search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3:libsmb: Add in the core of the libsmb client SMB2 functions.
[Samba.git] / source3 / winbindd / winbindd_ads.c
blob4c2638900ffa1cb609e7c932147ca27ef9e5d7e4
1 /*
2 Unix SMB/CIFS implementation.
3
4 Winbind ADS backend functions
5
6 Copyright (C) Andrew Tridgell 2001
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003
8 Copyright (C) Gerald (Jerry) Carter 2004
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "winbindd.h"
26 #include "rpc_client/rpc_client.h"
27 #include "../librpc/gen_ndr/ndr_netlogon_c.h"
28 #include "../libds/common/flags.h"
29 #include "ads.h"
30 #include "../libcli/ldap/ldap_ndr.h"
31 #include "../libcli/security/security.h"
32 #include "../libds/common/flag_mapping.h"
33 #include "passdb.h"
34
35 #ifdef HAVE_ADS
36
37 #undef DBGC_CLASS
38 #define DBGC_CLASS DBGC_WINBIND
39
40 extern struct winbindd_methods reconnect_methods;
41
42 #define WINBIND_CCACHE_NAME "MEMORY:winbind_ccache"
43
44 /**
45 * Check if cached connection can be reused. If the connection cannot
46 * be reused the ADS_STRUCT is freed and the pointer is set to NULL.
47 */
48 static void ads_cached_connection_reuse(ADS_STRUCT **adsp)
49 {
50
51 ADS_STRUCT *ads = *adsp;
52
53 if (ads != NULL) {
54 time_t expire;
55 time_t now = time(NULL);
56
57 expire = MIN(ads->auth.tgt_expire, ads->auth.tgs_expire);
58
59 DEBUG(7, ("Current tickets expire in %d seconds (at %d, time "
60 "is now %d)\n", (uint32)expire - (uint32)now,
61 (uint32) expire, (uint32) now));
62
63 if ( ads->config.realm && (expire > now)) {
64 return;
65 } else {
66 /* we own this ADS_STRUCT so make sure it goes away */
67 DEBUG(7,("Deleting expired krb5 credential cache\n"));
68 ads->is_mine = True;
69 ads_destroy( &ads );
70 ads_kdestroy(WINBIND_CCACHE_NAME);
71 *adsp = NULL;
72 }
73 }
74 }
75
76 static ADS_STATUS ads_cached_connection_connect(ADS_STRUCT **adsp,
77 const char *dom_name_alt,
78 const char *dom_name,
79 const char *ldap_server,
80 char *password,
81 char *realm,
82 time_t renewable)
83 {
84 ADS_STRUCT *ads;
85 ADS_STATUS status;
86 struct sockaddr_storage dc_ss;
87 fstring dc_name;
88
89 if (realm == NULL) {
90 return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
91 }
92
93 /* we don't want this to affect the users ccache */
94 setenv("KRB5CCNAME", WINBIND_CCACHE_NAME, 1);
95
96 ads = ads_init(dom_name_alt, dom_name, ldap_server);
97 if (!ads) {
98 DEBUG(1,("ads_init for domain %s failed\n", dom_name));
99 return ADS_ERROR(LDAP_NO_MEMORY);
100 }
101
102 SAFE_FREE(ads->auth.password);
103 SAFE_FREE(ads->auth.realm);
104
105 ads->auth.renewable = renewable;
106 ads->auth.password = password;
107
108 ads->auth.realm = SMB_STRDUP(realm);
109 if (!strupper_m(ads->auth.realm)) {
110 ads_destroy(&ads);
111 return ADS_ERROR_NT(NT_STATUS_INTERNAL_ERROR);
112 }
113
114 /* Setup the server affinity cache. We don't reaally care
115 about the name. Just setup affinity and the KRB5_CONFIG
116 file. */
117 get_dc_name(ads->server.workgroup, ads->server.realm, dc_name, &dc_ss);
118
119 status = ads_connect(ads);
120 if (!ADS_ERR_OK(status)) {
121 DEBUG(1,("ads_connect for domain %s failed: %s\n",
122 dom_name, ads_errstr(status)));
123 ads_destroy(&ads);
124 return status;
125 }
126
127 /* set the flag that says we don't own the memory even
128 though we do so that ads_destroy() won't destroy the
129 structure we pass back by reference */
130
131 ads->is_mine = False;
132
133 *adsp = ads;
134
135 return status;
136 }
137
138 ADS_STATUS ads_idmap_cached_connection(ADS_STRUCT **adsp, const char *dom_name)
139 {
140 char *ldap_server, *realm, *password;
141 struct winbindd_domain *wb_dom;
142 ADS_STATUS status;
143
144 ads_cached_connection_reuse(adsp);
145 if (*adsp != NULL) {
146 return ADS_SUCCESS;
147 }
148
149 /*
150 * At this point we only have the NetBIOS domain name.
151 * Check if we can get server nam and realm from SAF cache
152 * and the domain list.
153 */
154 ldap_server = saf_fetch(dom_name);
155 DEBUG(10, ("ldap_server from saf cache: '%s'\n",
156 ldap_server ? ldap_server : ""));
157
158 wb_dom = find_domain_from_name(dom_name);
159 if (wb_dom == NULL) {
160 DEBUG(10, ("could not find domain '%s'\n", dom_name));
161 return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
162 }
163
164 DEBUG(10, ("find_domain_from_name found realm '%s' for "
165 " domain '%s'\n", wb_dom->alt_name, dom_name));
166
167 if (!get_trust_pw_clear(dom_name, &password, NULL, NULL)) {
168 return ADS_ERROR_NT(NT_STATUS_CANT_ACCESS_DOMAIN_INFO);
169 }
170
171 if (IS_DC) {
172 realm = SMB_STRDUP(wb_dom->alt_name);
173 } else {
174 struct winbindd_domain *our_domain = wb_dom;
175
176 /* always give preference to the alt_name in our
177 primary domain if possible */
178
179 if (!wb_dom->primary) {
180 our_domain = find_our_domain();
181 }
182
183 if (our_domain->alt_name != NULL) {
184 realm = SMB_STRDUP(our_domain->alt_name);
185 } else {
186 realm = SMB_STRDUP(lp_realm());
187 }
188 }
189
190 status = ads_cached_connection_connect(adsp, realm, dom_name, ldap_server,
191 password, realm, 0);
192 SAFE_FREE(realm);
193
194 return status;
195 }
196
197 /*
198 return our ads connections structure for a domain. We keep the connection
199 open to make things faster
200 */
201 static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain)
202 {
203 ADS_STATUS status;
204 char *password, *realm;
205
206 DEBUG(10,("ads_cached_connection\n"));
207 ads_cached_connection_reuse((ADS_STRUCT **)&domain->private_data);
208
209 if (domain->private_data) {
210 return (ADS_STRUCT *)domain->private_data;
211 }
212
213 /* the machine acct password might have change - fetch it every time */
214
215 if (!get_trust_pw_clear(domain->name, &password, NULL, NULL)) {
216 return NULL;
217 }
218
219 if ( IS_DC ) {
220
