2 Unix SMB/CIFS implementation.
4 Winbind rpc backend functions
6 Copyright (C) Tim Potter 2000-2001,2003
7 Copyright (C) Andrew Tridgell 2001
8 Copyright (C) Volker Lendecke 2005
9 Copyright (C) Guenther Deschner 2008 (pidl conversion)
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 3 of the License, or
14 (at your option) any later version.
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
21 You should have received a copy of the GNU General Public License
22 along with this program. If not, see <http://www.gnu.org/licenses/>.
27 #include "winbindd_rpc.h"
29 #include "../librpc/gen_ndr/ndr_samr_c.h"
30 #include "rpc_client/cli_pipe.h"
31 #include "rpc_client/cli_samr.h"
32 #include "rpc_client/cli_lsarpc.h"
33 #include "../libcli/security/security.h"
34 #include "libsmb/samlogon_cache.h"
37 #define DBGC_CLASS DBGC_WINBIND
39 static NTSTATUS
winbindd_lookup_names(TALLOC_CTX
*mem_ctx
,
40 struct winbindd_domain
*domain
,
43 const char ***domains
,
44 struct dom_sid
**sids
,
45 enum lsa_SidType
**types
);
47 /* Query display info for a domain. This returns enough information plus a
48 bit extra to give an overview of domain users for the User Manager
50 static NTSTATUS
msrpc_query_user_list(struct winbindd_domain
*domain
,
54 struct rpc_pipe_client
*samr_pipe
= NULL
;
55 struct policy_handle dom_pol
;
56 uint32_t *rids
= NULL
;
60 DEBUG(3, ("msrpc_query_user_list\n"));
62 tmp_ctx
= talloc_stackframe();
63 if (tmp_ctx
== NULL
) {
64 return NT_STATUS_NO_MEMORY
;
67 if ( !winbindd_can_contact_domain( domain
) ) {
68 DEBUG(10,("query_user_list: No incoming trust for domain %s\n",
70 status
= NT_STATUS_OK
;
74 status
= cm_connect_sam(domain
, tmp_ctx
, false, &samr_pipe
, &dom_pol
);
75 if (!NT_STATUS_IS_OK(status
)) {
79 status
= rpc_query_user_list(tmp_ctx
,
84 if (!NT_STATUS_IS_OK(status
)) {
89 *prids
= talloc_move(mem_ctx
, &rids
);
98 /* list all domain groups */
99 static NTSTATUS
msrpc_enum_dom_groups(struct winbindd_domain
*domain
,
102 struct wb_acct_info
**pinfo
)
104 struct rpc_pipe_client
*samr_pipe
;
105 struct policy_handle dom_pol
;
106 struct wb_acct_info
*info
= NULL
;
107 uint32_t num_info
= 0;
111 DEBUG(3,("msrpc_enum_dom_groups\n"));
117 tmp_ctx
= talloc_stackframe();
118 if (tmp_ctx
== NULL
) {
119 return NT_STATUS_NO_MEMORY
;
122 if ( !winbindd_can_contact_domain( domain
) ) {
123 DEBUG(10,("enum_domain_groups: No incoming trust for domain %s\n",
125 status
= NT_STATUS_OK
;
129 status
= cm_connect_sam(domain
, tmp_ctx
, false, &samr_pipe
, &dom_pol
);
130 if (!NT_STATUS_IS_OK(status
)) {
134 status
= rpc_enum_dom_groups(tmp_ctx
,
139 if (!NT_STATUS_IS_OK(status
)) {
144 *pnum_info
= num_info
;
148 *pinfo
= talloc_move(mem_ctx
, &info
);
152 TALLOC_FREE(tmp_ctx
);
156 /* List all domain groups */
158 static NTSTATUS
msrpc_enum_local_groups(struct winbindd_domain
*domain
,
161 struct wb_acct_info
**pinfo
)
163 struct rpc_pipe_client
*samr_pipe
;
164 struct policy_handle dom_pol
;
165 struct wb_acct_info
*info
= NULL
;
166 uint32_t num_info
= 0;
170 DEBUG(3,("msrpc_enum_local_groups\n"));
