search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
winbindd: Avoid using deallocated memory
[Samba.git] / source3 / winbindd / winbindd_ads.c
blob4f149a757bebf75b763cc4fd0aa2feb5fb923f3d
1 /*
2 Unix SMB/CIFS implementation.
3
4 Winbind ADS backend functions
5
6 Copyright (C) Andrew Tridgell 2001
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003
8 Copyright (C) Gerald (Jerry) Carter 2004
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "winbindd.h"
26 #include "rpc_client/rpc_client.h"
27 #include "../librpc/gen_ndr/ndr_netlogon_c.h"
28 #include "../libds/common/flags.h"
29 #include "ads.h"
30 #include "../libcli/ldap/ldap_ndr.h"
31 #include "../libcli/security/security.h"
32 #include "../libds/common/flag_mapping.h"
33 #include "passdb.h"
34
35 #ifdef HAVE_ADS
36
37 #undef DBGC_CLASS
38 #define DBGC_CLASS DBGC_WINBIND
39
40 extern struct winbindd_methods reconnect_methods;
41
42 #define WINBIND_CCACHE_NAME "MEMORY:winbind_ccache"
43
44 /**
45 * Check if cached connection can be reused. If the connection cannot
46 * be reused the ADS_STRUCT is freed and the pointer is set to NULL.
47 */
48 static void ads_cached_connection_reuse(ADS_STRUCT **adsp)
49 {
50
51 ADS_STRUCT *ads = *adsp;
52
53 if (ads != NULL) {
54 time_t expire;
55 time_t now = time(NULL);
56
57 expire = MIN(ads->auth.tgt_expire, ads->auth.tgs_expire);
58
59 DEBUG(7, ("Current tickets expire in %d seconds (at %d, time "
60 "is now %d)\n", (uint32)expire - (uint32)now,
61 (uint32) expire, (uint32) now));
62
63 if ( ads->config.realm && (expire > now)) {
64 return;
65 } else {
66 /* we own this ADS_STRUCT so make sure it goes away */
67 DEBUG(7,("Deleting expired krb5 credential cache\n"));
68 ads->is_mine = True;
69 ads_destroy( &ads );
70 ads_kdestroy(WINBIND_CCACHE_NAME);
71 *adsp = NULL;
72 }
73 }
74 }
75
76 static ADS_STATUS ads_cached_connection_connect(ADS_STRUCT **adsp,
77 const char *dom_name_alt,
78 const char *dom_name,
79 const char *ldap_server,
80 char *password,
81 char *realm,
82 time_t renewable)
83 {
84 ADS_STRUCT *ads;
85 ADS_STATUS status;
86 struct sockaddr_storage dc_ss;
87 fstring dc_name;
88
89 if (realm == NULL) {
90 return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
91 }
92
93 /* we don't want this to affect the users ccache */
94 setenv("KRB5CCNAME", WINBIND_CCACHE_NAME, 1);
95
96 ads = ads_init(dom_name_alt, dom_name, ldap_server);
97 if (!ads) {
98 DEBUG(1,("ads_init for domain %s failed\n", dom_name));
99 return ADS_ERROR(LDAP_NO_MEMORY);
100 }
101
102 SAFE_FREE(ads->auth.password);
103 SAFE_FREE(ads->auth.realm);
104
105 ads->auth.renewable = renewable;
106 ads->auth.password = password;
107
108 ads->auth.realm = SMB_STRDUP(realm);
109 if (!strupper_m(ads->auth.realm)) {
110 ads_destroy(&ads);
111 return ADS_ERROR_NT(NT_STATUS_INTERNAL_ERROR);
112 }
113
114 /* Setup the server affinity cache. We don't reaally care
115 about the name. Just setup affinity and the KRB5_CONFIG
116 file. */
117 get_dc_name(ads->server.workgroup, ads->server.realm, dc_name, &dc_ss);
118
119 status = ads_connect(ads);
120 if (!ADS_ERR_OK(status)) {
121 DEBUG(1,("ads_connect for domain %s failed: %s\n",
122 dom_name, ads_errstr(status)));
123 ads_destroy(&ads);
124 return status;
125 }
126
127 /* set the flag that says we don't own the memory even
128 though we do so that ads_destroy() won't destroy the
129 structure we pass back by reference */
130
131 ads->is_mine = False;
132
133 *adsp = ads;
134
135 return status;
136 }
137
138 ADS_STATUS ads_idmap_cached_connection(ADS_STRUCT **adsp, const char *dom_name)
139 {
140 char *ldap_server, *realm, *password;
141 struct winbindd_domain *wb_dom;
142 ADS_STATUS status;
143
144 ads_cached_connection_reuse(adsp);
145 if (*adsp != NULL) {
146 return ADS_SUCCESS;
147 }
148
149 /*
150 * At this point we only have the NetBIOS domain name.
151 * Check if we can get server nam and realm from SAF cache
152 * and the domain list.
153 */
154 ldap_server = saf_fetch(talloc_tos(), dom_name);
155 DEBUG(10, ("ldap_server from saf cache: '%s'\n",
156 ldap_server ? ldap_server : ""));
157
158 wb_dom = find_domain_from_name(dom_name);
159 if (wb_dom == NULL) {
160 DEBUG(10, ("could not find domain '%s'\n", dom_name));
161 return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
162 }
163
164 DEBUG(10, ("find_domain_from_name found realm '%s' for "
165 " domain '%s'\n", wb_dom->alt_name, dom_name));
166
167 if (!get_trust_pw_clear(dom_name, &password, NULL, NULL)) {
168 TALLOC_FREE(ldap_server);
169 return ADS_ERROR_NT(NT_STATUS_CANT_ACCESS_DOMAIN_INFO);
170 }
171
172 if (IS_DC) {
173 realm = SMB_STRDUP(wb_dom->alt_name);
174 } else {
175 struct winbindd_domain *our_domain = wb_dom;
176
177 /* always give preference to the alt_name in our
178 primary domain if possible */
179
180 if (!wb_dom->primary) {
181 our_domain = find_our_domain();
182 }
183
184 if (our_domain->alt_name != NULL) {
185 realm = SMB_STRDUP(our_domain->alt_name);
186 } else {
187 realm = SMB_STRDUP(lp_realm());
188 }
189 }
190
191 status = ads_cached_connection_connect(adsp, realm, dom_name, ldap_server,
192 password, realm, 0);
193 SAFE_FREE(realm);
194 TALLOC_FREE(ldap_server);
195
196 return status;
197 }
198
199 /*
200 return our ads connections structure for a domain. We keep the connection
201 open to make things faster
202 */
203 static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain)
204 {
205 ADS_STATUS status;
206 char *password, *realm;
207
208 DEBUG(10,("ads_cached_connection\n"));
209 ads_cached_connection_reuse((ADS_STRUCT **)&domain->private_data);
210
211 if (domain->private_data) {
212 return (ADS_STRUCT *)domain->private_data;
213 }
214
215 /* the machine acct password might have change - fetch it every time */
216
217 if (!get_trust_pw_clear(domain->name, &password, NULL, NULL)) {
218 return NULL;
219 }
220
221 if ( IS_DC ) {
