s3-rpc_server: Give log messages on failure
[Samba.git] / source3 / winbindd / winbindd_ads.c
blob4f149a757bebf75b763cc4fd0aa2feb5fb923f3d
1 /*
2 Unix SMB/CIFS implementation.
4 Winbind ADS backend functions
6 Copyright (C) Andrew Tridgell 2001
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003
8 Copyright (C) Gerald (Jerry) Carter 2004
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 #include "includes.h"
25 #include "winbindd.h"
26 #include "rpc_client/rpc_client.h"
27 #include "../librpc/gen_ndr/ndr_netlogon_c.h"
28 #include "../libds/common/flags.h"
29 #include "ads.h"
30 #include "../libcli/ldap/ldap_ndr.h"
31 #include "../libcli/security/security.h"
32 #include "../libds/common/flag_mapping.h"
33 #include "passdb.h"
35 #ifdef HAVE_ADS
37 #undef DBGC_CLASS
38 #define DBGC_CLASS DBGC_WINBIND
40 extern struct winbindd_methods reconnect_methods;
42 #define WINBIND_CCACHE_NAME "MEMORY:winbind_ccache"
44 /**
45 * Check if cached connection can be reused. If the connection cannot
46 * be reused the ADS_STRUCT is freed and the pointer is set to NULL.
48 static void ads_cached_connection_reuse(ADS_STRUCT **adsp)
51 ADS_STRUCT *ads = *adsp;
53 if (ads != NULL) {
54 time_t expire;
55 time_t now = time(NULL);
57 expire = MIN(ads->auth.tgt_expire, ads->auth.tgs_expire);
59 DEBUG(7, ("Current tickets expire in %d seconds (at %d, time "
60 "is now %d)\n", (uint32)expire - (uint32)now,
61 (uint32) expire, (uint32) now));
63 if ( ads->config.realm && (expire > now)) {
64 return;
65 } else {
66 /* we own this ADS_STRUCT so make sure it goes away */
67 DEBUG(7,("Deleting expired krb5 credential cache\n"));
68 ads->is_mine = True;
69 ads_destroy( &ads );
70 ads_kdestroy(WINBIND_CCACHE_NAME);
71 *adsp = NULL;
76 static ADS_STATUS ads_cached_connection_connect(ADS_STRUCT **adsp,
77 const char *dom_name_alt,
78 const char *dom_name,
79 const char *ldap_server,
80 char *password,
81 char *realm,
82 time_t renewable)
84 ADS_STRUCT *ads;
85 ADS_STATUS status;
86 struct sockaddr_storage dc_ss;
87 fstring dc_name;
89 if (realm == NULL) {
90 return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
93 /* we don't want this to affect the users ccache */
94 setenv("KRB5CCNAME", WINBIND_CCACHE_NAME, 1);
96 ads = ads_init(dom_name_alt, dom_name, ldap_server);
97 if (!ads) {
98 DEBUG(1,("ads_init for domain %s failed\n", dom_name));
99 return ADS_ERROR(LDAP_NO_MEMORY);
102 SAFE_FREE(ads->auth.password);
103 SAFE_FREE(ads->auth.realm);
105 ads->auth.renewable = renewable;
106 ads->auth.password = password;
108 ads->auth.realm = SMB_STRDUP(realm);
109 if (!strupper_m(ads->auth.realm)) {
110 ads_destroy(&ads);
111 return ADS_ERROR_NT(NT_STATUS_INTERNAL_ERROR);
114 /* Setup the server affinity cache. We don't reaally care
115 about the name. Just setup affinity and the KRB5_CONFIG
116 file. */
117 get_dc_name(ads->server.workgroup, ads->server.realm, dc_name, &dc_ss);
119 status = ads_connect(ads);
120 if (!ADS_ERR_OK(status)) {
121 DEBUG(1,("ads_connect for domain %s failed: %s\n",
122 dom_name, ads_errstr(status)));
123 ads_destroy(&ads);
124 return status;
127 /* set the flag that says we don't own the memory even
128 though we do so that ads_destroy() won't destroy the
129 structure we pass back by reference */
131 ads->is_mine = False;
133 *adsp = ads;
135 return status;
138 ADS_STATUS ads_idmap_cached_connection(ADS_STRUCT **adsp, const char *dom_name)
140 char *ldap_server, *realm, *password;
141 struct winbindd_domain *wb_dom;
142 ADS_STATUS status;
144 ads_cached_connection_reuse(adsp);
145 if (*adsp != NULL) {
146 return ADS_SUCCESS;
150 * At this point we only have the NetBIOS domain name.
151 * Check if we can get server nam and realm from SAF cache
152 * and the domain list.
