search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
docs-xml: Fix rid idmap backend documentation
[Samba.git] / source3 / winbindd / idmap_ad.c
blob5c9fe07db95e36f06b86d2f500a4c3e385c82bbd
1 /*
2 * idmap_ad: map between Active Directory and RFC 2307 accounts
3 *
4 * Copyright (C) Volker Lendecke 2015
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
18 */
19
20 #include "includes.h"
21 #include "winbindd.h"
22 #include "libsmb/namequery.h"
23 #include "idmap.h"
24 #include "tldap_gensec_bind.h"
25 #include "tldap_util.h"
26 #include "passdb.h"
27 #include "lib/param/param.h"
28 #include "auth/gensec/gensec.h"
29 #include "librpc/gen_ndr/ndr_netlogon.h"
30 #include "libads/ldap_schema_oids.h"
31 #include "../libds/common/flags.h"
32 #include "libcli/ldap/ldap_ndr.h"
33 #include "libcli/security/dom_sid.h"
34 #include "source3/libads/sitename_cache.h"
35 #include "source3/libads/kerberos_proto.h"
36 #include "source3/librpc/gen_ndr/ads.h"
37 #include "source3/lib/global_contexts.h"
38 #include <ldb.h>
39
40 struct idmap_ad_schema_names;
41
42 struct idmap_ad_context {
43 struct idmap_domain *dom;
44 struct tldap_context *ld;
45 struct idmap_ad_schema_names *schema;
46 const char *default_nc;
47
48 bool unix_primary_group;
49 bool unix_nss_info;
50
51 struct ldb_context *ldb;
52 struct ldb_dn **deny_ous;
53 struct ldb_dn **allow_ous;
54 };
55
56 static NTSTATUS idmap_ad_get_context(struct idmap_domain *dom,
57 struct idmap_ad_context **pctx);
58
59 static char *get_schema_path(TALLOC_CTX *mem_ctx, struct tldap_context *ld)
60 {
61 struct tldap_message *rootdse;
62
63 rootdse = tldap_rootdse(ld);
64 if (rootdse == NULL) {
65 return NULL;
66 }
67
68 return tldap_talloc_single_attribute(rootdse, "schemaNamingContext",
69 mem_ctx);
70 }
71
72 static char *get_default_nc(TALLOC_CTX *mem_ctx, struct tldap_context *ld)
73 {
74 struct tldap_message *rootdse;
75
76 rootdse = tldap_rootdse(ld);
77 if (rootdse == NULL) {
78 return NULL;
79 }
80
81 return tldap_talloc_single_attribute(rootdse, "defaultNamingContext",
82 mem_ctx);
83 }
84
85 struct idmap_ad_schema_names {
86 char *name;
87 char *uid;
88 char *gid;
89 char *gecos;
90 char *dir;
91 char *shell;
92 };
93
94 static TLDAPRC get_attrnames_by_oids(struct tldap_context *ld,
95 TALLOC_CTX *mem_ctx,
96 const char *schema_path,
97 size_t num_oids,
98 const char **oids,
99 char **names)
100 {
101 char *filter;
102 const char *attrs[] = { "lDAPDisplayName", "attributeId" };
103 size_t i;
104 TLDAPRC rc;
105 struct tldap_message **msgs;
106 size_t num_msgs;
107
108 filter = talloc_strdup(mem_ctx, "(|");
109
110 for (i=0; i<num_oids; i++) {
111 talloc_asprintf_addbuf(&filter, "(attributeId=%s)", oids[i]);
112 }
113 talloc_asprintf_addbuf(&filter, ")");
114
115 if (filter == NULL) {
116 return TLDAP_NO_MEMORY;
117 }
118
119 rc = tldap_search(ld, schema_path, TLDAP_SCOPE_SUB, filter,
120 attrs, ARRAY_SIZE(attrs), 0, NULL, 0, NULL, 0,
121 0, 0, 0, mem_ctx, &msgs);;
122 TALLOC_FREE(filter);
123 if (!TLDAP_RC_IS_SUCCESS(rc)) {
124 return rc;
125 }
126
127 for (i=0; i<num_oids; i++) {
128 names[i] = NULL;
129 }
130
131 num_msgs = talloc_array_length(msgs);
132
133 for (i=0; i<num_msgs; i++) {
134 struct tldap_message *msg = msgs[i];
135 char *oid;
136 size_t j;
137
138 if (tldap_msg_type(msg) != TLDAP_RES_SEARCH_ENTRY) {
139 /* Could be a TLDAP_RES_SEARCH_REFERENCE */
140 continue;
141 }
142
143 oid = tldap_talloc_single_attribute(
144 msg, "attributeId", msg);
145 if (oid == NULL) {
146 continue;
147 }
148
149 for (j=0; j<num_oids; j++) {
150 if (strequal(oid, oids[j])) {
151 break;
152 }
153 }
154 TALLOC_FREE(oid);
155
156 if (j == num_oids) {
157 /* not found */
158 continue;
159 }
160
161 names[j] = tldap_talloc_single_attribute(
162 msg, "lDAPDisplayName", mem_ctx);
163 }
164
165 TALLOC_FREE(msgs);
166 for (i=0; i<num_oids; i++) {
167 if (names[i] == NULL) {
168 DBG_ERR("Failed to retrieve schema name for "
