heimdal - remove unused variable
[Samba.git] / source3 / winbindd / winbindd_ads.c
blobf647a3ffaf19d8db53ad8ec227aaab41e31b36f5
1 /*
2 Unix SMB/CIFS implementation.
4 Winbind ADS backend functions
6 Copyright (C) Andrew Tridgell 2001
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003
8 Copyright (C) Gerald (Jerry) Carter 2004
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 #include "includes.h"
25 #include "winbindd.h"
26 #include "../librpc/gen_ndr/cli_netlogon.h"
28 #ifdef HAVE_ADS
30 #undef DBGC_CLASS
31 #define DBGC_CLASS DBGC_WINBIND
33 extern struct winbindd_methods reconnect_methods;
36 return our ads connections structure for a domain. We keep the connection
37 open to make things faster
39 static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain)
41 ADS_STRUCT *ads;
42 ADS_STATUS status;
43 fstring dc_name;
44 struct sockaddr_storage dc_ss;
46 DEBUG(10,("ads_cached_connection\n"));
48 if (domain->private_data) {
50 time_t expire;
51 time_t now = time(NULL);
53 /* check for a valid structure */
54 ads = (ADS_STRUCT *)domain->private_data;
56 expire = MIN(ads->auth.tgt_expire, ads->auth.tgs_expire);
58 DEBUG(7, ("Current tickets expire in %d seconds (at %d, time is now %d)\n",
59 (uint32)expire-(uint32)now, (uint32) expire, (uint32) now));
61 if ( ads->config.realm && (expire > now)) {
62 return ads;
63 } else {
64 /* we own this ADS_STRUCT so make sure it goes away */
65 DEBUG(7,("Deleting expired krb5 credential cache\n"));
66 ads->is_mine = True;
67 ads_destroy( &ads );
68 ads_kdestroy("MEMORY:winbind_ccache");
69 domain->private_data = NULL;
73 /* we don't want this to affect the users ccache */
74 setenv("KRB5CCNAME", "MEMORY:winbind_ccache", 1);
76 ads = ads_init(domain->alt_name, domain->name, NULL);
77 if (!ads) {
78 DEBUG(1,("ads_init for domain %s failed\n", domain->name));
79 return NULL;
82 /* the machine acct password might have change - fetch it every time */
84 SAFE_FREE(ads->auth.password);
85 SAFE_FREE(ads->auth.realm);
87 if ( IS_DC ) {
89 if ( !pdb_get_trusteddom_pw( domain->name, &ads->auth.password, NULL, NULL ) ) {
90 ads_destroy( &ads );
91 return NULL;
93 ads->auth.realm = SMB_STRDUP( ads->server.realm );
94 strupper_m( ads->auth.realm );
96 else {
97 struct winbindd_domain *our_domain = domain;
99 ads->auth.password = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
101 /* always give preference to the alt_name in our
102 primary domain if possible */
104 if ( !domain->primary )
105 our_domain = find_our_domain();
107 if ( our_domain->alt_name[0] != '\0' ) {
108 ads->auth.realm = SMB_STRDUP( our_domain->alt_name );
109 strupper_m( ads->auth.realm );
111 else
112 ads->auth.realm = SMB_STRDUP( lp_realm() );
115 ads->auth.renewable = WINBINDD_PAM_AUTH_KRB5_RENEW_TIME;
117 /* Setup the server affinity cache. We don't reaally care
118 about the name. Just setup affinity and the KRB5_CONFIG
119 file. */
121 get_dc_name( ads->server.workgroup, ads->server.realm, dc_name, &dc_ss );
123 status = ads_connect(ads);
124 if (!ADS_ERR_OK(status) || !ads->config.realm) {
125 DEBUG(1,("ads_connect for domain %s failed: %s\n",
126 domain->name, ads_errstr(status)));
127 ads_destroy(&ads);
129 /* if we get ECONNREFUSED then it might be a NT4
130 server, fall back to MSRPC */
131 if (status.error_type == ENUM_ADS_ERROR_SYSTEM &&
132 status.err.rc == ECONNREFUSED) {
133 /* 'reconnect_methods' is the MS-RPC backend. */
134 DEBUG(1,("Trying MSRPC methods\n"));
135 domain->backend = &reconnect_methods;
137 return NULL;
140 /* set the flag that says we don't own the memory even
141 though we do so that ads_destroy() won't destroy the
142 structure we pass back by reference */
144 ads->is_mine = False;
146 domain->private_data = (void *)ads;
147 return ads;
151 /* Query display info for a realm. This is the basic user list fn */
152 static NTSTATUS query_user_list(struct winbindd_domain *domain,
153 TALLOC_CTX *mem_ctx,
154 uint32 *num_entries,
155 struct wbint_userinfo **info)
157 ADS_STRUCT *ads = NULL;
158 const char *attrs[] = { "*", NULL };
159 int i, count;
160 ADS_STATUS rc;