154 ldap_server = saf_fetch(talloc_tos(), dom_name);
155 DEBUG(10, ("ldap_server from saf cache: '%s'\n",
156 ldap_server ? ldap_server : ""));
158 wb_dom = find_domain_from_name(dom_name);
159 if (wb_dom == NULL) {
160 DEBUG(10, ("could not find domain '%s'\n", dom_name));
161 return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
164 DEBUG(10, ("find_domain_from_name found realm '%s' for "
165 " domain '%s'\n", wb_dom->alt_name, dom_name));
167 if (!get_trust_pw_clear(dom_name, &password, NULL, NULL)) {
168 TALLOC_FREE(ldap_server);
169 return ADS_ERROR_NT(NT_STATUS_CANT_ACCESS_DOMAIN_INFO);
172 if (IS_DC) {
173 realm = SMB_STRDUP(wb_dom->alt_name);
174 } else {
175 struct winbindd_domain *our_domain = wb_dom;
177 /* always give preference to the alt_name in our
178 primary domain if possible */
180 if (!wb_dom->primary) {
181 our_domain = find_our_domain();
184 if (our_domain->alt_name != NULL) {
185 realm = SMB_STRDUP(our_domain->alt_name);
186 } else {
187 realm = SMB_STRDUP(lp_realm());
191 status = ads_cached_connection_connect(adsp, realm, dom_name, ldap_server,
192 password, realm, 0);
193 SAFE_FREE(realm);
194 TALLOC_FREE(ldap_server);
196 return status;
200 return our ads connections structure for a domain. We keep the connection
201 open to make things faster
203 static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain)
205 ADS_STATUS status;
206 char *password, *realm;
208 DEBUG(10,("ads_cached_connection\n"));
209 ads_cached_connection_reuse((ADS_STRUCT **)&domain->private_data);
211 if (domain->private_data) {
212 return (ADS_STRUCT *)domain->private_data;
215 /* the machine acct password might have change - fetch it every time */
217 if (!get_trust_pw_clear(domain->name, &password, NULL, NULL)) {
218 return NULL;
221 if ( IS_DC ) {
223 realm = SMB_STRDUP(domain->alt_name);
225 else {
226 struct winbindd_domain *our_domain = domain;
229 /* always give preference to the alt_name in our
230 primary domain if possible */
232 if ( !domain->primary )
233 our_domain = find_our_domain();
235 if (our_domain->alt_name != NULL) {
236 realm = SMB_STRDUP( our_domain->alt_name );
238 else
239 realm = SMB_STRDUP( lp_realm() );
242 status = ads_cached_connection_connect(
243 (ADS_STRUCT **)&domain->private_data,
244 domain->alt_name,
245 domain->name, NULL,
246 password, realm,
247 WINBINDD_PAM_AUTH_KRB5_RENEW_TIME);
248 SAFE_FREE(realm);
250 if (!ADS_ERR_OK(status)) {
251 /* if we get ECONNREFUSED then it might be a NT4
252 server, fall back to MSRPC */
253 if (status.error_type == ENUM_ADS_ERROR_SYSTEM &&
254 status.err.rc == ECONNREFUSED) {
255 /* 'reconnect_methods' is the MS-RPC backend. */
256 DEBUG(1,("Trying MSRPC methods\n"));
257 domain->backend = &reconnect_methods;
259 return NULL;
262 return (ADS_STRUCT *)domain->private_data;
265 /* Query display info for a realm. This is the basic user list fn */
266 static NTSTATUS query_user_list(struct winbindd_domain *domain,
267 TALLOC_CTX *mem_ctx,
268 uint32 *num_entries,
269 struct wbint_userinfo **pinfo)
271 ADS_STRUCT *ads = NULL;
272 const char *attrs[] = { "*", NULL };
273 int i, count;
274 ADS_STATUS rc;
275 LDAPMessage *res = NULL;
276 LDAPMessage *msg = NULL;
277 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
279 *num_entries = 0;
281 DEBUG(3,("ads: query_user_list\n"));
283 if ( !winbindd_can_contact_domain( domain ) ) {
284 DEBUG(10,("query_user_list: No incoming trust for domain %s\n",
285 domain->name));
286 return NT_STATUS_OK;
289 ads = ads_cached_connection(domain);
291 if (!ads) {
292 domain->last_status = NT_STATUS_SERVER_DISABLED;
293 goto done;
296 rc = ads_search_retry(ads, &res, "(objectCategory=user)", attrs);
297 if (!ADS_ERR_OK(rc)) {
298 DEBUG(1,("query_user_list ads_search: %s\n", ads_errstr(rc)));
299 status = ads_ntstatus(rc);
300 goto done;
301 } else if (!res) {
302 DEBUG(1,("query_user_list ads_search returned NULL res\n"));
303 goto done;
306 count = ads_count_replies(ads, res);
307 if (count == 0) {
308 DEBUG(1,("query_user_list: No users found\n"));
309 goto done;
312 (*pinfo) = talloc_zero_array(mem_ctx, struct wbint_userinfo, count);
313 if (!*pinfo) {
314 status = NT_STATUS_NO_MEMORY;
315 goto done;
318 count = 0;
320 for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
321 struct wbint_userinfo *info = &((*pinfo)[count]);
322 uint32 group;
323 uint32 atype;
325 if (!ads_pull_uint32(ads, msg, "sAMAccountType", &atype) ||
326 ds_atype_map(atype) != SID_NAME_USER) {
327 DEBUG(1,("Not a user account? atype=0x%x\n", atype));
328 continue;
331 info->acct_name = ads_pull_username(ads, mem_ctx, msg);
332 info->full_name = ads_pull_string(ads, mem_ctx, msg, "name");
333 info->homedir = NULL;
334 info->shell = NULL;
335 info->primary_gid = (gid_t)-1;
337 if (!ads_pull_sid(ads, msg, "objectSid",
338 &info->user_sid)) {
339 DEBUG(1, ("No sid for %s !?\n", info->acct_name));
340 continue;
343 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &group)) {
344 DEBUG(1, ("No primary group for %s !?\n",
345 info->acct_name));
346 continue;
348 sid_compose(&info->group_sid, &domain->sid, group);
350 count += 1;
353 (*num_entries) = count;
354 ads_msgfree(ads, res);
356 for (i=0; i<count; i++) {
357 struct wbint_userinfo *info = &((*pinfo)[i]);
358 const char *gecos = NULL;
359 gid_t primary_gid = (gid_t)-1;
361 status = nss_get_info_cached(domain, &info->user_sid, mem_ctx,
362 &info->homedir, &info->shell,
363 &gecos, &primary_gid);
364 if (!NT_STATUS_IS_OK(status)) {
366 * Deliberately ignore this error, there might be more
367 * users to fill
369 continue;
372 if (gecos != NULL) {
373 info->full_name = gecos;
375 info->primary_gid = primary_gid;
378 status = NT_STATUS_OK;
380 DEBUG(3,("ads query_user_list gave %d entries\n", (*num_entries)));
382 done:
383 return status;
386 /* list all domain groups */
387 static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
388 TALLOC_CTX *mem_ctx,
389 uint32 *num_entries,
390 struct wb_acct_info **info)
392 ADS_STRUCT *ads = NULL;
393 const char *attrs[] = {"userPrincipalName", "sAMAccountName",
394 "name", "objectSid", NULL};
395 int i, count;
396 ADS_STATUS rc;
397 LDAPMessage *res = NULL;
398 LDAPMessage *msg = NULL;
399 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
400 const char *filter;
401 bool enum_dom_local_groups = False;
403 *num_entries = 0;
405 DEBUG(3,("ads: enum_dom_groups\n"));
407 if ( !winbindd_can_contact_domain( domain ) ) {
408 DEBUG(10,("enum_dom_groups: No incoming trust for domain %s\n",
409 domain->name));
410 return NT_STATUS_OK;
413 /* only grab domain local groups for our domain */
414 if ( domain->active_directory && strequal(lp_realm(), domain->alt_name) ) {
415 enum_dom_local_groups = True;
418 /* Workaround ADS LDAP bug present in MS W2K3 SP0 and W2K SP4 w/o
419 * rollup-fixes:
421 * According to Section 5.1(4) of RFC 2251 if a value of a type is it's
422 * default value, it MUST be absent. In case of extensible matching the
423 * "dnattr" boolean defaults to FALSE and so it must be only be present
424 * when set to TRUE.
