search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
winbindd: force netlogon reauth for certain errors in reset_cm_connection_on_error()
[Samba.git] / source3 / winbindd / winbindd_ads.c
blob725fa4ff97776a5dccb7a6ca3425b65b109f0756
1 /*
2 Unix SMB/CIFS implementation.
3
4 Winbind ADS backend functions
5
6 Copyright (C) Andrew Tridgell 2001
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003
8 Copyright (C) Gerald (Jerry) Carter 2004
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "winbindd.h"
26 #include "winbindd_ads.h"
27 #include "rpc_client/rpc_client.h"
28 #include "../librpc/gen_ndr/ndr_netlogon_c.h"
29 #include "../libds/common/flags.h"
30 #include "ads.h"
31 #include "../libcli/ldap/ldap_ndr.h"
32 #include "../libcli/security/security.h"
33 #include "../libds/common/flag_mapping.h"
34 #include "libsmb/samlogon_cache.h"
35 #include "passdb.h"
36
37 #ifdef HAVE_ADS
38
39 #undef DBGC_CLASS
40 #define DBGC_CLASS DBGC_WINBIND
41
42 extern struct winbindd_methods reconnect_methods;
43 extern struct winbindd_methods msrpc_methods;
44
45 #define WINBIND_CCACHE_NAME "MEMORY:winbind_ccache"
46
47 /**
48 * Check if cached connection can be reused. If the connection cannot
49 * be reused the ADS_STRUCT is freed and the pointer is set to NULL.
50 */
51 static void ads_cached_connection_reuse(ADS_STRUCT **adsp)
52 {
53
54 ADS_STRUCT *ads = *adsp;
55
56 if (ads != NULL) {
57 time_t expire;
58 time_t now = time(NULL);
59
60 expire = MIN(ads->auth.tgt_expire, ads->auth.tgs_expire);
61
62 DEBUG(7, ("Current tickets expire in %d seconds (at %d, time "
63 "is now %d)\n", (uint32_t)expire - (uint32_t)now,
64 (uint32_t) expire, (uint32_t) now));
65
66 if ( ads->config.realm && (expire > now)) {
67 return;
68 } else {
69 /* we own this ADS_STRUCT so make sure it goes away */
70 DEBUG(7,("Deleting expired krb5 credential cache\n"));
71 ads->is_mine = True;
72 ads_destroy( &ads );
73 ads_kdestroy(WINBIND_CCACHE_NAME);
74 *adsp = NULL;
75 }
76 }
77 }
78
79 /**
80 * @brief Establish a connection to a DC
81 *
82 * @param[out] adsp ADS_STRUCT that will be created
83 * @param[in] target_realm Realm of domain to connect to
84 * @param[in] target_dom_name 'workgroup' name of domain to connect to
85 * @param[in] ldap_server DNS name of server to connect to
86 * @param[in] password Our machine acount secret
87 * @param[in] auth_realm Realm of local domain for creating krb token
88 * @param[in] renewable Renewable ticket time
89 *
90 * @return ADS_STATUS
91 */
92 static ADS_STATUS ads_cached_connection_connect(ADS_STRUCT **adsp,
93 const char *target_realm,
94 const char *target_dom_name,
95 const char *ldap_server,
96 char *password,
97 char *auth_realm,
98 time_t renewable)
99 {
100 ADS_STRUCT *ads;
101 ADS_STATUS status;
102 struct sockaddr_storage dc_ss;
103 fstring dc_name;
104
105 if (auth_realm == NULL) {
106 return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
107 }
108
109 /* we don't want this to affect the users ccache */
110 setenv("KRB5CCNAME", WINBIND_CCACHE_NAME, 1);
111
112 ads = ads_init(target_realm, target_dom_name, ldap_server);
113 if (!ads) {
114 DEBUG(1,("ads_init for domain %s failed\n", target_dom_name));
115 return ADS_ERROR(LDAP_NO_MEMORY);
116 }
117
118 SAFE_FREE(ads->auth.password);
119 SAFE_FREE(ads->auth.realm);
120
121 ads->auth.renewable = renewable;
122 ads->auth.password = password;
123
124 ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
125
126 ads->auth.realm = SMB_STRDUP(auth_realm);
127 if (!strupper_m(ads->auth.realm)) {
128 ads_destroy(&ads);
129 return ADS_ERROR_NT(NT_STATUS_INTERNAL_ERROR);
130 }
131
132 /* Setup the server affinity cache. We don't reaally care
133 about the name. Just setup affinity and the KRB5_CONFIG
134 file. */
135 get_dc_name(ads->server.workgroup, ads->server.realm, dc_name, &dc_ss);
136
137 status = ads_connect(ads);
138 if (!ADS_ERR_OK(status)) {
139 DEBUG(1,("ads_connect for domain %s failed: %s\n",
140 target_dom_name, ads_errstr(status)));
141 ads_destroy(&ads);
142 return status;
143 }
144
145 /* set the flag that says we don't own the memory even
146 though we do so that ads_destroy() won't destroy the
147 structure we pass back by reference */
148
149 ads->is_mine = False;
150
151 *adsp = ads;
152
153 return status;
154 }
155
156 ADS_STATUS ads_idmap_cached_connection(ADS_STRUCT **adsp, const char *dom_name)
157 {
158 char *ldap_server, *realm, *password;
159 struct winbindd_domain *wb_dom;
160 ADS_STATUS status;
161
162 if (IS_AD_DC) {
163 /*
164 * Make sure we never try to use LDAP against
165 * a trusted domain as AD DC.
166 */
167 return ADS_ERROR_NT(NT_STATUS_REQUEST_NOT_ACCEPTED);
168 }
169
170 ads_cached_connection_reuse(adsp);
171 if (*adsp != NULL) {
172 return ADS_SUCCESS;
173 }
174
175 /*
176 * At this point we only have the NetBIOS domain name.
177 * Check if we can get server nam and realm from SAF cache
178 * and the domain list.