169 "oid [%s]. Schema mode is incorrect "
170 "for this domain.\n", oids[i]);
171 return TLDAP_FILTER_ERROR;
172 }
173 }
174
175 return TLDAP_SUCCESS;
176 }
177
178 static TLDAPRC get_posix_schema_names(struct tldap_context *ld,
179 const char *schema_mode,
180 TALLOC_CTX *mem_ctx,
181 struct idmap_ad_schema_names **pschema)
182 {
183 char *schema_path;
184 struct idmap_ad_schema_names *schema;
185 char *names[6];
186 const char *oids_sfu[] = {
187 ADS_ATTR_SFU_UIDNUMBER_OID,
188 ADS_ATTR_SFU_GIDNUMBER_OID,
189 ADS_ATTR_SFU_HOMEDIR_OID,
190 ADS_ATTR_SFU_SHELL_OID,
191 ADS_ATTR_SFU_GECOS_OID,
192 ADS_ATTR_SFU_UID_OID
193 };
194 const char *oids_sfu20[] = {
195 ADS_ATTR_SFU20_UIDNUMBER_OID,
196 ADS_ATTR_SFU20_GIDNUMBER_OID,
197 ADS_ATTR_SFU20_HOMEDIR_OID,
198 ADS_ATTR_SFU20_SHELL_OID,
199 ADS_ATTR_SFU20_GECOS_OID,
200 ADS_ATTR_SFU20_UID_OID
201 };
202 const char *oids_rfc2307[] = {
203 ADS_ATTR_RFC2307_UIDNUMBER_OID,
204 ADS_ATTR_RFC2307_GIDNUMBER_OID,
205 ADS_ATTR_RFC2307_HOMEDIR_OID,
206 ADS_ATTR_RFC2307_SHELL_OID,
207 ADS_ATTR_RFC2307_GECOS_OID,
208 ADS_ATTR_RFC2307_UID_OID
209 };
210 const char **oids;
211
212 TLDAPRC rc;
213
214 schema = talloc(mem_ctx, struct idmap_ad_schema_names);
215 if (schema == NULL) {
216 return TLDAP_NO_MEMORY;
217 }
218
219 schema_path = get_schema_path(schema, ld);
220 if (schema_path == NULL) {
221 TALLOC_FREE(schema);
222 return TLDAP_NO_MEMORY;
223 }
224
225 oids = oids_rfc2307;
226
227 if ((schema_mode != NULL) && (schema_mode[0] != '\0')) {
228 if (strequal(schema_mode, "sfu")) {
229 oids = oids_sfu;
230 } else if (strequal(schema_mode, "sfu20")) {
231 oids = oids_sfu20;
232 } else if (strequal(schema_mode, "rfc2307" )) {
233 oids = oids_rfc2307;
234 } else {
235 DBG_WARNING("Unknown schema mode %s\n", schema_mode);
236 }
237 }
238
239 rc = get_attrnames_by_oids(ld, schema, schema_path, 6, oids, names);
240 TALLOC_FREE(schema_path);
241 if (!TLDAP_RC_IS_SUCCESS(rc)) {
242 TALLOC_FREE(schema);
243 return rc;
244 }
245
246 schema->uid = names[0];
247 schema->gid = names[1];
248 schema->dir = names[2];
249 schema->shell = names[3];
250 schema->gecos = names[4];
251 schema->name = names[5];
252
253 *pschema = schema;
254
255 return TLDAP_SUCCESS;
256 }
257
258 static void PRINTF_ATTRIBUTE(3, 0) idmap_ad_tldap_debug(
259 void *log_private,
260 enum tldap_debug_level level,
261 const char *fmt,
262 va_list ap)
263 {
264 int samba_level = -1;
265
266 switch (level) {
267 case TLDAP_DEBUG_FATAL:
268 samba_level = DBGLVL_ERR;
269 break;
270 case TLDAP_DEBUG_ERROR:
271 samba_level = DBGLVL_ERR;
272 break;
273 case TLDAP_DEBUG_WARNING:
274 samba_level = DBGLVL_WARNING;
275 break;
276 case TLDAP_DEBUG_TRACE:
277 samba_level = DBGLVL_DEBUG;
278 break;
279 }
280
281 if (CHECK_DEBUGLVL(samba_level)) {
282 char *s = NULL;
283 int ret;
284
285 ret = vasprintf(&s, fmt, ap);
286 if (ret == -1) {
287 return;
288 }
289 DEBUG(samba_level, ("idmap_ad_tldap: %s", s));
290 free(s);
291 }
292 }
293
294 static uint32_t gensec_features_from_ldap_sasl_wrapping(void)
295 {
296 int wrap_flags;
297 uint32_t gensec_features = 0;
298
299 wrap_flags = lp_client_ldap_sasl_wrapping();
300 if (wrap_flags == -1) {
301 wrap_flags = 0;
302 }
303
304 if (wrap_flags & ADS_AUTH_SASL_SEAL) {
305 gensec_features |= GENSEC_FEATURE_SEAL;
306 }
307 if (wrap_flags & ADS_AUTH_SASL_SIGN) {
308 gensec_features |= GENSEC_FEATURE_SIGN;
309 }
310
311 if (gensec_features != 0) {
312 gensec_features |= GENSEC_FEATURE_LDAP_STYLE;
313 }
314
315 return gensec_features;
316 }
317
318 static NTSTATUS idmap_ad_get_tldap_ctx(TALLOC_CTX *mem_ctx,
319 const char *domname,
320 struct tldap_context **pld)
321 {
322 struct netr_DsRGetDCNameInfo *dcinfo;
323 struct sockaddr_storage dcaddr;
324 struct cli_credentials *creds;
325 struct loadparm_context *lp_ctx;
326 struct tldap_context *ld;
327 uint32_t gensec_features = gensec_features_from_ldap_sasl_wrapping();
