bool is_trusted_domain(const char* dom_name) { struct dom_sid trustdom_sid; bool ret; /* no trusted domains for a standalone server */ if ( lp_server_role() == ROLE_STANDALONE ) return False; if (dom_name == NULL || dom_name[0] == '\0') { return false; } if (strequal(dom_name, get_global_sam_name())) { return false; } /* if we are a DC, then check for a direct trust relationships */ if ( IS_DC ) { become_root(); DEBUG (5,("is_trusted_domain: Checking for domain trust with " "[%s]\n", dom_name )); ret = pdb_get_trusteddom_pw(dom_name, NULL, NULL, NULL); unbecome_root(); if (ret) return True; } else { wbcErr result; /* If winbind is around, ask it */ result = wb_is_trusted_domain(dom_name); if (result == WBC_ERR_SUCCESS) { return True; } if (result == WBC_ERR_DOMAIN_NOT_FOUND) { /* winbind could not find the domain */ return False; } /* The only other possible result is that winbind is not up and running. We need to update the trustdom_cache ourselves */ update_trustdom_cache(); } /* now the trustdom cache should be available a DC could still * have a transitive trust so fall back to the cache of trusted * domains (like a domain member would use */ if ( trustdom_cache_fetch(dom_name, &trustdom_sid) ) { return True; } return False; }
bool lookup_name(TALLOC_CTX *mem_ctx, const char *full_name, int flags, const char **ret_domain, const char **ret_name, DOM_SID *ret_sid, enum lsa_SidType *ret_type) { char *p; const char *tmp; const char *domain = NULL; const char *name = NULL; uint32 rid; DOM_SID sid; enum lsa_SidType type; TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); if (tmp_ctx == NULL) { DEBUG(0, ("talloc_new failed\n")); return false; } p = strchr_m(full_name, '\\'); if (p != NULL) { domain = talloc_strndup(tmp_ctx, full_name, PTR_DIFF(p, full_name)); name = talloc_strdup(tmp_ctx, p+1); } else { domain = talloc_strdup(tmp_ctx, ""); name = talloc_strdup(tmp_ctx, full_name); } if ((domain == NULL) || (name == NULL)) { DEBUG(0, ("talloc failed\n")); TALLOC_FREE(tmp_ctx); return false; } DEBUG(10,("lookup_name: %s => %s (domain), %s (name)\n", full_name, domain, name)); DEBUG(10, ("lookup_name: flags = 0x0%x\n", flags)); if ((flags & LOOKUP_NAME_DOMAIN) && strequal(domain, get_global_sam_name())) { /* It's our own domain, lookup the name in passdb */ if (lookup_global_sam_name(name, flags, &rid, &type)) { sid_copy(&sid, get_global_sam_sid()); sid_append_rid(&sid, rid); goto ok; } TALLOC_FREE(tmp_ctx); return false; } if ((flags & LOOKUP_NAME_BUILTIN) && strequal(domain, builtin_domain_name())) { /* Explicit request for a name in BUILTIN */ if (lookup_builtin_name(name, &rid)) { sid_copy(&sid, &global_sid_Builtin); sid_append_rid(&sid, rid); type = SID_NAME_ALIAS; goto ok; } TALLOC_FREE(tmp_ctx); return false; } /* Try the explicit winbind lookup first, don't let it guess the * domain yet at this point yet. This comes later. */ if ((domain[0] != '\0') && (flags & ~(LOOKUP_NAME_DOMAIN|LOOKUP_NAME_ISOLATED)) && (winbind_lookup_name(domain, name, &sid, &type))) { goto ok; } if (!(flags & LOOKUP_NAME_EXPLICIT) && strequal(domain, unix_users_domain_name())) { if (lookup_unix_user_name(name, &sid)) { type = SID_NAME_USER; goto ok; } TALLOC_FREE(tmp_ctx); return false; } if (!(flags & LOOKUP_NAME_EXPLICIT) && strequal(domain, unix_groups_domain_name())) { if (lookup_unix_group_name(name, &sid)) { type = SID_NAME_DOM_GRP; goto ok; } TALLOC_FREE(tmp_ctx); return false; } if ((domain[0] == '\0') && (!