void winbindd_check_machine_acct(struct winbindd_cli_state *state)
{
DEBUG(3, ("[%5lu]: check machine account\n",
(unsigned long)state->pid));
sendto_domain(state, find_our_domain());
}
enum winbindd_result winbindd_dual_check_machine_acct(struct winbindd_domain *domain,
struct winbindd_cli_state *state)
{
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
int num_retries = 0;
struct winbindd_domain *contact_domain;
DEBUG(3, ("[%5lu]: check machine account\n", (unsigned long)state->pid));
/* Get trust account password */
again:
contact_domain = find_our_domain();
/* This call does a cli_nt_setup_creds() which implicitly checks
the trust account password. */
invalidate_cm_connection(&contact_domain->conn);
{
struct rpc_pipe_client *netlogon_pipe;
result = cm_connect_netlogon(contact_domain, &netlogon_pipe);
}
if (!NT_STATUS_IS_OK(result)) {
DEBUG(3, ("could not open handle to NETLOGON pipe\n"));
goto done;
}
/* There is a race condition between fetching the trust account
password and the periodic machine password change. So it's
possible that the trust account password has been changed on us.
We are returned NT_STATUS_ACCESS_DENIED if this happens. */
#define MAX_RETRIES 8
if ((num_retries < MAX_RETRIES) &&
NT_STATUS_V(result) == NT_STATUS_V(NT_STATUS_ACCESS_DENIED)) {
num_retries++;
goto again;
}
/* Pass back result code - zero for success, other values for
specific failures. */
DEBUG(3, ("secret is %s\n", NT_STATUS_IS_OK(result) ?
"good" : "bad"));
done:
state->response.data.auth.nt_status = NT_STATUS_V(result);
fstrcpy(state->response.data.auth.nt_status_string, nt_errstr(result));
fstrcpy(state->response.data.auth.error_string, nt_errstr(result));
state->response.data.auth.pam_error = nt_status_to_pam(result);
DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2, ("Checking the trust account password returned %s\n",
state->response.data.auth.nt_status_string));
return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
}
/* get a list of trusted domains */
static NTSTATUS trusted_domains(struct winbindd_domain *domain,
TALLOC_CTX *mem_ctx,
uint32 *num_domains,
char ***names,
char ***alt_names,
DOM_SID **dom_sids)
{
CLI_POLICY_HND *hnd;
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
uint32 enum_ctx = 0;
int retry;
DEBUG(3,("rpc: trusted_domains\n"));
*num_domains = 0;
*alt_names = NULL;
retry = 0;
do {
if (!NT_STATUS_IS_OK(result = cm_get_lsa_handle(find_our_domain(), &hnd)))
goto done;
result = cli_lsa_enum_trust_dom(hnd->cli, mem_ctx,
&hnd->pol, &enum_ctx,
num_domains, names, dom_sids);
} while (!NT_STATUS_IS_OK(result) && (retry++ < 1) && hnd && hnd->cli && hnd->cli->fd == -1);
done:
return result;
}
void winbindd_list_trusted_domains(struct winbindd_cli_state *state)
{
DEBUG(3, ("[%5lu]: list trusted domains\n",
(unsigned long)state->pid));
sendto_domain(state, find_our_domain());
}
void winbindd_getdcname(struct winbindd_cli_state *state)
{
state->request.domain_name
[sizeof(state->request.domain_name)-1] = '\0';
DEBUG(3, ("[%5lu]: Get DC name for %s\n", (unsigned long)state->pid,
state->request.domain_name));
sendto_domain(state, find_our_domain());
}
static BOOL get_dc_name_via_netlogon(const struct winbindd_domain *domain,
fstring dcname, struct in_addr *dc_ip)
{
struct winbindd_domain *our_domain;
NTSTATUS result;
struct winbindd_cm_conn *conn;
TALLOC_CTX *mem_ctx;
fstring tmp;
char *p;
if (IS_DC)
return False;
if (domain->primary)
return False;
if ((our_domain = find_our_domain()) == NULL)
return False;
result = get_connection_from_cache(our_domain, PIPE_NETLOGON, &conn);
if (!NT_STATUS_IS_OK(result))
return False;
if ((mem_ctx = talloc_init("get_dc_name_via_netlogon")) == NULL)
return False;
result = cli_netlogon_getdcname(conn->cli, mem_ctx, domain->name, tmp);
talloc_destroy(mem_ctx);
if (!NT_STATUS_IS_OK(result))
return False;
/* cli_netlogon_getdcname gives us a name with \\ */
