search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
samba-tool group: Add --special parameter to add predefined special group
[Samba.git] / source3 / winbindd / winbindd_msrpc.c
blob3ac13b0e3d11f55ea6b52e300a1af68aac9128f3
1 /*
2 Unix SMB/CIFS implementation.
3
4 Winbind rpc backend functions
5
6 Copyright (C) Tim Potter 2000-2001,2003
7 Copyright (C) Andrew Tridgell 2001
8 Copyright (C) Volker Lendecke 2005
9 Copyright (C) Guenther Deschner 2008 (pidl conversion)
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 3 of the License, or
14 (at your option) any later version.
15
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
20
21 You should have received a copy of the GNU General Public License
22 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 */
24
25 #include "includes.h"
26 #include "winbindd.h"
27 #include "winbindd_rpc.h"
28
29 #include "../librpc/gen_ndr/ndr_samr_c.h"
30 #include "rpc_client/cli_pipe.h"
31 #include "rpc_client/cli_samr.h"
32 #include "rpc_client/cli_lsarpc.h"
33 #include "../libcli/security/security.h"
34 #include "libsmb/samlogon_cache.h"
35
36 #undef DBGC_CLASS
37 #define DBGC_CLASS DBGC_WINBIND
38
39 static NTSTATUS winbindd_lookup_names(TALLOC_CTX *mem_ctx,
40 struct winbindd_domain *domain,
41 uint32_t num_names,
42 const char **names,
43 const char ***domains,
44 struct dom_sid **sids,
45 enum lsa_SidType **types);
46
47 /* Query display info for a domain. This returns enough information plus a
48 bit extra to give an overview of domain users for the User Manager
49 application. */
50 static NTSTATUS msrpc_query_user_list(struct winbindd_domain *domain,
51 TALLOC_CTX *mem_ctx,
52 uint32_t **prids)
53 {
54 struct rpc_pipe_client *samr_pipe = NULL;
55 struct policy_handle dom_pol;
56 uint32_t *rids = NULL;
57 TALLOC_CTX *tmp_ctx;
58 NTSTATUS status;
59
60 DEBUG(3, ("msrpc_query_user_list\n"));
61
62 tmp_ctx = talloc_stackframe();
63 if (tmp_ctx == NULL) {
64 return NT_STATUS_NO_MEMORY;
65 }
66
67 if ( !winbindd_can_contact_domain( domain ) ) {
68 DEBUG(10,("query_user_list: No incoming trust for domain %s\n",
69 domain->name));
70 status = NT_STATUS_OK;
71 goto done;
72 }
73
74 status = cm_connect_sam(domain, tmp_ctx, false, &samr_pipe, &dom_pol);
75 if (!NT_STATUS_IS_OK(status)) {
76 goto done;
77 }
78
79 status = rpc_query_user_list(tmp_ctx,
80 samr_pipe,
81 &dom_pol,
82 &domain->sid,
83 &rids);
84 if (!NT_STATUS_IS_OK(status)) {
85 goto done;
86 }
87
88 if (prids) {
89 *prids = talloc_move(mem_ctx, &rids);
90 }
91
92 done:
93 TALLOC_FREE(rids);
94 TALLOC_FREE(tmp_ctx);
95 return status;
96 }
97
98 /* list all domain groups */
99 static NTSTATUS msrpc_enum_dom_groups(struct winbindd_domain *domain,
100 TALLOC_CTX *mem_ctx,
101 uint32_t *pnum_info,
102 struct wb_acct_info **pinfo)
103 {
104 struct rpc_pipe_client *samr_pipe;
105 struct policy_handle dom_pol;
106 struct wb_acct_info *info = NULL;
107 uint32_t num_info = 0;
108 TALLOC_CTX *tmp_ctx;
109 NTSTATUS status;
110
111 DEBUG(3,("msrpc_enum_dom_groups\n"));
112
113 if (pnum_info) {
114 *pnum_info = 0;
115 }
116
117 tmp_ctx = talloc_stackframe();
118 if (tmp_ctx == NULL) {
119 return NT_STATUS_NO_MEMORY;
120 }
121
122 if ( !winbindd_can_contact_domain( domain ) ) {
123 DEBUG(10,("enum_domain_groups: No incoming trust for domain %s\n",
124 domain->name));
125 status = NT_STATUS_OK;
126 goto done;
127 }
128
129 status = cm_connect_sam(domain, tmp_ctx, false, &samr_pipe, &dom_pol);
