2 Unix SMB/CIFS implementation.
4 Winbind ADS backend functions
6 Copyright (C) Andrew Tridgell 2001
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003
8 Copyright (C) Gerald (Jerry) Carter 2004
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 2 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program; if not, write to the Free Software
22 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
31 #define DBGC_CLASS DBGC_WINBIND
33 extern struct winbindd_methods reconnect_methods
;
36 return our ads connections structure for a domain. We keep the connection
37 open to make things faster
39 static ADS_STRUCT
*ads_cached_connection(struct winbindd_domain
*domain
)
43 enum wb_posix_mapping map_type
;
45 DEBUG(10,("ads_cached_connection\n"));
47 if (domain
->private_data
) {
48 ads
= (ADS_STRUCT
*)domain
->private_data
;
50 /* check for a valid structure */
52 DEBUG(7, ("Current tickets expire at %d, time is now %d\n",
53 (uint32
) ads
->auth
.expire
, (uint32
) time(NULL
)));
54 if ( ads
->config
.realm
&& (ads
->auth
.expire
> time(NULL
))) {
58 /* we own this ADS_STRUCT so make sure it goes away */
61 ads_kdestroy("MEMORY:winbind_ccache");
62 domain
->private_data
= NULL
;
66 /* we don't want this to affect the users ccache */
67 setenv("KRB5CCNAME", "MEMORY:winbind_ccache", 1);
69 ads
= ads_init(domain
->alt_name
, domain
->name
, NULL
);
71 DEBUG(1,("ads_init for domain %s failed\n", domain
->name
));
75 /* the machine acct password might have change - fetch it every time */
77 SAFE_FREE(ads
->auth
.password
);
78 SAFE_FREE(ads
->auth
.realm
);
84 if ( !secrets_fetch_trusted_domain_password( domain
->name
, &ads
->auth
.password
, &sid
, &last_set_time
) ) {
88 ads
->auth
.realm
= SMB_STRDUP( ads
->server
.realm
);
89 strupper_m( ads
->auth
.realm
);
92 struct winbindd_domain
*our_domain
= domain
;
94 ads
->auth
.password
= secrets_fetch_machine_password(lp_workgroup(), NULL
, NULL
);
96 /* always give preference to the alt_name in our
97 primary domain if possible */
99 if ( !domain
->primary
)
100 our_domain
= find_our_domain();
102 if ( our_domain
->alt_name
[0] != '\0' ) {
103 ads
->auth
.realm
= SMB_STRDUP( our_domain
->alt_name
);
104 strupper_m( ads
->auth
.realm
);
107 ads
->auth
.realm
= SMB_STRDUP( lp_realm() );
110 ads
->auth
.renewable
= WINBINDD_PAM_AUTH_KRB5_RENEW_TIME
;
112 status
= ads_connect(ads
);
113 if (!ADS_ERR_OK(status
) || !ads
->config
.realm
) {
114 DEBUG(1,("ads_connect for domain %s failed: %s\n",
115 domain
->name
, ads_errstr(status
)));
118 /* if we get ECONNREFUSED then it might be a NT4
119 server, fall back to MSRPC */
120 if (status
.error_type
== ENUM_ADS_ERROR_SYSTEM
&&
121 status
.err
.rc
== ECONNREFUSED
) {
122 /* 'reconnect_methods' is the MS-RPC backend. */
123 DEBUG(1,("Trying MSRPC methods\n"));
124 domain
->backend
= &reconnect_methods
;
129 map_type
= get_nss_info(domain
->name
);
131 if ((map_type
== WB_POSIX_MAP_RFC2307
)||
132 (map_type
== WB_POSIX_MAP_SFU
)) {
134 status
= ads_check_posix_schema_mapping(ads
, map_type
);
135 if (!ADS_ERR_OK(status
)) {
136 DEBUG(10,("ads_check_posix_schema_mapping failed "
137 "with: %s\n", ads_errstr(status
)));
141 /* set the flag that says we don't own the memory even
142 though we do so that ads_destroy() won't destroy the
143 structure we pass back by reference */
145 ads
->is_mine
= False
;
147 domain
->private_data
= (void *)ads
;
152 /* Query display info for a realm. This is the basic user list fn */
153 static NTSTATUS
query_user_list(struct winbindd_domain
*domain
,
156 WINBIND_USERINFO
**info
)
158 ADS_STRUCT
