/*
   Unix SMB/CIFS implementation.

   Winbind daemon for ntdom nss module

   Copyright (C) Tim Potter 2000
   Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003

   This library is free software; you can redistribute it and/or
   modify it under the terms of the GNU Lesser General Public
   License as published by the Free Software Foundation; either
   version 3 of the License, or (at your option) any later version.

   This library is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
   Library General Public License for more details.

   You should have received a copy of the GNU Lesser General Public License
   along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/

/*
 * Core data structures shared by the winbindd daemon: per-client request
 * state, per-domain state, the backend method tables (RPC vs. LDAP/ADS),
 * the idmap backend table, the trusted-domain cache entry and the
 * in-memory credential structures.  Function prototypes are pulled in
 * at the bottom (winbindd_proto.h) because they refer to the types
 * defined here.
 */

#ifndef _WINBINDD_H
#define _WINBINDD_H

#include "nsswitch/winbind_struct_protocol.h"
#include "nsswitch/libwbclient/wbclient.h"
#include "librpc/gen_ndr/wbint.h"

#ifdef HAVE_LIBNSCD
#include <libnscd.h>
#endif

#ifdef HAVE_SYS_MMAN_H
#include <sys/mman.h>
#endif

/* Route DEBUG() output from every file including this header to the
 * winbind debug class. */
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_WINBIND

/* Substitution character for names; which characters it replaces is
 * decided by the callers, not here. */
#define WB_REPLACE_CHAR '_'

/* Result holder for a single SID lookup.  `finished` is presumably set
 * once the SID has been resolved to domain/name/type — confirm against
 * the code that fills these in. */
struct sid_ctr {
	DOM_SID *sid;
	bool finished;
	const char *domain;
	const char *name;
	enum lsa_SidType type;
};

/* State of one connected client (one entry per accepted socket). */
struct winbindd_cli_state {
	struct winbindd_cli_state *prev, *next;   /* Linked list pointers */
	int sock;                                 /* Open socket from client */
	pid_t pid;                                /* pid of client */
	time_t last_access;                       /* Time of last access (read or write) */
	bool privileged;                          /* Is the client 'privileged' */

	TALLOC_CTX *mem_ctx;                      /* memory per request */
	const char *cmd_name;                     /* Name of the command being served (for logging) */
	/* Completion function for the async request currently in flight;
	 * it fills in the response for the client. */
	NTSTATUS (*recv_fn)(struct tevent_req *req,
			    struct winbindd_response *presp);
	struct winbindd_request *request;         /* Request from client */
	struct tevent_queue *out_queue;           /* Queue for writes back to the client */
	struct winbindd_response *response;       /* Response to client */
	bool getpwent_initialized;                /* Has getpwent_state been
						   * initialized? */
	bool getgrent_initialized;                /* Has getgrent_state been
						   * initialized? */

	struct getpwent_state *pwent_state;       /* State for getpwent() */
	struct getgrent_state *grent_state;       /* State for getgrent() */
};

/* Cursor for a client's getpwent() enumeration: the domain currently
 * being walked and the position within the fetched user list. */
struct getpwent_state {
	struct winbindd_domain *domain;
	int next_user;
	int num_users;
	struct wbint_userinfo *users;
};

/* Cursor for a client's getgrent() enumeration, analogous to
 * getpwent_state. */
struct getgrent_state {
	struct winbindd_domain *domain;
	int next_group;
	int num_groups;
	struct wbint_Principal *groups;
};

/* Storage for cached getpwent() user entries */

struct getpwent_user {
	fstring name;                        /* Account name */
	fstring gecos;                       /* User information */
	fstring homedir;                     /* User Home Directory */
	fstring shell;                       /* User Login Shell */
	DOM_SID user_sid;                    /* NT user and primary group SIDs */
	DOM_SID group_sid;
};

/* Our connection to the DC */

struct winbindd_cm_conn {
	struct cli_state *cli;                /* SMB transport to the DC */

	/* SAMR pipe plus the connect and domain handles opened on it */
	struct rpc_pipe_client *samr_pipe;
	struct policy_handle sam_connect_handle, sam_domain_handle;