130 if (!NT_STATUS_IS_OK(status)) {
131 goto done;
132 }
133
134 status = rpc_enum_dom_groups(tmp_ctx,
135 samr_pipe,
136 &dom_pol,
137 &num_info,
138 &info);
139 if (!NT_STATUS_IS_OK(status)) {
140 goto done;
141 }
142
143 if (pnum_info) {
144 *pnum_info = num_info;
145 }
146
147 if (pinfo) {
148 *pinfo = talloc_move(mem_ctx, &info);
149 }
150
151 done:
152 TALLOC_FREE(tmp_ctx);
153 return status;
154 }
155
156 /* List all domain groups */
157
158 static NTSTATUS msrpc_enum_local_groups(struct winbindd_domain *domain,
159 TALLOC_CTX *mem_ctx,
160 uint32_t *pnum_info,
161 struct wb_acct_info **pinfo)
162 {
163 struct rpc_pipe_client *samr_pipe;
164 struct policy_handle dom_pol;
165 struct wb_acct_info *info = NULL;
166 uint32_t num_info = 0;
167 TALLOC_CTX *tmp_ctx;
168 NTSTATUS status;
169
170 DEBUG(3,("msrpc_enum_local_groups\n"));
171
172 if (pnum_info) {
173 *pnum_info = 0;
174 }
175
176 tmp_ctx = talloc_stackframe();
177 if (tmp_ctx == NULL) {
178 return NT_STATUS_NO_MEMORY;
179 }
180
181 if ( !winbindd_can_contact_domain( domain ) ) {
182 DEBUG(10,("enum_local_groups: No incoming trust for domain %s\n",
183 domain->name));
184 status = NT_STATUS_OK;
185 goto done;
186 }
187
188 status = cm_connect_sam(domain, tmp_ctx, false, &samr_pipe, &dom_pol);
189 if (!NT_STATUS_IS_OK(status)) {
190 goto done;
191 }
192
193 status = rpc_enum_local_groups(mem_ctx,
194 samr_pipe,
195 &dom_pol,
196 &num_info,
197 &info);
198 if (!NT_STATUS_IS_OK(status)) {
199 goto done;
200 }
201
202 if (pnum_info) {
203 *pnum_info = num_info;
204 }
205
206 if (pinfo) {
207 *pinfo = talloc_move(mem_ctx, &info);
208 }
209
210 done:
211 TALLOC_FREE(tmp_ctx);
212 return status;
213 }
214
215 /* convert a single name to a sid in a domain */
216 static NTSTATUS msrpc_name_to_sid(struct winbindd_domain *domain,
217 TALLOC_CTX *mem_ctx,
218 const char *domain_name,
219 const char *name,
220 uint32_t flags,
221 const char **pdom_name,
222 struct dom_sid *sid,
223 enum lsa_SidType *type)
224 {
225 NTSTATUS result;
226 struct dom_sid *sids = NULL;
227 enum lsa_SidType *types = NULL;
228 char *full_name = NULL;
229 const char *names[1];
230 const char **domains;
231 NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL;
232 char *mapped_name = NULL;
233
234 if (name == NULL || *name=='\0') {
235 full_name = talloc_asprintf(mem_ctx, "%s", domain_name);
236 } else if (domain_name == NULL || *domain_name == '\0') {
237 full_name = talloc_asprintf(mem_ctx, "%s", name);
238 } else {
239 full_name = talloc_asprintf(mem_ctx, "%s\\%s", domain_name, name);
240 }
241 if (!full_name) {
242 DEBUG(0, ("talloc_asprintf failed!\n"));
243 return NT_STATUS_NO_MEMORY;
244 }
245
246 DEBUG(3, ("msrpc_name_to_sid: name=%s\n", full_name));
247
248 name_map_status = normalize_name_unmap(mem_ctx, full_name,
249 &mapped_name);
250
251 /* Reset the full_name pointer if we mapped anything */
252
253 if (NT_STATUS_IS_OK(name_map_status) ||
254 NT_STATUS_EQUAL(name_map_status, NT_STATUS_FILE_RENAMED))
255 {
256 full_name = mapped_name;
257 }
258
259 DEBUG(3,("name_to_sid [rpc] %s for domain %s\n",
260 full_name?full_name:"", domain_name ));
261
262 names[0] = full_name;
263
264 result = winbindd_lookup_names(mem_ctx, domain, 1,
265 names, &domains,
266 &sids, &types);
267 if (!NT_STATUS_IS_OK(result))
268 return result;
269
270 /* Return rid and type if lookup successful */
271
272 if (pdom_name != NULL) {
273 const char *dom_name;
274
275 dom_name = talloc_strdup(mem_ctx, domains[0]);