222
223 realm = SMB_STRDUP(domain->alt_name);
224 }
225 else {
226 struct winbindd_domain *our_domain = domain;
227
228
229 /* always give preference to the alt_name in our
230 primary domain if possible */
231
232 if ( !domain->primary )
233 our_domain = find_our_domain();
234
235 if (our_domain->alt_name != NULL) {
236 realm = SMB_STRDUP( our_domain->alt_name );
237 }
238 else
239 realm = SMB_STRDUP( lp_realm() );
240 }
241
242 status = ads_cached_connection_connect(
243 (ADS_STRUCT **)&domain->private_data,
244 domain->alt_name,
245 domain->name, NULL,
246 password, realm,
247 WINBINDD_PAM_AUTH_KRB5_RENEW_TIME);
248 SAFE_FREE(realm);
249
250 if (!ADS_ERR_OK(status)) {
251 /* if we get ECONNREFUSED then it might be a NT4
252 server, fall back to MSRPC */
253 if (status.error_type == ENUM_ADS_ERROR_SYSTEM &&
254 status.err.rc == ECONNREFUSED) {
255 /* 'reconnect_methods' is the MS-RPC backend. */
256 DEBUG(1,("Trying MSRPC methods\n"));
257 domain->backend = &reconnect_methods;
258 }
259 return NULL;
260 }
261
262 return (ADS_STRUCT *)domain->private_data;
263 }
264
265 /* Query display info for a realm. This is the basic user list fn */
266 static NTSTATUS query_user_list(struct winbindd_domain *domain,
267 TALLOC_CTX *mem_ctx,
268 uint32 *num_entries,
269 struct wbint_userinfo **pinfo)
270 {
271 ADS_STRUCT *ads = NULL;
272 const char *attrs[] = { "*", NULL };
273 int i, count;
274 ADS_STATUS rc;
275 LDAPMessage *res = NULL;
276 LDAPMessage *msg = NULL;
277 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
278
279 *num_entries = 0;
280
281 DEBUG(3,("ads: query_user_list\n"));
282
283 if ( !winbindd_can_contact_domain( domain ) ) {
284 DEBUG(10,("query_user_list: No incoming trust for domain %s\n",
285 domain->name));
286 return NT_STATUS_OK;
287 }
288
289 ads = ads_cached_connection(domain);
290
291 if (!ads) {
292 domain->last_status = NT_STATUS_SERVER_DISABLED;
293 goto done;
294 }
295
296 rc = ads_search_retry(ads, &res, "(objectCategory=user)", attrs);
297 if (!ADS_ERR_OK(rc)) {
298 DEBUG(1,("query_user_list ads_search: %s\n", ads_errstr(rc)));
299 status = ads_ntstatus(rc);
300 goto done;
301 } else if (!res) {
302 DEBUG(1,("query_user_list ads_search returned NULL res\n"));
303 goto done;
304 }
305
306 count = ads_count_replies(ads, res);
307 if (count == 0) {
308 DEBUG(1,("query_user_list: No users found\n"));
309 goto done;
310 }
311
312 (*pinfo) = talloc_zero_array(mem_ctx, struct wbint_userinfo, count);
313 if (!*pinfo) {
314 status = NT_STATUS_NO_MEMORY;
315 goto done;
316 }
317
318 count = 0;
319
320 for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
321 struct wbint_userinfo *info = &((*pinfo)[count]);
322 uint32 group;
323 uint32 atype;
324
325 if (!ads_pull_uint32(ads, msg, "sAMAccountType", &atype) ||
326 ds_atype_map(atype) != SID_NAME_USER) {
327 DEBUG(1,("Not a user account? atype=0x%x\n", atype));
328 continue;
329 }
330
331 info->acct_name = ads_pull_username(ads, mem_ctx, msg);
332 info->full_name = ads_pull_string(ads, mem_ctx, msg, "name");
333 info->homedir = NULL;
334 info->shell = NULL;
335 info->primary_gid = (gid_t)-1;
336
337 if (!ads_pull_sid(ads, msg, "objectSid",
338 &info->user_sid)) {
339 DEBUG(1, ("No sid for %s !?\n", info->acct_name));
340 continue;
341 }
342
343 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &group)) {
344 DEBUG(1, ("No primary group for %s !?\n",
345 info->acct_name));
346 continue;
347 }
348 sid_compose(&info->group_sid, &domain->sid, group);
349
350 count += 1;
351 }
352
353 (*num_entries) = count;
354 ads_msgfree(ads, res);
355
356 for (i=0; i<count; i++) {
357 struct wbint_userinfo *info = &((*pinfo)[i]);
358 const char *gecos = NULL;
359 gid_t primary_gid = (gid_t)-1;
360
361 status = nss_get_info_cached(domain, &info->user_sid, mem_ctx,
362 &info->homedir, &info->shell,
363 &gecos, &primary_gid);
364 if (!NT_STATUS_IS_OK(status)) {
365 /*
366 * Deliberately ignore this error, there might be more
367 * users to fill
368 */
369 continue;
370 }
371
372 if (gecos != NULL) {
373 info->full_name = gecos;
374 }
375 info->primary_gid = primary_gid;
376 }
377
378 status = NT_STATUS_OK;
379
380 DEBUG(3,("ads query_user_list gave %d entries\n", (*num_entries)));
381
382 done:
383 return status;
384 }
385
386 /* list all domain groups */
387 static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
388 TALLOC_CTX *mem_ctx,
389 uint32 *num_entries,
390 struct wb_acct_info **info)
391 {
392 ADS_STRUCT *ads = NULL;
393 const char *attrs[] = {"userPrincipalName", "sAMAccountName",
394 "name", "objectSid", NULL};
395 int i, count;
396 ADS_STATUS rc;
397 LDAPMessage *res = NULL;
398 LDAPMessage *msg = NULL;
399 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
400 const char *filter;
401 bool enum_dom_local_groups = False;
402
403 *num_entries = 0;
404
405 DEBUG(3,("ads: enum_dom_groups\n"));
406
407 if ( !winbindd_can_contact_domain( domain ) ) {
408 DEBUG(10,("enum_dom_groups: No incoming trust for domain %s\n",
409 domain->name));
410 return NT_STATUS_OK;
411 }
412
413 /* only grab domain local groups for our domain */
414 if ( domain->active_directory && strequal(lp_realm(), domain->alt_name) ) {
415 enum_dom_local_groups = True;
416 }
417
418 /* Workaround ADS LDAP bug present in MS W2K3 SP0 and W2K SP4 w/o
419 * rollup-fixes:
420 *
421 * According to Section 5.1(4) of RFC 2251 if a value of a type is it's
422 * default value, it MUST be absent. In case of extensible matching the
423 * "dnattr" boolean defaults to FALSE and so it must be only be present
424 * when set to TRUE.
425 *
426 * When it is set to FALSE and the OpenLDAP lib (correctly) encodes a
427 * filter using bitwise matching rule then the buggy AD fails to decode
428 * the extensible match. As a workaround set it to TRUE and thereby add
429 * the dnAttributes "dn" field to cope with those older AD versions.
