2 Unix SMB/CIFS implementation.
4 Winbind ADS backend functions
6 Copyright (C) Andrew Tridgell 2001
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003
8 Copyright (C) Gerald (Jerry) Carter 2004
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
26 #include "rpc_client/rpc_client.h"
27 #include "../librpc/gen_ndr/ndr_netlogon_c.h"
28 #include "../libds/common/flags.h"
30 #include "../libcli/ldap/ldap_ndr.h"
31 #include "../libcli/security/security.h"
32 #include "../libds/common/flag_mapping.h"
38 #define DBGC_CLASS DBGC_WINBIND
40 extern struct winbindd_methods reconnect_methods
;
42 #define WINBIND_CCACHE_NAME "MEMORY:winbind_ccache"
45 * Check if cached connection can be reused. If the connection cannot
46 * be reused the ADS_STRUCT is freed and the pointer is set to NULL.
48 static void ads_cached_connection_reuse(ADS_STRUCT
**adsp
)
51 ADS_STRUCT
*ads
= *adsp
;
55 time_t now
= time(NULL
);
57 expire
= MIN(ads
->auth
.tgt_expire
, ads
->auth
.tgs_expire
);
59 DEBUG(7, ("Current tickets expire in %d seconds (at %d, time "
60 "is now %d)\n", (uint32
)expire
- (uint32
)now
,
61 (uint32
) expire
, (uint32
) now
));
63 if ( ads
->config
.realm
&& (expire
> now
)) {
66 /* we own this ADS_STRUCT so make sure it goes away */
67 DEBUG(7,("Deleting expired krb5 credential cache\n"));
70 ads_kdestroy(WINBIND_CCACHE_NAME
);
76 static ADS_STATUS
ads_cached_connection_connect(ADS_STRUCT
**adsp
,
77 const char *dom_name_alt
,
79 const char *ldap_server
,
86 struct sockaddr_storage dc_ss
;
90 return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL
);
93 /* we don't want this to affect the users ccache */
94 setenv("KRB5CCNAME", WINBIND_CCACHE_NAME
, 1);
96 ads
= ads_init(dom_name_alt
, dom_name
, ldap_server
);
98 DEBUG(1,("ads_init for domain %s failed\n", dom_name
));
99 return ADS_ERROR(LDAP_NO_MEMORY
);
102 SAFE_FREE(ads
->auth
.password
);
103 SAFE_FREE(ads
->auth
.realm
);
105 ads
->auth
.renewable
= renewable
;
106 ads
->auth
.password
= password
;
108 ads
->auth
.realm
= SMB_STRDUP(realm
);
109 if (!strupper_m(ads
->auth
.realm
)) {
111 return ADS_ERROR_NT(NT_STATUS_INTERNAL_ERROR
);
114 /* Setup the server affinity cache. We don't reaally care
115 about the name. Just setup affinity and the KRB5_CONFIG
117 get_dc_name(ads
->server
.workgroup
, ads
->server
.realm
, dc_name
, &dc_ss
);
119 status
= ads_connect(ads
);
120 if (!ADS_ERR_OK(status
)) {
121 DEBUG(1,("ads_connect for domain %s failed: %s\n",
122 dom_name
, ads_errstr(status
)));
127 /* set the flag that says we don't own the memory even
128 though we do so that ads_destroy() won't destroy the
129 structure we pass back by reference */
131 ads
->is_mine
= False
;
138 ADS_STATUS
ads_idmap_cached_connection(ADS_STRUCT
**adsp
, const char *dom_name
)
140 char *ldap_server
, *realm
, *password
;
141 struct winbindd_domain
*wb_dom
;
144 ads_cached_connection_reuse(adsp
);
150 * At this point we only have the NetBIOS domain name.
151 * Check if we can get server nam and realm from SAF cache
152 * and the domain list.
154 ldap_server
= saf_fetch(dom_name
);
155 DEBUG(10, ("ldap_server from saf cache: '%s'\n",
156 ldap_server
? ldap_server
: ""));
158 wb_dom
= find_domain_from_name(dom_name
);
159 if (wb_dom
== NULL
) {
160 DEBUG(10, ("could not find domain '%s'\n", dom_name
));
161 return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL
);
164 DEBUG(10, ("find_domain_from_name found realm '%s' for "
165 " domain '%s'\n", wb_dom
->alt_name
, dom_name
));
167 if (!get_trust_pw_clear(dom_name
, &password
, NULL
, NULL
)) {
168 return ADS_ERROR_NT(NT_STATUS_CANT_ACCESS_DOMAIN_INFO
);
172 realm
= SMB_STRDUP(wb_dom
->alt_name
);
174 struct winbindd_domain
*our_domain
= wb_dom
;
176 /* always give preference to the alt_name in our
177 primary domain if possible */
179 if (!wb_dom
->primary
) {
180 our_domain
= find_our_domain();
183 if (our_domain
->alt_name
!= NULL
) {
184 realm
= SMB_STRDUP(our_domain
->alt_name
);
186 realm
= SMB_STRDUP(lp_realm());
190 status
= ads_cached_connection_connect(adsp
, realm
, dom_name
, ldap_server
,
198 return our ads connections structure for a domain. We keep the connection
199 open to make things faster
201 static ADS_STRUCT
*ads_cached_connection(struct winbindd_domain
*domain
)
204 char *password
, *realm
;
206 DEBUG(10,("ads_cached_connection\n"));
207 ads_cached_connection_reuse((ADS_STRUCT
**)&domain
->private_data
);
209 if (domain
->private_data
) {
210 return (ADS_STRUCT
*)domain
->private_data
;
213 /* the machine acct password might have change - fetch it every time */
215 if (!get_trust_pw_clear(domain
->name
, &password
, NULL
, NULL
)) {
221 realm
= SMB_STRDUP(domain
->alt_name
);
224 struct winbindd_domain
*our_domain
= domain
;