(flags & LOOKUP_NAME_ISOLATED))) { TALLOC_FREE(tmp_ctx); return false; } /* Now the guesswork begins, we haven't been given an explicit * domain. Try the sequence as documented on * http://msdn.microsoft.com/library/en-us/secmgmt/security/lsalookupnames.asp * November 27, 2005 */ /* 1. well-known names */ if ((flags & LOOKUP_NAME_WKN) && lookup_wellknown_name(tmp_ctx, name, &sid, &domain)) { type = SID_NAME_WKN_GRP; goto ok; } /* 2. Builtin domain as such */ if ((flags & (LOOKUP_NAME_BUILTIN|LOOKUP_NAME_REMOTE)) && strequal(name, builtin_domain_name())) { /* Swap domain and name */ tmp = name; name = domain; domain = tmp; sid_copy(&sid, &global_sid_Builtin); type = SID_NAME_DOMAIN; goto ok; } /* 3. Account domain */ if ((flags & LOOKUP_NAME_DOMAIN) && strequal(name, get_global_sam_name())) { if (!secrets_fetch_domain_sid(name, &sid)) { DEBUG(3, ("Could not fetch my SID\n")); TALLOC_FREE(tmp_ctx); return false; } /* Swap domain and name */ tmp = name; name = domain; domain = tmp; type = SID_NAME_DOMAIN; goto ok; } /* 4. Primary domain */ if ((flags & LOOKUP_NAME_DOMAIN) && !IS_DC && strequal(name, lp_workgroup())) { if (!secrets_fetch_domain_sid(name, &sid)) { DEBUG(3, ("Could not fetch the domain SID\n")); TALLOC_FREE(tmp_ctx); return false; } /* Swap domain and name */ tmp = name; name = domain; domain = tmp; type = SID_NAME_DOMAIN; goto ok; } /* 5. Trusted domains as such, to me it looks as if members don't do this, tested an XP workstation in a NT domain -- vl */ if ((flags & LOOKUP_NAME_REMOTE) && IS_DC && (pdb_get_trusteddom_pw(name, NULL, &sid, NULL))) { /* Swap domain and name */ tmp = name; name = domain; domain = tmp; type = SID_NAME_DOMAIN; goto ok; } /* 6. Builtin aliases */ if ((flags & LOOKUP_NAME_BUILTIN) && lookup_builtin_name(name, &rid)) { domain = talloc_strdup(tmp_ctx, builtin_domain_name()); sid_copy(&sid, &global_sid_Builtin); sid_append_rid(&sid, rid); type = SID_NAME_ALIAS; goto ok; } /* 7. Local systems' SAM (DCs don't have a local SAM) */ /* 8. Primary SAM (On members, this is the domain) */ /* Both cases are done by looking at our passdb */ if ((flags & LOOKUP_NAME_DOMAIN) && lookup_global_sam_name(name, flags, &rid, &type)) { domain = talloc_strdup(tmp_ctx, get_global_sam_name()); sid_copy(&sid, get_global_sam_sid()); sid_append_rid(&sid, rid); goto ok; } /* Now our local possibilities are exhausted. */ if (!(flags & LOOKUP_NAME_REMOTE)) { TALLOC_FREE(tmp_ctx); return false; } /* If we are not a DC, we have to ask in our primary domain. Let * winbind do that. */ if (!IS_DC && (winbind_lookup_name(lp_workgroup(), name, &sid, &type))) { domain = talloc_strdup(tmp_ctx, lp_workgroup()); goto ok; } /* 9. Trusted domains */ /* If we're a DC we have to ask all trusted DC's. Winbind does not do * that (yet), but give it a chance. */ if (IS_DC && winbind_lookup_name("", name, &sid, &type)) { DOM_SID dom_sid; uint32 tmp_rid; enum lsa_SidType domain_type; if (type == SID_NAME_DOMAIN) { /* Swap name and type */ tmp = name; name = domain; domain = tmp; goto ok; } /* Here we have to cope with a little deficiency in the * winbind API: We have to ask it again for the name of the * domain it figured out itself. Maybe fix that later... */ sid_copy(&dom_sid, &sid); sid_split_rid(&dom_sid, &tmp_rid); if (!winbind_lookup_sid(tmp_ctx, &dom_sid, &domain, NULL, &domain_type) || (domain_type != SID_NAME_DOMAIN)) { DEBUG(2, ("winbind could not find the domain's name " "it just looked up for us\n")); TALLOC_FREE(tmp_ctx); return false; } goto ok; } /* 10. Don't translate */ /* 11. Ok, windows would end here. Samba has two more options: Unmapped users and unmapped groups */ if (!(flags & LOOKUP_NAME_EXPLICIT) && lookup_unix_user_name(name, &sid)) { domain = talloc_strdup(tmp_ctx, unix_users_domain_name()); type = SID_NAME_USER; goto ok; } if (!