430 * It should not harm and won't put any additional load on the AD since
431 * none of the dn components have a bitmask-attribute.
432 *
433 * Thanks to Ralf Haferkamp for input and testing - Guenther */
434
435 filter = talloc_asprintf(mem_ctx, "(&(objectCategory=group)(&(groupType:dn:%s:=%d)(!(groupType:dn:%s:=%d))))",
436 ADS_LDAP_MATCHING_RULE_BIT_AND, GROUP_TYPE_SECURITY_ENABLED,
437 ADS_LDAP_MATCHING_RULE_BIT_AND,
438 enum_dom_local_groups ? GROUP_TYPE_BUILTIN_LOCAL_GROUP : GROUP_TYPE_RESOURCE_GROUP);
439
440 if (filter == NULL) {
441 status = NT_STATUS_NO_MEMORY;
442 goto done;
443 }
444
445 ads = ads_cached_connection(domain);
446
447 if (!ads) {
448 domain->last_status = NT_STATUS_SERVER_DISABLED;
449 goto done;
450 }
451
452 rc = ads_search_retry(ads, &res, filter, attrs);
453 if (!ADS_ERR_OK(rc)) {
454 status = ads_ntstatus(rc);
455 DEBUG(1,("enum_dom_groups ads_search: %s\n", ads_errstr(rc)));
456 goto done;
457 } else if (!res) {
458 DEBUG(1,("enum_dom_groups ads_search returned NULL res\n"));
459 goto done;
460 }
461
462 count = ads_count_replies(ads, res);
463 if (count == 0) {
464 DEBUG(1,("enum_dom_groups: No groups found\n"));
465 goto done;
466 }
467
468 (*info) = talloc_zero_array(mem_ctx, struct wb_acct_info, count);
469 if (!*info) {
470 status = NT_STATUS_NO_MEMORY;
471 goto done;
472 }
473
474 i = 0;
475
476 for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
477 char *name, *gecos;
478 struct dom_sid sid;
479 uint32 rid;
480
481 name = ads_pull_username(ads, mem_ctx, msg);
482 gecos = ads_pull_string(ads, mem_ctx, msg, "name");
483 if (!ads_pull_sid(ads, msg, "objectSid", &sid)) {
484 DEBUG(1,("No sid for %s !?\n", name));
485 continue;
486 }
487
488 if (!sid_peek_check_rid(&domain->sid, &sid, &rid)) {
489 DEBUG(1,("No rid for %s !?\n", name));
490 continue;
491 }
492
493 fstrcpy((*info)[i].acct_name, name);
494 fstrcpy((*info)[i].acct_desc, gecos);
495 (*info)[i].rid = rid;
496 i++;
497 }
498
499 (*num_entries) = i;
500
501 status = NT_STATUS_OK;
502
503 DEBUG(3,("ads enum_dom_groups gave %d entries\n", (*num_entries)));
504
505 done:
506 if (res)
507 ads_msgfree(ads, res);
508
509 return status;
510 }
511
512 /* list all domain local groups */
513 static NTSTATUS enum_local_groups(struct winbindd_domain *domain,
514 TALLOC_CTX *mem_ctx,
515 uint32 *num_entries,
516 struct wb_acct_info **info)
517 {
518 /*
519 * This is a stub function only as we returned the domain
520 * local groups in enum_dom_groups() if the domain->native field
521 * was true. This is a simple performance optimization when
522 * using LDAP.
523 *
524 * if we ever need to enumerate domain local groups separately,
525 * then this optimization in enum_dom_groups() will need
526 * to be split out
527 */
528 *num_entries = 0;
529
530 return NT_STATUS_OK;
531 }
532
533 /* convert a single name to a sid in a domain - use rpc methods */
534 static NTSTATUS name_to_sid(struct winbindd_domain *domain,
535 TALLOC_CTX *mem_ctx,
536 const char *domain_name,
537 const char *name,
538 uint32_t flags,
539 struct dom_sid *sid,
540 enum lsa_SidType *type)
541 {
542 return reconnect_methods.name_to_sid(domain, mem_ctx,
543 domain_name, name, flags,
544 sid, type);
545 }
546
547 /* convert a domain SID to a user or group name - use rpc methods */
548 static NTSTATUS sid_to_name(struct winbindd_domain *domain,
549 TALLOC_CTX *mem_ctx,
550 const struct dom_sid *sid,
551 char **domain_name,
552 char **name,
553 enum lsa_SidType *type)
554 {
555 return reconnect_methods.sid_to_name(domain, mem_ctx, sid,
556 domain_name, name, type);
557 }
558
559 /* convert a list of rids to names - use rpc methods */
560 static NTSTATUS rids_to_names(struct winbindd_domain *domain,
561 TALLOC_CTX *mem_ctx,
562 const struct dom_sid *sid,
563 uint32 *rids,
564 size_t num_rids,
565 char **domain_name,
566 char ***names,
567 enum lsa_SidType **types)
568 {
569 return reconnect_methods.rids_to_names(domain, mem_ctx, sid,
570 rids, num_rids,
571 domain_name, names, types);
572 }
573
574 /* If you are looking for "dn_lookup": Yes, it used to be here!
