_t g;
+
+ status = dcerpc_samr_EnumDomainAliases(b,
+ mem_ctx,
+ samr_policy,
+ &start,
+ &sam_array,
+ 0xFFFF, /* buffer size? */
+ &count,
+ &result);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ if (!NT_STATUS_IS_OK(result)) {
+ if (!NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES)) {
+ return result;
+ }
+ }
+
+ info = talloc_realloc(mem_ctx,
+ info,
+ struct wb_acct_info,
+ num_info + count);
+ if (info == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ for (g = 0; g < count; g++) {
+ struct wb_acct_info *i = &info[num_info + g];
+
+ i->acct_name = talloc_strdup(info,
+ sam_array->entries[g].name.string);
+ if (i->acct_name == NULL) {
+ TALLOC_FREE(info);
+ return NT_STATUS_NO_MEMORY;
+ }
+ i->acct_desc = NULL;
+ i->rid = sam_array->entries[g].idx;
+ }
+
+ num_info += count;
+ } while (NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES));
+
+ *pnum_info = num_info;
+ *pinfo = info;
+
+ return NT_STATUS_OK;
+}
+
+/* Lookup groups a user is a member of. */
+NTSTATUS rpc_lookup_usergroups(TALLOC_CTX *mem_ctx,
+ struct rpc_pipe_client *samr_pipe,
+ struct policy_handle *samr_policy,
+ const struct dom_sid *domain_sid,
+ const struct dom_sid *user_sid,
+ uint32_t *pnum_groups,
+ struct dom_sid **puser_grpsids)
+{
+ struct policy_handle user_policy;
+ struct samr_RidWithAttributeArray *rid_array = NULL;
+ struct dom_sid *user_grpsids = NULL;
+ uint32_t num_groups = 0, i;
+ uint32_t user_rid;
+ NTSTATUS status, result;
+ struct dcerpc_binding_handle *b = samr_pipe->binding_handle;
+
+ if (!sid_peek_check_rid(domain_sid, user_sid, &user_rid)) {
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ /* Get user handle */
+ status = dcerpc_samr_OpenUser(b,
+ mem_ctx,
+ samr_policy,
+ SEC_FLAG_MAXIMUM_ALLOWED,
+ user_rid,
+ &user_policy,
+ &result);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ if (!NT_STATUS_IS_OK(result)) {
+ return result;
+ }
+
+ /* Query user rids */
+ status = dcerpc_samr_GetGroupsForUser(b,
+ mem_ctx,
+ &user_policy,
+ &rid_array,
+ &result);
+ {
+ NTSTATUS _result;
+ dcerpc_samr_Close(b, mem_ctx, &user_policy, &_result);
+ }
+
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ if (!NT_STATUS_IS_OK(result)) {
+ return result;
+ }
+
+ num_groups = rid_array->count;
+
+ user_grpsids = talloc_array(mem_ctx, struct dom_sid, num_groups);
+ if (user_grpsids == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ return status;
+ }
+
+ for (i = 0; i < num_groups; i++) {
+ sid_compose(&(user_grpsids[i]), domain_sid,
+ rid_array->rids[i].rid);
+ }
+
+ *pnum_groups = num_groups;
+
+ *puser_grpsids = user_grpsids;
+
+ return NT_STATUS_OK;
+}
+
+NTSTATUS rpc_lookup_useraliases(TALLOC_CTX *mem_ctx,
+ struct rpc_pipe_client *samr_pipe,
+ struct policy_handle *samr_policy,
+ uint32_t num_sids,
+ const struct dom_sid *sids,
+ uint32_t *pnum_aliases,
+ uint32_t **palias_rids)
+{
+#define MAX_SAM_ENTRIES_W2K 0x400 /* 1024 */
+ uint32_t num_query_sids = 0;
+ uint32_t num_queries = 1;
+ uint32_t num_aliases = 0;
+ uint32_t total_sids = 0;
+ uint32_t *alias_rids = NULL;
+ uint32_t rangesize = MAX_SAM_ENTRIES_W2K;
+ uint32_t i;
+ struct samr_Ids alias_rids_query;
+ NTSTATUS status, result;
+ struct dcerpc_binding_handle *b = samr_pipe->binding_handle;
+
+ do {
+ /* prepare query */
+ struct lsa_SidArray sid_array;
+
+ ZERO_STRUCT(sid_array);
+
+ num_query_sids = MIN(num_sids - total_sids, rangesize);
+
+ DEBUG(10,("rpc: lookup_useraliases: entering query %d for %d sids\n",
+ num_queries, num_query_sids));
+
+ if (num_query_sids) {
+ sid_array.sids = talloc_zero_array(mem_ctx, struct lsa_SidPtr, num_query_sids);
+ if (sid_array.sids == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ } else {
+ sid_array.sids = NULL;
+ }
+
+ for (i = 0; i < num_query_sids; i++) {
+ sid_array.sids[i].sid = dom_sid_dup(mem_ctx, &sids[total_sids++]);
+ if (sid_array.sids[i].sid == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
+ sid_array.num_sids = num_query_sids;
+
+ /* do request */
+ status = dcerpc_samr_GetAliasMembership(b,
+ mem_ctx,
+ samr_policy,
+ &sid_array,
+ &alias_rids_query,
+ &result);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ if (!NT_STATUS_IS_OK(result)) {
+ return result;
+ }
+
+ /* process output */
+ for (i = 0; i < alias_rids_query.count; i++) {
+ size_t na = num_aliases;
+
+ if (!add_rid_to_array_unique(mem_ctx,
+ alias_rids_query.ids[i],
+ &alias_rids,
+ &na)) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ num_aliases = na;
+ }
+
+ num_queries++;
+
+ } while (total_sids < num_sids);
+
+ DEBUG(10,("rpc: rpc_lookup_useraliases: got %d aliases in %d queries "
+ "(rangesize: %d)\n", num_aliases, num_queries, rangesize));
+
+ *pnum_aliases = num_aliases;
+ *palias_rids = alias_rids;
+
+ return NT_STATUS_OK;
+#undef MAX_SAM_ENTRIES_W2K
+}
+
+/* Lookup group membership given a rid. */
+NTSTATUS rpc_lookup_groupmem(TALLOC_CTX *mem_ctx,
+ struct rpc_pipe_client *samr_pipe,
+ struct policy_handle *samr_policy,
+ const char *domain_name,
+ const struct dom_sid *domain_sid,
+ const struct dom_sid *group_sid,
+ enum lsa_SidType type,
+ uint32_t *pnum_names,
+ struct dom_sid **psid_mem,
+ char ***pnames,
+ uint32_t **pname_types)
+{
+ struct policy_handle group_policy;
+ uint32_t group_rid;
+ uint32_t *rid_mem = NULL;
+
+ uint32_t num_names = 0;
+ uint32_t total_names = 0;
+ struct dom_sid *sid_mem = NULL;
+ char **names = NULL;
+ uint32_t *name_types = NULL;
+
+ struct lsa_Strings tmp_names;
+ struct samr_Ids tmp_types;
+
+ uint32_t j, r;
+ NTSTATUS status, result;
+ struct dcerpc_binding_handle *b = samr_pipe->binding_handle;
+
+ if (!sid_peek_check_rid(domain_sid, group_sid, &group_rid)) {
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ switch(type) {
+ case SID_NAME_DOM_GRP:
+ {
+ struct samr_RidAttrArray *rids = NULL;
+
+ status = dcerpc_samr_OpenGroup(b,
+ mem_ctx,
+ samr_policy,
+ SEC_FLAG_MAXIMUM_ALLOWED,
+ group_rid,
+ &group_policy,
+ &result);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ if (!NT_STATUS_IS_OK(result)) {
+ return result;
+ }
+
+ /*
+ * Step #1: Get a list of user rids that are the members of the group.
+ */
+ status = dcerpc_samr_QueryGroupMember(b,
+ mem_ctx,
+ &group_policy,
+ &rids,
+ &result);
+ {
+ NTSTATUS _result;
+ dcerpc_samr_Close(b, mem_ctx, &group_policy, &_result);
+ }
+
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ if (!NT_STATUS_IS_OK(result)) {
+ return result;
+ }
+
+
+ if (rids == NULL || rids->count == 0) {
+ pnum_names = 0;
+ pnames = NULL;
+ pname_types = NULL;
+ psid_mem = NULL;
+
+ return NT_STATUS_OK;
+ }
+
+ num_names = rids->count;
+ rid_mem = rids->rids;
+
+ break;
+ }
+ case SID_NAME_WKN_GRP:
+ case SID_NAME_ALIAS:
+ {
+ struct lsa_SidArray sid_array;
+ struct lsa_SidPtr sid_ptr;
+ struct samr_Ids rids_query;
+
+ sid_ptr.sid = dom_sid_dup(mem_ctx, group_sid);
+ if (sid_ptr.sid == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ sid_array.num_sids = 1;
+ sid_array.sids = &sid_ptr;
+
+ status = dcerpc_samr_GetAliasMembership(b,
+ mem_ctx,
+ samr_policy,
+ &sid_array,
+ &rids_query,
+ &result);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ if (!NT_STATUS_IS_OK(result)) {
+ return result;
+ }
+
+ if (rids_query.count == 0) {
+ pnum_names = 0;
+ pnames = NULL;
+ pname_types = NULL;
+ psid_mem = NULL;
+
+ return NT_STATUS_OK;
+ }
+
+ num_names = rids_query.count;
+ rid_mem = rids_query.ids;
+
+ break;
+ }
+ default:
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ /*
+ * Step #2: Convert list of rids into list of usernames.
+ */
+ if (num_names > 0) {
+ names = talloc_zero_array(mem_ctx, char *, num_names);
+ name_types = talloc_zero_array(mem_ctx, uint32_t, num_names);
+ sid_mem = talloc_zero_array(mem_ctx, struct dom_sid, num_names);
+ if (names == NULL || name_types == NULL || sid_mem == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
+
+ for (j = 0; j < num_names; j++) {
+ sid_compose(&sid_mem[j], domain_sid, rid_mem[j]);
+ }
+
+ status = dcerpc_samr_LookupRids(b,
+ mem_ctx,
+ samr_policy,
+ num_names,
+ rid_mem,
+ &tmp_names,
+ &tmp_types,
+ &result);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ if (!NT_STATUS_IS_OK(result)) {
+ if (!NT_STATUS_EQUAL(result, STATUS_SOME_UNMAPPED)) {
+ return result;
+ }
+ }
+
+ /* Copy result into array. The talloc system will take
+ care of freeing the temporary arrays later on. */
+ if (tmp_names.count != num_names) {
+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
+ }
+ if (tmp_types.count != num_names) {
+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
+ }
+
+ for (r = 0; r < tmp_names.count; r++) {
+ if (tmp_types.ids[r] == SID_NAME_UNKNOWN) {
+ continue;
+ }
+ if (total_names >= num_names) {
+ break;
+ }
+ names[total_names] = fill_domain_username_talloc(names,
+ domain_name,
+ tmp_names.names[r].string,
+ true);
+ if (names[total_names] == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ name_types[total_names] = tmp_types.ids[r];
+ total_names++;
+ }
+
+ *pnum_names = total_names;
+ *pnames = names;
+ *pname_types = name_types;
+ *psid_mem = sid_mem;
+
+ return NT_STATUS_OK;
+}
+
+/* Get a list of trusted domains */
+NTSTATUS rpc_trusted_domains(TALLOC_CTX *mem_ctx,
+ struct rpc_pipe_client *lsa_pipe,
+ struct policy_handle *lsa_policy,
+ uint32_t *pnum_trusts,
+ struct netr_DomainTrust **ptrusts)
+{
+ struct netr_DomainTrust *array = NULL;
+ uint32_t enum_ctx = 0;
+ uint32_t count = 0;
+ NTSTATUS status, result;
+ struct dcerpc_binding_handle *b = lsa_pipe->binding_handle;
+
+ do {
+ struct lsa_DomainList dom_list;
+ struct lsa_DomainListEx dom_list_ex;
+ bool has_ex = false;
+ uint32_t i;
+
+ /*
+ * We don't run into deadlocks here, cause winbind_off() is
+ * called in the main function.
+ */
+ status = dcerpc_lsa_EnumTrustedDomainsEx(b,
+ mem_ctx,
+ lsa_policy,
+ &enum_ctx,
+ &dom_list_ex,
+ (uint32_t) -1,
+ &result);
+ if (NT_STATUS_IS_OK(status) && !NT_STATUS_IS_ERR(result) &&
+ dom_list_ex.count > 0) {
+ count += dom_list_ex.count;
+ has_ex = true;
+ } else {
+ status = dcerpc_lsa_EnumTrustDom(b,
+ mem_ctx,
+ lsa_policy,
+ &enum_ctx,
+ &dom_list,
+ (uint32_t) -1,
+ &result);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ if (!NT_STATUS_IS_OK(result)) {
+ if (!NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES)) {
+ return result;
+ }
+ }
+
+ count += dom_list.count;
+ }
+
+ array = talloc_realloc(mem_ctx,
+ array,
+ struct netr_DomainTrust,
+ count);
+ if (array == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ for (i = 0; i < count; i++) {
+ struct netr_DomainTrust *trust = &array[i];
+ struct dom_sid *sid;
+
+ ZERO_STRUCTP(trust);
+
+ sid = talloc(array, struct dom_sid);
+ if (sid == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if (dom_list_ex.domains[i].sid == NULL) {
+ DBG_ERR("Trusted domain %s has no SID, "
+ "skipping!\n",
+ trust->dns_name);
+ continue;
+ }
+
+ if (has_ex) {
+ trust->netbios_name = talloc_move(array,
+ &dom_list_ex.domains[i].netbios_name.string);
+ trust->dns_name = talloc_move(array,
+ &dom_list_ex.domains[i].domain_name.string);
+ sid_copy(sid, dom_list_ex.domains[i].sid);
+ } else {
+ trust->netbios_name = talloc_move(array,
+ &dom_list.domains[i].name.string);
+ trust->dns_name = NULL;
+
+ sid_copy(sid, dom_list.domains[i].sid);
+ }
+
+ trust->sid = sid;
+ }
+ } while (NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES));
+
+ *pnum_trusts = count;
+ *ptrusts = array;
+
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS rpc_try_lookup_sids3(TALLOC_CTX *mem_ctx,
+ struct winbindd_domain *domain,
+ struct rpc_pipe_client *cli,
+ struct lsa_SidArray *sids,
+ struct lsa_RefDomainList **pdomains,
+ struct lsa_TransNameArray **pnames)
+{
+ struct lsa_TransNameArray2 lsa_names2;
+ struct lsa_TransNameArray *names = *pnames;
+ uint32_t i, count = 0;
+ NTSTATUS status, result;
+
+ ZERO_STRUCT(lsa_names2);
+ status = dcerpc_lsa_LookupSids3(cli->binding_handle,
+ mem_ctx,
+ sids,
+ pdomains,
+ &lsa_names2,
+ LSA_LOOKUP_NAMES_ALL,
+ &count,
+ LSA_LOOKUP_OPTION_SEARCH_ISOLATED_NAMES,
+ LSA_CLIENT_REVISION_2,
+ &result);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ if (NT_STATUS_LOOKUP_ERR(result)) {
+ return result;
+ }
+ if (sids->num_sids != lsa_names2.count) {
+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
+ }
+
+ names->count = lsa_names2.count;
+ names->names = talloc_array(names, struct lsa_TranslatedName,
+ names->count);
+ if (names->names == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ for (i=0; i<names->count; i++) {
+ names->names[i].sid_type = lsa_names2.names[i].sid_type;
+ names->names[i].name.string = talloc_move(
+ names->names, &lsa_names2.names[i].name.string);
+ names->names[i].sid_index = lsa_names2.names[i].sid_index;
+
+ if (names->names[i].sid_index == UINT32_MAX) {
+ continue;
+ }
+ if ((*pdomains) == NULL) {
+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
+ }
+ if (names->names[i].sid_index >= (*pdomains)->count) {
+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
+ }
+ }
+ return NT_STATUS_OK;
+}
+
+NTSTATUS rpc_lookup_sids(TALLOC_CTX *mem_ctx,
+ struct winbindd_domain *domain,
+ struct lsa_SidArray *sids,
+ struct lsa_RefDomainList **pdomains,
+ struct lsa_TransNameArray **pnames)
+{
+ struct lsa_TransNameArray *names = *pnames;
+ struct rpc_pipe_client *cli = NULL;
+ struct policy_handle lsa_policy;
+ uint32_t count;
+ uint32_t i;
+ NTSTATUS status, result;
+
+ status = cm_connect_lsat(domain, mem_ctx, &cli, &lsa_policy);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ if (cli->transport->transport == NCACN_IP_TCP) {
+ return rpc_try_lookup_sids3(mem_ctx, domain, cli, sids,
+ pdomains, pnames);
+ }
+
+ status = dcerpc_lsa_LookupSids(cli->binding_handle, mem_ctx,
+ &lsa_policy, sids, pdomains,
+ names, LSA_LOOKUP_NAMES_ALL,
+ &count, &result);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ if (NT_STATUS_LOOKUP_ERR(result)) {
+ return result;
+ }
+
+ if (sids->num_sids != names->count) {
+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
+ }
+
+ for (i=0; i < names->count; i++) {
+ if (names->names[i].sid_index == UINT32_MAX) {
+ continue;
+ }
+ if ((*pdomains) == NULL) {
+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
+ }
+ if (names->names[i].sid_index >= (*pdomains)->count) {
+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
+ }
+ }
+
+ return NT_STATUS_OK;
+}
diff --git a/source3/winbindd/winbindd_rpc.h b/source3/winbindd/winbindd_rpc.h
new file mode 100644
index 0000000..67d4ac6
--- /dev/null
+++ b/source3/winbindd/winbindd_rpc.h
@@ -0,0 +1,86 @@
+/*
+ * Unix SMB/CIFS implementation.
+ *
+ * Winbind rpc backend functions
+ *
+ * Copyright (c) 2000-2003 Tim Potter
+ * Copyright (c) 2001 Andrew Tridgell
+ * Copyright (c) 2005 Volker Lendecke
+ * Copyright (c) 2008 Guenther Deschner (pidl conversion)
+ * Copyright (c) 2010 Andreas Schneider <asn@samba.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef _WINBINDD_RPC_H_
+#define _WINBINDD_RPC_H_
+
+/* Query display info for a domain */
+NTSTATUS rpc_query_user_list(TALLOC_CTX *mem_ctx,
+ struct rpc_pipe_client *samr_pipe,
+ struct policy_handle *samr_policy,
+ const struct dom_sid *domain_sid,
+ uint32_t **prids);
+
+NTSTATUS rpc_enum_dom_groups(TALLOC_CTX *mem_ctx,
+ struct rpc_pipe_client *samr_pipe,
+ struct policy_handle *sam_policy,
+ uint32_t *pnum_info,
+ struct wb_acct_info **pinfo);
+
+/* List all domain groups */
+NTSTATUS rpc_enum_local_groups(TALLOC_CTX *mem_ctx,
+ struct rpc_pipe_client *samr_pipe,
+ struct policy_handle *samr_policy,
+ uint32_t *pnum_info,
+ struct wb_acct_info **pinfo);
+
+/* Lookup groups a user is a member of. */
+NTSTATUS rpc_lookup_usergroups(TALLOC_CTX *mem_ctx,
+ struct rpc_pipe_client *samr_pipe,
+ struct policy_handle *samr_policy,
+ const struct dom_sid *domain_sid,
+ const struct dom_sid *user_sid,
+ uint32_t *pnum_groups,
+ struct dom_sid **puser_grpsids);
+
+NTSTATUS rpc_lookup_useraliases(TALLOC_CTX *mem_ctx,
+ struct rpc_pipe_client *samr_pipe,
+ struct policy_handle *samr_policy,
+ uint32_t num_sids,
+ const struct dom_sid *sids,
+ uint32_t *pnum_aliases,
+ uint32_t **palias_rids);
+
+/* Lookup group membership given a rid. */
+NTSTATUS rpc_lookup_groupmem(TALLOC_CTX *mem_ctx,
+ struct rpc_pipe_client *samr_pipe,
+ struct policy_handle *samr_policy,
+ const char *domain_name,
+ const struct dom_sid *domain_sid,
+ const struct dom_sid *group_sid,
+ enum lsa_SidType type,
+ uint32_t *pnum_names,
+ struct dom_sid **psid_mem,
+ char ***pnames,
+ uint32_t **pname_types);
+
+/* Get a list of trusted domains */
+NTSTATUS rpc_trusted_domains(TALLOC_CTX *mem_ctx,
+ struct rpc_pipe_client *lsa_pipe,
+ struct policy_handle *lsa_policy,
+ uint32_t *pnum_trusts,
+ struct netr_DomainTrust **ptrusts);
+
+#endif /* _WINBINDD_RPC_H_ */
diff --git a/source3/winbindd/winbindd_samr.c b/source3/winbindd/winbindd_samr.c
new file mode 100644
index 0000000..92dd185
--- /dev/null
+++ b/source3/winbindd/winbindd_samr.c
@@ -0,0 +1,1355 @@
+/*
+ * Unix SMB/CIFS implementation.