*ads
= NULL
;
159 const char *attrs
[] = {"userPrincipalName",
161 "name", "objectSid", "primaryGroupID",
163 ADS_ATTR_SFU_HOMEDIR_OID
,
164 ADS_ATTR_SFU_SHELL_OID
,
165 ADS_ATTR_SFU_GECOS_OID
,
166 ADS_ATTR_RFC2307_HOMEDIR_OID
,
167 ADS_ATTR_RFC2307_SHELL_OID
,
168 ADS_ATTR_RFC2307_GECOS_OID
,
172 LDAPMessage
*res
= NULL
;
173 LDAPMessage
*msg
= NULL
;
174 NTSTATUS status
= NT_STATUS_UNSUCCESSFUL
;
178 DEBUG(3,("ads: query_user_list\n"));
180 ads
= ads_cached_connection(domain
);
183 domain
->last_status
= NT_STATUS_SERVER_DISABLED
;
187 rc
= ads_search_retry(ads
, &res
, "(objectCategory=user)", attrs
);
188 if (!ADS_ERR_OK(rc
) || !res
) {
189 DEBUG(1,("query_user_list ads_search: %s\n", ads_errstr(rc
)));
193 count
= ads_count_replies(ads
, res
);
195 DEBUG(1,("query_user_list: No users found\n"));
199 (*info
) = TALLOC_ZERO_ARRAY(mem_ctx
, WINBIND_USERINFO
, count
);
201 status
= NT_STATUS_NO_MEMORY
;
207 for (msg
= ads_first_entry(ads
, res
); msg
; msg
= ads_next_entry(ads
, msg
)) {
208 char *name
, *gecos
= NULL
;
209 char *homedir
= NULL
;
214 if (!ads_pull_uint32(ads
, msg
, "sAMAccountType", &atype
) ||
215 ads_atype_map(atype
) != SID_NAME_USER
) {
216 DEBUG(1,("Not a user account? atype=0x%x\n", atype
));
220 name
= ads_pull_username(ads
, mem_ctx
, msg
);
222 if (get_nss_info(domain
->name
) && ads
->schema
.map_type
) {
224 DEBUG(10,("pulling posix attributes (%s schema)\n",
225 wb_posix_map_str(ads
->schema
.map_type
)));
227 homedir
= ads_pull_string(ads
, mem_ctx
, msg
,
228 ads
->schema
.posix_homedir_attr
);
229 shell
= ads_pull_string(ads
, mem_ctx
, msg
,
230 ads
->schema
.posix_shell_attr
);
231 gecos
= ads_pull_string(ads
, mem_ctx
, msg
,
232 ads
->schema
.posix_gecos_attr
);
236 gecos
= ads_pull_string(ads
, mem_ctx
, msg
, "name");
239 if (!ads_pull_sid(ads
, msg
, "objectSid",
240 &(*info
)[i
].user_sid
)) {
241 DEBUG(1,("No sid for %s !?\n", name
));
244 if (!ads_pull_uint32(ads
, msg
, "primaryGroupID", &group
)) {
245 DEBUG(1,("No primary group for %s !?\n", name
));
249 (*info
)[i
].acct_name
= name
;
250 (*info
)[i
].full_name
= gecos
;
251 (*info
)[i
].homedir
= homedir
;
252 (*info
)[i
].shell
= shell
;
253 sid_compose(&(*info
)[i
].group_sid
, &domain
->sid
, group
);
258 status
= NT_STATUS_OK
;
260 DEBUG(3,("ads query_user_list gave %d entries\n", (*num_entries
)));
264 ads_msgfree(ads
, res
);
269 /* list all domain groups */
270 static NTSTATUS
enum_dom_groups(struct winbindd_domain
*domain
,
273 struct acct_info
**info
)
275 ADS_STRUCT
*ads
= NULL
;
276 const char *attrs
[] = {"userPrincipalName", "sAMAccountName",
277 "name", "objectSid", NULL
};
280 LDAPMessage
*res
= NULL
;
281 LDAPMessage
*msg
= NULL
;
282 NTSTATUS status
= NT_STATUS_UNSUCCESSFUL
;
284 BOOL enum_dom_local_groups
= False
;
288 DEBUG(3,("ads: enum_dom_groups\n"));
290 /* only grab domain local groups for our domain */
291 if ( domain
->native_mode
&& strequal(lp_realm(), domain
->alt_name
) ) {
292 enum_dom_local_groups
= True
;
295 /* Workaround ADS LDAP bug present in MS W2K3 SP0 and W2K SP4 w/o
298 * According to Section 5.1(4) of RFC 2251 if a value of a type is it's
299 * default value, it MUST be absent. In case of extensible matching the
300 * "dnattr" boolean defaults to FALSE and so it must be only be present
303 * When it is set to FALSE and the OpenLDAP lib (correctly) encodes a
304 * filter using bitwise matching rule then the buggy AD fails to decode
305 * the extensible match. As a workaround set it to TRUE and thereby add
306 * the dnAttributes "dn" field to cope with those older AD versions.