227 /* always give preference to the alt_name in our
228 primary domain if possible */
230 if ( !domain
->primary
)
231 our_domain
= find_our_domain();
233 if (our_domain
->alt_name
!= NULL
) {
234 realm
= SMB_STRDUP( our_domain
->alt_name
);
237 realm
= SMB_STRDUP( lp_realm() );
240 status
= ads_cached_connection_connect(
241 (ADS_STRUCT
**)&domain
->private_data
,
245 WINBINDD_PAM_AUTH_KRB5_RENEW_TIME
);
248 if (!ADS_ERR_OK(status
)) {
249 /* if we get ECONNREFUSED then it might be a NT4
250 server, fall back to MSRPC */
251 if (status
.error_type
== ENUM_ADS_ERROR_SYSTEM
&&
252 status
.err
.rc
== ECONNREFUSED
) {
253 /* 'reconnect_methods' is the MS-RPC backend. */
254 DEBUG(1,("Trying MSRPC methods\n"));
255 domain
->backend
= &reconnect_methods
;
260 return (ADS_STRUCT
*)domain
->private_data
;
263 /* Query display info for a realm. This is the basic user list fn */
264 static NTSTATUS
query_user_list(struct winbindd_domain
*domain
,
267 struct wbint_userinfo
**pinfo
)
269 ADS_STRUCT
*ads
= NULL
;
270 const char *attrs
[] = { "*", NULL
};
273 LDAPMessage
*res
= NULL
;
274 LDAPMessage
*msg
= NULL
;
275 NTSTATUS status
= NT_STATUS_UNSUCCESSFUL
;
279 DEBUG(3,("ads: query_user_list\n"));
281 if ( !winbindd_can_contact_domain( domain
) ) {
282 DEBUG(10,("query_user_list: No incoming trust for domain %s\n",
287 ads
= ads_cached_connection(domain
);
290 domain
->last_status
= NT_STATUS_SERVER_DISABLED
;
294 rc
= ads_search_retry(ads
, &res
, "(objectCategory=user)", attrs
);
295 if (!ADS_ERR_OK(rc
)) {
296 DEBUG(1,("query_user_list ads_search: %s\n", ads_errstr(rc
)));
297 status
= ads_ntstatus(rc
);
299 DEBUG(1,("query_user_list ads_search returned NULL res\n"));
304 count
= ads_count_replies(ads
, res
);
306 DEBUG(1,("query_user_list: No users found\n"));
310 (*pinfo
) = talloc_zero_array(mem_ctx
, struct wbint_userinfo
, count
);
312 status
= NT_STATUS_NO_MEMORY
;
318 for (msg
= ads_first_entry(ads
, res
); msg
; msg
= ads_next_entry(ads
, msg
)) {
319 struct wbint_userinfo
*info
= &((*pinfo
)[count
]);
323 if (!ads_pull_uint32(ads
, msg
, "sAMAccountType", &atype
) ||
324 ds_atype_map(atype
) != SID_NAME_USER
) {
325 DEBUG(1,("Not a user account? atype=0x%x\n", atype
));
329 info
->acct_name
= ads_pull_username(ads
, mem_ctx
, msg
);
330 info
->full_name
= ads_pull_string(ads
, mem_ctx
, msg
, "name");
331 info
->homedir
= NULL
;
333 info
->primary_gid
= (gid_t
)-1;
335 if (!ads_pull_sid(ads
, msg
, "objectSid",
337 DEBUG(1, ("No sid for %s !?\n", info
->acct_name
));
341 if (!ads_pull_uint32(ads
, msg
, "primaryGroupID", &group
)) {
342 DEBUG(1, ("No primary group for %s !?\n",
346 sid_compose(&info
->group_sid
, &domain
->sid
, group
);
351 (*num_entries
) = count
;
352 ads_msgfree(ads
, res
);
354 for (i
=0; i
<count
; i
++) {
355 struct wbint_userinfo
*info
= &((*pinfo
)[i
]);
356 const char *gecos
= NULL
;
357 gid_t primary_gid
= (gid_t
)-1;
359 status
= nss_get_info_cached(domain
, &info
->user_sid
, mem_ctx
,
360 &info
->homedir
, &info
->shell
,
361 &gecos
, &primary_gid
);
362 if (!NT_STATUS_IS_OK(status
)) {
364 * Deliberately ignore this error, there might be more
371 info
->full_name
= gecos
;
373 info
->primary_gid
= primary_gid
;
376 status
= NT_STATUS_OK
;
378 DEBUG(3,("ads query_user_list gave %d entries\n", (*num_entries
)));
384 /* list all domain groups */
385 static NTSTATUS
enum_dom_groups(struct winbindd_domain
*domain
,
388 struct wb_acct_info
**info
)
390 ADS_STRUCT
*ads
= NULL
;
391 const char *attrs
[] = {"userPrincipalName", "sAMAccountName",
392 "name", "objectSid", NULL
};
395 LDAPMessage
*res
= NULL
;
396 LDAPMessage
*msg
= NULL
;
397 NTSTATUS status
= NT_STATUS_UNSUCCESSFUL
;
399 bool enum_dom_local_groups
= False
;
403 DEBUG(3,("ads: enum_dom_groups\n"));
405 if ( !winbindd_can_contact_domain( domain
) ) {
406 DEBUG(10,("enum_dom_groups: No incoming trust for domain %s\n",
411 /* only grab domain local groups for our domain */
412 if ( domain
->active_directory
&& strequal(lp_realm(), domain
->alt_name
) ) {
413 enum_dom_local_groups
= True
;
416 /* Workaround ADS LDAP bug present in MS W2K3 SP0 and W2K SP4 w/o
419 * According to Section 5.1(4) of RFC 2251 if a value of a type is it's
420 * default value, it MUST be absent. In case of extensible matching the
421 * "dnattr" boolean defaults to FALSE and so it must be only be present
424 * When it is set to FALSE and the OpenLDAP lib (correctly) encodes a
425 * filter using bitwise matching rule then the buggy AD fails to decode
426 * the extensible match. As a workaround set it to TRUE and thereby add
427 * the dnAttributes "dn" field to cope with those older AD versions.
428 * It should not harm and won't put any additional load on the AD since
429 * none of the dn components have a bitmask-attribute.