+ *
+ * Winbind rpc backend functions
+ *
+ * Copyright (c) 2000-2003 Tim Potter
+ * Copyright (c) 2001 Andrew Tridgell
+ * Copyright (c) 2005 Volker Lendecke
+ * Copyright (c) 2008 Guenther Deschner (pidl conversion)
+ * Copyright (c) 2010 Andreas Schneider <asn@samba.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "includes.h"
+#include "winbindd.h"
+#include "winbindd_rpc.h"
+#include "lib/util_unixsids.h"
+#include "rpc_client/rpc_client.h"
+#include "rpc_client/cli_pipe.h"
+#include "../librpc/gen_ndr/ndr_samr_c.h"
+#include "rpc_client/cli_samr.h"
+#include "../librpc/gen_ndr/ndr_lsa_c.h"
+#include "rpc_client/cli_lsarpc.h"
+#include "rpc_server/rpc_ncacn_np.h"
+#include "../libcli/security/security.h"
+#include "passdb/machine_sid.h"
+#include "auth.h"
+#include "source3/lib/global_contexts.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_WINBIND
+
+/*
+ * The other end of this won't go away easily, so we can trust it
+ *
+ * It is either a long-lived process with the same lifetime as
+ * winbindd or a part of this process
+ */
+struct winbind_internal_pipes {
+ struct tevent_timer *shutdown_timer;
+ struct rpc_pipe_client *samr_pipe;
+ struct policy_handle samr_domain_hnd;
+ struct rpc_pipe_client *lsa_pipe;
+ struct policy_handle lsa_hnd;
+};
+
+
+NTSTATUS open_internal_samr_conn(TALLOC_CTX *mem_ctx,
+ struct winbindd_domain *domain,
+ struct rpc_pipe_client **samr_pipe,
+ struct policy_handle *samr_domain_hnd)
+{
+ NTSTATUS status, result;
+ struct policy_handle samr_connect_hnd;
+ struct dcerpc_binding_handle *b;
+
+ status = wb_open_internal_pipe(mem_ctx, &ndr_table_samr, samr_pipe);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_ERR("Could not connect to %s pipe: %s\n",
+ ndr_table_samr.name, nt_errstr(status));
+ return status;
+ }
+
+ b = (*samr_pipe)->binding_handle;
+
+ status = dcerpc_samr_Connect2(b, mem_ctx,
+ (*samr_pipe)->desthost,
+ SEC_FLAG_MAXIMUM_ALLOWED,
+ &samr_connect_hnd,
+ &result);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ if (!NT_STATUS_IS_OK(result)) {
+ return result;
+ }
+
+ status = dcerpc_samr_OpenDomain(b, mem_ctx,
+ &samr_connect_hnd,
+ SEC_FLAG_MAXIMUM_ALLOWED,
+ &domain->sid,
+ samr_domain_hnd,
+ &result);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ return result;
+}
+
+NTSTATUS open_internal_lsa_conn(TALLOC_CTX *mem_ctx,
+ struct rpc_pipe_client **lsa_pipe,
+ struct policy_handle *lsa_hnd)
+{
+ NTSTATUS status;
+
+ status = wb_open_internal_pipe(mem_ctx, &ndr_table_lsarpc, lsa_pipe);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_ERR("Could not connect to %s pipe: %s\n",
+ ndr_table_lsarpc.name, nt_errstr(status));
+ return status;
+ }
+
+ status = rpccli_lsa_open_policy((*lsa_pipe),
+ mem_ctx,
+ true,
+ SEC_FLAG_MAXIMUM_ALLOWED,
+ lsa_hnd);
+
+ return status;
+}
+
+static void cached_internal_pipe_close(
+ struct tevent_context *ev,
+ struct tevent_timer *te,
+ struct timeval current_time,
+ void *private_data)
+{
+ struct winbindd_domain *domain = talloc_get_type_abort(
+ private_data, struct winbindd_domain);
+ /*
+ * Freeing samr_pipes closes the cached pipes.
+ *
+ * We can do a hard close because at the time of this commit
+ * we only use sychronous calls to external pipes. So we can't
+ * have any outstanding requests. Also, we don't set
+ * dcerpc_binding_handle_set_sync_ev in winbind, so we don't
+ * get nested event loops. Once we start to get async in
+ * winbind children, we need to check for outstanding calls
+ */
+ TALLOC_FREE(domain->backend_data.samr_pipes);
+}
+
+static NTSTATUS open_cached_internal_pipe_conn(
+ struct winbindd_domain *domain,
+ struct rpc_pipe_client **samr_pipe,
+ struct policy_handle *samr_domain_hnd,
+ struct rpc_pipe_client **lsa_pipe,
+ struct policy_handle *lsa_hnd)
+{
+ struct winbind_internal_pipes *internal_pipes =
+ domain->backend_data.samr_pipes;
+
+ if (internal_pipes == NULL) {
+ TALLOC_CTX *frame = talloc_stackframe();
+ NTSTATUS status;
+
+ internal_pipes = talloc_zero(frame,
+ struct winbind_internal_pipes);
+
+ status = open_internal_samr_conn(
+ internal_pipes,
+ domain,
+ &internal_pipes->samr_pipe,
+ &internal_pipes->samr_domain_hnd);
+ if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(frame);
+ return status;
+ }
+
+ status = open_internal_lsa_conn(internal_pipes,
+ &internal_pipes->lsa_pipe,
+ &internal_pipes->lsa_hnd);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(frame);
+ return status;
+ }
+
+ internal_pipes->shutdown_timer = tevent_add_timer(
+ global_event_context(),
+ internal_pipes,
+ timeval_current_ofs(5, 0),
+ cached_internal_pipe_close,
+ domain);
+ if (internal_pipes->shutdown_timer == NULL) {
+ TALLOC_FREE(frame);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ domain->backend_data.samr_pipes =
+ talloc_steal(domain, internal_pipes);
+
+ TALLOC_FREE(frame);
+ }
+
+ if (samr_domain_hnd) {
+ *samr_domain_hnd = internal_pipes->samr_domain_hnd;
+ }
+
+ if (samr_pipe) {
+ *samr_pipe = internal_pipes->samr_pipe;
+ }
+
+ if (lsa_hnd) {
+ *lsa_hnd = internal_pipes->lsa_hnd;
+ }
+
+ if (lsa_pipe) {
+ *lsa_pipe = internal_pipes->lsa_pipe;
+ }
+
+ tevent_update_timer(
+ internal_pipes->shutdown_timer,
+ timeval_current_ofs(5, 0));
+
+ return NT_STATUS_OK;
+}
+
+static bool reset_connection_on_error(struct winbindd_domain *domain,
+ struct rpc_pipe_client *p,
+ NTSTATUS status)
+{
+ struct dcerpc_binding_handle *b = p->binding_handle;
+
+ if (NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) ||
+ NT_STATUS_EQUAL(status, NT_STATUS_IO_DEVICE_ERROR))
+ {
+ TALLOC_FREE(domain->backend_data.samr_pipes);
+ return true;
+ }
+
+ if (!dcerpc_binding_handle_is_connected(b)) {
+ TALLOC_FREE(domain->backend_data.samr_pipes);
+ return true;
+ }
+
+ return false;
+}
+
+/*********************************************************************
+ SAM specific functions.
+*********************************************************************/
+
+/* List all domain groups */
+static NTSTATUS sam_enum_dom_groups(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ uint32_t *pnum_info,
+ struct wb_acct_info **pinfo)
+{
+ struct rpc_pipe_client *samr_pipe;
+ struct policy_handle dom_pol = { 0 };
+ struct wb_acct_info *info = NULL;
+ uint32_t num_info = 0;
+ TALLOC_CTX *tmp_ctx = talloc_stackframe();
+ NTSTATUS status;
+ bool retry = false;
+
+ DEBUG(3,("sam_enum_dom_groups\n"));
+
+ if (pnum_info) {
+ *pnum_info = 0;
+ }
+
+again:
+ status = open_cached_internal_pipe_conn(domain,
+ &samr_pipe,
+ &dom_pol,
+ NULL,
+ NULL);
+ if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(tmp_ctx);
+ return status;
+ }
+
+ status = rpc_enum_dom_groups(tmp_ctx,
+ samr_pipe,
+ &dom_pol,
+ &num_info,
+ &info);
+
+ if (!retry && reset_connection_on_error(domain, samr_pipe, status)) {
+ retry = true;
+ goto again;
+ }
+
+ if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(tmp_ctx);
+ return status;
+ }
+
+ if (pnum_info) {
+ *pnum_info = num_info;
+ }
+
+ if (pinfo) {
+ *pinfo = talloc_move(mem_ctx, &info);
+ }
+
+ TALLOC_FREE(tmp_ctx);
+ return status;
+}
+
+/* Query display info for a domain */
+static NTSTATUS sam_query_user_list(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ uint32_t **prids)
+{
+ struct rpc_pipe_client *samr_pipe = NULL;
+ struct policy_handle dom_pol = { 0 };
+ uint32_t *rids = NULL;
+ TALLOC_CTX *tmp_ctx = talloc_stackframe();
+ NTSTATUS status;
+ bool retry = false;
+
+ DEBUG(3,("samr_query_user_list\n"));
+
+again:
+ status = open_cached_internal_pipe_conn(domain,
+ &samr_pipe,
+ &dom_pol,
+ NULL,
+ NULL);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto done;
+ }
+
+ status = rpc_query_user_list(tmp_ctx,
+ samr_pipe,
+ &dom_pol,
+ &domain->sid,
+ &rids);
+ if (!retry && reset_connection_on_error(domain, samr_pipe, status)) {
+ retry = true;
+ goto again;
+ }
+
+ if (!NT_STATUS_IS_OK(status)) {
+ goto done;
+ }
+
+ if (prids != NULL) {
+ *prids = talloc_move(mem_ctx, &rids);
+ }
+
+done:
+ TALLOC_FREE(rids);
+ TALLOC_FREE(tmp_ctx);
+ return status;
+}
+
+/* get a list of trusted domains - builtin domain */
+static NTSTATUS sam_trusted_domains(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ struct netr_DomainTrustList *ptrust_list)
+{
+ struct rpc_pipe_client *lsa_pipe;
+ struct policy_handle lsa_policy = { 0 };
+ struct netr_DomainTrust *trusts = NULL;
+ uint32_t num_trusts = 0;
+ TALLOC_CTX *tmp_ctx = talloc_stackframe();
+ NTSTATUS status;
+ bool retry = false;
+
+ DEBUG(3,("samr: trusted domains\n"));
+
+ if (ptrust_list) {
+ ZERO_STRUCTP(ptrust_list);
+ }
+
+again:
+ status = open_cached_internal_pipe_conn(domain,
+ NULL,
+ NULL,
+ &lsa_pipe,
+ &lsa_policy);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto done;
+ }
+
+ status = rpc_trusted_domains(tmp_ctx,
+ lsa_pipe,
+ &lsa_policy,
+ &num_trusts,
+ &trusts);
+
+ if (!retry && reset_connection_on_error(domain, lsa_pipe, status)) {
+ retry = true;
+ goto again;
+ }
+
+ if (!NT_STATUS_IS_OK(status)) {
+ goto done;
+ }
+
+ if (ptrust_list) {
+ ptrust_list->count = num_trusts;
+ ptrust_list->array = talloc_move(mem_ctx, &trusts);
+ }
+
+done:
+ TALLOC_FREE(tmp_ctx);
+ return status;
+}
+
+/* Lookup group membership given a rid. */
+static NTSTATUS sam_lookup_groupmem(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ const struct dom_sid *group_sid,
+ enum lsa_SidType type,
+ uint32_t *pnum_names,
+ struct dom_sid **psid_mem,
+ char ***pnames,
+ uint32_t **pname_types)
+{
+ struct rpc_pipe_client *samr_pipe;
+ struct policy_handle dom_pol = { 0 };
+
+ uint32_t num_names = 0;
+ struct dom_sid *sid_mem = NULL;
+ char **names = NULL;
+ uint32_t *name_types = NULL;
+
+ TALLOC_CTX *tmp_ctx = talloc_stackframe();
+ NTSTATUS status;
+ bool retry = false;
+
+ DEBUG(3,("sam_lookup_groupmem\n"));
+
+ /* Paranoia check */
+ if (sid_check_is_in_builtin(group_sid) && (type != SID_NAME_ALIAS)) {
+ /* There's no groups, only aliases in BUILTIN */
+ status = NT_STATUS_NO_SUCH_GROUP;
+ goto done;
+ }
+
+ if (pnum_names) {
+ *pnum_names = 0;
+ }
+
+again:
+ status = open_cached_internal_pipe_conn(domain,
+ &samr_pipe,
+ &dom_pol,
+ NULL,
+ NULL);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto done;
+ }
+
+ status = rpc_lookup_groupmem(tmp_ctx,
+ samr_pipe,
+ &dom_pol,
+ domain->name,
+ &domain->sid,
+ group_sid,
+ type,
+ &num_names,
+ &sid_mem,
+ &names,
+ &name_types);
+
+ if (!retry && reset_connection_on_error(domain, samr_pipe, status)) {
+ retry = true;
+ goto again;
+ }
+
+ if (pnum_names) {
+ *pnum_names = num_names;
+ }
+
+ if (pnames) {
+ *pnames = talloc_move(mem_ctx, &names);
+ }
+
+ if (pname_types) {
+ *pname_types = talloc_move(mem_ctx, &name_types);
+ }
+
+ if (psid_mem) {
+ *psid_mem = talloc_move(mem_ctx, &sid_mem);
+ }
+
+done:
+ TALLOC_FREE(tmp_ctx);
+ return status;
+}
+
+/*********************************************************************
+ BUILTIN specific functions.
+*********************************************************************/
+
+/* List all domain groups */
+static NTSTATUS builtin_enum_dom_groups(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ uint32_t *num_entries,
+ struct wb_acct_info **info)
+{
+ /* BUILTIN doesn't have domain groups */
+ *num_entries = 0;
+ *info = NULL;
+ return NT_STATUS_OK;
+}
+
+/* Query display info for a domain */
+static NTSTATUS builtin_query_user_list(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ uint32_t **rids)
+{
+ /* We don't have users */
+ *rids = NULL;
+ return NT_STATUS_OK;
+}
+
+/* get a list of trusted domains - builtin domain */
+static NTSTATUS builtin_trusted_domains(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ struct netr_DomainTrustList *trusts)
+{
+ ZERO_STRUCTP(trusts);
+ return NT_STATUS_OK;
+}
+
+/*********************************************************************
+ COMMON functions.