307 * It should not harm and won't put any additional load on the AD since
308 * none of the dn components have a bitmask-attribute.
310 * Thanks to Ralf Haferkamp for input and testing - Guenther */
312 filter
= talloc_asprintf(mem_ctx
, "(&(objectCategory=group)(&(groupType:dn:%s:=%d)(!(groupType:dn:%s:=%d))))",
313 ADS_LDAP_MATCHING_RULE_BIT_AND
, GROUP_TYPE_SECURITY_ENABLED
,
314 ADS_LDAP_MATCHING_RULE_BIT_AND
,
315 enum_dom_local_groups
? GROUP_TYPE_BUILTIN_LOCAL_GROUP
: GROUP_TYPE_RESOURCE_GROUP
);
317 if (filter
== NULL
) {
318 status
= NT_STATUS_NO_MEMORY
;
322 ads
= ads_cached_connection(domain
);
325 domain
->last_status
= NT_STATUS_SERVER_DISABLED
;
329 rc
= ads_search_retry(ads
, &res
, filter
, attrs
);
330 if (!ADS_ERR_OK(rc
) || !res
) {
331 DEBUG(1,("enum_dom_groups ads_search: %s\n", ads_errstr(rc
)));
335 count
= ads_count_replies(ads
, res
);
337 DEBUG(1,("enum_dom_groups: No groups found\n"));
341 (*info
) = TALLOC_ZERO_ARRAY(mem_ctx
, struct acct_info
, count
);
343 status
= NT_STATUS_NO_MEMORY
;
349 for (msg
= ads_first_entry(ads
, res
); msg
; msg
= ads_next_entry(ads
, msg
)) {
354 name
= ads_pull_username(ads
, mem_ctx
, msg
);
355 gecos
= ads_pull_string(ads
, mem_ctx
, msg
, "name");
356 if (!ads_pull_sid(ads
, msg
, "objectSid", &sid
)) {
357 DEBUG(1,("No sid for %s !?\n", name
));
361 if (!sid_peek_check_rid(&domain
->sid
, &sid
, &rid
)) {
362 DEBUG(1,("No rid for %s !?\n", name
));
366 fstrcpy((*info
)[i
].acct_name
, name
);
367 fstrcpy((*info
)[i
].acct_desc
, gecos
);
368 (*info
)[i
].rid
= rid
;
374 status
= NT_STATUS_OK
;
376 DEBUG(3,("ads enum_dom_groups gave %d entries\n", (*num_entries
)));
380 ads_msgfree(ads
, res
);
385 /* list all domain local groups */
386 static NTSTATUS
enum_local_groups(struct winbindd_domain
*domain
,
389 struct acct_info
**info
)
392 * This is a stub function only as we returned the domain
393 * local groups in enum_dom_groups() if the domain->native field
394 * was true. This is a simple performance optimization when
397 * if we ever need to enumerate domain local groups separately,
398 * then this the optimization in enum_dom_groups() will need
406 /* convert a DN to a name, SID and name type
407 this might become a major speed bottleneck if groups have
408 lots of users, in which case we could cache the results
410 static BOOL
dn_lookup(ADS_STRUCT
*ads
, TALLOC_CTX
*mem_ctx
,
412 char **name
, uint32
*name_type
, DOM_SID
*sid
)
414 LDAPMessage
*res
= NULL
;
415 const char *attrs
[] = {"userPrincipalName", "sAMAccountName",
416 "objectSid", "sAMAccountType", NULL
};
419 DEBUG(3,("ads: dn_lookup\n"));
421 rc
= ads_search_retry_dn(ads
, &res
, dn
, attrs
);
423 if (!ADS_ERR_OK(rc
) || !res
) {
427 (*name
) = ads_pull_username(ads
, mem_ctx
, res
);
429 if (!ads_pull_uint32(ads
, res
, "sAMAccountType", &atype
)) {
432 (*name_type
) = ads_atype_map(atype
);
434 if (!ads_pull_sid(ads
, res
, "objectSid", sid
)) {
439 ads_msgfree(ads