426 * When it is set to FALSE and the OpenLDAP lib (correctly) encodes a
427 * filter using bitwise matching rule then the buggy AD fails to decode
428 * the extensible match. As a workaround set it to TRUE and thereby add
429 * the dnAttributes "dn" field to cope with those older AD versions.
430 * It should not harm and won't put any additional load on the AD since
431 * none of the dn components have a bitmask-attribute.
433 * Thanks to Ralf Haferkamp for input and testing - Guenther */
435 filter = talloc_asprintf(mem_ctx, "(&(objectCategory=group)(&(groupType:dn:%s:=%d)(!(groupType:dn:%s:=%d))))",
436 ADS_LDAP_MATCHING_RULE_BIT_AND, GROUP_TYPE_SECURITY_ENABLED,
437 ADS_LDAP_MATCHING_RULE_BIT_AND,
438 enum_dom_local_groups ? GROUP_TYPE_BUILTIN_LOCAL_GROUP : GROUP_TYPE_RESOURCE_GROUP);
440 if (filter == NULL) {
441 status = NT_STATUS_NO_MEMORY;
442 goto done;
445 ads = ads_cached_connection(domain);
447 if (!ads) {
448 domain->last_status = NT_STATUS_SERVER_DISABLED;
449 goto done;
452 rc = ads_search_retry(ads, &res, filter, attrs);
453 if (!ADS_ERR_OK(rc)) {
454 status = ads_ntstatus(rc);
455 DEBUG(1,("enum_dom_groups ads_search: %s\n", ads_errstr(rc)));
456 goto done;
457 } else if (!res) {
458 DEBUG(1,("enum_dom_groups ads_search returned NULL res\n"));
459 goto done;
462 count = ads_count_replies(ads, res);
463 if (count == 0) {
464 DEBUG(1,("enum_dom_groups: No groups found\n"));
465 goto done;
468 (*info) = talloc_zero_array(mem_ctx, struct wb_acct_info, count);
469 if (!*info) {
470 status = NT_STATUS_NO_MEMORY;
471 goto done;
474 i = 0;
476 for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
477 char *name, *gecos;
478 struct dom_sid sid;
479 uint32 rid;
481 name = ads_pull_username(ads, mem_ctx, msg);
482 gecos = ads_pull_string(ads, mem_ctx, msg, "name");
483 if (!ads_pull_sid(ads, msg, "objectSid", &sid)) {
484 DEBUG(1,("No sid for %s !?\n", name));
485 continue;
488 if (!sid_peek_check_rid(&domain->sid, &sid, &rid)) {
489 DEBUG(1,("No rid for %s !?\n", name));
490 continue;
493 fstrcpy((*info)[i].acct_name, name);
494 fstrcpy((*info)[i].acct_desc, gecos);
495 (*info)[i].rid = rid;
496 i++;
499 (*num_entries) = i;
501 status = NT_STATUS_OK;
503 DEBUG(3,("ads enum_dom_groups gave %d entries\n", (*num_entries)));
505 done:
506 if (res)
507 ads_msgfree(ads, res);
509 return status;
512 /* list all domain local groups */
513 static NTSTATUS enum_local_groups(struct winbindd_domain *domain,
514 TALLOC_CTX *mem_ctx,
515 uint32 *num_entries,
516 struct wb_acct_info **info)
519 * This is a stub function only as we returned the domain
520 * local groups in enum_dom_groups() if the domain->native field
521 * was true. This is a simple performance optimization when
522 * using LDAP.
524 * if we ever need to enumerate domain local groups separately,
525 * then this optimization in enum_dom_groups() will need
526 * to be split out
528 *num_entries = 0;
530 return NT_STATUS_OK;
533 /* convert a single name to a sid in a domain - use rpc methods */
534 static NTSTATUS name_to_sid(struct winbindd_domain *domain,
535 TALLOC_CTX *mem_ctx,
536 const char *domain_name,
537 const char *name,
538 uint32_t flags,
539 struct dom_sid *sid,
540 enum lsa_SidType *type)
542 return reconnect_methods.name_to_sid(domain, mem_ctx,
543 domain_name, name, flags,
544 sid, type);
547 /* convert a domain SID to a user or group name - use rpc methods */
548 static NTSTATUS sid_to_name(struct winbindd_domain *domain,
549 TALLOC_CTX *mem_ctx,
550 const struct dom_sid *sid,
551 char **domain_name,
552 char **name,
553 enum lsa_SidType *type)
555 return reconnect_methods.sid_to_name(domain, mem_ctx, sid,
556 domain_name, name, type);
559 /* convert a list of rids to names - use rpc methods */
560 static NTSTATUS rids_to_names(struct winbindd_domain *domain,
561 TALLOC_CTX *mem_ctx,
562 const struct dom_sid *sid,
563 uint32 *rids,
564 size_t num_rids,
565 char **domain_name,
566 char ***names,
567 enum lsa_SidType **types)
569 return reconnect_methods.rids_to_names(domain, mem_ctx, sid,
570 rids, num_rids,
571 domain_name, names, types);
574 /* If you are looking for "dn_lookup": Yes, it used to be here!