+*********************************************************************/
+
+/* List all local groups (aliases) */
+static NTSTATUS sam_enum_local_groups(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ uint32_t *pnum_info,
+ struct wb_acct_info **pinfo)
+{
+ struct rpc_pipe_client *samr_pipe;
+ struct policy_handle dom_pol = { 0 };
+ struct wb_acct_info *info = NULL;
+ uint32_t num_info = 0;
+ TALLOC_CTX *tmp_ctx = talloc_stackframe();
+ NTSTATUS status;
+ bool retry = false;
+
+ DEBUG(3,("samr: enum local groups\n"));
+
+ if (pnum_info) {
+ *pnum_info = 0;
+ }
+
+again:
+ status = open_cached_internal_pipe_conn(domain,
+ &samr_pipe,
+ &dom_pol,
+ NULL,
+ NULL);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto done;
+ }
+
+ status = rpc_enum_local_groups(mem_ctx,
+ samr_pipe,
+ &dom_pol,
+ &num_info,
+
+ &info);
+ if (!retry && reset_connection_on_error(domain, samr_pipe, status)) {
+ retry = true;
+ goto again;
+ }
+
+ if (!NT_STATUS_IS_OK(status)) {
+ goto done;
+ }
+
+ if (pnum_info) {
+ *pnum_info = num_info;
+ }
+
+ if (pinfo) {
+ *pinfo = talloc_move(mem_ctx, &info);
+ }
+
+done:
+ TALLOC_FREE(tmp_ctx);
+ return status;
+}
+
+/* convert a single name to a sid in a domain */
+static NTSTATUS sam_name_to_sid(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ const char *domain_name,
+ const char *name,
+ uint32_t flags,
+ const char **pdom_name,
+ struct dom_sid *psid,
+ enum lsa_SidType *ptype)
+{
+ struct rpc_pipe_client *samr_pipe = NULL;
+ struct dcerpc_binding_handle *h = NULL;
+ struct policy_handle dom_pol = { .handle_type = 0, };
+ struct dom_sid sid;
+ const char *dom_name = domain_name;
+ struct lsa_String lsa_name = { .string = name };
+ struct samr_Ids rids = { .count = 0 };
+ struct samr_Ids types = { .count = 0 };
+ enum lsa_SidType type;
+ TALLOC_CTX *tmp_ctx = talloc_stackframe();
+ NTSTATUS status = NT_STATUS_NONE_MAPPED;
+ NTSTATUS result;
+ bool retry = false;
+ bool ok;
+
+ DBG_NOTICE("%s\\%s\n", domain_name, name);
+
+ if (strequal(domain_name, unix_users_domain_name())) {
+ struct passwd *pwd = NULL;
+
+ if (name[0] == '\0') {
+ sid_copy(&sid, &global_sid_Unix_Users);
+ type = SID_NAME_DOMAIN;
+ goto done;
+ }
+
+ pwd = Get_Pwnam_alloc(tmp_ctx, name);
+ if (pwd == NULL) {
+ goto fail;
+ }
+ ok = sid_compose(&sid, &global_sid_Unix_Users, pwd->pw_uid);
+ if (!ok) {
+ status = NT_STATUS_INTERNAL_ERROR;
+ goto fail;
+ }
+ type = SID_NAME_USER;
+ goto done;
+ }
+
+ if (strequal(domain_name, unix_groups_domain_name())) {
+ struct group *grp = NULL;
+
+ if (name[0] == '\0') {
+ sid_copy(&sid, &global_sid_Unix_Groups);
+ type = SID_NAME_DOMAIN;
+ goto done;
+ }
+
+ grp = getgrnam(name);
+ if (grp == NULL) {
+ goto fail;
+ }
+ ok = sid_compose(&sid, &global_sid_Unix_Groups, grp->gr_gid);
+ if (!ok) {
+ status = NT_STATUS_INTERNAL_ERROR;
+ goto fail;
+ }
+ type = SID_NAME_DOM_GRP;
+ goto done;
+ }
+
+ if (name[0] == '\0') {
+ sid_copy(&sid, &domain->sid);
+ type = SID_NAME_DOMAIN;
+ goto done;
+ }
+
+ ok = lookup_wellknown_name(tmp_ctx, name, &sid, &dom_name);
+ if (ok) {
+ type = SID_NAME_WKN_GRP;
+ goto done;
+ }
+
+ {
+ char *normalized = NULL;
+ NTSTATUS nstatus = normalize_name_unmap(
+ tmp_ctx, name, &normalized);
+ if (NT_STATUS_IS_OK(nstatus) ||
+ NT_STATUS_EQUAL(nstatus, NT_STATUS_FILE_RENAMED)) {
+ lsa_name.string = normalized;
+ }
+ }
+
+again:
+ status = open_cached_internal_pipe_conn(
+ domain, &samr_pipe, &dom_pol, NULL, NULL);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto fail;
+ }
+ h = samr_pipe->binding_handle;
+
+ status = dcerpc_samr_LookupNames(
+ h, tmp_ctx, &dom_pol, 1, &lsa_name, &rids, &types, &result);
+
+ if (!retry && reset_connection_on_error(domain, samr_pipe, status)) {
+ retry = true;
+ goto again;
+ }
+
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_DEBUG("dcerpc_samr_LookupNames returned %s\n",
+ nt_errstr(status));
+ goto fail;
+ }
+ if (!NT_STATUS_IS_OK(result)) {
+ DBG_DEBUG("dcerpc_samr_LookupNames resulted in %s\n",
+ nt_errstr(status));
+ status = result;
+ goto fail;
+ }
+
+ sid_compose(&sid, &domain->sid, rids.ids[0]);
+ type = types.ids[0];
+
+done:
+ if (pdom_name != NULL) {
+ *pdom_name = talloc_strdup(mem_ctx, dom_name);
+ if (*pdom_name == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto fail;
+ }
+ }
+
+ if (psid) {
+ sid_copy(psid, &sid);
+ }
+ if (ptype) {
+ *ptype = type;
+ }
+
+ status = NT_STATUS_OK;
+fail:
+ TALLOC_FREE(tmp_ctx);
+ return status;
+}
+
+/* convert a domain SID to a user or group name */
+static NTSTATUS sam_sid_to_name(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ const struct dom_sid *sid,
+ char **pdomain_name,
+ char **pname,
+ enum lsa_SidType *ptype)
+{
+ struct rpc_pipe_client *samr_pipe = NULL;
+ struct dcerpc_binding_handle *h = NULL;
+ struct policy_handle dom_pol = { .handle_type = 0, };
+ const char *domain_name = "";
+ const char *name = "";
+ enum lsa_SidType type = SID_NAME_USE_NONE;
+ struct lsa_Strings names = { .count = 0, };
+ struct samr_Ids types = { .count = 0 };
+ struct dom_sid domain_sid;
+ uint32_t rid;
+ TALLOC_CTX *tmp_ctx = talloc_stackframe();
+ NTSTATUS status = NT_STATUS_NONE_MAPPED;
+ NTSTATUS result;
+ bool retry = false;
+ bool ok;
+
+ DEBUG(3,("sam_sid_to_name\n"));
+
+ if (sid_check_is_unix_users(sid)) {
+ domain_name = unix_users_domain_name();
+ type = SID_NAME_DOMAIN;
+ goto done;
+ }
+ if (sid_check_is_in_unix_users(sid)) {
+ struct passwd *pwd = NULL;
+
+ ok = sid_peek_rid(sid, &rid);
+ if (!ok) {
+ goto fail;
+ }
+ pwd = getpwuid(rid);
+ if (pwd == NULL) {
+ goto fail;
+ }
+
+ domain_name = unix_users_domain_name();
+ name = talloc_strdup(tmp_ctx, pwd->pw_name);
+ if (name == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto fail;
+ }
+ type = SID_NAME_USER;
+ goto done;
+ }
+
+ if (sid_check_is_unix_groups(sid)) {
+ domain_name = unix_groups_domain_name();
+ type = SID_NAME_DOMAIN;
+ goto done;
+ }
+ if (sid_check_is_in_unix_groups(sid)) {
+ struct group *grp = NULL;
+
+ ok = sid_peek_rid(sid, &rid);
+ if (!ok) {
+ goto fail;
+ }
+ grp = getgrgid(rid);
+ if (grp == NULL) {
+ goto fail;
+ }
+
+ domain_name = unix_groups_domain_name();
+ name = talloc_strdup(tmp_ctx, grp->gr_name);
+ if (name == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto fail;
+ }
+ type = SID_NAME_DOM_GRP;
+ goto done;
+ }
+
+ ok = lookup_wellknown_sid(tmp_ctx, sid, &domain_name, &name);
+ if (ok) {
+ type = SID_NAME_WKN_GRP;
+ goto done;
+ }
+
+ if (dom_sid_equal(sid, &domain->sid)) {
+ domain_name = domain->name;
+ type = SID_NAME_DOMAIN;
+ goto done;
+ }
+
+ sid_copy(&domain_sid, sid);
+ ok = sid_split_rid(&domain_sid, &rid);
+ if (!ok) {
+ goto fail;
+ }
+
+ if (!dom_sid_equal(&domain_sid, &domain->sid)) {
+ goto fail;
+ }
+
+again:
+ status = open_cached_internal_pipe_conn(
+ domain, &samr_pipe, &dom_pol, NULL, NULL);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto fail;
+ }
+ h = samr_pipe->binding_handle;
+
+ status = dcerpc_samr_LookupRids(
+ h, tmp_ctx, &dom_pol, 1, &rid, &names, &types, &result);
+
+ if (!retry && reset_connection_on_error(domain, samr_pipe, status)) {
+ retry = true;
+ goto again;
+ }
+
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_DEBUG("dcerpc_samr_LookupRids failed: %s\n",
+ nt_errstr(status));
+ goto fail;
+ }
+ if (!NT_STATUS_IS_OK(result)) {
+ DBG_DEBUG("dcerpc_samr_LookupRids resulted in %s\n",
+ nt_errstr(result));
+ status = result;
+ goto fail;
+ }
+
+ domain_name = domain->name;
+ name = names.names[0].string;
+ type = types.ids[0];
+
+ if (name != NULL) {
+ char *normalized = NULL;
+ NTSTATUS nstatus = normalize_name_map(
+ tmp_ctx, domain_name, name, &normalized);
+ if (NT_STATUS_IS_OK(nstatus) ||
+ NT_STATUS_EQUAL(nstatus, NT_STATUS_FILE_RENAMED)) {
+ name = normalized;
+ }
+ }
+
+done:
+ if (ptype) {
+ *ptype = type;
+ }
+
+ if (pname) {
+ *pname = talloc_strdup(mem_ctx, name);
+ if (*pname == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto fail;
+ }
+ }
+
+ if (pdomain_name) {
+ *pdomain_name = talloc_strdup(mem_ctx, domain_name);
+ if (*pdomain_name == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto fail;
+ }
+ }
+
+ status = NT_STATUS_OK;
+fail:
+ TALLOC_FREE(tmp_ctx);
+ return status;
+}
+
+static NTSTATUS sam_rids_to_names(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ const struct dom_sid *domain_sid,
+ uint32_t *rids,
+ size_t num_rids,
+ char **pdomain_name,
+ char ***pnames,
+ enum lsa_SidType **ptypes)
+{
+ struct rpc_pipe_client *samr_pipe = NULL;
+ struct dcerpc_binding_handle *h = NULL;
+ struct policy_handle dom_pol = { .handle_type = 0, };
+ enum lsa_SidType *types = NULL;
+ char **names = NULL;
+ const char *domain_name = NULL;
+ TALLOC_CTX *tmp_ctx = talloc_stackframe();
+ NTSTATUS status = NT_STATUS_NO_MEMORY;
+ NTSTATUS result;
+ bool retry = false;
+ uint32_t i;
+
+ DEBUG(3,("sam_rids_to_names for %s\n", domain->name));
+
+ types = talloc_array(tmp_ctx, enum lsa_SidType, num_rids);
+ if (types == NULL) {
+ goto fail;
+ }
+
+ names = talloc_array(tmp_ctx, char *, num_rids);
+ if (names == NULL) {
+ goto fail;
+ }
+
+ if (sid_check_is_unix_users(domain_sid)) {
+ domain_name = unix_users_domain_name();
+ domain_sid = &global_sid_Unix_Users;
+ }
+ if (sid_check_is_unix_groups(domain_sid)) {
+ domain_name = unix_groups_domain_name();
+ domain_sid = &global_sid_Unix_Groups;
+ }
+
+ /* Here we're only interested in the domain name being set */
+ sid_check_is_wellknown_domain(domain_sid, &domain_name);
+
+ if (domain_name != NULL) {
+ uint32_t num_mapped = 0;
+
+ /*
+ * Do unix users/groups and wkn in a loop. There is no
+ * getpwuids() call & friends anyway
+ */
+
+ for (i=0; i<num_rids; i++) {
+ struct dom_sid sid;
+ char *name = NULL;
+
+ sid_compose(&sid, domain_sid, rids[i]);
+
+ types[i] = SID_NAME_UNKNOWN;
+ names[i] = NULL;
+
+ status = sam_sid_to_name(
+ domain,
+ tmp_ctx,
+ &sid,
+ NULL,
+ &name,
+ &types[i]);
+ if (NT_STATUS_IS_OK(status)) {
+ names[i] = talloc_move(names, &name);
+ num_mapped += 1;
+ }
+ }
+
+ status = NT_STATUS_NONE_MAPPED;
+ if (num_mapped > 0) {
+ status = (num_mapped == num_rids) ?
+ NT_STATUS_OK : STATUS_SOME_UNMAPPED;
+ }
+ goto done;
+ }
+
+ domain_name = domain->name;
+
+again:
+ status = open_cached_internal_pipe_conn(
+ domain, &samr_pipe, &dom_pol, NULL, NULL);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto done;
+ }
+ h = samr_pipe->binding_handle;
+
+ /*
+ * Magic number 1000 comes from samr.idl
+ */
+
+ for (i = 0; i < num_rids; i += 1000) {
+ uint32_t num_lookup_rids = MIN(num_rids - i, 1000);
+ struct lsa_Strings lsa_names = {
+ .count = 0,
+ };
+ struct samr_Ids samr_types = {
+ .count = 0,
+ };
+ uint32_t j;
+
+ status = dcerpc_samr_LookupRids(h,
+ tmp_ctx,
+ &dom_pol,
+ num_lookup_rids,
+ &rids[i],
+ &lsa_names,
+ &samr_types,
+ &result);
+
+ if (!retry &&
+ reset_connection_on_error(domain, samr_pipe, status)) {
+ retry = true;
+ goto again;
+ }
+
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_DEBUG("dcerpc_samr_LookupRids failed: %s\n",
+ nt_errstr(status));
+ goto fail;
+ }
+ if (!NT_STATUS_IS_OK(result) &&
+ !NT_STATUS_EQUAL(result, STATUS_SOME_UNMAPPED)) {
+ DBG_DEBUG("dcerpc_samr_LookupRids resulted in %s\n",
+ nt_errstr(result));
+ status = result;
+ goto fail;
+ }
+
+ for (j = 0; j < num_lookup_rids; j++) {
+ uint32_t dst = i + j;
+
+ types[dst] = samr_types.ids[j];
+ names[dst] = talloc_move(
+ names,
+ discard_const_p(char *,
+ &lsa_names.names[j].string));
+ if (names[dst] != NULL) {
+ char *normalized = NULL;
+ NTSTATUS nstatus =
+ normalize_name_map(names,
+ domain_name,
+ names[dst],
+ &normalized);
+ if (NT_STATUS_IS_OK(nstatus) ||
+ NT_STATUS_EQUAL(nstatus,
+ NT_STATUS_FILE_RENAMED)) {
+ names[dst] = normalized;
+ }
+ }
+ }
+
+ TALLOC_FREE(samr_types.ids);
+ TALLOC_FREE(lsa_names.names);
+ }
+
+done:
+ if (pdomain_name) {
+ *pdomain_name = talloc_strdup(mem_ctx, domain_name);
+ if (*pdomain_name == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto fail;
+ }
+ }
+
+ if (ptypes) {
+ *ptypes = talloc_move(mem_ctx, &types);
+ }
+
+ if (pnames) {
+ *pnames = talloc_move(mem_ctx, &names);
+ }
+
+fail:
+ TALLOC_FREE(tmp_ctx);
+ return status;
+}
+
+static NTSTATUS sam_lockout_policy(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ struct samr_DomInfo12 *lockout_policy)
+{
+ struct rpc_pipe_client *samr_pipe;
+ struct policy_handle dom_pol = { 0 };
+ union samr_DomainInfo *info = NULL;
+ TALLOC_CTX *tmp_ctx = talloc_stackframe();
+ NTSTATUS status, result;
+ struct dcerpc_binding_handle *b = NULL;
+ bool retry = false;
+
+ DEBUG(3,("sam_lockout_policy\n"));
+
+again:
+ status = open_cached_internal_pipe_conn(domain,
+ &samr_pipe,
+ &dom_pol,
+ NULL,
+ NULL);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto error;
+ }
+
+ b = samr_pipe->binding_handle;
+
+ status = dcerpc_samr_QueryDomainInfo(b,
+ mem_ctx,
+ &dom_pol,
+ DomainLockoutInformation,
+ &info,
+ &result);
+
+ if (!retry && reset_connection_on_error(domain, samr_pipe, status)) {
+ retry = true;
+ goto again;
+ }
+
+ if (!NT_STATUS_IS_OK(status)) {
+ goto error;
+ }
+ if (!NT_STATUS_IS_OK(result)) {
+ status = result;
+ goto error;
+ }
+
+ *lockout_policy = info->info12;
+
+error:
+ TALLOC_FREE(tmp_ctx);
+ return status;
+}
+
+static NTSTATUS sam_password_policy(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ struct samr_DomInfo1 *passwd_policy)
+{
+ struct rpc_pipe_client *samr_pipe;
+ struct policy_handle dom_pol = { 0 };
+ union samr_DomainInfo *info = NULL;
+ TALLOC_CTX *tmp_ctx = talloc_stackframe();
+ NTSTATUS status, result;
+ struct dcerpc_binding_handle *b = NULL;
+ bool retry = false;
+
+ DEBUG(3,("sam_password_policy\n"));
+
+again:
+ status = open_cached_internal_pipe_conn(domain,
+ &samr_pipe,
+ &dom_pol,
+ NULL,
+ NULL);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto error;
+ }
+
+ b = samr_pipe->binding_handle;
+
+ status = dcerpc_samr_QueryDomainInfo(b,
+ mem_ctx,
+ &dom_pol,
+ DomainPasswordInformation,
+ &info,
+ &result);
+
+ if (!retry && reset_connection_on_error(domain, samr_pipe, status)) {
+ retry = true;
+ goto again;
+ }
+
+ if (!NT_STATUS_IS_OK(status)) {
+ goto error;
+ }
+ if (!NT_STATUS_IS_OK(result)) {
+ status = result;
+ goto error;
+ }
+
+ *passwd_policy = info->info1;
+
+error:
+ TALLOC_FREE(tmp_ctx);
+ return status;
+}
+
+/* Lookup groups a user is a member of. */
+static NTSTATUS sam_lookup_usergroups(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ const struct dom_sid *user_sid,
+ uint32_t *pnum_groups,
+ struct dom_sid **puser_grpsids)
+{
+ struct rpc_pipe_client *samr_pipe;
+ struct policy_handle dom_pol;
+ struct dom_sid *user_grpsids = NULL;
+ uint32_t num_groups = 0;
+ TALLOC_CTX *tmp_ctx = talloc_stackframe();
+ NTSTATUS status;
+ bool retry = false;
+
+ DEBUG(3,("sam_lookup_usergroups\n"));
+
+ ZERO_STRUCT(dom_pol);
+
+ if (pnum_groups) {
+ *pnum_groups = 0;
+ }
+
+again:
+ status = open_cached_internal_pipe_conn(domain,
+ &samr_pipe,
+ &dom_pol,
+ NULL,
+ NULL);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto done;
+ }
+
+ status = rpc_lookup_usergroups(tmp_ctx,
+ samr_pipe,
+ &dom_pol,
+ &domain->sid,
+ user_sid,
+ &num_groups,
+ &user_grpsids);
+
+ if (!retry && reset_connection_on_error(domain, samr_pipe, status)) {
+ retry = true;
+ goto again;
+ }
+
+ if (!NT_STATUS_IS_OK(status)) {
+ goto done;
+ }
+
+ if (pnum_groups) {
+ *pnum_groups = num_groups;
+ }
+
+ if (puser_grpsids) {
+ *puser_grpsids = talloc_move(mem_ctx, &user_grpsids);
+ }
+
+done:
+
+ TALLOC_FREE(tmp_ctx);
+ return status;
+}
+
+static NTSTATUS sam_lookup_useraliases(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ uint32_t num_sids,
+ const struct dom_sid *sids,
+ uint32_t *pnum_aliases,
+ uint32_t **palias_rids)
+{
+ struct rpc_pipe_client *samr_pipe;
+ struct policy_handle dom_pol = { 0 };
+ uint32_t num_aliases = 0;
+ uint32_t *alias_rids = NULL;
+ TALLOC_CTX *tmp_ctx = talloc_stackframe();
+ NTSTATUS status;
+ bool retry = false;
+
+ DEBUG(3,("sam_lookup_useraliases\n"));
+
+ if (pnum_aliases) {
+ *pnum_aliases = 0;
+ }
+
+again:
+ status = open_cached_internal_pipe_conn(domain,
+ &samr_pipe,
+ &dom_pol,
+ NULL,
+ NULL);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto done;
+ }
+
+ status = rpc_lookup_useraliases(tmp_ctx,
+ samr_pipe,
+ &dom_pol,
+ num_sids,
+ sids,
+ &num_aliases,
+ &alias_rids);
+
+ if (!retry && reset_connection_on_error(domain, samr_pipe, status)) {
+ retry = true;
+ goto again;
+ }
+
+ if (!NT_STATUS_IS_OK(status)) {
+ goto done;
+ }
+
+ if (pnum_aliases) {
+ *pnum_aliases = num_aliases;
+ }
+
+ if (palias_rids) {
+ *palias_rids = talloc_move(mem_ctx, &alias_rids);
+ }
+
+done:
+
+ TALLOC_FREE(tmp_ctx);
+ return status;
+}
+
+/* the rpc backend methods are exposed via this structure */
+struct winbindd_methods builtin_passdb_methods = {
+ .consistent = false,
+
+ .query_user_list = builtin_query_user_list,
+ .enum_dom_groups = builtin_enum_dom_groups,
+ .enum_local_groups = sam_enum_local_groups,
+ .name_to_sid = sam_name_to_sid,
+ .sid_to_name = sam_sid_to_name,
+ .rids_to_names = sam_rids_to_names,
+ .lookup_usergroups = sam_lookup_usergroups,
+ .lookup_useraliases = sam_lookup_useraliases,
+ .lookup_groupmem = sam_lookup_groupmem,
+ .lockout_policy = sam_lockout_policy,
+ .password_policy = sam_password_policy,
+ .trusted_domains = builtin_trusted_domains
+};
+
+/* the rpc backend methods are exposed via this structure */
+struct winbindd_methods sam_passdb_methods = {
+ .consistent = false,
+
+ .query_user_list = sam_query_user_list,
+ .enum_dom_groups = sam_enum_dom_groups,
+ .enum_local_groups = sam_enum_local_groups,
+ .name_to_sid = sam_name_to_sid,
+ .sid_to_name = sam_sid_to_name,
+ .rids_to_names = sam_rids_to_names,
+ .lookup_usergroups = sam_lookup_usergroups,
+ .lookup_useraliases = sam_lookup_useraliases,
+ .lookup_groupmem = sam_lookup_groupmem,
+ .lockout_policy = sam_lockout_policy,
+ .password_policy = sam_password_policy,
+ .trusted_domains = sam_trusted_domains
+};
diff --git a/source3/winbindd/winbindd_setgrent.c b/source3/winbindd/winbindd_setgrent.c
new file mode 100644
index 0000000..f4f2498
--- /dev/null
+++ b/source3/winbindd/winbindd_setgrent.c
@@ -0,0 +1,67 @@
+/*
+ Unix SMB/CIFS implementation.
+ async implementation of WINBINDD_SETGRENT
+ Copyright (C) Volker Lendecke 2009
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "winbindd.h"
+
+struct winbindd_setgrent_state {
+ uint8_t dummy;
+};
+
+struct tevent_req *winbindd_setgrent_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request)
+{
+ struct tevent_req *req;
+ struct winbindd_setgrent_state *state;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct winbindd_setgrent_state);
+ if (req == NULL) {
+ return NULL;
+ }
+ TALLOC_FREE(cli->grent_state);
+
+ D_NOTICE("[%s (%u)] Winbind external command SETGRENT start.\n"
+ "winbind enum groups = %d\n",
+ cli->client_name,
+ (unsigned int)cli->pid,
+ lp_winbind_enum_groups());
+
+ if (!lp_winbind_enum_groups()) {
+ tevent_req_done(req);
+ return tevent_req_post(req, ev);
+ }
+
+ cli->grent_state = talloc_zero(cli, struct getgrent_state);
+ if (tevent_req_nomem(cli->grent_state, req)) {
+ return tevent_req_post(req, ev);
+ }
+
+ tevent_req_done(req);
+ return tevent_req_post(req, ev);
+}
+
+NTSTATUS winbindd_setgrent_recv(struct tevent_req *req,
+ struct winbindd_response *presp)
+{
+ D_NOTICE("Winbind external command SETGRENT end.\n");
+ return NT_STATUS_OK;
+}
diff --git a/source3/winbindd/winbindd_setpwent.c b/source3/winbindd/winbindd_setpwent.c
new file mode 100644
index 0000000..3c98e5a
--- /dev/null
+++ b/source3/winbindd/winbindd_setpwent.c
@@ -0,0 +1,67 @@
+/*
+ Unix SMB/CIFS implementation.
+ async implementation of WINBINDD_SETPWENT
+ Copyright (C) Volker Lendecke 2009
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "winbindd.h"
+
+struct winbindd_setpwent_state {
+ uint8_t dummy;
+};
+
+struct tevent_req *winbindd_setpwent_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request)
+{
+ struct tevent_req *req;
+ struct winbindd_setpwent_state *state;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct winbindd_setpwent_state);
+ if (req == NULL) {
+ return NULL;
+ }
+ TALLOC_FREE(cli->pwent_state);
+
+ D_NOTICE("[%s (%u)] Winbind external command SETPWENT start.\n"
+ "winbind enum users = %d\n",
+ cli->client_name,
+ (unsigned int)cli->pid,
+ lp_winbind_enum_users());
+
+ if (!lp_winbind_enum_users()) {
+ tevent_req_done(req);
+ return tevent_req_post(req, ev);
+ }
+
+ cli->pwent_state = talloc_zero(cli, struct getpwent_state);
+ if (tevent_req_nomem(cli->pwent_state, req)) {
+ return tevent_req_post(req, ev);
+ }
+
+ tevent_req_done(req);
+ return tevent_req_post(req, ev);
+}
+
+NTSTATUS winbindd_setpwent_recv(struct tevent_req *req,
+ struct winbindd_response *presp)
+{
+ D_NOTICE("Winbind external command SETPWENT end.\n");
+ return NT_STATUS_OK;
+}
diff --git a/source3/winbindd/winbindd_show_sequence.c b/source3/winbindd/winbindd_show_sequence.c
new file mode 100644
index 0000000..8e53781
--- /dev/null
+++ b/source3/winbindd/winbindd_show_sequence.c
@@ -0,0 +1,167 @@
+/*
+ Unix SMB/CIFS implementation.