p = tmp;
if (*p == '\\') p+=1;
if (*p == '\\') p+=1;
fstrcpy(dcname, p);
if (!resolve_name(dcname, dc_ip, 0x20))
return False;
return True;
}
enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state)
{
NTSTATUS result;
unsigned char trust_passwd[16];
time_t last_change_time;
uint32 sec_channel_type;
NET_USER_INFO_3 info3;
struct cli_state *cli = NULL;
TALLOC_CTX *mem_ctx = NULL;
char *name_user = NULL;
const char *name_domain = NULL;
const char *workstation;
struct winbindd_domain *contact_domain;
DOM_CRED ret_creds;
int attempts = 0;
BOOL retry;
DATA_BLOB lm_resp, nt_resp;
if (!state->privileged) {
char *error_string = NULL;
DEBUG(2, ("winbindd_pam_auth_crap: non-privileged access denied. !\n"));
DEBUGADD(2, ("winbindd_pam_auth_crap: Ensure permissions on %s are set correctly.\n",
get_winbind_priv_pipe_dir()));
/* send a better message than ACCESS_DENIED */
asprintf(&error_string, "winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on %s are set correctly.",
get_winbind_priv_pipe_dir());
push_utf8_fstring(state->response.data.auth.error_string, error_string);
SAFE_FREE(error_string);
result = NT_STATUS_ACCESS_DENIED;
goto done;
}
/* Ensure null termination */
state->request.data.auth_crap.user[sizeof(state->request.data.auth_crap.user)-1]=0;
state->request.data.auth_crap.domain[sizeof(state->request.data.auth_crap.domain)-1]=0;
if (!(mem_ctx = talloc_init("winbind pam auth crap for (utf8) %s", state->request.data.auth_crap.user))) {
DEBUG(0, ("winbindd_pam_auth_crap: could not talloc_init()!\n"));
result = NT_STATUS_NO_MEMORY;
goto done;
}
if (pull_utf8_talloc(mem_ctx, &name_user, state->request.data.auth_crap.user) == (size_t)-1) {
DEBUG(0, ("winbindd_pam_auth_crap: pull_utf8_talloc failed!\n"));
result = NT_STATUS_UNSUCCESSFUL;
goto done;
}
if (*state->request.data.auth_crap.domain) {
char *dom = NULL;
if (pull_utf8_talloc(mem_ctx, &dom, state->request.data.auth_crap.domain) == (size_t)-1) {
DEBUG(0, ("winbindd_pam_auth_crap: pull_utf8_talloc failed!\n"));
result = NT_STATUS_UNSUCCESSFUL;
goto done;
}
name_domain = dom;
} else if (lp_winbind_use_default_domain()) {
name_domain = lp_workgroup();
} else {
DEBUG(5,("no domain specified with username (%s) - failing auth\n",
name_user));
result = NT_STATUS_NO_SUCH_USER;
goto done;
}
DEBUG(3, ("[%5lu]: pam auth crap domain: %s user: %s\n", (unsigned long)state->pid,
name_domain, name_user));
if (*state->request.data.auth_crap.workstation) {
char *wrk = NULL;
if (pull_utf8_talloc(mem_ctx, &wrk, state->request.data.auth_crap.workstation) == (size_t)-1) {
DEBUG(0, ("winbindd_pam_auth_crap: pull_utf8_talloc failed!\n"));
result = NT_STATUS_UNSUCCESSFUL;
goto done;
}
workstation = wrk;
} else {
workstation = global_myname();
}
if (state->request.data.auth_crap.lm_resp_len > sizeof(state->request.data.auth_crap.lm_resp)
|| state->request.data.auth_crap.nt_resp_len > sizeof(state->request.data.auth_crap.nt_resp)) {
DEBUG(0, ("winbindd_pam_auth_crap: invalid password length %u/%u\n",
state->request.data.auth_crap.lm_resp_len,
state->request.data.auth_crap.nt_resp_len));
result = NT_STATUS_INVALID_PARAMETER;
goto done;
}
lm_resp = data_blob_talloc(mem_ctx, state->request.data.auth_crap.lm_resp, state->request.data.auth_crap.lm_resp_len);
nt_resp = data_blob_talloc(mem_ctx, state->request.data.auth_crap.nt_resp, state->request.data.auth_crap.nt_resp_len);
/* what domain should we contact? */
if ( IS_DC ) {
if (!(contact_domain = find_domain_from_name(name_domain))) {
DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
state->request.data.auth_crap.user, name_domain, name_user, name_domain));
result = NT_STATUS_NO_SUCH_USER;
goto done;
}
} else {
if (is_myname(name_domain)) {
DEBUG(3, ("Authentication for domain %s (local domain to this server) not supported at this stage\n", name_domain));
result = NT_STATUS_NO_SUCH_USER;
goto done;