, res
);
445 ads_msgfree(ads
, res
);
450 /* Lookup user information from a rid */
451 static NTSTATUS
query_user(struct winbindd_domain
*domain
,
454 WINBIND_USERINFO
*info
)
456 ADS_STRUCT
*ads
= NULL
;
457 const char *attrs
[] = {"userPrincipalName",
461 ADS_ATTR_SFU_HOMEDIR_OID
,
462 ADS_ATTR_SFU_SHELL_OID
,
463 ADS_ATTR_SFU_GECOS_OID
,
464 ADS_ATTR_RFC2307_HOMEDIR_OID
,
465 ADS_ATTR_RFC2307_SHELL_OID
,
466 ADS_ATTR_RFC2307_GECOS_OID
,
470 LDAPMessage
*msg
= NULL
;
474 NTSTATUS status
= NT_STATUS_UNSUCCESSFUL
;
476 DEBUG(3,("ads: query_user\n"));
478 ads
= ads_cached_connection(domain
);
481 domain
->last_status
= NT_STATUS_SERVER_DISABLED
;
485 sidstr
= sid_binstring(sid
);
486 asprintf(&ldap_exp
, "(objectSid=%s)", sidstr
);
487 rc
= ads_search_retry(ads
, &msg
, ldap_exp
, attrs
);
490 if (!ADS_ERR_OK(rc
) || !msg
) {
491 DEBUG(1,("query_user(sid=%s) ads_search: %s\n",
492 sid_string_static(sid
), ads_errstr(rc
)));
496 count
= ads_count_replies(ads
, msg
);
498 DEBUG(1,("query_user(sid=%s): Not found\n",
499 sid_string_static(sid
)));
503 info
->acct_name
= ads_pull_username(ads
, mem_ctx
, msg
);
505 if (get_nss_info(domain
->name
) && ads
->schema
.map_type
) {
507 DEBUG(10,("pulling posix attributes (%s schema)\n",
508 wb_posix_map_str(ads
->schema
.map_type
)));
510 info
->homedir
= ads_pull_string(ads
, mem_ctx
, msg
,
511 ads
->schema
.posix_homedir_attr
);
512 info
->shell
= ads_pull_string(ads
, mem_ctx
, msg
,
513 ads
->schema
.posix_shell_attr
);
514 info
->full_name
= ads_pull_string(ads
, mem_ctx
, msg
,
515 ads
->schema
.posix_gecos_attr
);
518 if (info
->full_name
== NULL
) {
519 info
->full_name
= ads_pull_string(ads
, mem_ctx
, msg
, "name");
522 if (!ads_pull_uint32(ads
, msg
, "primaryGroupID", &group_rid
)) {
523 DEBUG(1,("No primary group for %s !?\n",
524 sid_string_static(sid
)));
528 sid_copy(&info
->user_sid
, sid
);
529 sid_compose(&info
->group_sid
, &domain
->sid
, group_rid
);
531 status
= NT_STATUS_OK
;
533 DEBUG(3,("ads query_user gave %s\n", info
->acct_name
));
536 ads_msgfree(ads
, msg
);
541 /* Lookup groups a user is a member of - alternate method, for when
542 tokenGroups are not available. */
543 static NTSTATUS
lookup_usergroups_member(struct winbindd_domain
*domain
,
546 DOM_SID
*primary_group
,
547 size_t *p_num_groups
, DOM_SID
**user_sids
)
550 NTSTATUS status
= NT_STATUS_UNSUCCESSFUL
;
552 LDAPMessage
*res
= NULL
;
553 LDAPMessage
*msg
= NULL
;
556 const char *group_attrs
[] = {"objectSid", NULL
};
558 size_t num_groups
= 0;
560 DEBUG(3,("ads: lookup_usergroups_member\n"));
562 ads
= ads_cached_connection(domain
);
565 domain
->last_status
= NT_STATUS_SERVER_DISABLED
;
569 if (!(escaped_dn
= escape_ldap_string_alloc(user_dn
))) {
570 status
= NT_STATUS_NO_MEMORY
;
574 if (!(ldap_exp
= talloc_asprintf(mem_ctx
, "(&(member=%s)(objectCategory=group))", escaped_dn
))) {
575 DEBUG(1,("lookup_usergroups(dn=%s) asprintf failed!\n", user_dn
));