+ async implementation of WINBINDD_SHOW_SEQUENCE
+ Copyright (C) Volker Lendecke 2009
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "winbindd.h"
+
+struct winbindd_show_sequence_state {
+ bool one_domain;
+ /* One domain */
+ uint32_t seqnum;
+
+ /* All domains */
+ int num_domains;
+ NTSTATUS *stati;
+ struct winbindd_domain **domains;
+ uint32_t *seqnums;
+};
+
+static void winbindd_show_sequence_done_one(struct tevent_req *subreq);
+static void winbindd_show_sequence_done_all(struct tevent_req *subreq);
+
+struct tevent_req *winbindd_show_sequence_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request)
+{
+ struct tevent_req *req, *subreq;
+ struct winbindd_show_sequence_state *state;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct winbindd_show_sequence_state);
+ if (req == NULL) {
+ return NULL;
+ }
+ state->one_domain = false;
+ state->domains = NULL;
+ state->stati = NULL;
+ state->seqnums = NULL;
+
+ /* Ensure null termination */
+ request->domain_name[sizeof(request->domain_name)-1]='\0';
+
+ DEBUG(3, ("show_sequence %s\n", request->domain_name));
+
+ if (request->domain_name[0] != '\0') {
+ struct winbindd_domain *domain;
+
+ state->one_domain = true;
+
+ domain = find_domain_from_name_noinit(
+ request->domain_name);
+ if (domain == NULL) {
+ tevent_req_nterror(req, NT_STATUS_NO_SUCH_DOMAIN);
+ return tevent_req_post(req, ev);
+ }
+
+ subreq = wb_seqnum_send(state, ev, domain);
+ if (tevent_req_nomem(subreq, req)) {
+ return tevent_req_post(req, ev);
+ }
+ tevent_req_set_callback(
+ subreq, winbindd_show_sequence_done_one, req);
+ return req;
+ }
+
+ subreq = wb_seqnums_send(state, ev);
+ if (tevent_req_nomem(subreq, req)) {
+ return tevent_req_post(req, ev);
+ }
+ tevent_req_set_callback(subreq, winbindd_show_sequence_done_all, req);
+ return req;
+}
+
+static void winbindd_show_sequence_done_one(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct winbindd_show_sequence_state *state = tevent_req_data(
+ req, struct winbindd_show_sequence_state);
+ NTSTATUS status;
+
+ status = wb_seqnum_recv(subreq, &state->seqnum);
+ TALLOC_FREE(subreq);
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
+ tevent_req_done(req);
+}
+
+static void winbindd_show_sequence_done_all(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct winbindd_show_sequence_state *state = tevent_req_data(
+ req, struct winbindd_show_sequence_state);
+ NTSTATUS status;
+
+ status = wb_seqnums_recv(subreq, state, &state->num_domains,
+ &state->domains, &state->stati,
+ &state->seqnums);
+ TALLOC_FREE(subreq);
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
+ tevent_req_done(req);
+}
+
+NTSTATUS winbindd_show_sequence_recv(struct tevent_req *req,
+ struct winbindd_response *response)
+{
+ struct winbindd_show_sequence_state *state = tevent_req_data(
+ req, struct winbindd_show_sequence_state);
+ NTSTATUS status;
+ char *extra_data;
+ int i;
+
+ if (tevent_req_is_nterror(req, &status)) {
+ return status;
+ }
+
+ if (state->one_domain) {
+ response->data.sequence_number = state->seqnum;
+ return NT_STATUS_OK;
+ }
+
+ extra_data = talloc_strdup(response, "");
+ if (extra_data == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ for (i=0; i<state->num_domains; i++) {
+ if (!NT_STATUS_IS_OK(state->stati[i])
+ || (state->seqnums[i] == DOM_SEQUENCE_NONE)) {
+ extra_data = talloc_asprintf_append_buffer(
+ extra_data, "%s : DISCONNECTED\n",
+ state->domains[i]->name);
+ } else {
+ extra_data = talloc_asprintf_append_buffer(
+ extra_data, "%s : %d\n",
+ state->domains[i]->name,
+ (int)state->seqnums[i]);
+ }
+ if (extra_data == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
+
+ response->extra_data.data = extra_data;
+ response->length += talloc_get_size(extra_data);
+ return NT_STATUS_OK;
+}
diff --git a/source3/winbindd/winbindd_sids_to_xids.c b/source3/winbindd/winbindd_sids_to_xids.c
new file mode 100644
index 0000000..187b299
--- /dev/null
+++ b/source3/winbindd/winbindd_sids_to_xids.c
@@ -0,0 +1,164 @@
+/*
+ Unix SMB/CIFS implementation.
+ async implementation of WINBINDD_SIDS_TO_XIDS
+ Copyright (C) Volker Lendecke 2011
+ Copyright (C) Michael Adam 2012
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "winbindd.h"
+#include "../libcli/security/security.h"
+
+
+struct winbindd_sids_to_xids_state {
+ struct tevent_context *ev;
+ struct dom_sid *sids;
+ uint32_t num_sids;
+ struct unixid *xids;
+};
+
+static void winbindd_sids_to_xids_done(struct tevent_req *subreq);
+
+struct tevent_req *winbindd_sids_to_xids_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request)
+{
+ struct tevent_req *req, *subreq;
+ struct winbindd_sids_to_xids_state *state;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct winbindd_sids_to_xids_state);
+ if (req == NULL) {
+ return NULL;
+ }
+ state->ev = ev;
+
+ D_NOTICE("[%s (%u)] Winbind external command SIDS_TO_XIDS start.\n",
+ cli->client_name,
+ (unsigned int)cli->pid);
+
+ if (request->extra_len == 0) {
+ tevent_req_done(req);
+ return tevent_req_post(req, ev);
+ }
+ if (request->extra_data.data[request->extra_len-1] != '\0') {
+ D_DEBUG("Got invalid sids list\n");
+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ return tevent_req_post(req, ev);
+ }
+ if (!parse_sidlist(state, request->extra_data.data,
+ &state->sids, &state->num_sids)) {
+ D_DEBUG("parse_sidlist failed\n");
+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ return tevent_req_post(req, ev);
+ }
+
+ D_DEBUG("Resolving %"PRIu32" SID(s).\n", state->num_sids);
+
+ subreq = wb_sids2xids_send(state, ev, state->sids, state->num_sids);
+ if (tevent_req_nomem(subreq, req)) {
+ return tevent_req_post(req, ev);
+ }
+
+ tevent_req_set_callback(subreq, winbindd_sids_to_xids_done, req);
+ return req;
+}
+
+static void winbindd_sids_to_xids_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct winbindd_sids_to_xids_state *state = tevent_req_data(
+ req, struct winbindd_sids_to_xids_state);
+ NTSTATUS status;
+
+ state->xids = talloc_zero_array(state, struct unixid, state->num_sids);
+ if (tevent_req_nomem(state->xids, req)) {
+ return;
+ }
+
+ status = wb_sids2xids_recv(subreq, state->xids, state->num_sids);
+ TALLOC_FREE(subreq);
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
+ tevent_req_done(req);
+}
+
+NTSTATUS winbindd_sids_to_xids_recv(struct tevent_req *req,
+ struct winbindd_response *response)
+{
+ struct winbindd_sids_to_xids_state *state = tevent_req_data(
+ req, struct winbindd_sids_to_xids_state);
+ NTSTATUS status;
+ char *result = NULL;
+ uint32_t i;
+
+ D_NOTICE("Winbind external command SIDS_TO_XIDS end.\n");
+ if (tevent_req_is_nterror(req, &status)) {
+ D_WARNING("Could not convert sids: %s\n", nt_errstr(status));
+ return status;
+ }
+
+ result = talloc_strdup(response, "");
+
+ for (i=0; i<state->num_sids; i++) {
+ char type = '\0';
+ bool found = true;
+ struct unixid xid;
+
+ xid = state->xids[i];
+
+ switch (xid.type) {
+ case ID_TYPE_UID:
+ type = 'U';
+ break;
+ case ID_TYPE_GID:
+ type = 'G';
+ break;
+ case ID_TYPE_BOTH:
+ type = 'B';
+ break;
+ default:
+ found = false;
+ break;
+ }
+
+ if (xid.id == UINT32_MAX) {
+ found = false;
+ }
+
+ if (found) {
+ talloc_asprintf_addbuf(
+ &result,
+ "%c%lu\n",
+ type,
+ (unsigned long)xid.id);
+ } else {
+ talloc_asprintf_addbuf(&result, "\n");
+ }
+ }
+
+ if (result == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ response->extra_data.data = result;
+ response->length += talloc_get_size(result);
+
+ return NT_STATUS_OK;
+}
diff --git a/source3/winbindd/winbindd_traceid.c b/source3/winbindd/winbindd_traceid.c
new file mode 100644
index 0000000..acf16be
--- /dev/null
+++ b/source3/winbindd/winbindd_traceid.c
@@ -0,0 +1,147 @@
+/*
+ Authors:
+ Pavel Březina <pbrezina@redhat.com>
+
+ Copyright (C) 2021 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "lib/util/debug.h"
+#include "winbindd_traceid.h"
+#include "tevent.h"
+
+static void debug_traceid_trace_fde(struct tevent_fd *fde,
+ enum tevent_event_trace_point point,
+ void *private_data)
+{
+ switch (point) {
+ case TEVENT_EVENT_TRACE_ATTACH:
+ /* Assign the current traceid id when the event is created. */
+ tevent_fd_set_tag(fde, debug_traceid_get());
+ break;
+ case TEVENT_EVENT_TRACE_BEFORE_HANDLER:
+ /* Set the traceid id when a handler is being called. */
+ debug_traceid_set(tevent_fd_get_tag(fde));
+ break;
+ default:
+ /* Do nothing. */
+ break;
+ }
+}
+
+static void debug_traceid_trace_signal(struct tevent_signal *se,
+ enum tevent_event_trace_point point,
+ void *private_data)
+{
+ switch (point) {
+ case TEVENT_EVENT_TRACE_ATTACH:
+ /* Assign the current traceid id when the event is created. */
+ tevent_signal_set_tag(se, debug_traceid_get());
+ break;
+ case TEVENT_EVENT_TRACE_BEFORE_HANDLER:
+ /* Set the traceid id when a handler is being called. */
+ debug_traceid_set(tevent_signal_get_tag(se));
+ break;
+ default:
+ /* Do nothing. */
+ break;
+ }
+}
+
+static void debug_traceid_trace_timer(struct tevent_timer *timer,
+ enum tevent_event_trace_point point,
+ void *private_data)
+{
+ switch (point) {
+ case TEVENT_EVENT_TRACE_ATTACH:
+ /* Assign the current traceid id when the event is created. */
+ tevent_timer_set_tag(timer, debug_traceid_get());
+ break;
+ case TEVENT_EVENT_TRACE_BEFORE_HANDLER:
+ /* Set the traceid id when a handler is being called. */
+ debug_traceid_set(tevent_timer_get_tag(timer));
+ break;
+ default:
+ /* Do nothing. */
+ break;
+ }
+}
+
+static void debug_traceid_trace_immediate(struct tevent_immediate *im,
+ enum tevent_event_trace_point point,
+ void *private_data)
+{
+ switch (point) {
+ case TEVENT_EVENT_TRACE_ATTACH:
+ /* Assign the current traceid id when the event is created. */
+ tevent_immediate_set_tag(im, debug_traceid_get());
+ break;
+ case TEVENT_EVENT_TRACE_BEFORE_HANDLER:
+ /* Set the traceid id when a handler is being called. */
+ debug_traceid_set(tevent_immediate_get_tag(im));
+ break;
+ default:
+ /* Do nothing. */
+ break;
+ }
+}
+
+static void debug_traceid_trace_queue(struct tevent_queue_entry *qe,
+ enum tevent_event_trace_point point,
+ void *private_data)
+{
+ switch (point) {
+ case TEVENT_EVENT_TRACE_ATTACH:
+ /* Assign the current traceid id when the event is created. */
+ tevent_queue_entry_set_tag(qe, debug_traceid_get());
+ break;
+ case TEVENT_EVENT_TRACE_BEFORE_HANDLER:
+ /* Set the traceid id when a handler is being called. */
+ debug_traceid_set(tevent_queue_entry_get_tag(qe));
+ break;
+ default:
+ /* Do nothing. */
+ break;
+ }
+}
+
+static void debug_traceid_trace_loop(enum tevent_trace_point point,
+ void *private_data)
+{
+ switch (point) {
+ case TEVENT_TRACE_AFTER_LOOP_ONCE:
+ /* Reset traceid id when we got back to the loop. An event handler
+ * that set traceid id was fired. This tracepoint represents a place
+ * after the event handler was finished, we need to restore traceid
+ * id to 1 (out of request). 0 means not initialized.
+ */
+ debug_traceid_set(1);
+ break;
+ default:
+ /* Do nothing. */
+ break;
+ }
+}
+
+void winbind_debug_traceid_setup(struct tevent_context *ev)
+{
+ tevent_set_trace_callback(ev, debug_traceid_trace_loop, NULL);
+ tevent_set_trace_fd_callback(ev, debug_traceid_trace_fde, NULL);
+ tevent_set_trace_signal_callback(ev, debug_traceid_trace_signal, NULL);
+ tevent_set_trace_timer_callback(ev, debug_traceid_trace_timer, NULL);
+ tevent_set_trace_immediate_callback(ev, debug_traceid_trace_immediate, NULL);
+ tevent_set_trace_queue_callback(ev, debug_traceid_trace_queue, NULL);
+ debug_traceid_set(1);
+}
diff --git a/source3/winbindd/winbindd_traceid.h b/source3/winbindd/winbindd_traceid.h
new file mode 100644
index 0000000..d06e3ef
--- /dev/null
+++ b/source3/winbindd/winbindd_traceid.h
@@ -0,0 +1,29 @@
+/*
+ Authors:
+ Pavel Březina <pbrezina@redhat.com>
+
+ Copyright (C) 2021 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#ifndef _DEBUG_TRACE_ID_
+#define _DEBUG_TRACE_ID_
+
+#include <tevent.h>
+
+/* Setup traceid tracking on tevent context. */
+void winbind_debug_traceid_setup(struct tevent_context *ev);
+
+#endif /* _DEBUG_TRACE_ID_ */
diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
new file mode 100644
index 0000000..b4c53ba
--- /dev/null
+++ b/source3/winbindd/winbindd_util.c
@@ -0,0 +1,2183 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ Winbind daemon for ntdom nss module
+
+ Copyright (C) Tim Potter 2000-2001
+ Copyright (C) 2001 by Martin Pool <mbp@samba.org>
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "winbindd.h"
+#include "lib/util_unixsids.h"
+#include "secrets.h"
+#include "../libcli/security/security.h"
+#include "../libcli/auth/pam_errors.h"
+#include "passdb/machine_sid.h"
+#include "passdb.h"
+#include "source4/lib/messaging/messaging.h"
+#include "librpc/gen_ndr/ndr_lsa.h"
+#include "librpc/gen_ndr/ndr_drsblobs.h"
+#include "auth/credentials/credentials.h"
+#include "libsmb/samlogon_cache.h"
+#include "lib/util/smb_strtox.h"
+#include "lib/util/string_wrappers.h"
+#include "lib/global_contexts.h"
+#include "librpc/gen_ndr/ndr_winbind_c.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_WINBIND
+
+/**
+ * @file winbindd_util.c
+ *
+ * Winbind daemon for NT domain authentication nss module.
+ **/
+
+static bool add_trusted_domains_dc(void);
+
+/* The list of trusted domains. Note that the list can be deleted and
+ recreated using the init_domain_list() function so pointers to
+ individual winbindd_domain structures cannot be made. Keep a copy of
+ the domain name instead. */
+
+static struct winbindd_domain *_domain_list = NULL;
+
+struct winbindd_domain *domain_list(void)
+{
+ /* Initialise list */
+
+ if ((!_domain_list) && (!init_domain_list())) {
+ smb_panic("Init_domain_list failed");
+ }
+
+ return _domain_list;
+}
+
+/* Free all entries in the trusted domain list */
+
+static void free_domain_list(void)
+{
+ struct winbindd_domain *domain = _domain_list;
+
+ while(domain) {
+ struct winbindd_domain *next = domain->next;
+
+ DLIST_REMOVE(_domain_list, domain);
+ TALLOC_FREE(domain);
+ domain = next;
+ }
+}
+
+/**
+ * Iterator for winbindd's domain list.
+ * To be used (e.g.) in tevent based loops.
+ */
+struct winbindd_domain *wb_next_domain(struct winbindd_domain *domain)
+{
+ if (domain == NULL) {
+ domain = domain_list();
+ } else {
+ domain = domain->next;
+ }
+
+ if ((domain != NULL) &&
+ (lp_server_role() != ROLE_ACTIVE_DIRECTORY_DC) &&
+ sid_check_is_our_sam(&domain->sid))
+ {
+ domain = domain->next;
+ }
+
+ return domain;
+}
+
+static bool is_internal_domain(const struct dom_sid *sid)
+{
+ if (sid == NULL)
+ return False;
+
+ return (sid_check_is_our_sam(sid) || sid_check_is_builtin(sid));
+}
+
+/* Add a trusted domain to our list of domains.
+ If the domain already exists in the list,
+ return it and don't re-initialize. */
+
+static NTSTATUS add_trusted_domain(const char *domain_name,
+ const char *dns_name,
+ const struct dom_sid *sid,
+ uint32_t trust_type,
+ uint32_t trust_flags,
+ uint32_t trust_attribs,
+ enum netr_SchannelType secure_channel_type,
+ struct winbindd_domain *routing_domain,
+ struct winbindd_domain **_d)
+{
+ struct winbindd_domain *domain = NULL;
+ int role = lp_server_role();
+ struct dom_sid_buf buf;
+
+ if (is_null_sid(sid)) {
+ DBG_ERR("Got null SID for domain [%s]\n", domain_name);
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ if (secure_channel_type == SEC_CHAN_NULL && !is_allowed_domain(domain_name)) {
+ return NT_STATUS_NO_SUCH_DOMAIN;
+ }
+
+ /*
+ * We can't call domain_list() as this function is called from
+ * init_domain_list() and we'll get stuck in a loop.