431 * Thanks to Ralf Haferkamp for input and testing - Guenther */
433 filter
= talloc_asprintf(mem_ctx
, "(&(objectCategory=group)(&(groupType:dn:%s:=%d)(!(groupType:dn:%s:=%d))))",
434 ADS_LDAP_MATCHING_RULE_BIT_AND
, GROUP_TYPE_SECURITY_ENABLED
,
435 ADS_LDAP_MATCHING_RULE_BIT_AND
,
436 enum_dom_local_groups
? GROUP_TYPE_BUILTIN_LOCAL_GROUP
: GROUP_TYPE_RESOURCE_GROUP
);
438 if (filter
== NULL
) {
439 status
= NT_STATUS_NO_MEMORY
;
443 ads
= ads_cached_connection(domain
);
446 domain
->last_status
= NT_STATUS_SERVER_DISABLED
;
450 rc
= ads_search_retry(ads
, &res
, filter
, attrs
);
451 if (!ADS_ERR_OK(rc
)) {
452 status
= ads_ntstatus(rc
);
453 DEBUG(1,("enum_dom_groups ads_search: %s\n", ads_errstr(rc
)));
456 DEBUG(1,("enum_dom_groups ads_search returned NULL res\n"));
460 count
= ads_count_replies(ads
, res
);
462 DEBUG(1,("enum_dom_groups: No groups found\n"));
466 (*info
) = talloc_zero_array(mem_ctx
, struct wb_acct_info
, count
);
468 status
= NT_STATUS_NO_MEMORY
;
474 for (msg
= ads_first_entry(ads
, res
); msg
; msg
= ads_next_entry(ads
, msg
)) {
479 name
= ads_pull_username(ads
, mem_ctx
, msg
);
480 gecos
= ads_pull_string(ads
, mem_ctx
, msg
, "name");
481 if (!ads_pull_sid(ads
, msg
, "objectSid", &sid
)) {
482 DEBUG(1,("No sid for %s !?\n", name
));
486 if (!sid_peek_check_rid(&domain
->sid
, &sid
, &rid
)) {
487 DEBUG(1,("No rid for %s !?\n", name
));
491 fstrcpy((*info
)[i
].acct_name
, name
);
492 fstrcpy((*info
)[i
].acct_desc
, gecos
);
493 (*info
)[i
].rid
= rid
;
499 status
= NT_STATUS_OK
;
501 DEBUG(3,("ads enum_dom_groups gave %d entries\n", (*num_entries
)));
505 ads_msgfree(ads
, res
);
510 /* list all domain local groups */
511 static NTSTATUS
enum_local_groups(struct winbindd_domain
*domain
,
514 struct wb_acct_info
**info
)
517 * This is a stub function only as we returned the domain
518 * local groups in enum_dom_groups() if the domain->native field
519 * was true. This is a simple performance optimization when
522 * if we ever need to enumerate domain local groups separately,
523 * then this optimization in enum_dom_groups() will need
531 /* convert a single name to a sid in a domain - use rpc methods */
532 static NTSTATUS
name_to_sid(struct winbindd_domain
*domain
,
534 const char *domain_name
,
538 enum lsa_SidType
*type
)
540 return reconnect_methods
.name_to_sid(domain
, mem_ctx
,
541 domain_name
, name
, flags
,
545 /* convert a domain SID to a user or group name - use rpc methods */
546 static NTSTATUS
sid_to_name(struct winbindd_domain
*domain
,
548 const struct dom_sid
*sid
,
551 enum lsa_SidType
*type
)
553 return reconnect_methods
.sid_to_name(domain
, mem_ctx
, sid
,
554 domain_name
, name
, type
);
557 /* convert a list of rids to names - use rpc methods */
558 static NTSTATUS
rids_to_names(struct winbindd_domain
*domain
,
560 const struct dom_sid
*sid
,
565 enum lsa_SidType
**types
)
567 return reconnect_methods
.rids_to_names(domain
, mem_ctx
, sid
,
569 domain_name
, names
, types
);
572 /* If you are looking for "dn_lookup": Yes, it used to be here!
573 * It has gone now since it was a major speed bottleneck in
574 * lookup_groupmem (its only use). It has been replaced by
575 * an rpc lookup sids call... R.I.P. */
577 /* Lookup user information from a rid */
578 static NTSTATUS
query_user(struct winbindd_domain
*domain
,
580 const struct dom_sid
*sid
,
581 struct wbint_userinfo
*info
)
583 ADS_STRUCT
*ads
= NULL
;
584 const char *attrs
[] = { "*", NULL
};
587 LDAPMessage
*msg
= NULL
;
591 NTSTATUS status
= NT_STATUS_UNSUCCESSFUL
;
592 struct netr_SamInfo3
*user
= NULL
;
597 DEBUG(3,("ads: query_user\n"));
599 info
->homedir
= NULL
;
602 /* try netsamlogon cache first */
604 if ( (user
= netsamlogon_cache_get( mem_ctx
, sid
)) != NULL
)
606 DEBUG(5,("query_user: Cache lookup succeeded for %s\n",
607 sid_string_dbg(sid
)));
609 sid_compose(&info
->user_sid
, &domain
->sid
, user
->base
.rid
);
610 sid_compose(&info
->group_sid
, &domain
->sid
, user
->base
.primary_gid
);
612 info
->acct_name
= talloc_strdup(mem_ctx
, user
->base
.account_name
.string
);
613 info
->full_name
= talloc_strdup(mem_ctx
, user
->base
.full_name
.string
);
615 nss_get_info_cached( domain
, sid
, mem_ctx
,
616 &info
->homedir
, &info
->shell
, &info
->full_name
,
618 info
->primary_gid
= gid
;
625 if ( !winbindd_can_contact_domain(domain
)) {
626 DEBUG(8,("query_user: No incoming trust from domain %s\n",
629 /* We still need to generate some basic information