176 tmp_ctx
= talloc_stackframe();
177 if (tmp_ctx
== NULL
) {
178 return NT_STATUS_NO_MEMORY
;
181 if ( !winbindd_can_contact_domain( domain
) ) {
182 DEBUG(10,("enum_local_groups: No incoming trust for domain %s\n",
184 status
= NT_STATUS_OK
;
188 status
= cm_connect_sam(domain
, tmp_ctx
, false, &samr_pipe
, &dom_pol
);
189 if (!NT_STATUS_IS_OK(status
)) {
193 status
= rpc_enum_local_groups(mem_ctx
,
198 if (!NT_STATUS_IS_OK(status
)) {
203 *pnum_info
= num_info
;
207 *pinfo
= talloc_move(mem_ctx
, &info
);
211 TALLOC_FREE(tmp_ctx
);
215 /* convert a single name to a sid in a domain */
216 static NTSTATUS
msrpc_name_to_sid(struct winbindd_domain
*domain
,
218 const char *domain_name
,
221 const char **pdom_name
,
223 enum lsa_SidType
*type
)
226 struct dom_sid
*sids
= NULL
;
227 enum lsa_SidType
*types
= NULL
;
228 char *full_name
= NULL
;
229 const char *names
[1];
230 const char **domains
;
231 NTSTATUS name_map_status
= NT_STATUS_UNSUCCESSFUL
;
232 char *mapped_name
= NULL
;
234 if (name
== NULL
|| *name
=='\0') {
235 full_name
= talloc_asprintf(mem_ctx
, "%s", domain_name
);
236 } else if (domain_name
== NULL
|| *domain_name
== '\0') {
237 full_name
= talloc_asprintf(mem_ctx
, "%s", name
);
239 full_name
= talloc_asprintf(mem_ctx
, "%s\\%s", domain_name
, name
);
242 DEBUG(0, ("talloc_asprintf failed!\n"));
243 return NT_STATUS_NO_MEMORY
;
246 DEBUG(3, ("msrpc_name_to_sid: name=%s\n", full_name
));
248 name_map_status
= normalize_name_unmap(mem_ctx
, full_name
,
251 /* Reset the full_name pointer if we mapped anything */
253 if (NT_STATUS_IS_OK(name_map_status
) ||
254 NT_STATUS_EQUAL(name_map_status
, NT_STATUS_FILE_RENAMED
))
256 full_name
= mapped_name
;
259 DEBUG(3,("name_to_sid [rpc] %s for domain %s\n",
260 full_name
?full_name
:"", domain_name
));
262 names
[0] = full_name
;
264 result
= winbindd_lookup_names(mem_ctx
, domain
, 1,
267 if (!NT_STATUS_IS_OK(result
))
270 /* Return rid and type if lookup successful */
272 if (pdom_name
!= NULL
) {
273 const char *dom_name
;
275 dom_name
= talloc_strdup(mem_ctx
, domains
[0]);
276 if (dom_name
== NULL
) {
277 return NT_STATUS_NO_MEMORY
;
280 *pdom_name
= dom_name
;
283 sid_copy(sid
, &sids
[0]);
290 convert a domain SID to a user or group name
292 static NTSTATUS
msrpc_sid_to_name(struct winbindd_domain
*domain
,
294 const struct dom_sid
*sid
,
297 enum lsa_SidType
*type
)
301 enum lsa_SidType
*types
= NULL
;
303 NTSTATUS name_map_status
= NT_STATUS_UNSUCCESSFUL
;
304 char *mapped_name
= NULL
;
305 struct dom_sid_buf buf
;
307 DEBUG(3, ("msrpc_sid_to_name: %s for domain %s\n",
308 dom_sid_str_buf(sid
, &buf
),
311 result
= winbindd_lookup_sids(mem_ctx
,
318 if (!NT_STATUS_IS_OK(result
)) {
319 DEBUG(2,("msrpc_sid_to_name: failed to lookup sids: %s\n",
325 *type
= (enum lsa_SidType
)types
[0];
326 *domain_name
= domains
[0];
329 DEBUG(5,("Mapped sid to [%s]\\[%s]\n", domains
[0], *name
));
331 name_map_status
= normalize_name_map(mem_ctx
, domain
->name
, *name
,
333 if (NT_STATUS_IS_OK(name_map_status
) ||
334 NT_STATUS_EQUAL(name_map_status