161 LDAPMessage *res = NULL;
162 LDAPMessage *msg = NULL;
163 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
165 *num_entries = 0;
167 DEBUG(3,("ads: query_user_list\n"));
169 if ( !winbindd_can_contact_domain( domain ) ) {
170 DEBUG(10,("query_user_list: No incoming trust for domain %s\n",
171 domain->name));
172 return NT_STATUS_OK;
175 ads = ads_cached_connection(domain);
177 if (!ads) {
178 domain->last_status = NT_STATUS_SERVER_DISABLED;
179 goto done;
182 rc = ads_search_retry(ads, &res, "(objectCategory=user)", attrs);
183 if (!ADS_ERR_OK(rc) || !res) {
184 DEBUG(1,("query_user_list ads_search: %s\n", ads_errstr(rc)));
185 goto done;
188 count = ads_count_replies(ads, res);
189 if (count == 0) {
190 DEBUG(1,("query_user_list: No users found\n"));
191 goto done;
194 (*info) = TALLOC_ZERO_ARRAY(mem_ctx, struct wbint_userinfo, count);
195 if (!*info) {
196 status = NT_STATUS_NO_MEMORY;
197 goto done;
200 i = 0;
202 for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
203 const char *name;
204 const char *gecos = NULL;
205 const char *homedir = NULL;
206 const char *shell = NULL;
207 uint32 group;
208 uint32 atype;
209 DOM_SID user_sid;
210 gid_t primary_gid = (gid_t)-1;
212 if (!ads_pull_uint32(ads, msg, "sAMAccountType", &atype) ||
213 ds_atype_map(atype) != SID_NAME_USER) {
214 DEBUG(1,("Not a user account? atype=0x%x\n", atype));
215 continue;
218 name = ads_pull_username(ads, mem_ctx, msg);
220 if ( ads_pull_sid( ads, msg, "objectSid", &user_sid ) ) {
221 status = nss_get_info_cached( domain, &user_sid, mem_ctx,
222 ads, msg, &homedir, &shell, &gecos,
223 &primary_gid );
226 if (gecos == NULL) {
227 gecos = ads_pull_string(ads, mem_ctx, msg, "name");
230 if (!ads_pull_sid(ads, msg, "objectSid",
231 &(*info)[i].user_sid)) {
232 DEBUG(1,("No sid for %s !?\n", name));
233 continue;
235 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &group)) {
236 DEBUG(1,("No primary group for %s !?\n", name));
237 continue;
240 (*info)[i].acct_name = name;
241 (*info)[i].full_name = gecos;
242 (*info)[i].homedir = homedir;
243 (*info)[i].shell = shell;
244 (*info)[i].primary_gid = primary_gid;
245 sid_compose(&(*info)[i].group_sid, &domain->sid, group);
246 i++;
249 (*num_entries) = i;
250 status = NT_STATUS_OK;
252 DEBUG(3,("ads query_user_list gave %d entries\n", (*num_entries)));
254 done:
255 if (res)
256 ads_msgfree(ads, res);
258 return status;
261 /* list all domain groups */
262 static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
263 TALLOC_CTX *mem_ctx,
264 uint32 *num_entries,
265 struct acct_info **info)
267 ADS_STRUCT *ads = NULL;
268 const char *attrs[] = {"userPrincipalName", "sAMAccountName",
269 "name", "objectSid", NULL};
270 int i, count;
271 ADS_STATUS rc;
272 LDAPMessage *res = NULL;
273 LDAPMessage *msg = NULL;
274 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
275 const char *filter;
276 bool enum_dom_local_groups = False;
278 *num_entries = 0;
280 DEBUG(3,("ads: enum_dom_groups\n"));
282 if ( !winbindd_can_contact_domain( domain ) ) {
283 DEBUG(10,("enum_dom_groups: No incoming trust for domain %s\n",
284 domain->name));
285 return NT_STATUS_OK;
288 /* only grab domain local groups for our domain */
289 if ( domain->active_directory && strequal(lp_realm(), domain->alt_name) ) {
290 enum_dom_local_groups = True;
293 /* Workaround ADS LDAP bug present in MS W2K3 SP0 and W2K SP4 w/o
294 * rollup-fixes:
296 * According to Section 5.1(4) of RFC 2251 if a value of a type is it's
297 * default value, it MUST be absent. In case of extensible matching the
298 * "dnattr" boolean defaults to FALSE and so it must be only be present
299 * when set to TRUE.
301 * When it is set to FALSE and the OpenLDAP lib (correctly) encodes a
302 * filter using bitwise matching rule then the buggy AD fails to decode
303 * the extensible match. As a workaround set it to TRUE and thereby add
304 * the dnAttributes "dn" field to cope with those older AD versions.
305 * It should not harm and won't put any additional load on the AD since
306 * none of the dn components have a bitmask-attribute.