276 if (dom_name == NULL) {
277 return NT_STATUS_NO_MEMORY;
278 }
279
280 *pdom_name = dom_name;
281 }
282
283 sid_copy(sid, &sids[0]);
284 *type = types[0];
285
286 return NT_STATUS_OK;
287 }
288
289 /*
290 convert a domain SID to a user or group name
291 */
292 static NTSTATUS msrpc_sid_to_name(struct winbindd_domain *domain,
293 TALLOC_CTX *mem_ctx,
294 const struct dom_sid *sid,
295 char **domain_name,
296 char **name,
297 enum lsa_SidType *type)
298 {
299 char **domains;
300 char **names;
301 enum lsa_SidType *types = NULL;
302 NTSTATUS result;
303 NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL;
304 char *mapped_name = NULL;
305 struct dom_sid_buf buf;
306
307 DEBUG(3, ("msrpc_sid_to_name: %s for domain %s\n",
308 dom_sid_str_buf(sid, &buf),
309 domain->name));
310
311 result = winbindd_lookup_sids(mem_ctx,
312 domain,
313 1,
314 sid,
315 &domains,
316 &names,
317 &types);
318 if (!NT_STATUS_IS_OK(result)) {
319 DEBUG(2,("msrpc_sid_to_name: failed to lookup sids: %s\n",
320 nt_errstr(result)));
321 return result;
322 }
323
324
325 *type = (enum lsa_SidType)types[0];
326 *domain_name = domains[0];
327 *name = names[0];
328
329 DEBUG(5,("Mapped sid to [%s]\\[%s]\n", domains[0], *name));
330
331 name_map_status = normalize_name_map(mem_ctx, domain->name, *name,
332 &mapped_name);
333 if (NT_STATUS_IS_OK(name_map_status) ||
334 NT_STATUS_EQUAL(name_map_status, NT_STATUS_FILE_RENAMED))
335 {
336 *name = mapped_name;
337 DEBUG(5,("returning mapped name -- %s\n", *name));
338 }
339
340 return NT_STATUS_OK;
341 }
342
343 static NTSTATUS msrpc_rids_to_names(struct winbindd_domain *domain,
344 TALLOC_CTX *mem_ctx,
345 const struct dom_sid *sid,
346 uint32_t *rids,
347 size_t num_rids,
348 char **domain_name,
349 char ***names,
350 enum lsa_SidType **types)
351 {
352 char **domains;
353 NTSTATUS result;
354 struct dom_sid *sids;
355 size_t i;
356 char **ret_names;
357
358 DEBUG(3, ("msrpc_rids_to_names: domain %s\n", domain->name ));
359
360 if (num_rids) {
361 sids = talloc_array(mem_ctx, struct dom_sid, num_rids);
362 if (sids == NULL) {
363 return NT_STATUS_NO_MEMORY;
364 }
365 } else {
366 sids = NULL;
367 }
368
369 for (i=0; i<num_rids; i++) {
370 if (!sid_compose(&sids[i], sid, rids[i])) {
371 return NT_STATUS_INTERNAL_ERROR;
372 }
373 }
374
375 result = winbindd_lookup_sids(mem_ctx,
376 domain,
377 num_rids,
378 sids,
379 &domains,
380 names,
381 types);
382
383 if (!NT_STATUS_IS_OK(result) &&
384 !NT_STATUS_EQUAL(result, STATUS_SOME_UNMAPPED)) {
385 return result;
386 }
387
388 ret_names = *names;
389 for (i=0; i<num_rids; i++) {
390 NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL;
391 char *mapped_name = NULL;
392
393 if ((*types)[i] != SID_NAME_UNKNOWN) {
394 name_map_status = normalize_name_map(mem_ctx,
395 domain->name,
396 ret_names[i],
397 &mapped_name);
398 if (NT_STATUS_IS_OK(name_map_status) ||
399 NT_STATUS_EQUAL(name_map_status, NT_STATUS_FILE_RENAMED))
400 {
401 ret_names[i] = mapped_name;
402 }
403
404 *domain_name = domains[i];
405 }
406 }
407
408 return result;
409 }
410
411 /* Lookup groups a user is a member of. I wish Unix had a call like this! */
412 static NTSTATUS msrpc_lookup_usergroups(struct winbindd_domain *domain,
413 TALLOC_CTX *mem_ctx,
414 const struct dom_sid *user_sid,
415 uint32_t *pnum_groups,
416 struct dom_sid **puser_grpsids)
417 {
418 struct rpc_pipe_client *samr_pipe;
419 struct policy_handle dom_pol;
420 struct dom_sid *user_grpsids = NULL;