}
if (!(contact_domain = find_our_domain())) {
DEBUG(1, ("Authenticatoin for [%s] -> [%s]\\[%s] in our domain failed - we can't find our domain!\n",
state->request.data.auth_crap.user, name_domain, name_user));
result = NT_STATUS_NO_SUCH_USER;
goto done;
}
}
if ( !get_trust_pw(contact_domain->name, trust_passwd, &last_change_time, &sec_channel_type) ) {
result = NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
goto done;
}
do {
ZERO_STRUCT(info3);
ZERO_STRUCT(ret_creds);
retry = False;
/* Don't shut this down - it belongs to the connection cache code */
result = cm_get_netlogon_cli(contact_domain, trust_passwd, sec_channel_type, False, &cli);
if (!NT_STATUS_IS_OK(result)) {
DEBUG(3, ("could not open handle to NETLOGON pipe (error: %s)\n",
nt_errstr(result)));
goto done;
}
result = cli_netlogon_sam_network_logon(cli, mem_ctx,
&ret_creds,
name_user, name_domain,
workstation,
state->request.data.auth_crap.chal,
lm_resp, nt_resp,
&info3);
attempts += 1;
/* We have to try a second time as cm_get_netlogon_cli
might not yet have noticed that the DC has killed
our connection. */
if ( cli->fd == -1 ) {
retry = True;
continue;
}
/* if we get access denied, a possible cause was that we had and open
connection to the DC, but someone changed our machine account password
out from underneath us using 'net rpc changetrustpw' */
if ( NT_STATUS_V(result) == NT_STATUS_V(NT_STATUS_ACCESS_DENIED) ) {
DEBUG(3,("winbindd_pam_auth_crap: sam_logon returned ACCESS_DENIED. Maybe the trust account "
"password was changed and we didn't know it. Killing connections to domain %s\n",
contact_domain->name));
winbindd_cm_flush();
retry = True;
cli = NULL;
}
} while ( (attempts < 2) && retry );
if (cli != NULL) {
/* We might have come out of the loop above with cli == NULL,
so don't dereference that. */
clnt_deal_with_creds(cli->sess_key, &(cli->clnt_cred), &ret_creds);
}
if (NT_STATUS_IS_OK(result)) {
netsamlogon_cache_store( cli->mem_ctx, &info3 );
wcache_invalidate_samlogon(find_domain_from_name(name_domain), &info3);
if (!NT_STATUS_IS_OK(result = check_info3_in_group(mem_ctx, &info3, state->request.data.auth_crap.required_membership_sid))) {
DEBUG(3, ("User %s is not in the required group (%s), so plaintext authentication is rejected\n",
state->request.data.auth_crap.user,
state->request.data.auth_crap.required_membership_sid));
goto done;
}
if (state->request.flags & WBFLAG_PAM_INFO3_NDR) {
result = append_info3_as_ndr(mem_ctx, state, &info3);
} else if (state->request.flags & WBFLAG_PAM_UNIX_NAME) {
/* ntlm_auth should return the unix username, per
'winbind use default domain' settings and the like */
fstring username_out;
const char *nt_username, *nt_domain;
if (!(nt_username = unistr2_tdup(mem_ctx, &(info3.uni_user_name)))) {
/* If the server didn't give us one, just use the one we sent them */
nt_username = name_user;
}
if (!(nt_domain = unistr2_tdup(mem_ctx, &(info3.uni_logon_dom)))) {
/* If the server didn't give us one, just use the one we sent them */
nt_domain = name_domain;
}
fill_domain_username(username_out, nt_domain, nt_username);
DEBUG(5, ("Setting unix username to [%s]\n", username_out));
/* this interface is in UTF8 */
if (push_utf8_allocate((char **)&state->response.extra_data, username_out) == -1) {
result = NT_STATUS_NO_MEMORY;
goto done;
}
state->response.length += strlen(state->response.extra_data)+1;
}
if (state->request.flags & WBFLAG_PAM_USER_SESSION_KEY) {
memcpy(state->response.data.auth.user_session_key, info3.user_sess_key, sizeof(state->response.data.auth.user_session_key) /* 16 */);
}
if (state->request.flags & WBFLAG_PAM_LMKEY) {
memcpy(state->response.data.auth.first_8_lm_hash, info3.padding, sizeof(state->response.data.auth.first_8_lm_hash) /* 8 */);
}
}
done:
/* give us a more useful (more correct?) error code */
if ((NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) || (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)))) {