576 SAFE_FREE(escaped_dn
);
577 status
= NT_STATUS_NO_MEMORY
;
581 SAFE_FREE(escaped_dn
);
583 rc
= ads_search_retry(ads
, &res
, ldap_exp
, group_attrs
);
585 if (!ADS_ERR_OK(rc
) || !res
) {
586 DEBUG(1,("lookup_usergroups ads_search member=%s: %s\n", user_dn
, ads_errstr(rc
)));
587 return ads_ntstatus(rc
);
590 count
= ads_count_replies(ads
, res
);
595 /* always add the primary group to the sid array */
596 if (!add_sid_to_array(mem_ctx
, primary_group
, user_sids
, &num_groups
)) {
597 status
= NT_STATUS_NO_MEMORY
;
602 for (msg
= ads_first_entry(ads
, res
); msg
;
603 msg
= ads_next_entry(ads
, msg
)) {
606 if (!ads_pull_sid(ads
, msg
, "objectSid", &group_sid
)) {
607 DEBUG(1,("No sid for this group ?!?\n"));
611 /* ignore Builtin groups from ADS - Guenther */
612 if (sid_check_is_in_builtin(&group_sid
)) {
616 if (!add_sid_to_array(mem_ctx
, &group_sid
, user_sids
,
618 status
= NT_STATUS_NO_MEMORY
;
625 *p_num_groups
= num_groups
;
626 status
= (user_sids
!= NULL
) ? NT_STATUS_OK
: NT_STATUS_NO_MEMORY
;
628 DEBUG(3,("ads lookup_usergroups (member) succeeded for dn=%s\n", user_dn
));
631 ads_msgfree(ads
, res
);
636 /* Lookup groups a user is a member of - alternate method, for when
637 tokenGroups are not available. */
638 static NTSTATUS
lookup_usergroups_memberof(struct winbindd_domain
*domain
,
641 DOM_SID
*primary_group
,
642 size_t *p_num_groups
, DOM_SID
**user_sids
)
645 NTSTATUS status
= NT_STATUS_UNSUCCESSFUL
;
647 LDAPMessage
*res
= NULL
;
649 const char *attrs
[] = {"memberOf", NULL
};
650 size_t num_groups
= 0;
651 DOM_SID
*group_sids
= NULL
;
654 DEBUG(3,("ads: lookup_usergroups_memberof\n"));
656 ads
= ads_cached_connection(domain
);
659 domain
->last_status
= NT_STATUS_SERVER_DISABLED
;
663 rc
= ads_search_retry_extended_dn(ads
, &res
, user_dn
, attrs
,
664 ADS_EXTENDED_DN_HEX_STRING
);
666 if (!ADS_ERR_OK(rc
) || !res
) {
667 DEBUG(1,("lookup_usergroups_memberof ads_search member=%s: %s\n",
668 user_dn
, ads_errstr(rc
)));
669 return ads_ntstatus(rc
);
672 count
= ads_count_replies(ads
, res
);
675 status
= NT_STATUS_NO_SUCH_USER
;
682 /* always add the primary group to the sid array */
683 if (!add_sid_to_array(mem_ctx
, primary_group
, user_sids
, &num_groups
)) {
684 status
= NT_STATUS_NO_MEMORY
;
688 count
= ads_pull_sids_from_extendeddn(ads
, mem_ctx
, res
, "memberOf",
689 ADS_EXTENDED_DN_HEX_STRING
,
692 DEBUG(1,("No memberOf for this user?!?\n"));
693 status
= NT_STATUS_NO_MEMORY
;
697 for (i
=0; i
<count
; i
++) {
699 /* ignore Builtin groups from ADS - Guenther */
700 if (sid_check_is_in_builtin(&group_sids
[i
])) {
704 if (!add_sid_to_array(mem_ctx
, &group_sids
[i
], user_sids
,
706 status
= NT_STATUS_NO_MEMORY
;
712 *p_num_groups
= num_groups
;
713 status
= (*user_sids
!= NULL
) ? NT_STATUS_OK
: NT_STATUS_NO_MEMORY
;
715 DEBUG(3,("ads lookup_usergroups (memberof) succeeded for dn=%s\n", user_dn
));
717 TALLOC_FREE(group_sids
);
719 ads_msgfree(ads
, res