575 * It has gone now since it was a major speed bottleneck in
576 * lookup_groupmem (its only use). It has been replaced by
577 * an rpc lookup sids call... R.I.P. */
578
579 /* Lookup user information from a rid */
580 static NTSTATUS query_user(struct winbindd_domain *domain,
581 TALLOC_CTX *mem_ctx,
582 const struct dom_sid *sid,
583 struct wbint_userinfo *info)
584 {
585 ADS_STRUCT *ads = NULL;
586 const char *attrs[] = { "*", NULL };
587 ADS_STATUS rc;
588 int count;
589 LDAPMessage *msg = NULL;
590 char *ldap_exp;
591 char *sidstr;
592 uint32 group_rid;
593 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
594 struct netr_SamInfo3 *user = NULL;
595 gid_t gid = -1;
596 int ret;
597 char *ads_name;
598
599 DEBUG(3,("ads: query_user\n"));
600
601 info->homedir = NULL;
602 info->shell = NULL;
603
604 /* try netsamlogon cache first */
605
606 if ( (user = netsamlogon_cache_get( mem_ctx, sid )) != NULL )
607 {
608 DEBUG(5,("query_user: Cache lookup succeeded for %s\n",
609 sid_string_dbg(sid)));
610
611 sid_compose(&info->user_sid, &domain->sid, user->base.rid);
612 sid_compose(&info->group_sid, &domain->sid, user->base.primary_gid);
613
614 info->acct_name = talloc_strdup(mem_ctx, user->base.account_name.string);
615 info->full_name = talloc_strdup(mem_ctx, user->base.full_name.string);
616
617 nss_get_info_cached( domain, sid, mem_ctx,
618 &info->homedir, &info->shell, &info->full_name,
619 &gid );
620 info->primary_gid = gid;
621
622 TALLOC_FREE(user);
623
624 return NT_STATUS_OK;
625 }
626
627 if ( !winbindd_can_contact_domain(domain)) {
628 DEBUG(8,("query_user: No incoming trust from domain %s\n",
629 domain->name));
630
631 /* We still need to generate some basic information
632 about the user even if we cannot contact the
633 domain. Most of this stuff we can deduce. */
634
635 sid_copy( &info->user_sid, sid );
636
637 /* Assume "Domain Users" for the primary group */
638
639 sid_compose(&info->group_sid, &domain->sid, DOMAIN_RID_USERS );
640
641 /* Try to fill in what the nss_info backend can do */
642
643 nss_get_info_cached( domain, sid, mem_ctx,
644 &info->homedir, &info->shell, &info->full_name,
645 &gid);
646 info->primary_gid = gid;
647
648 return NT_STATUS_OK;
649 }
650
651 /* no cache...do the query */
652
653 if ( (ads = ads_cached_connection(domain)) == NULL ) {
654 domain->last_status = NT_STATUS_SERVER_DISABLED;
655 return NT_STATUS_SERVER_DISABLED;
656 }
657
658 sidstr = ldap_encode_ndr_dom_sid(talloc_tos(), sid);
659
660 ret = asprintf(&ldap_exp, "(objectSid=%s)", sidstr);
661 TALLOC_FREE(sidstr);
662 if (ret == -1) {
663 return NT_STATUS_NO_MEMORY;
664 }
665 rc = ads_search_retry(ads, &msg, ldap_exp, attrs);
666 SAFE_FREE(ldap_exp);
667 if (!ADS_ERR_OK(rc)) {
668 DEBUG(1,("query_user(sid=%s) ads_search: %s\n",
669 sid_string_dbg(sid), ads_errstr(rc)));
670 return ads_ntstatus(rc);
671 } else if (!msg) {
672 DEBUG(1,("query_user(sid=%s) ads_search returned NULL res\n",
673 sid_string_dbg(sid)));
674 return NT_STATUS_INTERNAL_ERROR;
675 }
676
677 count = ads_count_replies(ads, msg);
678 if (count != 1) {
679 DEBUG(1,("query_user(sid=%s): Not found\n",
680 sid_string_dbg(sid)));
681 ads_msgfree(ads, msg);
682 return NT_STATUS_NO_SUCH_USER;
683 }
684
685 info->acct_name = ads_pull_username(ads, mem_ctx, msg);
686
687 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &group_rid)) {
688 DEBUG(1,("No primary group for %s !?\n",
689 sid_string_dbg(sid)));
690 ads_msgfree(ads, msg);
691 return NT_STATUS_NO_SUCH_USER;
692 }
693 sid_copy(&info->user_sid, sid);
694 sid_compose(&info->group_sid, &domain->sid, group_rid);
695
696 /*
697 * We have to fetch the "name" attribute before doing the
698 * nss_get_info_cached call. nss_get_info_cached might destroy
699 * the ads struct, potentially invalidating the ldap message.
700 */
701 ads_name = ads_pull_string(ads, mem_ctx, msg, "name");
702
703 ads_msgfree(ads, msg);
704 msg = NULL;
705
706 status = nss_get_info_cached( domain, sid, mem_ctx,
707 &info->homedir, &info->shell, &info->full_name,
708 &gid);
709 info->primary_gid = gid;
710 if (!NT_STATUS_IS_OK(status)) {
711 DEBUG(1, ("nss_get_info_cached failed: %s\n",
712 nt_errstr(status)));
713 return status;
714 }
715
716 if (info->full_name == NULL) {
717 info->full_name = ads_name;
718 } else {
719 TALLOC_FREE(ads_name);
720 }
721
722 status = NT_STATUS_OK;
723
724 DEBUG(3,("ads query_user gave %s\n", info->acct_name));
725 return NT_STATUS_OK;
726 }
727
728 /* Lookup groups a user is a member of - alternate method, for when
729 tokenGroups are not available. */
730 static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain,
731 TALLOC_CTX *mem_ctx,
732 const char *user_dn,
733 struct dom_sid *primary_group,
734 uint32_t *p_num_groups, struct dom_sid **user_sids)
735 {
736 ADS_STATUS rc;
737 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
738 int count;
739 LDAPMessage *res = NULL;
740 LDAPMessage *msg = NULL;
741 char *ldap_exp;
742 ADS_STRUCT *ads;
743 const char *group_attrs[] = {"objectSid", NULL};
744 char *escaped_dn;
745 uint32_t num_groups = 0;
746
747 DEBUG(3,("ads: lookup_usergroups_member\n"));
748
749 if ( !winbindd_can_contact_domain( domain ) ) {
750 DEBUG(10,("lookup_usergroups_members: No incoming trust for domain %s\n",
751 domain->name));
752 return NT_STATUS_OK;
753 }
754
755 ads = ads_cached_connection(domain);
756
757 if (!ads) {
758 domain->last_status = NT_STATUS_SERVER_DISABLED;
759 goto done;
760 }
761
762 if (!(escaped_dn = escape_ldap_string(talloc_tos(), user_dn))) {
763 status = NT_STATUS_NO_MEMORY;
764 goto done;
765 }
766
767 ldap_exp = talloc_asprintf(mem_ctx,
768 "(&(member=%s)(objectCategory=group)(groupType:dn:%s:=%d))",
769 escaped_dn,
770 ADS_LDAP_MATCHING_RULE_BIT_AND,
771 GROUP_TYPE_SECURITY_ENABLED);
772 if (!ldap_exp) {
773 DEBUG(1,("lookup_usergroups(dn=%s) asprintf failed!\n", user_dn));
774 TALLOC_FREE(escaped_dn);
775 status = NT_STATUS_NO_MEMORY;