result = NT_STATUS_NO_LOGON_SERVERS;
}
if (state->request.flags & WBFLAG_PAM_NT_STATUS_SQUASH) {
result = nt_status_squash(result);
}
state->response.data.auth.nt_status = NT_STATUS_V(result);
push_utf8_fstring(state->response.data.auth.nt_status_string, nt_errstr(result));
/* we might have given a more useful error above */
if (!*state->response.data.auth.error_string)
push_utf8_fstring(state->response.data.auth.error_string, get_friendly_nt_error_msg(result));
state->response.data.auth.pam_error = nt_status_to_pam(result);
DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,
("NTLM CRAP authentication for user [%s]\\[%s] returned %s (PAM: %d)\n",
name_domain,
name_user,
state->response.data.auth.nt_status_string,
state->response.data.auth.pam_error));
if (mem_ctx)
talloc_destroy(mem_ctx);
return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
}
enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state)
{
NTSTATUS result;
fstring name_domain, name_user;
unsigned char trust_passwd[16];
time_t last_change_time;
uint32 sec_channel_type;
NET_USER_INFO_3 info3;
struct cli_state *cli = NULL;
uchar chal[8];
TALLOC_CTX *mem_ctx = NULL;
DATA_BLOB lm_resp;
DATA_BLOB nt_resp;
DOM_CRED ret_creds;
int attempts = 0;
unsigned char local_lm_response[24];
unsigned char local_nt_response[24];
struct winbindd_domain *contact_domain;
BOOL retry;
/* Ensure null termination */
state->request.data.auth.user[sizeof(state->request.data.auth.user)-1]='\0';
/* Ensure null termination */
state->request.data.auth.pass[sizeof(state->request.data.auth.pass)-1]='\0';
DEBUG(3, ("[%5lu]: pam auth %s\n", (unsigned long)state->pid,
state->request.data.auth.user));
if (!(mem_ctx = talloc_init("winbind pam auth for %s", state->request.data.auth.user))) {
DEBUG(0, ("winbindd_pam_auth: could not talloc_init()!\n"));
result = NT_STATUS_NO_MEMORY;
goto done;
}
/* Parse domain and username */
parse_domain_user(state->request.data.auth.user, name_domain, name_user);
/* do password magic */
generate_random_buffer(chal, 8);
SMBencrypt(state->request.data.auth.pass, chal, local_lm_response);
SMBNTencrypt(state->request.data.auth.pass, chal, local_nt_response);
lm_resp = data_blob_talloc(mem_ctx, local_lm_response, sizeof(local_lm_response));
nt_resp = data_blob_talloc(mem_ctx, local_nt_response, sizeof(local_nt_response));
/* what domain should we contact? */
if ( IS_DC ) {
if (!(contact_domain = find_domain_from_name(name_domain))) {
DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
state->request.data.auth.user, name_domain, name_user, name_domain));
result = NT_STATUS_NO_SUCH_USER;
goto done;
}
} else {
if (is_myname(name_domain)) {
DEBUG(3, ("Authentication for domain %s (local domain to this server) not supported at this stage\n", name_domain));
result = NT_STATUS_NO_SUCH_USER;
goto done;
}
if (!(contact_domain = find_our_domain())) {
DEBUG(1, ("Authentication for [%s] -> [%s]\\[%s] in our domain failed - we can't find our domain!\n",
state->request.data.auth.user, name_domain, name_user));
result = NT_STATUS_NO_SUCH_USER;
goto done;
}
}
if ( !get_trust_pw(contact_domain->name, trust_passwd, &last_change_time, &sec_channel_type) ) {
result = NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
goto done;
}
/* check authentication loop */
do {
ZERO_STRUCT(info3);
ZERO_STRUCT(ret_creds);
retry = False;
/* Don't shut this down - it belongs to the connection cache code */
result = cm_get_netlogon_cli(contact_domain, trust_passwd,
sec_channel_type, False, &cli);
if (!NT_STATUS_IS_OK(result)) {
DEBUG(3, ("could not open handle to NETLOGON pipe\n"));
goto done;
}
result = cli_netlogon_sam_network_logon(cli, mem_ctx,
&ret_creds,
name_user, name_domain,
global_myname(), chal,
lm_resp, nt_resp,
&info3);
attempts += 1;
/* We have to try a second time as cm_get_netlogon_cli