221 realm = SMB_STRDUP(domain->alt_name);
222 }
223 else {
224 struct winbindd_domain *our_domain = domain;
225
226
227 /* always give preference to the alt_name in our
228 primary domain if possible */
229
230 if ( !domain->primary )
231 our_domain = find_our_domain();
232
233 if (our_domain->alt_name != NULL) {
234 realm = SMB_STRDUP( our_domain->alt_name );
235 }
236 else
237 realm = SMB_STRDUP( lp_realm() );
238 }
239
240 status = ads_cached_connection_connect(
241 (ADS_STRUCT **)&domain->private_data,
242 domain->alt_name,
243 domain->name, NULL,
244 password, realm,
245 WINBINDD_PAM_AUTH_KRB5_RENEW_TIME);
246 SAFE_FREE(realm);
247
248 if (!ADS_ERR_OK(status)) {
249 /* if we get ECONNREFUSED then it might be a NT4
250 server, fall back to MSRPC */
251 if (status.error_type == ENUM_ADS_ERROR_SYSTEM &&
252 status.err.rc == ECONNREFUSED) {
253 /* 'reconnect_methods' is the MS-RPC backend. */
254 DEBUG(1,("Trying MSRPC methods\n"));
255 domain->backend = &reconnect_methods;
256 }
257 return NULL;
258 }
259
260 return (ADS_STRUCT *)domain->private_data;
261 }
262
263 /* Query display info for a realm. This is the basic user list fn */
264 static NTSTATUS query_user_list(struct winbindd_domain *domain,
265 TALLOC_CTX *mem_ctx,
266 uint32 *num_entries,
267 struct wbint_userinfo **pinfo)
268 {
269 ADS_STRUCT *ads = NULL;
270 const char *attrs[] = { "*", NULL };
271 int i, count;
272 ADS_STATUS rc;
273 LDAPMessage *res = NULL;
274 LDAPMessage *msg = NULL;
275 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
276
277 *num_entries = 0;
278
279 DEBUG(3,("ads: query_user_list\n"));
280
281 if ( !winbindd_can_contact_domain( domain ) ) {
282 DEBUG(10,("query_user_list: No incoming trust for domain %s\n",
283 domain->name));
284 return NT_STATUS_OK;
285 }
286
287 ads = ads_cached_connection(domain);
288
289 if (!ads) {
290 domain->last_status = NT_STATUS_SERVER_DISABLED;
291 goto done;
292 }
293
294 rc = ads_search_retry(ads, &res, "(objectCategory=user)", attrs);
295 if (!ADS_ERR_OK(rc)) {
296 DEBUG(1,("query_user_list ads_search: %s\n", ads_errstr(rc)));
297 status = ads_ntstatus(rc);
298 } else if (!res) {
299 DEBUG(1,("query_user_list ads_search returned NULL res\n"));
300
301 goto done;
302 }
303
304 count = ads_count_replies(ads, res);
305 if (count == 0) {
306 DEBUG(1,("query_user_list: No users found\n"));
307 goto done;
308 }
309
310 (*pinfo) = talloc_zero_array(mem_ctx, struct wbint_userinfo, count);
311 if (!*pinfo) {
312 status = NT_STATUS_NO_MEMORY;
313 goto done;
314 }
315
316 count = 0;
317
318 for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
319 struct wbint_userinfo *info = &((*pinfo)[count]);
320 uint32 group;
321 uint32 atype;
322
323 if (!ads_pull_uint32(ads, msg, "sAMAccountType", &atype) ||
324 ds_atype_map(atype) != SID_NAME_USER) {
325 DEBUG(1,("Not a user account? atype=0x%x\n", atype));
326 continue;
327 }
328
329 info->acct_name = ads_pull_username(ads, mem_ctx, msg);
330 info->full_name = ads_pull_string(ads, mem_ctx, msg, "name");
331 info->homedir = NULL;
332 info->shell = NULL;
333 info->primary_gid = (gid_t)-1;
334
335 if (!ads_pull_sid(ads, msg, "objectSid",
336 &info->user_sid)) {
337 DEBUG(1, ("No sid for %s !?\n", info->acct_name));
338 continue;
339 }
340
341 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &group)) {
342 DEBUG(1, ("No primary group for %s !?\n",
343 info->acct_name));
344 continue;
345 }
346 sid_compose(&info->group_sid, &domain->sid, group);
347
348 count += 1;
349 }
350
351 (*num_entries) = count;
352 ads_msgfree(ads, res);
353
354 for (i=0; i<count; i++) {
355 struct wbint_userinfo *info = &((*pinfo)[i]);
356 const char *gecos = NULL;
357 gid_t primary_gid = (gid_t)-1;
358
359 status = nss_get_info_cached(domain, &info->user_sid, mem_ctx,
360 &info->homedir, &info->shell,
361 &gecos, &primary_gid);
362 if (!NT_STATUS_IS_OK(status)) {
363 /*
364 * Deliberately ignore this error, there might be more
365 * users to fill
366 */
367 continue;
368 }
369
370 if (gecos != NULL) {
371 info->full_name = gecos;
372 }
373 info->primary_gid = primary_gid;
374 }
375
376 status = NT_STATUS_OK;
377
378 DEBUG(3,("ads query_user_list gave %d entries\n", (*num_entries)));
379
380 done:
381 return status;
382 }
383
384 /* list all domain groups */
385 static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
386 TALLOC_CTX *mem_ctx,
387 uint32 *num_entries,
388 struct wb_acct_info **info)
389 {
390 ADS_STRUCT *ads = NULL;
391 const char *attrs[] = {"userPrincipalName", "sAMAccountName",
392 "name", "objectSid", NULL};
393 int i, count;
394 ADS_STATUS rc;
395 LDAPMessage *res = NULL;
396 LDAPMessage *msg = NULL;
397 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
398 const char *filter;
399 bool enum_dom_local_groups = False;
400
401 *num_entries = 0;
402
403 DEBUG(3,("ads: enum_dom_groups\n"));
404
405 if ( !winbindd_can_contact_domain( domain ) ) {
406 DEBUG(10,("enum_dom_groups: No incoming trust for domain %s\n",
407 domain->name));
408 return NT_STATUS_OK;
409 }
410
411 /* only grab domain local groups for our domain */
412 if ( domain->active_directory && strequal(lp_realm(), domain->alt_name) ) {
413 enum_dom_local_groups = True;
414 }
415
416 /* Workaround ADS LDAP bug present in MS W2K3 SP0 and W2K SP4 w/o
417 * rollup-fixes:
418 *
419 * According to Section 5.1(4) of RFC 2251 if a value of a type is it's
420 * default value, it MUST be absent. In case of extensible matching the
421 * "dnattr" boolean defaults to FALSE and so it must be only be present
422 * when set to TRUE.
423 *
424 * When it is set to FALSE and the OpenLDAP lib (correctly) encodes a
425 * filter using bitwise matching rule then the buggy AD fails to decode
426 * the extensible match. As a workaround set it to TRUE and thereby add
427 * the dnAttributes "dn" field to cope with those older AD versions.