421 struct dom_sid_buf buf;
422 uint32_t num_groups = 0;
423 TALLOC_CTX *tmp_ctx;
424 NTSTATUS status;
425
426 DEBUG(3,("msrpc_lookup_usergroups sid=%s\n",
427 dom_sid_str_buf(user_sid, &buf)));
428
429 *pnum_groups = 0;
430
431 tmp_ctx = talloc_stackframe();
432 if (tmp_ctx == NULL) {
433 return NT_STATUS_NO_MEMORY;
434 }
435
436 /* Check if we have a cached user_info_3 */
437 status = lookup_usergroups_cached(tmp_ctx,
438 user_sid,
439 &num_groups,
440 &user_grpsids);
441 if (NT_STATUS_IS_OK(status)) {
442 goto cached;
443 }
444
445 if ( !winbindd_can_contact_domain( domain ) ) {
446 DEBUG(10,("lookup_usergroups: No incoming trust for domain %s\n",
447 domain->name));
448
449 /* Tell the cache manager not to remember this one */
450 status = NT_STATUS_SYNCHRONIZATION_REQUIRED;
451 goto done;
452 }
453
454 /* no cache; hit the wire */
455 status = cm_connect_sam(domain, tmp_ctx, false, &samr_pipe, &dom_pol);
456 if (!NT_STATUS_IS_OK(status)) {
457 goto done;
458 }
459
460 status = rpc_lookup_usergroups(tmp_ctx,
461 samr_pipe,
462 &dom_pol,
463 &domain->sid,
464 user_sid,
465 &num_groups,
466 &user_grpsids);
467 if (!NT_STATUS_IS_OK(status)) {
468 goto done;
469 }
470
471 cached:
472 *pnum_groups = num_groups;
473
474 if (puser_grpsids) {
475 *puser_grpsids = talloc_move(mem_ctx, &user_grpsids);
476 }
477
478 done:
479 TALLOC_FREE(tmp_ctx);
480 return status;
481 return NT_STATUS_OK;
482 }
483
484 #define MAX_SAM_ENTRIES_W2K 0x400 /* 1024 */
485
486 static NTSTATUS msrpc_lookup_useraliases(struct winbindd_domain *domain,
487 TALLOC_CTX *mem_ctx,
488 uint32_t num_sids, const struct dom_sid *sids,
489 uint32_t *pnum_aliases,
490 uint32_t **palias_rids)
491 {
492 struct rpc_pipe_client *samr_pipe;
493 struct policy_handle dom_pol;
494 uint32_t num_aliases = 0;
495 uint32_t *alias_rids = NULL;
496 TALLOC_CTX *tmp_ctx;
497 NTSTATUS status;
498
499 DEBUG(3,("msrpc_lookup_useraliases\n"));
500
501 if (pnum_aliases) {
502 *pnum_aliases = 0;
503 }
504
505 tmp_ctx = talloc_stackframe();
506 if (tmp_ctx == NULL) {
507 return NT_STATUS_NO_MEMORY;
508 }
509
510 if (!winbindd_can_contact_domain(domain)) {
511 DEBUG(10,("msrpc_lookup_useraliases: No incoming trust for domain %s\n",
512 domain->name));
513 /* Tell the cache manager not to remember this one */
514 status = NT_STATUS_SYNCHRONIZATION_REQUIRED;
515 goto done;
516 }
517
518 status = cm_connect_sam(domain, tmp_ctx, false, &samr_pipe, &dom_pol);
519 if (!NT_STATUS_IS_OK(status)) {
520 goto done;
521 }
522
523 status = rpc_lookup_useraliases(tmp_ctx,
524 samr_pipe,
525 &dom_pol,
526 num_sids,
527 sids,
528 &num_aliases,
529 &alias_rids);
530 if (!NT_STATUS_IS_OK(status)) {
531 goto done;
532 }
533
534 if (pnum_aliases) {
535 *pnum_aliases = num_aliases;
536 }
537
538 if (palias_rids) {
539 *palias_rids = talloc_move(mem_ctx, &alias_rids);
540 }
541
542 done:
543 TALLOC_FREE(tmp_ctx);
544 return status;
545 }
546
547
548 /* Lookup group membership given a rid. */
549 static NTSTATUS msrpc_lookup_groupmem(struct winbindd_domain *domain,
550 TALLOC_CTX *mem_ctx,
551 const struct dom_sid *group_sid,
552 enum lsa_SidType type,
553 uint32_t *num_names,
554 struct dom_sid **sid_mem,
555 char ***names,
556 uint32_t **name_types)
557 {
558 NTSTATUS status, result;
559 uint32_t i, total_names = 0;
560 struct policy_handle dom_pol, group_pol;
561 uint32_t des_access = SEC_FLAG_MAXIMUM_ALLOWED;
562 uint32_t *rid_mem = NULL;
563 uint32_t group_rid;