308 * Thanks to Ralf Haferkamp for input and testing - Guenther */
310 filter = talloc_asprintf(mem_ctx, "(&(objectCategory=group)(&(groupType:dn:%s:=%d)(!(groupType:dn:%s:=%d))))",
311 ADS_LDAP_MATCHING_RULE_BIT_AND, GROUP_TYPE_SECURITY_ENABLED,
312 ADS_LDAP_MATCHING_RULE_BIT_AND,
313 enum_dom_local_groups ? GROUP_TYPE_BUILTIN_LOCAL_GROUP : GROUP_TYPE_RESOURCE_GROUP);
315 if (filter == NULL) {
316 status = NT_STATUS_NO_MEMORY;
317 goto done;
320 ads = ads_cached_connection(domain);
322 if (!ads) {
323 domain->last_status = NT_STATUS_SERVER_DISABLED;
324 goto done;
327 rc = ads_search_retry(ads, &res, filter, attrs);
328 if (!ADS_ERR_OK(rc) || !res) {
329 DEBUG(1,("enum_dom_groups ads_search: %s\n", ads_errstr(rc)));
330 goto done;
333 count = ads_count_replies(ads, res);
334 if (count == 0) {
335 DEBUG(1,("enum_dom_groups: No groups found\n"));
336 goto done;
339 (*info) = TALLOC_ZERO_ARRAY(mem_ctx, struct acct_info, count);
340 if (!*info) {
341 status = NT_STATUS_NO_MEMORY;
342 goto done;
345 i = 0;
347 for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
348 char *name, *gecos;
349 DOM_SID sid;
350 uint32 rid;
352 name = ads_pull_username(ads, mem_ctx, msg);
353 gecos = ads_pull_string(ads, mem_ctx, msg, "name");
354 if (!ads_pull_sid(ads, msg, "objectSid", &sid)) {
355 DEBUG(1,("No sid for %s !?\n", name));
356 continue;
359 if (!sid_peek_check_rid(&domain->sid, &sid, &rid)) {
360 DEBUG(1,("No rid for %s !?\n", name));
361 continue;
364 fstrcpy((*info)[i].acct_name, name);
365 fstrcpy((*info)[i].acct_desc, gecos);
366 (*info)[i].rid = rid;
367 i++;
370 (*num_entries) = i;
372 status = NT_STATUS_OK;
374 DEBUG(3,("ads enum_dom_groups gave %d entries\n", (*num_entries)));
376 done:
377 if (res)
378 ads_msgfree(ads, res);
380 return status;
383 /* list all domain local groups */
384 static NTSTATUS enum_local_groups(struct winbindd_domain *domain,
385 TALLOC_CTX *mem_ctx,
386 uint32 *num_entries,
387 struct acct_info **info)
390 * This is a stub function only as we returned the domain
391 * local groups in enum_dom_groups() if the domain->native field
392 * was true. This is a simple performance optimization when
393 * using LDAP.
395 * if we ever need to enumerate domain local groups separately,
396 * then this optimization in enum_dom_groups() will need
397 * to be split out
399 *num_entries = 0;
401 return NT_STATUS_OK;
404 /* convert a single name to a sid in a domain - use rpc methods */
405 static NTSTATUS name_to_sid(struct winbindd_domain *domain,
406 TALLOC_CTX *mem_ctx,
407 const char *domain_name,
408 const char *name,
409 uint32_t flags,
410 DOM_SID *sid,
411 enum lsa_SidType *type)
413 return reconnect_methods.name_to_sid(domain, mem_ctx,
414 domain_name, name, flags,
415 sid, type);
418 /* convert a domain SID to a user or group name - use rpc methods */
419 static NTSTATUS sid_to_name(struct winbindd_domain *domain,
420 TALLOC_CTX *mem_ctx,
421 const DOM_SID *sid,
422 char **domain_name,
423 char **name,
424 enum lsa_SidType *type)
426 return reconnect_methods.sid_to_name(domain, mem_ctx, sid,
427 domain_name, name, type);
430 /* convert a list of rids to names - use rpc methods */
431 static NTSTATUS rids_to_names(struct winbindd_domain *domain,
432 TALLOC_CTX *mem_ctx,
433 const DOM_SID *sid,
434 uint32 *rids,
435 size_t num_rids,
436 char **domain_name,
437 char ***names,
438 enum lsa_SidType **types)
440 return reconnect_methods.rids_to_names(domain, mem_ctx, sid,
441 rids, num_rids,
442 domain_name, names, types);
445 /* If you are looking for "dn_lookup": Yes, it used to be here!