179 */
180 ldap_server = saf_fetch(talloc_tos(), dom_name);
181 DEBUG(10, ("ldap_server from saf cache: '%s'\n",
182 ldap_server ? ldap_server : ""));
183
184 wb_dom = find_domain_from_name(dom_name);
185 if (wb_dom == NULL) {
186 DEBUG(10, ("could not find domain '%s'\n", dom_name));
187 return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
188 }
189
190 DEBUG(10, ("find_domain_from_name found realm '%s' for "
191 " domain '%s'\n", wb_dom->alt_name, dom_name));
192
193 if (!get_trust_pw_clear(dom_name, &password, NULL, NULL)) {
194 TALLOC_FREE(ldap_server);
195 return ADS_ERROR_NT(NT_STATUS_CANT_ACCESS_DOMAIN_INFO);
196 }
197
198 if (IS_DC) {
199 SMB_ASSERT(wb_dom->alt_name != NULL);
200 realm = SMB_STRDUP(wb_dom->alt_name);
201 } else {
202 struct winbindd_domain *our_domain = wb_dom;
203
204 /* always give preference to the alt_name in our
205 primary domain if possible */
206
207 if (!wb_dom->primary) {
208 our_domain = find_our_domain();
209 }
210
211 if (our_domain->alt_name != NULL) {
212 realm = SMB_STRDUP(our_domain->alt_name);
213 } else {
214 realm = SMB_STRDUP(lp_realm());
215 }
216 }
217
218 status = ads_cached_connection_connect(
219 adsp, /* Returns ads struct. */
220 wb_dom->alt_name, /* realm to connect to. */
221 dom_name, /* 'workgroup' name for ads_init */
222 ldap_server, /* DNS name to connect to. */
223 password, /* password for auth realm. */
224 realm, /* realm used for krb5 ticket. */
225 0); /* renewable ticket time. */
226
227 SAFE_FREE(realm);
228 TALLOC_FREE(ldap_server);
229
230 return status;
231 }
232
233 /*
234 return our ads connections structure for a domain. We keep the connection
235 open to make things faster
236 */
237 static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain)
238 {
239 ADS_STATUS status;
240 char *password, *realm;
241
242 if (IS_AD_DC) {
243 /*
244 * Make sure we never try to use LDAP against
245 * a trusted domain as AD DC.
246 */
247 return NULL;
248 }
249
250 DEBUG(10,("ads_cached_connection\n"));
251 ads_cached_connection_reuse((ADS_STRUCT **)&domain->private_data);
252
253 if (domain->private_data) {
254 return (ADS_STRUCT *)domain->private_data;
255 }
256
257 /* the machine acct password might have change - fetch it every time */
258
259 if (!get_trust_pw_clear(domain->name, &password, NULL, NULL)) {
260 return NULL;
261 }
262
263 if ( IS_DC ) {
264 SMB_ASSERT(domain->alt_name != NULL);
265 realm = SMB_STRDUP(domain->alt_name);
266 }
267 else {
268 struct winbindd_domain *our_domain = domain;
269
270
271 /* always give preference to the alt_name in our
272 primary domain if possible */
273
274 if ( !domain->primary )
275 our_domain = find_our_domain();
276
277 if (our_domain->alt_name != NULL) {
278 realm = SMB_STRDUP( our_domain->alt_name );
279 }
280 else
281 realm = SMB_STRDUP( lp_realm() );
282 }
283
284 status = ads_cached_connection_connect(
285 (ADS_STRUCT **)&domain->private_data,
286 domain->alt_name,
287 domain->name, NULL,
288 password, realm,
289 WINBINDD_PAM_AUTH_KRB5_RENEW_TIME);
290 SAFE_FREE(realm);
291
292 if (!ADS_ERR_OK(status)) {
293 /* if we get ECONNREFUSED then it might be a NT4
294 server, fall back to MSRPC */
295 if (status.error_type == ENUM_ADS_ERROR_SYSTEM &&
296 status.err.rc == ECONNREFUSED) {
297 /* 'reconnect_methods' is the MS-RPC backend. */
298 DEBUG(1,("Trying MSRPC methods\n"));
299 domain->backend = &reconnect_methods;
300 }
301 return NULL;
302 }
303
304 return (ADS_STRUCT *)domain->private_data;
305 }
306
307 /* Query display info for a realm. This is the basic user list fn */
308 static NTSTATUS query_user_list(struct winbindd_domain *domain,
309 TALLOC_CTX *mem_ctx,
310 uint32_t **prids)
311 {
312 ADS_STRUCT *ads = NULL;
313 const char *attrs[] = { "sAMAccountType", "objectSid", NULL };
314 int count;
315 uint32_t *rids = NULL;
316 ADS_STATUS rc;
317 LDAPMessage *res = NULL;
318 LDAPMessage *msg = NULL;
319 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
320
321 DEBUG(3,("ads: query_user_list\n"));
322
323 if ( !winbindd_can_contact_domain( domain ) ) {
324 DEBUG(10,("query_user_list: No incoming trust for domain %s\n",
325 domain->name));
326 return NT_STATUS_OK;
327 }
328
329 ads = ads_cached_connection(domain);
330
331 if (!ads) {
332 domain->last_status = NT_STATUS_SERVER_DISABLED;
333 goto done;
334 }
335
336 rc = ads_search_retry(ads, &res, "(objectCategory=user)", attrs);
337 if (!ADS_ERR_OK(rc)) {
338 DEBUG(1,("query_user_list ads_search: %s\n", ads_errstr(rc)));
339 status = ads_ntstatus(rc);
340 goto done;
341 } else if (!res) {
342 DEBUG(1,("query_user_list ads_search returned NULL res\n"));
343 goto done;
344 }
345
346 count = ads_count_replies(ads, res);
347 if (count == 0) {
348 DEBUG(1,("query_user_list: No users found\n"));
349 goto done;
350 }
351
352 rids = talloc_zero_array(mem_ctx, uint32_t, count);
353 if (rids == NULL) {
354 status = NT_STATUS_NO_MEMORY;
355 goto done;
356 }
357
358 count = 0;
359
360 for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
361 struct dom_sid user_sid;
362 uint32_t atype;
363 bool ok;
364
365 ok = ads_pull_uint32(ads, msg, "sAMAccountType", &atype);
366 if (!ok) {
367 DBG_INFO("Object lacks sAMAccountType attribute\n");
368 continue;
369 }
370 if (ds_atype_map(atype) != SID_NAME_USER) {
371 DBG_INFO("Not a user account? atype=0x%x\n", atype);
372 continue;
373 }
374
375 if (!ads_pull_sid(ads, msg, "objectSid", &user_sid)) {
376 char *dn = ads_get_dn(ads, talloc_tos(), msg);
377 DBG_INFO("No sid for %s !?\n", dn);
378 TALLOC_FREE(dn);
379 continue;
380 }
381
382 if (!dom_sid_in_domain(&domain->sid, &user_sid)) {
383 fstring sidstr, domstr;
384 DBG_WARNING("Got sid %s in domain %s\n",
385 sid_to_fstring(sidstr, &user_sid),
386 sid_to_fstring(domstr, &domain->sid));
387 continue;
388 }
389
390 sid_split_rid(&user_sid, &rids[count]);
391 count += 1;
392 }
393
394 rids = talloc_realloc(mem_ctx, rids, uint32_t, count);
395 if (prids != NULL) {
396 *prids = rids;
397 }
398
399 status = NT_STATUS_OK;
400
401 DBG_NOTICE("ads query_user_list gave %d entries\n", count);
402
403 done:
404 return status;
405 }
406
407 /* list all domain groups */
408 static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
409 TALLOC_CTX *mem_ctx,
410 uint32_t *num_entries,
411 struct wb_acct_info **info)
412 {
413 ADS_STRUCT *ads = NULL;
414 const char *attrs[] = {"userPrincipalName", "sAMAccountName",
415 "name", "objectSid", NULL};
416 int i, count;
417 ADS_STATUS rc;
418 LDAPMessage *res = NULL;
419 LDAPMessage *msg = NULL;
420 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
421 const char *filter;
422 bool enum_dom_local_groups = False;
423
424 *num_entries = 0;
425
426 DEBUG(3,("ads: enum_dom_groups\n"));
427
428 if ( !winbindd_can_contact_domain( domain ) ) {
429 DEBUG(10,("enum_dom_groups: No incoming trust for domain %s\n",
430 domain->name));
431 return NT_STATUS_OK;
432 }
433
434 /* only grab domain local groups for our domain */
435 if ( domain->active_directory && strequal(lp_realm(), domain->alt_name) ) {
436 enum_dom_local_groups = True;
437 }
438
439 /* Workaround ADS LDAP bug present in MS W2K3 SP0 and W2K SP4 w/o
440 * rollup-fixes:
441 *
442 * According to Section 5.1(4) of RFC 2251 if a value of a type is it's
443 * default value, it MUST be absent. In case of extensible matching the
444 * "dnattr" boolean defaults to FALSE and so it must be only be present
445 * when set to TRUE.