);
725 /* Lookup groups a user is a member of. */
726 static NTSTATUS
lookup_usergroups(struct winbindd_domain
*domain
,
729 uint32
*p_num_groups
, DOM_SID
**user_sids
)
731 ADS_STRUCT
*ads
= NULL
;
732 const char *attrs
[] = {"tokenGroups", "primaryGroupID", NULL
};
735 LDAPMessage
*msg
= NULL
;
736 char *user_dn
= NULL
;
739 DOM_SID primary_group
;
740 uint32 primary_group_rid
;
742 NTSTATUS status
= NT_STATUS_UNSUCCESSFUL
;
743 size_t num_groups
= 0;
745 DEBUG(3,("ads: lookup_usergroups\n"));
748 status
= lookup_usergroups_cached(domain
, mem_ctx
, sid
,
749 p_num_groups
, user_sids
);
750 if (NT_STATUS_IS_OK(status
)) {
754 ads
= ads_cached_connection(domain
);
757 domain
->last_status
= NT_STATUS_SERVER_DISABLED
;
758 status
= NT_STATUS_SERVER_DISABLED
;
762 rc
= ads_search_retry_sid(ads
, &msg
, sid
, attrs
);
764 if (!ADS_ERR_OK(rc
)) {
765 status
= ads_ntstatus(rc
);
766 DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: %s\n",
767 sid_to_string(sid_string
, sid
), ads_errstr(rc
)));
771 count
= ads_count_replies(ads
, msg
);
773 status
= NT_STATUS_UNSUCCESSFUL
;
774 DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: "
775 "invalid number of results (count=%d)\n",
776 sid_to_string(sid_string
, sid
), count
));
781 DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: NULL msg\n",
782 sid_to_string(sid_string
, sid
)));
783 status
= NT_STATUS_UNSUCCESSFUL
;
787 user_dn
= ads_get_dn(ads
, msg
);
788 if (user_dn
== NULL
) {
789 status
= NT_STATUS_NO_MEMORY
;
793 if (!ads_pull_uint32(ads
, msg
, "primaryGroupID", &primary_group_rid
)) {
794 DEBUG(1,("%s: No primary group for sid=%s !?\n",
795 domain
->name
, sid_to_string(sid_string
, sid
)));
799 sid_copy(&primary_group
, &domain
->sid
);
800 sid_append_rid(&primary_group
, primary_group_rid
);
802 count
= ads_pull_sids(ads
, mem_ctx
, msg
, "tokenGroups", &sids
);
804 /* there must always be at least one group in the token,
805 unless we are talking to a buggy Win2k server */
807 /* actually this only happens when the machine account has no read
808 * permissions on the tokenGroup attribute - gd */
814 /* lookup what groups this user is a member of by DN search on
817 status
= lookup_usergroups_memberof(domain
, mem_ctx
, user_dn
,
819 &num_groups
, user_sids
);
820 *p_num_groups
= (uint32
)num_groups
;
821 if (NT_STATUS_IS_OK(status
)) {
825 /* lookup what groups this user is a member of by DN search on
828 status
= lookup_usergroups_member(domain
, mem_ctx
, user_dn
,
830 &num_groups
, user_sids
);
831 *p_num_groups
= (uint32
)num_groups
;
838 if (!add_sid_to_array(mem_ctx
, &primary_group
, user_sids
, &num_groups
)) {
839 status
= NT_STATUS_NO_MEMORY
;
843 for (i
=0;i
<count
;i
++) {
845 /* ignore Builtin groups from ADS - Guenther */
846 if (sid_check_is_in_builtin(&sids
[i
])) {
850 if (!add_sid_to_array_unique(mem_ctx
, &sids
[i
],
851 user_sids
, &num_groups
)) {
852 status
= NT_STATUS_NO_MEMORY
;
857 *p_num_groups