446 * It has gone now since it was a major speed bottleneck in
447 * lookup_groupmem (its only use). It has been replaced by
448 * an rpc lookup sids call... R.I.P. */
450 /* Lookup user information from a rid */
451 static NTSTATUS query_user(struct winbindd_domain *domain,
452 TALLOC_CTX *mem_ctx,
453 const DOM_SID *sid,
454 struct wbint_userinfo *info)
456 ADS_STRUCT *ads = NULL;
457 const char *attrs[] = { "*", NULL };
458 ADS_STATUS rc;
459 int count;
460 LDAPMessage *msg = NULL;
461 char *ldap_exp;
462 char *sidstr;
463 uint32 group_rid;
464 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
465 struct netr_SamInfo3 *user = NULL;
466 gid_t gid;
468 DEBUG(3,("ads: query_user\n"));
470 info->homedir = NULL;
471 info->shell = NULL;
472 info->primary_gid = (gid_t)-1;
474 /* try netsamlogon cache first */
476 if ( (user = netsamlogon_cache_get( mem_ctx, sid )) != NULL )
478 DEBUG(5,("query_user: Cache lookup succeeded for %s\n",
479 sid_string_dbg(sid)));
481 sid_compose(&info->user_sid, &domain->sid, user->base.rid);
482 sid_compose(&info->group_sid, &domain->sid, user->base.primary_gid);
484 info->acct_name = talloc_strdup(mem_ctx, user->base.account_name.string);
485 info->full_name = talloc_strdup(mem_ctx, user->base.full_name.string);
487 nss_get_info_cached( domain, sid, mem_ctx, NULL, NULL,
488 &info->homedir, &info->shell, &info->full_name,
489 &gid );
490 info->primary_gid = gid;
492 TALLOC_FREE(user);
494 return NT_STATUS_OK;
497 if ( !winbindd_can_contact_domain(domain)) {
498 DEBUG(8,("query_user: No incoming trust from domain %s\n",
499 domain->name));
501 /* We still need to generate some basic information
502 about the user even if we cannot contact the
503 domain. Most of this stuff we can deduce. */
505 sid_copy( &info->user_sid, sid );
507 /* Assume "Domain Users" for the primary group */
509 sid_compose(&info->group_sid, &domain->sid, DOMAIN_GROUP_RID_USERS );
511 /* Try to fill in what the nss_info backend can do */
513 nss_get_info_cached( domain, sid, mem_ctx, NULL, NULL,
514 &info->homedir, &info->shell, &info->full_name,
515 &gid);
516 info->primary_gid = gid;
518 status = NT_STATUS_OK;
519 goto done;
522 /* no cache...do the query */
524 if ( (ads = ads_cached_connection(domain)) == NULL ) {
525 domain->last_status = NT_STATUS_SERVER_DISABLED;
526 goto done;
529 sidstr = sid_binstring(talloc_tos(), sid);
530 if (asprintf(&ldap_exp, "(objectSid=%s)", sidstr) == -1) {
531 status = NT_STATUS_NO_MEMORY;
532 goto done;
534 rc = ads_search_retry(ads, &msg, ldap_exp, attrs);
535 free(ldap_exp);
536 TALLOC_FREE(sidstr);
537 if (!ADS_ERR_OK(rc) || !msg) {
538 DEBUG(1,("query_user(sid=%s) ads_search: %s\n",
539 sid_string_dbg(sid), ads_errstr(rc)));
540 goto done;
543 count = ads_count_replies(ads, msg);
544 if (count != 1) {
545 DEBUG(1,("query_user(sid=%s): Not found\n",
546 sid_string_dbg(sid)));
547 goto done;
550 info->acct_name = ads_pull_username(ads, mem_ctx, msg);
552 nss_get_info_cached( domain, sid, mem_ctx, ads, msg,
553 &info->homedir, &info->shell, &info->full_name,
554 &gid);
555 info->primary_gid = gid;
557 if (info->full_name == NULL) {
558 info->full_name = ads_pull_string(ads, mem_ctx, msg, "name");
561 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &group_rid)) {
562 DEBUG(1,("No primary group for %s !?\n",
563 sid_string_dbg(sid)));
564 goto done;
567 sid_copy(&info->user_sid, sid);
568 sid_compose(&info->group_sid, &domain->sid, group_rid);
570 status = NT_STATUS_OK;
572 DEBUG(3,("ads query_user gave %s\n", info->acct_name));
573 done:
574 if (msg)
575 ads_msgfree(ads, msg);
577 return status;
580 /* Lookup groups a user is a member of - alternate method, for when
581 tokenGroups are not available. */
582 static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain,
583 TALLOC_CTX *mem_ctx,
584 const char *user_dn,
585 DOM_SID *primary_group,
586 size_t *p_num_groups, DOM_SID **user_sids)
588 ADS_STATUS rc;
589 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
