selftest: mark samba3.smb2.durable-open reopen tests knownfail
[Samba.git] / source3 / winbindd / winbindd_ads.c
blob610db7a62b62e66a61f6056ab01988157297bc66
1 /*
2 Unix SMB/CIFS implementation.
4 Winbind ADS backend functions
6 Copyright (C) Andrew Tridgell 2001
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003
8 Copyright (C) Gerald (Jerry) Carter 2004
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 #include "includes.h"
25 #include "winbindd.h"
26 #include "rpc_client/rpc_client.h"
27 #include "../librpc/gen_ndr/ndr_netlogon_c.h"
28 #include "../libds/common/flags.h"
29 #include "ads.h"
30 #include "secrets.h"
31 #include "../libcli/ldap/ldap_ndr.h"
32 #include "../libcli/security/security.h"
33 #include "../libds/common/flag_mapping.h"
34 #include "passdb.h"
36 #ifdef HAVE_ADS
38 #undef DBGC_CLASS
39 #define DBGC_CLASS DBGC_WINBIND
41 extern struct winbindd_methods reconnect_methods;
44 return our ads connections structure for a domain. We keep the connection
45 open to make things faster
47 static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain)
49 ADS_STRUCT *ads;
50 ADS_STATUS status;
51 fstring dc_name;
52 struct sockaddr_storage dc_ss;
54 DEBUG(10,("ads_cached_connection\n"));
56 if (domain->private_data) {
58 time_t expire;
59 time_t now = time(NULL);
61 /* check for a valid structure */
62 ads = (ADS_STRUCT *)domain->private_data;
64 expire = MIN(ads->auth.tgt_expire, ads->auth.tgs_expire);
66 DEBUG(7, ("Current tickets expire in %d seconds (at %d, time is now %d)\n",
67 (uint32)expire-(uint32)now, (uint32) expire, (uint32) now));
69 if ( ads->config.realm && (expire > now)) {
70 return ads;
71 } else {
72 /* we own this ADS_STRUCT so make sure it goes away */
73 DEBUG(7,("Deleting expired krb5 credential cache\n"));
74 ads->is_mine = True;
75 ads_destroy( &ads );
76 ads_kdestroy("MEMORY:winbind_ccache");
77 domain->private_data = NULL;
81 /* we don't want this to affect the users ccache */
82 setenv("KRB5CCNAME", "MEMORY:winbind_ccache", 1);
84 ads = ads_init(domain->alt_name, domain->name, NULL);
85 if (!ads) {
86 DEBUG(1,("ads_init for domain %s failed\n", domain->name));
87 return NULL;
90 /* the machine acct password might have change - fetch it every time */
92 SAFE_FREE(ads->auth.password);
93 SAFE_FREE(ads->auth.realm);
95 if ( IS_DC ) {
97 if ( !pdb_get_trusteddom_pw( domain->name, &ads->auth.password, NULL, NULL ) ) {
98 ads_destroy( &ads );
99 return NULL;
101 ads->auth.realm = SMB_STRDUP( ads->server.realm );
102 strupper_m( ads->auth.realm );
104 else {
105 struct winbindd_domain *our_domain = domain;
107 ads->auth.password = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
109 /* always give preference to the alt_name in our
110 primary domain if possible */
112 if ( !domain->primary )
113 our_domain = find_our_domain();
115 if ( our_domain->alt_name[0] != '\0' ) {
116 ads->auth.realm = SMB_STRDUP( our_domain->alt_name );
117 strupper_m( ads->auth.realm );
119 else
120 ads->auth.realm = SMB_STRDUP( lp_realm() );
123 ads->auth.renewable = WINBINDD_PAM_AUTH_KRB5_RENEW_TIME;
125 /* Setup the server affinity cache. We don't reaally care
126 about the name. Just setup affinity and the KRB5_CONFIG
127 file. */
129 get_dc_name( ads->server.workgroup, ads->server.realm, dc_name, &dc_ss );
131 status = ads_connect(ads);
132 if (!ADS_ERR_OK(status) || !ads->config.realm) {
133 DEBUG(1,("ads_connect for domain %s failed: %s\n",
134 domain->name, ads_errstr(status)));
135 ads_destroy(&ads);
137 /* if we get ECONNREFUSED then it might be a NT4
138 server, fall back to MSRPC */
139 if (status.error_type == ENUM_ADS_ERROR_SYSTEM &&
140 status.err.rc == ECONNREFUSED) {
141 /* 'reconnect_methods' is the MS-RPC backend. */
142 DEBUG(1,("Trying MSRPC methods\n"));
143 domain->backend = &reconnect_methods;
145 return NULL;
148 /* set the flag that says we don't own the memory even
149 though we do so that ads_destroy() won't destroy the
150 structure we pass back by reference */
152 ads->is_mine = False;
154 domain->private_data = (void *)ads;
155 return ads;
159 /* Query display info for a realm. This is the basic user list fn */
160 static NTSTATUS query_user_list(struct winbindd_domain *domain,
161 TALLOC_CTX *mem_ctx,
162 uint32 *num_entries,
163 struct wbint_userinfo **pinfo)
165 ADS_STRUCT *ads = NULL;
166 const char *attrs[] = { "*", NULL };
167 int i, count;
168 ADS_STATUS rc;
169 LDAPMessage *res = NULL;
170 LDAPMessage *msg = NULL;
171 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
173 *num_entries = 0;
175 DEBUG(3,("ads: query_user_list\n"));
177 if ( !winbindd_can_contact_domain( domain ) ) {
178 DEBUG(10,("query_user_list: No incoming trust for domain %s\n",
179 domain->name));
180 return NT_STATUS_OK;
183 ads = ads_cached_connection(domain);
185 if (!ads) {
186 domain->last_status = NT_STATUS_SERVER_DISABLED;
187 goto done;
190 rc = ads_search_retry(ads, &res, "(objectCategory=user)", attrs);
191 if (!ADS_ERR_OK(rc) || !res) {
192 DEBUG(1,("query_user_list ads_search: %s\n", ads_errstr(rc)));
193 goto done;
196 count = ads_count_replies(ads, res);
197 if (count == 0) {
198 DEBUG(1,("query_user_list: No users found\n"));
199 goto done;
202 (*pinfo) = talloc_zero_array(mem_ctx, struct wbint_userinfo, count);
203 if (!*pinfo) {
204 status = NT_STATUS_NO_MEMORY;
205 goto done;
208 count = 0;
210 for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