= (uint32
)num_groups
;
858 status
= (*user_sids
!= NULL
) ? NT_STATUS_OK
: NT_STATUS_NO_MEMORY
;
860 DEBUG(3,("ads lookup_usergroups (tokenGroups) succeeded for sid=%s\n",
861 sid_to_string(sid_string
, sid
)));
863 ads_memfree(ads
, user_dn
);
864 ads_msgfree(ads
, msg
);
869 find the members of a group, given a group rid and domain
871 static NTSTATUS
lookup_groupmem(struct winbindd_domain
*domain
,
873 const DOM_SID
*group_sid
, uint32
*num_names
,
874 DOM_SID
**sid_mem
, char ***names
,
879 LDAPMessage
*res
=NULL
;
880 ADS_STRUCT
*ads
= NULL
;
882 NTSTATUS status
= NT_STATUS_UNSUCCESSFUL
;
894 DEBUG(10,("ads: lookup_groupmem %s sid=%s\n", domain
->name
,
895 sid_string_static(group_sid
)));
899 ads
= ads_cached_connection(domain
);
902 domain
->last_status
= NT_STATUS_SERVER_DISABLED
;
906 if ((sidstr
= sid_binstring(group_sid
)) == NULL
) {
907 status
= NT_STATUS_NO_MEMORY
;
911 /* search for all members of the group */
912 if (!(ldap_exp
= talloc_asprintf(mem_ctx
, "(objectSid=%s)",sidstr
))) {
914 DEBUG(1, ("ads: lookup_groupmem: tallloc_asprintf for ldap_exp failed!\n"));
915 status
= NT_STATUS_NO_MEMORY
;
923 if ((attrs
= TALLOC_ARRAY(mem_ctx
, const char *, 3)) == NULL
) {
924 status
= NT_STATUS_NO_MEMORY
;
928 attrs
[1] = talloc_strdup(mem_ctx
, "usnChanged");
932 if (num_members
== 0)
933 attrs
[0] = talloc_strdup(mem_ctx
, "member");
935 DEBUG(10, ("Searching for attrs[0] = %s, attrs[1] = %s\n", attrs
[0], attrs
[1]));
937 rc
= ads_search_retry(ads
, &res
, ldap_exp
, attrs
);
939 if (!ADS_ERR_OK(rc
) || !res
) {
940 DEBUG(1,("ads: lookup_groupmem ads_search: %s\n",
942 status
= ads_ntstatus(rc
);
946 count
= ads_count_replies(ads
, res
);
950 if (num_members
== 0) {
951 if (!ads_pull_uint32(ads
, res
, "usnChanged", &first_usn
)) {
952 DEBUG(1, ("ads: lookup_groupmem could not pull usnChanged!\n"));
957 if (!ads_pull_uint32(ads
, res
, "usnChanged", ¤t_usn
)) {
958 DEBUG(1, ("ads: lookup_groupmem could not pull usnChanged!\n"));
962 if (first_usn
!= current_usn
) {
963 DEBUG(5, ("ads: lookup_groupmem USN on this record changed"
964 " - restarting search\n"));
965 if (num_retries
< 5) {
970 DEBUG(5, ("ads: lookup_groupmem USN on this record changed"
971 " - restarted search too many times, aborting!\n"));
972 status
= NT_STATUS_UNSUCCESSFUL
;
977 members
= ads_pull_strings_range(ads
, mem_ctx
, res
,
984 if ((members
== NULL
) || (num_members
== 0))
987 } while (more_values
);
989 /* now we need to turn a list of members into rids, names and name types
990 the problem is that the members are in the form of distinguised names
993 (*sid_mem
) = TALLOC_ZERO_ARRAY(mem_ctx
, DOM_SID
, num_members
);
994 (*name_types
) = TALLOC_ZERO_ARRAY(mem_ctx
, uint32
, num_members
);
995 (*names
) = TALLOC_ZERO_ARRAY(mem_ctx
, char *, num_members
);
997 if ((num_members
!= 0) &&
998 ((members
== NULL
) || (*sid_mem
== NULL
) ||
999 (*name_types
== NULL
) || (*names
== NULL
))) {
1000 DEBUG(1, ("talloc failed\n"));
