2
Unix SMB/CIFS implementation.
4
Winbind daemon for ntdom nss module
6
Copyright (C) Tim Potter 2000
7
Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003
9
This library is free software; you can redistribute it and/or
10
modify it under the terms of the GNU Lesser General Public
11
License as published by the Free Software Foundation; either
12
version 3 of the License, or (at your option) any later version.
14
This library is distributed in the hope that it will be useful,
15
but WITHOUT ANY WARRANTY; without even the implied warranty of
16
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17
Library General Public License for more details.
19
You should have received a copy of the GNU Lesser General Public License
20
along with this program. If not, see <http://www.gnu.org/licenses/>.
26
#include "nsswitch/winbind_struct_protocol.h"
27
#include "nsswitch/libwbclient/wbclient.h"
33
#ifdef HAVE_SYS_MMAN_H
38
#define DBGC_CLASS DBGC_WINBIND
40
#define WB_REPLACE_CHAR '_'
42
struct winbindd_fd_event {
43
struct winbindd_fd_event *next, *prev;
45
int flags; /* see EVENT_FD_* flags */
46
void (*handler)(struct winbindd_fd_event *fde, int flags);
49
void (*finished)(void *private_data, bool success);
58
enum lsa_SidType type;
61
struct winbindd_cli_state {
62
struct winbindd_cli_state *prev, *next; /* Linked list pointers */
63
int sock; /* Open socket from client */
64
struct winbindd_fd_event fd_event;
65
pid_t pid; /* pid of client */
66
bool finished; /* Can delete from list */
67
bool write_extra_data; /* Write extra_data field */
68
time_t last_access; /* Time of last access (read or write) */
69
bool privileged; /* Is the client 'privileged' */
71
TALLOC_CTX *mem_ctx; /* memory per request */
72
struct winbindd_request request; /* Request from client */
73
struct winbindd_response response; /* Respose to client */
74
bool getpwent_initialized; /* Has getpwent_state been
76
bool getgrent_initialized; /* Has getgrent_state been
78
struct getent_state *getpwent_state; /* State for getpwent() */
79
struct getent_state *getgrent_state; /* State for getgrent() */
82
/* State between get{pw,gr}ent() calls */
85
struct getent_state *prev, *next;
87
uint32 sam_entry_index, num_sam_entries;
92
/* Storage for cached getpwent() user entries */
94
struct getpwent_user {
95
fstring name; /* Account name */
96
fstring gecos; /* User information */
97
fstring homedir; /* User Home Directory */
98
fstring shell; /* User Login Shell */
99
DOM_SID user_sid; /* NT user and primary group SIDs */
103
/* Server state structure */
110
gid_t primary_gid; /* allow the nss_info
111
backend to set the primary group */
112
DOM_SID user_sid; /* NT user and primary group SIDs */
116
/* Our connection to the DC */
118
struct winbindd_cm_conn {
119
struct cli_state *cli;
121
struct rpc_pipe_client *samr_pipe;
122
struct policy_handle sam_connect_handle, sam_domain_handle;
124
struct rpc_pipe_client *lsa_pipe;
125
struct rpc_pipe_client *lsa_pipe_tcp;
126
struct policy_handle lsa_policy;
128
struct rpc_pipe_client *netlogon_pipe;
131
struct winbindd_async_request;
135
struct winbindd_domain;
137
struct winbindd_child_dispatch_table {
139
enum winbindd_cmd struct_cmd;
140
enum winbindd_result (*struct_fn)(struct winbindd_domain *domain,
141
struct winbindd_cli_state *state);
144
struct winbindd_child {
145
struct winbindd_child *next, *prev;
148
struct winbindd_domain *domain;
151
struct winbindd_fd_event event;
152
struct timed_event *lockout_policy_event;
153
struct timed_event *machine_password_change_event;
154
struct winbindd_async_request *requests;
156
const struct winbindd_child_dispatch_table *table;
159
/* Structures to hold per domain information */
161
struct winbindd_domain {
162
fstring name; /* Domain name (NetBIOS) */
163
fstring alt_name; /* alt Domain name, if any (FQDN for ADS) */
164
fstring forest_name; /* Name of the AD forest we're in */
165
DOM_SID sid; /* SID for this domain */
166
uint32 domain_flags; /* Domain flags from netlogon.h */
167
uint32 domain_type; /* Domain type from netlogon.h */
168
uint32 domain_trust_attribs; /* Trust attribs from netlogon.h */
169
bool initialized; /* Did we already ask for the domain mode? */
170
bool native_mode; /* is this a win2k domain in native mode ? */
171
bool active_directory; /* is this a win2k active directory ? */
172
bool primary; /* is this our primary domain ? */
173
bool internal; /* BUILTIN and member SAM */
174
bool online; /* is this domain available ? */
175
time_t startup_time; /* When we set "startup" true. */
176
bool startup; /* are we in the first 30 seconds after startup_time ? */
178
bool can_do_samlogon_ex; /* Due to the lack of finer control what type
179
* of DC we have, let us try to do a
180
* credential-chain less samlogon_ex call
181
* with AD and schannel. If this fails with
182
* DCERPC_FAULT_OP_RNG_ERROR, then set this
183
* to False. This variable is around so that
184
* we don't have to try _ex every time. */
186
bool can_do_ncacn_ip_tcp;
