bool is_trusted_domain(const char* dom_name)
{
struct dom_sid trustdom_sid;
bool ret;
/* no trusted domains for a standalone server */
if ( lp_server_role() == ROLE_STANDALONE )
return False;
if (dom_name == NULL || dom_name[0] == '\0') {
return false;
}
if (strequal(dom_name, get_global_sam_name())) {
return false;
}
/* if we are a DC, then check for a direct trust relationships */
if ( IS_DC ) {
become_root();
DEBUG (5,("is_trusted_domain: Checking for domain trust with "
"[%s]\n", dom_name ));
ret = pdb_get_trusteddom_pw(dom_name, NULL, NULL, NULL);
unbecome_root();
if (ret)
return True;
}
else {
wbcErr result;
/* If winbind is around, ask it */
result = wb_is_trusted_domain(dom_name);
if (result == WBC_ERR_SUCCESS) {
return True;
}
if (result == WBC_ERR_DOMAIN_NOT_FOUND) {
/* winbind could not find the domain */
return False;
}
/* The only other possible result is that winbind is not up
and running. We need to update the trustdom_cache
ourselves */
update_trustdom_cache();
}
/* now the trustdom cache should be available a DC could still
* have a transitive trust so fall back to the cache of trusted
* domains (like a domain member would use */
if ( trustdom_cache_fetch(dom_name, &trustdom_sid) ) {
return True;
}
return False;
}
bool lookup_name(TALLOC_CTX *mem_ctx,
const char *full_name, int flags,
const char **ret_domain, const char **ret_name,
DOM_SID *ret_sid, enum lsa_SidType *ret_type)
{
char *p;
const char *tmp;
const char *domain = NULL;
const char *name = NULL;
uint32 rid;
DOM_SID sid;
enum lsa_SidType type;
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
if (tmp_ctx == NULL) {
DEBUG(0, ("talloc_new failed\n"));
return false;
}
p = strchr_m(full_name, '\\');
if (p != NULL) {
domain = talloc_strndup(tmp_ctx, full_name,
PTR_DIFF(p, full_name));
name = talloc_strdup(tmp_ctx, p+1);
} else {
domain = talloc_strdup(tmp_ctx, "");
name = talloc_strdup(tmp_ctx, full_name);
}
if ((domain == NULL) || (name == NULL)) {
DEBUG(0, ("talloc failed\n"));
TALLOC_FREE(tmp_ctx);
return false;
}
DEBUG(10,("lookup_name: %s => %s (domain), %s (name)\n",
full_name, domain, name));
DEBUG(10, ("lookup_name: flags = 0x0%x\n", flags));
if ((flags & LOOKUP_NAME_DOMAIN) &&
strequal(domain, get_global_sam_name()))
{
/* It's our own domain, lookup the name in passdb */
if (lookup_global_sam_name(name, flags, &rid, &type)) {
sid_copy(&sid, get_global_sam_sid());
sid_append_rid(&sid, rid);
goto ok;
}
TALLOC_FREE(tmp_ctx);
return false;
}
if ((flags & LOOKUP_NAME_BUILTIN) &&
strequal(domain, builtin_domain_name()))
{
/* Explicit request for a name in BUILTIN */
if (lookup_builtin_name(name, &rid)) {
sid_copy(&sid, &global_sid_Builtin);
sid_append_rid(&sid, rid);
type = SID_NAME_ALIAS;
goto ok;
}
TALLOC_FREE(tmp_ctx);
return false;
}
/* Try the explicit winbind lookup first, don't let it guess the
* domain yet at this point yet. This comes later. */
if ((domain[0] != '\0') &&
(flags & ~(LOOKUP_NAME_DOMAIN|LOOKUP_NAME_ISOLATED)) &&
(winbind_lookup_name(domain, name, &sid, &type))) {
goto ok;
}
if (!(flags & LOOKUP_NAME_EXPLICIT) && strequal(domain, unix_users_domain_name())) {
if (lookup_unix_user_name(name, &sid)) {
type = SID_NAME_USER;
goto ok;
}
TALLOC_FREE(tmp_ctx);
return false;
}
if (!(flags & LOOKUP_NAME_EXPLICIT) && strequal(domain, unix_groups_domain_name())) {
if (lookup_unix_group_name(name, &sid)) {
type = SID_NAME_DOM_GRP;
goto ok;
}
TALLOC_FREE(tmp_ctx);
return false;
}
if ((domain[0] == '\0') && (!(flags & LOOKUP_NAME_ISOLATED))) {
TALLOC_FREE(tmp_ctx);
return false;
}
/* Now the guesswork begins, we haven't been given an explicit
* domain. Try the sequence as documented on
* http://msdn.microsoft.com/library/en-us/secmgmt/security/lsalookupnames.asp
* November 27, 2005 */