211 struct wbint_userinfo *info = &((*pinfo)[count]);
212 uint32 group;
213 uint32 atype;
215 if (!ads_pull_uint32(ads, msg, "sAMAccountType", &atype) ||
216 ds_atype_map(atype) != SID_NAME_USER) {
217 DEBUG(1,("Not a user account? atype=0x%x\n", atype));
218 continue;
221 info->acct_name = ads_pull_username(ads, mem_ctx, msg);
222 info->full_name = ads_pull_string(ads, mem_ctx, msg, "name");
223 info->homedir = NULL;
224 info->shell = NULL;
225 info->primary_gid = (gid_t)-1;
227 if (!ads_pull_sid(ads, msg, "objectSid",
228 &info->user_sid)) {
229 DEBUG(1, ("No sid for %s !?\n", info->acct_name));
230 continue;
233 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &group)) {
234 DEBUG(1, ("No primary group for %s !?\n",
235 info->acct_name));
236 continue;
238 sid_compose(&info->group_sid, &domain->sid, group);
240 count += 1;
243 (*num_entries) = count;
244 ads_msgfree(ads, res);
246 for (i=0; i<count; i++) {
247 struct wbint_userinfo *info = &((*pinfo)[i]);
248 const char *gecos = NULL;
249 gid_t primary_gid = (gid_t)-1;
251 status = nss_get_info_cached(domain, &info->user_sid, mem_ctx,
252 &info->homedir, &info->shell,
253 &gecos, &primary_gid);
254 if (!NT_STATUS_IS_OK(status)) {
256 * Deliberately ignore this error, there might be more
257 * users to fill
259 continue;
262 if (gecos != NULL) {
263 info->full_name = gecos;
265 info->primary_gid = primary_gid;
268 status = NT_STATUS_OK;
270 DEBUG(3,("ads query_user_list gave %d entries\n", (*num_entries)));
272 done:
273 return status;
276 /* list all domain groups */
277 static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
278 TALLOC_CTX *mem_ctx,
279 uint32 *num_entries,
280 struct wb_acct_info **info)
282 ADS_STRUCT *ads = NULL;
283 const char *attrs[] = {"userPrincipalName", "sAMAccountName",
284 "name", "objectSid", NULL};
285 int i, count;
286 ADS_STATUS rc;
287 LDAPMessage *res = NULL;
288 LDAPMessage *msg = NULL;
289 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
290 const char *filter;
291 bool enum_dom_local_groups = False;
293 *num_entries = 0;
295 DEBUG(3,("ads: enum_dom_groups\n"));
297 if ( !winbindd_can_contact_domain( domain ) ) {
298 DEBUG(10,("enum_dom_groups: No incoming trust for domain %s\n",
299 domain->name));
300 return NT_STATUS_OK;
303 /* only grab domain local groups for our domain */
304 if ( domain->active_directory && strequal(lp_realm(), domain->alt_name) ) {
305 enum_dom_local_groups = True;
308 /* Workaround ADS LDAP bug present in MS W2K3 SP0 and W2K SP4 w/o
309 * rollup-fixes:
311 * According to Section 5.1(4) of RFC 2251 if a value of a type is it's
312 * default value, it MUST be absent. In case of extensible matching the
313 * "dnattr" boolean defaults to FALSE and so it must be only be present
314 * when set to TRUE.
316 * When it is set to FALSE and the OpenLDAP lib (correctly) encodes a
317 * filter using bitwise matching rule then the buggy AD fails to decode
318 * the extensible match. As a workaround set it to TRUE and thereby add
319 * the dnAttributes "dn" field to cope with those older AD versions.
320 * It should not harm and won't put any additional load on the AD since
321 * none of the dn components have a bitmask-attribute.
323 * Thanks to Ralf Haferkamp for input and testing - Guenther */
325 filter = talloc_asprintf(mem_ctx, "(&(objectCategory=group)(&(groupType:dn:%s:=%d)(!(groupType:dn:%s:=%d))))",
326 ADS_LDAP_MATCHING_RULE_BIT_AND, GROUP_TYPE_SECURITY_ENABLED,
327 ADS_LDAP_MATCHING_RULE_BIT_AND,
328 enum_dom_local_groups ? GROUP_TYPE_BUILTIN_LOCAL_GROUP : GROUP_TYPE_RESOURCE_GROUP);
330 if (filter == NULL) {
331 status = NT_STATUS_NO_MEMORY;
332 goto done;
335 ads = ads_cached_connection(domain);
337 if (!ads) {
338 domain->last_status = NT_STATUS_SERVER_DISABLED;
339 goto done;
342 rc = ads_search_retry(ads, &res, filter, attrs);
343 if (!ADS_ERR_OK(rc) || !res) {
344 DEBUG(1,("enum_dom_groups ads_search: %s\n", ads_errstr(rc)));
345 goto done;
348 count = ads_count_replies(ads, res);
349 if (count == 0) {
350 DEBUG(1,("enum_dom_groups: No groups found\n"));
351 goto done;
354 (*info) = talloc_zero_array(mem_ctx, struct wb_acct_info, count);
355 if (!*info) {
356 status = NT_STATUS_NO_MEMORY;
357 goto done;
360 i = 0;
362 for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
363 char *name, *gecos;
364 struct dom_sid sid;
365 uint32 rid;
367 name = ads_pull_username(ads, mem_ctx, msg);
368 gecos = ads_pull_string(ads, mem_ctx, msg, "name");
369 if (!ads_pull_sid(ads, msg, "objectSid", &sid)) {
370 DEBUG(1,("No sid for %s !?\n", name));
371 continue;
374 if (!sid_peek_check_rid(&domain->sid, &sid, &rid)) {
375 DEBUG(1,("No rid for %s !?\n", name));
376 continue;
379 fstrcpy((*info)[i].acct_name, name);
380 fstrcpy((*info)[i].acct_desc, gecos);
381 (*info)[i].rid = rid;
382 i++;
385 (*num_entries) = i;
387 status = NT_STATUS_OK;
389 DEBUG(3,("ads enum_dom_groups gave %d entries\n", (*num_entries)));
391 done:
392 if (res)
393 ads_msgfree(ads, res);
395 return status;
398 /* list all domain local groups */
399 static NTSTATUS enum_local_groups(struct winbindd_domain *domain,
400 TALLOC_CTX *mem_ctx,
401 uint32 *num_entries,
402 struct wb_acct_info **info)
405 * This is a stub function only as we returned the domain
406 * local groups in enum_dom_groups() if the domain->native field
407 * was true. This is a simple performance optimization when
408 * using LDAP.