328 char *sitename = NULL;
329 int fd;
330 NTSTATUS status;
331 bool ok;
332 TLDAPRC rc;
333
334 status = wb_dsgetdcname_gencache_get(mem_ctx, domname, &dcinfo);
335 if (!NT_STATUS_IS_OK(status)) {
336 DBG_DEBUG("Could not get dcinfo for %s: %s\n", domname,
337 nt_errstr(status));
338 return status;
339 }
340
341 if (dcinfo->dc_unc == NULL) {
342 TALLOC_FREE(dcinfo);
343 return NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
344 }
345 if (dcinfo->dc_unc[0] == '\\') {
346 dcinfo->dc_unc += 1;
347 }
348 if (dcinfo->dc_unc[0] == '\\') {
349 dcinfo->dc_unc += 1;
350 }
351
352 ok = resolve_name(dcinfo->dc_unc, &dcaddr, 0x20, true);
353 if (!ok) {
354 DBG_DEBUG("Could not resolve name %s\n", dcinfo->dc_unc);
355 TALLOC_FREE(dcinfo);
356 return NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
357 }
358
359 sitename = sitename_fetch(talloc_tos(), lp_realm());
360
361 /*
362 * create_local_private_krb5_conf_for_domain() can deal with
363 * sitename==NULL
364 */
365
366 ok = create_local_private_krb5_conf_for_domain(
367 lp_realm(), lp_workgroup(), sitename, &dcaddr);
368 TALLOC_FREE(sitename);
369 if (!ok) {
370 DBG_DEBUG("Could not create private krb5.conf\n");
371 TALLOC_FREE(dcinfo);
372 return NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
373 }
374
375 status = open_socket_out(&dcaddr, 389, 10000, &fd);
376 if (!NT_STATUS_IS_OK(status)) {
377 DBG_DEBUG("open_socket_out failed: %s\n", nt_errstr(status));
378 TALLOC_FREE(dcinfo);
379 return status;
380 }
381
382 ld = tldap_context_create(dcinfo, fd);
383 if (ld == NULL) {
384 DBG_DEBUG("tldap_context_create failed\n");
385 close(fd);
386 TALLOC_FREE(dcinfo);
387 return NT_STATUS_NO_MEMORY;
388 }
389 tldap_set_debug(ld, idmap_ad_tldap_debug, NULL);
390
391 /*
392 * Here we use or own machine account as
393 * we run as domain member.
394 */
395 status = pdb_get_trust_credentials(lp_workgroup(),
396 lp_realm(),
397 dcinfo,
398 &creds);
399 if (!NT_STATUS_IS_OK(status)) {
400 DBG_DEBUG("pdb_get_trust_credentials() failed - %s\n",
401 nt_errstr(status));
402 TALLOC_FREE(dcinfo);
403 return status;
404 }
405
406 lp_ctx = loadparm_init_s3(dcinfo, loadparm_s3_helpers());
407 if (lp_ctx == NULL) {
408 DBG_DEBUG("loadparm_init_s3 failed\n");
409 TALLOC_FREE(dcinfo);
410 return NT_STATUS_NO_MEMORY;
411 }
412
413 rc = tldap_gensec_bind(ld, creds, "ldap", dcinfo->dc_unc, NULL, lp_ctx,
414 gensec_features);
415 if (!TLDAP_RC_IS_SUCCESS(rc)) {
416 DBG_DEBUG("tldap_gensec_bind failed: %s\n",
417 tldap_errstr(dcinfo, ld, rc));
418 TALLOC_FREE(dcinfo);
419 return NT_STATUS_LDAP(TLDAP_RC_V(rc));
420 }
421
422 rc = tldap_fetch_rootdse(ld);
423 if (!TLDAP_RC_IS_SUCCESS(rc)) {
424 DBG_DEBUG("tldap_fetch_rootdse failed: %s\n",
425 tldap_errstr(dcinfo, ld, rc));
426 TALLOC_FREE(dcinfo);
427 return NT_STATUS_LDAP(TLDAP_RC_V(rc));
428 }
429
430 *pld = talloc_move(mem_ctx, &ld);
431 TALLOC_FREE(dcinfo);
432 return NT_STATUS_OK;
433 }
434
435 static int idmap_ad_context_destructor(struct idmap_ad_context *ctx)
436 {
437 if ((ctx->dom != NULL) && (ctx->dom->private_data == ctx)) {
438 ctx->dom->private_data = NULL;
439 }
440 return 0;
441 }
442
443 static struct ldb_dn **str_list_to_dns(TALLOC_CTX *mem_ctx,
444 const char *dbgmsg,
445 struct ldb_context *ldb,
446 const char **strlist)
447 {
448 size_t i, num_dns = str_list_length(strlist);
449 char *dbgstr = NULL;
450 struct ldb_dn **dns = NULL;
451
452 dns = talloc_array(mem_ctx, struct ldb_dn *, num_dns);
453 if (dns == NULL) {
454 TALLOC_FREE(dbgstr);
455 return NULL;
456 }
457
458 dbgstr = talloc_strdup(talloc_tos(), "");
459
460 for (i = 0; i < num_dns; i++) {
461 dns[i] = ldb_dn_new(dns, ldb, strlist[i]);
462 if (dns[i] == NULL) {
463 DBG_WARNING("ldb_dn_new(%s) failed\n", strlist[i]);
464 TALLOC_FREE(dns);
465 return NULL;
466 }
467 talloc_asprintf_addbuf(
468 &dbgstr,
469 "%s ",
470 ldb_dn_get_extended_linearized(dbgstr, dns[i], 1));
471 }
472