1001 status
= NT_STATUS_NO_MEMORY
;
1005 for (i
=0;i
<num_members
;i
++) {
1010 if (dn_lookup(ads
, mem_ctx
, members
[i
], &name
, &name_type
, &sid
)) {
1011 (*names
)[*num_names
] = name
;
1012 (*name_types
)[*num_names
] = name_type
;
1013 sid_copy(&(*sid_mem
)[*num_names
], &sid
);
1018 status
= NT_STATUS_OK
;
1019 DEBUG(3,("ads lookup_groupmem for sid=%s\n", sid_to_string(sid_string
, group_sid
)));
1023 ads_msgfree(ads
, res
);
1028 /* find the sequence number for a domain */
1029 static NTSTATUS
sequence_number(struct winbindd_domain
*domain
, uint32
*seq
)
1031 ADS_STRUCT
*ads
= NULL
;
1034 DEBUG(3,("ads: fetch sequence_number for %s\n", domain
->name
));
1036 *seq
= DOM_SEQUENCE_NONE
;
1038 ads
= ads_cached_connection(domain
);
1041 domain
->last_status
= NT_STATUS_SERVER_DISABLED
;
1042 return NT_STATUS_UNSUCCESSFUL
;
1045 rc
= ads_USN(ads
, seq
);
1047 if (!ADS_ERR_OK(rc
)) {
1049 /* its a dead connection ; don't destroy it
1050 through since ads_USN() has already done
1053 domain
->private_data
= NULL
;
1055 return ads_ntstatus(rc
);
1058 /* get a list of trusted domains */
1059 static NTSTATUS
trusted_domains(struct winbindd_domain
*domain
,
1060 TALLOC_CTX
*mem_ctx
,
1061 uint32
*num_domains
,
1066 NTSTATUS result
= NT_STATUS_UNSUCCESSFUL
;
1067 struct ds_domain_trust
*domains
= NULL
;
1070 uint32 flags
= DS_DOMAIN_IN_FOREST
| DS_DOMAIN_DIRECT_OUTBOUND
;
1071 struct rpc_pipe_client
*cli
;
1073 DEBUG(3,("ads: trusted_domains\n"));
1080 result
= cm_connect_netlogon(domain
, &cli
);
1082 if (!NT_STATUS_IS_OK(result
)) {
1083 DEBUG(5, ("trusted_domains: Could not open a connection to %s "
1084 "for PIPE_NETLOGON (%s)\n",
1085 domain
->name
, nt_errstr(result
)));
1086 return NT_STATUS_UNSUCCESSFUL
;
1089 if ( NT_STATUS_IS_OK(result
) ) {
1090 result
= rpccli_ds_enum_domain_trusts(cli
, mem_ctx
,
1093 (unsigned int *)&count
);
1096 if ( NT_STATUS_IS_OK(result
) && count
) {
1098 /* Allocate memory for trusted domain names and sids */
1100 if ( !(*names
= TALLOC_ARRAY(mem_ctx
, char *, count
)) ) {
1101 DEBUG(0, ("trusted_domains: out of memory\n"));
1102 return NT_STATUS_NO_MEMORY
;
1105 if ( !(*alt_names
= TALLOC_ARRAY(mem_ctx
, char *, count
)) ) {
1106 DEBUG(0, ("trusted_domains: out of memory\n"));
1107 return NT_STATUS_NO_MEMORY
;
1110 if ( !(*dom_sids
= TALLOC_ARRAY(mem_ctx
, DOM_SID
, count
)) ) {
1111 DEBUG(0, ("trusted_domains: out of memory\n"));
1112 return NT_STATUS_NO_MEMORY
;
1115 /* Copy across names and sids */
1117 for (i
= 0; i
< count
; i
++) {
1118 (*names
)[i
] = domains
[i
].netbios_domain
;
1119 (*alt_names
)[i
] = domains
[i
].dns_domain
;
1121 sid_copy(&(*dom_sids
)[i
], &domains
[i
].sid
);
1124 *num_domains
= count
;
1130 /* the ADS backend methods are exposed via this structure */
1131 struct winbindd_methods ads_methods
= {
1138 msrpc_rids_to_names
,
1141 msrpc_lookup_useraliases
,
1144 msrpc_lockout_policy
,
1145 msrpc_password_policy
,