564 unsigned int j, r;
565 struct rpc_pipe_client *cli;
566 unsigned int orig_timeout;
567 struct samr_RidAttrArray *rids = NULL;
568 struct dcerpc_binding_handle *b;
569 struct dom_sid_buf buf;
570
571 DEBUG(3,("msrpc_lookup_groupmem: %s sid=%s\n", domain->name,
572 dom_sid_str_buf(group_sid, &buf)));
573
574 if ( !winbindd_can_contact_domain( domain ) ) {
575 DEBUG(10,("lookup_groupmem: No incoming trust for domain %s\n",
576 domain->name));
577 return NT_STATUS_OK;
578 }
579
580 if (!sid_peek_check_rid(&domain->sid, group_sid, &group_rid))
581 return NT_STATUS_UNSUCCESSFUL;
582
583 *num_names = 0;
584
585 result = cm_connect_sam(domain, mem_ctx, false, &cli, &dom_pol);
586 if (!NT_STATUS_IS_OK(result))
587 return result;
588
589 b = cli->binding_handle;
590
591 status = dcerpc_samr_OpenGroup(b, mem_ctx,
592 &dom_pol,
593 des_access,
594 group_rid,
595 &group_pol,
596 &result);
597 if (any_nt_status_not_ok(status, result, &status)) {
598 return status;
599 }
600
601 /* Step #1: Get a list of user rids that are the members of the
602 group. */
603
604 /* This call can take a long time - allow the server to time out.
605 35 seconds should do it. */
606
607 orig_timeout = rpccli_set_timeout(cli, 35000);
608
609 status = dcerpc_samr_QueryGroupMember(b, mem_ctx,
610 &group_pol,
611 &rids,
612 &result);
613
614 /* And restore our original timeout. */
615 rpccli_set_timeout(cli, orig_timeout);
616
617 {
618 NTSTATUS _result;
619 dcerpc_samr_Close(b, mem_ctx, &group_pol, &_result);
620 }
621
622 if (any_nt_status_not_ok(status, result, &status)) {
623 return status;
624 }
625
626 if (!rids || !rids->count) {
627 names = NULL;
628 name_types = NULL;
629 sid_mem = NULL;
630 return NT_STATUS_OK;
631 }
632
633 *num_names = rids->count;
634 rid_mem = rids->rids;
635
636 /* Step #2: Convert list of rids into list of usernames. Do this
637 in bunches of ~1000 to avoid crashing NT4. It looks like there
638 is a buffer overflow or something like that lurking around
639 somewhere. */
640
641 #define MAX_LOOKUP_RIDS 900
642
643 *names = talloc_zero_array(mem_ctx, char *, *num_names);
644 *name_types = talloc_zero_array(mem_ctx, uint32_t, *num_names);
645 *sid_mem = talloc_zero_array(mem_ctx, struct dom_sid, *num_names);
646
647 for (j=0;j<(*num_names);j++)
648 sid_compose(&(*sid_mem)[j], &domain->sid, rid_mem[j]);
649
650 if (*num_names>0 && (!*names || !*name_types))
651 return NT_STATUS_NO_MEMORY;
652
653 for (i = 0; i < *num_names; i += MAX_LOOKUP_RIDS) {
654 int num_lookup_rids = MIN(*num_names - i, MAX_LOOKUP_RIDS);
655 struct lsa_Strings tmp_names;
656 struct samr_Ids tmp_types;
657
658 /* Lookup a chunk of rids */
659
660 status = dcerpc_samr_LookupRids(b, mem_ctx,
661 &dom_pol,
662 num_lookup_rids,
663 &rid_mem[i],
664 &tmp_names,
665 &tmp_types,
666 &result);
667 if (!NT_STATUS_IS_OK(status)) {
668 return status;
669 }
670
671 /* see if we have a real error (and yes the
672 STATUS_SOME_UNMAPPED is the one returned from 2k) */
673
674 if (!NT_STATUS_IS_OK(result) &&
675 !NT_STATUS_EQUAL(result, STATUS_SOME_UNMAPPED))
676 return result;
677
678 /* Copy result into array. The talloc system will take
679 care of freeing the temporary arrays later on. */
680
681 if (tmp_names.count != num_lookup_rids) {
682 return NT_STATUS_INVALID_NETWORK_RESPONSE;
683 }
684 if (tmp_types.count != num_lookup_rids) {
685 return NT_STATUS_INVALID_NETWORK_RESPONSE;
686 }
687
688 for (r=0; r<tmp_names.count; r++) {