/* 1. well-known names */
if ((flags & LOOKUP_NAME_WKN) &&
lookup_wellknown_name(tmp_ctx, name, &sid, &domain))
{
type = SID_NAME_WKN_GRP;
goto ok;
}
/* 2. Builtin domain as such */
if ((flags & (LOOKUP_NAME_BUILTIN|LOOKUP_NAME_REMOTE)) &&
strequal(name, builtin_domain_name()))
{
/* Swap domain and name */
tmp = name; name = domain; domain = tmp;
sid_copy(&sid, &global_sid_Builtin);
type = SID_NAME_DOMAIN;
goto ok;
}
/* 3. Account domain */
if ((flags & LOOKUP_NAME_DOMAIN) &&
strequal(name, get_global_sam_name()))
{
if (!secrets_fetch_domain_sid(name, &sid)) {
DEBUG(3, ("Could not fetch my SID\n"));
TALLOC_FREE(tmp_ctx);
return false;
}
/* Swap domain and name */
tmp = name; name = domain; domain = tmp;
type = SID_NAME_DOMAIN;
goto ok;
}
/* 4. Primary domain */
if ((flags & LOOKUP_NAME_DOMAIN) && !IS_DC &&
strequal(name, lp_workgroup()))
{
if (!secrets_fetch_domain_sid(name, &sid)) {
DEBUG(3, ("Could not fetch the domain SID\n"));
TALLOC_FREE(tmp_ctx);
return false;
}
/* Swap domain and name */
tmp = name; name = domain; domain = tmp;
type = SID_NAME_DOMAIN;
goto ok;
}
/* 5. Trusted domains as such, to me it looks as if members don't do
this, tested an XP workstation in a NT domain -- vl */
if ((flags & LOOKUP_NAME_REMOTE) && IS_DC &&
(pdb_get_trusteddom_pw(name, NULL, &sid, NULL)))
{
/* Swap domain and name */
tmp = name; name = domain; domain = tmp;
type = SID_NAME_DOMAIN;
goto ok;
}
/* 6. Builtin aliases */
if ((flags & LOOKUP_NAME_BUILTIN) &&
lookup_builtin_name(name, &rid))
{
domain = talloc_strdup(tmp_ctx, builtin_domain_name());
sid_copy(&sid, &global_sid_Builtin);
sid_append_rid(&sid, rid);
type = SID_NAME_ALIAS;
goto ok;
}
/* 7. Local systems' SAM (DCs don't have a local SAM) */
/* 8. Primary SAM (On members, this is the domain) */
/* Both cases are done by looking at our passdb */
if ((flags & LOOKUP_NAME_DOMAIN) &&
lookup_global_sam_name(name, flags, &rid, &type))
{
domain = talloc_strdup(tmp_ctx, get_global_sam_name());
sid_copy(&sid, get_global_sam_sid());
sid_append_rid(&sid, rid);
goto ok;
}
/* Now our local possibilities are exhausted. */
if (!(flags & LOOKUP_NAME_REMOTE)) {
TALLOC_FREE(tmp_ctx);
return false;
}
/* If we are not a DC, we have to ask in our primary domain. Let
* winbind do that. */
if (!IS_DC &&
(winbind_lookup_name(lp_workgroup(), name, &sid, &type))) {
domain = talloc_strdup(tmp_ctx, lp_workgroup());
goto ok;
}
/* 9. Trusted domains */
/* If we're a DC we have to ask all trusted DC's. Winbind does not do
* that (yet), but give it a chance. */
if (IS_DC && winbind_lookup_name("", name, &sid, &type)) {
DOM_SID dom_sid;
uint32 tmp_rid;
enum lsa_SidType domain_type;
if (type == SID_NAME_DOMAIN) {
/* Swap name and type */
tmp = name; name = domain; domain = tmp;
goto ok;
}
/* Here we have to cope with a little deficiency in the
* winbind API: We have to ask it again for the name of the
* domain it figured out itself. Maybe fix that later... */
sid_copy(&dom_sid, &sid);
sid_split_rid(&dom_sid, &tmp_rid);
if (!winbind_lookup_sid(tmp_ctx, &dom_sid, &domain, NULL,
&domain_type) ||
(domain_type != SID_NAME_DOMAIN)) {
DEBUG(2, ("winbind could not find the domain's name "
"it just looked up for us\n"));
TALLOC_FREE(tmp_ctx);
return false;
}
goto ok;
}
/* 10. Don't translate */
/* 11. Ok, windows would end here. Samba has two more options:
Unmapped users and unmapped groups */
if (!(flags & LOOKUP_NAME_EXPLICIT) && lookup_unix_user_name(name, &sid)) {
domain = talloc_strdup(tmp_ctx, unix_users_domain_name());
type = SID_NAME_USER;
goto ok;
}
if (!(flags & LOOKUP_NAME_EXPLICIT) && lookup_unix_group_name(name, &sid)) {
domain = talloc_strdup(tmp_ctx, unix_groups_domain_name());
type = SID_NAME_DOM_GRP;
goto ok;
}
/*
* Ok, all possibilities tried. Fail.