446 *
447 * When it is set to FALSE and the OpenLDAP lib (correctly) encodes a
448 * filter using bitwise matching rule then the buggy AD fails to decode
449 * the extensible match. As a workaround set it to TRUE and thereby add
450 * the dnAttributes "dn" field to cope with those older AD versions.
451 * It should not harm and won't put any additional load on the AD since
452 * none of the dn components have a bitmask-attribute.
453 *
454 * Thanks to Ralf Haferkamp for input and testing - Guenther */
455
456 filter = talloc_asprintf(mem_ctx, "(&(objectCategory=group)(&(groupType:dn:%s:=%d)(!(groupType:dn:%s:=%d))))",
457 ADS_LDAP_MATCHING_RULE_BIT_AND, GROUP_TYPE_SECURITY_ENABLED,
458 ADS_LDAP_MATCHING_RULE_BIT_AND,
459 enum_dom_local_groups ? GROUP_TYPE_BUILTIN_LOCAL_GROUP : GROUP_TYPE_RESOURCE_GROUP);
460
461 if (filter == NULL) {
462 status = NT_STATUS_NO_MEMORY;
463 goto done;
464 }
465
466 ads = ads_cached_connection(domain);
467
468 if (!ads) {
469 domain->last_status = NT_STATUS_SERVER_DISABLED;
470 goto done;
471 }
472
473 rc = ads_search_retry(ads, &res, filter, attrs);
474 if (!ADS_ERR_OK(rc)) {
475 status = ads_ntstatus(rc);
476 DEBUG(1,("enum_dom_groups ads_search: %s\n", ads_errstr(rc)));
477 goto done;
478 } else if (!res) {
479 DEBUG(1,("enum_dom_groups ads_search returned NULL res\n"));
480 goto done;
481 }
482
483 count = ads_count_replies(ads, res);
484 if (count == 0) {
485 DEBUG(1,("enum_dom_groups: No groups found\n"));
486 goto done;
487 }
488
489 (*info) = talloc_zero_array(mem_ctx, struct wb_acct_info, count);
490 if (!*info) {
491 status = NT_STATUS_NO_MEMORY;
492 goto done;
493 }
494
495 i = 0;
496
497 for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
498 char *name, *gecos;
499 struct dom_sid sid;
500 uint32_t rid;
501
502 name = ads_pull_username(ads, mem_ctx, msg);
503 gecos = ads_pull_string(ads, mem_ctx, msg, "name");
504 if (!ads_pull_sid(ads, msg, "objectSid", &sid)) {
505 DEBUG(1,("No sid for %s !?\n", name));
506 continue;
507 }
508
509 if (!sid_peek_check_rid(&domain->sid, &sid, &rid)) {
510 DEBUG(1,("No rid for %s !?\n", name));
511 continue;
512 }
513
514 fstrcpy((*info)[i].acct_name, name);
515 fstrcpy((*info)[i].acct_desc, gecos);
516 (*info)[i].rid = rid;
517 i++;
518 }
519
520 (*num_entries) = i;
521
522 status = NT_STATUS_OK;
523
524 DEBUG(3,("ads enum_dom_groups gave %d entries\n", (*num_entries)));
525
526 done:
527 if (res)
528 ads_msgfree(ads, res);
529
530 return status;
531 }
532
533 /* list all domain local groups */
534 static NTSTATUS enum_local_groups(struct winbindd_domain *domain,
535 TALLOC_CTX *mem_ctx,
536 uint32_t *num_entries,
537 struct wb_acct_info **info)
538 {
539 /*
540 * This is a stub function only as we returned the domain
541 * local groups in enum_dom_groups() if the domain->native field
542 * was true. This is a simple performance optimization when
543 * using LDAP.
544 *
545 * if we ever need to enumerate domain local groups separately,
546 * then this optimization in enum_dom_groups() will need
547 * to be split out
548 */
549 *num_entries = 0;
550
551 return NT_STATUS_OK;
552 }
553
554 /* convert a single name to a sid in a domain - use rpc methods */
555 static NTSTATUS name_to_sid(struct winbindd_domain *domain,
556 TALLOC_CTX *mem_ctx,
557 const char *domain_name,
558 const char *name,
559 uint32_t flags,
560 struct dom_sid *sid,
561 enum lsa_SidType *type)
562 {
563 return msrpc_methods.name_to_sid(domain, mem_ctx, domain_name, name,
564 flags, sid, type);
565 }
566
567 /* convert a domain SID to a user or group name - use rpc methods */
568 static NTSTATUS sid_to_name(struct winbindd_domain *domain,
569 TALLOC_CTX *mem_ctx,
570 const struct dom_sid *sid,
571 char **domain_name,
572 char **name,
573 enum lsa_SidType *type)
574 {
575 return msrpc_methods.sid_to_name(domain, mem_ctx, sid,
576 domain_name, name, type);
577 }
578
579 /* convert a list of rids to names - use rpc methods */
580 static NTSTATUS rids_to_names(struct winbindd_domain *domain,
581 TALLOC_CTX *mem_ctx,
582 const struct dom_sid *sid,
583 uint32_t *rids,
584 size_t num_rids,
585 char **domain_name,
586 char ***names,
587 enum lsa_SidType **types)
588 {
589 return msrpc_methods.rids_to_names(domain, mem_ctx, sid,
590 rids, num_rids,
591 domain_name, names, types);
592 }
593
594 /* Lookup groups a user is a member of - alternate method, for when
595 tokenGroups are not available. */
596 static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain,
597 TALLOC_CTX *mem_ctx,
598 const char *user_dn,
599 struct dom_sid *primary_group,
600 uint32_t *p_num_groups, struct dom_sid **user_sids)
601 {
602 ADS_STATUS rc;
603 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
604 int count;
605 LDAPMessage *res = NULL;
606 LDAPMessage *msg = NULL;
607 char *ldap_exp;
608 ADS_STRUCT *ads;
609 const char *group_attrs[] = {"objectSid", NULL};
610 char *escaped_dn;
611 uint32_t num_groups = 0;
612
613 DEBUG(3,("ads: lookup_usergroups_member\n"));
614
615 if ( !winbindd_can_contact_domain( domain ) ) {