630 about the user even if we cannot contact the
631 domain. Most of this stuff we can deduce. */
633 sid_copy( &info
->user_sid
, sid
);
635 /* Assume "Domain Users" for the primary group */
637 sid_compose(&info
->group_sid
, &domain
->sid
, DOMAIN_RID_USERS
);
639 /* Try to fill in what the nss_info backend can do */
641 nss_get_info_cached( domain
, sid
, mem_ctx
,
642 &info
->homedir
, &info
->shell
, &info
->full_name
,
644 info
->primary_gid
= gid
;
649 /* no cache...do the query */
651 if ( (ads
= ads_cached_connection(domain
)) == NULL
) {
652 domain
->last_status
= NT_STATUS_SERVER_DISABLED
;
653 return NT_STATUS_SERVER_DISABLED
;
656 sidstr
= ldap_encode_ndr_dom_sid(talloc_tos(), sid
);
658 ret
= asprintf(&ldap_exp
, "(objectSid=%s)", sidstr
);
661 return NT_STATUS_NO_MEMORY
;
663 rc
= ads_search_retry(ads
, &msg
, ldap_exp
, attrs
);
665 if (!ADS_ERR_OK(rc
)) {
666 DEBUG(1,("query_user(sid=%s) ads_search: %s\n",
667 sid_string_dbg(sid
), ads_errstr(rc
)));
668 return ads_ntstatus(rc
);
670 DEBUG(1,("query_user(sid=%s) ads_search returned NULL res\n",
671 sid_string_dbg(sid
)));
672 return NT_STATUS_INTERNAL_ERROR
;
675 count
= ads_count_replies(ads
, msg
);
677 DEBUG(1,("query_user(sid=%s): Not found\n",
678 sid_string_dbg(sid
)));
679 ads_msgfree(ads
, msg
);
680 return NT_STATUS_NO_SUCH_USER
;
683 info
->acct_name
= ads_pull_username(ads
, mem_ctx
, msg
);
685 if (!ads_pull_uint32(ads
, msg
, "primaryGroupID", &group_rid
)) {
686 DEBUG(1,("No primary group for %s !?\n",
687 sid_string_dbg(sid
)));
688 ads_msgfree(ads
, msg
);
689 return NT_STATUS_NO_SUCH_USER
;
691 sid_copy(&info
->user_sid
, sid
);
692 sid_compose(&info
->group_sid
, &domain
->sid
, group_rid
);
695 * We have to fetch the "name" attribute before doing the
696 * nss_get_info_cached call. nss_get_info_cached might destroy
697 * the ads struct, potentially invalidating the ldap message.
699 ads_name
= ads_pull_string(ads
, mem_ctx
, msg
, "name");
701 ads_msgfree(ads
, msg
);
704 status
= nss_get_info_cached( domain
, sid
, mem_ctx
,
705 &info
->homedir
, &info
->shell
, &info
->full_name
,
707 info
->primary_gid
= gid
;
708 if (!NT_STATUS_IS_OK(status
)) {
709 DEBUG(1, ("nss_get_info_cached failed: %s\n",
714 if (info
->full_name
== NULL
) {
715 info
->full_name
= ads_name
;
717 TALLOC_FREE(ads_name
);
720 status
= NT_STATUS_OK
;
722 DEBUG(3,("ads query_user gave %s\n", info
->acct_name
));
726 /* Lookup groups a user is a member of - alternate method, for when
727 tokenGroups are not available. */
728 static NTSTATUS
lookup_usergroups_member(struct winbindd_domain
*domain
,
731 struct dom_sid
*primary_group
,
732 uint32_t *p_num_groups
, struct dom_sid
**user_sids
)
735 NTSTATUS status
= NT_STATUS_UNSUCCESSFUL
;
737 LDAPMessage
*res
= NULL
;
738 LDAPMessage
*msg
= NULL
;
741 const char *group_attrs
[] = {"objectSid", NULL
};
743 uint32_t num_groups
= 0;
745 DEBUG(3,("ads: lookup_usergroups_member\n"));
747 if ( !winbindd_can_contact_domain( domain
) ) {
748 DEBUG(10,("lookup_usergroups_members: No incoming trust for domain %s\n",
753 ads
= ads_cached_connection(domain
);
756 domain
->last_status
= NT_STATUS_SERVER_DISABLED
;
760 if (!(escaped_dn
= escape_ldap_string(talloc_tos(), user_dn
))) {
761 status
= NT_STATUS_NO_MEMORY
;
765 ldap_exp
= talloc_asprintf(mem_ctx
,
766 "(&(member=%s)(objectCategory=group)(groupType:dn:%s:=%d))",
768 ADS_LDAP_MATCHING_RULE_BIT_AND
,
769 GROUP_TYPE_SECURITY_ENABLED
);
771 DEBUG(1,("lookup_usergroups(dn=%s) asprintf failed!\n", user_dn
));
772 TALLOC_FREE(escaped_dn
);
773 status
= NT_STATUS_NO_MEMORY
;
777 TALLOC_FREE(escaped_dn
);
779 rc
= ads_search_retry(ads
, &res
, ldap_exp
, group_attrs
);
781 if (!ADS_ERR_OK(rc
)) {
782 DEBUG(1,("lookup_usergroups ads_search member=%s: %s\n", user_dn
, ads_errstr(rc
)));
783 return ads_ntstatus(rc
);
785 DEBUG(1,("lookup_usergroups ads_search returned NULL res\n"));
786 return NT_STATUS_INTERNAL_ERROR
;
790 count
= ads_count_replies(ads
, res
);
795 /* always add the primary group to the sid array */
796 status
= add_sid_to_array(mem_ctx
, primary_group
, user_sids
,
798 if (!NT_STATUS_IS_OK(status
)) {
803 for (msg
= ads_first_entry(ads
, res
); msg
;
804 msg
= ads_next_entry(ads
, msg
)) {
805 struct dom_sid group_sid
;
807 if (!ads_pull_sid(ads
, msg
, "objectSid", &group_sid
)) {
808 DEBUG(1,("No sid for this group ?!?\n"));
812 /* ignore Builtin groups from ADS - Guenther */
813 if (sid_check_is_in_builtin(&group_sid
