2 Unix SMB/CIFS implementation.
4 Winbind ADS backend functions
6 Copyright (C) Andrew Tridgell 2001
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003
8 Copyright (C) Gerald (Jerry) Carter 2004
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
26 #include "winbindd_ads.h"
27 #include "rpc_client/rpc_client.h"
28 #include "../librpc/gen_ndr/ndr_netlogon_c.h"
29 #include "../libds/common/flags.h"
31 #include "../libcli/ldap/ldap_ndr.h"
32 #include "../libcli/security/security.h"
33 #include "../libds/common/flag_mapping.h"
34 #include "libsmb/samlogon_cache.h"
40 #define DBGC_CLASS DBGC_WINBIND
42 extern struct winbindd_methods reconnect_methods
;
43 extern struct winbindd_methods msrpc_methods
;
45 #define WINBIND_CCACHE_NAME "MEMORY:winbind_ccache"
48 * Check if cached connection can be reused. If the connection cannot
49 * be reused the ADS_STRUCT is freed and the pointer is set to NULL.
51 static void ads_cached_connection_reuse(ADS_STRUCT
**adsp
)
54 ADS_STRUCT
*ads
= *adsp
;
58 time_t now
= time(NULL
);
60 expire
= MIN(ads
->auth
.tgt_expire
, ads
->auth
.tgs_expire
);
62 DEBUG(7, ("Current tickets expire in %d seconds (at %d, time "
63 "is now %d)\n", (uint32_t)expire
- (uint32_t)now
,
64 (uint32_t) expire
, (uint32_t) now
));
66 if ( ads
->config
.realm
&& (expire
> now
)) {
69 /* we own this ADS_STRUCT so make sure it goes away */
70 DEBUG(7,("Deleting expired krb5 credential cache\n"));
73 ads_kdestroy(WINBIND_CCACHE_NAME
);
80 * @brief Establish a connection to a DC
82 * @param[out] adsp ADS_STRUCT that will be created
83 * @param[in] target_realm Realm of domain to connect to
84 * @param[in] target_dom_name 'workgroup' name of domain to connect to
85 * @param[in] ldap_server DNS name of server to connect to
86 * @param[in] password Our machine acount secret
87 * @param[in] auth_realm Realm of local domain for creating krb token
88 * @param[in] renewable Renewable ticket time
92 static ADS_STATUS
ads_cached_connection_connect(ADS_STRUCT
**adsp
,
93 const char *target_realm
,
94 const char *target_dom_name
,
95 const char *ldap_server
,
102 struct sockaddr_storage dc_ss
;
105 if (auth_realm
== NULL
) {
106 return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL
);
109 /* we don't want this to affect the users ccache */
110 setenv("KRB5CCNAME", WINBIND_CCACHE_NAME
, 1);
112 ads
= ads_init(target_realm
, target_dom_name
, ldap_server
);
114 DEBUG(1,("ads_init for domain %s failed\n", target_dom_name
));
115 return ADS_ERROR(LDAP_NO_MEMORY
);
118 SAFE_FREE(ads
->auth
.password
);
119 SAFE_FREE(ads
->auth
.realm
);
121 ads
->auth
.renewable
= renewable
;
122 ads
->auth
.password
= password
;
124 ads
->auth
.flags
|= ADS_AUTH_ALLOW_NTLMSSP
;
126 ads
->auth
.realm
= SMB_STRDUP(auth_realm
);
127 if (!strupper_m(ads
->auth
.realm
)) {
129 return ADS_ERROR_NT(NT_STATUS_INTERNAL_ERROR
);
132 /* Setup the server affinity cache. We don't reaally care
133 about the name. Just setup affinity and the KRB5_CONFIG
135 get_dc_name(ads
->server
.workgroup
, ads
->server
.realm
, dc_name
, &dc_ss
);
137 status
= ads_connect(ads
);
138 if (!ADS_ERR_OK(status
)) {
139 DEBUG(1,("ads_connect for domain %s failed: %s\n",
140 target_dom_name
, ads_errstr(status
)));
145 /* set the flag that says we don't own the memory even
146 though we do so that ads_destroy() won't destroy the
147 structure we pass back by reference */
149 ads
->is_mine
= False
;
156 ADS_STATUS
ads_idmap_cached_connection(ADS_STRUCT
**adsp
, const char *dom_name
)
158 char *ldap_server
, *realm
, *password
;
159 struct winbindd_domain
*wb_dom
;
164 * Make sure we never try to use LDAP against
165 * a trusted domain as AD DC.
167 return ADS_ERROR_NT(NT_STATUS_REQUEST_NOT_ACCEPTED
);
170 ads_cached_connection_reuse(adsp
);
176 * At this point we only have the NetBIOS domain name.
177 * Check if we can get server nam and realm from SAF cache
178 * and the domain list.
180 ldap_server
= saf_fetch(talloc_tos(), dom_name
);
181 DEBUG(10, ("ldap_server from saf cache: '%s'\n",
182 ldap_server
? ldap_server
: ""));
184 wb_dom
= find_domain_from_name(dom_name
);
185 if (wb_dom
== NULL
) {
186 DEBUG(10, ("could not find domain '%s'\n", dom_name
));
187 return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL
);
190 DEBUG(10, ("find_domain_from_name found realm '%s' for "
191 " domain '%s'\n", wb_dom
->alt_name
, dom_name
));
193 if (!get_trust_pw_clear(dom_name
, &password
, NULL
, NULL
)) {
194 TALLOC_FREE(ldap_server
);
195 return ADS_ERROR_NT(NT_STATUS_CANT_ACCESS_DOMAIN_INFO
);
199 SMB_ASSERT(wb_dom
->alt_name
!= NULL
);
200 realm
= SMB_STRDUP(wb_dom
->alt_name
);
202 struct winbindd_domain
*our_domain
= wb_dom
;
204 /* always give preference to the alt_name in our
205 primary domain if possible */
207 if (!wb_dom
->primary
) {
208 our_domain
= find_our_domain();
211 if (our_domain
->alt_name
!= NULL
) {
212 realm
= SMB_STRDUP(our_domain
->alt_name
);
214 realm
= SMB_STRDUP(lp_realm());
218 status
= ads_cached_connection_connect(
219 adsp
, /* Returns ads struct. */
220 wb_dom
->alt_name
, /* realm to connect to. */
221 dom_name
, /* 'workgroup' name for ads_init */
222 ldap_server
, /* DNS name to connect to. */
223 password
, /* password for auth realm. */
224 realm
, /* realm used for krb5 ticket. */
225 0); /* renewable ticket time. */
228 TALLOC_FREE(ldap_server
);
234 return our ads connections structure for a domain. We keep the connection
235 open to make things faster
237 static ADS_STRUCT
*ads_cached_connection(struct winbindd_domain
*domain
)
240 char *password
, *realm
;
244 * Make sure we never try to use LDAP against
245 * a trusted domain as AD DC.