might not yet have noticed that the DC has killed
our connection. */
if ( cli->fd == -1 ) {
retry = True;
continue;
}
/* if we get access denied, a possible cuase was that we had and open
connection to the DC, but someone changed our machine account password
out from underneath us using 'net rpc changetrustpw' */
if ( NT_STATUS_V(result) == NT_STATUS_V(NT_STATUS_ACCESS_DENIED) ) {
DEBUG(3,("winbindd_pam_auth: sam_logon returned ACCESS_DENIED. Maybe the trust account "
"password was changed and we didn't know it. Killing connections to domain %s\n",
name_domain));
winbindd_cm_flush();
retry = True;
cli = NULL;
}
} while ( (attempts < 2) && retry );
if (cli != NULL) {
/* We might have come out of the loop above with cli == NULL,
so don't dereference that. */
clnt_deal_with_creds(cli->sess_key, &(cli->clnt_cred), &ret_creds);
}
if (NT_STATUS_IS_OK(result)) {
netsamlogon_cache_store( cli->mem_ctx, &info3 );
wcache_invalidate_samlogon(find_domain_from_name(name_domain), &info3);
/* Check if the user is in the right group */
if (!NT_STATUS_IS_OK(result = check_info3_in_group(mem_ctx, &info3, state->request.data.auth.required_membership_sid))) {
DEBUG(3, ("User %s is not in the required group (%s), so plaintext authentication is rejected\n",
state->request.data.auth.user,
state->request.data.auth.required_membership_sid));
}
}
done:
/* give us a more useful (more correct?) error code */
if ((NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) || (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)))) {
result = NT_STATUS_NO_LOGON_SERVERS;
}
state->response.data.auth.nt_status = NT_STATUS_V(result);
fstrcpy(state->response.data.auth.nt_status_string, nt_errstr(result));
/* we might have given a more useful error above */
if (!*state->response.data.auth.error_string)
fstrcpy(state->response.data.auth.error_string, get_friendly_nt_error_msg(result));
state->response.data.auth.pam_error = nt_status_to_pam(result);
DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2, ("Plain-text authentication for user %s returned %s (PAM: %d)\n",
state->request.data.auth.user,
state->response.data.auth.nt_status_string,
state->response.data.auth.pam_error));
if ( NT_STATUS_IS_OK(result) &&
(state->request.flags & WBFLAG_PAM_AFS_TOKEN) ) {
char *afsname = strdup(lp_afs_username_map());
char *cell;
if (afsname == NULL) goto no_token;
afsname = realloc_string_sub(afsname, "%D", name_domain);
afsname = realloc_string_sub(afsname, "%u", name_user);
afsname = realloc_string_sub(afsname, "%U", name_user);
if (afsname == NULL) goto no_token;
strlower_m(afsname);
cell = strchr(afsname, '@');
if (cell == NULL) goto no_token;
*cell = '\0';
cell += 1;
/* Append an AFS token string */
state->response.extra_data =
afs_createtoken_str(afsname, cell);
if (state->response.extra_data != NULL)
state->response.length +=
strlen(state->response.extra_data)+1;
no_token:
SAFE_FREE(afsname);
}
if (mem_ctx)
talloc_destroy(mem_ctx);
return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
}
/*
return our ads connections structure for a domain. We keep the connection
open to make things faster
*/
static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain)
{
ADS_STRUCT *ads;
ADS_STATUS status;
fstring dc_name;
struct sockaddr_storage dc_ss;
DEBUG(10,("ads_cached_connection\n"));
if (domain->private_data) {
time_t expire;
time_t now = time(NULL);
/* check for a valid structure */
ads = (ADS_STRUCT *)domain->private_data;
expire = MIN(ads->auth.tgt_expire, ads->auth.tgs_expire);
DEBUG(7, ("Current tickets expire in %d seconds (at %d, time is now %d)\n",
(uint32)expire-(uint32)now, (uint32) expire, (uint32) now));
if ( ads->config.realm && (expire > now)) {
return ads;
} else {
/* we own this ADS_STRUCT so make sure it goes away */
DEBUG(7,("Deleting expired krb5 credential cache\n"));
ads->is_mine = True;
ads_destroy( &ads );