689 if (tmp_types.ids[r] == SID_NAME_UNKNOWN) {
690 continue;
691 }
692 if (total_names >= *num_names) {
693 break;
694 }
695 (*names)[total_names] = fill_domain_username_talloc(
696 mem_ctx, domain->name,
697 tmp_names.names[r].string, true);
698 (*name_types)[total_names] = tmp_types.ids[r];
699 total_names += 1;
700 }
701 }
702
703 *num_names = total_names;
704
705 return NT_STATUS_OK;
706 }
707
708 /* get a list of trusted domains */
709 static NTSTATUS msrpc_trusted_domains(struct winbindd_domain *domain,
710 TALLOC_CTX *mem_ctx,
711 struct netr_DomainTrustList *ptrust_list)
712 {
713 struct rpc_pipe_client *lsa_pipe;
714 struct policy_handle lsa_policy;
715 struct netr_DomainTrust *trusts = NULL;
716 uint32_t num_trusts = 0;
717 TALLOC_CTX *tmp_ctx;
718 NTSTATUS status;
719
720 DEBUG(3,("msrpc_trusted_domains\n"));
721
722 if (ptrust_list) {
723 ZERO_STRUCTP(ptrust_list);
724 }
725
726 tmp_ctx = talloc_stackframe();
727 if (tmp_ctx == NULL) {
728 return NT_STATUS_NO_MEMORY;
729 }
730
731 status = cm_connect_lsa(domain, tmp_ctx, &lsa_pipe, &lsa_policy);
732 if (!NT_STATUS_IS_OK(status)) {
733 goto done;
734 }
735
736 status = rpc_trusted_domains(tmp_ctx,
737 lsa_pipe,
738 &lsa_policy,
739 &num_trusts,
740 &trusts);
741 if (!NT_STATUS_IS_OK(status)) {
742 goto done;
743 }
744
745 if (ptrust_list) {
746 ptrust_list->count = num_trusts;
747 ptrust_list->array = talloc_move(mem_ctx, &trusts);
748 }
749
750 done:
751 TALLOC_FREE(tmp_ctx);
752 return status;
753 }
754
755 /* find the lockout policy for a domain */
756 static NTSTATUS msrpc_lockout_policy(struct winbindd_domain *domain,
757 TALLOC_CTX *mem_ctx,
758 struct samr_DomInfo12 *lockout_policy)
759 {
760 NTSTATUS status, result;
761 struct rpc_pipe_client *cli;
762 struct policy_handle dom_pol;
763 union samr_DomainInfo *info = NULL;
764 struct dcerpc_binding_handle *b;
765
766 DEBUG(3, ("msrpc_lockout_policy: fetch lockout policy for %s\n", domain->name));
767
768 if ( !winbindd_can_contact_domain( domain ) ) {
769 DEBUG(10,("msrpc_lockout_policy: No incoming trust for domain %s\n",
770 domain->name));
771 return NT_STATUS_NOT_SUPPORTED;
772 }
773
774 status = cm_connect_sam(domain, mem_ctx, false, &cli, &dom_pol);
775 if (!NT_STATUS_IS_OK(status)) {
776 goto done;
777 }
778
779 b = cli->binding_handle;
780
781 status = dcerpc_samr_QueryDomainInfo(b, mem_ctx,
782 &dom_pol,
783 DomainLockoutInformation,
784 &info,
785 &result);
786 if (any_nt_status_not_ok(status, result, &status)) {
787 return status;
788 }
789
790 *lockout_policy = info->info12;
791
792 DEBUG(10,("msrpc_lockout_policy: lockout_threshold %d\n",
793 info->info12.lockout_threshold));
794
795 done:
796
797 return status;
798 }
799
800 /* find the password policy for a domain */
801 static NTSTATUS msrpc_password_policy(struct winbindd_domain *domain,
802 TALLOC_CTX *mem_ctx,
803 struct samr_DomInfo1 *password_policy)
804 {
805 NTSTATUS status, result;
806 struct rpc_pipe_client *cli;
807 struct policy_handle dom_pol;
808 union samr_DomainInfo *info = NULL;
809 struct dcerpc_binding_handle *b;
810
811 DEBUG(3, ("msrpc_password_policy: fetch password policy for %s\n",
812 domain->name));
813
814 if ( !winbindd_can_contact_domain( domain ) ) {
815 DEBUG(10,("msrpc_password_policy: No incoming trust for domain %s\n",
816 domain->name));
817 return NT_STATUS_NOT_SUPPORTED;
818 }
819
820 status = cm_connect_sam(domain, mem_ctx, false, &cli, &dom_pol);
821 if (!NT_STATUS_IS_OK(status)) {
822 goto done;