)) {
817 status
= add_sid_to_array(mem_ctx
, &group_sid
,
818 user_sids
, &num_groups
);
819 if (!NT_STATUS_IS_OK(status
)) {
826 *p_num_groups
= num_groups
;
827 status
= (user_sids
!= NULL
) ? NT_STATUS_OK
: NT_STATUS_NO_MEMORY
;
829 DEBUG(3,("ads lookup_usergroups (member) succeeded for dn=%s\n", user_dn
));
832 ads_msgfree(ads
, res
);
837 /* Lookup groups a user is a member of - alternate method, for when
838 tokenGroups are not available. */
839 static NTSTATUS
lookup_usergroups_memberof(struct winbindd_domain
*domain
,
842 struct dom_sid
*primary_group
,
843 uint32_t *p_num_groups
,
844 struct dom_sid
**user_sids
)
847 NTSTATUS status
= NT_STATUS_UNSUCCESSFUL
;
849 const char *attrs
[] = {"memberOf", NULL
};
850 uint32_t num_groups
= 0;
851 struct dom_sid
*group_sids
= NULL
;
853 char **strings
= NULL
;
854 size_t num_strings
= 0, num_sids
= 0;
857 DEBUG(3,("ads: lookup_usergroups_memberof\n"));
859 if ( !winbindd_can_contact_domain( domain
) ) {
860 DEBUG(10,("lookup_usergroups_memberof: No incoming trust for "
861 "domain %s\n", domain
->name
));
865 ads
= ads_cached_connection(domain
);
868 domain
->last_status
= NT_STATUS_SERVER_DISABLED
;
869 return NT_STATUS_UNSUCCESSFUL
;
872 rc
= ads_search_retry_extended_dn_ranged(ads
, mem_ctx
, user_dn
, attrs
,
873 ADS_EXTENDED_DN_HEX_STRING
,
874 &strings
, &num_strings
);
876 if (!ADS_ERR_OK(rc
)) {
877 DEBUG(1,("lookup_usergroups_memberof ads_search "
878 "member=%s: %s\n", user_dn
, ads_errstr(rc
)));
879 return ads_ntstatus(rc
);
885 /* always add the primary group to the sid array */
886 status
= add_sid_to_array(mem_ctx
, primary_group
, user_sids
,
888 if (!NT_STATUS_IS_OK(status
)) {
892 group_sids
= talloc_zero_array(mem_ctx
, struct dom_sid
, num_strings
+ 1);
894 status
= NT_STATUS_NO_MEMORY
;
898 for (i
=0; i
<num_strings
; i
++) {
899 rc
= ads_get_sid_from_extended_dn(mem_ctx
, strings
[i
],
900 ADS_EXTENDED_DN_HEX_STRING
,
902 if (!ADS_ERR_OK(rc
)) {
903 /* ignore members without SIDs */
904 if (NT_STATUS_EQUAL(ads_ntstatus(rc
),
905 NT_STATUS_NOT_FOUND
)) {
909 status
= ads_ntstatus(rc
);
917 DEBUG(1,("No memberOf for this user?!?\n"));
918 status
= NT_STATUS_NO_MEMORY
;
922 for (i
=0; i
<num_sids
; i
++) {
924 /* ignore Builtin groups from ADS - Guenther */
925 if (sid_check_is_in_builtin(&group_sids
[i
])) {
929 status
= add_sid_to_array(mem_ctx
, &group_sids
[i
], user_sids
,
931 if (!NT_STATUS_IS_OK(status
)) {
937 *p_num_groups
= num_groups
;
938 status
= (*user_sids
!= NULL
) ? NT_STATUS_OK
: NT_STATUS_NO_MEMORY
;
940 DEBUG(3,("ads lookup_usergroups (memberof) succeeded for dn=%s\n",
944 TALLOC_FREE(strings
);
945 TALLOC_FREE(group_sids
);
951 /* Lookup groups a user is a member of. */
952 static NTSTATUS
lookup_usergroups(struct winbindd_domain
*domain
,
954 const struct dom_sid
*sid
,
955 uint32
*p_num_groups
, struct dom_sid
**user_sids
)
957 ADS_STRUCT
*ads
= NULL
;
958 const char *attrs
[] = {"tokenGroups", "primaryGroupID", NULL
};
961 LDAPMessage
*msg
= NULL
;
962 char *user_dn
= NULL
;
963 struct dom_sid
*sids
;
965 struct dom_sid primary_group
;
966 uint32 primary_group_rid
;
967 NTSTATUS status
= NT_STATUS_UNSUCCESSFUL
;
968 uint32_t num_groups
= 0;
970 DEBUG(3,("ads: lookup_usergroups\n"));
973 status
= lookup_usergroups_cached(domain
, mem_ctx
, sid
,
974 p_num_groups
, user_sids
);
975 if (NT_STATUS_IS_OK(status
)) {
979 if ( !winbindd_can_contact_domain( domain
) ) {
980 DEBUG(10,("lookup_usergroups: No incoming trust for domain %s\n",
983 /* Tell the cache manager not to remember this one */
985 return NT_STATUS_SYNCHRONIZATION_REQUIRED
;
988 ads
= ads_cached_connection(domain
);
991 domain
->last_status
= NT_STATUS_SERVER_DISABLED
;
992 status
= NT_STATUS_SERVER_DISABLED
;
996 rc
= ads_search_retry_sid(ads
, &msg
, sid
, attrs
);
998 if (!ADS_ERR_OK(rc
)) {
999 status
= ads_ntstatus(rc
);
1000 DEBUG(1, ("lookup_usergroups(sid=%s) ads_search tokenGroups: "
1001 "%s\n", sid_string_dbg(sid
), ads_errstr(rc
)));
1005 count
= ads_count_replies(ads
, msg
);
1007 status
= NT_STATUS_UNSUCCESSFUL
;
1008 DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: "
1009 "invalid number of results (count=%d)\n",
1010 sid_string_dbg(sid
), count
));
1015 DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: NULL msg\n",
1016 sid_string_dbg(sid
)));
1017 status
= NT_STATUS_UNSUCCESSFUL
;
1021 user_dn
= ads_get_dn(ads
, mem_ctx
, msg
);
1022 if (user_dn
== NULL
) {
1023 status
= NT_STATUS_NO_MEMORY