	/* LSA pipe (named-pipe and, if usable, direct TCP variant) and the
	 * policy handle opened on it */
	struct rpc_pipe_client *lsa_pipe;
	struct rpc_pipe_client *lsa_pipe_tcp;
	struct policy_handle lsa_policy;

	struct rpc_pipe_client *netlogon_pipe;
};

/* Async child */

struct winbindd_domain;

/* One entry of a child's command table: maps a request command to the
 * function that handles it inside the child process. */
struct winbindd_child_dispatch_table {
	const char *name;
	enum winbindd_cmd struct_cmd;
	enum winbindd_result (*struct_fn)(struct winbindd_domain *domain,
					  struct winbindd_cli_state *state);
};

/* A forked helper process and the parent's channel to it. */
struct winbindd_child {
	struct winbindd_child *next, *prev;

	pid_t pid;                            /* pid of the child process */
	struct winbindd_domain *domain;       /* Domain this child serves */
	char *logfilename;                    /* Separate log file for the child */

	int sock;                             /* Socket pair end used to talk to the child */
	struct tevent_queue *queue;           /* Serialises requests sent to the child */
	struct rpc_pipe_client *rpccli;       /* wbint RPC client over `sock` */

	/* Periodic timers owned by the child (only meaningful for the
	 * primary-domain child; verify in the scheduling code) */
	struct timed_event *lockout_policy_event;
	struct timed_event *machine_password_change_event;

	const struct winbindd_child_dispatch_table *table;  /* Commands this child understands */
};

/* Structures to hold per domain information */

struct winbindd_domain {
	fstring name;                          /* Domain name (NetBIOS) */
	fstring alt_name;                      /* alt Domain name, if any (FQDN for ADS) */
	fstring forest_name;                   /* Name of the AD forest we're in */
	DOM_SID sid;                           /* SID for this domain */
	uint32 domain_flags;                   /* Domain flags from netlogon.h */
	uint32 domain_type;                    /* Domain type from netlogon.h */
	uint32 domain_trust_attribs;           /* Trust attribs from netlogon.h */
	bool initialized;                      /* Did we already ask for the domain mode? */
	bool native_mode;                      /* is this a win2k domain in native mode ? */
	bool active_directory;                 /* is this a win2k active directory ? */
	bool primary;                          /* is this our primary domain ? */
	bool internal;                         /* BUILTIN and member SAM */
	bool online;                           /* is this domain available ? */
	time_t startup_time;                   /* When we set "startup" true. */
	bool startup;                          /* are we in the first 30 seconds after startup_time ? */

	bool can_do_samlogon_ex;               /* Because we lack finer control over
						* what type of DC we have, we first try
						* a credential-chain-less samlogon_ex
						* call with AD and schannel.  If this
						* fails with DCERPC_FAULT_OP_RNG_ERROR,
						* this is set to False so that we don't
						* have to retry _ex every time. */

	bool can_do_ncacn_ip_tcp;              /* DC reachable over RPC-over-TCP (see lsa_pipe_tcp) */
	bool can_do_validation6;               /* DC accepts validation level 6 — cleared on failure, presumably */

	/* Lookup methods for this domain (LDAP or RPC) */
	struct winbindd_methods *methods;

	/* the backend methods are used by the cache layer to find the right
	   backend */
	struct winbindd_methods *backend;

	/* Private data for the backends (used for connection cache) */

	void *private_data;

	/*
	 * idmap config settings, used to tell the idmap child which
	 * special domain config to use for a mapping
	 */
	bool have_idmap_config;
	uint32_t id_range_low, id_range_high;

	/* A working DC */
	pid_t dc_probe_pid;                    /* Child we're using to detect the DC. */
	fstring dcname;                        /* Name of the DC we are currently using */
	struct sockaddr_storage dcaddr;        /* Its address */

	/* Sequence number stuff */

	time_t last_seq_check;                 /* When sequence_number was last refreshed */
	uint32 sequence_number;                /* Last known DC sequence number (DOM_SEQUENCE_NONE if unknown) */
	NTSTATUS last_status;                  /* Status of the last sequence-number query */

	/* The smb connection */

	struct winbindd_cm_conn conn;