823 }
824
825 b = cli->binding_handle;
826
827 status = dcerpc_samr_QueryDomainInfo(b, mem_ctx,
828 &dom_pol,
829 DomainPasswordInformation,
830 &info,
831 &result);
832 if (!NT_STATUS_IS_OK(status)) {
833 goto done;
834 }
835 if (!NT_STATUS_IS_OK(result)) {
836 goto done;
837 }
838
839 *password_policy = info->info1;
840
841 DEBUG(10,("msrpc_password_policy: min_length_password %d\n",
842 info->info1.min_password_length));
843
844 done:
845
846 return status;
847 }
848
849 static enum lsa_LookupNamesLevel winbindd_lookup_level(
850 struct winbindd_domain *domain)
851 {
852 enum lsa_LookupNamesLevel level = LSA_LOOKUP_NAMES_DOMAINS_ONLY;
853
854 if (domain->internal) {
855 level = LSA_LOOKUP_NAMES_ALL;
856 } else if (domain->secure_channel_type == SEC_CHAN_DNS_DOMAIN) {
857 if (domain->domain_flags & NETR_TRUST_FLAG_IN_FOREST) {
858 /*
859 * TODO:
860 *
861 * Depending on what we want to resolve. We need to use:
862 * 1. LsapLookupXForestReferral(5)/LSA_LOOKUP_NAMES_FOREST_TRUSTS_ONLY
863 * if we want to pass the request into the direction of the forest
864 * root domain. The forest root domain uses
865 * LsapLookupXForestResolve(6)/LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2
866 * when passing the request to trusted forests.
867 * 2. LsapLookupGC(4)/LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY
868 * if we're not a GC and want to resolve a name within our own forest.
869 *
870 * As we don't support more than one domain in our own forest
871 * and always try to be a GC for now, we just set
872 * LSA_LOOKUP_NAMES_FOREST_TRUSTS_ONLY.
873 */
874 level = LSA_LOOKUP_NAMES_FOREST_TRUSTS_ONLY;
875 } else if (domain->domain_trust_attribs & LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) {
876 /*
877 * This is LsapLookupXForestResolve(6)/LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2
878 */
879 level = LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2;
880 } else {
881 /*
882 * This is LsapLookupTDL(3)/LSA_LOOKUP_NAMES_PRIMARY_DOMAIN_ONLY
883 */
884 level = LSA_LOOKUP_NAMES_PRIMARY_DOMAIN_ONLY;
885 }
886 } else if (domain->secure_channel_type == SEC_CHAN_DOMAIN) {
887 /*
888 * This is LsapLookupTDL(3)/LSA_LOOKUP_NAMES_PRIMARY_DOMAIN_ONLY
889 */
890 level = LSA_LOOKUP_NAMES_PRIMARY_DOMAIN_ONLY;
891 } else if (domain->rodc) {
892 level = LSA_LOOKUP_NAMES_RODC_REFERRAL_TO_FULL_DC;
893 } else {
894 /*
895 * This is LsapLookupPDC(2)/LSA_LOOKUP_NAMES_DOMAINS_ONLY
896 */
897 level = LSA_LOOKUP_NAMES_DOMAINS_ONLY;
898 }
899
900 return level;
901 }
902
903 NTSTATUS winbindd_lookup_sids(TALLOC_CTX *mem_ctx,
904 struct winbindd_domain *domain,
905 uint32_t num_sids,
906 const struct dom_sid *sids,
907 char ***domains,
908 char ***names,
909 enum lsa_SidType **types)
910 {
911 NTSTATUS status;
912 NTSTATUS result;
913 struct rpc_pipe_client *cli = NULL;
914 struct dcerpc_binding_handle *b = NULL;
915 struct policy_handle lsa_policy;
916 unsigned int orig_timeout;
917 bool use_lookupsids3 = false;
918 bool retried = false;
919 enum lsa_LookupNamesLevel level = LSA_LOOKUP_NAMES_ALL;
920
921 connect:
922 status = cm_connect_lsat(domain, mem_ctx, &cli, &lsa_policy);
923 if (!NT_STATUS_IS_OK(status)) {
924 return status;
925 }
926
927 b = cli->binding_handle;
928
929 if (cli->transport->transport == NCACN_IP_TCP) {
930 use_lookupsids3 = true;
931 }
932
933 level = winbindd_lookup_level(domain);
934
935 /*
936 * This call can take a long time
937 * allow the server to time out.