410 * if we ever need to enumerate domain local groups separately,
411 * then this optimization in enum_dom_groups() will need
412 * to be split out
414 *num_entries = 0;
416 return NT_STATUS_OK;
419 /* convert a single name to a sid in a domain - use rpc methods */
420 static NTSTATUS name_to_sid(struct winbindd_domain *domain,
421 TALLOC_CTX *mem_ctx,
422 const char *domain_name,
423 const char *name,
424 uint32_t flags,
425 struct dom_sid *sid,
426 enum lsa_SidType *type)
428 return reconnect_methods.name_to_sid(domain, mem_ctx,
429 domain_name, name, flags,
430 sid, type);
433 /* convert a domain SID to a user or group name - use rpc methods */
434 static NTSTATUS sid_to_name(struct winbindd_domain *domain,
435 TALLOC_CTX *mem_ctx,
436 const struct dom_sid *sid,
437 char **domain_name,
438 char **name,
439 enum lsa_SidType *type)
441 return reconnect_methods.sid_to_name(domain, mem_ctx, sid,
442 domain_name, name, type);
445 /* convert a list of rids to names - use rpc methods */
446 static NTSTATUS rids_to_names(struct winbindd_domain *domain,
447 TALLOC_CTX *mem_ctx,
448 const struct dom_sid *sid,
449 uint32 *rids,
450 size_t num_rids,
451 char **domain_name,
452 char ***names,
453 enum lsa_SidType **types)
455 return reconnect_methods.rids_to_names(domain, mem_ctx, sid,
456 rids, num_rids,
457 domain_name, names, types);
460 /* If you are looking for "dn_lookup": Yes, it used to be here!
461 * It has gone now since it was a major speed bottleneck in
462 * lookup_groupmem (its only use). It has been replaced by
463 * an rpc lookup sids call... R.I.P. */
465 /* Lookup user information from a rid */
466 static NTSTATUS query_user(struct winbindd_domain *domain,
467 TALLOC_CTX *mem_ctx,
468 const struct dom_sid *sid,
469 struct wbint_userinfo *info)
471 ADS_STRUCT *ads = NULL;
472 const char *attrs[] = { "*", NULL };
473 ADS_STATUS rc;
474 int count;
475 LDAPMessage *msg = NULL;
476 char *ldap_exp;
477 char *sidstr;
478 uint32 group_rid;
479 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
480 struct netr_SamInfo3 *user = NULL;
481 gid_t gid = -1;
482 int ret;
483 char *ads_name;
485 DEBUG(3,("ads: query_user\n"));
487 info->homedir = NULL;
488 info->shell = NULL;
490 /* try netsamlogon cache first */
492 if (winbindd_use_cache() && (user = netsamlogon_cache_get( mem_ctx, sid )) != NULL )
494 DEBUG(5,("query_user: Cache lookup succeeded for %s\n",
495 sid_string_dbg(sid)));
497 sid_compose(&info->user_sid, &domain->sid, user->base.rid);
498 sid_compose(&info->group_sid, &domain->sid, user->base.primary_gid);
500 info->acct_name = talloc_strdup(mem_ctx, user->base.account_name.string);
501 info->full_name = talloc_strdup(mem_ctx, user->base.full_name.string);
503 nss_get_info_cached( domain, sid, mem_ctx,
504 &info->homedir, &info->shell, &info->full_name,
505 &gid );
506 info->primary_gid = gid;
508 TALLOC_FREE(user);
510 return NT_STATUS_OK;
513 if ( !winbindd_can_contact_domain(domain)) {
514 DEBUG(8,("query_user: No incoming trust from domain %s\n",
515 domain->name));
517 /* We still need to generate some basic information
518 about the user even if we cannot contact the
519 domain. Most of this stuff we can deduce. */
521 sid_copy( &info->user_sid, sid );
523 /* Assume "Domain Users" for the primary group */
525 sid_compose(&info->group_sid, &domain->sid, DOMAIN_RID_USERS );
527 /* Try to fill in what the nss_info backend can do */
529 nss_get_info_cached( domain, sid, mem_ctx,
530 &info->homedir, &info->shell, &info->full_name,
531 &gid);
532 info->primary_gid = gid;
534 return NT_STATUS_OK;
537 /* no cache...do the query */
539 if ( (ads = ads_cached_connection(domain)) == NULL ) {
540 domain->last_status = NT_STATUS_SERVER_DISABLED;
541 return NT_STATUS_SERVER_DISABLED;
544 sidstr = ldap_encode_ndr_dom_sid(talloc_tos(), sid);
546 ret = asprintf(&ldap_exp, "(objectSid=%s)", sidstr);
547 TALLOC_FREE(sidstr);
548 if (ret == -1) {
549 return NT_STATUS_NO_MEMORY;
551 rc = ads_search_retry(ads, &msg, ldap_exp, attrs);
552 SAFE_FREE(ldap_exp);
553 if (!ADS_ERR_OK(rc) || !msg) {
554 DEBUG(1,("query_user(sid=%s) ads_search: %s\n",
555 sid_string_dbg(sid), ads_errstr(rc)));
556 return ads_ntstatus(rc);
559 count = ads_count_replies(ads, msg);
560 if (count != 1) {
561 DEBUG(1,("query_user(sid=%s): Not found\n",
562 sid_string_dbg(sid)));
563 ads_msgfree(ads, msg);
564 return NT_STATUS_NO_SUCH_USER;
567 info->acct_name = ads_pull_username(ads, mem_ctx, msg);
569 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &group_rid)) {
570 DEBUG(1,("No primary group for %s !?\n",
571 sid_string_dbg(sid)));
572 ads_msgfree(ads, msg);
573 return NT_STATUS_NO_SUCH_USER;
575 sid_copy(&info->user_sid, sid);
576 sid_compose(&info->group_sid, &domain->sid, group_rid);
579 * We have to fetch the "name" attribute before doing the
580 * nss_get_info_cached call. nss_get_info_cached might destroy
581 * the ads struct, potentially invalidating the ldap message.