;
1027 if (!ads_pull_uint32(ads
, msg
, "primaryGroupID", &primary_group_rid
)) {
1028 DEBUG(1,("%s: No primary group for sid=%s !?\n",
1029 domain
->name
, sid_string_dbg(sid
)));
1033 sid_compose(&primary_group
, &domain
->sid
, primary_group_rid
);
1035 count
= ads_pull_sids(ads
, mem_ctx
, msg
, "tokenGroups", &sids
);
1037 /* there must always be at least one group in the token,
1038 unless we are talking to a buggy Win2k server */
1040 /* actually this only happens when the machine account has no read
1041 * permissions on the tokenGroup attribute - gd */
1045 /* no tokenGroups */
1047 /* lookup what groups this user is a member of by DN search on
1050 status
= lookup_usergroups_memberof(domain
, mem_ctx
, user_dn
,
1052 &num_groups
, user_sids
);
1053 *p_num_groups
= num_groups
;
1054 if (NT_STATUS_IS_OK(status
)) {
1058 /* lookup what groups this user is a member of by DN search on
1061 status
= lookup_usergroups_member(domain
, mem_ctx
, user_dn
,
1063 &num_groups
, user_sids
);
1064 *p_num_groups
= num_groups
;
1071 status
= add_sid_to_array(mem_ctx
, &primary_group
, user_sids
,
1073 if (!NT_STATUS_IS_OK(status
)) {
1077 for (i
=0;i
<count
;i
++) {
1079 /* ignore Builtin groups from ADS - Guenther */
1080 if (sid_check_is_in_builtin(&sids
[i
])) {
1084 status
= add_sid_to_array_unique(mem_ctx
, &sids
[i
],
1085 user_sids
, &num_groups
);
1086 if (!NT_STATUS_IS_OK(status
)) {
1091 *p_num_groups
= (uint32
)num_groups
;
1092 status
= (*user_sids
!= NULL
) ? NT_STATUS_OK
: NT_STATUS_NO_MEMORY
;
1094 DEBUG(3,("ads lookup_usergroups (tokenGroups) succeeded for sid=%s\n",
1095 sid_string_dbg(sid
)));
1097 TALLOC_FREE(user_dn
);
1098 ads_msgfree(ads
, msg
);
1102 /* Lookup aliases a user is member of - use rpc methods */
1103 static NTSTATUS
lookup_useraliases(struct winbindd_domain
*domain
,
1104 TALLOC_CTX
*mem_ctx
,
1105 uint32 num_sids
, const struct dom_sid
*sids
,
1106 uint32
*num_aliases
, uint32
**alias_rids
)
1108 return reconnect_methods
.lookup_useraliases(domain
, mem_ctx
,
1115 find the members of a group, given a group rid and domain
1117 static NTSTATUS
lookup_groupmem(struct winbindd_domain
*domain
,
1118 TALLOC_CTX
*mem_ctx
,
1119 const struct dom_sid
*group_sid
,
1120 enum lsa_SidType type
,
1122 struct dom_sid
**sid_mem
, char ***names
,
1123 uint32
**name_types
)
1126 ADS_STRUCT
*ads
= NULL
;
1128 NTSTATUS status
= NT_STATUS_UNSUCCESSFUL
;
1130 char **members
= NULL
;
1132 size_t num_members
= 0;
1134 struct dom_sid
*sid_mem_nocache
= NULL
;
1135 char **names_nocache
= NULL
;
1136 enum lsa_SidType
*name_types_nocache
= NULL
;
1137 char **domains_nocache
= NULL
; /* only needed for rpccli_lsa_lookup_sids */
1138 uint32 num_nocache
= 0;
1139 TALLOC_CTX
*tmp_ctx
= NULL
;
1141 DEBUG(10,("ads: lookup_groupmem %s sid=%s\n", domain
->name
,
1142 sid_string_dbg(group_sid
)));
1146 tmp_ctx
= talloc_new(mem_ctx
);
1148 DEBUG(1, ("ads: lookup_groupmem: talloc failed\n"));
1149 status
= NT_STATUS_NO_MEMORY
;
1153 if ( !winbindd_can_contact_domain( domain
) ) {
1154 DEBUG(10,("lookup_groupmem: No incoming trust for domain %s\n",
1156 return NT_STATUS_OK
;
1159 ads
= ads_cached_connection(domain
);
1162 domain
->last_status
= NT_STATUS_SERVER_DISABLED
;
1166 if ((sidbinstr
= ldap_encode_ndr_dom_sid(talloc_tos(), group_sid
)) == NULL
) {
1167 status
= NT_STATUS_NO_MEMORY
;
1171 /* search for all members of the group */
1172 ldap_exp
= talloc_asprintf(tmp_ctx
, "(objectSid=%s)", sidbinstr
);
1173 TALLOC_FREE(sidbinstr
);
1174 if (ldap_exp
== NULL
) {
1175 DEBUG(1, ("ads: lookup_groupmem: talloc_asprintf for ldap_exp failed!\n"));
1176 status
= NT_STATUS_NO_MEMORY
;
1180 args
.control
= ADS_EXTENDED_DN_OID
;
1181 args
.val
= ADS_EXTENDED_DN_HEX_STRING
;
1182 args
.critical
= True
;
1184 rc
= ads_ranged_search(ads
, tmp_ctx
, LDAP_SCOPE_SUBTREE
, ads
->config
.bind_path
,
1185 ldap_exp
, &args
, "member", &members
, &num_members
);
1187 if (!ADS_ERR_OK(rc
)) {
1188 DEBUG(0,("ads_ranged_search failed with: %s\n", ads_errstr(rc
)));
1189 status
= NT_STATUS_UNSUCCESSFUL
;
1193 DEBUG(10, ("ads lookup_groupmem: got %d sids via extended dn call\n", (int)num_members
));
1195 /* Now that we have a list of sids, we need to get the
1196 * lists of names and name_types belonging to these sids.
1197 * even though conceptually not quite clean, we use the
1198 * RPC call lsa_lookup_sids for this since it can handle a
1199 * list of sids. ldap calls can just resolve one sid at a time.