, NT_STATUS_FILE_RENAMED
))
337 DEBUG(5,("returning mapped name -- %s\n", *name
));
343 static NTSTATUS
msrpc_rids_to_names(struct winbindd_domain
*domain
,
345 const struct dom_sid
*sid
,
350 enum lsa_SidType
**types
)
354 struct dom_sid
*sids
;
358 DEBUG(3, ("msrpc_rids_to_names: domain %s\n", domain
->name
));
361 sids
= talloc_array(mem_ctx
, struct dom_sid
, num_rids
);
363 return NT_STATUS_NO_MEMORY
;
369 for (i
=0; i
<num_rids
; i
++) {
370 if (!sid_compose(&sids
[i
], sid
, rids
[i
])) {
371 return NT_STATUS_INTERNAL_ERROR
;
375 result
= winbindd_lookup_sids(mem_ctx
,
383 if (!NT_STATUS_IS_OK(result
) &&
384 !NT_STATUS_EQUAL(result
, STATUS_SOME_UNMAPPED
)) {
389 for (i
=0; i
<num_rids
; i
++) {
390 NTSTATUS name_map_status
= NT_STATUS_UNSUCCESSFUL
;
391 char *mapped_name
= NULL
;
393 if ((*types
)[i
] != SID_NAME_UNKNOWN
) {
394 name_map_status
= normalize_name_map(mem_ctx
,
398 if (NT_STATUS_IS_OK(name_map_status
) ||
399 NT_STATUS_EQUAL(name_map_status
, NT_STATUS_FILE_RENAMED
))
401 ret_names
[i
] = mapped_name
;
404 *domain_name
= domains
[i
];
411 /* Lookup groups a user is a member of. I wish Unix had a call like this! */
412 static NTSTATUS
msrpc_lookup_usergroups(struct winbindd_domain
*domain
,
414 const struct dom_sid
*user_sid
,
415 uint32_t *pnum_groups
,
416 struct dom_sid
**puser_grpsids
)
418 struct rpc_pipe_client
*samr_pipe
;
419 struct policy_handle dom_pol
;
420 struct dom_sid
*user_grpsids
= NULL
;
421 struct dom_sid_buf buf
;
422 uint32_t num_groups
= 0;
426 DEBUG(3,("msrpc_lookup_usergroups sid=%s\n",
427 dom_sid_str_buf(user_sid
, &buf
)));
431 tmp_ctx
= talloc_stackframe();
432 if (tmp_ctx
== NULL
) {
433 return NT_STATUS_NO_MEMORY
;
436 /* Check if we have a cached user_info_3 */
437 status
= lookup_usergroups_cached(tmp_ctx
,
441 if (NT_STATUS_IS_OK(status
)) {
445 if ( !winbindd_can_contact_domain( domain
) ) {
446 DEBUG(10,("lookup_usergroups: No incoming trust for domain %s\n",
449 /* Tell the cache manager not to remember this one */
450 status
= NT_STATUS_SYNCHRONIZATION_REQUIRED
;
454 /* no cache; hit the wire */
455 status
= cm_connect_sam(domain
, tmp_ctx
, false, &samr_pipe
, &dom_pol
);
456 if (!NT_STATUS_IS_OK(status
)) {
460 status
= rpc_lookup_usergroups(tmp_ctx
,
467 if (!NT_STATUS_IS_OK(status
)) {
472 *pnum_groups
= num_groups
;
475 *puser_grpsids
= talloc_move(mem_ctx
, &user_grpsids
);
479 TALLOC_FREE(tmp_ctx
);
484 #define MAX_SAM_ENTRIES_W2K 0x400 /* 1024 */
486 static NTSTATUS
msrpc_lookup_useraliases(struct winbindd_domain
*domain
,
488 uint32_t num_sids
, const struct dom_sid
*sids
,
489 uint32_t *pnum_aliases
,
490 uint32_t **palias_rids
)
492 struct rpc_pipe_client
*samr_pipe
;
493 struct policy_handle dom_pol
;
494 uint32_t num_aliases
= 0;
495 uint32_t *alias_rids
= NULL
;
499 DEBUG(3,("msrpc_lookup_useraliases\n"));
505 tmp_ctx
= talloc_stackframe();
506 if (tmp_ctx
== NULL
) {
507 return NT_STATUS_NO_MEMORY
;
510 if (!winbindd_can_contact_domain(domain
)) {
511 DEBUG(10,("msrpc_lookup_useraliases: No incoming trust for domain %s\n",