590 int count;
591 LDAPMessage *res = NULL;
592 LDAPMessage *msg = NULL;
593 char *ldap_exp;
594 ADS_STRUCT *ads;
595 const char *group_attrs[] = {"objectSid", NULL};
596 char *escaped_dn;
597 size_t num_groups = 0;
599 DEBUG(3,("ads: lookup_usergroups_member\n"));
601 if ( !winbindd_can_contact_domain( domain ) ) {
602 DEBUG(10,("lookup_usergroups_members: No incoming trust for domain %s\n",
603 domain->name));
604 return NT_STATUS_OK;
607 ads = ads_cached_connection(domain);
609 if (!ads) {
610 domain->last_status = NT_STATUS_SERVER_DISABLED;
611 goto done;
614 if (!(escaped_dn = escape_ldap_string(talloc_tos(), user_dn))) {
615 status = NT_STATUS_NO_MEMORY;
616 goto done;
619 ldap_exp = talloc_asprintf(mem_ctx,
620 "(&(member=%s)(objectCategory=group)(groupType:dn:%s:=%d))",
621 escaped_dn,
622 ADS_LDAP_MATCHING_RULE_BIT_AND,
623 GROUP_TYPE_SECURITY_ENABLED);
624 if (!ldap_exp) {
625 DEBUG(1,("lookup_usergroups(dn=%s) asprintf failed!\n", user_dn));
626 TALLOC_FREE(escaped_dn);
627 status = NT_STATUS_NO_MEMORY;
628 goto done;
631 TALLOC_FREE(escaped_dn);
633 rc = ads_search_retry(ads, &res, ldap_exp, group_attrs);
635 if (!ADS_ERR_OK(rc) || !res) {
636 DEBUG(1,("lookup_usergroups ads_search member=%s: %s\n", user_dn, ads_errstr(rc)));
637 return ads_ntstatus(rc);
640 count = ads_count_replies(ads, res);
642 *user_sids = NULL;
643 num_groups = 0;
645 /* always add the primary group to the sid array */
646 status = add_sid_to_array(mem_ctx, primary_group, user_sids,
647 &num_groups);
648 if (!NT_STATUS_IS_OK(status)) {
649 goto done;
652 if (count > 0) {
653 for (msg = ads_first_entry(ads, res); msg;
654 msg = ads_next_entry(ads, msg)) {
655 DOM_SID group_sid;
657 if (!ads_pull_sid(ads, msg, "objectSid", &group_sid)) {
658 DEBUG(1,("No sid for this group ?!?\n"));
659 continue;
662 /* ignore Builtin groups from ADS - Guenther */
663 if (sid_check_is_in_builtin(&group_sid)) {
664 continue;
667 status = add_sid_to_array(mem_ctx, &group_sid,
668 user_sids, &num_groups);
669 if (!NT_STATUS_IS_OK(status)) {
670 goto done;
676 *p_num_groups = num_groups;
677 status = (user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
679 DEBUG(3,("ads lookup_usergroups (member) succeeded for dn=%s\n", user_dn));
680 done:
681 if (res)
682 ads_msgfree(ads, res);
684 return status;
687 /* Lookup groups a user is a member of - alternate method, for when
688 tokenGroups are not available. */
689 static NTSTATUS lookup_usergroups_memberof(struct winbindd_domain *domain,
690 TALLOC_CTX *mem_ctx,
691 const char *user_dn,
692 DOM_SID *primary_group,
693 size_t *p_num_groups,
694 DOM_SID **user_sids)
696 ADS_STATUS rc;
697 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
698 ADS_STRUCT *ads;
699 const char *attrs[] = {"memberOf", NULL};
700 size_t num_groups = 0;
701 DOM_SID *group_sids = NULL;
702 int i;
703 char **strings = NULL;
704 size_t num_strings = 0, num_sids = 0;
707 DEBUG(3,("ads: lookup_usergroups_memberof\n"));
709 if ( !winbindd_can_contact_domain( domain ) ) {
710 DEBUG(10,("lookup_usergroups_memberof: No incoming trust for "
711 "domain %s\n", domain->name));
712 return NT_STATUS_OK;
715 ads = ads_cached_connection(domain);
717 if (!ads) {
718 domain->last_status = NT_STATUS_SERVER_DISABLED;
719 return NT_STATUS_UNSUCCESSFUL;
722 rc = ads_search_retry_extended_dn_ranged(ads, mem_ctx, user_dn, attrs,
723 ADS_EXTENDED_DN_HEX_STRING,
724 &strings, &num_strings);
726 if (!ADS_ERR_OK(rc)) {
727 DEBUG(1,("lookup_usergroups_memberof ads_search "
728 "member=%s: %s\n", user_dn, ads_errstr(rc)));
729 return ads_ntstatus(rc);
732 *user_sids = NULL;
733 num_groups = 0;
735 /* always add the primary group to the sid array */
736 status = add_sid_to_array(mem_ctx, primary_group, user_sids,
737 &num_groups);
738 if (!NT_STATUS_IS_OK(status)) {
739 goto done;
742 group_sids = TALLOC_ZERO_ARRAY(mem_ctx, DOM_SID, num_strings + 1);
743 if (!group_sids) {
744 status = NT_STATUS_NO_MEMORY;
