ad_subdomains.c revision 44656ce260030556820c4b6be519e66ffdacb408
AD Subdomains Module
Sumit Bose <>
Copyright (C) 2013 Red Hat
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <>.
#include "providers/ldap/sdap_async.h"
#include "providers/ad/ad_subdomains.h"
#include "providers/ad/ad_domain_info.h"
#include "providers/ad/ad_common.h"
#include "providers/ldap/sdap_idmap.h"
#include "providers/ldap/sdap_ops.h"
#include "util/util_sss_idmap.h"
#include <ctype.h>
#include <ndr.h>
/* Attributes of AD trusted domains */
#define AD_AT_FLATNAME "flatName"
#define AD_AT_SID "securityIdentifier"
#define AD_AT_TRUST_TYPE "trustType"
#define AD_AT_TRUST_PARTNER "trustPartner"
#define AD_AT_TRUST_ATTRS "trustAttributes"
/* trustType=2 denotes uplevel (NT5 and later) trusted domains. See
* for example.
* The absence of msDS-TrustForestTrustInfo attribute denotes a domain from
* the same forest. See
* for more information.
#define SLAVE_DOMAIN_FILTER_BASE "(objectclass=trustedDomain)(trustType=2)(!(msDS-TrustForestTrustInfo=*))"
/* do not refresh more often than every 5 seconds for now */
static errno_t
struct sss_domain_info *subdom,
struct ad_id_ctx **_subdom_id_ctx)
struct ad_options *ad_options;
const char *gc_service_name;
struct ad_srv_plugin_ctx *srv_ctx;
char *ad_domain;
char *ad_site_override;
struct sdap_domain *sdom;
const char *realm;
const char *hostname;
const char *keytab;
return EINVAL;
if (ad_options == NULL) {
return ENOMEM;
if (gc_service_name == NULL) {
return ENOMEM;
return ret;
return ENOMEM;
/* use AD plugin */
return ENOMEM;
return ret;
return EFAULT;
/* Set up the ID mapping object */
return EOK;
struct ad_subdomains_ctx {
struct sdap_id_ctx *sdap_id_ctx;
struct sdap_domain *sdom;
char *domain_name;
struct sysdb_attrs *attrs,
bool *_enumerates)
const char *name;
return ret;
return EOK;
static errno_t
struct sss_domain_info *domain,
struct sysdb_attrs *subdom_attrs,
bool enumerate)
const char *name;
char *realm;
const char *flat;
enum idmap_error_code err;
struct ldb_message_element *el;
bool mpg;
goto done;
goto done;
goto done;
if (!realm) {
goto done;
if (ret) {
goto done;
goto done;
if (err != IDMAP_SUCCESS) {
goto done;
goto done;
return ret;
struct sdap_idmap_ctx *idmap_ctx,
struct sdap_options *opts,
struct sysdb_attrs **subdomains,
bool root_domain,
bool *_changes)
struct sdap_domain *sdom;
struct sss_domain_info *domain;
struct sss_domain_info *dom;
bool handled[num_subdomains];
const char *value;
size_t c, h;
int ret;
bool enumerate;
h = 0;
if (root_domain) {
goto done;
/* check existing subdomains */
/* If we are handling root domain, skip all the other domains. We don't
* want to accidentally remove non-root domains
for (c = 0; c < num_subdomains; c++) {
if (handled[c]) {
goto done;
if (c >= num_subdomains) {
/* ok this subdomain does not exist anymore, let's clean up */
goto done;
/* Remove the subdomain from the list of LDAP domains */
/* terminate all requests for this subdomain so we can free it */
} else {
/* ok let's try to update it */
goto done;
if (ret) {
/* Nothing we can do about the error. Let's at least try
* to reuse the existing domains
"will try to use cached subdomain\n");
handled[c] = true;
if (num_subdomains == h) {
/* all domains were already accounted for and have been updated */
*_changes = false;
goto done;
/* if we get here it means we have changes to the subdomains list */
*_changes = true;
for (c = 0; c < num_subdomains; c++) {
if (handled[c]) {
/* Nothing we can do about the error. Let's at least try
* to reuse the existing domains.
goto done;
if (ret) {
"will try to use cached subdomain\n");
*_last_refreshed = 0;
} else {
return ret;
struct sss_domain_info *domain,
struct sysdb_attrs *root,
struct sysdb_attrs ***_sd_out)
struct sysdb_attrs **sd_out;
const char *sd_name;
/* We are connected directly to the root domain. The 'sd'
* list is complete and we can just use it
return EOK;
/* If we searched for root separately, we must:
* a) treat the root domain as a subdomain
* b) filter the subdomain we are connected to from the subdomain
* list, from our point of view, it's the master domain
return ENOMEM;
sdi = 0;
for (i = 0; i < nsd; i++) {
goto fail;
"Not including primary domain %s in the subdomain list\n",
/* Now include the root */
return EOK;
return ret;
static errno_t
struct sss_domain_info *parent)
int ret;
struct sdap_domain *sditer;
struct ad_id_ctx *subdom_id_ctx;
return ret;
} else {
return EOK;
const char *path;
bool canonicalize;
/* Just continue */
return ret;
/* Just continue */
return ret;
return EOK;
struct ad_get_slave_domain_state {
struct tevent_context *ev;
struct ad_subdomains_ctx *sd_ctx;
struct sdap_options *opts;
struct sdap_idmap_ctx *idmap_ctx;
struct sysdb_attrs *root_attrs;
struct sdap_id_op *sdap_op;
static struct tevent_req *
struct tevent_context *ev,
struct ad_subdomains_ctx *sd_ctx,
struct sysdb_attrs *root_attrs,
struct ad_id_ctx *root_id_ctx)
struct ad_get_slave_domain_state *state;
struct tevent_req *req;
struct ad_get_slave_domain_state);
return NULL;
goto immediately;
/* asynchronous processing */
return req;
} else {
return req;
struct ad_get_slave_domain_state *state;
struct tevent_req *subreq;
int ret;
return ret;
return EAGAIN;
struct ad_get_slave_domain_state *state;
int dp_error;
if (dp_error == DP_ERR_OFFLINE) {
"cannot get the subdomain list while offline\n");
NULL, false, 0,
struct ad_get_slave_domain_state *state;
struct tevent_req *req;
struct sysdb_attrs **reply;
struct sysdb_attrs **subdoms;
bool has_changes;
int dp_error;
/* We continue to finish sdap_id_op. */
/* retry */
goto done;
} else if (dp_error == DP_ERR_OFFLINE) {
goto done;
goto done;
/* Based on whether we are connected to the forest root or not, we might
* need to exclude the subdomain we are connected to from the list of
* subdomains.