513 /* Tell the cache manager not to remember this one */
514 status
= NT_STATUS_SYNCHRONIZATION_REQUIRED
;
518 status
= cm_connect_sam(domain
, tmp_ctx
, false, &samr_pipe
, &dom_pol
);
519 if (!NT_STATUS_IS_OK(status
)) {
523 status
= rpc_lookup_useraliases(tmp_ctx
,
530 if (!NT_STATUS_IS_OK(status
)) {
535 *pnum_aliases
= num_aliases
;
539 *palias_rids
= talloc_move(mem_ctx
, &alias_rids
);
543 TALLOC_FREE(tmp_ctx
);
548 /* Lookup group membership given a rid. */
549 static NTSTATUS
msrpc_lookup_groupmem(struct winbindd_domain
*domain
,
551 const struct dom_sid
*group_sid
,
552 enum lsa_SidType type
,
554 struct dom_sid
**sid_mem
,
556 uint32_t **name_types
)
558 NTSTATUS status
, result
;
559 uint32_t i
, total_names
= 0;
560 struct policy_handle dom_pol
, group_pol
;
561 uint32_t des_access
= SEC_FLAG_MAXIMUM_ALLOWED
;
562 uint32_t *rid_mem
= NULL
;
565 struct rpc_pipe_client
*cli
;
566 unsigned int orig_timeout
;
567 struct samr_RidAttrArray
*rids
= NULL
;
568 struct dcerpc_binding_handle
*b
;
569 struct dom_sid_buf buf
;
571 DEBUG(3,("msrpc_lookup_groupmem: %s sid=%s\n", domain
->name
,
572 dom_sid_str_buf(group_sid
, &buf
)));
574 if ( !winbindd_can_contact_domain( domain
) ) {
575 DEBUG(10,("lookup_groupmem: No incoming trust for domain %s\n",
580 if (!sid_peek_check_rid(&domain
->sid
, group_sid
, &group_rid
))
581 return NT_STATUS_UNSUCCESSFUL
;
585 result
= cm_connect_sam(domain
, mem_ctx
, false, &cli
, &dom_pol
);
586 if (!NT_STATUS_IS_OK(result
))
589 b
= cli
->binding_handle
;
591 status
= dcerpc_samr_OpenGroup(b
, mem_ctx
,
597 if (any_nt_status_not_ok(status
, result
, &status
)) {
601 /* Step #1: Get a list of user rids that are the members of the
604 /* This call can take a long time - allow the server to time out.
605 35 seconds should do it. */
607 orig_timeout
= rpccli_set_timeout(cli
, 35000);
609 status
= dcerpc_samr_QueryGroupMember(b
, mem_ctx
,
614 /* And restore our original timeout. */
615 rpccli_set_timeout(cli
, orig_timeout
);
619 dcerpc_samr_Close(b
, mem_ctx
, &group_pol
, &_result
);
622 if (any_nt_status_not_ok(status
, result
, &status
)) {
626 if (!rids
|| !rids
->count
) {
633 *num_names
= rids
->count
;
634 rid_mem
= rids
->rids
;
636 /* Step #2: Convert list of rids into list of usernames. Do this
637 in bunches of ~1000 to avoid crashing NT4. It looks like there
638 is a buffer overflow or something like that lurking around
641 #define MAX_LOOKUP_RIDS 900
643 *names
= talloc_zero_array(mem_ctx
, char *, *num_names
);
644 *name_types
= talloc_zero_array(mem_ctx
, uint32_t, *num_names
);
645 *sid_mem
= talloc_zero_array(mem_ctx
, struct dom_sid
, *num_names
);
647 for (j
=0;j
<(*num_names
);j
++)
648 sid_compose(&(*sid_mem
)[j
], &domain
->sid
, rid_mem
[j
]);
650 if (*num_names
>0 && (!*names
|| !*name_types
))
651 return NT_STATUS_NO_MEMORY
;
653 for (i
= 0; i
< *num_names
; i
+= MAX_LOOKUP_RIDS
) {
654 int num_lookup_rids
= MIN(*num_names
- i
, MAX_LOOKUP_RIDS
);
655 struct lsa_Strings tmp_names
;
656 struct samr_Ids tmp_types
;
658 /* Lookup a chunk of rids */
660 status