583 ads_name = ads_pull_string(ads, mem_ctx, msg, "name");
585 ads_msgfree(ads, msg);
586 msg = NULL;
588 status = nss_get_info_cached( domain, sid, mem_ctx,
589 &info->homedir, &info->shell, &info->full_name,
590 &gid);
591 info->primary_gid = gid;
592 if (!NT_STATUS_IS_OK(status)) {
593 DEBUG(1, ("nss_get_info_cached failed: %s\n",
594 nt_errstr(status)));
595 return status;
598 if (info->full_name == NULL) {
599 info->full_name = ads_name;
600 } else {
601 TALLOC_FREE(ads_name);
604 status = NT_STATUS_OK;
606 DEBUG(3,("ads query_user gave %s\n", info->acct_name));
607 return NT_STATUS_OK;
610 /* Lookup groups a user is a member of - alternate method, for when
611 tokenGroups are not available. */
612 static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain,
613 TALLOC_CTX *mem_ctx,
614 const char *user_dn,
615 struct dom_sid *primary_group,
616 uint32_t *p_num_groups, struct dom_sid **user_sids)
618 ADS_STATUS rc;
619 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
620 int count;
621 LDAPMessage *res = NULL;
622 LDAPMessage *msg = NULL;
623 char *ldap_exp;
624 ADS_STRUCT *ads;
625 const char *group_attrs[] = {"objectSid", NULL};
626 char *escaped_dn;
627 uint32_t num_groups = 0;
629 DEBUG(3,("ads: lookup_usergroups_member\n"));
631 if ( !winbindd_can_contact_domain( domain ) ) {
632 DEBUG(10,("lookup_usergroups_members: No incoming trust for domain %s\n",
633 domain->name));
634 return NT_STATUS_OK;
637 ads = ads_cached_connection(domain);
639 if (!ads) {
640 domain->last_status = NT_STATUS_SERVER_DISABLED;
641 goto done;
644 if (!(escaped_dn = escape_ldap_string(talloc_tos(), user_dn))) {
645 status = NT_STATUS_NO_MEMORY;
646 goto done;
649 ldap_exp = talloc_asprintf(mem_ctx,
650 "(&(member=%s)(objectCategory=group)(groupType:dn:%s:=%d))",
651 escaped_dn,
652 ADS_LDAP_MATCHING_RULE_BIT_AND,
653 GROUP_TYPE_SECURITY_ENABLED);
654 if (!ldap_exp) {
655 DEBUG(1,("lookup_usergroups(dn=%s) asprintf failed!\n", user_dn));
656 TALLOC_FREE(escaped_dn);
657 status = NT_STATUS_NO_MEMORY;
658 goto done;
661 TALLOC_FREE(escaped_dn);
663 rc = ads_search_retry(ads, &res, ldap_exp, group_attrs);
665 if (!ADS_ERR_OK(rc) || !res) {
666 DEBUG(1,("lookup_usergroups ads_search member=%s: %s\n", user_dn, ads_errstr(rc)));
667 return ads_ntstatus(rc);
670 count = ads_count_replies(ads, res);
672 *user_sids = NULL;
673 num_groups = 0;
675 /* always add the primary group to the sid array */
676 status = add_sid_to_array(mem_ctx, primary_group, user_sids,
677 &num_groups);
678 if (!NT_STATUS_IS_OK(status)) {
679 goto done;
682 if (count > 0) {
683 for (msg = ads_first_entry(ads, res); msg;
684 msg = ads_next_entry(ads, msg)) {
685 struct dom_sid group_sid;
687 if (!ads_pull_sid(ads, msg, "objectSid", &group_sid)) {
688 DEBUG(1,("No sid for this group ?!?\n"));
689 continue;
692 /* ignore Builtin groups from ADS - Guenther */
693 if (sid_check_is_in_builtin(&group_sid)) {
694 continue;
697 status = add_sid_to_array(mem_ctx, &group_sid,
698 user_sids, &num_groups);
699 if (!NT_STATUS_IS_OK(status)) {
700 goto done;
706 *p_num_groups = num_groups;
707 status = (user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
709 DEBUG(3,("ads lookup_usergroups (member) succeeded for dn=%s\n", user_dn));
710 done:
711 if (res)
712 ads_msgfree(ads, res);
714 return status;
717 /* Lookup groups a user is a member of - alternate method, for when
718 tokenGroups are not available. */
719 static NTSTATUS lookup_usergroups_memberof(struct winbindd_domain *domain,
720 TALLOC_CTX *mem_ctx,
721 const char *user_dn,
722 struct dom_sid *primary_group,
723 uint32_t *p_num_groups,
724 struct dom_sid **user_sids)
726 ADS_STATUS rc;
727 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
728 ADS_STRUCT *ads;
729 const char *attrs[] = {"memberOf", NULL};
730 uint32_t num_groups = 0;
731 struct dom_sid *group_sids = NULL;
732 int i;
733 char **strings = NULL;
734 size_t num_strings = 0, num_sids = 0;
737 DEBUG(3,("ads: lookup_usergroups_memberof\n"));
739 if ( !winbindd_can_contact_domain( domain ) ) {
740 DEBUG(10,("lookup_usergroups_memberof: No incoming trust for "
741 "domain %s\n", domain->name));
742 return NT_STATUS_OK;
745 ads = ads_cached_connection(domain);
747 if (!ads) {
748 domain->last_status = NT_STATUS_SERVER_DISABLED;
749 return NT_STATUS_UNSUCCESSFUL;