575 * It has gone now since it was a major speed bottleneck in
576 * lookup_groupmem (its only use). It has been replaced by
577 * an rpc lookup sids call... R.I.P. */
579 /* Lookup user information from a rid */
580 static NTSTATUS query_user(struct winbindd_domain *domain,
581 TALLOC_CTX *mem_ctx,
582 const struct dom_sid *sid,
583 struct wbint_userinfo *info)
585 ADS_STRUCT *ads = NULL;
586 const char *attrs[] = { "*", NULL };
587 ADS_STATUS rc;
588 int count;
589 LDAPMessage *msg = NULL;
590 char *ldap_exp;
591 char *sidstr;
592 uint32 group_rid;
593 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
594 struct netr_SamInfo3 *user = NULL;
595 gid_t gid = -1;
596 int ret;
597 char *ads_name;
599 DEBUG(3,("ads: query_user\n"));
601 info->homedir = NULL;
602 info->shell = NULL;
604 /* try netsamlogon cache first */
606 if ( (user = netsamlogon_cache_get( mem_ctx, sid )) != NULL )
608 DEBUG(5,("query_user: Cache lookup succeeded for %s\n",
609 sid_string_dbg(sid)));
611 sid_compose(&info->user_sid, &domain->sid, user->base.rid);
612 sid_compose(&info->group_sid, &domain->sid, user->base.primary_gid);
614 info->acct_name = talloc_strdup(mem_ctx, user->base.account_name.string);
615 info->full_name = talloc_strdup(mem_ctx, user->base.full_name.string);
617 nss_get_info_cached( domain, sid, mem_ctx,
618 &info->homedir, &info->shell, &info->full_name,
619 &gid );
620 info->primary_gid = gid;
622 TALLOC_FREE(user);
624 return NT_STATUS_OK;
627 if ( !winbindd_can_contact_domain(domain)) {
628 DEBUG(8,("query_user: No incoming trust from domain %s\n",
629 domain->name));
631 /* We still need to generate some basic information
632 about the user even if we cannot contact the
633 domain. Most of this stuff we can deduce. */
635 sid_copy( &info->user_sid, sid );
637 /* Assume "Domain Users" for the primary group */
639 sid_compose(&info->group_sid, &domain->sid, DOMAIN_RID_USERS );
641 /* Try to fill in what the nss_info backend can do */
643 nss_get_info_cached( domain, sid, mem_ctx,
644 &info->homedir, &info->shell, &info->full_name,
645 &gid);
646 info->primary_gid = gid;
648 return NT_STATUS_OK;
651 /* no cache...do the query */
653 if ( (ads = ads_cached_connection(domain)) == NULL ) {
654 domain->last_status = NT_STATUS_SERVER_DISABLED;
655 return NT_STATUS_SERVER_DISABLED;
658 sidstr = ldap_encode_ndr_dom_sid(talloc_tos(), sid);
660 ret = asprintf(&ldap_exp, "(objectSid=%s)", sidstr);
661 TALLOC_FREE(sidstr);
662 if (ret == -1) {
663 return NT_STATUS_NO_MEMORY;
665 rc = ads_search_retry(ads, &msg, ldap_exp, attrs);
666 SAFE_FREE(ldap_exp);
667 if (!ADS_ERR_OK(rc)) {
668 DEBUG(1,("query_user(sid=%s) ads_search: %s\n",
669 sid_string_dbg(sid), ads_errstr(rc)));
670 return ads_ntstatus(rc);
671 } else if (!msg) {
672 DEBUG(1,("query_user(sid=%s) ads_search returned NULL res\n",
673 sid_string_dbg(sid)));
674 return NT_STATUS_INTERNAL_ERROR;
677 count = ads_count_replies(ads, msg);
678 if (count != 1) {
679 DEBUG(1,("query_user(sid=%s): Not found\n",
680 sid_string_dbg(sid)));
681 ads_msgfree(ads, msg);
682 return NT_STATUS_NO_SUCH_USER;
685 info->acct_name = ads_pull_username(ads, mem_ctx, msg);
687 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &group_rid)) {
688 DEBUG(1,("No primary group for %s !?\n",
689 sid_string_dbg(sid)));
690 ads_msgfree(ads, msg);
691 return NT_STATUS_NO_SUCH_USER;
693 sid_copy(&info->user_sid, sid);
694 sid_compose(&info->group_sid, &domain->sid, group_rid);
697 * We have to fetch the "name" attribute before doing the
698 * nss_get_info_cached call. nss_get_info_cached might destroy
699 * the ads struct, potentially invalidating the ldap message.
701 ads_name = ads_pull_string(ads, mem_ctx, msg, "name");
703 ads_msgfree(ads, msg);
704 msg = NULL;
706 status = nss_get_info_cached( domain, sid, mem_ctx,
707 &info->homedir, &info->shell, &info->full_name,
708 &gid);
709 info->primary_gid = gid;
710 if (!NT_STATUS_IS_OK(status)) {
711 DEBUG(1, ("nss_get_info_cached failed: %s\n",
712 nt_errstr(status)));
713 return status;
716 if (info->full_name == NULL) {
717 info->full_name = ads_name;
718 } else {
719 TALLOC_FREE(ads_name);
722 status = NT_STATUS_OK;
724 DEBUG(3,("ads query_user gave %s\n", info->acct_name));
725 return NT_STATUS_OK;
728 /* Lookup groups a user is a member of - alternate method, for when
729 tokenGroups are not available. */
730 static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain,
731 TALLOC_CTX *mem_ctx,
732 const char *user_dn,
733 struct dom_sid *primary_group,
734 uint32_t *p_num_groups, struct dom_sid **user_sids)
736 ADS_STATUS rc;
737 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
738 int count;
739 LDAPMessage *res = NULL;
740 LDAPMessage *msg = NULL;
741 char *ldap_exp;
742 ADS_STRUCT *ads;
743 const char *group_attrs[] = {"objectSid", NULL};
744 char *escaped_dn;
745 uint32_t num_groups = 0;
747 DEBUG(3,("ads: lookup_usergroups_member\n"));
749 if ( !winbindd_can_contact_domain( domain ) ) {
750 DEBUG(10,("lookup_usergroups_members: No incoming trust for domain %s\n",
751 domain->name));
752 return NT_STATUS_OK;
755 ads = ads_cached_connection(domain);
757 if (!ads) {
758 domain->last_status = NT_STATUS_SERVER_DISABLED;
759 goto done;
762 if (!(escaped_dn = escape_ldap_string(talloc_tos(), user_dn))) {
763 status = NT_STATUS_NO_MEMORY;
764 goto done;
767 ldap_exp = talloc_asprintf(mem_ctx,
768 "(&(member=%s)(objectCategory=group)(groupType:dn:%s:=%d))",
769 escaped_dn,
770 ADS_LDAP_MATCHING_RULE_BIT_AND,
771 GROUP_TYPE_SECURITY_ENABLED);
772 if (!ldap_exp) {
773 DEBUG(1,("lookup_usergroups(dn=%s) asprintf failed!\n", user_dn));