616 DEBUG(10,("lookup_usergroups_members: No incoming trust for domain %s\n",
617 domain->name));
618 return NT_STATUS_OK;
619 }
620
621 ads = ads_cached_connection(domain);
622
623 if (!ads) {
624 domain->last_status = NT_STATUS_SERVER_DISABLED;
625 goto done;
626 }
627
628 if (!(escaped_dn = escape_ldap_string(talloc_tos(), user_dn))) {
629 status = NT_STATUS_NO_MEMORY;
630 goto done;
631 }
632
633 ldap_exp = talloc_asprintf(mem_ctx,
634 "(&(member=%s)(objectCategory=group)(groupType:dn:%s:=%d))",
635 escaped_dn,
636 ADS_LDAP_MATCHING_RULE_BIT_AND,
637 GROUP_TYPE_SECURITY_ENABLED);
638 if (!ldap_exp) {
639 DEBUG(1,("lookup_usergroups(dn=%s) asprintf failed!\n", user_dn));
640 TALLOC_FREE(escaped_dn);
641 status = NT_STATUS_NO_MEMORY;
642 goto done;
643 }
644
645 TALLOC_FREE(escaped_dn);
646
647 rc = ads_search_retry(ads, &res, ldap_exp, group_attrs);
648
649 if (!ADS_ERR_OK(rc)) {
650 DEBUG(1,("lookup_usergroups ads_search member=%s: %s\n", user_dn, ads_errstr(rc)));
651 return ads_ntstatus(rc);
652 } else if (!res) {
653 DEBUG(1,("lookup_usergroups ads_search returned NULL res\n"));
654 return NT_STATUS_INTERNAL_ERROR;
655 }
656
657
658 count = ads_count_replies(ads, res);
659
660 *user_sids = NULL;
661 num_groups = 0;
662
663 /* always add the primary group to the sid array */
664 status = add_sid_to_array(mem_ctx, primary_group, user_sids,
665 &num_groups);
666 if (!NT_STATUS_IS_OK(status)) {
667 goto done;
668 }
669
670 if (count > 0) {
671 for (msg = ads_first_entry(ads, res); msg;
672 msg = ads_next_entry(ads, msg)) {
673 struct dom_sid group_sid;
674
675 if (!ads_pull_sid(ads, msg, "objectSid", &group_sid)) {
676 DEBUG(1,("No sid for this group ?!?\n"));
677 continue;
678 }
679
680 /* ignore Builtin groups from ADS - Guenther */
681 if (sid_check_is_in_builtin(&group_sid)) {
682 continue;
683 }
684
685 status = add_sid_to_array(mem_ctx, &group_sid,
686 user_sids, &num_groups);
687 if (!NT_STATUS_IS_OK(status)) {
688 goto done;
689 }
690 }
691
692 }
693
694 *p_num_groups = num_groups;
695 status = (user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
696
697 DEBUG(3,("ads lookup_usergroups (member) succeeded for dn=%s\n", user_dn));
698 done:
699 if (res)
700 ads_msgfree(ads, res);
701
702 return status;
703 }
704
705 /* Lookup groups a user is a member of - alternate method, for when
706 tokenGroups are not available. */
707 static NTSTATUS lookup_usergroups_memberof(struct winbindd_domain *domain,
708 TALLOC_CTX *mem_ctx,
709 const char *user_dn,
710 struct dom_sid *primary_group,
711 uint32_t *p_num_groups,
712 struct dom_sid **user_sids)
713 {
714 ADS_STATUS rc;
715 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
716 ADS_STRUCT *ads;
717 const char *attrs[] = {"memberOf", NULL};
718 uint32_t num_groups = 0;
719 struct dom_sid *group_sids = NULL;
720 int i;
721 char **strings = NULL;
722 size_t num_strings = 0, num_sids = 0;
723
724
725 DEBUG(3,("ads: lookup_usergroups_memberof\n"));
726
727 if ( !winbindd_can_contact_domain( domain ) ) {
728 DEBUG(10,("lookup_usergroups_memberof: No incoming trust for "
729 "domain %s\n", domain->name));
730 return NT_STATUS_OK;
731 }
732
733 ads = ads_cached_connection(domain);
734
735 if (!ads) {
736 domain->last_status = NT_STATUS_SERVER_DISABLED;
737 return NT_STATUS_UNSUCCESSFUL;
738 }
739
740 rc = ads_search_retry_extended_dn_ranged(ads, mem_ctx, user_dn, attrs,
741 ADS_EXTENDED_DN_HEX_STRING,
742 &strings, &num_strings);
743
744 if (!ADS_ERR_OK(rc)) {
745 DEBUG(1,("lookup_usergroups_memberof ads_search "
746 "member=%s: %s\n", user_dn, ads_errstr(rc)));
747 return ads_ntstatus(rc);
748 }
749
750 *user_sids = NULL;
751 num_groups = 0;
752
753 /* always add the primary group to the sid array */
754 status = add_sid_to_array(mem_ctx, primary_group, user_sids,
755 &num_groups);
756 if (!NT_STATUS_IS_OK(status)) {
757 goto done;
758 }
759
760 group_sids = talloc_zero_array(mem_ctx, struct dom_sid, num_strings + 1);
761 if (!group_sids) {
762 status = NT_STATUS_NO_MEMORY;
763 goto done;
764 }
765
766 for (i=0; i<num_strings; i++) {
767 rc = ads_get_sid_from_extended_dn(mem_ctx, strings[i],
768 ADS_EXTENDED_DN_HEX_STRING,
769 &(group_sids)[i]);
770 if (!ADS_ERR_OK(rc)) {
771 /* ignore members without SIDs */
772 if (NT_STATUS_EQUAL(ads_ntstatus(rc),
773 NT_STATUS_NOT_FOUND)) {
774 continue;
775 }
776 else {
777 status = ads_ntstatus(rc);
778 goto done;
779 }
780 }
781 num_sids++;
782 }
783
784 if (i == 0) {
785 DEBUG(1,("No memberOf for this user?!?\n"));
786 status = NT_STATUS_NO_MEMORY;
787 goto done;
788 }
789
790 for (i=0; i<num_sids; i++) {
791
792 /* ignore Builtin groups from ADS - Guenther */
793 if (sid_check_is_in_builtin(&group_sids[i])) {
794 continue;
795 }
796
797 status = add_sid_to_array(mem_ctx, &group_sids[i], user_sids,
798 &num_groups);
799 if (!NT_STATUS_IS_OK(status)) {
800 goto done;
801 }
802
803 }
804
805 *p_num_groups = num_groups;
806 status = (*user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
807
808 DEBUG(3,("ads lookup_usergroups (memberof) succeeded for dn=%s\n",