473 DBG_DEBUG("%s %s\n", dbgmsg, dbgstr);
474 TALLOC_FREE(dbgstr);
475
476 return dns;
477 }
478
479 static NTSTATUS idmap_ad_context_create(TALLOC_CTX *mem_ctx,
480 struct idmap_domain *dom,
481 const char *domname,
482 struct idmap_ad_context **pctx)
483 {
484 struct idmap_ad_context *ctx;
485 const char *schema_mode;
486 const char **allow = NULL;
487 const char **deny = NULL;
488 NTSTATUS status;
489 TLDAPRC rc;
490
491 ctx = talloc_zero(mem_ctx, struct idmap_ad_context);
492 if (ctx == NULL) {
493 return NT_STATUS_NO_MEMORY;
494 }
495 ctx->dom = dom;
496
497 talloc_set_destructor(ctx, idmap_ad_context_destructor);
498
499 status = idmap_ad_get_tldap_ctx(ctx, domname, &ctx->ld);
500 if (!NT_STATUS_IS_OK(status)) {
501 DBG_DEBUG("idmap_ad_get_tldap_ctx failed: %s\n",
502 nt_errstr(status));
503 TALLOC_FREE(ctx);
504 return status;
505 }
506
507 ctx->default_nc = get_default_nc(ctx, ctx->ld);
508 if (ctx->default_nc == NULL) {
509 DBG_DEBUG("No default nc\n");
510 TALLOC_FREE(ctx);
511 return status;
512 }
513
514 ctx->unix_primary_group = idmap_config_bool(
515 domname, "unix_primary_group", false);
516 ctx->unix_nss_info = idmap_config_bool(
517 domname, "unix_nss_info", false);
518
519 schema_mode = idmap_config_const_string(
520 domname, "schema_mode", "rfc2307");
521
522 rc = get_posix_schema_names(ctx->ld, schema_mode, ctx, &ctx->schema);
523 if (!TLDAP_RC_IS_SUCCESS(rc)) {
524 DBG_DEBUG("get_posix_schema_names failed: %s\n",
525 tldap_errstr(ctx, ctx->ld, rc));
526 TALLOC_FREE(ctx);
527 return NT_STATUS_LDAP(TLDAP_RC_V(rc));
528 }
529
530 deny = idmap_config_string_list(domname, "deny ous", NULL);
531 allow = idmap_config_string_list(domname, "allow ous", NULL);
532
533 if ((deny != NULL) || (allow != NULL)) {
534 int ret = ldb_global_init();
535 if (ret == -1) {
536 status = map_nt_error_from_unix(errno);
537 DBG_WARNING("ldb_global_init() failed: %s\n",
538 strerror(errno));
539 TALLOC_FREE(ctx);
540 return status;
541 }
542
543 ctx->ldb = ldb_init(ctx, global_event_context());
544 if (ctx->ldb == NULL) {
545 status = map_nt_error_from_unix(errno);
546 DBG_WARNING("ldb_init() failed: %s\n", strerror(errno));
547 TALLOC_FREE(ctx);
548 return status;
549 }
550 }
551
552 if (deny != NULL) {
553 ctx->deny_ous = str_list_to_dns(ctx, "Denying", ctx->ldb, deny);
554 if (ctx->deny_ous == NULL) {
555 DBG_DEBUG("str_list_to_dns failed\n");
556 TALLOC_FREE(ctx);
557 return NT_STATUS_NO_MEMORY;
558 }
559 }
560
561 if (allow != NULL) {
562 ctx->allow_ous =
563 str_list_to_dns(ctx, "Allowing", ctx->ldb, allow);
564 if (ctx->allow_ous == NULL) {
565 DBG_DEBUG("str_list_to_dns failed\n");
566 TALLOC_FREE(ctx);
567 return NT_STATUS_NO_MEMORY;
568 }
569 }
570
571 *pctx = ctx;
572 return NT_STATUS_OK;
573 }
574
575 static bool check_dn(struct ldb_dn **dns, struct ldb_dn *dn)
576 {
577 size_t i, num_dns = talloc_array_length(dns);
578
579 for (i = 0; i < num_dns; i++) {
580 struct ldb_dn *base = dns[i];
581 int ret = ldb_dn_compare_base(base, dn);
582 if (ret == 0) {
583 return true;
584 }
585 }
586 return false;
587 }
588
589 static bool idmap_ad_dn_filter(struct idmap_domain *dom, const char *dnstr)
590 {
591 struct idmap_ad_context *ctx = NULL;
592 struct ldb_dn *dn = NULL;
593 NTSTATUS status;
594 bool result = false;
595
596 status = idmap_ad_get_context(dom, &ctx);
597 if (!NT_STATUS_IS_OK(status)) {
598 DBG_DEBUG("idmap_ad_get_context failed: %s\n",
599 nt_errstr(status));
600 return false;
601 }
602
603 if ((ctx->allow_ous == NULL) && (ctx->deny_ous == NULL)) {
604 /*
605 * Nothing to check
606 */
607 return true;
608 }
609
610 dn = ldb_dn_new(talloc_tos(), ctx->ldb, dnstr);
611 if (dn == NULL) {
612 DBG_DEBUG("ldb_dn_new(%s) failed\n", dnstr);
613 return false;
614 }
615
616 if (ctx->deny_ous != NULL) {
617 bool denied = check_dn(ctx->deny_ous, dn);
618 if (denied) {
619 DBG_WARNING("Denied %s\n", dnstr);
620 TALLOC_FREE(dn);
621 return false;
622 }