774 TALLOC_FREE(escaped_dn);
775 status = NT_STATUS_NO_MEMORY;
776 goto done;
779 TALLOC_FREE(escaped_dn);
781 rc = ads_search_retry(ads, &res, ldap_exp, group_attrs);
783 if (!ADS_ERR_OK(rc)) {
784 DEBUG(1,("lookup_usergroups ads_search member=%s: %s\n", user_dn, ads_errstr(rc)));
785 return ads_ntstatus(rc);
786 } else if (!res) {
787 DEBUG(1,("lookup_usergroups ads_search returned NULL res\n"));
788 return NT_STATUS_INTERNAL_ERROR;
792 count = ads_count_replies(ads, res);
794 *user_sids = NULL;
795 num_groups = 0;
797 /* always add the primary group to the sid array */
798 status = add_sid_to_array(mem_ctx, primary_group, user_sids,
799 &num_groups);
800 if (!NT_STATUS_IS_OK(status)) {
801 goto done;
804 if (count > 0) {
805 for (msg = ads_first_entry(ads, res); msg;
806 msg = ads_next_entry(ads, msg)) {
807 struct dom_sid group_sid;
809 if (!ads_pull_sid(ads, msg, "objectSid", &group_sid)) {
810 DEBUG(1,("No sid for this group ?!?\n"));
811 continue;
814 /* ignore Builtin groups from ADS - Guenther */
815 if (sid_check_is_in_builtin(&group_sid)) {
816 continue;
819 status = add_sid_to_array(mem_ctx, &group_sid,
820 user_sids, &num_groups);
821 if (!NT_STATUS_IS_OK(status)) {
822 goto done;
828 *p_num_groups = num_groups;
829 status = (user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
831 DEBUG(3,("ads lookup_usergroups (member) succeeded for dn=%s\n", user_dn));
832 done:
833 if (res)
834 ads_msgfree(ads, res);
836 return status;
839 /* Lookup groups a user is a member of - alternate method, for when
840 tokenGroups are not available. */
841 static NTSTATUS lookup_usergroups_memberof(struct winbindd_domain *domain,
842 TALLOC_CTX *mem_ctx,
843 const char *user_dn,
844 struct dom_sid *primary_group,
845 uint32_t *p_num_groups,
846 struct dom_sid **user_sids)
848 ADS_STATUS rc;
849 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
850 ADS_STRUCT *ads;
851 const char *attrs[] = {"memberOf", NULL};
852 uint32_t num_groups = 0;
853 struct dom_sid *group_sids = NULL;
854 int i;
855 char **strings = NULL;
856 size_t num_strings = 0, num_sids = 0;
859 DEBUG(3,("ads: lookup_usergroups_memberof\n"));
861 if ( !winbindd_can_contact_domain( domain ) ) {
862 DEBUG(10,("lookup_usergroups_memberof: No incoming trust for "
863 "domain %s\n", domain->name));
864 return NT_STATUS_OK;
867 ads = ads_cached_connection(domain);
869 if (!ads) {
870 domain->last_status = NT_STATUS_SERVER_DISABLED;
871 return NT_STATUS_UNSUCCESSFUL;
874 rc = ads_search_retry_extended_dn_ranged(ads, mem_ctx, user_dn, attrs,
875 ADS_EXTENDED_DN_HEX_STRING,
876 &strings, &num_strings);
878 if (!ADS_ERR_OK(rc)) {
879 DEBUG(1,("lookup_usergroups_memberof ads_search "
880 "member=%s: %s\n", user_dn, ads_errstr(rc)));
881 return ads_ntstatus(rc);
884 *user_sids = NULL;
885 num_groups = 0;
887 /* always add the primary group to the sid array */
888 status = add_sid_to_array(mem_ctx, primary_group, user_sids,
889 &num_groups);
890 if (!NT_STATUS_IS_OK(status)) {
891 goto done;
894 group_sids = talloc_zero_array(mem_ctx, struct dom_sid, num_strings + 1);
895 if (!group_sids) {
896 status = NT_STATUS_NO_MEMORY;
897 goto done;
900 for (i=0; i<num_strings; i++) {
901 rc = ads_get_sid_from_extended_dn(mem_ctx, strings[i],
902 ADS_EXTENDED_DN_HEX_STRING,
903 &(group_sids)[i]);
904 if (!ADS_ERR_OK(rc)) {
905 /* ignore members without SIDs */
906 if (NT_STATUS_EQUAL(ads_ntstatus(rc),
907 NT_STATUS_NOT_FOUND)) {
908 continue;
910 else {
911 status = ads_ntstatus(rc);
912 goto done;
915 num_sids++;
918 if (i == 0) {
919 DEBUG(1,("No memberOf for this user?!?\n"));
920 status = NT_STATUS_NO_MEMORY;
921 goto done;
924 for (i=0; i<num_sids; i++) {
926 /* ignore Builtin groups from ADS - Guenther */
927 if (sid_check_is_in_builtin(&group_sids[i])) {
928 continue;
931 status = add_sid_to_array(mem_ctx, &group_sids[i], user_sids,
932 &num_groups);
933 if (!NT_STATUS_IS_OK(status)) {
934 goto done;
939 *p_num_groups = num_groups;
940 status = (*user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
942 DEBUG(3,("ads lookup_usergroups (memberof) succeeded for dn=%s\n",
943 user_dn));
945 done:
946 TALLOC_FREE(strings);
947 TALLOC_FREE(group_sids);
949 return status;
953 /* Lookup groups a user is a member of. */
954 static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
955 TALLOC_CTX *mem_ctx,
956 const struct dom_sid *sid,
957 uint32 *p_num_groups, struct dom_sid **user_sids)
959 ADS_STRUCT *ads = NULL;
960 const char *attrs[] = {"tokenGroups", "primaryGroupID", NULL};
961 ADS_STATUS rc;
962 int count;
963 LDAPMessage *msg = NULL;
964 char *user_dn = NULL;
965 struct dom_sid *sids;
966 int i;
967 struct dom_sid primary_group;
968 uint32 primary_group_rid;
969 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
970 uint32_t num_groups = 0;
972 DEBUG(3,("ads: lookup_usergroups\n"));
973 *p_num_groups = 0;
975 status = lookup_usergroups_cached(domain, mem_ctx, sid,
976 p_num_groups, user_sids);
977 if (NT_STATUS_IS_OK(status)) {
978 return NT_STATUS_OK;
981 if ( !winbindd_can_contact_domain( domain ) ) {
982 DEBUG(10,("lookup_usergroups: No incoming trust for domain %s\n",
983 domain->name));
985 /* Tell the cache manager not to remember this one */
987 return NT_STATUS_SYNCHRONIZATION_REQUIRED;
990 ads = ads_cached_connection(domain);
992 if (!ads) {
993 domain->last_status = NT_STATUS_SERVER_DISABLED;
994 status = NT_STATUS_SERVER_DISABLED;
995 goto done;
998 rc = ads_search_retry_sid(ads, &msg, sid, attrs);
1000 if (!ADS_ERR_OK(rc)) {
1001 status = ads_ntstatus(rc);
1002 DEBUG(1, ("lookup_usergroups(sid=%s) ads_search tokenGroups: "