250 DEBUG(10,("ads_cached_connection\n"));
251 ads_cached_connection_reuse((ADS_STRUCT
**)&domain
->private_data
);
253 if (domain
->private_data
) {
254 return (ADS_STRUCT
*)domain
->private_data
;
257 /* the machine acct password might have change - fetch it every time */
259 if (!get_trust_pw_clear(domain
->name
, &password
, NULL
, NULL
)) {
264 SMB_ASSERT(domain
->alt_name
!= NULL
);
265 realm
= SMB_STRDUP(domain
->alt_name
);
268 struct winbindd_domain
*our_domain
= domain
;
271 /* always give preference to the alt_name in our
272 primary domain if possible */
274 if ( !domain
->primary
)
275 our_domain
= find_our_domain();
277 if (our_domain
->alt_name
!= NULL
) {
278 realm
= SMB_STRDUP( our_domain
->alt_name
);
281 realm
= SMB_STRDUP( lp_realm() );
284 status
= ads_cached_connection_connect(
285 (ADS_STRUCT
**)&domain
->private_data
,
289 WINBINDD_PAM_AUTH_KRB5_RENEW_TIME
);
292 if (!ADS_ERR_OK(status
)) {
293 /* if we get ECONNREFUSED then it might be a NT4
294 server, fall back to MSRPC */
295 if (status
.error_type
== ENUM_ADS_ERROR_SYSTEM
&&
296 status
.err
.rc
== ECONNREFUSED
) {
297 /* 'reconnect_methods' is the MS-RPC backend. */
298 DEBUG(1,("Trying MSRPC methods\n"));
299 domain
->backend
= &reconnect_methods
;
304 return (ADS_STRUCT
*)domain
->private_data
;
307 /* Query display info for a realm. This is the basic user list fn */
308 static NTSTATUS
query_user_list(struct winbindd_domain
*domain
,
312 ADS_STRUCT
*ads
= NULL
;
313 const char *attrs
[] = { "sAMAccountType", "objectSid", NULL
};
315 uint32_t *rids
= NULL
;
317 LDAPMessage
*res
= NULL
;
318 LDAPMessage
*msg
= NULL
;
319 NTSTATUS status
= NT_STATUS_UNSUCCESSFUL
;
321 DEBUG(3,("ads: query_user_list\n"));
323 if ( !winbindd_can_contact_domain( domain
) ) {
324 DEBUG(10,("query_user_list: No incoming trust for domain %s\n",
329 ads
= ads_cached_connection(domain
);
332 domain
->last_status
= NT_STATUS_SERVER_DISABLED
;
336 rc
= ads_search_retry(ads
, &res
, "(objectCategory=user)", attrs
);
337 if (!ADS_ERR_OK(rc
)) {
338 DEBUG(1,("query_user_list ads_search: %s\n", ads_errstr(rc
)));
339 status
= ads_ntstatus(rc
);
342 DEBUG(1,("query_user_list ads_search returned NULL res\n"));
346 count
= ads_count_replies(ads
, res
);
348 DEBUG(1,("query_user_list: No users found\n"));
352 rids
= talloc_zero_array(mem_ctx
, uint32_t, count
);
354 status
= NT_STATUS_NO_MEMORY
;
360 for (msg
= ads_first_entry(ads
, res
); msg
; msg
= ads_next_entry(ads
, msg
)) {
361 struct dom_sid user_sid
;
365 ok
= ads_pull_uint32(ads
, msg
, "sAMAccountType", &atype
);
367 DBG_INFO("Object lacks sAMAccountType attribute\n");
370 if (ds_atype_map(atype
) != SID_NAME_USER
) {
371 DBG_INFO("Not a user account? atype=0x%x\n", atype
);
375 if (!ads_pull_sid(ads
, msg
, "objectSid", &user_sid
)) {
376 char *dn
= ads_get_dn(ads
, talloc_tos(), msg
);
377 DBG_INFO("No sid for %s !?\n", dn
);
382 if (!dom_sid_in_domain(&domain
->sid
, &user_sid
)) {
383 fstring sidstr
, domstr
;
384 DBG_WARNING("Got sid %s in domain %s\n",
385 sid_to_fstring(sidstr
, &user_sid
),
386 sid_to_fstring(domstr
, &domain
->sid
));
390 sid_split_rid(&user_sid
, &rids
[count
]);
394 rids
= talloc_realloc(mem_ctx
, rids
, uint32_t, count
);
399 status
= NT_STATUS_OK
;
401 DBG_NOTICE("ads query_user_list gave %d entries\n", count
);
407 /* list all domain groups */
408 static NTSTATUS
enum_dom_groups(struct winbindd_domain
*domain
,
410 uint32_t *num_entries
,
411 struct wb_acct_info
**info
)
413 ADS_STRUCT
*ads
= NULL
;
414 const char *attrs
[] = {"userPrincipalName", "sAMAccountName",
415 "name", "objectSid", NULL
};
418 LDAPMessage
*res
= NULL
;
419 LDAPMessage
*msg
= NULL
;
420 NTSTATUS status
= NT_STATUS_UNSUCCESSFUL
;
422 bool enum_dom_local_groups
= False
;
426 DEBUG(3,("ads: enum_dom_groups\n"));
428 if ( !winbindd_can_contact_domain( domain
) ) {
429 DEBUG(10,("enum_dom_groups: No incoming trust for domain %s\n",
434 /* only grab domain local groups for our domain */
435 if ( domain
->active_directory
&& strequal(lp_realm(), domain
->alt_name
) ) {
436 enum_dom_local_groups
= True
;
439 /* Workaround ADS LDAP bug present in MS W2K3 SP0 and W2K SP4 w/o
442 * According to Section 5.1(4) of RFC 2251 if a value of a type is it's
443 * default value, it MUST be absent. In case of extensible matching the
444 * "dnattr" boolean defaults to FALSE and so it must be only be present
447 * When it is set to FALSE and the OpenLDAP lib (correctly) encodes a
448 * filter using bitwise matching rule then the buggy AD fails to decode
449 * the extensible match. As a workaround set it to TRUE and thereby add
450 * the dnAttributes "dn" field to cope with those older AD versions.