752 rc = ads_search_retry_extended_dn_ranged(ads, mem_ctx, user_dn, attrs,
753 ADS_EXTENDED_DN_HEX_STRING,
754 &strings, &num_strings);
756 if (!ADS_ERR_OK(rc)) {
757 DEBUG(1,("lookup_usergroups_memberof ads_search "
758 "member=%s: %s\n", user_dn, ads_errstr(rc)));
759 return ads_ntstatus(rc);
762 *user_sids = NULL;
763 num_groups = 0;
765 /* always add the primary group to the sid array */
766 status = add_sid_to_array(mem_ctx, primary_group, user_sids,
767 &num_groups);
768 if (!NT_STATUS_IS_OK(status)) {
769 goto done;
772 group_sids = talloc_zero_array(mem_ctx, struct dom_sid, num_strings + 1);
773 if (!group_sids) {
774 status = NT_STATUS_NO_MEMORY;
775 goto done;
778 for (i=0; i<num_strings; i++) {
779 rc = ads_get_sid_from_extended_dn(mem_ctx, strings[i],
780 ADS_EXTENDED_DN_HEX_STRING,
781 &(group_sids)[i]);
782 if (!ADS_ERR_OK(rc)) {
783 /* ignore members without SIDs */
784 if (NT_STATUS_EQUAL(ads_ntstatus(rc),
785 NT_STATUS_NOT_FOUND)) {
786 continue;
788 else {
789 status = ads_ntstatus(rc);
790 goto done;
793 num_sids++;
796 if (i == 0) {
797 DEBUG(1,("No memberOf for this user?!?\n"));
798 status = NT_STATUS_NO_MEMORY;
799 goto done;
802 for (i=0; i<num_sids; i++) {
804 /* ignore Builtin groups from ADS - Guenther */
805 if (sid_check_is_in_builtin(&group_sids[i])) {
806 continue;
809 status = add_sid_to_array(mem_ctx, &group_sids[i], user_sids,
810 &num_groups);
811 if (!NT_STATUS_IS_OK(status)) {
812 goto done;
817 *p_num_groups = num_groups;
818 status = (*user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
820 DEBUG(3,("ads lookup_usergroups (memberof) succeeded for dn=%s\n",
821 user_dn));
823 done:
824 TALLOC_FREE(strings);
825 TALLOC_FREE(group_sids);
827 return status;
831 /* Lookup groups a user is a member of. */
832 static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
833 TALLOC_CTX *mem_ctx,
834 const struct dom_sid *sid,
835 uint32 *p_num_groups, struct dom_sid **user_sids)
837 ADS_STRUCT *ads = NULL;
838 const char *attrs[] = {"tokenGroups", "primaryGroupID", NULL};
839 ADS_STATUS rc;
840 int count;
841 LDAPMessage *msg = NULL;
842 char *user_dn = NULL;
843 struct dom_sid *sids;
844 int i;
845 struct dom_sid primary_group;
846 uint32 primary_group_rid;
847 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
848 uint32_t num_groups = 0;
850 DEBUG(3,("ads: lookup_usergroups\n"));
851 *p_num_groups = 0;
853 status = lookup_usergroups_cached(domain, mem_ctx, sid,
854 p_num_groups, user_sids);
855 if (NT_STATUS_IS_OK(status)) {
856 return NT_STATUS_OK;
859 if ( !winbindd_can_contact_domain( domain ) ) {
860 DEBUG(10,("lookup_usergroups: No incoming trust for domain %s\n",
861 domain->name));
863 /* Tell the cache manager not to remember this one */
865 return NT_STATUS_SYNCHRONIZATION_REQUIRED;
868 ads = ads_cached_connection(domain);
870 if (!ads) {
871 domain->last_status = NT_STATUS_SERVER_DISABLED;
872 status = NT_STATUS_SERVER_DISABLED;
873 goto done;
876 rc = ads_search_retry_sid(ads, &msg, sid, attrs);
878 if (!ADS_ERR_OK(rc)) {
879 status = ads_ntstatus(rc);
880 DEBUG(1, ("lookup_usergroups(sid=%s) ads_search tokenGroups: "
881 "%s\n", sid_string_dbg(sid), ads_errstr(rc)));
882 goto done;
885 count = ads_count_replies(ads, msg);
886 if (count != 1) {
887 status = NT_STATUS_UNSUCCESSFUL;
888 DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: "
889 "invalid number of results (count=%d)\n",
890 sid_string_dbg(sid), count));
891 goto done;
894 if (!msg) {
895 DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: NULL msg\n",
896 sid_string_dbg(sid)));
897 status = NT_STATUS_UNSUCCESSFUL;
898 goto done;
901 user_dn = ads_get_dn(ads, mem_ctx, msg);
902 if (user_dn == NULL) {
903 status = NT_STATUS_NO_MEMORY;
904 goto done;
907 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &primary_group_rid)) {
908 DEBUG(1,("%s: No primary group for sid=%s !?\n",
909 domain->name, sid_string_dbg(sid)));
910 goto done;
913 sid_compose(&primary_group, &domain->sid, primary_group_rid);
915 count = ads_pull_sids(ads, mem_ctx, msg, "tokenGroups", &sids);
917 /* there must always be at least one group in the token,
918 unless we are talking to a buggy Win2k server */
920 /* actually this only happens when the machine account has no read
921 * permissions on the tokenGroup attribute - gd */
923 if (count == 0) {
925 /* no tokenGroups */