809 user_dn));
810
811 done:
812 TALLOC_FREE(strings);
813 TALLOC_FREE(group_sids);
814
815 return status;
816 }
817
818
819 /* Lookup groups a user is a member of. */
820 static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
821 TALLOC_CTX *mem_ctx,
822 const struct dom_sid *sid,
823 uint32_t *p_num_groups, struct dom_sid **user_sids)
824 {
825 ADS_STRUCT *ads = NULL;
826 const char *attrs[] = {"tokenGroups", "primaryGroupID", NULL};
827 ADS_STATUS rc;
828 int count;
829 LDAPMessage *msg = NULL;
830 char *user_dn = NULL;
831 struct dom_sid *sids;
832 int i;
833 struct dom_sid primary_group;
834 uint32_t primary_group_rid;
835 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
836 uint32_t num_groups = 0;
837
838 DEBUG(3,("ads: lookup_usergroups\n"));
839 *p_num_groups = 0;
840
841 status = lookup_usergroups_cached(mem_ctx, sid,
842 p_num_groups, user_sids);
843 if (NT_STATUS_IS_OK(status)) {
844 return NT_STATUS_OK;
845 }
846
847 if ( !winbindd_can_contact_domain( domain ) ) {
848 DEBUG(10,("lookup_usergroups: No incoming trust for domain %s\n",
849 domain->name));
850
851 /* Tell the cache manager not to remember this one */
852
853 return NT_STATUS_SYNCHRONIZATION_REQUIRED;
854 }
855
856 ads = ads_cached_connection(domain);
857
858 if (!ads) {
859 domain->last_status = NT_STATUS_SERVER_DISABLED;
860 status = NT_STATUS_SERVER_DISABLED;
861 goto done;
862 }
863
864 rc = ads_search_retry_sid(ads, &msg, sid, attrs);
865
866 if (!ADS_ERR_OK(rc)) {
867 status = ads_ntstatus(rc);
868 DEBUG(1, ("lookup_usergroups(sid=%s) ads_search tokenGroups: "
869 "%s\n", sid_string_dbg(sid), ads_errstr(rc)));
870 goto done;
871 }
872
873 count = ads_count_replies(ads, msg);
874 if (count != 1) {
875 status = NT_STATUS_UNSUCCESSFUL;
876 DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: "
877 "invalid number of results (count=%d)\n",
878 sid_string_dbg(sid), count));
879 goto done;
880 }
881
882 if (!msg) {
883 DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: NULL msg\n",
884 sid_string_dbg(sid)));
885 status = NT_STATUS_UNSUCCESSFUL;
886 goto done;
887 }
888
889 user_dn = ads_get_dn(ads, mem_ctx, msg);
890 if (user_dn == NULL) {
891 status = NT_STATUS_NO_MEMORY;
892 goto done;
893 }
894
895 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &primary_group_rid)) {
896 DEBUG(1,("%s: No primary group for sid=%s !?\n",
897 domain->name, sid_string_dbg(sid)));
898 goto done;
899 }
900
901 sid_compose(&primary_group, &domain->sid, primary_group_rid);
902
903 count = ads_pull_sids(ads, mem_ctx, msg, "tokenGroups", &sids);
904
905 /* there must always be at least one group in the token,
906 unless we are talking to a buggy Win2k server */
907
908 /* actually this only happens when the machine account has no read
909 * permissions on the tokenGroup attribute - gd */
910
911 if (count == 0) {
912
913 /* no tokenGroups */
914
915 /* lookup what groups this user is a member of by DN search on
916 * "memberOf" */
917
918 status = lookup_usergroups_memberof(domain, mem_ctx, user_dn,
919 &primary_group,
920 &num_groups, user_sids);
921 *p_num_groups = num_groups;
922 if (NT_STATUS_IS_OK(status)) {
923 goto done;
924 }
925
926 /* lookup what groups this user is a member of by DN search on
927 * "member" */
928
929 status = lookup_usergroups_member(domain, mem_ctx, user_dn,
930 &primary_group,
931 &num_groups, user_sids);
932 *p_num_groups = num_groups;
933 goto done;
934 }
935
936 *user_sids = NULL;
937 num_groups = 0;
938
939 status = add_sid_to_array(mem_ctx, &primary_group, user_sids,
940 &num_groups);
941 if (!NT_STATUS_IS_OK(status)) {
942 goto done;
943 }
944
945 for (i=0;i<count;i++) {
946
947 /* ignore Builtin groups from ADS - Guenther */
948 if (sid_check_is_in_builtin(&sids[i])) {
949 continue;
950 }
951
952 status = add_sid_to_array_unique(mem_ctx, &sids[i],
953 user_sids, &num_groups);
954 if (!NT_STATUS_IS_OK(status)) {
955 goto done;
956 }
957 }
958
959 *p_num_groups = (uint32_t)num_groups;
960 status = (*user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
961
962 DEBUG(3,("ads lookup_usergroups (tokenGroups) succeeded for sid=%s\n",
963 sid_string_dbg(sid)));
964 done:
965 TALLOC_FREE(user_dn);
966 ads_msgfree(ads, msg);
967 return status;
968 }
969
970 /* Lookup aliases a user is member of - use rpc methods */
971 static NTSTATUS lookup_useraliases(struct winbindd_domain *domain,
972 TALLOC_CTX *mem_ctx,
973 uint32_t num_sids, const struct dom_sid *sids,
974 uint32_t *num_aliases, uint32_t **alias_rids)
975 {
976 return msrpc_methods.lookup_useraliases(domain, mem_ctx, num_sids, sids,
977 num_aliases, alias_rids);
978 }
979
980 static NTSTATUS add_primary_group_members(
981 ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, uint32_t rid,
982 char ***all_members, size_t *num_all_members)
983 {
984 char *filter;
985 NTSTATUS status = NT_STATUS_NO_MEMORY;
986 ADS_STATUS rc;
987 const char *attrs[] = { "dn", NULL };
988 LDAPMessage *res = NULL;
989 LDAPMessage *msg;
990 char **members;
991 size_t num_members;