451 * It should not harm and won't put any additional load on the AD since
452 * none of the dn components have a bitmask-attribute.
454 * Thanks to Ralf Haferkamp for input and testing - Guenther */
456 filter
= talloc_asprintf(mem_ctx
, "(&(objectCategory=group)(&(groupType:dn:%s:=%d)(!(groupType:dn:%s:=%d))))",
457 ADS_LDAP_MATCHING_RULE_BIT_AND
, GROUP_TYPE_SECURITY_ENABLED
,
458 ADS_LDAP_MATCHING_RULE_BIT_AND
,
459 enum_dom_local_groups
? GROUP_TYPE_BUILTIN_LOCAL_GROUP
: GROUP_TYPE_RESOURCE_GROUP
);
461 if (filter
== NULL
) {
462 status
= NT_STATUS_NO_MEMORY
;
466 ads
= ads_cached_connection(domain
);
469 domain
->last_status
= NT_STATUS_SERVER_DISABLED
;
473 rc
= ads_search_retry(ads
, &res
, filter
, attrs
);
474 if (!ADS_ERR_OK(rc
)) {
475 status
= ads_ntstatus(rc
);
476 DEBUG(1,("enum_dom_groups ads_search: %s\n", ads_errstr(rc
)));
479 DEBUG(1,("enum_dom_groups ads_search returned NULL res\n"));
483 count
= ads_count_replies(ads
, res
);
485 DEBUG(1,("enum_dom_groups: No groups found\n"));
489 (*info
) = talloc_zero_array(mem_ctx
, struct wb_acct_info
, count
);
491 status
= NT_STATUS_NO_MEMORY
;
497 for (msg
= ads_first_entry(ads
, res
); msg
; msg
= ads_next_entry(ads
, msg
)) {
502 name
= ads_pull_username(ads
, mem_ctx
, msg
);
503 gecos
= ads_pull_string(ads
, mem_ctx
, msg
, "name");
504 if (!ads_pull_sid(ads
, msg
, "objectSid", &sid
)) {
505 DEBUG(1,("No sid for %s !?\n", name
));
509 if (!sid_peek_check_rid(&domain
->sid
, &sid
, &rid
)) {
510 DEBUG(1,("No rid for %s !?\n", name
));
514 fstrcpy((*info
)[i
].acct_name
, name
);
515 fstrcpy((*info
)[i
].acct_desc
, gecos
);
516 (*info
)[i
].rid
= rid
;
522 status
= NT_STATUS_OK
;
524 DEBUG(3,("ads enum_dom_groups gave %d entries\n", (*num_entries
)));
528 ads_msgfree(ads
, res
);
533 /* list all domain local groups */
534 static NTSTATUS
enum_local_groups(struct winbindd_domain
*domain
,
536 uint32_t *num_entries
,
537 struct wb_acct_info
**info
)
540 * This is a stub function only as we returned the domain
541 * local groups in enum_dom_groups() if the domain->native field
542 * was true. This is a simple performance optimization when
545 * if we ever need to enumerate domain local groups separately,
546 * then this optimization in enum_dom_groups() will need
554 /* convert a single name to a sid in a domain - use rpc methods */
555 static NTSTATUS
name_to_sid(struct winbindd_domain
*domain
,
557 const char *domain_name
,
561 enum lsa_SidType
*type
)
563 return msrpc_methods
.name_to_sid(domain
, mem_ctx
, domain_name
, name
,
567 /* convert a domain SID to a user or group name - use rpc methods */
568 static NTSTATUS
sid_to_name(struct winbindd_domain
*domain
,
570 const struct dom_sid
*sid
,
573 enum lsa_SidType
*type
)
575 return msrpc_methods
.sid_to_name(domain
, mem_ctx
, sid
,
576 domain_name
, name
, type
);
579 /* convert a list of rids to names - use rpc methods */
580 static NTSTATUS
rids_to_names(struct winbindd_domain
*domain
,
582 const struct dom_sid
*sid
,
587 enum lsa_SidType
**types
)
589 return msrpc_methods
.rids_to_names(domain
, mem_ctx
, sid
,
591 domain_name
, names
, types
);
594 /* Lookup groups a user is a member of - alternate method, for when
595 tokenGroups are not available. */
596 static NTSTATUS
lookup_usergroups_member(struct winbindd_domain
*domain
,
599 struct dom_sid
*primary_group
,
600 uint32_t *p_num_groups
, struct dom_sid
**user_sids
)
603 NTSTATUS status
= NT_STATUS_UNSUCCESSFUL
;
605 LDAPMessage
*res
= NULL
;
606 LDAPMessage
*msg
= NULL
;
609 const char *group_attrs
[] = {"objectSid", NULL
};
611 uint32_t num_groups
= 0;
613 DEBUG(3,("ads: lookup_usergroups_member\n"));
615 if ( !winbindd_can_contact_domain( domain
) ) {
616 DEBUG(10,("lookup_usergroups_members: No incoming trust for domain %s\n",
621 ads
= ads_cached_connection(domain
);
624 domain
->last_status
= NT_STATUS_SERVER_DISABLED
;
628 if (!(escaped_dn
= escape_ldap_string(talloc_tos(), user_dn
))) {
629 status
= NT_STATUS_NO_MEMORY
;
633 ldap_exp
= talloc_asprintf(mem_ctx
,