927 /* lookup what groups this user is a member of by DN search on
928 * "memberOf" */
930 status = lookup_usergroups_memberof(domain, mem_ctx, user_dn,
931 &primary_group,
932 &num_groups, user_sids);
933 *p_num_groups = num_groups;
934 if (NT_STATUS_IS_OK(status)) {
935 goto done;
938 /* lookup what groups this user is a member of by DN search on
939 * "member" */
941 status = lookup_usergroups_member(domain, mem_ctx, user_dn,
942 &primary_group,
943 &num_groups, user_sids);
944 *p_num_groups = num_groups;
945 goto done;
948 *user_sids = NULL;
949 num_groups = 0;
951 status = add_sid_to_array(mem_ctx, &primary_group, user_sids,
952 &num_groups);
953 if (!NT_STATUS_IS_OK(status)) {
954 goto done;
957 for (i=0;i<count;i++) {
959 /* ignore Builtin groups from ADS - Guenther */
960 if (sid_check_is_in_builtin(&sids[i])) {
961 continue;
964 status = add_sid_to_array_unique(mem_ctx, &sids[i],
965 user_sids, &num_groups);
966 if (!NT_STATUS_IS_OK(status)) {
967 goto done;
971 *p_num_groups = (uint32)num_groups;
972 status = (*user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
974 DEBUG(3,("ads lookup_usergroups (tokenGroups) succeeded for sid=%s\n",
975 sid_string_dbg(sid)));
976 done:
977 TALLOC_FREE(user_dn);
978 ads_msgfree(ads, msg);
979 return status;
982 /* Lookup aliases a user is member of - use rpc methods */
983 static NTSTATUS lookup_useraliases(struct winbindd_domain *domain,
984 TALLOC_CTX *mem_ctx,
985 uint32 num_sids, const struct dom_sid *sids,
986 uint32 *num_aliases, uint32 **alias_rids)
988 return reconnect_methods.lookup_useraliases(domain, mem_ctx,
989 num_sids, sids,
990 num_aliases,
991 alias_rids);
995 find the members of a group, given a group rid and domain
997 static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
998 TALLOC_CTX *mem_ctx,
999 const struct dom_sid *group_sid,
1000 enum lsa_SidType type,
1001 uint32 *num_names,
1002 struct dom_sid **sid_mem, char ***names,
1003 uint32 **name_types)
1005 ADS_STATUS rc;
1006 ADS_STRUCT *ads = NULL;
1007 char *ldap_exp;
1008 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
1009 char *sidbinstr;
1010 char **members = NULL;
1011 int i;
1012 size_t num_members = 0;
1013 ads_control args;
1014 struct dom_sid *sid_mem_nocache = NULL;
1015 char **names_nocache = NULL;
1016 enum lsa_SidType *name_types_nocache = NULL;
1017 char **domains_nocache = NULL; /* only needed for rpccli_lsa_lookup_sids */
1018 uint32 num_nocache = 0;
1019 TALLOC_CTX *tmp_ctx = NULL;
1021 DEBUG(10,("ads: lookup_groupmem %s sid=%s\n", domain->name,
1022 sid_string_dbg(group_sid)));
1024 *num_names = 0;
1026 tmp_ctx = talloc_new(mem_ctx);
1027 if (!tmp_ctx) {
1028 DEBUG(1, ("ads: lookup_groupmem: talloc failed\n"));
1029 status = NT_STATUS_NO_MEMORY;
1030 goto done;
1033 if ( !winbindd_can_contact_domain( domain ) ) {
1034 DEBUG(10,("lookup_groupmem: No incoming trust for domain %s\n",
1035 domain->name));
1036 return NT_STATUS_OK;
1039 ads = ads_cached_connection(domain);
1041 if (!ads) {
1042 domain->last_status = NT_STATUS_SERVER_DISABLED;
1043 goto done;
1046 if ((sidbinstr = ldap_encode_ndr_dom_sid(talloc_tos(), group_sid)) == NULL) {
1047 status = NT_STATUS_NO_MEMORY;
1048 goto done;
1051 /* search for all members of the group */
1052 ldap_exp = talloc_asprintf(tmp_ctx, "(objectSid=%s)", sidbinstr);
1053 TALLOC_FREE(sidbinstr);
1054 if (ldap_exp == NULL) {
1055 DEBUG(1, ("ads: lookup_groupmem: talloc_asprintf for ldap_exp failed!\n"));
1056 status = NT_STATUS_NO_MEMORY;
1057 goto done;
1060 args.control = ADS_EXTENDED_DN_OID;
1061 args.val = ADS_EXTENDED_DN_HEX_STRING;
1062 args.critical = True;
1064 rc = ads_ranged_search(ads, tmp_ctx, LDAP_SCOPE_SUBTREE, ads->config.bind_path,
1065 ldap_exp, &args, "member", &members, &num_members);
1067 if (!ADS_ERR_OK(rc)) {
1068 DEBUG(0,("ads_ranged_search failed with: %s\n", ads_errstr(rc)));
1069 status = NT_STATUS_UNSUCCESSFUL;
1070 goto done;
1073 DEBUG(10, ("ads lookup_groupmem: got %d sids via extended dn call\n", (int)num_members));
1075 /* Now that we have a list of sids, we need to get the
1076 * lists of names and name_types belonging to these sids.
1077 * even though conceptually not quite clean, we use the
1078 * RPC call lsa_lookup_sids for this since it can handle a
1079 * list of sids. ldap calls can just resolve one sid at a time.