428 * It should not harm and won't put any additional load on the AD since
429 * none of the dn components have a bitmask-attribute.
430 *
431 * Thanks to Ralf Haferkamp for input and testing - Guenther */
432
433 filter = talloc_asprintf(mem_ctx, "(&(objectCategory=group)(&(groupType:dn:%s:=%d)(!(groupType:dn:%s:=%d))))",
434 ADS_LDAP_MATCHING_RULE_BIT_AND, GROUP_TYPE_SECURITY_ENABLED,
435 ADS_LDAP_MATCHING_RULE_BIT_AND,
436 enum_dom_local_groups ? GROUP_TYPE_BUILTIN_LOCAL_GROUP : GROUP_TYPE_RESOURCE_GROUP);
437
438 if (filter == NULL) {
439 status = NT_STATUS_NO_MEMORY;
440 goto done;
441 }
442
443 ads = ads_cached_connection(domain);
444
445 if (!ads) {
446 domain->last_status = NT_STATUS_SERVER_DISABLED;
447 goto done;
448 }
449
450 rc = ads_search_retry(ads, &res, filter, attrs);
451 if (!ADS_ERR_OK(rc)) {
452 status = ads_ntstatus(rc);
453 DEBUG(1,("enum_dom_groups ads_search: %s\n", ads_errstr(rc)));
454 goto done;
455 } else if (!res) {
456 DEBUG(1,("enum_dom_groups ads_search returned NULL res\n"));
457 goto done;
458 }
459
460 count = ads_count_replies(ads, res);
461 if (count == 0) {
462 DEBUG(1,("enum_dom_groups: No groups found\n"));
463 goto done;
464 }
465
466 (*info) = talloc_zero_array(mem_ctx, struct wb_acct_info, count);
467 if (!*info) {
468 status = NT_STATUS_NO_MEMORY;
469 goto done;
470 }
471
472 i = 0;
473
474 for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
475 char *name, *gecos;
476 struct dom_sid sid;
477 uint32 rid;
478
479 name = ads_pull_username(ads, mem_ctx, msg);
480 gecos = ads_pull_string(ads, mem_ctx, msg, "name");
481 if (!ads_pull_sid(ads, msg, "objectSid", &sid)) {
482 DEBUG(1,("No sid for %s !?\n", name));
483 continue;
484 }
485
486 if (!sid_peek_check_rid(&domain->sid, &sid, &rid)) {
487 DEBUG(1,("No rid for %s !?\n", name));
488 continue;
489 }
490
491 fstrcpy((*info)[i].acct_name, name);
492 fstrcpy((*info)[i].acct_desc, gecos);
493 (*info)[i].rid = rid;
494 i++;
495 }
496
497 (*num_entries) = i;
498
499 status = NT_STATUS_OK;
500
501 DEBUG(3,("ads enum_dom_groups gave %d entries\n", (*num_entries)));
502
503 done:
504 if (res)
505 ads_msgfree(ads, res);
506
507 return status;
508 }
509
510 /* list all domain local groups */
511 static NTSTATUS enum_local_groups(struct winbindd_domain *domain,
512 TALLOC_CTX *mem_ctx,
513 uint32 *num_entries,
514 struct wb_acct_info **info)
515 {
516 /*
517 * This is a stub function only as we returned the domain
518 * local groups in enum_dom_groups() if the domain->native field
519 * was true. This is a simple performance optimization when
520 * using LDAP.
521 *
522 * if we ever need to enumerate domain local groups separately,
523 * then this optimization in enum_dom_groups() will need
524 * to be split out
525 */
526 *num_entries = 0;
527
528 return NT_STATUS_OK;
529 }
530
531 /* convert a single name to a sid in a domain - use rpc methods */
532 static NTSTATUS name_to_sid(struct winbindd_domain *domain,
533 TALLOC_CTX *mem_ctx,
534 const char *domain_name,
535 const char *name,
536 uint32_t flags,
537 struct dom_sid *sid,
538 enum lsa_SidType *type)
539 {
540 return reconnect_methods.name_to_sid(domain, mem_ctx,
541 domain_name, name, flags,
542 sid, type);
543 }
544
545 /* convert a domain SID to a user or group name - use rpc methods */
546 static NTSTATUS sid_to_name(struct winbindd_domain *domain,
547 TALLOC_CTX *mem_ctx,
548 const struct dom_sid *sid,
549 char **domain_name,
550 char **name,
551 enum lsa_SidType *type)
552 {
553 return reconnect_methods.sid_to_name(domain, mem_ctx, sid,
554 domain_name, name, type);
555 }
556
557 /* convert a list of rids to names - use rpc methods */
558 static NTSTATUS rids_to_names(struct winbindd_domain *domain,
559 TALLOC_CTX *mem_ctx,
560 const struct dom_sid *sid,
561 uint32 *rids,
562 size_t num_rids,
563 char **domain_name,
564 char ***names,
565 enum lsa_SidType **types)
566 {
567 return reconnect_methods.rids_to_names(domain, mem_ctx, sid,
568 rids, num_rids,
569 domain_name, names, types);
570 }
571
572 /* If you are looking for "dn_lookup": Yes, it used to be here!