	/* The child pid we're talking to */

	struct winbindd_child child;

	/* Callback we use to try put us back online. */

	uint32 check_online_timeout;           /* Seconds until the next online check */
	struct timed_event *check_online_event;

	/* Linked list info */

	struct winbindd_domain *prev, *next;
};

/* per-domain methods. This is how LDAP vs RPC is selected
 */
struct winbindd_methods {
	/* does this backend provide a consistent view of the data? (ie. is the primary group
	   always correct) */
	bool consistent;

	/* get a list of users, returning a wbint_userinfo for each one */
	NTSTATUS (*query_user_list)(struct winbindd_domain *domain,
				    TALLOC_CTX *mem_ctx,
				    uint32 *num_entries,
				    struct wbint_userinfo **info);

	/* get a list of domain groups */
	NTSTATUS (*enum_dom_groups)(struct winbindd_domain *domain,
				    TALLOC_CTX *mem_ctx,
				    uint32 *num_entries,
				    struct acct_info **info);

	/* get a list of domain local groups */
	NTSTATUS (*enum_local_groups)(struct winbindd_domain *domain,
				      TALLOC_CTX *mem_ctx,
				      uint32 *num_entries,
				      struct acct_info **info);

	/* convert one user or group name to a sid */
	NTSTATUS (*name_to_sid)(struct winbindd_domain *domain,
				TALLOC_CTX *mem_ctx,
				const char *domain_name,
				const char *name,
				uint32_t flags,
				DOM_SID *sid,
				enum lsa_SidType *type);

	/* convert a sid to a user or group name */
	NTSTATUS (*sid_to_name)(struct winbindd_domain *domain,
				TALLOC_CTX *mem_ctx,
				const DOM_SID *sid,
				char **domain_name,
				char **name,
				enum lsa_SidType *type);

	/* resolve a batch of RIDs under domain_sid to names and types;
	 * the output arrays are allocated on mem_ctx */
	NTSTATUS (*rids_to_names)(struct winbindd_domain *domain,
				  TALLOC_CTX *mem_ctx,
				  const DOM_SID *domain_sid,
				  uint32 *rids,
				  size_t num_rids,
				  char **domain_name,
				  char ***names,
				  enum lsa_SidType **types);

	/* lookup user info for a given SID */
	NTSTATUS (*query_user)(struct winbindd_domain *domain,
			       TALLOC_CTX *mem_ctx,
			       const DOM_SID *user_sid,
			       struct wbint_userinfo *user_info);

	/* lookup all groups that a user is a member of. The backend
	   can also choose to lookup by username or rid for this
	   function */
	NTSTATUS (*lookup_usergroups)(struct winbindd_domain *domain,
				      TALLOC_CTX *mem_ctx,
				      const DOM_SID *user_sid,
				      uint32 *num_groups, DOM_SID **user_gids);

	/* Lookup all aliases that the sids delivered are member of. This is
	 * to implement 'domain local groups' correctly */
	NTSTATUS (*lookup_useraliases)(struct winbindd_domain *domain,
				       TALLOC_CTX *mem_ctx,
				       uint32 num_sids,
				       const DOM_SID *sids,
				       uint32 *num_aliases,
				       uint32 **alias_rids);

	/* find all members of the group with the specified group_rid */
	NTSTATUS (*lookup_groupmem)(struct winbindd_domain *domain,
				    TALLOC_CTX *mem_ctx,
				    const DOM_SID *group_sid,
				    enum lsa_SidType type,
				    uint32 *num_names,
				    DOM_SID **sid_mem, char ***names,
				    uint32 **name_types);

	/* return the current global sequence number */
	NTSTATUS (*sequence_number)(struct winbindd_domain *domain, uint32 *seq);

	/* return the lockout policy */
	NTSTATUS (*lockout_policy)(struct winbindd_domain *domain,
				   TALLOC_CTX *mem_ctx,
				   struct samr_DomInfo12 *lockout_policy);

	/* return the password policy */
	NTSTATUS (*password_policy)(struct winbindd_domain *domain,
				    TALLOC_CTX *mem_ctx,
				    struct samr_DomInfo1 *password_policy);