634 "(&(member=%s)(objectCategory=group)(groupType:dn:%s:=%d))",
636 ADS_LDAP_MATCHING_RULE_BIT_AND
,
637 GROUP_TYPE_SECURITY_ENABLED
);
639 DEBUG(1,("lookup_usergroups(dn=%s) asprintf failed!\n", user_dn
));
640 TALLOC_FREE(escaped_dn
);
641 status
= NT_STATUS_NO_MEMORY
;
645 TALLOC_FREE(escaped_dn
);
647 rc
= ads_search_retry(ads
, &res
, ldap_exp
, group_attrs
);
649 if (!ADS_ERR_OK(rc
)) {
650 DEBUG(1,("lookup_usergroups ads_search member=%s: %s\n", user_dn
, ads_errstr(rc
)));
651 return ads_ntstatus(rc
);
653 DEBUG(1,("lookup_usergroups ads_search returned NULL res\n"));
654 return NT_STATUS_INTERNAL_ERROR
;
658 count
= ads_count_replies(ads
, res
);
663 /* always add the primary group to the sid array */
664 status
= add_sid_to_array(mem_ctx
, primary_group
, user_sids
,
666 if (!NT_STATUS_IS_OK(status
)) {
671 for (msg
= ads_first_entry(ads
, res
); msg
;
672 msg
= ads_next_entry(ads
, msg
)) {
673 struct dom_sid group_sid
;
675 if (!ads_pull_sid(ads
, msg
, "objectSid", &group_sid
)) {
676 DEBUG(1,("No sid for this group ?!?\n"));
680 /* ignore Builtin groups from ADS - Guenther */
681 if (sid_check_is_in_builtin(&group_sid
)) {
685 status
= add_sid_to_array(mem_ctx
, &group_sid
,
686 user_sids
, &num_groups
);
687 if (!NT_STATUS_IS_OK(status
)) {
694 *p_num_groups
= num_groups
;
695 status
= (user_sids
!= NULL
) ? NT_STATUS_OK
: NT_STATUS_NO_MEMORY
;
697 DEBUG(3,("ads lookup_usergroups (member) succeeded for dn=%s\n", user_dn
));
700 ads_msgfree(ads
, res
);
705 /* Lookup groups a user is a member of - alternate method, for when
706 tokenGroups are not available. */
707 static NTSTATUS
lookup_usergroups_memberof(struct winbindd_domain
*domain
,
710 struct dom_sid
*primary_group
,
711 uint32_t *p_num_groups
,
712 struct dom_sid
**user_sids
)
715 NTSTATUS status
= NT_STATUS_UNSUCCESSFUL
;
717 const char *attrs
[] = {"memberOf", NULL
};
718 uint32_t num_groups
= 0;
719 struct dom_sid
*group_sids
= NULL
;
721 char **strings
= NULL
;
722 size_t num_strings
= 0, num_sids
= 0;
725 DEBUG(3,("ads: lookup_usergroups_memberof\n"));
727 if ( !winbindd_can_contact_domain( domain
) ) {
728 DEBUG(10,("lookup_usergroups_memberof: No incoming trust for "
729 "domain %s\n", domain
->name
));
733 ads
= ads_cached_connection(domain
);
736 domain
->last_status
= NT_STATUS_SERVER_DISABLED
;
737 return NT_STATUS_UNSUCCESSFUL
;
740 rc
= ads_search_retry_extended_dn_ranged(ads
, mem_ctx
, user_dn
, attrs
,
741 ADS_EXTENDED_DN_HEX_STRING
,
742 &strings
, &num_strings
);
744 if (!ADS_ERR_OK(rc
)) {
745 DEBUG(1,("lookup_usergroups_memberof ads_search "
746 "member=%s: %s\n", user_dn
, ads_errstr(rc
)));
747 return ads_ntstatus(rc
);
753 /* always add the primary group to the sid array */
754 status
= add_sid_to_array(mem_ctx
, primary_group
, user_sids
,
756 if (!NT_STATUS_IS_OK(status
)) {
760 group_sids
= talloc_zero_array(mem_ctx
, struct dom_sid
, num_strings
+ 1);
762 status
= NT_STATUS_NO_MEMORY
;
766 for (i
=0; i
<num_strings
; i
++) {
767 rc
= ads_get_sid_from_extended_dn(mem_ctx
, strings
[i
],
768 ADS_EXTENDED_DN_HEX_STRING
,
770 if (!ADS_ERR_OK(rc
)) {
771 /* ignore members without SIDs */
772 if (NT_STATUS_EQUAL(ads_ntstatus(rc
),
773 NT_STATUS_NOT_FOUND
)) {
777 status
= ads_ntstatus(rc
);
785 DEBUG(1,("No memberOf for this user?!?\n"));
786 status
= NT_STATUS_NO_MEMORY
;
790 for (i
=0; i
<num_sids
; i
++) {
792 /* ignore Builtin groups from ADS - Guenther */
793 if (sid_check_is_in_builtin(&group_sids
[i
])) {
797 status
= add_sid_to_array(mem_ctx
, &group_sids
[i
], user_sids
,
799 if (!NT_STATUS_IS_OK(status
)) {
805 *p_num_groups
= num_groups
;
806 status
= (*user_sids
!= NULL
) ? NT_STATUS_OK
: NT_STATUS_NO_MEMORY
;
808 DEBUG(3,("ads lookup_usergroups (memberof) succeeded for dn=%s\n",
812 TALLOC_FREE(strings
);
813 TALLOC_FREE(group_sids
);
819 /* Lookup groups a user is a member of. */
820 static NTSTATUS
lookup_usergroups(struct winbindd_domain
*domain
,
822 const struct dom_sid
*sid
,
823 uint32_t *p_num_groups
, struct dom_sid
**user_sids
)
825 ADS_STRUCT
*ads
= NULL
;