= dcerpc_samr_LookupRids(b
, mem_ctx
,
667 if (!NT_STATUS_IS_OK(status
)) {
671 /* see if we have a real error (and yes the
672 STATUS_SOME_UNMAPPED is the one returned from 2k) */
674 if (!NT_STATUS_IS_OK(result
) &&
675 !NT_STATUS_EQUAL(result
, STATUS_SOME_UNMAPPED
))
678 /* Copy result into array. The talloc system will take
679 care of freeing the temporary arrays later on. */
681 if (tmp_names
.count
!= num_lookup_rids
) {
682 return NT_STATUS_INVALID_NETWORK_RESPONSE
;
684 if (tmp_types
.count
!= num_lookup_rids
) {
685 return NT_STATUS_INVALID_NETWORK_RESPONSE
;
688 for (r
=0; r
<tmp_names
.count
; r
++) {
689 if (tmp_types
.ids
[r
] == SID_NAME_UNKNOWN
) {
692 if (total_names
>= *num_names
) {
695 (*names
)[total_names
] = fill_domain_username_talloc(
696 mem_ctx
, domain
->name
,
697 tmp_names
.names
[r
].string
, true);
698 (*name_types
)[total_names
] = tmp_types
.ids
[r
];
703 *num_names
= total_names
;
712 static int get_ldap_seq(const char *server
, struct sockaddr_storage
*ss
, int port
, uint32_t *seq
)
716 const char *attrs
[] = {"highestCommittedUSN", NULL
};
717 LDAPMessage
*res
= NULL
;
718 char **values
= NULL
;
721 *seq
= DOM_SEQUENCE_NONE
;
724 * Parameterised (5) second timeout on open. This is needed as the
725 * search timeout doesn't seem to apply to doing an open as well. JRA.
728 ldp
= ldap_open_with_timeout(server
, ss
, port
, lp_ldap_timeout());
732 /* Timeout if no response within 20 seconds. */
736 if (ldap_search_st(ldp
, "", LDAP_SCOPE_BASE
, "(objectclass=*)",
737 discard_const_p(char *, attrs
), 0, &to
, &res
))
740 if (ldap_count_entries(ldp
, res
) != 1)
743 values
= ldap_get_values(ldp
, res
, "highestCommittedUSN");
744 if (!values
|| !values
[0])
747 *seq
= atoi(values
[0]);
753 ldap_value_free(values
);
761 /**********************************************************************
762 Get the sequence number for a Windows AD native mode domain using
764 **********************************************************************/
766 static int get_ldap_sequence_number(struct winbindd_domain
*domain
, uint32_t *seq
)
769 char addr
[INET6_ADDRSTRLEN
];
771 print_sockaddr(addr
, sizeof(addr
), &domain
->dcaddr
);
772 if ((ret
= get_ldap_seq(addr
, &domain
->dcaddr
, LDAP_PORT
, seq
)) == 0) {
773 DEBUG(3, ("get_ldap_sequence_number: Retrieved sequence "
774 "number for Domain (%s) from DC (%s)\n",
775 domain
->name
, addr
));
780 #endif /* HAVE_LDAP */
782 /* find the sequence number for a domain */
783 static NTSTATUS
msrpc_sequence_number(struct winbindd_domain
*domain
,
786 struct rpc_pipe_client
*samr_pipe
;
787 struct policy_handle dom_pol
;
788 uint32_t seq
= DOM_SEQUENCE_NONE
;
792 DEBUG(3, ("msrpc_sequence_number: fetch sequence_number for %s\n", domain
->name
));
795 *pseq
= DOM_SEQUENCE_NONE
;
798 tmp_ctx
= talloc_stackframe();
799 if (tmp_ctx
== NULL
) {
800 return NT_STATUS_NO_MEMORY
;
803 if ( !winbindd_can_contact_domain( domain
) ) {
804 DEBUG(10,("sequence_number: No incoming trust for domain %s\n",
809 status
= NT_STATUS_OK
;
814 if (domain
->active_directory
) {