776 goto done;
777 }
778
779 TALLOC_FREE(escaped_dn);
780
781 rc = ads_search_retry(ads, &res, ldap_exp, group_attrs);
782
783 if (!ADS_ERR_OK(rc)) {
784 DEBUG(1,("lookup_usergroups ads_search member=%s: %s\n", user_dn, ads_errstr(rc)));
785 return ads_ntstatus(rc);
786 } else if (!res) {
787 DEBUG(1,("lookup_usergroups ads_search returned NULL res\n"));
788 return NT_STATUS_INTERNAL_ERROR;
789 }
790
791
792 count = ads_count_replies(ads, res);
793
794 *user_sids = NULL;
795 num_groups = 0;
796
797 /* always add the primary group to the sid array */
798 status = add_sid_to_array(mem_ctx, primary_group, user_sids,
799 &num_groups);
800 if (!NT_STATUS_IS_OK(status)) {
801 goto done;
802 }
803
804 if (count > 0) {
805 for (msg = ads_first_entry(ads, res); msg;
806 msg = ads_next_entry(ads, msg)) {
807 struct dom_sid group_sid;
808
809 if (!ads_pull_sid(ads, msg, "objectSid", &group_sid)) {
810 DEBUG(1,("No sid for this group ?!?\n"));
811 continue;
812 }
813
814 /* ignore Builtin groups from ADS - Guenther */
815 if (sid_check_is_in_builtin(&group_sid)) {
816 continue;
817 }
818
819 status = add_sid_to_array(mem_ctx, &group_sid,
820 user_sids, &num_groups);
821 if (!NT_STATUS_IS_OK(status)) {
822 goto done;
823 }
824 }
825
826 }
827
828 *p_num_groups = num_groups;
829 status = (user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
830
831 DEBUG(3,("ads lookup_usergroups (member) succeeded for dn=%s\n", user_dn));
832 done:
833 if (res)
834 ads_msgfree(ads, res);
835
836 return status;
837 }
838
839 /* Lookup groups a user is a member of - alternate method, for when
840 tokenGroups are not available. */
841 static NTSTATUS lookup_usergroups_memberof(struct winbindd_domain *domain,
842 TALLOC_CTX *mem_ctx,
843 const char *user_dn,
844 struct dom_sid *primary_group,
845 uint32_t *p_num_groups,
846 struct dom_sid **user_sids)
847 {
848 ADS_STATUS rc;
849 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
850 ADS_STRUCT *ads;
851 const char *attrs[] = {"memberOf", NULL};
852 uint32_t num_groups = 0;
853 struct dom_sid *group_sids = NULL;
854 int i;
855 char **strings = NULL;
856 size_t num_strings = 0, num_sids = 0;
857
858
859 DEBUG(3,("ads: lookup_usergroups_memberof\n"));
860
861 if ( !winbindd_can_contact_domain( domain ) ) {
862 DEBUG(10,("lookup_usergroups_memberof: No incoming trust for "
863 "domain %s\n", domain->name));
864 return NT_STATUS_OK;
865 }
866
867 ads = ads_cached_connection(domain);
868
869 if (!ads) {
870 domain->last_status = NT_STATUS_SERVER_DISABLED;
871 return NT_STATUS_UNSUCCESSFUL;
872 }
873
874 rc = ads_search_retry_extended_dn_ranged(ads, mem_ctx, user_dn, attrs,
875 ADS_EXTENDED_DN_HEX_STRING,
876 &strings, &num_strings);
877
878 if (!ADS_ERR_OK(rc)) {
879 DEBUG(1,("lookup_usergroups_memberof ads_search "
880 "member=%s: %s\n", user_dn, ads_errstr(rc)));
881 return ads_ntstatus(rc);
882 }
883
884 *user_sids = NULL;
885 num_groups = 0;
886
887 /* always add the primary group to the sid array */
888 status = add_sid_to_array(mem_ctx, primary_group, user_sids,
889 &num_groups);
890 if (!NT_STATUS_IS_OK(status)) {
891 goto done;
892 }
893
894 group_sids = talloc_zero_array(mem_ctx, struct dom_sid, num_strings + 1);
895 if (!group_sids) {
896 status = NT_STATUS_NO_MEMORY;
897 goto done;
898 }
899
900 for (i=0; i<num_strings; i++) {
901 rc = ads_get_sid_from_extended_dn(mem_ctx, strings[i],
902 ADS_EXTENDED_DN_HEX_STRING,
903 &(group_sids)[i]);
904 if (!ADS_ERR_OK(rc)) {
905 /* ignore members without SIDs */
906 if (NT_STATUS_EQUAL(ads_ntstatus(rc),
907 NT_STATUS_NOT_FOUND)) {
908 continue;
909 }
910 else {
911 status = ads_ntstatus(rc);
912 goto done;
913 }
914 }
915 num_sids++;
916 }
917
918 if (i == 0) {
919 DEBUG(1,("No memberOf for this user?!?\n"));
920 status = NT_STATUS_NO_MEMORY;
921 goto done;
922 }
923
924 for (i=0; i<num_sids; i++) {
925
926 /* ignore Builtin groups from ADS - Guenther */
927 if (sid_check_is_in_builtin(&group_sids[i])) {
928 continue;
929 }
930
931 status = add_sid_to_array(mem_ctx, &group_sids[i], user_sids,
932 &num_groups);
933 if (!NT_STATUS_IS_OK(status)) {
934 goto done;
935 }
936
937 }
938
939 *p_num_groups = num_groups;
940 status = (*user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
941
942 DEBUG(3,("ads lookup_usergroups (memberof) succeeded for dn=%s\n",
943 user_dn));
944
945 done:
946 TALLOC_FREE(strings);
947 TALLOC_FREE(group_sids);
948
949 return status;
950 }
951
952
953 /* Lookup groups a user is a member of. */
954 static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
955 TALLOC_CTX *mem_ctx,
956 const struct dom_sid *sid,
957 uint32 *p_num_groups, struct dom_sid **user_sids)
958 {
959 ADS_STRUCT *ads = NULL;
960 const char *attrs[] = {"tokenGroups", "primaryGroupID", NULL};
961 ADS_STATUS rc;
962 int count;
963 LDAPMessage *msg = NULL;
964 char *user_dn = NULL;
965 struct dom_sid *sids;
966 int i;
967 struct dom_sid primary_group;
968 uint32 primary_group_rid;
969 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
970 uint32_t num_groups = 0;
971
972 DEBUG(3,("ads: lookup_usergroups\n"));
973 *p_num_groups = 0;
974
975 status = lookup_usergroups_cached(domain, mem_ctx, sid,
976 p_num_groups, user_sids);
977 if (NT_STATUS_IS_OK(status)) {
978 return NT_STATUS_OK;
979 }
980
981 if ( !winbindd_can_contact_domain( domain ) ) {
982 DEBUG(10,("lookup_usergroups: No incoming trust for domain %s\n",
983 domain->name));
984
985 /* Tell the cache manager not to remember this one */
986
987 return NT_STATUS_SYNCHRONIZATION_REQUIRED;
988 }
989
990 ads = ads_cached_connection(domain);
991
992 if (!ads) {
993 domain->last_status = NT_STATUS_SERVER_DISABLED;
994 status = NT_STATUS_SERVER_DISABLED;
995 goto done;
996 }
997
998 rc = ads_search_retry_sid(ads, &msg, sid, attrs);
999
1000 if (!ADS_ERR_OK(rc)) {
1001 status = ads_ntstatus(rc);
1002 DEBUG(1, ("lookup_usergroups(sid=%s) ads_search tokenGroups: "
1003 "%s\n", sid_string_dbg(sid), ads_errstr(rc)));