826 const char *attrs
[] = {"tokenGroups", "primaryGroupID", NULL
};
829 LDAPMessage
*msg
= NULL
;
830 char *user_dn
= NULL
;
831 struct dom_sid
*sids
;
833 struct dom_sid primary_group
;
834 uint32_t primary_group_rid
;
835 NTSTATUS status
= NT_STATUS_UNSUCCESSFUL
;
836 uint32_t num_groups
= 0;
838 DEBUG(3,("ads: lookup_usergroups\n"));
841 status
= lookup_usergroups_cached(mem_ctx
, sid
,
842 p_num_groups
, user_sids
);
843 if (NT_STATUS_IS_OK(status
)) {
847 if ( !winbindd_can_contact_domain( domain
) ) {
848 DEBUG(10,("lookup_usergroups: No incoming trust for domain %s\n",
851 /* Tell the cache manager not to remember this one */
853 return NT_STATUS_SYNCHRONIZATION_REQUIRED
;
856 ads
= ads_cached_connection(domain
);
859 domain
->last_status
= NT_STATUS_SERVER_DISABLED
;
860 status
= NT_STATUS_SERVER_DISABLED
;
864 rc
= ads_search_retry_sid(ads
, &msg
, sid
, attrs
);
866 if (!ADS_ERR_OK(rc
)) {
867 status
= ads_ntstatus(rc
);
868 DEBUG(1, ("lookup_usergroups(sid=%s) ads_search tokenGroups: "
869 "%s\n", sid_string_dbg(sid
), ads_errstr(rc
)));
873 count
= ads_count_replies(ads
, msg
);
875 status
= NT_STATUS_UNSUCCESSFUL
;
876 DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: "
877 "invalid number of results (count=%d)\n",
878 sid_string_dbg(sid
), count
));
883 DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: NULL msg\n",
884 sid_string_dbg(sid
)));
885 status
= NT_STATUS_UNSUCCESSFUL
;
889 user_dn
= ads_get_dn(ads
, mem_ctx
, msg
);
890 if (user_dn
== NULL
) {
891 status
= NT_STATUS_NO_MEMORY
;
895 if (!ads_pull_uint32(ads
, msg
, "primaryGroupID", &primary_group_rid
)) {
896 DEBUG(1,("%s: No primary group for sid=%s !?\n",
897 domain
->name
, sid_string_dbg(sid
)));
901 sid_compose(&primary_group
, &domain
->sid
, primary_group_rid
);
903 count
= ads_pull_sids(ads
, mem_ctx
, msg
, "tokenGroups", &sids
);
905 /* there must always be at least one group in the token,
906 unless we are talking to a buggy Win2k server */
908 /* actually this only happens when the machine account has no read
909 * permissions on the tokenGroup attribute - gd */
915 /* lookup what groups this user is a member of by DN search on
918 status
= lookup_usergroups_memberof(domain
, mem_ctx
, user_dn
,
920 &num_groups
, user_sids
);
921 *p_num_groups
= num_groups
;
922 if (NT_STATUS_IS_OK(status
)) {
926 /* lookup what groups this user is a member of by DN search on
929 status
= lookup_usergroups_member(domain
, mem_ctx
, user_dn
,
931 &num_groups
, user_sids
);
932 *p_num_groups
= num_groups
;
939 status
= add_sid_to_array(mem_ctx
, &primary_group
, user_sids
,
941 if (!NT_STATUS_IS_OK(status
)) {
945 for (i
=0;i
<count
;i
++) {
947 /* ignore Builtin groups from ADS - Guenther */
948 if (sid_check_is_in_builtin(&sids
[i
])) {
952 status
= add_sid_to_array_unique(mem_ctx
, &sids
[i
],
953 user_sids
, &num_groups
);
954 if (!NT_STATUS_IS_OK(status
)) {
959 *p_num_groups
= (uint32_t)num_groups
;
960 status
= (*user_sids
!= NULL
) ? NT_STATUS_OK
: NT_STATUS_NO_MEMORY
;
962 DEBUG(3,("ads lookup_usergroups (tokenGroups) succeeded for sid=%s\n",
963 sid_string_dbg(sid
)));
965 TALLOC_FREE(user_dn
);
966 ads_msgfree(ads
, msg
);
970 /* Lookup aliases a user is member of - use rpc methods */
971 static NTSTATUS
lookup_useraliases(struct winbindd_domain
*domain
,
973 uint32_t num_sids
, const struct dom_sid
*sids
,
974 uint32_t *num_aliases
, uint32_t **alias_rids
)
976 return msrpc_methods
.lookup_useraliases(domain
, mem_ctx
, num_sids
, sids
,
977 num_aliases
, alias_rids
);
980 static NTSTATUS
add_primary_group_members(
981 ADS_STRUCT
*ads
, TALLOC_CTX
*mem_ctx
, uint32_t rid
,
982 char ***all_members
, size_t *num_all_members
)
985 NTSTATUS status
= NT_STATUS_NO_MEMORY
;
987 const char *attrs
[] = { "dn", NULL
};
988 LDAPMessage
*res
= NULL
;
994 filter
= talloc_asprintf(
995 mem_ctx
, "(&(objectCategory=user)(primaryGroupID=%u))",
997 if (filter
== NULL
) {
1001 args
.control
= ADS_EXTENDED_DN_OID
;
1002 args
.val
= ADS_EXTENDED_DN_HEX_STRING
;
1003 args
.critical
= True
;
1005 rc