817 DEBUG(8,("using get_ldap_seq() to retrieve the "
818 "sequence number\n"));
820 rc
= get_ldap_sequence_number(domain
, &seq
);
822 DEBUG(10,("domain_sequence_number: LDAP for "
830 status
= NT_STATUS_OK
;
834 DEBUG(10,("domain_sequence_number: failed to get LDAP "
835 "sequence number for domain %s\n",
838 #endif /* HAVE_LDAP */
840 status
= cm_connect_sam(domain
, tmp_ctx
, false, &samr_pipe
, &dom_pol
);
841 if (!NT_STATUS_IS_OK(status
)) {
845 status
= rpc_sequence_number(tmp_ctx
,
850 if (!NT_STATUS_IS_OK(status
)) {
859 TALLOC_FREE(tmp_ctx
);
863 /* get a list of trusted domains */
864 static NTSTATUS
msrpc_trusted_domains(struct winbindd_domain
*domain
,
866 struct netr_DomainTrustList
*ptrust_list
)
868 struct rpc_pipe_client
*lsa_pipe
;
869 struct policy_handle lsa_policy
;
870 struct netr_DomainTrust
*trusts
= NULL
;
871 uint32_t num_trusts
= 0;
875 DEBUG(3,("msrpc_trusted_domains\n"));
878 ZERO_STRUCTP(ptrust_list
);
881 tmp_ctx
= talloc_stackframe();
882 if (tmp_ctx
== NULL
) {
883 return NT_STATUS_NO_MEMORY
;
886 status
= cm_connect_lsa(domain
, tmp_ctx
, &lsa_pipe
, &lsa_policy
);
887 if (!NT_STATUS_IS_OK(status
)) {
891 status
= rpc_trusted_domains(tmp_ctx
,
896 if (!NT_STATUS_IS_OK(status
)) {
901 ptrust_list
->count
= num_trusts
;
902 ptrust_list
->array
= talloc_move(mem_ctx
, &trusts
);
906 TALLOC_FREE(tmp_ctx
);
910 /* find the lockout policy for a domain */
911 static NTSTATUS
msrpc_lockout_policy(struct winbindd_domain
*domain
,
913 struct samr_DomInfo12
*lockout_policy
)
915 NTSTATUS status
, result
;
916 struct rpc_pipe_client
*cli
;
917 struct policy_handle dom_pol
;
918 union samr_DomainInfo
*info
= NULL
;
919 struct dcerpc_binding_handle
*b
;
921 DEBUG(3, ("msrpc_lockout_policy: fetch lockout policy for %s\n", domain
->name
));
923 if ( !winbindd_can_contact_domain( domain
) ) {
924 DEBUG(10,("msrpc_lockout_policy: No incoming trust for domain %s\n",
926 return NT_STATUS_NOT_SUPPORTED
;
929 status
= cm_connect_sam(domain
, mem_ctx
, false, &cli
, &dom_pol
);
930 if (!NT_STATUS_IS_OK(status
)) {
934 b
= cli
->binding_handle
;
936 status
= dcerpc_samr_QueryDomainInfo(b
, mem_ctx
,
938 DomainLockoutInformation
,
941 if (any_nt_status_not_ok(status
, result
, &status
)) {
945 *lockout_policy
= info
->info12
;
947 DEBUG(10,("msrpc_lockout_policy: lockout_threshold %d\n",
948 info
->info12
.lockout_threshold
));
955 /* find the password policy for a domain */
956 static NTSTATUS
msrpc_password_policy(struct winbindd_domain
*domain
,
958 struct samr_DomInfo1
*password_policy
)
960 NTSTATUS status
, result
;
961 struct rpc_pipe_client
*cli
;
962 struct policy_handle dom_pol
;
963 union samr_DomainInfo
*info
= NULL
;
964 struct dcerpc_binding_handle
*b
;
966 DEBUG(3, ("msrpc_password_policy: fetch password policy for %s\n",
969 if ( !winbindd_can_contact_domain( domain
) ) {
970 DEBUG(10,("msrpc_password_policy: No incoming trust for domain %s\n",
972 return NT_STATUS_NOT_SUPPORTED
;
975 status
= cm_connect_sam(domain
, mem_ctx
, false, &cli
, &dom_pol
);
976 if (!NT_STATUS_IS_OK(status