1081 * At this stage, the sids are still hidden in the exetended dn
1082 * member output format. We actually do a little better than
1083 * stated above: In extracting the sids from the member strings,
1084 * we try to resolve as many sids as possible from the
1085 * cache. Only the rest is passed to the lsa_lookup_sids call. */
1087 if (num_members) {
1088 (*sid_mem) = talloc_zero_array(mem_ctx, struct dom_sid, num_members);
1089 (*names) = talloc_zero_array(mem_ctx, char *, num_members);
1090 (*name_types) = talloc_zero_array(mem_ctx, uint32, num_members);
1091 (sid_mem_nocache) = talloc_zero_array(tmp_ctx, struct dom_sid, num_members);
1093 if ((members == NULL) || (*sid_mem == NULL) ||
1094 (*names == NULL) || (*name_types == NULL) ||
1095 (sid_mem_nocache == NULL))
1097 DEBUG(1, ("ads: lookup_groupmem: talloc failed\n"));
1098 status = NT_STATUS_NO_MEMORY;
1099 goto done;
1102 else {
1103 (*sid_mem) = NULL;
1104 (*names) = NULL;
1105 (*name_types) = NULL;
1108 for (i=0; i<num_members; i++) {
1109 enum lsa_SidType name_type;
1110 char *name, *domain_name;
1111 struct dom_sid sid;
1113 rc = ads_get_sid_from_extended_dn(tmp_ctx, members[i], args.val,
1114 &sid);
1115 if (!ADS_ERR_OK(rc)) {
1116 if (NT_STATUS_EQUAL(ads_ntstatus(rc),
1117 NT_STATUS_NOT_FOUND)) {
1118 /* Group members can be objects, like Exchange
1119 * Public Folders, that don't have a SID. Skip
1120 * them. */
1121 continue;
1123 else {
1124 status = ads_ntstatus(rc);
1125 goto done;
1128 if (lookup_cached_sid(mem_ctx, &sid, &domain_name, &name,
1129 &name_type)) {
1130 DEBUG(10,("ads: lookup_groupmem: got sid %s from "
1131 "cache\n", sid_string_dbg(&sid)));
1132 sid_copy(&(*sid_mem)[*num_names], &sid);
1133 (*names)[*num_names] = fill_domain_username_talloc(
1134 *names,
1135 domain_name,
1136 name,
1137 true);
1139 (*name_types)[*num_names] = name_type;
1140 (*num_names)++;
1142 else {
1143 DEBUG(10, ("ads: lookup_groupmem: sid %s not found in "
1144 "cache\n", sid_string_dbg(&sid)));
1145 sid_copy(&(sid_mem_nocache)[num_nocache], &sid);
1146 num_nocache++;
1150 DEBUG(10, ("ads: lookup_groupmem: %d sids found in cache, "
1151 "%d left for lsa_lookupsids\n", *num_names, num_nocache));
1153 /* handle sids not resolved from cache by lsa_lookup_sids */
1154 if (num_nocache > 0) {
1156 status = winbindd_lookup_sids(tmp_ctx,
1157 domain,
1158 num_nocache,
1159 sid_mem_nocache,
1160 &domains_nocache,
1161 &names_nocache,
1162 &name_types_nocache);
1164 if (!(NT_STATUS_IS_OK(status) ||
1165 NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED) ||
1166 NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)))
1168 DEBUG(1, ("lsa_lookupsids call failed with %s "
1169 "- retrying...\n", nt_errstr(status)));
1171 status = winbindd_lookup_sids(tmp_ctx,
1172 domain,
1173 num_nocache,
1174 sid_mem_nocache,
1175 &domains_nocache,
1176 &names_nocache,
1177 &name_types_nocache);
1180 if (NT_STATUS_IS_OK(status) ||
1181 NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED))
1183 /* Copy the entries over from the "_nocache" arrays
1184 * to the result arrays, skipping the gaps the
1185 * lookup_sids call left. */
1186 for (i=0; i < num_nocache; i++) {
1187 if (((names_nocache)[i] != NULL) &&
1188 ((name_types_nocache)[i] != SID_NAME_UNKNOWN))
1190 sid_copy(&(*sid_mem)[*num_names],
1191 &sid_mem_nocache[i]);
1192 (*names)[*num_names] =
1193 fill_domain_username_talloc(
1194 *names,
1195 domains_nocache[i],
1196 names_nocache[i],
1197 true);
1198 (*name_types)[*num_names] = name_types_nocache[i];
1199 (*num_names)++;
1203 else if (NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)) {
1204 DEBUG(10, ("lookup_groupmem: lsa_lookup_sids could "
1205 "not map any SIDs at all.\n"));
1206 /* Don't handle this as an error here.
1207 * There is nothing left to do with respect to the
1208 * overall result... */
1210 else if (!NT_STATUS_IS_OK(status)) {
1211 DEBUG(10, ("lookup_groupmem: Error looking up %d "
1212 "sids via rpc_lsa_lookup_sids: %s\n",
1213 (int)num_members, nt_errstr(status)));
1214 goto done;
1218 status = NT_STATUS_OK;
1219 DEBUG(3,("ads lookup_groupmem for sid=%s succeeded\n",
1220 sid_string_dbg(group_sid)));
1222 done:
1224 TALLOC_FREE(tmp_ctx);
1226 return status;
1229 /* find the sequence number for a domain */
1230 static NTSTATUS sequence_number(struct winbindd_domain *domain, uint32 *seq)
1232 ADS_STRUCT *ads = NULL;
1233 ADS_STATUS rc;
1235 DEBUG(3,("ads: fetch sequence_number for %s\n", domain->name));
1237 if ( !winbindd_can_contact_domain( domain ) ) {
1238 DEBUG(10,("sequence: No incoming trust for domain %s\n",
1239 domain->name));
1240 *seq = time(NULL);
1241 return NT_STATUS_OK;
1244 *seq = DOM_SEQUENCE_NONE;
1246 ads = ads_cached_connection(domain);
1248 if (!ads) {
1249 domain->last_status = NT_STATUS_SERVER_DISABLED;
1250 return NT_STATUS_UNSUCCESSFUL;
1253 rc = ads_USN(ads, seq);
1255 if (!ADS_ERR_OK(rc)) {
1257 /* its a dead connection, destroy it */
1259 if (domain->private_data) {
1260 ads = (ADS_STRUCT *)domain->private_data;
1261 ads->is_mine = True;
1262 ads_destroy(&ads);
1263 ads_kdestroy("MEMORY:winbind_ccache");
1264 domain->private_data = NULL;
1267 return ads_ntstatus(rc);
1270 /* find the lockout policy of a domain - use rpc methods */
1271 static NTSTATUS lockout_policy(struct winbindd_domain *domain,
1272 TALLOC_CTX *mem_ctx,
1273 struct samr_DomInfo12 *policy)