188
/* Lookup methods for this domain (LDAP or RPC) */
189
struct winbindd_methods *methods;
191
/* the backend methods are used by the cache layer to find the right
193
struct winbindd_methods *backend;
195
/* Private data for the backends (used for connection cache) */
200
* idmap config settings, used to tell the idmap child which
201
* special domain config to use for a mapping
203
bool have_idmap_config;
204
uint32_t id_range_low, id_range_high;
207
pid_t dc_probe_pid; /* Child we're using to detect the DC. */
209
struct sockaddr_storage dcaddr;
211
/* Sequence number stuff */
213
time_t last_seq_check;
214
uint32 sequence_number;
215
NTSTATUS last_status;
217
/* The smb connection */
219
struct winbindd_cm_conn conn;
221
/* The child pid we're talking to */
223
struct winbindd_child child;
225
/* Callback we use to try put us back online. */
227
uint32 check_online_timeout;
228
struct timed_event *check_online_event;
230
/* Linked list info */
232
struct winbindd_domain *prev, *next;
235
/* per-domain methods. This is how LDAP vs RPC is selected
237
struct winbindd_methods {
238
/* does this backend provide a consistent view of the data? (ie. is the primary group
242
/* get a list of users, returning a WINBIND_USERINFO for each one */
243
NTSTATUS (*query_user_list)(struct winbindd_domain *domain,
246
WINBIND_USERINFO **info);
248
/* get a list of domain groups */
249
NTSTATUS (*enum_dom_groups)(struct winbindd_domain *domain,
252
struct acct_info **info);
254
/* get a list of domain local groups */
255
NTSTATUS (*enum_local_groups)(struct winbindd_domain *domain,
258
struct acct_info **info);
260
/* convert one user or group name to a sid */
261
NTSTATUS (*name_to_sid)(struct winbindd_domain *domain,
263
enum winbindd_cmd orig_cmd,
264
const char *domain_name,
267
enum lsa_SidType *type);
269
/* convert a sid to a user or group name */
270
NTSTATUS (*sid_to_name)(struct winbindd_domain *domain,
275
enum lsa_SidType *type);
277
NTSTATUS (*rids_to_names)(struct winbindd_domain *domain,
279
const DOM_SID *domain_sid,
284
enum lsa_SidType **types);
286
/* lookup user info for a given SID */
287
NTSTATUS (*query_user)(struct winbindd_domain *domain,
289
const DOM_SID *user_sid,
290
WINBIND_USERINFO *user_info);
292
/* lookup all groups that a user is a member of. The backend
293
can also choose to lookup by username or rid for this
295
NTSTATUS (*lookup_usergroups)(struct winbindd_domain *domain,
297
const DOM_SID *user_sid,
298
uint32 *num_groups, DOM_SID **user_gids);
300
/* Lookup all aliases that the sids delivered are member of. This is
301
* to implement 'domain local groups' correctly */
302
NTSTATUS (*lookup_useraliases)(struct winbindd_domain *domain,
307
uint32 **alias_rids);
309
/* find all members of the group with the specified group_rid */
310
NTSTATUS (*lookup_groupmem)(struct winbindd_domain *domain,
312
const DOM_SID *group_sid,
314
DOM_SID **sid_mem, char ***names,
315
uint32 **name_types);
317
/* return the current global sequence number */
318
NTSTATUS (*sequence_number)(struct winbindd_domain *domain, uint32 *seq);
320
/* return the lockout policy */
321
NTSTATUS (*lockout_policy)(struct winbindd_domain *domain,
323
struct samr_DomInfo12 *lockout_policy);
325
/* return the lockout policy */
326
NTSTATUS (*password_policy)(struct winbindd_domain *domain,
328
struct samr_DomInfo1 *password_policy);
330
/* enumerate trusted domains */
331
NTSTATUS (*trusted_domains)(struct winbindd_domain *domain,
339
/* Filled out by IDMAP backends */
340
struct winbindd_idmap_methods {
341
/* Called when backend is first loaded */
344
bool (*get_sid_from_uid)(uid_t uid, DOM_SID *sid);
345
bool (*get_sid_from_gid)(gid_t gid, DOM_SID *sid);
347
bool (*get_uid_from_sid)(DOM_SID *sid, uid_t *uid);
348
bool (*get_gid_from_sid)(DOM_SID *sid, gid_t *gid);
350
/* Called when backend is unloaded */
352
/* Called to dump backend status */
353
void (*status)(void);
356
/* Data structures for dealing with the trusted domain cache */
358
struct winbindd_tdc_domain {
359
const char *domain_name;
360
const char *dns_name;
363
uint32 trust_attribs;
367
/* Switch for listing users or groups */
373
struct WINBINDD_MEMORY_CREDS {
374
struct WINBINDD_MEMORY_CREDS *next, *prev;
375
const char *username; /* lookup key. */
379
uint8_t *nt_hash; /* Base pointer for the following 2 */
384
struct WINBINDD_CCACHE_ENTRY {
385
struct WINBINDD_CCACHE_ENTRY *next, *prev;
386
const char *principal_name;
389
const char *username;
391
struct WINBINDD_MEMORY_CREDS *cred_ptr;
397
struct timed_event *event;
400
#include "winbindd/winbindd_proto.h"
402
#define WINBINDD_ESTABLISH_LOOP 30
403
#define WINBINDD_RESCAN_FREQ lp_winbind_cache_time()
404
#define WINBINDD_PAM_AUTH_KRB5_RENEW_TIME 2592000 /* one month */
405
#define DOM_SEQUENCE_NONE ((uint32)-1)
407
#define IS_DOMAIN_OFFLINE(x) ( lp_winbind_offline_logon() && \
408
( get_global_winbindd_state_offline() \
410
#define IS_DOMAIN_ONLINE(x) (!IS_DOMAIN_OFFLINE(x))
412
#endif /* _WINBINDD_H */