+ */
+ for (domain = _domain_list; domain; domain = domain->next) {
+ if (strequal(domain_name, domain->name)) {
+ break;
+ }
+ }
+
+ if (domain != NULL) {
+ struct winbindd_domain *check_domain = NULL;
+
+ for (check_domain = _domain_list;
+ check_domain != NULL;
+ check_domain = check_domain->next)
+ {
+ if (check_domain == domain) {
+ continue;
+ }
+
+ if (dom_sid_equal(&check_domain->sid, sid)) {
+ break;
+ }
+ }
+
+ if (check_domain != NULL) {
+ DBG_ERR("SID [%s] already used by domain [%s], "
+ "expected [%s]\n",
+ dom_sid_str_buf(sid, &buf),
+ check_domain->name,
+ domain->name);
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ }
+
+ if ((domain != NULL) && (dns_name != NULL)) {
+ struct winbindd_domain *check_domain = NULL;
+
+ for (check_domain = _domain_list;
+ check_domain != NULL;
+ check_domain = check_domain->next)
+ {
+ if (check_domain == domain) {
+ continue;
+ }
+
+ if (strequal(check_domain->alt_name, dns_name)) {
+ break;
+ }
+ }
+
+ if (check_domain != NULL) {
+ DBG_ERR("DNS name [%s] used by domain [%s], "
+ "expected [%s]\n",
+ dns_name, check_domain->name,
+ domain->name);
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ }
+
+ if (domain != NULL) {
+ *_d = domain;
+ return NT_STATUS_OK;
+ }
+
+ /* Create new domain entry */
+ domain = talloc_zero(NULL, struct winbindd_domain);
+ if (domain == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ domain->children = talloc_zero_array(domain,
+ struct winbindd_child,
+ lp_winbind_max_domain_connections());
+ if (domain->children == NULL) {
+ TALLOC_FREE(domain);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ domain->queue = tevent_queue_create(domain, "winbind_domain");
+ if (domain->queue == NULL) {
+ TALLOC_FREE(domain);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ domain->binding_handle = wbint_binding_handle(domain, domain, NULL);
+ if (domain->binding_handle == NULL) {
+ TALLOC_FREE(domain);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ domain->name = talloc_strdup(domain, domain_name);
+ if (domain->name == NULL) {
+ TALLOC_FREE(domain);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if (dns_name != NULL) {
+ domain->alt_name = talloc_strdup(domain, dns_name);
+ if (domain->alt_name == NULL) {
+ TALLOC_FREE(domain);
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
+
+ domain->backend = NULL;
+ domain->internal = is_internal_domain(sid);
+ domain->secure_channel_type = secure_channel_type;
+ domain->sequence_number = DOM_SEQUENCE_NONE;
+ domain->last_seq_check = 0;
+ domain->initialized = false;
+ domain->online = is_internal_domain(sid);
+ domain->domain_flags = trust_flags;
+ domain->domain_type = trust_type;
+ domain->domain_trust_attribs = trust_attribs;
+ domain->secure_channel_type = secure_channel_type;
+ domain->routing_domain = routing_domain;
+ sid_copy(&domain->sid, sid);
+
+ /* Is this our primary domain ? */
+ if (role == ROLE_DOMAIN_MEMBER) {
+ domain->primary = strequal(domain_name, lp_workgroup());
+ } else {
+ domain->primary = strequal(domain_name, get_global_sam_name());
+ }
+
+ if (domain->primary) {
+ if (role == ROLE_ACTIVE_DIRECTORY_DC) {
+ domain->active_directory = true;
+ }
+ if (lp_security() == SEC_ADS) {
+ domain->active_directory = true;
+ }
+ } else if (!domain->internal) {
+ if (domain->domain_type == LSA_TRUST_TYPE_UPLEVEL) {
+ domain->active_directory = true;
+ }
+ }
+
+ domain->can_do_ncacn_ip_tcp = domain->active_directory;
+
+ /* Link to domain list */
+ DLIST_ADD_END(_domain_list, domain);
+
+ wcache_tdc_add_domain( domain );
+
+ setup_domain_child(domain);
+
+ DBG_NOTICE("Added domain [%s] [%s] [%s]\n",
+ domain->name, domain->alt_name,
+ dom_sid_str_buf(&domain->sid, &buf));
+
+ *_d = domain;
+ return NT_STATUS_OK;
+}
+
+bool set_routing_domain(struct winbindd_domain *domain,
+ struct winbindd_domain *routing_domain)
+{
+ if (domain->routing_domain == NULL) {
+ domain->routing_domain = routing_domain;
+ return true;
+ }
+ if (domain->routing_domain != routing_domain) {
+ return false;
+ }
+ return true;
+}
+
+bool add_trusted_domain_from_auth(uint16_t validation_level,
+ struct info3_text *info3,
+ struct info6_text *info6)
+{
+ struct winbindd_domain *domain = NULL;
+ struct dom_sid domain_sid;
+ const char *dns_domainname = NULL;
+ NTSTATUS status;
+ bool ok;
+
+ /*
+ * We got a successfull auth from a domain that might not yet be in our
+ * domain list. If we're a member we trust our DC who authenticated the
+ * user from that domain and add the domain to our list on-the-fly. If
+ * we're a DC we rely on configured trusts and don't add on-the-fly.
+ */
+
+ if (IS_DC) {
+ return true;
+ }
+
+ ok = dom_sid_parse(info3->dom_sid, &domain_sid);
+ if (!ok) {
+ DBG_NOTICE("dom_sid_parse [%s] failed\n", info3->dom_sid);
+ return false;
+ }
+
+ if (validation_level == 6) {
+ if (!strequal(info6->dns_domainname, "")) {
+ dns_domainname = info6->dns_domainname;
+ }
+ }
+
+ status = add_trusted_domain(info3->logon_dom,
+ dns_domainname,
+ &domain_sid,
+ 0,
+ NETR_TRUST_FLAG_OUTBOUND,
+ 0,
+ SEC_CHAN_NULL,
+ find_default_route_domain(),
+ &domain);
+ if (!NT_STATUS_IS_OK(status) &&
+ !NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_DOMAIN))
+ {
+ DBG_DEBUG("Adding domain [%s] with sid [%s] failed\n",
+ info3->logon_dom, info3->dom_sid);
+ return false;
+ }
+
+ return true;
+}
+
+bool domain_is_forest_root(const struct winbindd_domain *domain)
+{
+ const uint32_t fr_flags =
+ (NETR_TRUST_FLAG_TREEROOT|NETR_TRUST_FLAG_IN_FOREST);
+
+ return ((domain->domain_flags & fr_flags) == fr_flags);
+}
+
+/********************************************************************
+ rescan our domains looking for new trusted domains
+********************************************************************/
+
+struct trustdom_state {
+ struct winbindd_domain *domain;
+ struct netr_DomainTrustList trusts;
+};
+
+static void trustdom_list_done(struct tevent_req *req);
+static void rescan_forest_root_trusts( void );
+static void rescan_forest_trusts( void );
+
+static void add_trusted_domains( struct winbindd_domain *domain )
+{
+ struct tevent_context *ev = global_event_context();
+ struct trustdom_state *state;
+ struct tevent_req *req;
+ const char *client_name = NULL;
+ pid_t client_pid;
+
+ state = talloc_zero(NULL, struct trustdom_state);
+ if (state == NULL) {
+ DEBUG(0, ("talloc failed\n"));
+ return;
+ }
+ state->domain = domain;
+
+ /* Called from timer, not from a real client */
+ client_name = getprogname();
+ client_pid = getpid();
+
+ req = dcerpc_wbint_ListTrustedDomains_send(state,
+ ev,
+ dom_child_handle(domain),
+ client_name,
+ client_pid,
+ &state->trusts);
+ if (req == NULL) {
+ DBG_ERR("dcerpc_wbint_ListTrustedDomains_send failed\n");
+ TALLOC_FREE(state);
+ return;
+ }
+ tevent_req_set_callback(req, trustdom_list_done, state);
+}
+
+static void trustdom_list_done(struct tevent_req *req)
+{
+ struct trustdom_state *state = tevent_req_callback_data(
+ req, struct trustdom_state);
+ bool within_forest = false;
+ NTSTATUS status, result;
+ uint32_t i;
+
+ /*
+ * Only when we enumerate our primary domain
+ * or our forest root domain, we should keep
+ * the NETR_TRUST_FLAG_IN_FOREST flag, in
+ * all other cases we need to clear it as the domain
+ * is not part of our forest.
+ */
+ if (state->domain->primary) {
+ within_forest = true;
+ } else if (domain_is_forest_root(state->domain)) {
+ within_forest = true;
+ }
+
+ status = dcerpc_wbint_ListTrustedDomains_recv(req, state, &result);
+ if (any_nt_status_not_ok(status, result, &status)) {
+ DBG_WARNING("Could not receive trusts for domain %s: %s-%s\n",
+ state->domain->name, nt_errstr(status),
+ nt_errstr(result));
+ TALLOC_FREE(state);
+ return;
+ }
+
+ for (i=0; i<state->trusts.count; i++) {
+ struct netr_DomainTrust *trust = &state->trusts.array[i];
+ struct winbindd_domain *domain = NULL;
+
+ if (!within_forest) {
+ trust->trust_flags &= ~NETR_TRUST_FLAG_IN_FOREST;
+ }
+
+ if (!state->domain->primary) {
+ trust->trust_flags &= ~NETR_TRUST_FLAG_PRIMARY;
+ }
+
+ /*
+ * We always call add_trusted_domain() cause on an existing
+ * domain structure, it will update the SID if necessary.
+ * This is important because we need the SID for sibling
+ * domains.
+ */
+ status = add_trusted_domain(trust->netbios_name,
+ trust->dns_name,
+ trust->sid,
+ trust->trust_type,
+ trust->trust_flags,
+ trust->trust_attributes,
+ SEC_CHAN_NULL,
+ find_default_route_domain(),
+ &domain);
+ if (!NT_STATUS_IS_OK(status) &&
+ !NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_DOMAIN))
+ {
+ DBG_NOTICE("add_trusted_domain returned %s\n",
+ nt_errstr(status));
+ return;
+ }
+ }
+
+ /*
+ Cases to consider when scanning trusts:
+ (a) we are calling from a child domain (primary && !forest_root)
+ (b) we are calling from the root of the forest (primary && forest_root)
+ (c) we are calling from a trusted forest domain (!primary
+ && !forest_root)
+ */
+
+ if (state->domain->primary) {
+ /* If this is our primary domain and we are not in the
+ forest root, we have to scan the root trusts first */
+
+ if (!domain_is_forest_root(state->domain))
+ rescan_forest_root_trusts();
+ else
+ rescan_forest_trusts();
+
+ } else if (domain_is_forest_root(state->domain)) {
+ /* Once we have done root forest trust search, we can
+ go on to search the trusted forests */
+
+ rescan_forest_trusts();
+ }
+
+ TALLOC_FREE(state);
+
+ return;
+}
+
+/********************************************************************
+ Scan the trusts of our forest root
+********************************************************************/
+
+static void rescan_forest_root_trusts( void )
+{
+ struct winbindd_tdc_domain *dom_list = NULL;
+ size_t num_trusts = 0;
+ size_t i;
+ NTSTATUS status;
+
+ /* The only transitive trusts supported by Windows 2003 AD are
+ (a) Parent-Child, (b) Tree-Root, and (c) Forest. The
+ first two are handled in forest and listed by
+ DsEnumerateDomainTrusts(). Forest trusts are not so we
+ have to do that ourselves. */
+
+ if ( !wcache_tdc_fetch_list( &dom_list, &num_trusts ) )
+ return;
+
+ for ( i=0; i<num_trusts; i++ ) {
+ struct winbindd_domain *d = NULL;
+
+ /* Find the forest root. Don't necessarily trust
+ the domain_list() as our primary domain may not
+ have been initialized. */
+
+ if ( !(dom_list[i].trust_flags & NETR_TRUST_FLAG_TREEROOT) ) {
+ continue;
+ }
+
+ /* Here's the forest root */
+
+ d = find_domain_from_name_noinit( dom_list[i].domain_name );
+ if (d == NULL) {
+ status = add_trusted_domain(dom_list[i].domain_name,
+ dom_list[i].dns_name,
+ &dom_list[i].sid,
+ dom_list[i].trust_type,
+ dom_list[i].trust_flags,
+ dom_list[i].trust_attribs,
+ SEC_CHAN_NULL,
+ find_default_route_domain(),
+ &d);
+
+ if (!NT_STATUS_IS_OK(status) &&
+ NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_DOMAIN))
+ {
+ DBG_ERR("add_trusted_domain returned %s\n",
+ nt_errstr(status));
+ return;
+ }
+ }
+ if (d == NULL) {
+ continue;
+ }
+
+ DEBUG(10,("rescan_forest_root_trusts: Following trust path "
+ "for domain tree root %s (%s)\n",
+ d->name, d->alt_name ));
+
+ d->domain_flags = dom_list[i].trust_flags;
+ d->domain_type = dom_list[i].trust_type;
+ d->domain_trust_attribs = dom_list[i].trust_attribs;
+
+ add_trusted_domains( d );
+
+ break;
+ }
+
+ TALLOC_FREE( dom_list );
+
+ return;
+}
+
+/********************************************************************
+ scan the transitive forest trusts (not our own)
+********************************************************************/
+
+
+static void rescan_forest_trusts( void )
+{
+ struct winbindd_domain *d = NULL;
+ struct winbindd_tdc_domain *dom_list = NULL;
+ size_t num_trusts = 0;
+ size_t i;
+ NTSTATUS status;
+
+ /* The only transitive trusts supported by Windows 2003 AD are
+ (a) Parent-Child, (b) Tree-Root, and (c) Forest. The
+ first two are handled in forest and listed by
+ DsEnumerateDomainTrusts(). Forest trusts are not so we
+ have to do that ourselves. */
+
+ if ( !wcache_tdc_fetch_list( &dom_list, &num_trusts ) )
+ return;
+
+ for ( i=0; i<num_trusts; i++ ) {
+ uint32_t flags = dom_list[i].trust_flags;
+ uint32_t type = dom_list[i].trust_type;
+ uint32_t attribs = dom_list[i].trust_attribs;
+
+ d = find_domain_from_name_noinit( dom_list[i].domain_name );
+
+ /* ignore our primary and internal domains */
+
+ if ( d && (d->internal || d->primary ) )
+ continue;
+
+ if ( (flags & NETR_TRUST_FLAG_INBOUND) &&
+ (type == LSA_TRUST_TYPE_UPLEVEL) &&
+ (attribs & LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) )
+ {
+ /* add the trusted domain if we don't know
+ about it */
+
+ if (d == NULL) {
+ status = add_trusted_domain(
+ dom_list[i].domain_name,
+ dom_list[i].dns_name,
+ &dom_list[i].sid,
+ type,
+ flags,
+ attribs,
+ SEC_CHAN_NULL,
+ find_default_route_domain(),
+ &d);
+ if (!NT_STATUS_IS_OK(status) &&
+ NT_STATUS_EQUAL(status,
+ NT_STATUS_NO_SUCH_DOMAIN))
+ {
+ DBG_ERR("add_trusted_domain: %s\n",
+ nt_errstr(status));
+ return;
+ }
+ }
+
+ if (d == NULL) {
+ continue;
+ }
+
+ DEBUG(10,("Following trust path for domain %s (%s)\n",
+ d->name, d->alt_name ));
+ add_trusted_domains( d );
+ }
+ }
+
+ TALLOC_FREE( dom_list );
+
+ return;
+}
+
+/*********************************************************************
+ The process of updating the trusted domain list is a three step
+ async process:
+ (a) ask our domain
+ (b) ask the root domain in our forest
+ (c) ask the a DC in any Win2003 trusted forests
+*********************************************************************/
+
+void rescan_trusted_domains(struct tevent_context *ev, struct tevent_timer *te,
+ struct timeval now, void *private_data)
+{
+ TALLOC_FREE(te);
+
+ /* I use to clear the cache here and start over but that
+ caused problems in child processes that needed the
+ trust dom list early on. Removing it means we
+ could have some trusted domains listed that have been
+ removed from our primary domain's DC until a full
+ restart. This should be ok since I think this is what
+ Windows does as well. */
+
+ /* this will only add new domains we didn't already know about
+ in the domain_list()*/
+
+ add_trusted_domains( find_our_domain() );
+
+ te = tevent_add_timer(
+ ev, NULL, timeval_current_ofs(WINBINDD_RESCAN_FREQ, 0),
+ rescan_trusted_domains, NULL);
+ /*
+ * If te == NULL, there's not much we can do here. Don't fail, the
+ * only thing we miss is new trusted domains.
+ */
+
+ return;
+}
+
+static void wbd_ping_dc_done(struct tevent_req *subreq);
+
+void winbindd_ping_offline_domains(struct tevent_context *ev,
+ struct tevent_timer *te,
+ struct timeval now,
+ void *private_data)
+{
+ struct winbindd_domain *domain = NULL;
+
+ TALLOC_FREE(te);
+
+ for (domain = domain_list(); domain != NULL; domain = domain->next) {
+ DBG_DEBUG("Domain %s is %s\n",
+ domain->name,
+ domain->online ? "online" : "offline");
+
+ if (get_global_winbindd_state_offline()) {
+ DBG_DEBUG("We are globally offline, do nothing.\n");
+ break;
+ }
+
+ if (domain->online ||
+ domain->check_online_event != NULL ||
+ domain->secure_channel_type == SEC_CHAN_NULL) {
+ continue;
+ }
+
+ winbindd_flush_negative_conn_cache(domain);
+
+ domain->check_online_event =
+ dcerpc_wbint_PingDc_send(domain,
+ ev,
+ dom_child_handle(domain),
+ &domain->ping_dcname);
+ if (domain->check_online_event == NULL) {
+ DBG_WARNING("Failed to schedule ping, no-memory\n");
+ continue;
+ }
+
+ tevent_req_set_callback(domain->check_online_event,
+ wbd_ping_dc_done, domain);
+ }
+
+ te = tevent_add_timer(ev,
+ NULL,
+ timeval_current_ofs(lp_winbind_reconnect_delay(),
+ 0),
+ winbindd_ping_offline_domains,
+ NULL);
+ if (te == NULL) {
+ DBG_ERR("Failed to schedule winbindd_ping_offline_domains()\n");
+ }
+
+ return;
+}
+
+static void wbd_ping_dc_done(struct tevent_req *subreq)
+{
+ struct winbindd_domain *domain =
+ tevent_req_callback_data(subreq,
+ struct winbindd_domain);
+ NTSTATUS status, result;
+
+ SMB_ASSERT(subreq == domain->check_online_event);
+ domain->check_online_event = NULL;
+
+ status = dcerpc_wbint_PingDc_recv(subreq, domain, &result);
+ TALLOC_FREE(subreq);
+ if (any_nt_status_not_ok(status, result, &status)) {
+ DBG_WARNING("dcerpc_wbint_PingDc_recv failed for domain: "
+ "%s - %s\n",
+ domain->name,
+ nt_errstr(status));
+ return;
+ }
+
+ DBG_DEBUG("dcerpc_wbint_PingDc_recv() succeeded, "
+ "domain: %s, dc-name: %s\n",
+ domain->name,
+ domain->ping_dcname);
+
+ talloc_free(discard_const(domain->ping_dcname));
+ domain->ping_dcname = NULL;
+
+ return;
+}
+
+static void wb_imsg_new_trusted_domain(struct imessaging_context *msg,
+ void *private_data,
+ uint32_t msg_type,
+ struct server_id server_id,
+ size_t num_fds,
+ int *fds,
+ DATA_BLOB *data)
+{
+ bool ok;
+
+ if (num_fds != 0) {
+ DBG_WARNING("Received %zu fds, ignoring message\n", num_fds);
+ return;
+ }
+
+ DBG_NOTICE("Rescanning trusted domains\n");
+
+ ok = add_trusted_domains_dc();
+ if (!ok) {
+ DBG_ERR("Failed to reload trusted domains\n");
+ }
+}
+
+/*
+ * We did not get the secret when we queried secrets.tdb, so read it
+ * from secrets.tdb and re-sync the databases
+ */
+static bool migrate_secrets_tdb_to_ldb(struct winbindd_domain *domain)
+{
+ bool ok;
+ struct cli_credentials *creds;
+ NTSTATUS can_migrate = pdb_get_trust_credentials(domain->name,
+ NULL, domain, &creds);
+ if (!NT_STATUS_IS_OK(can_migrate)) {
+ DEBUG(0, ("Failed to fetch our own, local AD domain join "
+ "password for winbindd's internal use, both from "
+ "secrets.tdb and secrets.ldb: %s\n",
+ nt_errstr(can_migrate)));
+ return false;
+ }
+
+ /*
+ * NOTE: It is very unlikely we end up here if there is an
+ * oldpass, because a new password is created at
+ * classicupgrade, so this is not a concern.
+ */
+ ok = secrets_store_machine_pw_sync(cli_credentials_get_password(creds),
+ NULL /* oldpass */,
+ cli_credentials_get_domain(creds),
+ cli_credentials_get_realm(creds),
+ cli_credentials_get_salt_principal(creds),
+ 0, /* Supported enc types, unused */
+ &domain->sid,
+ cli_credentials_get_password_last_changed_time(creds),
+ cli_credentials_get_secure_channel_type(creds),
+ false /* do_delete: Do not delete */);
+ TALLOC_FREE(creds);
+ if (ok == false) {
+ DEBUG(0, ("Failed to write our our own, "
+ "local AD domain join password for "
+ "winbindd's internal use into secrets.tdb\n"));
+ return false;
+ }
+ return true;
+}
+
+static bool add_trusted_domains_dc(void)
+{
+ struct winbindd_domain *domain = NULL;
+ struct pdb_trusted_domain **domains = NULL;
+ uint32_t num_domains = 0;
+ uint32_t i;
+ NTSTATUS status;
+
+ if (!(pdb_capabilities() & PDB_CAP_TRUSTED_DOMAINS_EX)) {
+ struct trustdom_info **ti = NULL;
+
+ status = pdb_enum_trusteddoms(talloc_tos(), &num_domains, &ti);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_ERR("pdb_enum_trusteddoms() failed - %s\n",
+ nt_errstr(status));
+ return false;
+ }
+
+ for (i = 0; i < num_domains; i++) {
+ status = add_trusted_domain(ti[i]->name,
+ NULL,
+ &ti[i]->sid,
+ LSA_TRUST_TYPE_DOWNLEVEL,
+ NETR_TRUST_FLAG_OUTBOUND,
+ 0,
+ SEC_CHAN_DOMAIN,
+ NULL,
+ &domain);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_NOTICE("add_trusted_domain returned %s\n",
+ nt_errstr(status));
+ return false;
+ }
+ }
+
+ return true;
+ }
+
+ status = pdb_enum_trusted_domains(talloc_tos(), &num_domains, &domains);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_ERR("pdb_enum_trusted_domains() failed - %s\n",
+ nt_errstr(status));
+ return false;
+ }
+
+ for (i = 0; i < num_domains; i++) {
+ enum netr_SchannelType sec_chan_type = SEC_CHAN_DOMAIN;
+ uint32_t trust_flags = 0;
+
+ if (domains[i]->trust_type == LSA_TRUST_TYPE_UPLEVEL) {
+ sec_chan_type = SEC_CHAN_DNS_DOMAIN;
+ }
+
+ if (!(domains[i]->trust_direction & LSA_TRUST_DIRECTION_OUTBOUND)) {
+ sec_chan_type = SEC_CHAN_NULL;
+ }
+
+ if (domains[i]->trust_direction & LSA_TRUST_DIRECTION_INBOUND) {
+ trust_flags |= NETR_TRUST_FLAG_INBOUND;
+ }
+ if (domains[i]->trust_direction & LSA_TRUST_DIRECTION_OUTBOUND) {
+ trust_flags |= NETR_TRUST_FLAG_OUTBOUND;
+ }
+ if (domains[i]->trust_attributes & LSA_TRUST_ATTRIBUTE_WITHIN_FOREST) {
+ trust_flags |= NETR_TRUST_FLAG_IN_FOREST;
+ }
+
+ if (domains[i]->trust_attributes & LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION) {
+ /*
+ * We don't support selective authentication yet.