	/* enumerate trusted domains */
	NTSTATUS (*trusted_domains)(struct winbindd_domain *domain,
				    TALLOC_CTX *mem_ctx,
				    struct netr_DomainTrustList *trusts);
};

/* Filled out by IDMAP backends */
struct winbindd_idmap_methods {
	/* Called when backend is first loaded */
	bool (*init)(void);

	/* Forward mappings: Unix id -> SID.  Return false on failure. */
	bool (*get_sid_from_uid)(uid_t uid, DOM_SID *sid);
	bool (*get_sid_from_gid)(gid_t gid, DOM_SID *sid);

	/* Reverse mappings: SID -> Unix id.  Return false on failure.
	 * (The SID argument is not const-qualified here, although the
	 * lookup presumably does not modify it.) */
	bool (*get_uid_from_sid)(DOM_SID *sid, uid_t *uid);
	bool (*get_gid_from_sid)(DOM_SID *sid, gid_t *gid);

	/* Called when backend is unloaded */
	bool (*close)(void);
	/* Called to dump backend status */
	void (*status)(void);
};

/* Data structures for dealing with the trusted domain cache */

struct winbindd_tdc_domain {
	const char *domain_name;              /* NetBIOS name */
	const char *dns_name;                 /* DNS name, if known */
	DOM_SID sid;
	uint32 trust_flags;                   /* netlogon trust flags */
	uint32 trust_attribs;                 /* netlogon trust attributes */
	uint32 trust_type;                    /* netlogon trust type */
};

/* Switch for listing users or groups */
enum ent_type {
	LIST_USERS = 0,
	LIST_GROUPS,
};

/*
 * Credentials kept in memory on behalf of a logged-in user.
 *
 * This holds secret material (NT/LM hashes and, possibly, the cleartext
 * password).  NOTE(review): the free path for these entries should
 * zeroise the buffers before releasing them, and the daemon should
 * ensure this memory is not swapped or dumped; confirm in the
 * implementation (sys/mman.h is included above, presumably for that).
 */
struct WINBINDD_MEMORY_CREDS {
	struct WINBINDD_MEMORY_CREDS *next, *prev;
	const char *username;                 /* lookup key. */
	uid_t uid;                            /* Unix uid the credentials belong to */
	int ref_count;                        /* Number of ccache entries referencing this */
	size_t len;                           /* Size of the buffer nt_hash points at */
	uint8_t *nt_hash;                     /* Base pointer for the following 2 */
	uint8_t *lm_hash;
	char *pass;
};

/*
 * Tracked credential cache (the ccname/principal/realm/renew_until
 * fields indicate a Kerberos ccache) together with the timers used to
 * refresh or renew it.
 */
struct WINBINDD_CCACHE_ENTRY {
	struct WINBINDD_CCACHE_ENTRY *next, *prev;
	const char *principal_name;
	const char *ccname;                   /* Name/path of the credential cache */
	const char *service;
	const char *username;
	const char *realm;
	struct WINBINDD_MEMORY_CREDS *cred_ptr;   /* Shared, ref-counted credentials used to refresh */
	int ref_count;
	uid_t uid;
	time_t create_time;
	time_t renew_until;                   /* Hard limit for ticket renewal */
	time_t refresh_time;                  /* When the next refresh is scheduled */
	struct timed_event *event;            /* Timer driving the refresh */
};

/* Prototypes reference the types above, so this include comes last. */
#include "winbindd/winbindd_proto.h"

/* Seconds; matches the "first 30 seconds after startup_time" window
 * documented on winbindd_domain.startup — confirm the two are linked. */
#define WINBINDD_ESTABLISH_LOOP 30
/* Evaluated on every use so it follows the current smb.conf value. */
#define WINBINDD_RESCAN_FREQ lp_winbind_cache_time()
#define WINBINDD_PAM_AUTH_KRB5_RENEW_TIME 2592000 /* one month (30 days, in seconds) */
/* Sentinel for winbindd_domain.sequence_number when no number is known. */
#define DOM_SEQUENCE_NONE ((uint32)-1)

#endif /* _WINBINDD_H */