745 goto done;
748 for (i=0; i<num_strings; i++) {
749 rc = ads_get_sid_from_extended_dn(mem_ctx, strings[i],
750 ADS_EXTENDED_DN_HEX_STRING,
751 &(group_sids)[i]);
752 if (!ADS_ERR_OK(rc)) {
753 /* ignore members without SIDs */
754 if (NT_STATUS_EQUAL(ads_ntstatus(rc),
755 NT_STATUS_NOT_FOUND)) {
756 continue;
758 else {
759 status = ads_ntstatus(rc);
760 goto done;
763 num_sids++;
766 if (i == 0) {
767 DEBUG(1,("No memberOf for this user?!?\n"));
768 status = NT_STATUS_NO_MEMORY;
769 goto done;
772 for (i=0; i<num_sids; i++) {
774 /* ignore Builtin groups from ADS - Guenther */
775 if (sid_check_is_in_builtin(&group_sids[i])) {
776 continue;
779 status = add_sid_to_array(mem_ctx, &group_sids[i], user_sids,
780 &num_groups);
781 if (!NT_STATUS_IS_OK(status)) {
782 goto done;
787 *p_num_groups = num_groups;
788 status = (*user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
790 DEBUG(3,("ads lookup_usergroups (memberof) succeeded for dn=%s\n",
791 user_dn));
793 done:
794 TALLOC_FREE(strings);
795 TALLOC_FREE(group_sids);
797 return status;
801 /* Lookup groups a user is a member of. */
802 static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
803 TALLOC_CTX *mem_ctx,
804 const DOM_SID *sid,
805 uint32 *p_num_groups, DOM_SID **user_sids)
807 ADS_STRUCT *ads = NULL;
808 const char *attrs[] = {"tokenGroups", "primaryGroupID", NULL};
809 ADS_STATUS rc;
810 int count;
811 LDAPMessage *msg = NULL;
812 char *user_dn = NULL;
813 DOM_SID *sids;
814 int i;
815 DOM_SID primary_group;
816 uint32 primary_group_rid;
817 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
818 size_t num_groups = 0;
820 DEBUG(3,("ads: lookup_usergroups\n"));
821 *p_num_groups = 0;
823 status = lookup_usergroups_cached(domain, mem_ctx, sid,
824 p_num_groups, user_sids);
825 if (NT_STATUS_IS_OK(status)) {
826 return NT_STATUS_OK;
829 if ( !winbindd_can_contact_domain( domain ) ) {
830 DEBUG(10,("lookup_usergroups: No incoming trust for domain %s\n",
831 domain->name));
833 /* Tell the cache manager not to remember this one */
835 return NT_STATUS_SYNCHRONIZATION_REQUIRED;
838 ads = ads_cached_connection(domain);
840 if (!ads) {
841 domain->last_status = NT_STATUS_SERVER_DISABLED;
842 status = NT_STATUS_SERVER_DISABLED;
843 goto done;
846 rc = ads_search_retry_sid(ads, &msg, sid, attrs);
848 if (!ADS_ERR_OK(rc)) {
849 status = ads_ntstatus(rc);
850 DEBUG(1, ("lookup_usergroups(sid=%s) ads_search tokenGroups: "
851 "%s\n", sid_string_dbg(sid), ads_errstr(rc)));
852 goto done;
855 count = ads_count_replies(ads, msg);
856 if (count != 1) {
857 status = NT_STATUS_UNSUCCESSFUL;
858 DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: "
859 "invalid number of results (count=%d)\n",
860 sid_string_dbg(sid), count));
861 goto done;
864 if (!msg) {
865 DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: NULL msg\n",
866 sid_string_dbg(sid)));
867 status = NT_STATUS_UNSUCCESSFUL;
868 goto done;
871 user_dn = ads_get_dn(ads, mem_ctx, msg);
872 if (user_dn == NULL) {
873 status = NT_STATUS_NO_MEMORY;
874 goto done;
877 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &primary_group_rid)) {
878 DEBUG(1,("%s: No primary group for sid=%s !?\n",
879 domain->name, sid_string_dbg(sid)));
880 goto done;
883 sid_compose(&primary_group, &domain->sid, primary_group_rid);
885 count = ads_pull_sids(ads, mem_ctx, msg, "tokenGroups", &sids);
887 /* there must always be at least one group in the token,
888 unless we are talking to a buggy Win2k server */
890 /* actually this only happens when the machine account has no read
891 * permissions on the tokenGroup attribute - gd */
893 if (count == 0) {
895 /* no tokenGroups */
897 /* lookup what groups this user is a member of by DN search on
898 * "memberOf" */
900 status = lookup_usergroups_memberof(domain, mem_ctx, user_dn,
901 &primary_group,
902 &num_groups, user_sids);
903 *p_num_groups = (uint32)num_groups;
904 if (NT_STATUS_IS_OK(status)) {
905 goto done;