1201 * At this stage, the sids are still hidden in the exetended dn
1202 * member output format. We actually do a little better than
1203 * stated above: In extracting the sids from the member strings,
1204 * we try to resolve as many sids as possible from the
1205 * cache. Only the rest is passed to the lsa_lookup_sids call. */
1208 (*sid_mem
) = talloc_zero_array(mem_ctx
, struct dom_sid
, num_members
);
1209 (*names
) = talloc_zero_array(mem_ctx
, char *, num_members
);
1210 (*name_types
) = talloc_zero_array(mem_ctx
, uint32
, num_members
);
1211 (sid_mem_nocache
) = talloc_zero_array(tmp_ctx
, struct dom_sid
, num_members
);
1213 if ((members
== NULL
) || (*sid_mem
== NULL
) ||
1214 (*names
== NULL
) || (*name_types
== NULL
) ||
1215 (sid_mem_nocache
== NULL
))
1217 DEBUG(1, ("ads: lookup_groupmem: talloc failed\n"));
1218 status
= NT_STATUS_NO_MEMORY
;
1225 (*name_types
) = NULL
;
1228 for (i
=0; i
<num_members
; i
++) {
1229 enum lsa_SidType name_type
;
1230 char *name
, *domain_name
;
1233 rc
= ads_get_sid_from_extended_dn(tmp_ctx
, members
[i
], args
.val
,
1235 if (!ADS_ERR_OK(rc
)) {
1236 if (NT_STATUS_EQUAL(ads_ntstatus(rc
),
1237 NT_STATUS_NOT_FOUND
)) {
1238 /* Group members can be objects, like Exchange
1239 * Public Folders, that don't have a SID. Skip
1244 status
= ads_ntstatus(rc
);
1248 if (lookup_cached_sid(mem_ctx
, &sid
, &domain_name
, &name
,
1250 DEBUG(10,("ads: lookup_groupmem: got sid %s from "
1251 "cache\n", sid_string_dbg(&sid
)));
1252 sid_copy(&(*sid_mem
)[*num_names
], &sid
);
1253 (*names
)[*num_names
] = fill_domain_username_talloc(
1259 (*name_types
)[*num_names
] = name_type
;
1263 DEBUG(10, ("ads: lookup_groupmem: sid %s not found in "
1264 "cache\n", sid_string_dbg(&sid
)));
1265 sid_copy(&(sid_mem_nocache
)[num_nocache
], &sid
);
1270 DEBUG(10, ("ads: lookup_groupmem: %d sids found in cache, "
1271 "%d left for lsa_lookupsids\n", *num_names
, num_nocache
));
1273 /* handle sids not resolved from cache by lsa_lookup_sids */
1274 if (num_nocache
> 0) {
1276 status
= winbindd_lookup_sids(tmp_ctx
,
1282 &name_types_nocache
);
1284 if (!(NT_STATUS_IS_OK(status
) ||
1285 NT_STATUS_EQUAL(status
, STATUS_SOME_UNMAPPED
) ||
1286 NT_STATUS_EQUAL(status
, NT_STATUS_NONE_MAPPED
)))
1288 DEBUG(1, ("lsa_lookupsids call failed with %s "
1289 "- retrying...\n", nt_errstr(status
)));
1291 status
= winbindd_lookup_sids(tmp_ctx
,
1297 &name_types_nocache
);
1300 if (NT_STATUS_IS_OK(status
) ||
1301 NT_STATUS_EQUAL(status
, STATUS_SOME_UNMAPPED
))
1303 /* Copy the entries over from the "_nocache" arrays
1304 * to the result arrays, skipping the gaps the
1305 * lookup_sids call left. */
1306 for (i
=0; i
< num_nocache
; i
++) {
1307 if (((names_nocache
)[i
] != NULL
) &&
1308 ((name_types_nocache
)[i
] != SID_NAME_UNKNOWN
))
1310 sid_copy(&(*sid_mem
)[*num_names
],
1311 &sid_mem_nocache
[i
]);
1312 (*names
)[*num_names
] =
1313 fill_domain_username_talloc(
1318 (*name_types
)[*num_names
] = name_types_nocache
[i
];
1323 else if (NT_STATUS_EQUAL(status
, NT_STATUS_NONE_MAPPED
)) {
1324 DEBUG(10, ("lookup_groupmem: lsa_lookup_sids could "
1325 "not map any SIDs at all.\n"));
1326 /* Don't handle this as an error here.
1327 * There is nothing left to do with respect to the
1328 * overall result... */
1330 else if (!NT_STATUS_IS_OK(status
)) {
1331 DEBUG(10, ("lookup_groupmem: Error looking up %d "
1332 "sids via rpc_lsa_lookup_sids: %s\n",
1333 (int)num_members
, nt_errstr(status
)));
1338 status
= NT_STATUS_OK
;
1339 DEBUG(3,("ads lookup_groupmem for sid=%s succeeded\n",
1340 sid_string_dbg(group_sid
)));
1344 TALLOC_FREE(tmp_ctx
);
1349 /* find the sequence number for a domain */
1350 static NTSTATUS
sequence_number(struct winbindd_domain
*domain
, uint32
*seq
)
1352 ADS_STRUCT
*ads
= NULL
;
1355 DEBUG(3,("ads: fetch sequence_number for %s\n", domain
->name
));
1357 if ( !winbindd_can_contact_domain( domain
) ) {
1358 DEBUG(10,("sequence: No incoming trust for domain %s\n",
1361 return NT_STATUS_OK
;
1364 *seq
= DOM_SEQUENCE_NONE
;
1366 ads
= ads_cached_connection(domain
);
1369 domain
->last_status
= NT_STATUS_SERVER_DISABLED
;
1370 return NT_STATUS_UNSUCCESSFUL
;
1373 rc
= ads_USN(ads
, seq
);
1375 if (!ADS_ERR_OK(rc
)) {
1377 /* its a dead connection, destroy it */
1379 if (domain
->private_data
) {
1380 ads
= (ADS_STRUCT
*)domain
->private_data
;
1381 ads
->is_mine
= True
;
1383 ads_kdestroy(WINBIND_CCACHE_NAME
);
1384 domain
->private_data
= NULL
;
1387 return ads_ntstatus(rc
);
1390 /* find the lockout policy of a domain - use rpc methods */
1391 static NTSTATUS
lockout_policy(struct winbindd_domain
*domain
,
1392 TALLOC_CTX
*mem_ctx
,
1393 struct samr_DomInfo12
*policy
)