1004 goto done;
1005 }
1006
1007 count = ads_count_replies(ads, msg);
1008 if (count != 1) {
1009 status = NT_STATUS_UNSUCCESSFUL;
1010 DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: "
1011 "invalid number of results (count=%d)\n",
1012 sid_string_dbg(sid), count));
1013 goto done;
1014 }
1015
1016 if (!msg) {
1017 DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: NULL msg\n",
1018 sid_string_dbg(sid)));
1019 status = NT_STATUS_UNSUCCESSFUL;
1020 goto done;
1021 }
1022
1023 user_dn = ads_get_dn(ads, mem_ctx, msg);
1024 if (user_dn == NULL) {
1025 status = NT_STATUS_NO_MEMORY;
1026 goto done;
1027 }
1028
1029 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &primary_group_rid)) {
1030 DEBUG(1,("%s: No primary group for sid=%s !?\n",
1031 domain->name, sid_string_dbg(sid)));
1032 goto done;
1033 }
1034
1035 sid_compose(&primary_group, &domain->sid, primary_group_rid);
1036
1037 count = ads_pull_sids(ads, mem_ctx, msg, "tokenGroups", &sids);
1038
1039 /* there must always be at least one group in the token,
1040 unless we are talking to a buggy Win2k server */
1041
1042 /* actually this only happens when the machine account has no read
1043 * permissions on the tokenGroup attribute - gd */
1044
1045 if (count == 0) {
1046
1047 /* no tokenGroups */
1048
1049 /* lookup what groups this user is a member of by DN search on
1050 * "memberOf" */
1051
1052 status = lookup_usergroups_memberof(domain, mem_ctx, user_dn,
1053 &primary_group,
1054 &num_groups, user_sids);
1055 *p_num_groups = num_groups;
1056 if (NT_STATUS_IS_OK(status)) {
1057 goto done;
1058 }
1059
1060 /* lookup what groups this user is a member of by DN search on
1061 * "member" */
1062
1063 status = lookup_usergroups_member(domain, mem_ctx, user_dn,
1064 &primary_group,
1065 &num_groups, user_sids);
1066 *p_num_groups = num_groups;
1067 goto done;
1068 }
1069
1070 *user_sids = NULL;
1071 num_groups = 0;
1072
1073 status = add_sid_to_array(mem_ctx, &primary_group, user_sids,
1074 &num_groups);
1075 if (!NT_STATUS_IS_OK(status)) {
1076 goto done;
1077 }
1078
1079 for (i=0;i<count;i++) {
1080
1081 /* ignore Builtin groups from ADS - Guenther */
1082 if (sid_check_is_in_builtin(&sids[i])) {
1083 continue;
1084 }
1085
1086 status = add_sid_to_array_unique(mem_ctx, &sids[i],
1087 user_sids, &num_groups);
1088 if (!NT_STATUS_IS_OK(status)) {
1089 goto done;
1090 }
1091 }
1092
1093 *p_num_groups = (uint32)num_groups;
1094 status = (*user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
1095
1096 DEBUG(3,("ads lookup_usergroups (tokenGroups) succeeded for sid=%s\n",
1097 sid_string_dbg(sid)));
1098 done:
1099 TALLOC_FREE(user_dn);
1100 ads_msgfree(ads, msg);
1101 return status;
1102 }
1103
1104 /* Lookup aliases a user is member of - use rpc methods */
1105 static NTSTATUS lookup_useraliases(struct winbindd_domain *domain,
1106 TALLOC_CTX *mem_ctx,
1107 uint32 num_sids, const struct dom_sid *sids,
1108 uint32 *num_aliases, uint32 **alias_rids)
1109 {
1110 return reconnect_methods.lookup_useraliases(domain, mem_ctx,
1111 num_sids, sids,
1112 num_aliases,
1113 alias_rids);
1114 }
1115
1116 /*
1117 find the members of a group, given a group rid and domain
1118 */
1119 static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
1120 TALLOC_CTX *mem_ctx,
1121 const struct dom_sid *group_sid,
1122 enum lsa_SidType type,
1123 uint32 *num_names,
1124 struct dom_sid **sid_mem, char ***names,
1125 uint32 **name_types)
1126 {
1127 ADS_STATUS rc;
1128 ADS_STRUCT *ads = NULL;
1129 char *ldap_exp;
1130 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
1131 char *sidbinstr;
1132 char **members = NULL;
1133 int i;
1134 size_t num_members = 0;
1135 ads_control args;
1136 struct dom_sid *sid_mem_nocache = NULL;
1137 char **names_nocache = NULL;
1138 enum lsa_SidType *name_types_nocache = NULL;
1139 char **domains_nocache = NULL; /* only needed for rpccli_lsa_lookup_sids */
1140 uint32 num_nocache = 0;
1141 TALLOC_CTX *tmp_ctx = NULL;
1142
1143 DEBUG(10,("ads: lookup_groupmem %s sid=%s\n", domain->name,
1144 sid_string_dbg(group_sid)));
1145
1146 *num_names = 0;
1147
1148 tmp_ctx = talloc_new(mem_ctx);
1149 if (!tmp_ctx) {
1150 DEBUG(1, ("ads: lookup_groupmem: talloc failed\n"));
1151 status = NT_STATUS_NO_MEMORY;
1152 goto done;
1153 }
1154
1155 if ( !winbindd_can_contact_domain( domain ) ) {
1156 DEBUG(10,("lookup_groupmem: No incoming trust for domain %s\n",
1157 domain->name));
1158 return NT_STATUS_OK;
1159 }
1160
1161 ads = ads_cached_connection(domain);
1162
1163 if (!ads) {
1164 domain->last_status = NT_STATUS_SERVER_DISABLED;
1165 goto done;
1166 }
1167
1168 if ((sidbinstr = ldap_encode_ndr_dom_sid(talloc_tos(), group_sid)) == NULL) {
1169 status = NT_STATUS_NO_MEMORY;
1170 goto done;
1171 }
1172
1173 /* search for all members of the group */
1174 ldap_exp = talloc_asprintf(tmp_ctx, "(objectSid=%s)", sidbinstr);
1175 TALLOC_FREE(sidbinstr);
1176 if (ldap_exp == NULL) {
1177 DEBUG(1, ("ads: lookup_groupmem: talloc_asprintf for ldap_exp failed!\n"));
1178 status = NT_STATUS_NO_MEMORY;
1179 goto done;
1180 }
1181
1182 args.control = ADS_EXTENDED_DN_OID;
1183 args.val = ADS_EXTENDED_DN_HEX_STRING;
1184 args.critical = True;
1185
1186 rc = ads_ranged_search(ads, tmp_ctx, LDAP_SCOPE_SUBTREE, ads->config.bind_path,
1187 ldap_exp, &args, "member", &members, &num_members);
1188
1189 if (!ADS_ERR_OK(rc)) {
1190 DEBUG(0,("ads_ranged_search failed with: %s\n", ads_errstr(rc)));
1191 status = NT_STATUS_UNSUCCESSFUL;
1192 goto done;
1193 }
1194
1195 DEBUG(10, ("ads lookup_groupmem: got %d sids via extended dn call\n", (int)num_members));
1196
1197 /* Now that we have a list of sids, we need to get the
1198 * lists of names and name_types belonging to these sids.
1199 * even though conceptually not quite clean, we use the
1200 * RPC call lsa_lookup_sids for this since it can handle a
1201 * list of sids. ldap calls can just resolve one sid at a time.