623
624 if (ctx->allow_ous == NULL) {
625 /*
626 * Only a few denied OUs around, allow by
627 * default
628 */
629 result = true;
630 }
631 }
632
633 if (ctx->allow_ous != NULL) {
634 bool allowed = check_dn(ctx->allow_ous, dn);
635 if (allowed) {
636 return true;
637 }
638 DBG_WARNING("Did not allow %s\n", dnstr);
639 }
640
641 return result;
642 }
643
644 static NTSTATUS idmap_ad_query_user(struct idmap_domain *domain,
645 struct wbint_userinfo *info)
646 {
647 struct idmap_ad_context *ctx;
648 TLDAPRC rc;
649 NTSTATUS status;
650 char *sidstr, *filter;
651 const char *attrs[4];
652 size_t i, num_msgs;
653 struct tldap_message **msgs;
654
655 status = idmap_ad_get_context(domain, &ctx);
656 if (!NT_STATUS_IS_OK(status)) {
657 return status;
658 }
659
660 if (!(ctx->unix_primary_group || ctx->unix_nss_info)) {
661 return NT_STATUS_OK;
662 }
663
664 attrs[0] = ctx->schema->gid;
665 attrs[1] = ctx->schema->gecos;
666 attrs[2] = ctx->schema->dir;
667 attrs[3] = ctx->schema->shell;
668
669 sidstr = ldap_encode_ndr_dom_sid(talloc_tos(), &info->user_sid);
670 if (sidstr == NULL) {
671 return NT_STATUS_NO_MEMORY;
672 }
673
674 filter = talloc_asprintf(talloc_tos(), "(objectsid=%s)", sidstr);
675 TALLOC_FREE(sidstr);
676 if (filter == NULL) {
677 return NT_STATUS_NO_MEMORY;
678 }
679
680 DBG_DEBUG("Filter: [%s]\n", filter);
681
682 rc = tldap_search(ctx->ld, ctx->default_nc, TLDAP_SCOPE_SUB, filter,
683 attrs, ARRAY_SIZE(attrs), 0, NULL, 0, NULL, 0,
684 0, 0, 0, talloc_tos(), &msgs);
685 if (!TLDAP_RC_IS_SUCCESS(rc)) {
686 return NT_STATUS_LDAP(TLDAP_RC_V(rc));
687 }
688
689 TALLOC_FREE(filter);
690
691 num_msgs = talloc_array_length(msgs);
692
693 for (i=0; i<num_msgs; i++) {
694 struct tldap_message *msg = msgs[i];
695 char *dn = NULL;
696 bool ok;
697
698 if (tldap_msg_type(msg) != TLDAP_RES_SEARCH_ENTRY) {
699 continue;
700 }
701 ok = tldap_entry_dn(msg, &dn);
702 if (!ok) {
703 continue;
704 }
705 ok = idmap_ad_dn_filter(domain, dn);
706 if (!ok) {
707 DBG_DEBUG("%s filtered out\n", dn);
708 continue;
709 }
710
711 if (ctx->unix_primary_group) {
712 uint32_t gid;
713
714 ok = tldap_pull_uint32(msg, ctx->schema->gid, &gid);
715 if (ok) {
716 DBG_DEBUG("Setting primary group "
717 "to %"PRIu32" from attr %s\n",
718 gid, ctx->schema->gid);
719 info->primary_gid = gid;
720 }
721 }
722
723 if (ctx->unix_nss_info) {
724 char *attr;
725
726 attr = tldap_talloc_single_attribute(
727 msg, ctx->schema->dir, talloc_tos());
728 if (attr != NULL) {
729 info->homedir = talloc_move(info, &attr);
730 }
731 TALLOC_FREE(attr);
732
733 attr = tldap_talloc_single_attribute(
734 msg, ctx->schema->shell, talloc_tos());
735 if (attr != NULL) {
736 info->shell = talloc_move(info, &attr);
737 }
738 TALLOC_FREE(attr);
739
740 attr = tldap_talloc_single_attribute(
741 msg, ctx->schema->gecos, talloc_tos());
742 if (attr != NULL) {
743 info->full_name = talloc_move(info, &attr);
744 }
745 TALLOC_FREE(attr);
746 }
747 }
748
749 return NT_STATUS_OK;
750 }
751
752 static NTSTATUS idmap_ad_query_user_retry(struct idmap_domain *domain,
753 struct wbint_userinfo *info)
754 {
755 const NTSTATUS status_server_down =
756 NT_STATUS_LDAP(TLDAP_RC_V(TLDAP_SERVER_DOWN));
757 NTSTATUS status;
758
759 status = idmap_ad_query_user(domain, info);
760
761 if (NT_STATUS_EQUAL(status, status_server_down)) {
762 TALLOC_FREE(domain->private_data);
763 status = idmap_ad_query_user(domain, info);
764 }
765
766 return status;
767 }
768
769 static NTSTATUS idmap_ad_initialize(struct idmap_domain *dom)
770 {
771 dom->query_user = idmap_ad_query_user_retry;
772 dom->private_data = NULL;
773 return NT_STATUS_OK;
774 }
775
776 static NTSTATUS idmap_ad_get_context(struct idmap_domain *dom,
777 struct idmap_ad_context **pctx)
778 {
779 struct idmap_ad_context *ctx = NULL;
780 NTSTATUS status;
781
782 if (IS_AD_DC) {
783 /*
784 * Make sure we never try to use LDAP against
785 * a trusted domain as AD_DC.