+ */
+ DBG_WARNING("Ignoring CROSS_ORGANIZATION trust to "
+ "domain[%s/%s]\n",
+ domains[i]->netbios_name,
+ domains[i]->domain_name);
+ continue;
+ }
+
+ status = add_trusted_domain(domains[i]->netbios_name,
+ domains[i]->domain_name,
+ &domains[i]->security_identifier,
+ domains[i]->trust_type,
+ trust_flags,
+ domains[i]->trust_attributes,
+ sec_chan_type,
+ NULL,
+ &domain);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_NOTICE("add_trusted_domain returned %s\n",
+ nt_errstr(status));
+ return false;
+ }
+
+ if (domains[i]->trust_type == LSA_TRUST_TYPE_UPLEVEL) {
+ domain->active_directory = true;
+ }
+ domain->domain_type = domains[i]->trust_type;
+ domain->domain_trust_attribs = domains[i]->trust_attributes;
+ }
+
+ for (i = 0; i < num_domains; i++) {
+ struct ForestTrustInfo fti;
+ uint32_t fi;
+ enum ndr_err_code ndr_err;
+ struct winbindd_domain *routing_domain = NULL;
+
+ if (domains[i]->trust_type != LSA_TRUST_TYPE_UPLEVEL) {
+ continue;
+ }
+
+ if (!(domains[i]->trust_attributes & LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE)) {
+ continue;
+ }
+
+ if (domains[i]->trust_forest_trust_info.length == 0) {
+ continue;
+ }
+
+ routing_domain = find_domain_from_name_noinit(
+ domains[i]->netbios_name);
+ if (routing_domain == NULL) {
+ DBG_ERR("Can't find winbindd domain [%s]\n",
+ domains[i]->netbios_name);
+ return false;
+ }
+
+ ndr_err = ndr_pull_struct_blob_all(
+ &domains[i]->trust_forest_trust_info,
+ talloc_tos(), &fti,
+ (ndr_pull_flags_fn_t)ndr_pull_ForestTrustInfo);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ DBG_ERR("ndr_pull_ForestTrustInfo(%s) - %s\n",
+ domains[i]->netbios_name,
+ ndr_map_error2string(ndr_err));
+ return false;
+ }
+
+ for (fi = 0; fi < fti.count; fi++) {
+ struct ForestTrustInfoRecord *rec =
+ &fti.records[fi].record;
+ struct ForestTrustDataDomainInfo *drec = NULL;
+
+ if (rec->type != FOREST_TRUST_DOMAIN_INFO) {
+ continue;
+ }
+ drec = &rec->data.info;
+
+ if (rec->flags & LSA_NB_DISABLED_MASK) {
+ continue;
+ }
+
+ if (rec->flags & LSA_SID_DISABLED_MASK) {
+ continue;
+ }
+
+ /*
+ * TODO:
+ * also try to find a matching
+ * LSA_TLN_DISABLED_MASK ???
+ */
+
+ domain = find_domain_from_name_noinit(drec->netbios_name.string);
+ if (domain != NULL) {
+ continue;
+ }
+
+ status = add_trusted_domain(drec->netbios_name.string,
+ drec->dns_name.string,
+ &drec->sid,
+ LSA_TRUST_TYPE_UPLEVEL,
+ NETR_TRUST_FLAG_OUTBOUND,
+ 0,
+ SEC_CHAN_NULL,
+ routing_domain,
+ &domain);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_NOTICE("add_trusted_domain returned %s\n",
+ nt_errstr(status));
+ return false;
+ }
+ if (domain == NULL) {
+ continue;
+ }
+ }
+ }
+
+ return true;
+}
+
+
+/* Look up global info for the winbind daemon */
+bool init_domain_list(void)
+{
+ int role = lp_server_role();
+ struct pdb_domain_info *pdb_domain_info = NULL;
+ struct winbindd_domain *domain = NULL;
+ NTSTATUS status;
+ bool ok;
+
+ /* Free existing list */
+ free_domain_list();
+
+ /* BUILTIN domain */
+
+ status = add_trusted_domain("BUILTIN",
+ NULL,
+ &global_sid_Builtin,
+ LSA_TRUST_TYPE_DOWNLEVEL,
+ 0, /* trust_flags */
+ 0, /* trust_attribs */
+ SEC_CHAN_LOCAL,
+ NULL,
+ &domain);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_ERR("add_trusted_domain BUILTIN returned %s\n",
+ nt_errstr(status));
+ return false;
+ }
+
+ /* Local SAM */
+
+ /*
+ * In case the passdb backend is passdb_dsdb the domain SID comes from
+ * dsdb, not from secrets.tdb. As we use the domain SID in various
+ * places, we must ensure the domain SID is migrated from dsdb to
+ * secrets.tdb before get_global_sam_sid() is called the first time.
+ *
+ * The migration is done as part of the passdb_dsdb initialisation,
+ * calling pdb_get_domain_info() triggers it.
+ */
+ pdb_domain_info = pdb_get_domain_info(talloc_tos());
+
+ if ( role == ROLE_ACTIVE_DIRECTORY_DC ) {
+ uint32_t trust_flags;
+ bool is_root;
+ enum netr_SchannelType sec_chan_type;
+ const char *account_name;
+ struct samr_Password current_nt_hash;
+
+ if (pdb_domain_info == NULL) {
+ DEBUG(0, ("Failed to fetch our own, local AD "
+ "domain info from sam.ldb\n"));
+ return false;
+ }
+
+ trust_flags = NETR_TRUST_FLAG_PRIMARY;
+ trust_flags |= NETR_TRUST_FLAG_IN_FOREST;
+ trust_flags |= NETR_TRUST_FLAG_NATIVE;
+ trust_flags |= NETR_TRUST_FLAG_OUTBOUND;
+
+ is_root = strequal(pdb_domain_info->dns_domain,
+ pdb_domain_info->dns_forest);
+ if (is_root) {
+ trust_flags |= NETR_TRUST_FLAG_TREEROOT;
+ }
+
+ status = add_trusted_domain(pdb_domain_info->name,
+ pdb_domain_info->dns_domain,
+ &pdb_domain_info->sid,
+ LSA_TRUST_TYPE_UPLEVEL,
+ trust_flags,
+ LSA_TRUST_ATTRIBUTE_WITHIN_FOREST,
+ SEC_CHAN_BDC,
+ NULL,
+ &domain);
+ TALLOC_FREE(pdb_domain_info);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_ERR("Failed to add our own, local AD "
+ "domain to winbindd's internal list\n");
+ return false;
+ }
+
+ /*
+ * We need to call this to find out if we are an RODC
+ */
+ ok = get_trust_pw_hash(domain->name,
+ current_nt_hash.hash,
+ &account_name,
+ &sec_chan_type);
+ if (!ok) {
+ /*
+ * If get_trust_pw_hash() fails, then try and
+ * fetch the password from the more recent of
+ * secrets.{ldb,tdb} using the
+ * pdb_get_trust_credentials()
+ */
+ ok = migrate_secrets_tdb_to_ldb(domain);
+
+ if (!ok) {
+ DEBUG(0, ("Failed to migrate our own, "
+ "local AD domain join password for "
+ "winbindd's internal use into "
+ "secrets.tdb\n"));
+ return false;
+ }
+ ok = get_trust_pw_hash(domain->name,
+ current_nt_hash.hash,
+ &account_name,
+ &sec_chan_type);
+ if (!ok) {
+ DEBUG(0, ("Failed to find our our own, just "
+ "written local AD domain join "
+ "password for winbindd's internal "
+ "use in secrets.tdb\n"));
+ return false;
+ }
+ }
+
+ domain->secure_channel_type = sec_chan_type;
+ if (sec_chan_type == SEC_CHAN_RODC) {
+ domain->rodc = true;
+ }
+
+ } else {
+ uint32_t trust_flags;
+ enum netr_SchannelType secure_channel_type;
+
+ trust_flags = NETR_TRUST_FLAG_OUTBOUND;
+ if (role != ROLE_DOMAIN_MEMBER) {
+ trust_flags |= NETR_TRUST_FLAG_PRIMARY;
+ }
+
+ if (role > ROLE_DOMAIN_MEMBER) {
+ secure_channel_type = SEC_CHAN_BDC;
+ } else {
+ secure_channel_type = SEC_CHAN_LOCAL;
+ }
+
+ if ((pdb_domain_info != NULL) && (role == ROLE_IPA_DC)) {
+ /* This is IPA DC that presents itself as
+ * an Active Directory domain controller to trusted AD
+ * forests but in fact is a classic domain controller.
+ */
+ trust_flags = NETR_TRUST_FLAG_PRIMARY;
+ trust_flags |= NETR_TRUST_FLAG_IN_FOREST;
+ trust_flags |= NETR_TRUST_FLAG_NATIVE;
+ trust_flags |= NETR_TRUST_FLAG_OUTBOUND;
+ trust_flags |= NETR_TRUST_FLAG_TREEROOT;
+ status = add_trusted_domain(pdb_domain_info->name,
+ pdb_domain_info->dns_domain,
+ &pdb_domain_info->sid,
+ LSA_TRUST_TYPE_UPLEVEL,
+ trust_flags,
+ LSA_TRUST_ATTRIBUTE_WITHIN_FOREST,
+ secure_channel_type,
+ NULL,
+ &domain);
+ TALLOC_FREE(pdb_domain_info);
+ } else {
+ status = add_trusted_domain(get_global_sam_name(),
+ NULL,
+ get_global_sam_sid(),
+ LSA_TRUST_TYPE_DOWNLEVEL,
+ trust_flags,
+ 0, /* trust_attribs */
+ secure_channel_type,
+ NULL,
+ &domain);
+ }
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_ERR("Failed to add local SAM to "
+ "domain to winbindd's internal list\n");
+ return false;
+ }
+ }
+
+ if (IS_DC) {
+ ok = add_trusted_domains_dc();
+ if (!ok) {
+ DBG_ERR("init_domain_list_dc failed\n");
+ return false;
+ }
+ }
+
+ if ( role == ROLE_DOMAIN_MEMBER ) {
+ struct dom_sid our_sid;
+ uint32_t trust_type;
+
+ if (!secrets_fetch_domain_sid(lp_workgroup(), &our_sid)) {
+ DEBUG(0, ("Could not fetch our SID - did we join?\n"));
+ return False;
+ }
+
+ if (lp_realm() != NULL) {
+ trust_type = LSA_TRUST_TYPE_UPLEVEL;
+ } else {
+ trust_type = LSA_TRUST_TYPE_DOWNLEVEL;
+ }
+
+ status = add_trusted_domain(lp_workgroup(),
+ lp_realm(),
+ &our_sid,
+ trust_type,
+ NETR_TRUST_FLAG_PRIMARY|
+ NETR_TRUST_FLAG_OUTBOUND,
+ 0, /* trust_attribs */
+ SEC_CHAN_WKSTA,
+ NULL,
+ &domain);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_ERR("Failed to add local SAM to "
+ "domain to winbindd's internal list\n");
+ return false;
+ }
+ }
+
+ status = imessaging_register(winbind_imessaging_context(), NULL,
+ MSG_WINBIND_RELOAD_TRUSTED_DOMAINS,
+ wb_imsg_new_trusted_domain);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_ERR("imessaging_register failed %s\n", nt_errstr(status));
+ return false;
+ }
+
+ return True;
+}
+
+/**
+ * Given a domain name, return the struct winbindd domain info for it
+ *
+ * @note Do *not* pass lp_workgroup() to this function. domain_list
+ * may modify it's value, and free that pointer. Instead, our local
+ * domain may be found by calling find_our_domain().
+ * directly.
+ *
+ *
+ * @return The domain structure for the named domain, if it is working.
+ */
+
+struct winbindd_domain *find_domain_from_name_noinit(const char *domain_name)
+{
+ struct winbindd_domain *domain;
+
+ /* Search through list */
+
+ for (domain = domain_list(); domain != NULL; domain = domain->next) {
+ if (strequal(domain_name, domain->name)) {
+ return domain;
+ }
+ if (domain->alt_name == NULL) {
+ continue;
+ }
+ if (strequal(domain_name, domain->alt_name)) {
+ return domain;
+ }
+ }
+
+ /* Not found */
+
+ return NULL;
+}
+
+/**
+ * Given a domain name, return the struct winbindd domain if it's a direct
+ * outgoing trust
+ *
+ * @return The domain structure for the named domain, if it is a direct outgoing trust
+ */
+struct winbindd_domain *find_trust_from_name_noinit(const char *domain_name)
+{
+ struct winbindd_domain *domain = NULL;
+
+ domain = find_domain_from_name_noinit(domain_name);
+ if (domain == NULL) {
+ return NULL;
+ }
+
+ if (domain->secure_channel_type != SEC_CHAN_NULL) {
+ return domain;
+ }
+
+ return NULL;
+}
+
+struct winbindd_domain *find_domain_from_name(const char *domain_name)
+{
+ struct winbindd_domain *domain;
+
+ domain = find_domain_from_name_noinit(domain_name);
+
+ if (domain == NULL)
+ return NULL;
+
+ if (!domain->initialized)
+ init_dc_connection(domain, false);
+
+ return domain;
+}
+
+/* Given a domain sid, return the struct winbindd domain info for it */
+
+struct winbindd_domain *find_domain_from_sid_noinit(const struct dom_sid *sid)
+{
+ struct winbindd_domain *domain;
+
+ /* Search through list */
+
+ for (domain = domain_list(); domain != NULL; domain = domain->next) {
+ if (dom_sid_compare_domain(sid, &domain->sid) == 0)
+ return domain;
+ }
+
+ /* Not found */
+
+ return NULL;
+}
+
+/**
+ * Given a domain sid, return the struct winbindd domain if it's a direct
+ * outgoing trust
+ *
+ * @return The domain structure for the specified domain, if it is a direct outgoing trust
+ */
+struct winbindd_domain *find_trust_from_sid_noinit(const struct dom_sid *sid)
+{
+ struct winbindd_domain *domain = NULL;
+
+ domain = find_domain_from_sid_noinit(sid);
+ if (domain == NULL) {
+ return NULL;
+ }
+
+ if (domain->secure_channel_type != SEC_CHAN_NULL) {
+ return domain;
+ }
+
+ return NULL;
+}
+
+/* Given a domain sid, return the struct winbindd domain info for it */
+
+struct winbindd_domain *find_domain_from_sid(const struct dom_sid *sid)
+{
+ struct winbindd_domain *domain;
+
+ domain = find_domain_from_sid_noinit(sid);
+
+ if (domain == NULL)
+ return NULL;
+
+ if (!domain->initialized)
+ init_dc_connection(domain, false);
+
+ return domain;
+}
+
+struct winbindd_domain *find_our_domain(void)
+{
+ struct winbindd_domain *domain;
+
+ /* Search through list */
+
+ for (domain = domain_list(); domain != NULL; domain = domain->next) {
+ if (domain->primary)
+ return domain;
+ }
+
+ smb_panic("Could not find our domain");
+ return NULL;
+}
+
+struct winbindd_domain *find_default_route_domain(void)
+{
+ if (!IS_DC) {
+ return find_our_domain();
+ }
+ DBG_DEBUG("Routing logic not yet implemented on a DC\n");
+ return NULL;
+}
+
+/* Find the appropriate domain to lookup a name or SID */
+
+struct winbindd_domain *find_lookup_domain_from_sid(const struct dom_sid *sid)
+{
+ struct dom_sid_buf buf;
+
+ DBG_DEBUG("SID [%s]\n", dom_sid_str_buf(sid, &buf));
+
+ /*
+ * SIDs in the S-1-22-{1,2} domain and well-known SIDs should be handled
+ * by our passdb.
+ */
+
+ if ( sid_check_is_in_unix_groups(sid) ||
+ sid_check_is_unix_groups(sid) ||
+ sid_check_is_in_unix_users(sid) ||
+ sid_check_is_unix_users(sid) ||
+ sid_check_is_our_sam(sid) ||
+ sid_check_is_in_our_sam(sid) )
+ {
+ return find_domain_from_sid(get_global_sam_sid());
+ }
+
+ if ( sid_check_is_builtin(sid) ||
+ sid_check_is_in_builtin(sid) ||
+ sid_check_is_wellknown_domain(sid, NULL) ||
+ sid_check_is_in_wellknown_domain(sid) )
+ {
+ return find_domain_from_sid(&global_sid_Builtin);
+ }
+
+ if (IS_DC) {
+ struct winbindd_domain *domain = NULL;
+
+ domain = find_domain_from_sid_noinit(sid);
+ if (domain == NULL) {
+ return NULL;
+ }
+
+ if (domain->secure_channel_type != SEC_CHAN_NULL) {
+ return domain;
+ }
+
+ return domain->routing_domain;
+ }
+
+ /* On a member server a query for SID or name can always go to our
+ * primary DC. */
+
+ DEBUG(10, ("calling find_our_domain\n"));
+ return find_our_domain();
+}
+
+struct winbindd_domain *find_lookup_domain_from_name(const char *domain_name)
+{
+ bool predefined;
+
+ if ( strequal(domain_name, unix_users_domain_name() ) ||
+ strequal(domain_name, unix_groups_domain_name() ) )
+ {
+ /*
+ * The "Unix User" and "Unix Group" domain are handled by
+ * passdb
+ */
+ return find_domain_from_name_noinit( get_global_sam_name() );
+ }
+
+ if (strequal(domain_name, "BUILTIN") ||
+ strequal(domain_name, get_global_sam_name())) {
+ return find_domain_from_name_noinit(domain_name);
+ }
+
+ predefined = dom_sid_lookup_is_predefined_domain(domain_name);
+ if (predefined) {
+ return find_domain_from_name_noinit(builtin_domain_name());
+ }
+
+ if (IS_DC) {
+ struct winbindd_domain *domain = NULL;
+
+ domain = find_domain_from_name_noinit(domain_name);
+ if (domain == NULL) {
+ return NULL;
+ }
+
+ if (domain->secure_channel_type != SEC_CHAN_NULL) {
+ return domain;
+ }
+
+ return domain->routing_domain;
+ }
+
+ return find_our_domain();
+}
+
+/* Is this a domain which we may assume no DOMAIN\ prefix? */
+
+static bool assume_domain(const char *domain)
+{
+ /* never assume the domain on a standalone server */
+
+ if ( lp_server_role() == ROLE_STANDALONE )
+ return False;
+
+ /* domain member servers may possibly assume for the domain name */
+
+ if ( lp_server_role() == ROLE_DOMAIN_MEMBER ) {
+ if ( !strequal(lp_workgroup(), domain) )
+ return False;
+
+ if ( lp_winbind_use_default_domain() )
+ return True;
+ }
+
+ /* only left with a domain controller */
+
+ if ( strequal(get_global_sam_name(), domain) ) {
+ return True;
+ }
+
+ return False;
+}
+
+/* Parse a DOMAIN\user or UPN string into a domain, namespace and a user */
+bool parse_domain_user(const char *domuser,
+ fstring namespace,
+ fstring domain,
+ fstring user)
+{
+ char *p = NULL;
+
+ if (strlen(domuser) == 0) {
+ return false;
+ }
+
+ p = strchr(domuser, *lp_winbind_separator());
+ if (p != NULL) {
+ fstrcpy(user, p + 1);
+ fstrcpy(domain, domuser);
+ domain[PTR_DIFF(p, domuser)] = '\0';
+ fstrcpy(namespace, domain);
+ } else {
+ fstrcpy(user, domuser);
+
+ domain[0] = '\0';
+ namespace[0] = '\0';
+ p = strchr(domuser, '@');
+ if (p != NULL) {
+ /* upn */
+ fstrcpy(namespace, p + 1);
+ } else if (assume_domain(lp_workgroup())) {
+ fstrcpy(domain, lp_workgroup());
+ fstrcpy(namespace, domain);
+ } else {
+ fstrcpy(namespace, lp_netbios_name());
+ }
+ }
+
+ return strupper_m(domain);
+}
+
+/* Ensure an incoming username from NSS is fully qualified. Replace the
+ incoming fstring with DOMAIN <separator> user. Returns the same
+ values as parse_domain_user() but also replaces the incoming username.