573 * It has gone now since it was a major speed bottleneck in
574 * lookup_groupmem (its only use). It has been replaced by
575 * an rpc lookup sids call... R.I.P. */
576
577 /* Lookup user information from a rid */
578 static NTSTATUS query_user(struct winbindd_domain *domain,
579 TALLOC_CTX *mem_ctx,
580 const struct dom_sid *sid,
581 struct wbint_userinfo *info)
582 {
583 ADS_STRUCT *ads = NULL;
584 const char *attrs[] = { "*", NULL };
585 ADS_STATUS rc;
586 int count;
587 LDAPMessage *msg = NULL;
588 char *ldap_exp;
589 char *sidstr;
590 uint32 group_rid;
591 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
592 struct netr_SamInfo3 *user = NULL;
593 gid_t gid = -1;
594 int ret;
595 char *ads_name;
596
597 DEBUG(3,("ads: query_user\n"));
598
599 info->homedir = NULL;
600 info->shell = NULL;
601
602 /* try netsamlogon cache first */
603
604 if ( (user = netsamlogon_cache_get( mem_ctx, sid )) != NULL )
605 {
606 DEBUG(5,("query_user: Cache lookup succeeded for %s\n",
607 sid_string_dbg(sid)));
608
609 sid_compose(&info->user_sid, &domain->sid, user->base.rid);
610 sid_compose(&info->group_sid, &domain->sid, user->base.primary_gid);
611
612 info->acct_name = talloc_strdup(mem_ctx, user->base.account_name.string);
613 info->full_name = talloc_strdup(mem_ctx, user->base.full_name.string);
614
615 nss_get_info_cached( domain, sid, mem_ctx,
616 &info->homedir, &info->shell, &info->full_name,
617 &gid );
618 info->primary_gid = gid;
619
620 TALLOC_FREE(user);
621
622 return NT_STATUS_OK;
623 }
624
625 if ( !winbindd_can_contact_domain(domain)) {
626 DEBUG(8,("query_user: No incoming trust from domain %s\n",
627 domain->name));
628
629 /* We still need to generate some basic information
630 about the user even if we cannot contact the
631 domain. Most of this stuff we can deduce. */
632
633 sid_copy( &info->user_sid, sid );
634
635 /* Assume "Domain Users" for the primary group */
636
637 sid_compose(&info->group_sid, &domain->sid, DOMAIN_RID_USERS );
638
639 /* Try to fill in what the nss_info backend can do */
640
641 nss_get_info_cached( domain, sid, mem_ctx,
642 &info->homedir, &info->shell, &info->full_name,
643 &gid);
644 info->primary_gid = gid;
645
646 return NT_STATUS_OK;
647 }
648
649 /* no cache...do the query */
650
651 if ( (ads = ads_cached_connection(domain)) == NULL ) {
652 domain->last_status = NT_STATUS_SERVER_DISABLED;
653 return NT_STATUS_SERVER_DISABLED;
654 }
655
656 sidstr = ldap_encode_ndr_dom_sid(talloc_tos(), sid);
657
658 ret = asprintf(&ldap_exp, "(objectSid=%s)", sidstr);
659 TALLOC_FREE(sidstr);
660 if (ret == -1) {
661 return NT_STATUS_NO_MEMORY;
662 }
663 rc = ads_search_retry(ads, &msg, ldap_exp, attrs);
664 SAFE_FREE(ldap_exp);
665 if (!ADS_ERR_OK(rc)) {
666 DEBUG(1,("query_user(sid=%s) ads_search: %s\n",
667 sid_string_dbg(sid), ads_errstr(rc)));
668 return ads_ntstatus(rc);
669 } else if (!msg) {
670 DEBUG(1,("query_user(sid=%s) ads_search returned NULL res\n",
671 sid_string_dbg(sid)));
672 return NT_STATUS_INTERNAL_ERROR;
673 }
674
675 count = ads_count_replies(ads, msg);
676 if (count != 1) {
677 DEBUG(1,("query_user(sid=%s): Not found\n",
678 sid_string_dbg(sid)));
679 ads_msgfree(ads, msg);
680 return NT_STATUS_NO_SUCH_USER;
681 }
682
683 info->acct_name = ads_pull_username(ads, mem_ctx, msg);
684
685 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &group_rid)) {
686 DEBUG(1,("No primary group for %s !?\n",
687 sid_string_dbg(sid)));
688 ads_msgfree(ads, msg);
689 return NT_STATUS_NO_SUCH_USER;
690 }
691 sid_copy(&info->user_sid, sid);
692 sid_compose(&info->group_sid, &domain->sid, group_rid);
693
694 /*
695 * We have to fetch the "name" attribute before doing the
696 * nss_get_info_cached call. nss_get_info_cached might destroy
697 * the ads struct, potentially invalidating the ldap message.
698 */
699 ads_name = ads_pull_string(ads, mem_ctx, msg, "name");
700
701 ads_msgfree(ads, msg);
702 msg = NULL;
703
704 status = nss_get_info_cached( domain, sid, mem_ctx,
705 &info->homedir, &info->shell, &info->full_name,
706 &gid);
707 info->primary_gid = gid;
708 if (!NT_STATUS_IS_OK(status)) {
709 DEBUG(1, ("nss_get_info_cached failed: %s\n",
710 nt_errstr(status)));
711 return status;
712 }
713
714 if (info->full_name == NULL) {
715 info->full_name = ads_name;
716 } else {
717 TALLOC_FREE(ads_name);
718 }
719
720 status = NT_STATUS_OK;
721
722 DEBUG(3,("ads query_user gave %s\n", info->acct_name));
723 return NT_STATUS_OK;
724 }
725
726 /* Lookup groups a user is a member of - alternate method, for when
727 tokenGroups are not available. */
728 static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain,
729 TALLOC_CTX *mem_ctx,
730 const char *user_dn,
731 struct dom_sid *primary_group,
732 uint32_t *p_num_groups, struct dom_sid **user_sids)
733 {
734 ADS_STATUS rc;
735 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
736 int count;
737 LDAPMessage *res = NULL;
738 LDAPMessage *msg = NULL;
739 char *ldap_exp;
740 ADS_STRUCT *ads;
741 const char *group_attrs[] = {"objectSid", NULL};
742 char *escaped_dn;
743 uint32_t num_groups = 0;
744
745 DEBUG(3,("ads: lookup_usergroups_member\n"));
746
747 if ( !winbindd_can_contact_domain( domain ) ) {
748 DEBUG(10,("lookup_usergroups_members: No incoming trust for domain %s\n",
749 domain->name));
750 return NT_STATUS_OK;
751 }
752
753 ads = ads_cached_connection(domain);
754
755 if (!ads) {
756 domain->last_status = NT_STATUS_SERVER_DISABLED;
757 goto done;
758 }
759
760 if (!(escaped_dn = escape_ldap_string(talloc_tos(), user_dn))) {
761 status = NT_STATUS_NO_MEMORY;
762 goto done;
763 }
764
765 ldap_exp = talloc_asprintf(mem_ctx,
766 "(&(member=%s)(objectCategory=group)(groupType:dn:%s:=%d))",
767 escaped_dn,
768 ADS_LDAP_MATCHING_RULE_BIT_AND,
769 GROUP_TYPE_SECURITY_ENABLED);
770 if (!ldap_exp) {
771 DEBUG(1,("lookup_usergroups(dn=%s) asprintf failed!\n", user_dn));
772 TALLOC_FREE(escaped_dn);
773 status = NT_STATUS_NO_MEMORY;