1395 return reconnect_methods
.lockout_policy(domain
, mem_ctx
, policy
);
1398 /* find the password policy of a domain - use rpc methods */
1399 static NTSTATUS
password_policy(struct winbindd_domain
*domain
,
1400 TALLOC_CTX
*mem_ctx
,
1401 struct samr_DomInfo1
*policy
)
1403 return reconnect_methods
.password_policy(domain
, mem_ctx
, policy
);
1406 /* get a list of trusted domains */
1407 static NTSTATUS
trusted_domains(struct winbindd_domain
*domain
,
1408 TALLOC_CTX
*mem_ctx
,
1409 struct netr_DomainTrustList
*trusts
)
1411 NTSTATUS result
= NT_STATUS_UNSUCCESSFUL
;
1415 struct rpc_pipe_client
*cli
;
1417 struct dcerpc_binding_handle
*b
;
1419 DEBUG(3,("ads: trusted_domains\n"));
1421 ZERO_STRUCTP(trusts
);
1423 /* If this is our primary domain or a root in our forest,
1424 query for all trusts. If not, then just look for domain
1425 trusts in the target forest */
1427 if (domain
->primary
|| domain_is_forest_root(domain
)) {
1428 flags
= NETR_TRUST_FLAG_OUTBOUND
|
1429 NETR_TRUST_FLAG_INBOUND
|
1430 NETR_TRUST_FLAG_IN_FOREST
;
1432 flags
= NETR_TRUST_FLAG_IN_FOREST
;
1435 result
= cm_connect_netlogon(domain
, &cli
);
1437 if (!NT_STATUS_IS_OK(result
)) {
1438 DEBUG(5, ("trusted_domains: Could not open a connection to %s "
1439 "for PIPE_NETLOGON (%s)\n",
1440 domain
->name
, nt_errstr(result
)));
1441 return NT_STATUS_UNSUCCESSFUL
;
1444 b
= cli
->binding_handle
;
1446 result
= dcerpc_netr_DsrEnumerateDomainTrusts(b
, mem_ctx
,
1451 if (!NT_STATUS_IS_OK(result
)) {
1455 if (!W_ERROR_IS_OK(werr
)) {
1456 return werror_to_ntstatus(werr
);
1458 if (trusts
->count
== 0) {
1459 return NT_STATUS_OK
;
1462 /* Copy across names and sids */
1465 for (i
= 0; i
< trusts
->count
; i
++) {
1466 struct netr_DomainTrust
*trust
= &trusts
->array
[i
];
1467 struct winbindd_domain d
;
1472 * drop external trusts if this is not our primary
1473 * domain. This means that the returned number of
1474 * domains may be less that the ones actually trusted
1478 if ((trust
->trust_attributes
1479 == NETR_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN
) &&
1482 DEBUG(10,("trusted_domains: Skipping external trusted "
1483 "domain %s because it is outside of our "
1485 trust
->netbios_name
));
1489 /* add to the trusted domain cache */
1491 d
.name
= discard_const_p(char, trust
->netbios_name
);
1492 d
.alt_name
= discard_const_p(char, trust
->dns_name
);
1495 sid_copy(&d
.sid
, trust
->sid
);
1497 sid_copy(&d
.sid
, &global_sid_NULL
);
1500 if ( domain
->primary
) {
1501 DEBUG(10,("trusted_domains(ads): Searching "
1502 "trusted domain list of %s and storing "
1503 "trust flags for domain %s\n",
1504 domain
->name
, d
.alt_name
));
1506 d
.domain_flags
= trust
->trust_flags
;
1507 d
.domain_type
= trust
->trust_type
;
1508 d
.domain_trust_attribs
= trust
->trust_attributes
;
1510 wcache_tdc_add_domain( &d
);
1512 } else if (domain_is_forest_root(domain
)) {
1513 /* Check if we already have this record. If
1514 * we are following our forest root that is not
1515 * our primary domain, we want to keep trust
1516 * flags from the perspective of our primary
1517 * domain not our forest root. */
1518 struct winbindd_tdc_domain
*exist
= NULL
;
1520 exist
= wcache_tdc_fetch_domain(
1521 talloc_tos(), trust
->netbios_name
);
1523 DEBUG(10,("trusted_domains(ads): Searching "
1524 "trusted domain list of %s and "
1525 "storing trust flags for domain "
1526 "%s\n", domain
->name
, d
.alt_name
));
1527 d
.domain_flags
= trust
->trust_flags
;
1528 d
.domain_type
= trust
->trust_type
;
1529 d
.domain_trust_attribs
=
1530 trust
->trust_attributes
;
1532 wcache_tdc_add_domain( &d
);
1537 /* This gets a little tricky. If we are
1538 following a transitive forest trust, then
1539 innerit the flags, type, and attribs from
1540 the domain we queried to make sure we don't
1541 record the view of the trust from the wrong
1542 side. Always view it from the side of our
1543 primary domain. --jerry */
1544 struct winbindd_tdc_domain
*parent
= NULL
;
1546 DEBUG(10,("trusted_domains(ads): Searching "
1547 "trusted domain list of %s and inheriting "
1548 "trust flags for domain %s\n",
1549 domain
->name
, d
.alt_name
));
1551 parent
= wcache_tdc_fetch_domain(talloc_tos(),
1554 d
.domain_flags
= parent
->trust_flags
;
1555 d
.domain_type
= parent
->trust_type
;
1556 d
.domain_trust_attribs
= parent
->trust_attribs
;
1558 d
.domain_flags
= domain
->domain_flags
;
1559 d
.domain_type
= domain
->domain_type
;
1560 d
.domain_trust_attribs
=
1561 domain
->domain_trust_attribs
;
1563 TALLOC_FREE(parent
);
1565 wcache_tdc_add_domain( &d
);
1572 /* the ADS backend methods are exposed via this structure */
1573 struct winbindd_methods ads_methods
= {