= ads_do_search_all_args(ads
, ads
->config
.bind_path
,
1006 LDAP_SCOPE_SUBTREE
, filter
, attrs
, &args
,
1009 if (!ADS_ERR_OK(rc
)) {
1010 status
= ads_ntstatus(rc
);
1011 DEBUG(1,("%s: ads_search: %s\n", __func__
, ads_errstr(rc
)));
1015 DEBUG(1,("%s: ads_search returned NULL res\n", __func__
));
1019 num_members
= ads_count_replies(ads
, res
);
1021 DEBUG(10, ("%s: Got %ju primary group members\n", __func__
,
1022 (uintmax_t)num_members
));
1024 if (num_members
== 0) {
1025 status
= NT_STATUS_OK
;
1029 members
= talloc_realloc(mem_ctx
, *all_members
, char *,
1030 *num_all_members
+ num_members
);
1031 if (members
== NULL
) {
1032 DEBUG(1, ("%s: talloc_realloc failed\n", __func__
));
1035 *all_members
= members
;
1037 for (msg
= ads_first_entry(ads
, res
); msg
!= NULL
;
1038 msg
= ads_next_entry(ads
, msg
)) {
1041 dn
= ads_get_dn(ads
, members
, msg
);
1043 DEBUG(1, ("%s: ads_get_dn failed\n", __func__
));
1047 members
[*num_all_members
] = dn
;
1048 *num_all_members
+= 1;
1051 status
= NT_STATUS_OK
;
1054 ads_msgfree(ads
, res
);
1056 TALLOC_FREE(filter
);
1061 find the members of a group, given a group rid and domain
1063 static NTSTATUS
lookup_groupmem(struct winbindd_domain
*domain
,
1064 TALLOC_CTX
*mem_ctx
,
1065 const struct dom_sid
*group_sid
,
1066 enum lsa_SidType type
,
1067 uint32_t *num_names
,
1068 struct dom_sid
**sid_mem
, char ***names
,
1069 uint32_t **name_types
)
1072 ADS_STRUCT
*ads
= NULL
;
1074 NTSTATUS status
= NT_STATUS_UNSUCCESSFUL
;
1076 char **members
= NULL
;
1078 size_t num_members
= 0;
1080 struct dom_sid
*sid_mem_nocache
= NULL
;
1081 char **names_nocache
= NULL
;
1082 enum lsa_SidType
*name_types_nocache
= NULL
;
1083 char **domains_nocache
= NULL
; /* only needed for rpccli_lsa_lookup_sids */
1084 uint32_t num_nocache
= 0;
1085 TALLOC_CTX
*tmp_ctx
= NULL
;
1088 DEBUG(10,("ads: lookup_groupmem %s sid=%s\n", domain
->name
,
1089 sid_string_dbg(group_sid
)));
1093 tmp_ctx
= talloc_new(mem_ctx
);
1095 DEBUG(1, ("ads: lookup_groupmem: talloc failed\n"));
1096 status
= NT_STATUS_NO_MEMORY
;
1100 if (!sid_peek_rid(group_sid
, &rid
)) {
1101 DEBUG(1, ("%s: sid_peek_rid failed\n", __func__
));
1102 status
= NT_STATUS_INVALID_PARAMETER
;
1106 if ( !winbindd_can_contact_domain( domain
) ) {
1107 DEBUG(10,("lookup_groupmem: No incoming trust for domain %s\n",
1109 return NT_STATUS_OK
;
1112 ads
= ads_cached_connection(domain
);
1115 domain
->last_status
= NT_STATUS_SERVER_DISABLED
;
1119 if ((sidbinstr
= ldap_encode_ndr_dom_sid(talloc_tos(), group_sid
)) == NULL
) {
1120 status
= NT_STATUS_NO_MEMORY
;
1124 /* search for all members of the group */
1125 ldap_exp
= talloc_asprintf(tmp_ctx
, "(objectSid=%s)", sidbinstr
);
1126 TALLOC_FREE(sidbinstr
);
1127 if (ldap_exp
== NULL
) {
1128 DEBUG(1, ("ads: lookup_groupmem: talloc_asprintf for ldap_exp failed!\n"));
1129 status
= NT_STATUS_NO_MEMORY
;
1133 args
.control
= ADS_EXTENDED_DN_OID
;
1134 args
.val
= ADS_EXTENDED_DN_HEX_STRING
;
1135 args
.critical
= True
;
1137 rc
= ads_ranged_search(ads
, tmp_ctx
, LDAP_SCOPE_SUBTREE
, ads
->config
.bind_path
,
1138 ldap_exp
, &args
, "member", &members
, &num_members
);
1140 if (!ADS_ERR_OK(rc
)) {
1141 DEBUG(0,("ads_ranged_search failed with: %s\n", ads_errstr(rc
)));
1142 status
= NT_STATUS_UNSUCCESSFUL
;
1146 DEBUG(10, ("ads lookup_groupmem: got %d sids via extended dn call\n", (int)num_members
));
1148 status
= add_primary_group_members(ads
, mem_ctx
, rid
,
1149 &members
, &num_members
);
1150 if (!NT_STATUS_IS_OK(status
)) {
1151 DEBUG(10, ("%s: add_primary_group_members failed: %s\n",
1152 __func__
, nt_errstr(status
)));
1156 DEBUG(10, ("%s: Got %d sids after adding primary group members\n",
1157 __func__
, (int)num_members
));
1159 /* Now that we have a list of sids, we need to get the
1160 * lists of names and name_types belonging to these sids.
1161 * even though conceptually not quite clean, we use the
1162 * RPC call lsa_lookup_sids for this since it can handle a
1163 * list of sids. ldap calls can just resolve one sid at a time.