774 goto done;
775 }
776
777 TALLOC_FREE(escaped_dn);
778
779 rc = ads_search_retry(ads, &res, ldap_exp, group_attrs);
780
781 if (!ADS_ERR_OK(rc)) {
782 DEBUG(1,("lookup_usergroups ads_search member=%s: %s\n", user_dn, ads_errstr(rc)));
783 return ads_ntstatus(rc);
784 } else if (!res) {
785 DEBUG(1,("lookup_usergroups ads_search returned NULL res\n"));
786 return NT_STATUS_INTERNAL_ERROR;
787 }
788
789
790 count = ads_count_replies(ads, res);
791
792 *user_sids = NULL;
793 num_groups = 0;
794
795 /* always add the primary group to the sid array */
796 status = add_sid_to_array(mem_ctx, primary_group, user_sids,
797 &num_groups);
798 if (!NT_STATUS_IS_OK(status)) {
799 goto done;
800 }
801
802 if (count > 0) {
803 for (msg = ads_first_entry(ads, res); msg;
804 msg = ads_next_entry(ads, msg)) {
805 struct dom_sid group_sid;
806
807 if (!ads_pull_sid(ads, msg, "objectSid", &group_sid)) {
808 DEBUG(1,("No sid for this group ?!?\n"));
809 continue;
810 }
811
812 /* ignore Builtin groups from ADS - Guenther */
813 if (sid_check_is_in_builtin(&group_sid)) {
814 continue;
815 }
816
817 status = add_sid_to_array(mem_ctx, &group_sid,
818 user_sids, &num_groups);
819 if (!NT_STATUS_IS_OK(status)) {
820 goto done;
821 }
822 }
823
824 }
825
826 *p_num_groups = num_groups;
827 status = (user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
828
829 DEBUG(3,("ads lookup_usergroups (member) succeeded for dn=%s\n", user_dn));
830 done:
831 if (res)
832 ads_msgfree(ads, res);
833
834 return status;
835 }
836
837 /* Lookup groups a user is a member of - alternate method, for when
838 tokenGroups are not available. */
839 static NTSTATUS lookup_usergroups_memberof(struct winbindd_domain *domain,
840 TALLOC_CTX *mem_ctx,
841 const char *user_dn,
842 struct dom_sid *primary_group,
843 uint32_t *p_num_groups,
844 struct dom_sid **user_sids)
845 {
846 ADS_STATUS rc;
847 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
848 ADS_STRUCT *ads;
849 const char *attrs[] = {"memberOf", NULL};
850 uint32_t num_groups = 0;
851 struct dom_sid *group_sids = NULL;
852 int i;
853 char **strings = NULL;
854 size_t num_strings = 0, num_sids = 0;
855
856
857 DEBUG(3,("ads: lookup_usergroups_memberof\n"));
858
859 if ( !winbindd_can_contact_domain( domain ) ) {
860 DEBUG(10,("lookup_usergroups_memberof: No incoming trust for "
861 "domain %s\n", domain->name));
862 return NT_STATUS_OK;
863 }
864
865 ads = ads_cached_connection(domain);
866
867 if (!ads) {
868 domain->last_status = NT_STATUS_SERVER_DISABLED;
869 return NT_STATUS_UNSUCCESSFUL;
870 }
871
872 rc = ads_search_retry_extended_dn_ranged(ads, mem_ctx, user_dn, attrs,
873 ADS_EXTENDED_DN_HEX_STRING,
874 &strings, &num_strings);
875
876 if (!ADS_ERR_OK(rc)) {
877 DEBUG(1,("lookup_usergroups_memberof ads_search "
878 "member=%s: %s\n", user_dn, ads_errstr(rc)));
879 return ads_ntstatus(rc);
880 }
881
882 *user_sids = NULL;
883 num_groups = 0;
884
885 /* always add the primary group to the sid array */
886 status = add_sid_to_array(mem_ctx, primary_group, user_sids,
887 &num_groups);
888 if (!NT_STATUS_IS_OK(status)) {
889 goto done;
890 }
891
892 group_sids = talloc_zero_array(mem_ctx, struct dom_sid, num_strings + 1);
893 if (!group_sids) {
894 status = NT_STATUS_NO_MEMORY;
895 goto done;
896 }
897
898 for (i=0; i<num_strings; i++) {
899 rc = ads_get_sid_from_extended_dn(mem_ctx, strings[i],
900 ADS_EXTENDED_DN_HEX_STRING,
901 &(group_sids)[i]);
902 if (!ADS_ERR_OK(rc)) {
903 /* ignore members without SIDs */
904 if (NT_STATUS_EQUAL(ads_ntstatus(rc),
905 NT_STATUS_NOT_FOUND)) {
906 continue;
907 }
908 else {
909 status = ads_ntstatus(rc);
910 goto done;
911 }
912 }
913 num_sids++;
914 }
915
916 if (i == 0) {
917 DEBUG(1,("No memberOf for this user?!?\n"));
918 status = NT_STATUS_NO_MEMORY;
919 goto done;
920 }
921
922 for (i=0; i<num_sids; i++) {
923
924 /* ignore Builtin groups from ADS - Guenther */
925 if (sid_check_is_in_builtin(&group_sids[i])) {
926 continue;
927 }
928
929 status = add_sid_to_array(mem_ctx, &group_sids[i], user_sids,
930 &num_groups);
931 if (!NT_STATUS_IS_OK(status)) {
932 goto done;
933 }
934
935 }
936
937 *p_num_groups = num_groups;
938 status = (*user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
939
940 DEBUG(3,("ads lookup_usergroups (memberof) succeeded for dn=%s\n",
941 user_dn));
942
943 done:
944 TALLOC_FREE(strings);
945 TALLOC_FREE(group_sids);
946
947 return status;
948 }
949
950
951 /* Lookup groups a user is a member of. */
952 static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
953 TALLOC_CTX *mem_ctx,
954 const struct dom_sid *sid,
955 uint32 *p_num_groups, struct dom_sid **user_sids)
956 {
957 ADS_STRUCT *ads = NULL;
958 const char *attrs[] = {"tokenGroups", "primaryGroupID", NULL};
959 ADS_STATUS rc;
960 int count;
961 LDAPMessage *msg = NULL;
962 char *user_dn = NULL;
963 struct dom_sid *sids;
964 int i;
965 struct dom_sid primary_group;
966 uint32 primary_group_rid;
967 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
968 uint32_t num_groups = 0;
969
970 DEBUG(3,("ads: lookup_usergroups\n"));
971 *p_num_groups = 0;
972
973 status = lookup_usergroups_cached(domain, mem_ctx, sid,
974 p_num_groups, user_sids);
975 if (NT_STATUS_IS_OK(status)) {
976 return NT_STATUS_OK;
977 }
978
979 if ( !winbindd_can_contact_domain( domain ) ) {
980 DEBUG(10,("lookup_usergroups: No incoming trust for domain %s\n",
981 domain->name));
982
983 /* Tell the cache manager not to remember this one */
984
985 return NT_STATUS_SYNCHRONIZATION_REQUIRED;
986 }
987
988 ads = ads_cached_connection(domain);
989
990 if (!ads) {
991 domain->last_status = NT_STATUS_SERVER_DISABLED;
992 status = NT_STATUS_SERVER_DISABLED;
993 goto done;
994 }
995
996 rc = ads_search_retry_sid(ads, &msg, sid, attrs);
997
998 if (!ADS_ERR_OK(rc)) {
999 status = ads_ntstatus(rc);
1000 DEBUG(1, ("lookup_usergroups(sid=%s) ads_search tokenGroups: "
1001 "%s\n", sid_string_dbg(sid), ads_errstr(rc)));