1003 "%s\n", sid_string_dbg(sid), ads_errstr(rc)));
1004 goto done;
1007 count = ads_count_replies(ads, msg);
1008 if (count != 1) {
1009 status = NT_STATUS_UNSUCCESSFUL;
1010 DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: "
1011 "invalid number of results (count=%d)\n",
1012 sid_string_dbg(sid), count));
1013 goto done;
1016 if (!msg) {
1017 DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: NULL msg\n",
1018 sid_string_dbg(sid)));
1019 status = NT_STATUS_UNSUCCESSFUL;
1020 goto done;
1023 user_dn = ads_get_dn(ads, mem_ctx, msg);
1024 if (user_dn == NULL) {
1025 status = NT_STATUS_NO_MEMORY;
1026 goto done;
1029 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &primary_group_rid)) {
1030 DEBUG(1,("%s: No primary group for sid=%s !?\n",
1031 domain->name, sid_string_dbg(sid)));
1032 goto done;
1035 sid_compose(&primary_group, &domain->sid, primary_group_rid);
1037 count = ads_pull_sids(ads, mem_ctx, msg, "tokenGroups", &sids);
1039 /* there must always be at least one group in the token,
1040 unless we are talking to a buggy Win2k server */
1042 /* actually this only happens when the machine account has no read
1043 * permissions on the tokenGroup attribute - gd */
1045 if (count == 0) {
1047 /* no tokenGroups */
1049 /* lookup what groups this user is a member of by DN search on
1050 * "memberOf" */
1052 status = lookup_usergroups_memberof(domain, mem_ctx, user_dn,
1053 &primary_group,
1054 &num_groups, user_sids);
1055 *p_num_groups = num_groups;
1056 if (NT_STATUS_IS_OK(status)) {
1057 goto done;
1060 /* lookup what groups this user is a member of by DN search on
1061 * "member" */
1063 status = lookup_usergroups_member(domain, mem_ctx, user_dn,
1064 &primary_group,
1065 &num_groups, user_sids);
1066 *p_num_groups = num_groups;
1067 goto done;
1070 *user_sids = NULL;
1071 num_groups = 0;
1073 status = add_sid_to_array(mem_ctx, &primary_group, user_sids,
1074 &num_groups);
1075 if (!NT_STATUS_IS_OK(status)) {
1076 goto done;
1079 for (i=0;i<count;i++) {
1081 /* ignore Builtin groups from ADS - Guenther */
1082 if (sid_check_is_in_builtin(&sids[i])) {
1083 continue;
1086 status = add_sid_to_array_unique(mem_ctx, &sids[i],
1087 user_sids, &num_groups);
1088 if (!NT_STATUS_IS_OK(status)) {
1089 goto done;
1093 *p_num_groups = (uint32)num_groups;
1094 status = (*user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
1096 DEBUG(3,("ads lookup_usergroups (tokenGroups) succeeded for sid=%s\n",
1097 sid_string_dbg(sid)));
1098 done:
1099 TALLOC_FREE(user_dn);
1100 ads_msgfree(ads, msg);
1101 return status;
1104 /* Lookup aliases a user is member of - use rpc methods */
1105 static NTSTATUS lookup_useraliases(struct winbindd_domain *domain,
1106 TALLOC_CTX *mem_ctx,
1107 uint32 num_sids, const struct dom_sid *sids,
1108 uint32 *num_aliases, uint32 **alias_rids)
1110 return reconnect_methods.lookup_useraliases(domain, mem_ctx,
1111 num_sids, sids,
1112 num_aliases,
1113 alias_rids);
1117 find the members of a group, given a group rid and domain
1119 static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
1120 TALLOC_CTX *mem_ctx,
1121 const struct dom_sid *group_sid,
1122 enum lsa_SidType type,
1123 uint32 *num_names,
1124 struct dom_sid **sid_mem, char ***names,
1125 uint32 **name_types)
1127 ADS_STATUS rc;
1128 ADS_STRUCT *ads = NULL;
1129 char *ldap_exp;
1130 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
1131 char *sidbinstr;
1132 char **members = NULL;
1133 int i;
1134 size_t num_members = 0;
1135 ads_control args;
1136 struct dom_sid *sid_mem_nocache = NULL;
1137 char **names_nocache = NULL;
1138 enum lsa_SidType *name_types_nocache = NULL;
1139 char **domains_nocache = NULL; /* only needed for rpccli_lsa_lookup_sids */
1140 uint32 num_nocache = 0;
1141 TALLOC_CTX *tmp_ctx = NULL;
1143 DEBUG(10,("ads: lookup_groupmem %s sid=%s\n", domain->name,
1144 sid_string_dbg(group_sid)));
1146 *num_names = 0;
1148 tmp_ctx = talloc_new(mem_ctx);
1149 if (!tmp_ctx) {
1150 DEBUG(1, ("ads: lookup_groupmem: talloc failed\n"));
1151 status = NT_STATUS_NO_MEMORY;
1152 goto done;
1155 if ( !winbindd_can_contact_domain( domain ) ) {
1156 DEBUG(10,("lookup_groupmem: No incoming trust for domain %s\n",
1157 domain->name));
1158 return NT_STATUS_OK;
1161 ads = ads_cached_connection(domain);
1163 if (!ads) {
1164 domain->last_status = NT_STATUS_SERVER_DISABLED;
1165 goto done;
1168 if ((sidbinstr = ldap_encode_ndr_dom_sid(talloc_tos(), group_sid)) == NULL) {
1169 status = NT_STATUS_NO_MEMORY;
1170 goto done;
1173 /* search for all members of the group */
1174 ldap_exp = talloc_asprintf(tmp_ctx, "(objectSid=%s)", sidbinstr);
1175 TALLOC_FREE(sidbinstr);
1176 if (ldap_exp == NULL) {
1177 DEBUG(1, ("ads: lookup_groupmem: talloc_asprintf for ldap_exp failed!\n"));
1178 status = NT_STATUS_NO_MEMORY;
1179 goto done;
1182 args.control = ADS_EXTENDED_DN_OID;
1183 args.val = ADS_EXTENDED_DN_HEX_STRING;
1184 args.critical = True;
1186 rc = ads_ranged_search(ads, tmp_ctx, LDAP_SCOPE_SUBTREE, ads->config.bind_path,
1187 ldap_exp, &args, "member", &members, &num_members);
1189 if (!ADS_ERR_OK(rc)) {
1190 DEBUG(0,("ads_ranged_search failed with: %s\n", ads_errstr(rc)));
1191 status = NT_STATUS_UNSUCCESSFUL;
1192 goto done;
1195 DEBUG(10, ("ads lookup_groupmem: got %d sids via extended dn call\n", (int)num_members));
1197 /* Now that we have a list of sids, we need to get the
1198 * lists of names and name_types belonging to these sids.
1199 * even though conceptually not quite clean, we use the
1200 * RPC call lsa_lookup_sids for this since it can handle a
1201 * list of sids. ldap calls can just resolve one sid at a time.