+ Used to ensure all names are fully qualified within winbindd.
+ Used by the NSS protocols of auth, chauthtok, logoff and ccache_ntlm_auth.
+ The protocol definitions of auth_crap, chng_pswd_auth_crap
+ really should be changed to use this instead of doing things
+ by hand. JRA. */
+
+bool canonicalize_username(fstring username_inout,
+ fstring namespace,
+ fstring domain,
+ fstring user)
+{
+ bool ok;
+
+ ok = parse_domain_user(username_inout, namespace, domain, user);
+ if (!ok) {
+ return False;
+ }
+ slprintf(username_inout, sizeof(fstring) - 1, "%s%c%s",
+ domain, *lp_winbind_separator(),
+ user);
+ return True;
+}
+
+/*
+ Fill DOMAIN\\USERNAME entry accounting 'winbind use default domain' and
+ 'winbind separator' options.
+ This means:
+ - omit DOMAIN when 'winbind use default domain = true' and DOMAIN is
+ lp_workgroup()
+
+ If we are a PDC or BDC, and this is for our domain, do likewise.
+
+ On an AD DC we always fill DOMAIN\\USERNAME.
+
+ We always canonicalize as UPPERCASE DOMAIN, lowercase username.
+*/
+/**
+ * talloc version of fill_domain_username()
+ * return NULL on talloc failure.
+ */
+char *fill_domain_username_talloc(TALLOC_CTX *mem_ctx,
+ const char *domain,
+ const char *user,
+ bool can_assume)
+{
+ char *tmp_user, *name;
+
+ if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC) {
+ can_assume = false;
+ }
+
+ if (user == NULL) {
+ return NULL;
+ }
+
+ tmp_user = talloc_strdup(mem_ctx, user);
+ if (tmp_user == NULL) {
+ return NULL;
+ }
+ if (!strlower_m(tmp_user)) {
+ TALLOC_FREE(tmp_user);
+ return NULL;
+ }
+
+ if (can_assume && assume_domain(domain)) {
+ name = tmp_user;
+ } else {
+ name = talloc_asprintf(mem_ctx, "%s%c%s",
+ domain,
+ *lp_winbind_separator(),
+ tmp_user);
+ TALLOC_FREE(tmp_user);
+ }
+
+ return name;
+}
+
+/*
+ * Client list accessor functions
+ */
+
+static struct winbindd_cli_state *_client_list;
+static int _num_clients;
+
+/* Return list of all connected clients */
+
+struct winbindd_cli_state *winbindd_client_list(void)
+{
+ return _client_list;
+}
+
+/* Return list-tail of all connected clients */
+
+struct winbindd_cli_state *winbindd_client_list_tail(void)
+{
+ return DLIST_TAIL(_client_list);
+}
+
+/* Return previous (read:newer) client in list */
+
+struct winbindd_cli_state *
+winbindd_client_list_prev(struct winbindd_cli_state *cli)
+{
+ return DLIST_PREV(cli);
+}
+
+/* Add a connection to the list */
+
+void winbindd_add_client(struct winbindd_cli_state *cli)
+{
+ cli->last_access = time(NULL);
+ DLIST_ADD(_client_list, cli);
+ _num_clients++;
+}
+
+/* Remove a client from the list */
+
+void winbindd_remove_client(struct winbindd_cli_state *cli)
+{
+ DLIST_REMOVE(_client_list, cli);
+ _num_clients--;
+}
+
+/* Move a client to head or list */
+
+void winbindd_promote_client(struct winbindd_cli_state *cli)
+{
+ cli->last_access = time(NULL);
+ DLIST_PROMOTE(_client_list, cli);
+}
+
+/* Return number of open clients */
+
+int winbindd_num_clients(void)
+{
+ return _num_clients;
+}
+
+NTSTATUS lookup_usergroups_cached(TALLOC_CTX *mem_ctx,
+ const struct dom_sid *user_sid,
+ uint32_t *p_num_groups, struct dom_sid **user_sids)
+{
+ struct netr_SamInfo3 *info3 = NULL;
+ NTSTATUS status = NT_STATUS_NO_MEMORY;
+ uint32_t num_groups = 0;
+
+ DEBUG(3,(": lookup_usergroups_cached\n"));
+
+ *user_sids = NULL;
+ *p_num_groups = 0;
+
+ info3 = netsamlogon_cache_get(mem_ctx, user_sid);
+
+ if (info3 == NULL) {
+ return NT_STATUS_OBJECT_NAME_NOT_FOUND;
+ }
+
+ /*
+ * Before bug #7843 the "Domain Local" groups were added with a
+ * lookupuseraliases call, but this isn't done anymore for our domain
+ * so we need to resolve resource groups here.
+ *
+ * When to use Resource Groups:
+ * http://technet.microsoft.com/en-us/library/cc753670%28v=WS.10%29.aspx
+ */
+ status = sid_array_from_info3(mem_ctx, info3,
+ user_sids,
+ &num_groups,
+ false);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(info3);
+ return status;
+ }
+
+ TALLOC_FREE(info3);
+ *p_num_groups = num_groups;
+ status = (user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
+
+ DEBUG(3,(": lookup_usergroups_cached succeeded\n"));
+
+ return status;
+}
+
+/*********************************************************************
+ We use this to remove spaces from user and group names
+********************************************************************/
+
+NTSTATUS normalize_name_map(TALLOC_CTX *mem_ctx,
+ const char *domain_name,
+ const char *name,
+ char **normalized)
+{
+ struct winbindd_domain *domain = NULL;
+ NTSTATUS nt_status;
+
+ if (!name || !normalized) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ if (!lp_winbind_normalize_names()) {
+ return NT_STATUS_PROCEDURE_NOT_FOUND;
+ }
+
+ domain = find_domain_from_name_noinit(domain_name);
+ if (domain == NULL) {
+ DBG_ERR("Failed to find domain '%s'\n", domain_name);
+ return NT_STATUS_NO_SUCH_DOMAIN;
+ }
+
+ /* Alias support and whitespace replacement are mutually
+ exclusive */
+
+ nt_status = resolve_username_to_alias(mem_ctx, domain,
+ name, normalized );
+ if (NT_STATUS_IS_OK(nt_status)) {
+ /* special return code to let the caller know we
+ mapped to an alias */
+ return NT_STATUS_FILE_RENAMED;
+ }
+
+ /* check for an unreachable domain */
+
+ if (NT_STATUS_EQUAL(nt_status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
+ DEBUG(5,("normalize_name_map: Setting domain %s offline\n",
+ domain->name));
+ set_domain_offline(domain);
+ return nt_status;
+ }
+
+ /* deal with whitespace */
+
+ *normalized = talloc_strdup(mem_ctx, name);
+ if (!(*normalized)) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ all_string_sub( *normalized, " ", "_", 0 );
+
+ return NT_STATUS_OK;
+}
+
+/*********************************************************************
+ We use this to do the inverse of normalize_name_map()
+********************************************************************/
+
+NTSTATUS normalize_name_unmap(TALLOC_CTX *mem_ctx,
+ const char *name,
+ char **normalized)
+{
+ NTSTATUS nt_status;
+ struct winbindd_domain *domain = find_our_domain();
+
+ if (!name || !normalized) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ if (!lp_winbind_normalize_names()) {
+ return NT_STATUS_PROCEDURE_NOT_FOUND;
+ }
+
+ /* Alias support and whitespace replacement are mutally
+ exclusive */
+
+ /* When mapping from an alias to a username, we don't know the
+ domain. But we only need a domain structure to cache
+ a successful lookup , so just our own domain structure for
+ the seqnum. */
+
+ nt_status = resolve_alias_to_username(mem_ctx, domain,
+ name, normalized);
+ if (NT_STATUS_IS_OK(nt_status)) {
+ /* Special return code to let the caller know we mapped
+ from an alias */
+ return NT_STATUS_FILE_RENAMED;
+ }
+
+ /* check for an unreachable domain */
+
+ if (NT_STATUS_EQUAL(nt_status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
+ DEBUG(5,("normalize_name_unmap: Setting domain %s offline\n",
+ domain->name));
+ set_domain_offline(domain);
+ return nt_status;
+ }
+
+ /* deal with whitespace */
+
+ *normalized = talloc_strdup(mem_ctx, name);
+ if (!(*normalized)) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ all_string_sub(*normalized, "_", " ", 0);
+
+ return NT_STATUS_OK;
+}
+
+/*********************************************************************
+ ********************************************************************/
+
+bool winbindd_can_contact_domain(struct winbindd_domain *domain)
+{
+ struct winbindd_tdc_domain *tdc = NULL;
+ TALLOC_CTX *frame = talloc_stackframe();
+ bool ret = false;
+
+ /* We can contact the domain if it is our primary domain */
+
+ if (domain->primary) {
+ ret = true;
+ goto done;
+ }
+
+ /* Trust the TDC cache and not the winbindd_domain flags */
+
+ if ((tdc = wcache_tdc_fetch_domain(frame, domain->name)) == NULL) {
+ DEBUG(10,("winbindd_can_contact_domain: %s not found in cache\n",
+ domain->name));
+ ret = false;
+ goto done;
+ }
+
+ /* Can always contact a domain that is in out forest */
+
+ if (tdc->trust_flags & NETR_TRUST_FLAG_IN_FOREST) {
+ ret = true;
+ goto done;
+ }
+
+ /*
+ * On a _member_ server, we cannot contact the domain if it
+ * is running AD and we have no inbound trust.
+ */
+
+ if (!IS_DC &&
+ domain->active_directory &&
+ ((tdc->trust_flags & NETR_TRUST_FLAG_INBOUND) != NETR_TRUST_FLAG_INBOUND))
+ {
+ DEBUG(10, ("winbindd_can_contact_domain: %s is an AD domain "
+ "and we have no inbound trust.\n", domain->name));
+ goto done;
+ }
+
+ /* Assume everything else is ok (probably not true but what
+ can you do?) */
+
+ ret = true;
+
+done:
+ talloc_destroy(frame);
+
+ return ret;
+}
+
+#ifdef HAVE_KRB5_LOCATE_PLUGIN_H
+
+/*********************************************************************
+ ********************************************************************/
+
+static void winbindd_set_locator_kdc_env(const struct winbindd_domain *domain)
+{
+ char *var = NULL;
+ char addr[INET6_ADDRSTRLEN];
+ const char *kdc = NULL;
+ int lvl = 11;
+
+ if (!domain || !domain->alt_name || !*domain->alt_name) {
+ return;
+ }
+
+ if (domain->initialized && !domain->active_directory) {
+ DEBUG(lvl,("winbindd_set_locator_kdc_env: %s not AD\n",
+ domain->alt_name));
+ return;
+ }
+
+ print_sockaddr(addr, sizeof(addr), &domain->dcaddr);
+ kdc = addr;
+ if (!*kdc) {
+ DEBUG(lvl,("winbindd_set_locator_kdc_env: %s no DC IP\n",
+ domain->alt_name));
+ kdc = domain->dcname;
+ }
+
+ if (!kdc || !*kdc) {
+ DEBUG(lvl,("winbindd_set_locator_kdc_env: %s no DC at all\n",
+ domain->alt_name));
+ return;
+ }
+
+ var = talloc_asprintf_strupper_m(
+ talloc_tos(),
+ "%s_%s",
+ WINBINDD_LOCATOR_KDC_ADDRESS,
+ domain->alt_name);
+ if (var == NULL) {
+ return;
+ }
+
+ DEBUG(lvl,("winbindd_set_locator_kdc_env: setting var: %s to: %s\n",
+ var, kdc));
+
+ setenv(var, kdc, 1);
+ TALLOC_FREE(var);
+}
+
+/*********************************************************************
+ ********************************************************************/
+
+void winbindd_set_locator_kdc_envs(const struct winbindd_domain *domain)
+{
+ struct winbindd_domain *our_dom = find_our_domain();
+
+ winbindd_set_locator_kdc_env(domain);
+
+ if (domain != our_dom) {
+ winbindd_set_locator_kdc_env(our_dom);
+ }
+}
+
+/*********************************************************************
+ ********************************************************************/
+
+void winbindd_unset_locator_kdc_env(const struct winbindd_domain *domain)
+{
+ char *var = NULL;
+
+ if (!domain || !domain->alt_name || !*domain->alt_name) {
+ return;
+ }
+
+ var = talloc_asprintf_strupper_m(
+ talloc_tos(),
+ "%s_%s",
+ WINBINDD_LOCATOR_KDC_ADDRESS,
+ domain->alt_name);
+ if (var == NULL) {
+ return;
+ }
+
+ unsetenv(var);
+ TALLOC_FREE(var);
+}
+#else
+
+void winbindd_set_locator_kdc_envs(const struct winbindd_domain *domain)
+{
+ return;
+}
+
+void winbindd_unset_locator_kdc_env(const struct winbindd_domain *domain)
+{
+ return;
+}
+
+#endif /* HAVE_KRB5_LOCATE_PLUGIN_H */
+
+void set_auth_errors(struct winbindd_response *resp, NTSTATUS result)
+{
+ /*
+ * Make sure we start with authoritative=true,
+ * it will only set to false if we don't know the
+ * domain.
+ */
+ resp->data.auth.authoritative = true;
+
+ resp->data.auth.nt_status = NT_STATUS_V(result);
+ fstrcpy(resp->data.auth.nt_status_string, nt_errstr(result));
+
+ /* we might have given a more useful error above */
+ if (*resp->data.auth.error_string == '\0')
+ fstrcpy(resp->data.auth.error_string,
+ get_friendly_nt_error_msg(result));
+ resp->data.auth.pam_error = nt_status_to_pam(result);
+}
+
+bool is_domain_offline(const struct winbindd_domain *domain)
+{
+ if (get_global_winbindd_state_offline()) {
+ return true;
+ }
+ return !domain->online;
+}
+
+bool is_domain_online(const struct winbindd_domain *domain)
+{
+ return !is_domain_offline(domain);
+}
+
+/**
+ * Parse an char array into a list of sids.
+ *
+ * The input sidstr should consist of 0-terminated strings
+ * representing sids, separated by newline characters '\n'.
+ * The list is terminated by an empty string, i.e.
+ * character '\0' directly following a character '\n'
+ * (or '\0' right at the start of sidstr).
+ */
+bool parse_sidlist(TALLOC_CTX *mem_ctx, const char *sidstr,
+ struct dom_sid **sids, uint32_t *num_sids)
+{
+ const char *p;
+
+ p = sidstr;
+ if (p == NULL)
+ return False;
+
+ while (p[0] != '\0') {
+ struct dom_sid sid;
+ const char *q = NULL;
+
+ if (!dom_sid_parse_endp(p, &sid, &q)) {
+ DEBUG(1, ("Could not parse sid %s\n", p));
+ return false;
+ }
+ if (q[0] != '\n') {
+ DEBUG(1, ("Got invalid sidstr: %s\n", p));
+ return false;
+ }
+ if (!NT_STATUS_IS_OK(add_sid_to_array(mem_ctx, &sid, sids,
+ num_sids)))
+ {
+ return False;
+ }
+ p = q+1;
+ }
+ return True;
+}
+
+bool parse_xidlist(TALLOC_CTX *mem_ctx, const char *xidstr,
+ struct unixid **pxids, uint32_t *pnum_xids)
+{
+ const char *p;
+ struct unixid *xids = NULL;
+ uint32_t num_xids = 0;
+
+ p = xidstr;
+ if (p == NULL) {
+ return false;
+ }
+
+ while (p[0] != '\0') {
+ struct unixid *tmp;
+ struct unixid xid;
+ unsigned long long id;
+ char *endp;
+ int error = 0;
+
+ switch (p[0]) {
+ case 'U':
+ xid = (struct unixid) { .type = ID_TYPE_UID };
+ break;
+ case 'G':
+ xid = (struct unixid) { .type = ID_TYPE_GID };
+ break;
+ default:
+ return false;
+ }
+
+ p += 1;
+
+ id = smb_strtoull(p, &endp, 10, &error, SMB_STR_STANDARD);
+ if (error != 0) {
+ goto fail;
+ }
+ if (*endp != '\n') {
+ goto fail;
+ }
+ p = endp+1;
+
+ xid.id = id;
+ if ((unsigned long long)xid.id != id) {
+ goto fail;
+ }
+
+ tmp = talloc_realloc(mem_ctx, xids, struct unixid, num_xids+1);
+ if (tmp == NULL) {
+ return 0;
+ }
+ xids = tmp;
+
+ xids[num_xids] = xid;
+ num_xids += 1;
+ }
+
+ *pxids = xids;
+ *pnum_xids = num_xids;
+ return true;
+
+fail:
+ TALLOC_FREE(xids);
+ return false;
+}
diff --git a/source3/winbindd/winbindd_wins_byip.c b/source3/winbindd/winbindd_wins_byip.c
new file mode 100644
index 0000000..1b9cdbc
--- /dev/null
+++ b/source3/winbindd/winbindd_wins_byip.c
@@ -0,0 +1,142 @@
+/*
+ Unix SMB/CIFS implementation.
+ async implementation of WINBINDD_WINS_BYIP
+ Copyright (C) Volker Lendecke 2011
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "winbindd.h"
+#include "libsmb/namequery.h"
+#include "librpc/gen_ndr/ndr_winbind_c.h"
+#include "libsmb/nmblib.h"
+#include "lib/util/string_wrappers.h"
+
+struct winbindd_wins_byip_state {
+ struct nmb_name star;
+ struct sockaddr_storage addr;
+ fstring response;
+};
+
+static void winbindd_wins_byip_done(struct tevent_req *subreq);
+
+struct tevent_req *winbindd_wins_byip_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request)
+{
+ struct tevent_req *req, *subreq;
+ struct winbindd_wins_byip_state *state;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct winbindd_wins_byip_state);
+ if (req == NULL) {
+ return NULL;
+ }
+ /* Ensure null termination */
+ request->data.winsreq[sizeof(request->data.winsreq)-1]='\0';
+
+ fstr_sprintf(state->response, "%s\t", request->data.winsreq);
+
+ D_NOTICE("[%s (%u)] Winbind external command WINS_BYIP start.\n"
+ "Resolving wins byip for %s.\n",
+ cli->client_name,
+ (unsigned int)cli->pid,
+ request->data.winsreq);
+
+ make_nmb_name(&state->star, "*", 0);
+
+ if (!interpret_string_addr(&state->addr, request->data.winsreq,
+ AI_NUMERICHOST)) {
+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ return tevent_req_post(req, ev);
+ }
+
+ subreq = node_status_query_send(state, ev, &state->star,
+ &state->addr);
+ if (tevent_req_nomem(subreq, req)) {
+ return tevent_req_post(req, ev);
+ }
+ tevent_req_set_callback(subreq, winbindd_wins_byip_done, req);
+ return req;
+}
+
+static void winbindd_wins_byip_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct winbindd_wins_byip_state *state = tevent_req_data(
+ req, struct winbindd_wins_byip_state);
+ struct node_status *names;
+ size_t i;
+ size_t num_names = 0;
+ NTSTATUS status;
+
+ status = node_status_query_recv(subreq, talloc_tos(), &names,
+ &num_names, NULL);
+ TALLOC_FREE(subreq);
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
+
+ for (i=0; i<num_names; i++) {
+ size_t size;
+ /*
+ * ignore group names
+ */
+ if (names[i].flags & 0x80) {
+ continue;
+ }
+ /*
+ * Only report 0x20
+ */
+ if (names[i].type != 0x20) {
+ continue;
+ }
+
+ D_DEBUG("Got name '%s'.\n", names[i].name);
+
+ size = strlen(names[i].name + strlen(state->response));
+ if (size > sizeof(state->response) - 1) {
+ D_WARNING("Too much data!\n");
+ tevent_req_nterror(req, STATUS_BUFFER_OVERFLOW);
+ return;
+ }
+ fstrcat(state->response, names[i].name);
+ fstrcat(state->response, " ");
+ }
+ state->response[strlen(state->response)-1] = '\n';
+
+
+ TALLOC_FREE(names);
+ tevent_req_done(req);
+}
+
+NTSTATUS winbindd_wins_byip_recv(struct tevent_req *req,
+ struct winbindd_response *presp)
+{
+ struct winbindd_wins_byip_state *state = tevent_req_data(
+ req, struct winbindd_wins_byip_state);
+ NTSTATUS status;
+
+ if (tevent_req_is_nterror(req, &status)) {
+ return status;
+ }
+ D_NOTICE("Winbind external command WINS_BYIP end.\n"
+ "Response: %s",
+ state->response);
+ fstrcpy(presp->data.winsresp, state->response);
+ return NT_STATUS_OK;
+}
diff --git a/source3/winbindd/winbindd_wins_byname.c b/source3/winbindd/winbindd_wins_byname.c
new file mode 100644
index 0000000..2014714
--- /dev/null
+++ b/source3/winbindd/winbindd_wins_byname.c
@@ -0,0 +1,157 @@
+/*
+ Unix SMB/CIFS implementation.