1202 *
1203 * At this stage, the sids are still hidden in the exetended dn
1204 * member output format. We actually do a little better than
1205 * stated above: In extracting the sids from the member strings,
1206 * we try to resolve as many sids as possible from the
1207 * cache. Only the rest is passed to the lsa_lookup_sids call. */
1208
1209 if (num_members) {
1210 (*sid_mem) = talloc_zero_array(mem_ctx, struct dom_sid, num_members);
1211 (*names) = talloc_zero_array(mem_ctx, char *, num_members);
1212 (*name_types) = talloc_zero_array(mem_ctx, uint32, num_members);
1213 (sid_mem_nocache) = talloc_zero_array(tmp_ctx, struct dom_sid, num_members);
1214
1215 if ((members == NULL) || (*sid_mem == NULL) ||
1216 (*names == NULL) || (*name_types == NULL) ||
1217 (sid_mem_nocache == NULL))
1218 {
1219 DEBUG(1, ("ads: lookup_groupmem: talloc failed\n"));
1220 status = NT_STATUS_NO_MEMORY;
1221 goto done;
1222 }
1223 }
1224 else {
1225 (*sid_mem) = NULL;
1226 (*names) = NULL;
1227 (*name_types) = NULL;
1228 }
1229
1230 for (i=0; i<num_members; i++) {
1231 enum lsa_SidType name_type;
1232 char *name, *domain_name;
1233 struct dom_sid sid;
1234
1235 rc = ads_get_sid_from_extended_dn(tmp_ctx, members[i], args.val,
1236 &sid);
1237 if (!ADS_ERR_OK(rc)) {
1238 if (NT_STATUS_EQUAL(ads_ntstatus(rc),
1239 NT_STATUS_NOT_FOUND)) {
1240 /* Group members can be objects, like Exchange
1241 * Public Folders, that don't have a SID. Skip
1242 * them. */
1243 continue;
1244 }
1245 else {
1246 status = ads_ntstatus(rc);
1247 goto done;
1248 }
1249 }
1250 if (lookup_cached_sid(mem_ctx, &sid, &domain_name, &name,
1251 &name_type)) {
1252 DEBUG(10,("ads: lookup_groupmem: got sid %s from "
1253 "cache\n", sid_string_dbg(&sid)));
1254 sid_copy(&(*sid_mem)[*num_names], &sid);
1255 (*names)[*num_names] = fill_domain_username_talloc(
1256 *names,
1257 domain_name,
1258 name,
1259 true);
1260
1261 (*name_types)[*num_names] = name_type;
1262 (*num_names)++;
1263 }
1264 else {
1265 DEBUG(10, ("ads: lookup_groupmem: sid %s not found in "
1266 "cache\n", sid_string_dbg(&sid)));
1267 sid_copy(&(sid_mem_nocache)[num_nocache], &sid);
1268 num_nocache++;
1269 }
1270 }
1271
1272 DEBUG(10, ("ads: lookup_groupmem: %d sids found in cache, "
1273 "%d left for lsa_lookupsids\n", *num_names, num_nocache));
1274
1275 /* handle sids not resolved from cache by lsa_lookup_sids */
1276 if (num_nocache > 0) {
1277
1278 status = winbindd_lookup_sids(tmp_ctx,
1279 domain,
1280 num_nocache,
1281 sid_mem_nocache,
1282 &domains_nocache,
1283 &names_nocache,
1284 &name_types_nocache);
1285
1286 if (!(NT_STATUS_IS_OK(status) ||
1287 NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED) ||
1288 NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)))
1289 {
1290 DEBUG(1, ("lsa_lookupsids call failed with %s "
1291 "- retrying...\n", nt_errstr(status)));
1292
1293 status = winbindd_lookup_sids(tmp_ctx,
1294 domain,
1295 num_nocache,
1296 sid_mem_nocache,
1297 &domains_nocache,
1298 &names_nocache,
1299 &name_types_nocache);
1300 }
1301
1302 if (NT_STATUS_IS_OK(status) ||
1303 NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED))
1304 {
1305 /* Copy the entries over from the "_nocache" arrays
1306 * to the result arrays, skipping the gaps the
1307 * lookup_sids call left. */
1308 for (i=0; i < num_nocache; i++) {
1309 if (((names_nocache)[i] != NULL) &&
1310 ((name_types_nocache)[i] != SID_NAME_UNKNOWN))
1311 {
1312 sid_copy(&(*sid_mem)[*num_names],
1313 &sid_mem_nocache[i]);
1314 (*names)[*num_names] =
1315 fill_domain_username_talloc(
1316 *names,
1317 domains_nocache[i],
1318 names_nocache[i],
1319 true);
1320 (*name_types)[*num_names] = name_types_nocache[i];
1321 (*num_names)++;
1322 }
1323 }
1324 }
1325 else if (NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)) {
1326 DEBUG(10, ("lookup_groupmem: lsa_lookup_sids could "
1327 "not map any SIDs at all.\n"));
1328 /* Don't handle this as an error here.
1329 * There is nothing left to do with respect to the
1330 * overall result... */
1331 }
1332 else if (!NT_STATUS_IS_OK(status)) {
1333 DEBUG(10, ("lookup_groupmem: Error looking up %d "
1334 "sids via rpc_lsa_lookup_sids: %s\n",
1335 (int)num_members, nt_errstr(status)));
1336 goto done;
1337 }
1338 }
1339
1340 status = NT_STATUS_OK;
1341 DEBUG(3,("ads lookup_groupmem for sid=%s succeeded\n",
1342 sid_string_dbg(group_sid)));
1343
1344 done:
1345
1346 TALLOC_FREE(tmp_ctx);
1347
1348 return status;
1349 }
1350
1351 /* find the sequence number for a domain */
1352 static NTSTATUS sequence_number(struct winbindd_domain *domain, uint32 *seq)
1353 {
1354 ADS_STRUCT *ads = NULL;
1355 ADS_STATUS rc;
1356
1357 DEBUG(3,("ads: fetch sequence_number for %s\n", domain->name));
1358
1359 if ( !winbindd_can_contact_domain( domain ) ) {
1360 DEBUG(10,("sequence: No incoming trust for domain %s\n",
1361 domain->name));
1362 *seq = time(NULL);
1363 return NT_STATUS_OK;
1364 }
1365
1366 *seq = DOM_SEQUENCE_NONE;
1367
1368 ads = ads_cached_connection(domain);
1369
1370 if (!ads) {
1371 domain->last_status = NT_STATUS_SERVER_DISABLED;
1372 return NT_STATUS_UNSUCCESSFUL;
1373 }
1374
1375 rc = ads_USN(ads, seq);
1376
1377 if (!ADS_ERR_OK(rc)) {
1378
1379 /* its a dead connection, destroy it */
1380
1381 if (domain->private_data) {
1382 ads = (ADS_STRUCT *)domain->private_data;
1383 ads->is_mine = True;
1384 ads_destroy(&ads);
1385 ads_kdestroy(WINBIND_CCACHE_NAME);
1386 domain->private_data = NULL;
1387 }
1388 }
1389 return ads_ntstatus(rc);
1390 }
1391
1392 /* find the lockout policy of a domain - use rpc methods */
1393 static NTSTATUS lockout_policy(struct winbindd_domain *domain,
1394 TALLOC_CTX *mem_ctx,
1395 struct samr_DomInfo12 *policy)
1396 {