1203 * At this stage, the sids are still hidden in the exetended dn
1204 * member output format. We actually do a little better than
1205 * stated above: In extracting the sids from the member strings,
1206 * we try to resolve as many sids as possible from the
1207 * cache. Only the rest is passed to the lsa_lookup_sids call. */
1209 if (num_members) {
1210 (*sid_mem) = talloc_zero_array(mem_ctx, struct dom_sid, num_members);
1211 (*names) = talloc_zero_array(mem_ctx, char *, num_members);
1212 (*name_types) = talloc_zero_array(mem_ctx, uint32, num_members);
1213 (sid_mem_nocache) = talloc_zero_array(tmp_ctx, struct dom_sid, num_members);
1215 if ((members == NULL) || (*sid_mem == NULL) ||
1216 (*names == NULL) || (*name_types == NULL) ||
1217 (sid_mem_nocache == NULL))
1219 DEBUG(1, ("ads: lookup_groupmem: talloc failed\n"));
1220 status = NT_STATUS_NO_MEMORY;
1221 goto done;
1224 else {
1225 (*sid_mem) = NULL;
1226 (*names) = NULL;
1227 (*name_types) = NULL;
1230 for (i=0; i<num_members; i++) {
1231 enum lsa_SidType name_type;
1232 char *name, *domain_name;
1233 struct dom_sid sid;
1235 rc = ads_get_sid_from_extended_dn(tmp_ctx, members[i], args.val,
1236 &sid);
1237 if (!ADS_ERR_OK(rc)) {
1238 if (NT_STATUS_EQUAL(ads_ntstatus(rc),
1239 NT_STATUS_NOT_FOUND)) {
1240 /* Group members can be objects, like Exchange
1241 * Public Folders, that don't have a SID. Skip
1242 * them. */
1243 continue;
1245 else {
1246 status = ads_ntstatus(rc);
1247 goto done;
1250 if (lookup_cached_sid(mem_ctx, &sid, &domain_name, &name,
1251 &name_type)) {
1252 DEBUG(10,("ads: lookup_groupmem: got sid %s from "
1253 "cache\n", sid_string_dbg(&sid)));
1254 sid_copy(&(*sid_mem)[*num_names], &sid);
1255 (*names)[*num_names] = fill_domain_username_talloc(
1256 *names,
1257 domain_name,
1258 name,
1259 true);
1261 (*name_types)[*num_names] = name_type;
1262 (*num_names)++;
1264 else {
1265 DEBUG(10, ("ads: lookup_groupmem: sid %s not found in "
1266 "cache\n", sid_string_dbg(&sid)));
1267 sid_copy(&(sid_mem_nocache)[num_nocache], &sid);
1268 num_nocache++;
1272 DEBUG(10, ("ads: lookup_groupmem: %d sids found in cache, "
1273 "%d left for lsa_lookupsids\n", *num_names, num_nocache));
1275 /* handle sids not resolved from cache by lsa_lookup_sids */
1276 if (num_nocache > 0) {
1278 status = winbindd_lookup_sids(tmp_ctx,
1279 domain,
1280 num_nocache,
1281 sid_mem_nocache,
1282 &domains_nocache,
1283 &names_nocache,
1284 &name_types_nocache);
1286 if (!(NT_STATUS_IS_OK(status) ||
1287 NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED) ||
1288 NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)))
1290 DEBUG(1, ("lsa_lookupsids call failed with %s "
1291 "- retrying...\n", nt_errstr(status)));
1293 status = winbindd_lookup_sids(tmp_ctx,
1294 domain,
1295 num_nocache,
1296 sid_mem_nocache,
1297 &domains_nocache,
1298 &names_nocache,
1299 &name_types_nocache);
1302 if (NT_STATUS_IS_OK(status) ||
1303 NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED))
1305 /* Copy the entries over from the "_nocache" arrays
1306 * to the result arrays, skipping the gaps the
1307 * lookup_sids call left. */
1308 for (i=0; i < num_nocache; i++) {
1309 if (((names_nocache)[i] != NULL) &&
1310 ((name_types_nocache)[i] != SID_NAME_UNKNOWN))
1312 sid_copy(&(*sid_mem)[*num_names],
1313 &sid_mem_nocache[i]);
1314 (*names)[*num_names] =
1315 fill_domain_username_talloc(
1316 *names,
1317 domains_nocache[i],
1318 names_nocache[i],
1319 true);
1320 (*name_types)[*num_names] = name_types_nocache[i];
1321 (*num_names)++;
1325 else if (NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)) {
1326 DEBUG(10, ("lookup_groupmem: lsa_lookup_sids could "
1327 "not map any SIDs at all.\n"));
1328 /* Don't handle this as an error here.
1329 * There is nothing left to do with respect to the
1330 * overall result... */
1332 else if (!NT_STATUS_IS_OK(status)) {
1333 DEBUG(10, ("lookup_groupmem: Error looking up %d "
1334 "sids via rpc_lsa_lookup_sids: %s\n",
1335 (int)num_members, nt_errstr(status)));
1336 goto done;
1340 status = NT_STATUS_OK;
1341 DEBUG(3,("ads lookup_groupmem for sid=%s succeeded\n",
1342 sid_string_dbg(group_sid)));
1344 done:
1346 TALLOC_FREE(tmp_ctx);
1348 return status;
1351 /* find the sequence number for a domain */
1352 static NTSTATUS sequence_number(struct winbindd_domain *domain, uint32 *seq)
1354 ADS_STRUCT *ads = NULL;
1355 ADS_STATUS rc;
1357 DEBUG(3,("ads: fetch sequence_number for %s\n", domain->name));
1359 if ( !winbindd_can_contact_domain( domain ) ) {
1360 DEBUG(10,("sequence: No incoming trust for domain %s\n",
1361 domain->name));
1362 *seq = time(NULL);
1363 return NT_STATUS_OK;
1366 *seq = DOM_SEQUENCE_NONE;
1368 ads = ads_cached_connection(domain);
1370 if (!ads) {
1371 domain->last_status = NT_STATUS_SERVER_DISABLED;
1372 return NT_STATUS_UNSUCCESSFUL;
1375 rc = ads_USN(ads, seq);
1377 if (!ADS_ERR_OK(rc)) {
1379 /* its a dead connection, destroy it */
1381 if (domain->private_data) {
1382 ads = (ADS_STRUCT *)domain->private_data;
1383 ads->is_mine = True;
1384 ads_destroy(&ads);
1385 ads_kdestroy(WINBIND_CCACHE_NAME);
1386 domain->private_data = NULL;
1389 return ads_ntstatus(rc);
1392 /* find the lockout policy of a domain - use rpc methods */
1393 static NTSTATUS lockout_policy(struct winbindd_domain *domain,
1394 TALLOC_CTX *mem_ctx,
1395 struct samr_DomInfo12 *policy)