1165 * At this stage, the sids are still hidden in the exetended dn
1166 * member output format. We actually do a little better than
1167 * stated above: In extracting the sids from the member strings,
1168 * we try to resolve as many sids as possible from the
1169 * cache. Only the rest is passed to the lsa_lookup_sids call. */
1172 (*sid_mem
) = talloc_zero_array(mem_ctx
, struct dom_sid
, num_members
);
1173 (*names
) = talloc_zero_array(mem_ctx
, char *, num_members
);
1174 (*name_types
) = talloc_zero_array(mem_ctx
, uint32_t, num_members
);
1175 (sid_mem_nocache
) = talloc_zero_array(tmp_ctx
, struct dom_sid
, num_members
);
1177 if ((members
== NULL
) || (*sid_mem
== NULL
) ||
1178 (*names
== NULL
) || (*name_types
== NULL
) ||
1179 (sid_mem_nocache
== NULL
))
1181 DEBUG(1, ("ads: lookup_groupmem: talloc failed\n"));
1182 status
= NT_STATUS_NO_MEMORY
;
1189 (*name_types
) = NULL
;
1192 for (i
=0; i
<num_members
; i
++) {
1193 enum lsa_SidType name_type
;
1194 char *name
, *domain_name
;
1197 rc
= ads_get_sid_from_extended_dn(tmp_ctx
, members
[i
], args
.val
,
1199 if (!ADS_ERR_OK(rc
)) {
1200 if (NT_STATUS_EQUAL(ads_ntstatus(rc
),
1201 NT_STATUS_NOT_FOUND
)) {
1202 /* Group members can be objects, like Exchange
1203 * Public Folders, that don't have a SID. Skip
1208 status
= ads_ntstatus(rc
);
1212 if (lookup_cached_sid(mem_ctx
, &sid
, &domain_name
, &name
,
1214 DEBUG(10,("ads: lookup_groupmem: got sid %s from "
1215 "cache\n", sid_string_dbg(&sid
)));
1216 sid_copy(&(*sid_mem
)[*num_names
], &sid
);
1217 (*names
)[*num_names
] = fill_domain_username_talloc(
1223 (*name_types
)[*num_names
] = name_type
;
1227 DEBUG(10, ("ads: lookup_groupmem: sid %s not found in "
1228 "cache\n", sid_string_dbg(&sid
)));
1229 sid_copy(&(sid_mem_nocache
)[num_nocache
], &sid
);
1234 DEBUG(10, ("ads: lookup_groupmem: %d sids found in cache, "
1235 "%d left for lsa_lookupsids\n", *num_names
, num_nocache
));
1237 /* handle sids not resolved from cache by lsa_lookup_sids */
1238 if (num_nocache
> 0) {
1240 status
= winbindd_lookup_sids(tmp_ctx
,
1246 &name_types_nocache
);
1248 if (!(NT_STATUS_IS_OK(status
) ||
1249 NT_STATUS_EQUAL(status
, STATUS_SOME_UNMAPPED
) ||
1250 NT_STATUS_EQUAL(status
, NT_STATUS_NONE_MAPPED
)))
1252 DEBUG(1, ("lsa_lookupsids call failed with %s "
1253 "- retrying...\n", nt_errstr(status
)));
1255 status
= winbindd_lookup_sids(tmp_ctx
,
1261 &name_types_nocache
);
1264 if (NT_STATUS_IS_OK(status
) ||
1265 NT_STATUS_EQUAL(status
, STATUS_SOME_UNMAPPED
))
1267 /* Copy the entries over from the "_nocache" arrays
1268 * to the result arrays, skipping the gaps the
1269 * lookup_sids call left. */
1270 for (i
=0; i
< num_nocache
; i
++) {
1271 if (((names_nocache
)[i
] != NULL
) &&
1272 ((name_types_nocache
)[i
] != SID_NAME_UNKNOWN
))
1274 sid_copy(&(*sid_mem
)[*num_names
],
1275 &sid_mem_nocache
[i
]);
1276 (*names
)[*num_names
] =
1277 fill_domain_username_talloc(
1282 (*name_types
)[*num_names
] = name_types_nocache
[i
];
1287 else if (NT_STATUS_EQUAL(status
, NT_STATUS_NONE_MAPPED
)) {
1288 DEBUG(10, ("lookup_groupmem: lsa_lookup_sids could "
1289 "not map any SIDs at all.\n"));
1290 /* Don't handle this as an error here.
1291 * There is nothing left to do with respect to the
1292 * overall result... */
1294 else if (!NT_STATUS_IS_OK(status
)) {
1295 DEBUG(10, ("lookup_groupmem: Error looking up %d "
1296 "sids via rpc_lsa_lookup_sids: %s\n",
1297 (int)num_members
, nt_errstr(status
)));
1302 status
= NT_STATUS_OK
;
1303 DEBUG(3,("ads lookup_groupmem for sid=%s succeeded\n",
1304 sid_string_dbg(group_sid
)));
1308 TALLOC_FREE(tmp_ctx
);
1313 /* find the sequence number for a domain */
1314 static NTSTATUS
sequence_number(struct winbindd_domain
*domain
, uint32_t *seq
)
1316 ADS_STRUCT
*ads
= NULL
;
1319 DEBUG(3,("ads: fetch sequence_number for %s\n", domain
->name
));
1321 if ( !winbindd_can_contact_domain( domain
) ) {
1322 DEBUG(10,("sequence: No incoming trust for domain %s\n",
1325 return NT_STATUS_OK
;
1329 DEBUG(10,("sequence: Avoid LDAP connection for domain %s\n",
1332 return NT_STATUS_OK
;
1335 *seq
= DOM_SEQUENCE_NONE
;
1337 ads
= ads_cached_connection(domain
);
1340 domain
->last_status
= NT_STATUS_SERVER_DISABLED
;
1341 return NT_STATUS_UNSUCCESSFUL
;
1344 rc
= ads_USN(ads
, seq
);
1346 if (!ADS_ERR_OK(rc
)) {
1348 /* its a dead connection, destroy it */
1350 if (domain
->private_data
) {
1351 ads
= (ADS_STRUCT
*)domain
->private_data
;
1352 ads
->is_mine
= True
;
1354 ads_kdestroy(WINBIND_CCACHE_NAME
);
1355 domain
->private_data
= NULL
;
1358 return ads_ntstatus(rc
);
1361 /* find the lockout policy of a domain - use rpc methods */
1362 static NTSTATUS
lockout_policy(struct winbindd_domain
*domain
,
1363 TALLOC_CTX
*mem_ctx
,
1364 struct samr_DomInfo12
*policy
)
1366 return msrpc_methods
.lockout_policy(domain