1397 return reconnect_methods.lockout_policy(domain, mem_ctx, policy);
1398 }
1399
1400 /* find the password policy of a domain - use rpc methods */
1401 static NTSTATUS password_policy(struct winbindd_domain *domain,
1402 TALLOC_CTX *mem_ctx,
1403 struct samr_DomInfo1 *policy)
1404 {
1405 return reconnect_methods.password_policy(domain, mem_ctx, policy);
1406 }
1407
1408 /* get a list of trusted domains */
1409 static NTSTATUS trusted_domains(struct winbindd_domain *domain,
1410 TALLOC_CTX *mem_ctx,
1411 struct netr_DomainTrustList *trusts)
1412 {
1413 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1414 WERROR werr;
1415 int i;
1416 uint32 flags;
1417 struct rpc_pipe_client *cli;
1418 int ret_count;
1419 struct dcerpc_binding_handle *b;
1420
1421 DEBUG(3,("ads: trusted_domains\n"));
1422
1423 ZERO_STRUCTP(trusts);
1424
1425 /* If this is our primary domain or a root in our forest,
1426 query for all trusts. If not, then just look for domain
1427 trusts in the target forest */
1428
1429 if (domain->primary || domain_is_forest_root(domain)) {
1430 flags = NETR_TRUST_FLAG_OUTBOUND |
1431 NETR_TRUST_FLAG_INBOUND |
1432 NETR_TRUST_FLAG_IN_FOREST;
1433 } else {
1434 flags = NETR_TRUST_FLAG_IN_FOREST;
1435 }
1436
1437 result = cm_connect_netlogon(domain, &cli);
1438
1439 if (!NT_STATUS_IS_OK(result)) {
1440 DEBUG(5, ("trusted_domains: Could not open a connection to %s "
1441 "for PIPE_NETLOGON (%s)\n",
1442 domain->name, nt_errstr(result)));
1443 return NT_STATUS_UNSUCCESSFUL;
1444 }
1445
1446 b = cli->binding_handle;
1447
1448 result = dcerpc_netr_DsrEnumerateDomainTrusts(b, mem_ctx,
1449 cli->desthost,
1450 flags,
1451 trusts,
1452 &werr);
1453 if (!NT_STATUS_IS_OK(result)) {
1454 return result;
1455 }
1456
1457 if (!W_ERROR_IS_OK(werr)) {
1458 return werror_to_ntstatus(werr);
1459 }
1460 if (trusts->count == 0) {
1461 return NT_STATUS_OK;
1462 }
1463
1464 /* Copy across names and sids */
1465
1466 ret_count = 0;
1467 for (i = 0; i < trusts->count; i++) {
1468 struct netr_DomainTrust *trust = &trusts->array[i];
1469 struct winbindd_domain d;
1470
1471 ZERO_STRUCT(d);
1472
1473 /*
1474 * drop external trusts if this is not our primary
1475 * domain. This means that the returned number of
1476 * domains may be less that the ones actually trusted
1477 * by the DC.
1478 */
1479
1480 if ((trust->trust_attributes
1481 == NETR_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) &&
1482 !domain->primary )
1483 {
1484 DEBUG(10,("trusted_domains: Skipping external trusted "
1485 "domain %s because it is outside of our "
1486 "primary domain\n",
1487 trust->netbios_name));
1488 continue;
1489 }
1490
1491 /* add to the trusted domain cache */
1492
1493 d.name = discard_const_p(char, trust->netbios_name);
1494 d.alt_name = discard_const_p(char, trust->dns_name);
1495
1496 if (trust->sid) {
1497 sid_copy(&d.sid, trust->sid);
1498 } else {
1499 sid_copy(&d.sid, &global_sid_NULL);
1500 }
1501
1502 if ( domain->primary ) {
1503 DEBUG(10,("trusted_domains(ads): Searching "
1504 "trusted domain list of %s and storing "
1505 "trust flags for domain %s\n",
1506 domain->name, d.alt_name));
1507
1508 d.domain_flags = trust->trust_flags;
1509 d.domain_type = trust->trust_type;
1510 d.domain_trust_attribs = trust->trust_attributes;
1511
1512 wcache_tdc_add_domain( &d );
1513 ret_count++;
1514 } else if (domain_is_forest_root(domain)) {
1515 /* Check if we already have this record. If
1516 * we are following our forest root that is not
1517 * our primary domain, we want to keep trust
1518 * flags from the perspective of our primary
1519 * domain not our forest root. */
1520 struct winbindd_tdc_domain *exist = NULL;
1521
1522 exist = wcache_tdc_fetch_domain(
1523 talloc_tos(), trust->netbios_name);
1524 if (!exist) {
1525 DEBUG(10,("trusted_domains(ads): Searching "
1526 "trusted domain list of %s and "
1527 "storing trust flags for domain "
1528 "%s\n", domain->name, d.alt_name));
1529 d.domain_flags = trust->trust_flags;
1530 d.domain_type = trust->trust_type;
1531 d.domain_trust_attribs =
1532 trust->trust_attributes;
1533
1534 wcache_tdc_add_domain( &d );
1535 ret_count++;
1536 }
1537 TALLOC_FREE(exist);
1538 } else {
1539 /* This gets a little tricky. If we are
1540 following a transitive forest trust, then
1541 innerit the flags, type, and attribs from
1542 the domain we queried to make sure we don't
1543 record the view of the trust from the wrong
1544 side. Always view it from the side of our
1545 primary domain. --jerry */
1546 struct winbindd_tdc_domain *parent = NULL;
1547
1548 DEBUG(10,("trusted_domains(ads): Searching "
1549 "trusted domain list of %s and inheriting "
1550 "trust flags for domain %s\n",
1551 domain->name, d.alt_name));
1552
1553 parent = wcache_tdc_fetch_domain(talloc_tos(),
1554 domain->name);
1555 if (parent) {
1556 d.domain_flags = parent->trust_flags;
1557 d.domain_type = parent->trust_type;
1558 d.domain_trust_attribs = parent->trust_attribs;
1559 } else {
1560 d.domain_flags = domain->domain_flags;
1561 d.domain_type = domain->domain_type;
1562 d.domain_trust_attribs =
1563 domain->domain_trust_attribs;
1564 }
1565 TALLOC_FREE(parent);
1566
1567 wcache_tdc_add_domain( &d );
1568 ret_count++;
1569 }
1570 }
1571 return result;
1572 }
1573
1574 /* the ADS backend methods are exposed via this structure */
1575 struct winbindd_methods ads_methods = {
1576 True,
1577 query_user_list,
1578 enum_dom_groups,
1579 enum_local_groups,
1580 name_to_sid,
1581 sid_to_name,
1582 rids_to_names,
1583 query_user,
1584 lookup_usergroups,
1585 lookup_useraliases,
1586 lookup_groupmem,
1587 sequence_number,
1588 lockout_policy,
1589 password_policy,
1590 trusted_domains,
1591 };
1592
1593 #endif
Samba GIT mirror