938 * 35 seconds should do it.
939 */
940 orig_timeout = dcerpc_binding_handle_set_timeout(b, 35000);
941
942 status = dcerpc_lsa_lookup_sids_generic(b,
943 mem_ctx,
944 &lsa_policy,
945 num_sids,
946 sids,
947 level,
948 domains,
949 names,
950 types,
951 use_lookupsids3,
952 &result);
953
954 /* And restore our original timeout. */
955 dcerpc_binding_handle_set_timeout(b, orig_timeout);
956
957 if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) ||
958 NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR) ||
959 NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED)) {
960 /*
961 * This can happen if the schannel key is not
962 * valid anymore, we need to invalidate the
963 * all connections to the dc and reestablish
964 * a netlogon connection first.
965 */
966 invalidate_cm_connection(domain);
967 domain->can_do_ncacn_ip_tcp = domain->active_directory;
968 if (!retried) {
969 retried = true;
970 goto connect;
971 }
972 status = NT_STATUS_ACCESS_DENIED;
973 }
974
975 if (any_nt_status_not_ok(status, result, &status)) {
976 return status;
977 }
978
979 return NT_STATUS_OK;
980 }
981
982 static NTSTATUS winbindd_lookup_names(TALLOC_CTX *mem_ctx,
983 struct winbindd_domain *domain,
984 uint32_t num_names,
985 const char **names,
986 const char ***domains,
987 struct dom_sid **sids,
988 enum lsa_SidType **types)
989 {
990 NTSTATUS status;
991 NTSTATUS result;
992 struct rpc_pipe_client *cli = NULL;
993 struct dcerpc_binding_handle *b = NULL;
994 struct policy_handle lsa_policy;
995 unsigned int orig_timeout = 0;
996 bool use_lookupnames4 = false;
997 bool retried = false;
998 enum lsa_LookupNamesLevel level = LSA_LOOKUP_NAMES_ALL;
999
1000 connect:
1001 status = cm_connect_lsat(domain, mem_ctx, &cli, &lsa_policy);
1002 if (!NT_STATUS_IS_OK(status)) {
1003 return status;
1004 }
1005
1006 b = cli->binding_handle;
1007
1008 if (cli->transport->transport == NCACN_IP_TCP) {
1009 use_lookupnames4 = true;
1010 }
1011
1012 level = winbindd_lookup_level(domain);
1013
1014 /*
1015 * This call can take a long time
1016 * allow the server to time out.
1017 * 35 seconds should do it.
1018 */
1019 orig_timeout = dcerpc_binding_handle_set_timeout(b, 35000);
1020
1021 status = dcerpc_lsa_lookup_names_generic(b,
1022 mem_ctx,
1023 &lsa_policy,
1024 num_names,
1025 (const char **) names,
1026 domains,
1027 level,
1028 sids,
1029 types,
1030 use_lookupnames4,
1031 &result);
1032
1033 /* And restore our original timeout. */
1034 dcerpc_binding_handle_set_timeout(b, orig_timeout);
1035
1036 if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) ||
1037 NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR) ||
1038 NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED)) {
1039 /*
1040 * This can happen if the schannel key is not
1041 * valid anymore, we need to invalidate the
1042 * all connections to the dc and reestablish
1043 * a netlogon connection first.
1044 */
1045 invalidate_cm_connection(domain);
1046 if (!retried) {
1047 retried = true;
1048 goto connect;
1049 }
1050 status = NT_STATUS_ACCESS_DENIED;
1051 }
1052
1053 if (any_nt_status_not_ok(status, result, &status)) {
1054 return status;
1055 }
1056
1057 return NT_STATUS_OK;
1058 }
1059
1060 /* the rpc backend methods are exposed via this structure */
1061 struct winbindd_methods msrpc_methods = {
1062 False,
1063 msrpc_query_user_list,
1064 msrpc_enum_dom_groups,
1065 msrpc_enum_local_groups,
1066 msrpc_name_to_sid,
1067 msrpc_sid_to_name,
1068 msrpc_rids_to_names,
1069 msrpc_lookup_usergroups,
1070 msrpc_lookup_useraliases,
1071 msrpc_lookup_groupmem,
1072 msrpc_lockout_policy,
1073 msrpc_password_policy,
1074 msrpc_trusted_domains,
1075 };
Samba GIT mirror