908 /* lookup what groups this user is a member of by DN search on
909 * "member" */
911 status = lookup_usergroups_member(domain, mem_ctx, user_dn,
912 &primary_group,
913 &num_groups, user_sids);
914 *p_num_groups = (uint32)num_groups;
915 goto done;
918 *user_sids = NULL;
919 num_groups = 0;
921 status = add_sid_to_array(mem_ctx, &primary_group, user_sids,
922 &num_groups);
923 if (!NT_STATUS_IS_OK(status)) {
924 goto done;
927 for (i=0;i<count;i++) {
929 /* ignore Builtin groups from ADS - Guenther */
930 if (sid_check_is_in_builtin(&sids[i])) {
931 continue;
934 status = add_sid_to_array_unique(mem_ctx, &sids[i],
935 user_sids, &num_groups);
936 if (!NT_STATUS_IS_OK(status)) {
937 goto done;
941 *p_num_groups = (uint32)num_groups;
942 status = (*user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
944 DEBUG(3,("ads lookup_usergroups (tokenGroups) succeeded for sid=%s\n",
945 sid_string_dbg(sid)));
946 done:
947 TALLOC_FREE(user_dn);
948 ads_msgfree(ads, msg);
949 return status;
952 /* Lookup aliases a user is member of - use rpc methods */
953 static NTSTATUS lookup_useraliases(struct winbindd_domain *domain,
954 TALLOC_CTX *mem_ctx,
955 uint32 num_sids, const DOM_SID *sids,
956 uint32 *num_aliases, uint32 **alias_rids)
958 return reconnect_methods.lookup_useraliases(domain, mem_ctx,
959 num_sids, sids,
960 num_aliases,
961 alias_rids);
965 find the members of a group, given a group rid and domain
967 static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
968 TALLOC_CTX *mem_ctx,
969 const DOM_SID *group_sid,
970 enum lsa_SidType type,
971 uint32 *num_names,
972 DOM_SID **sid_mem, char ***names,
973 uint32 **name_types)
975 ADS_STATUS rc;
976 ADS_STRUCT *ads = NULL;
977 char *ldap_exp;
978 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
979 char *sidbinstr;
980 char **members = NULL;
981 int i;
982 size_t num_members = 0;
983 ads_control args;
984 DOM_SID *sid_mem_nocache = NULL;
985 char **names_nocache = NULL;
986 enum lsa_SidType *name_types_nocache = NULL;
987 char **domains_nocache = NULL; /* only needed for rpccli_lsa_lookup_sids */
988 uint32 num_nocache = 0;
989 TALLOC_CTX *tmp_ctx = NULL;
991 DEBUG(10,("ads: lookup_groupmem %s sid=%s\n", domain->name,
992 sid_string_dbg(group_sid)));
994 *num_names = 0;
996 tmp_ctx = talloc_new(mem_ctx);
997 if (!tmp_ctx) {
998 DEBUG(1, ("ads: lookup_groupmem: talloc failed\n"));
999 status = NT_STATUS_NO_MEMORY;
1000 goto done;
1003 if ( !winbindd_can_contact_domain( domain ) ) {
1004 DEBUG(10,("lookup_groupmem: No incoming trust for domain %s\n",
1005 domain->name));
1006 return NT_STATUS_OK;
1009 ads = ads_cached_connection(domain);
1011 if (!ads) {
1012 domain->last_status = NT_STATUS_SERVER_DISABLED;
1013 goto done;
1016 if ((sidbinstr = sid_binstring(talloc_tos(), group_sid)) == NULL) {
1017 status = NT_STATUS_NO_MEMORY;
1018 goto done;
1021 /* search for all members of the group */
1022 ldap_exp = talloc_asprintf(tmp_ctx, "(objectSid=%s)", sidbinstr);
1023 TALLOC_FREE(sidbinstr);
1024 if (ldap_exp == NULL) {
1025 DEBUG(1, ("ads: lookup_groupmem: talloc_asprintf for ldap_exp failed!\n"));
1026 status = NT_STATUS_NO_MEMORY;
1027 goto done;
1030 args.control = ADS_EXTENDED_DN_OID;
1031 args.val = ADS_EXTENDED_DN_HEX_STRING;
1032 args.critical = True;
1034 rc = ads_ranged_search(ads, tmp_ctx, LDAP_SCOPE_SUBTREE, ads->config.bind_path,
1035 ldap_exp, &args, "member", &members, &num_members);
1037 if (!ADS_ERR_OK(rc)) {
1038 DEBUG(0,("ads_ranged_search failed with: %s\n", ads_errstr(rc)));
1039 status = NT_STATUS_UNSUCCESSFUL;
1040 goto done;
1043 DEBUG(10, ("ads lookup_groupmem: got %d sids via extended dn call\n", (int)num_members));
1045 /* Now that we have a list of sids, we need to get the
1046 * lists of names and name_types belonging to these sids.
1047 * even though conceptually not quite clean, we use the
1048 * RPC call lsa_lookup_sids for this since it can handle a
1049 * list of sids. ldap calls can just resolve one sid at a time.