)) {
980 b
= cli
->binding_handle
;
982 status
= dcerpc_samr_QueryDomainInfo(b
, mem_ctx
,
984 DomainPasswordInformation
,
987 if (!NT_STATUS_IS_OK(status
)) {
990 if (!NT_STATUS_IS_OK(result
)) {
994 *password_policy
= info
->info1
;
996 DEBUG(10,("msrpc_password_policy: min_length_password %d\n",
997 info
->info1
.min_password_length
));
1004 static enum lsa_LookupNamesLevel
winbindd_lookup_level(
1005 struct winbindd_domain
*domain
)
1007 enum lsa_LookupNamesLevel level
= LSA_LOOKUP_NAMES_DOMAINS_ONLY
;
1009 if (domain
->internal
) {
1010 level
= LSA_LOOKUP_NAMES_ALL
;
1011 } else if (domain
->secure_channel_type
== SEC_CHAN_DNS_DOMAIN
) {
1012 if (domain
->domain_flags
& NETR_TRUST_FLAG_IN_FOREST
) {
1016 * Depending on what we want to resolve. We need to use:
1017 * 1. LsapLookupXForestReferral(5)/LSA_LOOKUP_NAMES_FOREST_TRUSTS_ONLY
1018 * if we want to pass the request into the direction of the forest
1019 * root domain. The forest root domain uses
1020 * LsapLookupXForestResolve(6)/LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2
1021 * when passing the request to trusted forests.
1022 * 2. LsapLookupGC(4)/LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY
1023 * if we're not a GC and want to resolve a name within our own forest.
1025 * As we don't support more than one domain in our own forest
1026 * and always try to be a GC for now, we just set
1027 * LSA_LOOKUP_NAMES_FOREST_TRUSTS_ONLY.
1029 level
= LSA_LOOKUP_NAMES_FOREST_TRUSTS_ONLY
;
1030 } else if (domain
->domain_trust_attribs
& LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE
) {
1032 * This is LsapLookupXForestResolve(6)/LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2
1034 level
= LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2
;
1037 * This is LsapLookupTDL(3)/LSA_LOOKUP_NAMES_PRIMARY_DOMAIN_ONLY
1039 level
= LSA_LOOKUP_NAMES_PRIMARY_DOMAIN_ONLY
;
1041 } else if (domain
->secure_channel_type
== SEC_CHAN_DOMAIN
) {
1043 * This is LsapLookupTDL(3)/LSA_LOOKUP_NAMES_PRIMARY_DOMAIN_ONLY
1045 level
= LSA_LOOKUP_NAMES_PRIMARY_DOMAIN_ONLY
;
1046 } else if (domain
->rodc
) {
1047 level
= LSA_LOOKUP_NAMES_RODC_REFERRAL_TO_FULL_DC
;
1050 * This is LsapLookupPDC(2)/LSA_LOOKUP_NAMES_DOMAINS_ONLY
1052 level
= LSA_LOOKUP_NAMES_DOMAINS_ONLY
;
1058 NTSTATUS
winbindd_lookup_sids(TALLOC_CTX
*mem_ctx
,
1059 struct winbindd_domain
*domain
,
1061 const struct dom_sid
*sids
,
1064 enum lsa_SidType
**types
)
1068 struct rpc_pipe_client
*cli
= NULL
;
1069 struct dcerpc_binding_handle
*b
= NULL
;
1070 struct policy_handle lsa_policy
;
1071 unsigned int orig_timeout
;
1072 bool use_lookupsids3
= false;
1073 bool retried
= false;
1074 enum lsa_LookupNamesLevel level
= LSA_LOOKUP_NAMES_ALL
;
1077 status
= cm_connect_lsat(domain
, mem_ctx
, &cli
, &lsa_policy
);
1078 if (!NT_STATUS_IS_OK(status
)) {
1082 b
= cli
->binding_handle
;
1084 if (cli
->transport
->transport
== NCACN_IP_TCP
) {
1085 use_lookupsids3
= true;
1088 level
= winbindd_lookup_level(domain
);
1091 * This call can take a long time
1092 * allow the server to time out.