786 *
787 * This shouldn't be called currently,
788 * but you never know what happens in future.
789 */
790 return NT_STATUS_REQUEST_NOT_ACCEPTED;
791 }
792
793 if (dom->private_data != NULL) {
794 *pctx = talloc_get_type_abort(dom->private_data,
795 struct idmap_ad_context);
796 return NT_STATUS_OK;
797 }
798
799 status = idmap_ad_context_create(dom, dom, dom->name, &ctx);
800 if (!NT_STATUS_IS_OK(status)) {
801 DBG_DEBUG("idmap_ad_context_create failed: %s\n",
802 nt_errstr(status));
803 return status;
804 }
805
806 dom->private_data = ctx;
807 *pctx = ctx;
808 return NT_STATUS_OK;
809 }
810
811 static NTSTATUS idmap_ad_unixids_to_sids(struct idmap_domain *dom,
812 struct id_map **ids)
813 {
814 struct idmap_ad_context *ctx;
815 TLDAPRC rc;
816 NTSTATUS status;
817 struct tldap_message **msgs;
818
819 size_t i, num_msgs;
820 char *u_filter, *g_filter, *filter;
821
822 const char *attrs[] = {
823 "sAMAccountType",
824 "objectSid",
825 NULL, /* attr_uidnumber */
826 NULL, /* attr_gidnumber */
827 };
828
829 status = idmap_ad_get_context(dom, &ctx);
830 if (!NT_STATUS_IS_OK(status)) {
831 return status;
832 }
833
834 attrs[2] = ctx->schema->uid;
835 attrs[3] = ctx->schema->gid;
836
837 u_filter = talloc_strdup(talloc_tos(), "");
838 if (u_filter == NULL) {
839 return NT_STATUS_NO_MEMORY;
840 }
841
842 g_filter = talloc_strdup(talloc_tos(), "");
843 if (g_filter == NULL) {
844 return NT_STATUS_NO_MEMORY;
845 }
846
847 for (i=0; ids[i] != NULL; i++) {
848 struct id_map *id = ids[i];
849
850 id->status = ID_UNKNOWN;
851
852 switch (id->xid.type) {
853 case ID_TYPE_UID: {
854 u_filter = talloc_asprintf_append_buffer(
855 u_filter, "(%s=%ju)", ctx->schema->uid,
856 (uintmax_t)id->xid.id);
857 if (u_filter == NULL) {
858 return NT_STATUS_NO_MEMORY;
859 }
860 break;
861 }
862
863 case ID_TYPE_GID: {
864 g_filter = talloc_asprintf_append_buffer(
865 g_filter, "(%s=%ju)", ctx->schema->gid,
866 (uintmax_t)id->xid.id);
867 if (g_filter == NULL) {
868 return NT_STATUS_NO_MEMORY;
869 }
870 break;
871 }
872
873 default:
874 DBG_WARNING("Unknown id type: %u\n",
875 (unsigned)id->xid.type);
876 break;
877 }
878 }
879
880 filter = talloc_strdup(talloc_tos(), "(|");
881 if (filter == NULL) {
882 return NT_STATUS_NO_MEMORY;
883 }
884
885 if (*u_filter != '\0') {
886 filter = talloc_asprintf_append_buffer(
887 filter,
888 "(&(|(sAMAccountType=%d)(sAMAccountType=%d)"
889 "(sAMAccountType=%d))(|%s))",
890 ATYPE_NORMAL_ACCOUNT, ATYPE_WORKSTATION_TRUST,
891 ATYPE_INTERDOMAIN_TRUST, u_filter);
892 if (filter == NULL) {
893 return NT_STATUS_NO_MEMORY;
894 }
895 }
896 TALLOC_FREE(u_filter);
897
898 if (*g_filter != '\0') {
899 filter = talloc_asprintf_append_buffer(
900 filter,
901 "(&(|(sAMAccountType=%d)(sAMAccountType=%d))(|%s))",
902 ATYPE_SECURITY_GLOBAL_GROUP,
903 ATYPE_SECURITY_LOCAL_GROUP,
904 g_filter);
905 if (filter == NULL) {
906 return NT_STATUS_NO_MEMORY;
907 }
908 }
909 TALLOC_FREE(g_filter);
910
911 filter = talloc_asprintf_append_buffer(filter, ")");
912 if (filter == NULL) {
913 return NT_STATUS_NO_MEMORY;
914 }
915
916 DBG_DEBUG("Filter: [%s]\n", filter);
917
918 rc = tldap_search(ctx->ld, ctx->default_nc, TLDAP_SCOPE_SUB, filter,
919 attrs, ARRAY_SIZE(attrs), 0, NULL, 0, NULL, 0,
920 0, 0, 0, talloc_tos(), &msgs);
921 if (!TLDAP_RC_IS_SUCCESS(rc)) {
922 return NT_STATUS_LDAP(TLDAP_RC_V(rc));
923 }
924
925 TALLOC_FREE(filter);
926
927 num_msgs = talloc_array_length(msgs);
928
929 for (i=0; i<num_msgs; i++) {
930 struct tldap_message *msg = msgs[i];
931 char *dn;
932 struct id_map *map;
933 struct dom_sid sid;
934 size_t j;
935 bool ok;
936 uint32_t atype, xid;
937 enum id_type type;
938 struct dom_sid_buf sidbuf;
939
940 if (tldap_msg_type(msg) != TLDAP_RES_SEARCH_ENTRY) {
941 continue;
942 }
943
944 ok = tldap_entry_dn(msg, &dn);
945 if (!ok) {
946 DBG_DEBUG("No dn found in msg %zu\n", i);
947 continue;
948 }
949
950 ok = idmap_ad_dn_filter(dom, dn);
951 if (!ok) {
952 DBG_DEBUG("%s filtered out\n", dn);
953 continue;
954 }
955
956 ok = tldap_pull_uint32(msg, "sAMAccountType", &atype);
957 if (!ok) {
958 DBG_DEBUG("No atype in object %s\n", dn);
959 continue;
960 }
961
962 switch (atype & 0xF0000000) {
963 case ATYPE_SECURITY_GLOBAL_GROUP:
964 case ATYPE_SECURITY_LOCAL_GROUP:
965 type = ID_TYPE_GID;
966 break;
967 case ATYPE_NORMAL_ACCOUNT:
968 case ATYPE_WORKSTATION_TRUST:
969 case ATYPE_INTERDOMAIN_TRUST:
970 type = ID_TYPE_UID;
971 break;
972 default:
973 DBG_WARNING("unrecognized SAM account type %08x\n",
974 atype);
975 continue;
976 }
977
978 ok = tldap_pull_uint32(msg, (type == ID_TYPE_UID) ?