*/
TALLOC_FREE(tmp_ctx);
return false;
ok:
if ((domain == NULL) || (name == NULL)) {
DEBUG(0, ("talloc failed\n"));
TALLOC_FREE(tmp_ctx);
return false;
}
/*
* Hand over the results to the talloc context we've been given.
*/
if ((ret_name != NULL) &&
!(*ret_name = talloc_strdup(mem_ctx, name))) {
DEBUG(0, ("talloc failed\n"));
TALLOC_FREE(tmp_ctx);
return false;
}
if (ret_domain != NULL) {
char *tmp_dom;
if (!(tmp_dom = talloc_strdup(mem_ctx, domain))) {
DEBUG(0, ("talloc failed\n"));
TALLOC_FREE(tmp_ctx);
return false;
}
strupper_m(tmp_dom);
*ret_domain = tmp_dom;
}
if (ret_sid != NULL) {
sid_copy(ret_sid, &sid);
}
if (ret_type != NULL) {
*ret_type = type;
}
TALLOC_FREE(tmp_ctx);
return true;
}
/*
return our ads connections structure for a domain. We keep the connection
open to make things faster
*/
static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain)
{
ADS_STRUCT *ads;
ADS_STATUS status;
fstring dc_name;
struct sockaddr_storage dc_ss;
DEBUG(10,("ads_cached_connection\n"));
if (domain->private_data) {
time_t expire;
time_t now = time(NULL);
/* check for a valid structure */
ads = (ADS_STRUCT *)domain->private_data;
expire = MIN(ads->auth.tgt_expire, ads->auth.tgs_expire);
DEBUG(7, ("Current tickets expire in %d seconds (at %d, time is now %d)\n",
(uint32)expire-(uint32)now, (uint32) expire, (uint32) now));
if ( ads->config.realm && (expire > now)) {
return ads;
} else {
/* we own this ADS_STRUCT so make sure it goes away */
DEBUG(7,("Deleting expired krb5 credential cache\n"));
ads->is_mine = True;
ads_destroy( &ads );
ads_kdestroy("MEMORY:winbind_ccache");
domain->private_data = NULL;
}
}
/* we don't want this to affect the users ccache */
setenv("KRB5CCNAME", "MEMORY:winbind_ccache", 1);
ads = ads_init(domain->alt_name, domain->name, NULL);
if (!ads) {
DEBUG(1,("ads_init for domain %s failed\n", domain->name));
return NULL;
}
/* the machine acct password might have change - fetch it every time */
SAFE_FREE(ads->auth.password);
SAFE_FREE(ads->auth.realm);
if ( IS_DC ) {
if ( !pdb_get_trusteddom_pw( domain->name, &ads->auth.password, NULL, NULL ) ) {
ads_destroy( &ads );
return NULL;
}
ads->auth.realm = SMB_STRDUP( ads->server.realm );
strupper_m( ads->auth.realm );
}
else {
struct winbindd_domain *our_domain = domain;
ads->auth.password = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
/* always give preference to the alt_name in our
primary domain if possible */
if ( !domain->primary )
our_domain = find_our_domain();
if ( our_domain->alt_name[0] != '\0' ) {
ads->auth.realm = SMB_STRDUP( our_domain->alt_name );
strupper_m( ads->auth.realm );
}
else
ads->auth.realm = SMB_STRDUP( lp_realm() );
}
ads->auth.renewable = WINBINDD_PAM_AUTH_KRB5_RENEW_TIME;
/* Setup the server affinity cache. We don't reaally care
about the name. Just setup affinity and the KRB5_CONFIG
file. */
get_dc_name( ads->server.workgroup, ads->server.realm, dc_name, &dc_ss );
status = ads_connect(ads);
if (!ADS_ERR_OK(status) || !ads->config.realm) {
DEBUG(1,("ads_connect for domain %s failed: %s\n",
domain->name, ads_errstr(status)));
ads_destroy(&ads);
/* if we get ECONNREFUSED then it might be a NT4
server, fall back to MSRPC */
if (status.error_type == ENUM_ADS_ERROR_SYSTEM &&
status.err.rc == ECONNREFUSED) {
/* 'reconnect_methods' is the MS-RPC backend. */
DEBUG(1,("Trying MSRPC methods\n"));
domain->backend = &reconnect_methods;
}
return NULL;
}
/* set the flag that says we don't own the memory even
though we do so that ads_destroy() won't destroy the
structure we pass back by reference */
ads->is_mine = False;
domain->private_data = (void *)ads;
return ads;
}