1397 return reconnect_methods.lockout_policy(domain, mem_ctx, policy);
1400 /* find the password policy of a domain - use rpc methods */
1401 static NTSTATUS password_policy(struct winbindd_domain *domain,
1402 TALLOC_CTX *mem_ctx,
1403 struct samr_DomInfo1 *policy)
1405 return reconnect_methods.password_policy(domain, mem_ctx, policy);
1408 /* get a list of trusted domains */
1409 static NTSTATUS trusted_domains(struct winbindd_domain *domain,
1410 TALLOC_CTX *mem_ctx,
1411 struct netr_DomainTrustList *trusts)
1413 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1414 WERROR werr;
1415 int i;
1416 uint32 flags;
1417 struct rpc_pipe_client *cli;
1418 int ret_count;
1419 struct dcerpc_binding_handle *b;
1421 DEBUG(3,("ads: trusted_domains\n"));
1423 ZERO_STRUCTP(trusts);
1425 /* If this is our primary domain or a root in our forest,
1426 query for all trusts. If not, then just look for domain
1427 trusts in the target forest */
1429 if (domain->primary || domain_is_forest_root(domain)) {
1430 flags = NETR_TRUST_FLAG_OUTBOUND |
1431 NETR_TRUST_FLAG_INBOUND |
1432 NETR_TRUST_FLAG_IN_FOREST;
1433 } else {
1434 flags = NETR_TRUST_FLAG_IN_FOREST;
1437 result = cm_connect_netlogon(domain, &cli);
1439 if (!NT_STATUS_IS_OK(result)) {
1440 DEBUG(5, ("trusted_domains: Could not open a connection to %s "
1441 "for PIPE_NETLOGON (%s)\n",
1442 domain->name, nt_errstr(result)));
1443 return NT_STATUS_UNSUCCESSFUL;
1446 b = cli->binding_handle;
1448 result = dcerpc_netr_DsrEnumerateDomainTrusts(b, mem_ctx,
1449 cli->desthost,
1450 flags,
1451 trusts,
1452 &werr);
1453 if (!NT_STATUS_IS_OK(result)) {
1454 return result;
1457 if (!W_ERROR_IS_OK(werr)) {
1458 return werror_to_ntstatus(werr);
1460 if (trusts->count == 0) {
1461 return NT_STATUS_OK;
1464 /* Copy across names and sids */
1466 ret_count = 0;
1467 for (i = 0; i < trusts->count; i++) {
1468 struct netr_DomainTrust *trust = &trusts->array[i];
1469 struct winbindd_domain d;
1471 ZERO_STRUCT(d);
1474 * drop external trusts if this is not our primary
1475 * domain. This means that the returned number of
1476 * domains may be less that the ones actually trusted
1477 * by the DC.
1480 if ((trust->trust_attributes
1481 == NETR_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) &&
1482 !domain->primary )
1484 DEBUG(10,("trusted_domains: Skipping external trusted "
1485 "domain %s because it is outside of our "
1486 "primary domain\n",
1487 trust->netbios_name));
1488 continue;
1491 /* add to the trusted domain cache */
1493 d.name = discard_const_p(char, trust->netbios_name);
1494 d.alt_name = discard_const_p(char, trust->dns_name);
1496 if (trust->sid) {
1497 sid_copy(&d.sid, trust->sid);
1498 } else {
1499 sid_copy(&d.sid, &global_sid_NULL);
1502 if ( domain->primary ) {
1503 DEBUG(10,("trusted_domains(ads): Searching "
1504 "trusted domain list of %s and storing "
1505 "trust flags for domain %s\n",
1506 domain->name, d.alt_name));
1508 d.domain_flags = trust->trust_flags;
1509 d.domain_type = trust->trust_type;
1510 d.domain_trust_attribs = trust->trust_attributes;
1512 wcache_tdc_add_domain( &d );
1513 ret_count++;
1514 } else if (domain_is_forest_root(domain)) {
1515 /* Check if we already have this record. If
1516 * we are following our forest root that is not
1517 * our primary domain, we want to keep trust
1518 * flags from the perspective of our primary
1519 * domain not our forest root. */
1520 struct winbindd_tdc_domain *exist = NULL;
1522 exist = wcache_tdc_fetch_domain(
1523 talloc_tos(), trust->netbios_name);
1524 if (!exist) {
1525 DEBUG(10,("trusted_domains(ads): Searching "
1526 "trusted domain list of %s and "
1527 "storing trust flags for domain "
1528 "%s\n", domain->name, d.alt_name));
1529 d.domain_flags = trust->trust_flags;
1530 d.domain_type = trust->trust_type;
1531 d.domain_trust_attribs =
1532 trust->trust_attributes;
1534 wcache_tdc_add_domain( &d );
1535 ret_count++;
1537 TALLOC_FREE(exist);
1538 } else {
1539 /* This gets a little tricky. If we are
1540 following a transitive forest trust, then
1541 innerit the flags, type, and attribs from
1542 the domain we queried to make sure we don't
1543 record the view of the trust from the wrong
1544 side. Always view it from the side of our
1545 primary domain. --jerry */
1546 struct winbindd_tdc_domain *parent = NULL;
1548 DEBUG(10,("trusted_domains(ads): Searching "
1549 "trusted domain list of %s and inheriting "
1550 "trust flags for domain %s\n",
1551 domain->name, d.alt_name));
1553 parent = wcache_tdc_fetch_domain(talloc_tos(),
1554 domain->name);
1555 if (parent) {
1556 d.domain_flags = parent->trust_flags;
1557 d.domain_type = parent->trust_type;
1558 d.domain_trust_attribs = parent->trust_attribs;
1559 } else {
1560 d.domain_flags = domain->domain_flags;
1561 d.domain_type = domain->domain_type;
1562 d.domain_trust_attribs =
1563 domain->domain_trust_attribs;
1565 TALLOC_FREE(parent);
1567 wcache_tdc_add_domain( &d );
1568 ret_count++;
1571 return result;
1574 /* the ADS backend methods are exposed via this structure */
1575 struct winbindd_methods ads_methods = {
1576 True,
1577 query_user_list,
1578 enum_dom_groups,
1579 enum_local_groups,
1580 name_to_sid,
1581 sid_to_name,
1582 rids_to_names,
1583 query_user,
1584 lookup_usergroups,
1585 lookup_useraliases,
1586 lookup_groupmem,
1587 sequence_number,
1588 lockout_policy,
1589 password_policy,
1590 trusted_domains,
1593 #endif