ads_kdestroy("MEMORY:winbind_ccache");
domain->private_data = NULL;
}
}
/* we don't want this to affect the users ccache */
setenv("KRB5CCNAME", "MEMORY:winbind_ccache", 1);
ads = ads_init(domain->alt_name, domain->name, NULL);
if (!ads) {
DEBUG(1,("ads_init for domain %s failed\n", domain->name));
return NULL;
}
/* the machine acct password might have change - fetch it every time */
SAFE_FREE(ads->auth.password);
SAFE_FREE(ads->auth.realm);
if ( IS_DC ) {
if ( !pdb_get_trusteddom_pw( domain->name, &ads->auth.password, NULL, NULL ) ) {
ads_destroy( &ads );
return NULL;
}
ads->auth.realm = SMB_STRDUP( ads->server.realm );
strupper_m( ads->auth.realm );
}
else {
struct winbindd_domain *our_domain = domain;
ads->auth.password = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
/* always give preference to the alt_name in our
primary domain if possible */
if ( !domain->primary )
our_domain = find_our_domain();
if ( our_domain->alt_name[0] != '\0' ) {
ads->auth.realm = SMB_STRDUP( our_domain->alt_name );
strupper_m( ads->auth.realm );
}
else
ads->auth.realm = SMB_STRDUP( lp_realm() );
}
ads->auth.renewable = WINBINDD_PAM_AUTH_KRB5_RENEW_TIME;
/* Setup the server affinity cache. We don't reaally care
about the name. Just setup affinity and the KRB5_CONFIG
file. */
get_dc_name( ads->server.workgroup, ads->server.realm, dc_name, &dc_ss );
status = ads_connect(ads);
if (!ADS_ERR_OK(status) || !ads->config.realm) {
DEBUG(1,("ads_connect for domain %s failed: %s\n",
domain->name, ads_errstr(status)));
ads_destroy(&ads);
/* if we get ECONNREFUSED then it might be a NT4
server, fall back to MSRPC */
if (status.error_type == ENUM_ADS_ERROR_SYSTEM &&
status.err.rc == ECONNREFUSED) {
/* 'reconnect_methods' is the MS-RPC backend. */
DEBUG(1,("Trying MSRPC methods\n"));
domain->backend = &reconnect_methods;
}
return NULL;
}
/* set the flag that says we don't own the memory even
though we do so that ads_destroy() won't destroy the
structure we pass back by reference */
ads->is_mine = False;
domain->private_data = (void *)ads;
return ads;
}
/*
return our ads connections structure for a domain. We keep the connection
open to make things faster
*/
static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain)
{
ADS_STATUS status;
char *password, *realm;
DEBUG(10,("ads_cached_connection\n"));
ads_cached_connection_reuse((ADS_STRUCT **)&domain->private_data);
if (domain->private_data) {
return (ADS_STRUCT *)domain->private_data;
}
/* the machine acct password might have change - fetch it every time */
if (!get_trust_pw_clear(domain->name, &password, NULL, NULL)) {
return NULL;
}
if ( IS_DC ) {
SMB_ASSERT(domain->alt_name != NULL);
realm = SMB_STRDUP(domain->alt_name);
}
else {
struct winbindd_domain *our_domain = domain;
/* always give preference to the alt_name in our
primary domain if possible */
if ( !domain->primary )
our_domain = find_our_domain();
if (our_domain->alt_name != NULL) {
realm = SMB_STRDUP( our_domain->alt_name );
}
else
realm = SMB_STRDUP( lp_realm() );
}
status = ads_cached_connection_connect(
(ADS_STRUCT **)&domain->private_data,
domain->alt_name,
domain->name, NULL,
password, realm,
WINBINDD_PAM_AUTH_KRB5_RENEW_TIME);
SAFE_FREE(realm);
if (!ADS_ERR_OK(status)) {
/* if we get ECONNREFUSED then it might be a NT4
server, fall back to MSRPC */
if (status.error_type == ENUM_ADS_ERROR_SYSTEM &&
status.err.rc == ECONNREFUSED) {
/* 'reconnect_methods' is the MS-RPC backend. */
DEBUG(1,("Trying MSRPC methods\n"));
domain->backend = &reconnect_methods;
}
return NULL;
}
return (ADS_STRUCT *)domain->private_data;
}
ADS_STATUS ads_idmap_cached_connection(ADS_STRUCT **adsp, const char *dom_name)
{
char *ldap_server, *realm, *password;
struct winbindd_domain *wb_dom;
ADS_STATUS status;
ads_cached_connection_reuse(adsp);
if (*adsp != NULL) {
return ADS_SUCCESS;
}
/*
* At this point we only have the NetBIOS domain name.