979 ctx->schema->uid : ctx->schema->gid,
980 &xid);
981 if (!ok) {
982 DBG_WARNING("No unix id in object %s\n", dn);
983 continue;
984 }
985
986 ok = tldap_pull_binsid(msg, "objectSid", &sid);
987 if (!ok) {
988 DBG_DEBUG("No objectSid in object %s\n", dn);
989 continue;
990 }
991
992 map = NULL;
993 for (j=0; ids[j]; j++) {
994 if ((type == ids[j]->xid.type) &&
995 (xid == ids[j]->xid.id)) {
996 map = ids[j];
997 break;
998 }
999 }
1000 if (map == NULL) {
1001 DBG_DEBUG("Got unexpected sid %s from object %s\n",
1002 dom_sid_str_buf(&sid, &sidbuf),
1003 dn);
1004 continue;
1005 }
1006
1007 sid_copy(map->sid, &sid);
1008 map->status = ID_MAPPED;
1009
1010 DBG_DEBUG("Mapped %s -> %ju (%d)\n",
1011 dom_sid_str_buf(map->sid, &sidbuf),
1012 (uintmax_t)map->xid.id, map->xid.type);
1013 }
1014
1015 TALLOC_FREE(msgs);
1016
1017 return NT_STATUS_OK;
1018 }
1019
1020 static NTSTATUS idmap_ad_sids_to_unixids(struct idmap_domain *dom,
1021 struct id_map **ids)
1022 {
1023 struct idmap_ad_context *ctx;
1024 TLDAPRC rc;
1025 NTSTATUS status;
1026 struct tldap_message **msgs;
1027
1028 char *filter;
1029 size_t i, num_msgs;
1030
1031 const char *attrs[] = {
1032 "sAMAccountType",
1033 "objectSid",
1034 NULL, /* attr_uidnumber */
1035 NULL, /* attr_gidnumber */
1036 };
1037
1038 status = idmap_ad_get_context(dom, &ctx);
1039 if (!NT_STATUS_IS_OK(status)) {
1040 return status;
1041 }
1042
1043 attrs[2] = ctx->schema->uid;
1044 attrs[3] = ctx->schema->gid;
1045
1046 filter = talloc_asprintf(
1047 talloc_tos(),
1048 "(&(|(sAMAccountType=%d)(sAMAccountType=%d)(sAMAccountType=%d)"
1049 "(sAMAccountType=%d)(sAMAccountType=%d))(|",
1050 ATYPE_NORMAL_ACCOUNT, ATYPE_WORKSTATION_TRUST,
1051 ATYPE_INTERDOMAIN_TRUST, ATYPE_SECURITY_GLOBAL_GROUP,
1052 ATYPE_SECURITY_LOCAL_GROUP);
1053 if (filter == NULL) {
1054 return NT_STATUS_NO_MEMORY;
1055 }
1056
1057 for (i=0; ids[i]; i++) {
1058 char *sidstr;
1059
1060 ids[i]->status = ID_UNKNOWN;
1061
1062 sidstr = ldap_encode_ndr_dom_sid(talloc_tos(), ids[i]->sid);
1063 if (sidstr == NULL) {
1064 return NT_STATUS_NO_MEMORY;
1065 }
1066
1067 filter = talloc_asprintf_append_buffer(
1068 filter, "(objectSid=%s)", sidstr);
1069 TALLOC_FREE(sidstr);
1070 if (filter == NULL) {
1071 return NT_STATUS_NO_MEMORY;
1072 }
1073 }
1074
1075 filter = talloc_asprintf_append_buffer(filter, "))");
1076 if (filter == NULL) {
1077 return NT_STATUS_NO_MEMORY;
1078 }
1079
1080 DBG_DEBUG("Filter: [%s]\n", filter);
1081
1082 rc = tldap_search(ctx->ld, ctx->default_nc, TLDAP_SCOPE_SUB, filter,
1083 attrs, ARRAY_SIZE(attrs), 0, NULL, 0, NULL, 0,
1084 0, 0, 0, talloc_tos(), &msgs);
1085 if (!TLDAP_RC_IS_SUCCESS(rc)) {
1086 return NT_STATUS_LDAP(TLDAP_RC_V(rc));
1087 }
1088
1089 TALLOC_FREE(filter);
1090
1091 num_msgs = talloc_array_length(msgs);
1092
1093 for (i=0; i<num_msgs; i++) {
1094 struct tldap_message *msg = msgs[i];
1095 char *dn;
1096 struct id_map *map;
1097 struct dom_sid sid;
1098 size_t j;
1099 bool ok;
1100 uint64_t account_type, xid;
1101 enum id_type type;
1102 struct dom_sid_buf buf;
1103
1104 if (tldap_msg_type(msg) != TLDAP_RES_SEARCH_ENTRY) {
1105 continue;
1106 }
1107
1108 ok = tldap_entry_dn(msg, &dn);
1109 if (!ok) {
1110 DBG_DEBUG("No dn found in msg %zu\n", i);
1111 continue;