+ async implementation of WINBINDD_WINS_BYNAME
+ Copyright (C) Volker Lendecke 2011
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "winbindd.h"
+#include "libsmb/namequery.h"
+#include "librpc/gen_ndr/ndr_winbind_c.h"
+#include "libsmb/nmblib.h"
+#include "lib/util/string_wrappers.h"
+
+struct winbindd_wins_byname_state {
+ struct tevent_context *ev;
+ struct winbindd_request *request;
+ struct sockaddr_storage *addrs;
+ size_t num_addrs;
+};
+
+static void winbindd_wins_byname_wins_done(struct tevent_req *subreq);
+static void winbindd_wins_byname_bcast_done(struct tevent_req *subreq);
+
+struct tevent_req *winbindd_wins_byname_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request)
+{
+ struct tevent_req *req, *subreq;
+ struct winbindd_wins_byname_state *state;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct winbindd_wins_byname_state);
+ if (req == NULL) {
+ return NULL;
+ }
+ state->ev = ev;
+ state->request = request;
+
+ /* Ensure null termination */
+ request->data.winsreq[sizeof(request->data.winsreq)-1]='\0';
+
+ D_NOTICE("[%s (%u)] Winbind external command WINS_BYNAME start.\n"
+ "Resolving wins byname for '%s'.\n",
+ cli->client_name,
+ (unsigned int)cli->pid,
+ request->data.winsreq);
+
+ subreq = resolve_wins_send(state, ev, state->request->data.winsreq,
+ 0x20);
+ if (tevent_req_nomem(subreq, req)) {
+ return tevent_req_post(req, ev);
+ }
+ tevent_req_set_callback(subreq, winbindd_wins_byname_wins_done, req);
+ return req;
+}
+
+static void winbindd_wins_byname_wins_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct winbindd_wins_byname_state *state = tevent_req_data(
+ req, struct winbindd_wins_byname_state);
+ NTSTATUS status;
+
+ status = resolve_wins_recv(subreq, talloc_tos(), &state->addrs,
+ &state->num_addrs, NULL);
+ TALLOC_FREE(subreq);
+ if (NT_STATUS_IS_OK(status)) {
+ tevent_req_done(req);
+ return;
+ }
+ subreq = name_resolve_bcast_send(state, state->ev,
+ state->request->data.winsreq, 0x20);
+ if (tevent_req_nomem(subreq, req)) {
+ return;
+ }
+ tevent_req_set_callback(subreq, winbindd_wins_byname_bcast_done, req);
+}
+
+static void winbindd_wins_byname_bcast_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct winbindd_wins_byname_state *state = tevent_req_data(
+ req, struct winbindd_wins_byname_state);
+ NTSTATUS status;
+
+ status = name_resolve_bcast_recv(subreq, talloc_tos(), &state->addrs,
+ &state->num_addrs);
+ TALLOC_FREE(subreq);
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
+ tevent_req_done(req);
+}
+
+NTSTATUS winbindd_wins_byname_recv(struct tevent_req *req,
+ struct winbindd_response *presp)
+{
+ struct winbindd_wins_byname_state *state = tevent_req_data(
+ req, struct winbindd_wins_byname_state);
+ char *response;
+ NTSTATUS status;
+ size_t i;
+
+ if (tevent_req_is_nterror(req, &status)) {
+ return status;
+ }
+
+ response = talloc_strdup(talloc_tos(), "");
+ if (response == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ D_NOTICE("Winbind external command WINS_BYNAME end.\n"
+ "Received %zu address(es).\n",
+ state->num_addrs);
+ for (i=0; i<state->num_addrs; i++) {
+ char addr[INET6_ADDRSTRLEN];
+ print_sockaddr(addr, sizeof(addr), &state->addrs[i]);
+ D_NOTICE("%zu: %s\n", i, addr);
+ response = talloc_asprintf_append_buffer(
+ response, "%s%s", addr,
+ i < (state->num_addrs-1) ? " " : "");
+ if (response == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
+
+ response = talloc_asprintf_append_buffer(
+ response, "\t%s\n", state->request->data.winsreq);
+ if (response == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if (talloc_get_size(response) > sizeof(presp->data.winsresp)) {
+ TALLOC_FREE(response);
+ return NT_STATUS_MARSHALL_OVERFLOW;
+ }
+ fstrcpy(presp->data.winsresp, response);
+ TALLOC_FREE(response);
+ return NT_STATUS_OK;
+}
diff --git a/source3/winbindd/winbindd_xids_to_sids.c b/source3/winbindd/winbindd_xids_to_sids.c
new file mode 100644
index 0000000..3420377
--- /dev/null
+++ b/source3/winbindd/winbindd_xids_to_sids.c
@@ -0,0 +1,142 @@
+/*
+ Unix SMB/CIFS implementation.
+ async implementation of WINBINDD_SIDS_TO_XIDS
+ Copyright (C) Volker Lendecke 2011
+ Copyright (C) Michael Adam 2012
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "winbindd.h"
+#include "../libcli/security/security.h"
+
+
+struct winbindd_xids_to_sids_state {
+ struct tevent_context *ev;
+
+ struct unixid *xids;
+ uint32_t num_xids;
+
+ struct dom_sid *sids;
+};
+
+static void winbindd_xids_to_sids_done(struct tevent_req *subreq);
+
+struct tevent_req *winbindd_xids_to_sids_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request)
+{
+ struct tevent_req *req, *subreq;
+ struct winbindd_xids_to_sids_state *state;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct winbindd_xids_to_sids_state);
+ if (req == NULL) {
+ return NULL;
+ }
+ state->ev = ev;
+
+ D_NOTICE("[%s (%u)] Winbind external command XIDS_TO_SIDS start.\n",
+ cli->client_name,
+ (unsigned int)cli->pid);
+
+ if (request->extra_len == 0) {
+ tevent_req_done(req);
+ return tevent_req_post(req, ev);
+ }
+ if (request->extra_data.data[request->extra_len-1] != '\0') {
+ D_DEBUG("Got invalid XID list.\n");
+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ return tevent_req_post(req, ev);
+ }
+ if (!parse_xidlist(state, request->extra_data.data,
+ &state->xids, &state->num_xids)) {
+ D_DEBUG("parse_sidlist failed\n");
+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ return tevent_req_post(req, ev);
+ }
+
+ D_DEBUG("Resolving %"PRIu32" XID(s):\n%s\n",
+ state->num_xids,
+ (char *)request->extra_data.data);
+
+ subreq = wb_xids2sids_send(state, ev, state->xids, state->num_xids);
+ if (tevent_req_nomem(subreq, req)) {
+ return tevent_req_post(req, ev);
+ }
+ tevent_req_set_callback(subreq, winbindd_xids_to_sids_done, req);
+ return req;
+}
+
+static void winbindd_xids_to_sids_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct winbindd_xids_to_sids_state *state = tevent_req_data(
+ req, struct winbindd_xids_to_sids_state);
+ NTSTATUS status;
+
+ status = wb_xids2sids_recv(subreq, state, &state->sids);
+ TALLOC_FREE(subreq);
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
+ tevent_req_done(req);
+}
+
+NTSTATUS winbindd_xids_to_sids_recv(struct tevent_req *req,
+ struct winbindd_response *response)
+{
+ struct winbindd_xids_to_sids_state *state = tevent_req_data(
+ req, struct winbindd_xids_to_sids_state);
+ NTSTATUS status;
+ char *result = NULL;
+ uint32_t i;
+
+ D_NOTICE("Winbind external command XIDS_TO_SIDS end.\n");
+ if (tevent_req_is_nterror(req, &status)) {
+ D_WARNING("Could not convert xids: %s\n", nt_errstr(status));
+ return status;
+ }
+
+ result = talloc_strdup(response, "");
+ if (result == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ for (i=0; i<state->num_xids; i++) {
+ struct dom_sid_buf sid_buf;
+ const char *str = "-";
+
+ if (!is_null_sid(&state->sids[i])) {
+ dom_sid_str_buf(&state->sids[i], &sid_buf);
+ str = sid_buf.buf;
+ }
+
+ D_NOTICE("%"PRIu32": XID %"PRIu32" mapped to SID %s.\n",
+ i, state->xids[i].id, str);
+ result = talloc_asprintf_append_buffer(
+ result, "%s\n", str);
+ if (result == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
+
+ response->extra_data.data = result;
+ response->length += talloc_get_size(result);
+
+ return NT_STATUS_OK;
+}
diff --git a/source3/winbindd/wscript_build b/source3/winbindd/wscript_build
new file mode 100644
index 0000000..904072b
--- /dev/null
+++ b/source3/winbindd/wscript_build
@@ -0,0 +1,290 @@
+#!/usr/bin/env python
+
+bld.SAMBA3_LIBRARY('idmap',
+ source='idmap.c idmap_util.c',
+ deps='samba-util pdb',
+ allow_undefined_symbols=True,
+ private_library=True)
+
+bld.SAMBA3_SUBSYSTEM('IDMAP_RW',
+ source='idmap_rw.c',
+ deps='samba-util')
+
+bld.SAMBA3_SUBSYSTEM('IDMAP_TDB_COMMON',
+ source='idmap_tdb_common.c',
+ deps='tdb IDMAP_RW')
+
+bld.SAMBA3_SUBSYSTEM('IDMAP_HASH',
+ source='idmap_hash/idmap_hash.c idmap_hash/mapfile.c',
+ deps='samba-util krb5samba',
+ enabled=bld.SAMBA3_IS_ENABLED_MODULE('idmap_hash'))
+
+bld.SAMBA3_SUBSYSTEM('IDMAP_AD',
+ source='idmap_ad.c idmap_ad_nss.c',
+ deps='ads nss_info',
+ enabled=bld.SAMBA3_IS_ENABLED_MODULE('idmap_ad'))
+
+bld.SAMBA3_MODULE('idmap_ad',
+ subsystem='idmap',
+ allow_undefined_symbols=True,
+ source='',
+ deps='IDMAP_AD TLDAP LIBNMB',
+ init_function='',
+ internal_module=bld.SAMBA3_IS_STATIC_MODULE('idmap_ad'),
+ enabled=bld.SAMBA3_IS_ENABLED_MODULE('idmap_ad'))
+
+bld.SAMBA3_MODULE('idmap_rfc2307',
+ subsystem='idmap',
+ allow_undefined_symbols=True,
+ source='idmap_rfc2307.c',
+ init_function='',
+ deps='ads',
+ internal_module=bld.SAMBA3_IS_STATIC_MODULE('idmap_rfc2307'),
+ enabled=bld.SAMBA3_IS_ENABLED_MODULE('idmap_rfc2307'))
+
+bld.SAMBA3_MODULE('idmap_rid',
+ subsystem='idmap',
+ allow_undefined_symbols=True,
+ source='idmap_rid.c',
+ init_function='',
+ internal_module=bld.SAMBA3_IS_STATIC_MODULE('idmap_rid'),
+ enabled=bld.SAMBA3_IS_ENABLED_MODULE('idmap_rid'))
+
+bld.SAMBA3_MODULE('idmap_passdb',
+ subsystem='idmap',
+ source='idmap_passdb.c',
+ deps='samba-util samba-passdb',
+ init_function='',
+ internal_module=bld.SAMBA3_IS_STATIC_MODULE('idmap_passdb'),
+ enabled=bld.SAMBA3_IS_ENABLED_MODULE('idmap_passdb'))
+
+bld.SAMBA3_MODULE('idmap_ldap',
+ subsystem='idmap',
+ source='idmap_ldap.c',
+ deps='smbldap smbldaphelper pdb IDMAP_RW',
+ init_function='',
+ internal_module=bld.SAMBA3_IS_STATIC_MODULE('idmap_ldap'),
+ enabled=bld.SAMBA3_IS_ENABLED_MODULE('idmap_ldap') and bld.CONFIG_SET("HAVE_LDAP"),
+ allow_undefined_symbols=True)
+
+bld.SAMBA3_MODULE('idmap_nss',
+ subsystem='idmap',
+ source='idmap_nss.c',
+ deps='samba-util',
+ init_function='',
+ internal_module=bld.SAMBA3_IS_STATIC_MODULE('idmap_nss'),
+ enabled=bld.SAMBA3_IS_ENABLED_MODULE('idmap_nss'))
+
+bld.SAMBA3_MODULE('idmap_tdb',
+ subsystem='idmap',
+ source='idmap_tdb.c',
+ deps='samba-util tdb IDMAP_TDB_COMMON',
+ init_function='',
+ allow_undefined_symbols=True,
+ internal_module=bld.SAMBA3_IS_STATIC_MODULE('idmap_tdb'),
+ enabled=bld.SAMBA3_IS_ENABLED_MODULE('idmap_tdb'))
+
+bld.SAMBA3_MODULE('idmap_tdb2',
+ subsystem='idmap',
+ source='idmap_tdb2.c',
+ deps='samba-util tdb IDMAP_TDB_COMMON',
+ init_function='',
+ internal_module=bld.SAMBA3_IS_STATIC_MODULE('idmap_tdb2'),
+ enabled=bld.SAMBA3_IS_ENABLED_MODULE('idmap_tdb2'))
+
+bld.SAMBA3_MODULE('idmap_hash',
+ subsystem='idmap',
+ source='',
+ deps='IDMAP_HASH',
+ allow_undefined_symbols=True,
+ init_function='',
+ internal_module=bld.SAMBA3_IS_STATIC_MODULE('idmap_hash'),
+ enabled=bld.SAMBA3_IS_ENABLED_MODULE('idmap_hash'))
+
+bld.SAMBA3_SUBSYSTEM('IDMAP_AUTORID_TDB',
+ source='idmap_autorid_tdb.c',
+ deps='tdb')
+
+bld.SAMBA3_MODULE('idmap_autorid',
+ subsystem='idmap',
+ source='idmap_autorid.c',
+ deps='samba-util tdb IDMAP_TDB_COMMON IDMAP_AUTORID_TDB',
+ init_function='',
+ internal_module=bld.SAMBA3_IS_STATIC_MODULE('idmap_autorid'),
+ enabled=bld.SAMBA3_IS_ENABLED_MODULE('idmap_autorid'),
+ allow_undefined_symbols=True)
+
+bld.SAMBA3_LIBRARY('nss_info',
+ source='nss_info.c',
+ deps='samba-util smbconf samba-modules',
+ private_library=True)
+
+bld.SAMBA3_MODULE('nss_info_template',
+ subsystem='nss_info',
+ source='nss_info_template.c',
+ deps='samba-util krb5samba',
+ init_function='',
+ internal_module=bld.SAMBA3_IS_STATIC_MODULE('nss_info_template'),
+ enabled=bld.SAMBA3_IS_ENABLED_MODULE('nss_info_template'))
+
+bld.SAMBA3_MODULE('nss_info_hash',
+ subsystem='nss_info',
+ source='',
+ deps='IDMAP_HASH',
+ allow_undefined_symbols=True,
+ init_function='',
+ internal_module=bld.SAMBA3_IS_STATIC_MODULE('idmap_hash'),
+ enabled=bld.SAMBA3_IS_ENABLED_MODULE('idmap_hash'))
+
+bld.SAMBA3_MODULE('nss_info_rfc2307',
+ subsystem='nss_info',
+ source='',
+ deps='IDMAP_AD',
+ allow_undefined_symbols=True,
+ init_function='',
+ internal_module=bld.SAMBA3_IS_STATIC_MODULE('idmap_ad'),
+ enabled=bld.SAMBA3_IS_ENABLED_MODULE('idmap_ad'))
+
+bld.SAMBA3_MODULE('nss_info_sfu20',
+ subsystem='nss_info',
+ source='',
+ deps='IDMAP_AD',
+ allow_undefined_symbols=True,
+ init_function='',
+ internal_module=bld.SAMBA3_IS_STATIC_MODULE('idmap_ad'),
+ enabled=bld.SAMBA3_IS_ENABLED_MODULE('idmap_ad'))
+
+bld.SAMBA3_MODULE('nss_info_sfu',
+ subsystem='nss_info',
+ source='',
+ deps='IDMAP_AD',
+ allow_undefined_symbols=True,
+ init_function='',
+ internal_module=bld.SAMBA3_IS_STATIC_MODULE('idmap_ad'),
+ enabled=bld.SAMBA3_IS_ENABLED_MODULE('idmap_ad') and bld.CONFIG_SET("HAVE_LDAP"))
+
+bld.SAMBA3_MODULE('idmap_script',
+ subsystem='idmap',
+ allow_undefined_symbols=True,
+ source='idmap_script.c',
+ init_function='',
+ internal_module=bld.SAMBA3_IS_STATIC_MODULE('idmap_script'),
+ enabled=bld.SAMBA3_IS_ENABLED_MODULE('idmap_script'))
+
+bld.SAMBA3_SUBSYSTEM('winbindd-lib',
+ source='''
+ winbindd_group.c
+ winbindd_util.c
+ winbindd_cache.c
+ winbindd_pam.c
+ winbindd_misc.c
+ winbindd_cm.c
+ winbindd_wins_byip.c
+ winbindd_wins_byname.c
+ winbindd_msrpc.c
+ winbindd_rpc.c
+ winbindd_reconnect.c
+ winbindd_reconnect_ads.c
+ winbindd_ads.c
+ winbindd_samr.c
+ winbindd_dual.c
+ winbindd_dual_ndr.c
+ winbindd_dual_srv.c
+ winbindd_creds.c
+ winbindd_cred_cache.c
+ winbindd_ccache_access.c
+ winbindd_domain.c
+ winbindd_idmap.c
+ winbindd_locator.c
+ winbindd_ndr.c
+ winbindd_traceid.c
+ wb_lookupsid.c
+ wb_lookupsids.c
+ wb_lookupname.c
+ wb_sids2xids.c
+ wb_xids2sids.c
+ wb_queryuser.c
+ wb_lookupuseraliases.c
+ wb_lookupusergroups.c
+ wb_getpwsid.c
+ wb_gettoken.c
+ wb_seqnum.c
+ wb_seqnums.c
+ wb_group_members.c
+ wb_getgrsid.c
+ wb_query_user_list.c
+ wb_query_group_list.c
+ wb_next_pwent.c
+ wb_next_grent.c
+ wb_dsgetdcname.c
+ winbindd_lookupsid.c
+ winbindd_lookupsids.c
+ winbindd_lookupname.c
+ winbindd_sids_to_xids.c
+ winbindd_xids_to_sids.c
+ winbindd_allocate_uid.c
+ winbindd_allocate_gid.c
+ winbindd_getpwsid.c
+ winbindd_getpwnam.c
+ winbindd_getpwuid.c
+ winbindd_getsidaliases.c
+ winbindd_getuserdomgroups.c
+ winbindd_getgroups.c
+ winbindd_show_sequence.c
+ winbindd_getgrgid.c
+ winbindd_getgrnam.c
+ winbindd_getusersids.c
+ winbindd_lookuprids.c
+ winbindd_setpwent.c
+ winbindd_getpwent.c
+ winbindd_endpwent.c
+ winbindd_setgrent.c
+ winbindd_getgrent.c
+ winbindd_endgrent.c
+ winbindd_dsgetdcname.c
+ winbindd_getdcname.c
+ winbindd_list_users.c
+ winbindd_list_groups.c
+ winbindd_check_machine_acct.c
+ winbindd_change_machine_acct.c
+ winbindd_irpc.c
+ winbindd_ping_dc.c
+ winbindd_domain_info.c
+ winbindd_pam_auth.c
+ winbindd_pam_logoff.c
+ winbindd_pam_chauthtok.c
+ winbindd_pam_auth_crap.c
+ winbindd_pam_chng_pswd_auth_crap.c
+ winbindd_gpupdate.c''',
+ deps='''
+ talloc
+ tevent
+ pdb
+ idmap
+ ads
+ msrpc3
+ nss_info
+ LIBAFS
+ LIBADS_SERVER
+ LIBCLI_SAMR
+ SLCACHE
+ RPC_NDR_DSSETUP
+ RPC_NDR_WINBIND
+ TOKEN_UTIL
+ RPC_SERVER
+ WB_REQTRANS
+ TDB_VALIDATE
+ MESSAGING
+ LIBLSA
+ ''')
+
+bld.SAMBA3_BINARY('winbindd',
+ source='''
+ winbindd.c
+ ''',
+ deps='''
+ CMDLINE_S3
+ winbindd-lib
+ ''',
+ enabled=bld.env.build_winbind,
+ install_path='${SBINDIR}')