* Check if we can get server nam and realm from SAF cache
* and the domain list.
*/
ldap_server = saf_fetch(talloc_tos(), dom_name);
DEBUG(10, ("ldap_server from saf cache: '%s'\n",
ldap_server ? ldap_server : ""));
wb_dom = find_domain_from_name(dom_name);
if (wb_dom == NULL) {
DEBUG(10, ("could not find domain '%s'\n", dom_name));
return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
}
DEBUG(10, ("find_domain_from_name found realm '%s' for "
" domain '%s'\n", wb_dom->alt_name, dom_name));
if (!get_trust_pw_clear(dom_name, &password, NULL, NULL)) {
TALLOC_FREE(ldap_server);
return ADS_ERROR_NT(NT_STATUS_CANT_ACCESS_DOMAIN_INFO);
}
if (IS_DC) {
SMB_ASSERT(wb_dom->alt_name != NULL);
realm = SMB_STRDUP(wb_dom->alt_name);
} else {
struct winbindd_domain *our_domain = wb_dom;
/* always give preference to the alt_name in our
primary domain if possible */
if (!wb_dom->primary) {
our_domain = find_our_domain();
}
if (our_domain->alt_name != NULL) {
realm = SMB_STRDUP(our_domain->alt_name);
} else {
realm = SMB_STRDUP(lp_realm());
}
}
status = ads_cached_connection_connect(
adsp, /* Returns ads struct. */
wb_dom->alt_name, /* realm to connect to. */
dom_name, /* 'workgroup' name for ads_init */
ldap_server, /* DNS name to connect to. */
password, /* password for auth realm. */
realm, /* realm used for krb5 ticket. */
0); /* renewable ticket time. */
SAFE_FREE(realm);
TALLOC_FREE(ldap_server);
return status;
}
enum winbindd_result winbindd_gid_to_sid(struct winbindd_cli_state *state)
{
DOM_SID sid;
DEBUG(3, ("[%5lu]: gid to sid %lu\n", (unsigned long)state->pid,
(unsigned long)state->request.data.gid));
if ( (state->request.data.gid < server_state.gid_low)
|| (state->request.data.gid > server_state.gid_high) )
{
struct group *grp = NULL;
enum SID_NAME_USE type;
unid_t id;
struct winbindd_domain *domain;
/* SPECIAL CASE FOR MEMBERS OF SAMBA DOMAINS */
/* if we don't trust /etc/group then when can't know
anything about this gid */
if ( !lp_winbind_trusted_domains_only() )
return WINBINDD_ERROR;
/* look for an idmap entry first */
if ( NT_STATUS_IS_OK(idmap_gid_to_sid(&sid, state->request.data.gid)) )
goto done;
/* if users exist in /etc/group, we should try to
use that gid. Get the username and the lookup the SID */
if ( !(grp = sys_getgrgid(state->request.data.gid)) )
return WINBINDD_ERROR;
if ( !(domain = find_our_domain()) ) {
DEBUG(0,("winbindd_uid_to_sid: can't find my own domain!\n"));
return WINBINDD_ERROR;
}
if ( !winbindd_lookup_sid_by_name(domain, grp->gr_name, &sid, &type) )
return WINBINDD_ERROR;
if ( type!=SID_NAME_DOM_GRP && type!=SID_NAME_ALIAS )
return WINBINDD_ERROR;
/* don't fail if we can't store it */
id.gid = grp->gr_gid;
idmap_set_mapping( &sid, id, ID_GROUPID );
goto done;
}
/* Lookup sid for this uid */
if (!NT_STATUS_IS_OK(idmap_gid_to_sid(&sid, state->request.data.gid))) {
DEBUG(1, ("Could not convert gid %lu to sid\n",
(unsigned long)state->request.data.gid));
return WINBINDD_ERROR;
}
done:
/* Construct sid and return it */
sid_to_string(state->response.data.sid.sid, &sid);
state->response.data.sid.type = SID_NAME_DOM_GRP;
return WINBINDD_OK;
}
enum winbindd_result winbindd_sid_to_gid(struct winbindd_cli_state *state)
{
DOM_SID sid;
uint32 flags = 0x0;
/* Ensure null termination */
state->request.data.sid[sizeof(state->request.data.sid)-1]='\0';
DEBUG(3, ("[%5lu]: sid to gid %s\n", (unsigned long)state->pid,
state->request.data.sid));
if (!string_to_sid(&sid, state->request.data.sid)) {
DEBUG(1, ("Could not cvt string to sid %s\n", state->request.data.sid));
return WINBINDD_ERROR;
}
/* This gets a little tricky. If we assume that usernames are syncd between
/etc/passwd and the windows domain (such as a member of a Samba domain),
the we need to get the uid from the OS and not alocate one ourselves */
if ( lp_winbind_trusted_domains_only() ) {
struct winbindd_domain *domain = NULL;
DOM_SID sid2;
uint32 rid;
unid_t id;
domain = find_our_domain();
if ( !domain ) {
DEBUG(0,("winbindd_sid_to_uid: can't find my own domain!\n"));
return WINBINDD_ERROR;
}
sid_copy( &sid2, &sid );
sid_split_rid( &sid2, &rid );
if ( sid_equal( &sid2, &domain->sid ) ) {
fstring domain_name;
fstring group;
enum SID_NAME_USE type;
struct group *grp = NULL;
/* ok...here's we know that we are dealing with our
own domain (the one to which we are joined). And
we know that there must be a UNIX account for this group.