992 ads_control args;
993
994 filter = talloc_asprintf(
995 mem_ctx, "(&(objectCategory=user)(primaryGroupID=%u))",
996 (unsigned)rid);
997 if (filter == NULL) {
998 goto done;
999 }
1000
1001 args.control = ADS_EXTENDED_DN_OID;
1002 args.val = ADS_EXTENDED_DN_HEX_STRING;
1003 args.critical = True;
1004
1005 rc = ads_do_search_all_args(ads, ads->config.bind_path,
1006 LDAP_SCOPE_SUBTREE, filter, attrs, &args,
1007 &res);
1008
1009 if (!ADS_ERR_OK(rc)) {
1010 status = ads_ntstatus(rc);
1011 DEBUG(1,("%s: ads_search: %s\n", __func__, ads_errstr(rc)));
1012 goto done;
1013 }
1014 if (res == NULL) {
1015 DEBUG(1,("%s: ads_search returned NULL res\n", __func__));
1016 goto done;
1017 }
1018
1019 num_members = ads_count_replies(ads, res);
1020
1021 DEBUG(10, ("%s: Got %ju primary group members\n", __func__,
1022 (uintmax_t)num_members));
1023
1024 if (num_members == 0) {
1025 status = NT_STATUS_OK;
1026 goto done;
1027 }
1028
1029 members = talloc_realloc(mem_ctx, *all_members, char *,
1030 *num_all_members + num_members);
1031 if (members == NULL) {
1032 DEBUG(1, ("%s: talloc_realloc failed\n", __func__));
1033 goto done;
1034 }
1035 *all_members = members;
1036
1037 for (msg = ads_first_entry(ads, res); msg != NULL;
1038 msg = ads_next_entry(ads, msg)) {
1039 char *dn;
1040
1041 dn = ads_get_dn(ads, members, msg);
1042 if (dn == NULL) {
1043 DEBUG(1, ("%s: ads_get_dn failed\n", __func__));
1044 continue;
1045 }
1046
1047 members[*num_all_members] = dn;
1048 *num_all_members += 1;
1049 }
1050
1051 status = NT_STATUS_OK;
1052 done:
1053 if (res != NULL) {
1054 ads_msgfree(ads, res);
1055 }
1056 TALLOC_FREE(filter);
1057 return status;
1058 }
1059
1060 /*
1061 find the members of a group, given a group rid and domain
1062 */
1063 static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
1064 TALLOC_CTX *mem_ctx,
1065 const struct dom_sid *group_sid,
1066 enum lsa_SidType type,
1067 uint32_t *num_names,
1068 struct dom_sid **sid_mem, char ***names,
1069 uint32_t **name_types)
1070 {
1071 ADS_STATUS rc;
1072 ADS_STRUCT *ads = NULL;
1073 char *ldap_exp;
1074 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
1075 char *sidbinstr;
1076 char **members = NULL;
1077 int i;
1078 size_t num_members = 0;
1079 ads_control args;
1080 struct dom_sid *sid_mem_nocache = NULL;
1081 char **names_nocache = NULL;
1082 enum lsa_SidType *name_types_nocache = NULL;
1083 char **domains_nocache = NULL; /* only needed for rpccli_lsa_lookup_sids */
1084 uint32_t num_nocache = 0;
1085 TALLOC_CTX *tmp_ctx = NULL;
1086 uint32_t rid;
1087
1088 DEBUG(10,("ads: lookup_groupmem %s sid=%s\n", domain->name,
1089 sid_string_dbg(group_sid)));
1090
1091 *num_names = 0;
1092
1093 tmp_ctx = talloc_new(mem_ctx);
1094 if (!tmp_ctx) {
1095 DEBUG(1, ("ads: lookup_groupmem: talloc failed\n"));
1096 status = NT_STATUS_NO_MEMORY;
1097 goto done;
1098 }
1099
1100 if (!sid_peek_rid(group_sid, &rid)) {
1101 DEBUG(1, ("%s: sid_peek_rid failed\n", __func__));
1102 status = NT_STATUS_INVALID_PARAMETER;
1103 goto done;
1104 }
1105
1106 if ( !winbindd_can_contact_domain( domain ) ) {
1107 DEBUG(10,("lookup_groupmem: No incoming trust for domain %s\n",
1108 domain->name));
1109 return NT_STATUS_OK;
1110 }
1111
1112 ads = ads_cached_connection(domain);
1113
1114 if (!ads) {
1115 domain->last_status = NT_STATUS_SERVER_DISABLED;
1116 goto done;
1117 }
1118
1119 if ((sidbinstr = ldap_encode_ndr_dom_sid(talloc_tos(), group_sid)) == NULL) {
1120 status = NT_STATUS_NO_MEMORY;
1121 goto done;
1122 }
1123
1124 /* search for all members of the group */
1125 ldap_exp = talloc_asprintf(tmp_ctx, "(objectSid=%s)", sidbinstr);
1126 TALLOC_FREE(sidbinstr);
1127 if (ldap_exp == NULL) {
1128 DEBUG(1, ("ads: lookup_groupmem: talloc_asprintf for ldap_exp failed!\n"));
1129 status = NT_STATUS_NO_MEMORY;
1130 goto done;
1131 }
1132
1133 args.control = ADS_EXTENDED_DN_OID;
1134 args.val = ADS_EXTENDED_DN_HEX_STRING;
1135 args.critical = True;
1136
1137 rc = ads_ranged_search(ads, tmp_ctx, LDAP_SCOPE_SUBTREE, ads->config.bind_path,
1138 ldap_exp, &args, "member", &members, &num_members);
1139
1140 if (!ADS_ERR_OK(rc)) {
1141 DEBUG(0,("ads_ranged_search failed with: %s\n", ads_errstr(rc)));
1142 status = NT_STATUS_UNSUCCESSFUL;
1143 goto done;
1144 }
1145
1146 DEBUG(10, ("ads lookup_groupmem: got %d sids via extended dn call\n", (int)num_members));
1147
1148 status = add_primary_group_members(ads, mem_ctx, rid,
1149 &members, &num_members);
1150 if (!NT_STATUS_IS_OK(status)) {
1151 DEBUG(10, ("%s: add_primary_group_members failed: %s\n",
1152 __func__, nt_errstr(status)));
1153 goto done;
1154 }
1155
1156 DEBUG(10, ("%s: Got %d sids after adding primary group members\n",
1157 __func__, (int)num_members));
1158
1159 /* Now that we have a list of sids, we need to get the
1160 * lists of names and name_types belonging to these sids.
1161 * even though conceptually not quite clean, we use the
1162 * RPC call lsa_lookup_sids for this since it can handle a
1163 * list of sids. ldap calls can just resolve one sid at a time.