1093 * 35 seconds should do it.
1095 orig_timeout
= dcerpc_binding_handle_set_timeout(b
, 35000);
1097 status
= dcerpc_lsa_lookup_sids_generic(b
,
1109 /* And restore our original timeout. */
1110 dcerpc_binding_handle_set_timeout(b
, orig_timeout
);
1112 if (NT_STATUS_EQUAL(status
, NT_STATUS_ACCESS_DENIED
) ||
1113 NT_STATUS_EQUAL(status
, NT_STATUS_RPC_SEC_PKG_ERROR
) ||
1114 NT_STATUS_EQUAL(status
, NT_STATUS_NETWORK_ACCESS_DENIED
)) {
1116 * This can happen if the schannel key is not
1117 * valid anymore, we need to invalidate the
1118 * all connections to the dc and reestablish
1119 * a netlogon connection first.
1121 invalidate_cm_connection(domain
);
1122 domain
->can_do_ncacn_ip_tcp
= domain
->active_directory
;
1127 status
= NT_STATUS_ACCESS_DENIED
;
1130 if (any_nt_status_not_ok(status
, result
, &status
)) {
1134 return NT_STATUS_OK
;
1137 static NTSTATUS
winbindd_lookup_names(TALLOC_CTX
*mem_ctx
,
1138 struct winbindd_domain
*domain
,
1141 const char ***domains
,
1142 struct dom_sid
**sids
,
1143 enum lsa_SidType
**types
)
1147 struct rpc_pipe_client
*cli
= NULL
;
1148 struct dcerpc_binding_handle
*b
= NULL
;
1149 struct policy_handle lsa_policy
;
1150 unsigned int orig_timeout
= 0;
1151 bool use_lookupnames4
= false;
1152 bool retried
= false;
1153 enum lsa_LookupNamesLevel level
= LSA_LOOKUP_NAMES_ALL
;
1156 status
= cm_connect_lsat(domain
, mem_ctx
, &cli
, &lsa_policy
);
1157 if (!NT_STATUS_IS_OK(status
)) {
1161 b
= cli
->binding_handle
;
1163 if (cli
->transport
->transport
== NCACN_IP_TCP
) {
1164 use_lookupnames4
= true;
1167 level
= winbindd_lookup_level(domain
);
1170 * This call can take a long time
1171 * allow the server to time out.
1172 * 35 seconds should do it.
1174 orig_timeout
= dcerpc_binding_handle_set_timeout(b
, 35000);
1176 status
= dcerpc_lsa_lookup_names_generic(b
,
1180 (const char **) names
,
1188 /* And restore our original timeout. */
1189 dcerpc_binding_handle_set_timeout(b
, orig_timeout
);
1191 if (NT_STATUS_EQUAL(status
, NT_STATUS_ACCESS_DENIED
) ||
1192 NT_STATUS_EQUAL(status
, NT_STATUS_RPC_SEC_PKG_ERROR
) ||
1193 NT_STATUS_EQUAL(status
, NT_STATUS_NETWORK_ACCESS_DENIED
)) {
1195 * This can happen if the schannel key is not
1196 * valid anymore, we need to invalidate the
1197 * all connections to the dc and reestablish
1198 * a netlogon connection first.
1200 invalidate_cm_connection(domain
);
1205 status
= NT_STATUS_ACCESS_DENIED
;
1208 if (any_nt_status_not_ok(status
, result
, &status
)) {
1212 return NT_STATUS_OK
;
1215 /* the rpc backend methods are exposed via this structure */
1216 struct winbindd_methods msrpc_methods
= {
1218 msrpc_query_user_list
,
1219 msrpc_enum_dom_groups
,
1220 msrpc_enum_local_groups
,
1223 msrpc_rids_to_names
,
1224 msrpc_lookup_usergroups
,
1225 msrpc_lookup_useraliases
,
1226 msrpc_lookup_groupmem
,
1227 msrpc_sequence_number
,
1228 msrpc_lockout_policy
,
1229 msrpc_password_policy
,
1230 msrpc_trusted_domains
,