So we lookup the sid and the call getpwnam().*/
/* But first check and see if we don't already have a mapping */
flags = ID_QUERY_ONLY;
if ( NT_STATUS_IS_OK(idmap_sid_to_gid(&sid, &(state->response.data.gid), flags)) )
return WINBINDD_OK;
/* now fall back to the hard way */
if ( !winbindd_lookup_name_by_sid(&sid, domain_name, group, &type) )
return WINBINDD_ERROR;
if ( !(grp = sys_getgrnam(group)) ) {
DEBUG(0,("winbindd_sid_to_uid: 'winbind trusted domains only' is "
"set but this group [%s] doesn't exist!\n", group));
return WINBINDD_ERROR;
}
state->response.data.gid = grp->gr_gid;
id.gid = grp->gr_gid;
idmap_set_mapping( &sid, id, ID_GROUPID );
return WINBINDD_OK;
}
}
if ( state->request.flags & WBFLAG_QUERY_ONLY )
flags = ID_QUERY_ONLY;
/* Find gid for this sid and return it */
if ( !NT_STATUS_IS_OK(idmap_sid_to_gid(&sid, &(state->response.data.gid), flags)) ) {
DEBUG(1, ("Could not get gid for sid %s\n", state->request.data.sid));
return WINBINDD_ERROR;
}
return WINBINDD_OK;
}
enum winbindd_result winbindd_check_machine_acct(struct winbindd_cli_state *state)
{
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
uchar trust_passwd[16];
int num_retries = 0;
struct cli_state *cli;
uint32 sec_channel_type;
struct winbindd_domain *contact_domain;
DEBUG(3, ("[%5lu]: check machine account\n", (unsigned long)state->pid));
/* Get trust account password */
again:
if (!secrets_fetch_trust_account_password(
lp_workgroup(), trust_passwd, NULL, &sec_channel_type)) {
result = NT_STATUS_INTERNAL_ERROR;
goto done;
}
contact_domain = find_our_domain();
if (!contact_domain) {
result = NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
DEBUG(1, ("Cannot find our own domain!\n"));
goto done;
}
/* This call does a cli_nt_setup_creds() which implicitly checks
the trust account password. */
/* Don't shut this down - it belongs to the connection cache code */
result = cm_get_netlogon_cli(contact_domain,
trust_passwd, sec_channel_type, True, &cli);
if (!NT_STATUS_IS_OK(result)) {
DEBUG(3, ("could not open handle to NETLOGON pipe\n"));
goto done;
}
/* There is a race condition between fetching the trust account
password and the periodic machine password change. So it's
possible that the trust account password has been changed on us.
We are returned NT_STATUS_ACCESS_DENIED if this happens. */
#define MAX_RETRIES 8
if ((num_retries < MAX_RETRIES) &&
NT_STATUS_V(result) == NT_STATUS_V(NT_STATUS_ACCESS_DENIED)) {
num_retries++;
goto again;
}
/* Pass back result code - zero for success, other values for
specific failures. */
DEBUG(3, ("secret is %s\n", NT_STATUS_IS_OK(result) ?
"good" : "bad"));
done:
state->response.data.auth.nt_status = NT_STATUS_V(result);
fstrcpy(state->response.data.auth.nt_status_string, nt_errstr(result));
fstrcpy(state->response.data.auth.error_string, nt_errstr(result));
state->response.data.auth.pam_error = nt_status_to_pam(result);
DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2, ("Checking the trust account password returned %s\n",
state->response.data.auth.nt_status_string));
return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
}