1002 goto done;
1003 }
1004
1005 count = ads_count_replies(ads, msg);
1006 if (count != 1) {
1007 status = NT_STATUS_UNSUCCESSFUL;
1008 DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: "
1009 "invalid number of results (count=%d)\n",
1010 sid_string_dbg(sid), count));
1011 goto done;
1012 }
1013
1014 if (!msg) {
1015 DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: NULL msg\n",
1016 sid_string_dbg(sid)));
1017 status = NT_STATUS_UNSUCCESSFUL;
1018 goto done;
1019 }
1020
1021 user_dn = ads_get_dn(ads, mem_ctx, msg);
1022 if (user_dn == NULL) {
1023 status = NT_STATUS_NO_MEMORY;
1024 goto done;
1025 }
1026
1027 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &primary_group_rid)) {
1028 DEBUG(1,("%s: No primary group for sid=%s !?\n",
1029 domain->name, sid_string_dbg(sid)));
1030 goto done;
1031 }
1032
1033 sid_compose(&primary_group, &domain->sid, primary_group_rid);
1034
1035 count = ads_pull_sids(ads, mem_ctx, msg, "tokenGroups", &sids);
1036
1037 /* there must always be at least one group in the token,
1038 unless we are talking to a buggy Win2k server */
1039
1040 /* actually this only happens when the machine account has no read
1041 * permissions on the tokenGroup attribute - gd */
1042
1043 if (count == 0) {
1044
1045 /* no tokenGroups */
1046
1047 /* lookup what groups this user is a member of by DN search on
1048 * "memberOf" */
1049
1050 status = lookup_usergroups_memberof(domain, mem_ctx, user_dn,
1051 &primary_group,
1052 &num_groups, user_sids);
1053 *p_num_groups = num_groups;
1054 if (NT_STATUS_IS_OK(status)) {
1055 goto done;
1056 }
1057
1058 /* lookup what groups this user is a member of by DN search on
1059 * "member" */
1060
1061 status = lookup_usergroups_member(domain, mem_ctx, user_dn,
1062 &primary_group,
1063 &num_groups, user_sids);
1064 *p_num_groups = num_groups;
1065 goto done;
1066 }
1067
1068 *user_sids = NULL;
1069 num_groups = 0;
1070
1071 status = add_sid_to_array(mem_ctx, &primary_group, user_sids,
1072 &num_groups);
1073 if (!NT_STATUS_IS_OK(status)) {
1074 goto done;
1075 }
1076
1077 for (i=0;i<count;i++) {
1078
1079 /* ignore Builtin groups from ADS - Guenther */
1080 if (sid_check_is_in_builtin(&sids[i])) {
1081 continue;
1082 }
1083
1084 status = add_sid_to_array_unique(mem_ctx, &sids[i],
1085 user_sids, &num_groups);
1086 if (!NT_STATUS_IS_OK(status)) {
1087 goto done;
1088 }
1089 }
1090
1091 *p_num_groups = (uint32)num_groups;
1092 status = (*user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
1093
1094 DEBUG(3,("ads lookup_usergroups (tokenGroups) succeeded for sid=%s\n",
1095 sid_string_dbg(sid)));
1096 done:
1097 TALLOC_FREE(user_dn);
1098 ads_msgfree(ads, msg);
1099 return status;
1100 }
1101
1102 /* Lookup aliases a user is member of - use rpc methods */
1103 static NTSTATUS lookup_useraliases(struct winbindd_domain *domain,
1104 TALLOC_CTX *mem_ctx,
1105 uint32 num_sids, const struct dom_sid *sids,
1106 uint32 *num_aliases, uint32 **alias_rids)
1107 {
1108 return reconnect_methods.lookup_useraliases(domain, mem_ctx,
1109 num_sids, sids,
1110 num_aliases,
1111 alias_rids);
1112 }
1113
1114 /*
1115 find the members of a group, given a group rid and domain
1116 */
1117 static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
1118 TALLOC_CTX *mem_ctx,
1119 const struct dom_sid *group_sid,
1120 enum lsa_SidType type,
1121 uint32 *num_names,
1122 struct dom_sid **sid_mem, char ***names,
1123 uint32 **name_types)
1124 {
1125 ADS_STATUS rc;
1126 ADS_STRUCT *ads = NULL;
1127 char *ldap_exp;
1128 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
1129 char *sidbinstr;
1130 char **members = NULL;
1131 int i;
1132 size_t num_members = 0;
1133 ads_control args;
1134 struct dom_sid *sid_mem_nocache = NULL;
1135 char **names_nocache = NULL;
1136 enum lsa_SidType *name_types_nocache = NULL;
1137 char **domains_nocache = NULL; /* only needed for rpccli_lsa_lookup_sids */
1138 uint32 num_nocache = 0;
1139 TALLOC_CTX *tmp_ctx = NULL;
1140
1141 DEBUG(10,("ads: lookup_groupmem %s sid=%s\n", domain->name,
1142 sid_string_dbg(group_sid)));
1143
1144 *num_names = 0;
1145
1146 tmp_ctx = talloc_new(mem_ctx);
1147 if (!tmp_ctx) {
1148 DEBUG(1, ("ads: lookup_groupmem: talloc failed\n"));
1149 status = NT_STATUS_NO_MEMORY;
1150 goto done;
1151 }
1152
1153 if ( !winbindd_can_contact_domain( domain ) ) {
1154 DEBUG(10,("lookup_groupmem: No incoming trust for domain %s\n",
1155 domain->name));
1156 return NT_STATUS_OK;
1157 }
1158
1159 ads = ads_cached_connection(domain);
1160
1161 if (!ads) {
1162 domain->last_status = NT_STATUS_SERVER_DISABLED;
1163 goto done;
1164 }
1165
1166 if ((sidbinstr = ldap_encode_ndr_dom_sid(talloc_tos(), group_sid)) == NULL) {
1167 status = NT_STATUS_NO_MEMORY;
1168 goto done;
1169 }
1170
1171 /* search for all members of the group */
1172 ldap_exp = talloc_asprintf(tmp_ctx, "(objectSid=%s)", sidbinstr);
1173 TALLOC_FREE(sidbinstr);
1174 if (ldap_exp == NULL) {
1175 DEBUG(1, ("ads: lookup_groupmem: talloc_asprintf for ldap_exp failed!\n"));
1176 status = NT_STATUS_NO_MEMORY;
1177 goto done;
1178 }
1179
1180 args.control = ADS_EXTENDED_DN_OID;
1181 args.val = ADS_EXTENDED_DN_HEX_STRING;
1182 args.critical = True;
1183
1184 rc = ads_ranged_search(ads, tmp_ctx, LDAP_SCOPE_SUBTREE, ads->config.bind_path,
1185 ldap_exp, &args, "member", &members, &num_members);
1186
1187 if (!ADS_ERR_OK(rc)) {
1188 DEBUG(0,("ads_ranged_search failed with: %s\n", ads_errstr(rc)));
1189 status = NT_STATUS_UNSUCCESSFUL;
1190 goto done;
1191 }
1192
1193 DEBUG(10, ("ads lookup_groupmem: got %d sids via extended dn call\n", (int)num_members));
1194
1195 /* Now that we have a list of sids, we need to get the
1196 * lists of names and name_types belonging to these sids.
1197 * even though conceptually not quite clean, we use the
1198 * RPC call lsa_lookup_sids for this since it can handle a
1199 * list of sids. ldap calls can just resolve one sid at a time.