1164 *
1165 * At this stage, the sids are still hidden in the exetended dn
1166 * member output format. We actually do a little better than
1167 * stated above: In extracting the sids from the member strings,
1168 * we try to resolve as many sids as possible from the
1169 * cache. Only the rest is passed to the lsa_lookup_sids call. */
1170
1171 if (num_members) {
1172 (*sid_mem) = talloc_zero_array(mem_ctx, struct dom_sid, num_members);
1173 (*names) = talloc_zero_array(mem_ctx, char *, num_members);
1174 (*name_types) = talloc_zero_array(mem_ctx, uint32_t, num_members);
1175 (sid_mem_nocache) = talloc_zero_array(tmp_ctx, struct dom_sid, num_members);
1176
1177 if ((members == NULL) || (*sid_mem == NULL) ||
1178 (*names == NULL) || (*name_types == NULL) ||
1179 (sid_mem_nocache == NULL))
1180 {
1181 DEBUG(1, ("ads: lookup_groupmem: talloc failed\n"));
1182 status = NT_STATUS_NO_MEMORY;
1183 goto done;
1184 }
1185 }
1186 else {
1187 (*sid_mem) = NULL;
1188 (*names) = NULL;
1189 (*name_types) = NULL;
1190 }
1191
1192 for (i=0; i<num_members; i++) {
1193 enum lsa_SidType name_type;
1194 char *name, *domain_name;
1195 struct dom_sid sid;
1196
1197 rc = ads_get_sid_from_extended_dn(tmp_ctx, members[i], args.val,
1198 &sid);
1199 if (!ADS_ERR_OK(rc)) {
1200 if (NT_STATUS_EQUAL(ads_ntstatus(rc),
1201 NT_STATUS_NOT_FOUND)) {
1202 /* Group members can be objects, like Exchange
1203 * Public Folders, that don't have a SID. Skip
1204 * them. */
1205 continue;
1206 }
1207 else {
1208 status = ads_ntstatus(rc);
1209 goto done;
1210 }
1211 }
1212 if (lookup_cached_sid(mem_ctx, &sid, &domain_name, &name,
1213 &name_type)) {
1214 DEBUG(10,("ads: lookup_groupmem: got sid %s from "
1215 "cache\n", sid_string_dbg(&sid)));
1216 sid_copy(&(*sid_mem)[*num_names], &sid);
1217 (*names)[*num_names] = fill_domain_username_talloc(
1218 *names,
1219 domain_name,
1220 name,
1221 true);
1222
1223 (*name_types)[*num_names] = name_type;
1224 (*num_names)++;
1225 }
1226 else {
1227 DEBUG(10, ("ads: lookup_groupmem: sid %s not found in "
1228 "cache\n", sid_string_dbg(&sid)));
1229 sid_copy(&(sid_mem_nocache)[num_nocache], &sid);
1230 num_nocache++;
1231 }
1232 }
1233
1234 DEBUG(10, ("ads: lookup_groupmem: %d sids found in cache, "
1235 "%d left for lsa_lookupsids\n", *num_names, num_nocache));
1236
1237 /* handle sids not resolved from cache by lsa_lookup_sids */
1238 if (num_nocache > 0) {
1239
1240 status = winbindd_lookup_sids(tmp_ctx,
1241 domain,
1242 num_nocache,
1243 sid_mem_nocache,
1244 &domains_nocache,
1245 &names_nocache,
1246 &name_types_nocache);
1247
1248 if (!(NT_STATUS_IS_OK(status) ||
1249 NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED) ||
1250 NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)))
1251 {
1252 DEBUG(1, ("lsa_lookupsids call failed with %s "
1253 "- retrying...\n", nt_errstr(status)));
1254
1255 status = winbindd_lookup_sids(tmp_ctx,
1256 domain,
1257 num_nocache,
1258 sid_mem_nocache,
1259 &domains_nocache,
1260 &names_nocache,
1261 &name_types_nocache);
1262 }
1263
1264 if (NT_STATUS_IS_OK(status) ||
1265 NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED))
1266 {
1267 /* Copy the entries over from the "_nocache" arrays
1268 * to the result arrays, skipping the gaps the
1269 * lookup_sids call left. */
1270 for (i=0; i < num_nocache; i++) {
1271 if (((names_nocache)[i] != NULL) &&
1272 ((name_types_nocache)[i] != SID_NAME_UNKNOWN))
1273 {
1274 sid_copy(&(*sid_mem)[*num_names],
1275 &sid_mem_nocache[i]);
1276 (*names)[*num_names] =
1277 fill_domain_username_talloc(
1278 *names,
1279 domains_nocache[i],
1280 names_nocache[i],
1281 true);
1282 (*name_types)[*num_names] = name_types_nocache[i];
1283 (*num_names)++;
1284 }
1285 }
1286 }
1287 else if (NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)) {
1288 DEBUG(10, ("lookup_groupmem: lsa_lookup_sids could "
1289 "not map any SIDs at all.\n"));
1290 /* Don't handle this as an error here.
1291 * There is nothing left to do with respect to the
1292 * overall result... */
1293 }
1294 else if (!NT_STATUS_IS_OK(status)) {
1295 DEBUG(10, ("lookup_groupmem: Error looking up %d "
1296 "sids via rpc_lsa_lookup_sids: %s\n",
1297 (int)num_members, nt_errstr(status)));
1298 goto done;
1299 }
1300 }
1301
1302 status = NT_STATUS_OK;
1303 DEBUG(3,("ads lookup_groupmem for sid=%s succeeded\n",
1304 sid_string_dbg(group_sid)));
1305
1306 done:
1307
1308 TALLOC_FREE(tmp_ctx);
1309
1310 return status;
1311 }
1312
1313 /* find the sequence number for a domain */
1314 static NTSTATUS sequence_number(struct winbindd_domain *domain, uint32_t *seq)
1315 {
1316 ADS_STRUCT *ads = NULL;
1317 ADS_STATUS rc;
1318
1319 DEBUG(3,("ads: fetch sequence_number for %s\n", domain->name));
1320
1321 if ( !winbindd_can_contact_domain( domain ) ) {
1322 DEBUG(10,("sequence: No incoming trust for domain %s\n",
1323 domain->name));
1324 *seq = time(NULL);
1325 return NT_STATUS_OK;
1326 }
1327
1328 if (IS_AD_DC) {
1329 DEBUG(10,("sequence: Avoid LDAP connection for domain %s\n",
1330 domain->name));
1331 *seq = time(NULL);
1332 return NT_STATUS_OK;
1333 }
1334
1335 *seq = DOM_SEQUENCE_NONE;
1336
1337 ads = ads_cached_connection(domain);
1338
1339 if (!ads) {
1340 domain->last_status = NT_STATUS_SERVER_DISABLED;
1341 return NT_STATUS_UNSUCCESSFUL;
1342 }
1343
1344 rc = ads_USN(ads, seq);
1345
1346 if (!ADS_ERR_OK(rc)) {
1347
1348 /* its a dead connection, destroy it */
1349
1350 if (domain->private_data) {
1351 ads = (ADS_STRUCT *)domain->private_data;
1352 ads->is_mine = True;
1353 ads_destroy(&ads);
1354 ads_kdestroy(WINBIND_CCACHE_NAME);
1355 domain->private_data = NULL;
1356 }
1357 }
1358 return ads_ntstatus(rc);
1359 }
1360
1361 /* find the lockout policy of a domain - use rpc methods */
1362 static NTSTATUS lockout_policy(struct winbindd_domain *domain,
1363 TALLOC_CTX *mem_ctx,
1364 struct samr_DomInfo12 *policy)
1365 {