(flags & LOOKUP_NAME_EXPLICIT) && lookup_unix_group_name(name, &sid)) { domain = talloc_strdup(tmp_ctx, unix_groups_domain_name()); type = SID_NAME_DOM_GRP; goto ok; } /* * Ok, all possibilities tried. Fail. */ TALLOC_FREE(tmp_ctx); return false; ok: if ((domain == NULL) || (name == NULL)) { DEBUG(0, ("talloc failed\n")); TALLOC_FREE(tmp_ctx); return false; } /* * Hand over the results to the talloc context we've been given. */ if ((ret_name != NULL) && !(*ret_name = talloc_strdup(mem_ctx, name))) { DEBUG(0, ("talloc failed\n")); TALLOC_FREE(tmp_ctx); return false; } if (ret_domain != NULL) { char *tmp_dom; if (!(tmp_dom = talloc_strdup(mem_ctx, domain))) { DEBUG(0, ("talloc failed\n")); TALLOC_FREE(tmp_ctx); return false; } strupper_m(tmp_dom); *ret_domain = tmp_dom; } if (ret_sid != NULL) { sid_copy(ret_sid, &sid); } if (ret_type != NULL) { *ret_type = type; } TALLOC_FREE(tmp_ctx); return true; }
/* return our ads connections structure for a domain. We keep the connection open to make things faster */ static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain) { ADS_STRUCT *ads; ADS_STATUS status; fstring dc_name; struct sockaddr_storage dc_ss; DEBUG(10,("ads_cached_connection\n")); if (domain->private_data) { time_t expire; time_t now = time(NULL); /* check for a valid structure */ ads = (ADS_STRUCT *)domain->private_data; expire = MIN(ads->auth.tgt_expire, ads->auth.tgs_expire); DEBUG(7, ("Current tickets expire in %d seconds (at %d, time is now %d)\n", (uint32)expire-(uint32)now, (uint32) expire, (uint32) now)); if ( ads->config.realm && (expire > now)) { return ads; } else { /* we own this ADS_STRUCT so make sure it goes away */ DEBUG(7,("Deleting expired krb5 credential cache\n")); ads->is_mine = True; ads_destroy( &ads ); ads_kdestroy("MEMORY:winbind_ccache"); domain->private_data = NULL; } } /* we don't want this to affect the users ccache */ setenv("KRB5CCNAME", "MEMORY:winbind_ccache", 1); ads = ads_init(domain->alt_name, domain->name, NULL); if (!ads) { DEBUG(1,("ads_init for domain %s failed\n", domain->name)); return NULL; } /* the machine acct password might have change - fetch it every time */ SAFE_FREE(ads->auth.password); SAFE_FREE(ads->auth.realm); if ( IS_DC ) { if ( !pdb_get_trusteddom_pw( domain->name, &ads->auth.password, NULL, NULL ) ) { ads_destroy( &ads ); return NULL; } ads->auth.realm = SMB_STRDUP( ads->server.realm ); strupper_m( ads->auth.realm ); } else { struct winbindd_domain *our_domain = domain; ads->auth.password = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL); /* always give preference to the alt_name in our primary domain if possible */ if ( !domain->primary ) our_domain = find_our_domain(); if ( our_domain->alt_name[0] != '\0' ) { ads->auth.realm = SMB_STRDUP( our_domain->alt_name ); strupper_m( ads->auth.realm ); } else ads->auth.realm = SMB_STRDUP( lp_realm() ); } ads->auth.renewable = WINBINDD_PAM_AUTH_KRB5_RENEW_TIME; /* Setup the server affinity cache. We don't reaally care about the name. Just setup affinity and the KRB5_CONFIG file. */ get_dc_name( ads->server.workgroup, ads->server.realm, dc_name, &dc_ss ); status = ads_connect(ads); if (!ADS_ERR_OK(status) || !ads->config.realm) { DEBUG(1,("ads_connect for domain %s failed: %s\n", domain->name, ads_errstr(status))); ads_destroy(&ads); /* if we get ECONNREFUSED then it might be a NT4 server, fall back to MSRPC */ if (status.error_type == ENUM_ADS_ERROR_SYSTEM && status.err.rc == ECONNREFUSED) { /* 'reconnect_methods' is the MS-RPC backend. */ DEBUG(1,("Trying MSRPC methods\n")); domain->backend = &reconnect_methods; } return NULL; } /* set the flag that says we don't own the memory even though we do so that ads_destroy() won't destroy the structure we pass back by reference */ ads->is_mine = False; domain->private_data = (void *)ads; return ads; }