1200 *
1201 * At this stage, the sids are still hidden in the exetended dn
1202 * member output format. We actually do a little better than
1203 * stated above: In extracting the sids from the member strings,
1204 * we try to resolve as many sids as possible from the
1205 * cache. Only the rest is passed to the lsa_lookup_sids call. */
1206
1207 if (num_members) {
1208 (*sid_mem) = talloc_zero_array(mem_ctx, struct dom_sid, num_members);
1209 (*names) = talloc_zero_array(mem_ctx, char *, num_members);
1210 (*name_types) = talloc_zero_array(mem_ctx, uint32, num_members);
1211 (sid_mem_nocache) = talloc_zero_array(tmp_ctx, struct dom_sid, num_members);
1212
1213 if ((members == NULL) || (*sid_mem == NULL) ||
1214 (*names == NULL) || (*name_types == NULL) ||
1215 (sid_mem_nocache == NULL))
1216 {
1217 DEBUG(1, ("ads: lookup_groupmem: talloc failed\n"));
1218 status = NT_STATUS_NO_MEMORY;
1219 goto done;
1220 }
1221 }
1222 else {
1223 (*sid_mem) = NULL;
1224 (*names) = NULL;
1225 (*name_types) = NULL;
1226 }
1227
1228 for (i=0; i<num_members; i++) {
1229 enum lsa_SidType name_type;
1230 char *name, *domain_name;
1231 struct dom_sid sid;
1232
1233 rc = ads_get_sid_from_extended_dn(tmp_ctx, members[i], args.val,
1234 &sid);
1235 if (!ADS_ERR_OK(rc)) {
1236 if (NT_STATUS_EQUAL(ads_ntstatus(rc),
1237 NT_STATUS_NOT_FOUND)) {
1238 /* Group members can be objects, like Exchange
1239 * Public Folders, that don't have a SID. Skip
1240 * them. */
1241 continue;
1242 }
1243 else {
1244 status = ads_ntstatus(rc);
1245 goto done;
1246 }
1247 }
1248 if (lookup_cached_sid(mem_ctx, &sid, &domain_name, &name,
1249 &name_type)) {
1250 DEBUG(10,("ads: lookup_groupmem: got sid %s from "
1251 "cache\n", sid_string_dbg(&sid)));
1252 sid_copy(&(*sid_mem)[*num_names], &sid);
1253 (*names)[*num_names] = fill_domain_username_talloc(
1254 *names,
1255 domain_name,
1256 name,
1257 true);
1258
1259 (*name_types)[*num_names] = name_type;
1260 (*num_names)++;
1261 }
1262 else {
1263 DEBUG(10, ("ads: lookup_groupmem: sid %s not found in "
1264 "cache\n", sid_string_dbg(&sid)));
1265 sid_copy(&(sid_mem_nocache)[num_nocache], &sid);
1266 num_nocache++;
1267 }
1268 }
1269
1270 DEBUG(10, ("ads: lookup_groupmem: %d sids found in cache, "
1271 "%d left for lsa_lookupsids\n", *num_names, num_nocache));
1272
1273 /* handle sids not resolved from cache by lsa_lookup_sids */
1274 if (num_nocache > 0) {
1275
1276 status = winbindd_lookup_sids(tmp_ctx,
1277 domain,
1278 num_nocache,
1279 sid_mem_nocache,
1280 &domains_nocache,
1281 &names_nocache,
1282 &name_types_nocache);
1283
1284 if (!(NT_STATUS_IS_OK(status) ||
1285 NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED) ||
1286 NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)))
1287 {
1288 DEBUG(1, ("lsa_lookupsids call failed with %s "
1289 "- retrying...\n", nt_errstr(status)));
1290
1291 status = winbindd_lookup_sids(tmp_ctx,
1292 domain,
1293 num_nocache,
1294 sid_mem_nocache,
1295 &domains_nocache,
1296 &names_nocache,
1297 &name_types_nocache);
1298 }
1299
1300 if (NT_STATUS_IS_OK(status) ||
1301 NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED))
1302 {
1303 /* Copy the entries over from the "_nocache" arrays
1304 * to the result arrays, skipping the gaps the
1305 * lookup_sids call left. */
1306 for (i=0; i < num_nocache; i++) {
1307 if (((names_nocache)[i] != NULL) &&
1308 ((name_types_nocache)[i] != SID_NAME_UNKNOWN))
1309 {
1310 sid_copy(&(*sid_mem)[*num_names],
1311 &sid_mem_nocache[i]);
1312 (*names)[*num_names] =
1313 fill_domain_username_talloc(
1314 *names,
1315 domains_nocache[i],
1316 names_nocache[i],
1317 true);
1318 (*name_types)[*num_names] = name_types_nocache[i];
1319 (*num_names)++;
1320 }
1321 }
1322 }
1323 else if (NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)) {
1324 DEBUG(10, ("lookup_groupmem: lsa_lookup_sids could "
1325 "not map any SIDs at all.\n"));
1326 /* Don't handle this as an error here.
1327 * There is nothing left to do with respect to the
1328 * overall result... */
1329 }
1330 else if (!NT_STATUS_IS_OK(status)) {
1331 DEBUG(10, ("lookup_groupmem: Error looking up %d "
1332 "sids via rpc_lsa_lookup_sids: %s\n",
1333 (int)num_members, nt_errstr(status)));
1334 goto done;
1335 }
1336 }
1337
1338 status = NT_STATUS_OK;
1339 DEBUG(3,("ads lookup_groupmem for sid=%s succeeded\n",
1340 sid_string_dbg(group_sid)));
1341
1342 done:
1343
1344 TALLOC_FREE(tmp_ctx);
1345
1346 return status;
1347 }
1348
1349 /* find the sequence number for a domain */
1350 static NTSTATUS sequence_number(struct winbindd_domain *domain, uint32 *seq)
1351 {
1352 ADS_STRUCT *ads = NULL;
1353 ADS_STATUS rc;
1354
1355 DEBUG(3,("ads: fetch sequence_number for %s\n", domain->name));
1356
1357 if ( !winbindd_can_contact_domain( domain ) ) {
1358 DEBUG(10,("sequence: No incoming trust for domain %s\n",
1359 domain->name));
1360 *seq = time(NULL);
1361 return NT_STATUS_OK;
1362 }
1363
1364 *seq = DOM_SEQUENCE_NONE;
1365
1366 ads = ads_cached_connection(domain);
1367
1368 if (!ads) {
1369 domain->last_status = NT_STATUS_SERVER_DISABLED;
1370 return NT_STATUS_UNSUCCESSFUL;
1371 }
1372
1373 rc = ads_USN(ads, seq);
1374
1375 if (!ADS_ERR_OK(rc)) {
1376
1377 /* its a dead connection, destroy it */
1378
1379 if (domain->private_data) {
1380 ads = (ADS_STRUCT *)domain->private_data;
1381 ads->is_mine = True;
1382 ads_destroy(&ads);
1383 ads_kdestroy(WINBIND_CCACHE_NAME);
1384 domain->private_data = NULL;
1385 }
1386 }
1387 return ads_ntstatus(rc);
1388 }
1389
1390 /* find the lockout policy of a domain - use rpc methods */
1391 static NTSTATUS lockout_policy(struct winbindd_domain *domain,
1392 TALLOC_CTX *mem_ctx,
1393 struct samr_DomInfo12 *policy)
1394 {