1366 return msrpc_methods.lockout_policy(domain, mem_ctx, policy);
1367 }
1368
1369 /* find the password policy of a domain - use rpc methods */
1370 static NTSTATUS password_policy(struct winbindd_domain *domain,
1371 TALLOC_CTX *mem_ctx,
1372 struct samr_DomInfo1 *policy)
1373 {
1374 return msrpc_methods.password_policy(domain, mem_ctx, policy);
1375 }
1376
1377 /* get a list of trusted domains */
1378 static NTSTATUS trusted_domains(struct winbindd_domain *domain,
1379 TALLOC_CTX *mem_ctx,
1380 struct netr_DomainTrustList *trusts)
1381 {
1382 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1383 WERROR werr;
1384 int i;
1385 uint32_t flags;
1386 struct rpc_pipe_client *cli;
1387 int ret_count;
1388 struct dcerpc_binding_handle *b;
1389
1390 DEBUG(3,("ads: trusted_domains\n"));
1391
1392 ZERO_STRUCTP(trusts);
1393
1394 /* If this is our primary domain or a root in our forest,
1395 query for all trusts. If not, then just look for domain
1396 trusts in the target forest */
1397
1398 if (domain->primary || domain_is_forest_root(domain)) {
1399 flags = NETR_TRUST_FLAG_OUTBOUND |
1400 NETR_TRUST_FLAG_INBOUND |
1401 NETR_TRUST_FLAG_IN_FOREST;
1402 } else {
1403 flags = NETR_TRUST_FLAG_IN_FOREST;
1404 }
1405
1406 result = cm_connect_netlogon(domain, &cli);
1407
1408 if (!NT_STATUS_IS_OK(result)) {
1409 DEBUG(5, ("trusted_domains: Could not open a connection to %s "
1410 "for PIPE_NETLOGON (%s)\n",
1411 domain->name, nt_errstr(result)));
1412 return NT_STATUS_UNSUCCESSFUL;
1413 }
1414
1415 b = cli->binding_handle;
1416
1417 result = dcerpc_netr_DsrEnumerateDomainTrusts(b, mem_ctx,
1418 cli->desthost,
1419 flags,
1420 trusts,
1421 &werr);
1422 if (!NT_STATUS_IS_OK(result)) {
1423 return result;
1424 }
1425
1426 if (!W_ERROR_IS_OK(werr)) {
1427 return werror_to_ntstatus(werr);
1428 }
1429 if (trusts->count == 0) {
1430 return NT_STATUS_OK;
1431 }
1432
1433 /* Copy across names and sids */
1434
1435 ret_count = 0;
1436 for (i = 0; i < trusts->count; i++) {
1437 struct netr_DomainTrust *trust = &trusts->array[i];
1438 struct winbindd_domain d;
1439
1440 ZERO_STRUCT(d);
1441
1442 /*
1443 * drop external trusts if this is not our primary
1444 * domain. This means that the returned number of
1445 * domains may be less that the ones actually trusted
1446 * by the DC.
1447 */
1448
1449 if ((trust->trust_attributes
1450 == LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) &&
1451 !domain->primary )
1452 {
1453 DEBUG(10,("trusted_domains: Skipping external trusted "
1454 "domain %s because it is outside of our "
1455 "primary domain\n",
1456 trust->netbios_name));
1457 continue;
1458 }
1459
1460 /* add to the trusted domain cache */
1461
1462 d.name = discard_const_p(char, trust->netbios_name);
1463 d.alt_name = discard_const_p(char, trust->dns_name);
1464
1465 if (trust->sid) {
1466 sid_copy(&d.sid, trust->sid);
1467 } else {
1468 sid_copy(&d.sid, &global_sid_NULL);
1469 }
1470
1471 if ( domain->primary ) {
1472 DEBUG(10,("trusted_domains(ads): Searching "
1473 "trusted domain list of %s and storing "
1474 "trust flags for domain %s\n",
1475 domain->name, d.alt_name));
1476
1477 d.domain_flags = trust->trust_flags;
1478 d.domain_type = trust->trust_type;
1479 d.domain_trust_attribs = trust->trust_attributes;
1480
1481 wcache_tdc_add_domain( &d );
1482 ret_count++;
1483 } else if (domain_is_forest_root(domain)) {
1484 /* Check if we already have this record. If
1485 * we are following our forest root that is not
1486 * our primary domain, we want to keep trust
1487 * flags from the perspective of our primary
1488 * domain not our forest root. */
1489 struct winbindd_tdc_domain *exist = NULL;
1490
1491 exist = wcache_tdc_fetch_domain(
1492 talloc_tos(), trust->netbios_name);
1493 if (!exist) {
1494 DEBUG(10,("trusted_domains(ads): Searching "
1495 "trusted domain list of %s and "
1496 "storing trust flags for domain "
1497 "%s\n", domain->name, d.alt_name));
1498 d.domain_flags = trust->trust_flags;
1499 d.domain_type = trust->trust_type;
1500 d.domain_trust_attribs =
1501 trust->trust_attributes;
1502
1503 wcache_tdc_add_domain( &d );
1504 ret_count++;
1505 }
1506 TALLOC_FREE(exist);
1507 } else {
1508 /* This gets a little tricky. If we are
1509 following a transitive forest trust, then
1510 innerit the flags, type, and attribs from
1511 the domain we queried to make sure we don't
1512 record the view of the trust from the wrong
1513 side. Always view it from the side of our
1514 primary domain. --jerry */
1515 struct winbindd_tdc_domain *parent = NULL;
1516
1517 DEBUG(10,("trusted_domains(ads): Searching "
1518 "trusted domain list of %s and inheriting "
1519 "trust flags for domain %s\n",
1520 domain->name, d.alt_name));
1521
1522 parent = wcache_tdc_fetch_domain(talloc_tos(),
1523 domain->name);
1524 if (parent) {
1525 d.domain_flags = parent->trust_flags;
1526 d.domain_type = parent->trust_type;
1527 d.domain_trust_attribs = parent->trust_attribs;
1528 } else {
1529 d.domain_flags = domain->domain_flags;
1530 d.domain_type = domain->domain_type;
1531 d.domain_trust_attribs =
1532 domain->domain_trust_attribs;
1533 }
1534 TALLOC_FREE(parent);
1535
1536 /*
1537 * We need to pass the modified properties
1538 * to the caller.
1539 */
1540 trust->trust_flags = d.domain_flags;
1541 trust->trust_type = d.domain_type;
1542 trust->trust_attributes = d.domain_trust_attribs;
1543
1544 wcache_tdc_add_domain( &d );
1545 ret_count++;
1546 }
1547 }
1548 return result;
1549 }
1550
1551 /* the ADS backend methods are exposed via this structure */
1552 struct winbindd_methods ads_methods = {
1553 True,
1554 query_user_list,
1555 enum_dom_groups,
1556 enum_local_groups,
1557 name_to_sid,
1558 sid_to_name,
1559 rids_to_names,
1560 lookup_usergroups,
1561 lookup_useraliases,
1562 lookup_groupmem,
1563 sequence_number,
1564 lockout_policy,
1565 password_policy,
1566 trusted_domains,
1567 };
1568
1569 #endif
Samba GIT mirror