, mem_ctx
, policy
);
1369 /* find the password policy of a domain - use rpc methods */
1370 static NTSTATUS
password_policy(struct winbindd_domain
*domain
,
1371 TALLOC_CTX
*mem_ctx
,
1372 struct samr_DomInfo1
*policy
)
1374 return msrpc_methods
.password_policy(domain
, mem_ctx
, policy
);
1377 /* get a list of trusted domains */
1378 static NTSTATUS
trusted_domains(struct winbindd_domain
*domain
,
1379 TALLOC_CTX
*mem_ctx
,
1380 struct netr_DomainTrustList
*trusts
)
1382 NTSTATUS result
= NT_STATUS_UNSUCCESSFUL
;
1386 struct rpc_pipe_client
*cli
;
1388 struct dcerpc_binding_handle
*b
;
1390 DEBUG(3,("ads: trusted_domains\n"));
1392 ZERO_STRUCTP(trusts
);
1394 /* If this is our primary domain or a root in our forest,
1395 query for all trusts. If not, then just look for domain
1396 trusts in the target forest */
1398 if (domain
->primary
|| domain_is_forest_root(domain
)) {
1399 flags
= NETR_TRUST_FLAG_OUTBOUND
|
1400 NETR_TRUST_FLAG_INBOUND
|
1401 NETR_TRUST_FLAG_IN_FOREST
;
1403 flags
= NETR_TRUST_FLAG_IN_FOREST
;
1406 result
= cm_connect_netlogon(domain
, &cli
);
1408 if (!NT_STATUS_IS_OK(result
)) {
1409 DEBUG(5, ("trusted_domains: Could not open a connection to %s "
1410 "for PIPE_NETLOGON (%s)\n",
1411 domain
->name
, nt_errstr(result
)));
1412 return NT_STATUS_UNSUCCESSFUL
;
1415 b
= cli
->binding_handle
;
1417 result
= dcerpc_netr_DsrEnumerateDomainTrusts(b
, mem_ctx
,
1422 if (!NT_STATUS_IS_OK(result
)) {
1426 if (!W_ERROR_IS_OK(werr
)) {
1427 return werror_to_ntstatus(werr
);
1429 if (trusts
->count
== 0) {
1430 return NT_STATUS_OK
;
1433 /* Copy across names and sids */
1436 for (i
= 0; i
< trusts
->count
; i
++) {
1437 struct netr_DomainTrust
*trust
= &trusts
->array
[i
];
1438 struct winbindd_domain d
;
1443 * drop external trusts if this is not our primary
1444 * domain. This means that the returned number of
1445 * domains may be less that the ones actually trusted
1449 if ((trust
->trust_attributes
1450 == LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN
) &&
1453 DEBUG(10,("trusted_domains: Skipping external trusted "
1454 "domain %s because it is outside of our "
1456 trust
->netbios_name
));
1460 /* add to the trusted domain cache */
1462 d
.name
= discard_const_p(char, trust
->netbios_name
);
1463 d
.alt_name
= discard_const_p(char, trust
->dns_name
);
1466 sid_copy(&d
.sid
, trust
->sid
);
1468 sid_copy(&d
.sid
, &global_sid_NULL
);
1471 if ( domain
->primary
) {
1472 DEBUG(10,("trusted_domains(ads): Searching "
1473 "trusted domain list of %s and storing "
1474 "trust flags for domain %s\n",
1475 domain
->name
, d
.alt_name
));
1477 d
.domain_flags
= trust
->trust_flags
;
1478 d
.domain_type
= trust
->trust_type
;
1479 d
.domain_trust_attribs
= trust
->trust_attributes
;
1481 wcache_tdc_add_domain( &d
);
1483 } else if (domain_is_forest_root(domain
)) {
1484 /* Check if we already have this record. If
1485 * we are following our forest root that is not
1486 * our primary domain, we want to keep trust
1487 * flags from the perspective of our primary
1488 * domain not our forest root. */
1489 struct winbindd_tdc_domain
*exist
= NULL
;
1491 exist
= wcache_tdc_fetch_domain(
1492 talloc_tos(), trust
->netbios_name
);
1494 DEBUG(10,("trusted_domains(ads): Searching "
1495 "trusted domain list of %s and "
1496 "storing trust flags for domain "
1497 "%s\n", domain
->name
, d
.alt_name
));
1498 d
.domain_flags
= trust
->trust_flags
;
1499 d
.domain_type
= trust
->trust_type
;
1500 d
.domain_trust_attribs
=
1501 trust
->trust_attributes
;
1503 wcache_tdc_add_domain( &d
);
1508 /* This gets a little tricky. If we are
1509 following a transitive forest trust, then
1510 innerit the flags, type, and attribs from
1511 the domain we queried to make sure we don't
1512 record the view of the trust from the wrong
1513 side. Always view it from the side of our
1514 primary domain. --jerry */
1515 struct winbindd_tdc_domain
*parent
= NULL
;
1517 DEBUG(10,("trusted_domains(ads): Searching "
1518 "trusted domain list of %s and inheriting "
1519 "trust flags for domain %s\n",
1520 domain
->name
, d
.alt_name
));
1522 parent
= wcache_tdc_fetch_domain(talloc_tos(),
1525 d
.domain_flags
= parent
->trust_flags
;
1526 d
.domain_type
= parent
->trust_type
;
1527 d
.domain_trust_attribs
= parent
->trust_attribs
;
1529 d
.domain_flags
= domain
->domain_flags
;
1530 d
.domain_type
= domain
->domain_type
;
1531 d
.domain_trust_attribs
=
1532 domain
->domain_trust_attribs
;
1534 TALLOC_FREE(parent
);
1537 * We need to pass the modified properties
1540 trust
->trust_flags
= d
.domain_flags
;
1541 trust
->trust_type
= d
.domain_type
;
1542 trust
->trust_attributes
= d
.domain_trust_attribs
;
1544 wcache_tdc_add_domain( &d
);
1551 /* the ADS backend methods are exposed via this structure */
1552 struct winbindd_methods ads_methods
= {