1395 return reconnect_methods.lockout_policy(domain, mem_ctx, policy);
1396 }
1397
1398 /* find the password policy of a domain - use rpc methods */
1399 static NTSTATUS password_policy(struct winbindd_domain *domain,
1400 TALLOC_CTX *mem_ctx,
1401 struct samr_DomInfo1 *policy)
1402 {
1403 return reconnect_methods.password_policy(domain, mem_ctx, policy);
1404 }
1405
1406 /* get a list of trusted domains */
1407 static NTSTATUS trusted_domains(struct winbindd_domain *domain,
1408 TALLOC_CTX *mem_ctx,
1409 struct netr_DomainTrustList *trusts)
1410 {
1411 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1412 WERROR werr;
1413 int i;
1414 uint32 flags;
1415 struct rpc_pipe_client *cli;
1416 int ret_count;
1417 struct dcerpc_binding_handle *b;
1418
1419 DEBUG(3,("ads: trusted_domains\n"));
1420
1421 ZERO_STRUCTP(trusts);
1422
1423 /* If this is our primary domain or a root in our forest,
1424 query for all trusts. If not, then just look for domain
1425 trusts in the target forest */
1426
1427 if (domain->primary || domain_is_forest_root(domain)) {
1428 flags = NETR_TRUST_FLAG_OUTBOUND |
1429 NETR_TRUST_FLAG_INBOUND |
1430 NETR_TRUST_FLAG_IN_FOREST;
1431 } else {
1432 flags = NETR_TRUST_FLAG_IN_FOREST;
1433 }
1434
1435 result = cm_connect_netlogon(domain, &cli);
1436
1437 if (!NT_STATUS_IS_OK(result)) {
1438 DEBUG(5, ("trusted_domains: Could not open a connection to %s "
1439 "for PIPE_NETLOGON (%s)\n",
1440 domain->name, nt_errstr(result)));
1441 return NT_STATUS_UNSUCCESSFUL;
1442 }
1443
1444 b = cli->binding_handle;
1445
1446 result = dcerpc_netr_DsrEnumerateDomainTrusts(b, mem_ctx,
1447 cli->desthost,
1448 flags,
1449 trusts,
1450 &werr);
1451 if (!NT_STATUS_IS_OK(result)) {
1452 return result;
1453 }
1454
1455 if (!W_ERROR_IS_OK(werr)) {
1456 return werror_to_ntstatus(werr);
1457 }
1458 if (trusts->count == 0) {
1459 return NT_STATUS_OK;
1460 }
1461
1462 /* Copy across names and sids */
1463
1464 ret_count = 0;
1465 for (i = 0; i < trusts->count; i++) {
1466 struct netr_DomainTrust *trust = &trusts->array[i];
1467 struct winbindd_domain d;
1468
1469 ZERO_STRUCT(d);
1470
1471 /*
1472 * drop external trusts if this is not our primary
1473 * domain. This means that the returned number of
1474 * domains may be less that the ones actually trusted
1475 * by the DC.
1476 */
1477
1478 if ((trust->trust_attributes
1479 == NETR_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) &&
1480 !domain->primary )
1481 {
1482 DEBUG(10,("trusted_domains: Skipping external trusted "
1483 "domain %s because it is outside of our "
1484 "primary domain\n",
1485 trust->netbios_name));
1486 continue;
1487 }
1488
1489 /* add to the trusted domain cache */
1490
1491 d.name = discard_const_p(char, trust->netbios_name);
1492 d.alt_name = discard_const_p(char, trust->dns_name);
1493
1494 if (trust->sid) {
1495 sid_copy(&d.sid, trust->sid);
1496 } else {
1497 sid_copy(&d.sid, &global_sid_NULL);
1498 }
1499
1500 if ( domain->primary ) {
1501 DEBUG(10,("trusted_domains(ads): Searching "
1502 "trusted domain list of %s and storing "
1503 "trust flags for domain %s\n",
1504 domain->name, d.alt_name));
1505
1506 d.domain_flags = trust->trust_flags;
1507 d.domain_type = trust->trust_type;
1508 d.domain_trust_attribs = trust->trust_attributes;
1509
1510 wcache_tdc_add_domain( &d );
1511 ret_count++;
1512 } else if (domain_is_forest_root(domain)) {
1513 /* Check if we already have this record. If
1514 * we are following our forest root that is not
1515 * our primary domain, we want to keep trust
1516 * flags from the perspective of our primary
1517 * domain not our forest root. */
1518 struct winbindd_tdc_domain *exist = NULL;
1519
1520 exist = wcache_tdc_fetch_domain(
1521 talloc_tos(), trust->netbios_name);
1522 if (!exist) {
1523 DEBUG(10,("trusted_domains(ads): Searching "
1524 "trusted domain list of %s and "
1525 "storing trust flags for domain "
1526 "%s\n", domain->name, d.alt_name));
1527 d.domain_flags = trust->trust_flags;
1528 d.domain_type = trust->trust_type;
1529 d.domain_trust_attribs =
1530 trust->trust_attributes;
1531
1532 wcache_tdc_add_domain( &d );
1533 ret_count++;
1534 }
1535 TALLOC_FREE(exist);
1536 } else {
1537 /* This gets a little tricky. If we are
1538 following a transitive forest trust, then
1539 innerit the flags, type, and attribs from
1540 the domain we queried to make sure we don't
1541 record the view of the trust from the wrong
1542 side. Always view it from the side of our
1543 primary domain. --jerry */
1544 struct winbindd_tdc_domain *parent = NULL;
1545
1546 DEBUG(10,("trusted_domains(ads): Searching "
1547 "trusted domain list of %s and inheriting "
1548 "trust flags for domain %s\n",
1549 domain->name, d.alt_name));
1550
1551 parent = wcache_tdc_fetch_domain(talloc_tos(),
1552 domain->name);
1553 if (parent) {
1554 d.domain_flags = parent->trust_flags;
1555 d.domain_type = parent->trust_type;
1556 d.domain_trust_attribs = parent->trust_attribs;
1557 } else {
1558 d.domain_flags = domain->domain_flags;
1559 d.domain_type = domain->domain_type;
1560 d.domain_trust_attribs =
1561 domain->domain_trust_attribs;
1562 }
1563 TALLOC_FREE(parent);
1564
1565 wcache_tdc_add_domain( &d );
1566 ret_count++;
1567 }
1568 }
1569 return result;
1570 }
1571
1572 /* the ADS backend methods are exposed via this structure */
1573 struct winbindd_methods ads_methods = {
1574 True,
1575 query_user_list,
1576 enum_dom_groups,
1577 enum_local_groups,
1578 name_to_sid,
1579 sid_to_name,
1580 rids_to_names,
1581 query_user,
1582 lookup_usergroups,
1583 lookup_useraliases,
1584 lookup_groupmem,
1585 sequence_number,
1586 lockout_policy,
1587 password_policy,
1588 trusted_domains,
1589 };
1590
1591 #endif
Samba GIT mirror