1275 return reconnect_methods.lockout_policy(domain, mem_ctx, policy);
1278 /* find the password policy of a domain - use rpc methods */
1279 static NTSTATUS password_policy(struct winbindd_domain *domain,
1280 TALLOC_CTX *mem_ctx,
1281 struct samr_DomInfo1 *policy)
1283 return reconnect_methods.password_policy(domain, mem_ctx, policy);
1286 /* get a list of trusted domains */
1287 static NTSTATUS trusted_domains(struct winbindd_domain *domain,
1288 TALLOC_CTX *mem_ctx,
1289 struct netr_DomainTrustList *trusts)
1291 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1292 WERROR werr;
1293 int i;
1294 uint32 flags;
1295 struct rpc_pipe_client *cli;
1296 int ret_count;
1297 struct dcerpc_binding_handle *b;
1299 DEBUG(3,("ads: trusted_domains\n"));
1301 ZERO_STRUCTP(trusts);
1303 /* If this is our primary domain or a root in our forest,
1304 query for all trusts. If not, then just look for domain
1305 trusts in the target forest */
1307 if (domain->primary || domain_is_forest_root(domain)) {
1308 flags = NETR_TRUST_FLAG_OUTBOUND |
1309 NETR_TRUST_FLAG_INBOUND |
1310 NETR_TRUST_FLAG_IN_FOREST;
1311 } else {
1312 flags = NETR_TRUST_FLAG_IN_FOREST;
1315 result = cm_connect_netlogon(domain, &cli);
1317 if (!NT_STATUS_IS_OK(result)) {
1318 DEBUG(5, ("trusted_domains: Could not open a connection to %s "
1319 "for PIPE_NETLOGON (%s)\n",
1320 domain->name, nt_errstr(result)));
1321 return NT_STATUS_UNSUCCESSFUL;
1324 b = cli->binding_handle;
1326 result = dcerpc_netr_DsrEnumerateDomainTrusts(b, mem_ctx,
1327 cli->desthost,
1328 flags,
1329 trusts,
1330 &werr);
1331 if (!NT_STATUS_IS_OK(result)) {
1332 return result;
1335 if (!W_ERROR_IS_OK(werr)) {
1336 return werror_to_ntstatus(werr);
1338 if (trusts->count == 0) {
1339 return NT_STATUS_OK;
1342 /* Copy across names and sids */
1344 ret_count = 0;
1345 for (i = 0; i < trusts->count; i++) {
1346 struct netr_DomainTrust *trust = &trusts->array[i];
1347 struct winbindd_domain d;
1349 ZERO_STRUCT(d);
1352 * drop external trusts if this is not our primary
1353 * domain. This means that the returned number of
1354 * domains may be less that the ones actually trusted
1355 * by the DC.
1358 if ((trust->trust_attributes
1359 == NETR_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) &&
1360 !domain->primary )
1362 DEBUG(10,("trusted_domains: Skipping external trusted "
1363 "domain %s because it is outside of our "
1364 "primary domain\n",
1365 trust->netbios_name));
1366 continue;
1369 /* add to the trusted domain cache */
1371 fstrcpy(d.name, trust->netbios_name);
1372 fstrcpy(d.alt_name, trust->dns_name);
1373 if (trust->sid) {
1374 sid_copy(&d.sid, trust->sid);
1375 } else {
1376 sid_copy(&d.sid, &global_sid_NULL);
1379 if ( domain->primary ) {
1380 DEBUG(10,("trusted_domains(ads): Searching "
1381 "trusted domain list of %s and storing "
1382 "trust flags for domain %s\n",
1383 domain->name, d.alt_name));
1385 d.domain_flags = trust->trust_flags;
1386 d.domain_type = trust->trust_type;
1387 d.domain_trust_attribs = trust->trust_attributes;
1389 wcache_tdc_add_domain( &d );
1390 ret_count++;
1391 } else if (domain_is_forest_root(domain)) {
1392 /* Check if we already have this record. If
1393 * we are following our forest root that is not
1394 * our primary domain, we want to keep trust
1395 * flags from the perspective of our primary
1396 * domain not our forest root. */
1397 struct winbindd_tdc_domain *exist = NULL;
1399 exist = wcache_tdc_fetch_domain(
1400 talloc_tos(), trust->netbios_name);
1401 if (!exist) {
1402 DEBUG(10,("trusted_domains(ads): Searching "
1403 "trusted domain list of %s and "
1404 "storing trust flags for domain "
1405 "%s\n", domain->name, d.alt_name));
1406 d.domain_flags = trust->trust_flags;
1407 d.domain_type = trust->trust_type;
1408 d.domain_trust_attribs =
1409 trust->trust_attributes;
1411 wcache_tdc_add_domain( &d );
1412 ret_count++;
1414 TALLOC_FREE(exist);
1415 } else {
1416 /* This gets a little tricky. If we are
1417 following a transitive forest trust, then
1418 innerit the flags, type, and attribs from
1419 the domain we queried to make sure we don't
1420 record the view of the trust from the wrong
1421 side. Always view it from the side of our
1422 primary domain. --jerry */
1423 struct winbindd_tdc_domain *parent = NULL;
1425 DEBUG(10,("trusted_domains(ads): Searching "
1426 "trusted domain list of %s and inheriting "
1427 "trust flags for domain %s\n",
1428 domain->name, d.alt_name));
1430 parent = wcache_tdc_fetch_domain(talloc_tos(),
1431 domain->name);
1432 if (parent) {
1433 d.domain_flags = parent->trust_flags;
1434 d.domain_type = parent->trust_type;
1435 d.domain_trust_attribs = parent->trust_attribs;
1436 } else {
1437 d.domain_flags = domain->domain_flags;
1438 d.domain_type = domain->domain_type;
1439 d.domain_trust_attribs =
1440 domain->domain_trust_attribs;
1442 TALLOC_FREE(parent);
1444 wcache_tdc_add_domain( &d );
1445 ret_count++;
1448 return result;
1451 /* the ADS backend methods are exposed via this structure */
1452 struct winbindd_methods ads_methods = {
1453 True,
1454 query_user_list,
1455 enum_dom_groups,
1456 enum_local_groups,
1457 name_to_sid,
1458 sid_to_name,
1459 rids_to_names,
1460 query_user,
1461 lookup_usergroups,
1462 lookup_useraliases,
1463 lookup_groupmem,
1464 sequence_number,
1465 lockout_policy,
1466 password_policy,
1467 trusted_domains,
1470 #endif