/* Got all the subdomains, let's process them. */
goto done;
if (has_changes) {
goto done;
return EOK;
static struct sss_domain_info *
struct sss_domain_info *root;
const char *name;
return NULL;
/* With a subsequent run, the root should already be known */
return root;
static struct ad_id_ctx *
struct sss_domain_info *root_domain,
struct sdap_options *opts)
struct sdap_domain *sdom;
struct ad_id_ctx *root_id_ctx;
return NULL;
return NULL;
} else {
return root_id_ctx;
struct ad_get_root_domain_state {
struct ad_subdomains_ctx *sd_ctx;
struct sdap_idmap_ctx *idmap_ctx;
struct sdap_options *opts;
struct ad_id_ctx *root_id_ctx;
struct sysdb_attrs *root_domain_attrs;
static struct tevent_req *
struct tevent_context *ev,
const char *forest,
struct sdap_handle *sh,
struct ad_subdomains_ctx *sd_ctx)
struct ad_get_root_domain_state *state;
struct tevent_req *subreq;
struct tevent_req *req;
struct sdap_options *opts;
const char *filter;
return NULL;
goto immediately;
goto immediately;
goto immediately;
return req;
} else {
return req;
struct tevent_req *req;
struct ad_get_root_domain_state *state;
struct sysdb_attrs **reply;
struct sss_domain_info *root_domain;
bool has_changes;
goto done;
if (reply_count == 0) {
goto done;
} else if (reply_count > 1) {
"domain list might be incomplete!\n");
goto done;
reply, reply_count, true,
goto done;
if (has_changes) {
goto done;
if (root_domain == NULL) {
goto done;
goto done;
struct tevent_req *req,
struct sysdb_attrs **_attrs,
return EOK;
struct ad_subdomains_refresh_state {
struct tevent_context *ev;
struct ad_subdomains_ctx *sd_ctx;
struct sdap_id_op *sdap_op;
struct sdap_id_ctx *id_ctx;
struct ad_options *ad_options;
static struct tevent_req *
struct tevent_context *ev,
struct ad_subdomains_ctx *sd_ctx)
struct ad_subdomains_refresh_state *state;
struct tevent_req *req;
struct ad_subdomains_refresh_state);
return NULL;
goto immediately;
/* asynchronous processing */
return req;
} else {
return req;
struct ad_subdomains_refresh_state *state;
struct tevent_req *subreq;
int ret;
return ret;
return EAGAIN;
struct ad_subdomains_refresh_state *state;
struct tevent_req *req;
int dp_error;
if (dp_error == DP_ERR_OFFLINE) {
"cannot get the subdomain list while offline\n");
struct ad_subdomains_refresh_state *state;
struct tevent_req *req;
const char *realm;
char *master_sid;
char *flat_name;
char *forest;
goto done;
goto done;
goto done;
goto done;
struct ad_subdomains_refresh_state *state;
struct tevent_req *req;
struct ad_id_ctx *root_id_ctx;
struct sysdb_attrs *root_attrs;
int dp_error;
root_attrs = NULL;
root_id_ctx = NULL;
/* We continue to finish sdap_id_op. */
/* We finish sdap_id_op here since we connect
* to forest root for slave domains. */
/* retry */
} else if (dp_error == DP_ERR_OFFLINE) {
struct tevent_req *req;
return EOK;
struct ad_subdomains_handler_state {
struct dp_reply_std reply;
static struct tevent_req *
struct ad_subdomains_ctx *sd_ctx,
struct dp_subdomains_data *data,
struct dp_req_params *params)
struct ad_subdomains_handler_state *state;
struct tevent_req *req;
struct tevent_req *subreq;
struct ad_subdomains_handler_state);
return NULL;
"nothing to do\n");
goto immediately;
goto immediately;
return req;
/* TODO For backward compatibility we always return EOK to DP now. */
return req;
struct ad_subdomains_handler_state *state;
struct tevent_req *req;
/* TODO For backward compatibility we always return EOK to DP now. */
struct tevent_req *req,
struct dp_reply_std *data)
struct ad_subdomains_handler_state *state;
return EOK;
static struct tevent_req *
struct tevent_context *ev,
void *pvt)
struct ad_subdomains_ctx *sd_ctx;
static errno_t
return ad_subdomains_refresh_recv(req);
struct dp_method *dp_methods)
struct ad_subdomains_ctx *sd_ctx;
const char *ad_domain;
return ENOMEM;
return ENOMEM;
"Subdomains Refresh", NULL);
/* Ignore, responders will trigger refresh from time to time. */
"Users from trusted domains might not be resolved correctly\n");
/* Ignore this error and try to discover the subdomains later */
return EOK;