1112 }
1113
1114 ok = idmap_ad_dn_filter(dom, dn);
1115 if (!ok) {
1116 DBG_DEBUG("%s filtered out\n", dn);
1117 continue;
1118 }
1119
1120 ok = tldap_pull_binsid(msg, "objectSid", &sid);
1121 if (!ok) {
1122 DBG_DEBUG("No objectSid in object %s\n", dn);
1123 continue;
1124 }
1125
1126 map = NULL;
1127 for (j=0; ids[j]; j++) {
1128 if (dom_sid_equal(&sid, ids[j]->sid)) {
1129 map = ids[j];
1130 break;
1131 }
1132 }
1133 if (map == NULL) {
1134 DBG_DEBUG("Got unexpected sid %s from object %s\n",
1135 dom_sid_str_buf(&sid, &buf),
1136 dn);
1137 continue;
1138 }
1139
1140 ok = tldap_pull_uint64(msg, "sAMAccountType", &account_type);
1141 if (!ok) {
1142 DBG_DEBUG("No sAMAccountType in %s\n", dn);
1143 continue;
1144 }
1145
1146 switch (account_type & 0xF0000000) {
1147 case ATYPE_SECURITY_GLOBAL_GROUP:
1148 case ATYPE_SECURITY_LOCAL_GROUP:
1149 type = ID_TYPE_GID;
1150 break;
1151 case ATYPE_NORMAL_ACCOUNT:
1152 case ATYPE_WORKSTATION_TRUST:
1153 case ATYPE_INTERDOMAIN_TRUST:
1154 type = ID_TYPE_UID;
1155 break;
1156 default:
1157 DBG_WARNING("unrecognized SAM account type %"PRIu64"\n",
1158 account_type);
1159 continue;
1160 }
1161
1162 ok = tldap_pull_uint64(msg,
1163 type == ID_TYPE_UID ?
1164 ctx->schema->uid : ctx->schema->gid,
1165 &xid);
1166 if (!ok) {
1167 DBG_DEBUG("No xid in %s\n", dn);
1168 continue;
1169 }
1170
1171 /* mapped */
1172 map->xid.type = type;
1173 map->xid.id = xid;
1174 map->status = ID_MAPPED;
1175
1176 DEBUG(10, ("Mapped %s -> %lu (%d)\n",
1177 dom_sid_str_buf(map->sid, &buf),
1178 (unsigned long)map->xid.id, map->xid.type));
1179 }
1180
1181 TALLOC_FREE(msgs);
1182
1183 return NT_STATUS_OK;
1184 }
1185
1186 static NTSTATUS idmap_ad_unixids_to_sids_retry(struct idmap_domain *dom,
1187 struct id_map **ids)
1188 {
1189 const NTSTATUS status_server_down =
1190 NT_STATUS_LDAP(TLDAP_RC_V(TLDAP_SERVER_DOWN));
1191 NTSTATUS status;
1192
1193 status = idmap_ad_unixids_to_sids(dom, ids);
1194
1195 if (NT_STATUS_EQUAL(status, status_server_down)) {
1196 TALLOC_FREE(dom->private_data);
1197 status = idmap_ad_unixids_to_sids(dom, ids);
1198 }
1199
1200 return status;
1201 }
1202
1203 static NTSTATUS idmap_ad_sids_to_unixids_retry(struct idmap_domain *dom,
1204 struct id_map **ids)
1205 {
1206 const NTSTATUS status_server_down =
1207 NT_STATUS_LDAP(TLDAP_RC_V(TLDAP_SERVER_DOWN));
1208 NTSTATUS status;
1209
1210 status = idmap_ad_sids_to_unixids(dom, ids);
1211
1212 if (NT_STATUS_EQUAL(status, status_server_down)) {
1213 TALLOC_FREE(dom->private_data);
1214 status = idmap_ad_sids_to_unixids(dom, ids);
1215 }
1216
1217 return status;
1218 }
1219
1220 static const struct idmap_methods ad_methods = {
1221 .init = idmap_ad_initialize,
1222 .unixids_to_sids = idmap_ad_unixids_to_sids_retry,
1223 .sids_to_unixids = idmap_ad_sids_to_unixids_retry,
1224 };
1225
1226 static_decl_idmap;
1227 NTSTATUS idmap_ad_init(TALLOC_CTX *ctx)
1228 {
1229 NTSTATUS status;
1230
1231 status = smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION,
1232 "ad", &ad_methods);
1233 if (!NT_STATUS_IS_OK(status)) {
1234 return status;
1235 }
1236
1237 status = idmap_ad_nss_init(ctx);
1238 if (!NT_STATUS_IS_OK(status)) {
1239 return status;
1240 }
1241
1242 return NT_STATUS_OK;
1243 }
Samba GIT mirror