1051 * At this stage, the sids are still hidden in the exetended dn
1052 * member output format. We actually do a little better than
1053 * stated above: In extracting the sids from the member strings,
1054 * we try to resolve as many sids as possible from the
1055 * cache. Only the rest is passed to the lsa_lookup_sids call. */
1057 if (num_members) {
1058 (*sid_mem) = TALLOC_ZERO_ARRAY(mem_ctx, DOM_SID, num_members);
1059 (*names) = TALLOC_ZERO_ARRAY(mem_ctx, char *, num_members);
1060 (*name_types) = TALLOC_ZERO_ARRAY(mem_ctx, uint32, num_members);
1061 (sid_mem_nocache) = TALLOC_ZERO_ARRAY(tmp_ctx, DOM_SID, num_members);
1063 if ((members == NULL) || (*sid_mem == NULL) ||
1064 (*names == NULL) || (*name_types == NULL) ||
1065 (sid_mem_nocache == NULL))
1067 DEBUG(1, ("ads: lookup_groupmem: talloc failed\n"));
1068 status = NT_STATUS_NO_MEMORY;
1069 goto done;
1072 else {
1073 (*sid_mem) = NULL;
1074 (*names) = NULL;
1075 (*name_types) = NULL;
1078 for (i=0; i<num_members; i++) {
1079 enum lsa_SidType name_type;
1080 char *name, *domain_name;
1081 DOM_SID sid;
1083 rc = ads_get_sid_from_extended_dn(tmp_ctx, members[i], args.val,
1084 &sid);
1085 if (!ADS_ERR_OK(rc)) {
1086 if (NT_STATUS_EQUAL(ads_ntstatus(rc),
1087 NT_STATUS_NOT_FOUND)) {
1088 /* Group members can be objects, like Exchange
1089 * Public Folders, that don't have a SID. Skip
1090 * them. */
1091 continue;
1093 else {
1094 status = ads_ntstatus(rc);
1095 goto done;
1098 if (lookup_cached_sid(mem_ctx, &sid, &domain_name, &name,
1099 &name_type)) {
1100 DEBUG(10,("ads: lookup_groupmem: got sid %s from "
1101 "cache\n", sid_string_dbg(&sid)));
1102 sid_copy(&(*sid_mem)[*num_names], &sid);
1103 (*names)[*num_names] = fill_domain_username_talloc(
1104 *names,
1105 domain_name,
1106 name,
1107 true);
1109 (*name_types)[*num_names] = name_type;
1110 (*num_names)++;
1112 else {
1113 DEBUG(10, ("ads: lookup_groupmem: sid %s not found in "
1114 "cache\n", sid_string_dbg(&sid)));
1115 sid_copy(&(sid_mem_nocache)[num_nocache], &sid);
1116 num_nocache++;
1120 DEBUG(10, ("ads: lookup_groupmem: %d sids found in cache, "
1121 "%d left for lsa_lookupsids\n", *num_names, num_nocache));
1123 /* handle sids not resolved from cache by lsa_lookup_sids */
1124 if (num_nocache > 0) {
1126 status = winbindd_lookup_sids(tmp_ctx,
1127 domain,
1128 num_nocache,
1129 sid_mem_nocache,
1130 &domains_nocache,
1131 &names_nocache,
1132 &name_types_nocache);
1134 if (!(NT_STATUS_IS_OK(status) ||
1135 NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED) ||
1136 NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)))
1138 DEBUG(1, ("lsa_lookupsids call failed with %s "
1139 "- retrying...\n", nt_errstr(status)));
1141 status = winbindd_lookup_sids(tmp_ctx,
1142 domain,
1143 num_nocache,
1144 sid_mem_nocache,
1145 &domains_nocache,
1146 &names_nocache,
1147 &name_types_nocache);
1150 if (NT_STATUS_IS_OK(status) ||
1151 NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED))
1153 /* Copy the entries over from the "_nocache" arrays
1154 * to the result arrays, skipping the gaps the
1155 * lookup_sids call left. */
1156 for (i=0; i < num_nocache; i++) {
1157 if (((names_nocache)[i] != NULL) &&
1158 ((name_types_nocache)[i] != SID_NAME_UNKNOWN))
1160 sid_copy(&(*sid_mem)[*num_names],
1161 &sid_mem_nocache[i]);
1162 (*names)[*num_names] =
1163 fill_domain_username_talloc(
1164 *names,
1165 domains_nocache[i],
1166 names_nocache[i],
1167 true);
1168 (*name_types)[*num_names] = name_types_nocache[i];
1169 (*num_names)++;
1173 else if (NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)) {
1174 DEBUG(10, ("lookup_groupmem: lsa_lookup_sids could "
1175 "not map any SIDs at all.\n"));
1176 /* Don't handle this as an error here.
1177 * There is nothing left to do with respect to the
1178 * overall result... */
1180 else if (!NT_STATUS_IS_OK(status)) {
1181 DEBUG(10, ("lookup_groupmem: Error looking up %d "
1182 "sids via rpc_lsa_lookup_sids: %s\n",
1183 (int)num_members, nt_errstr(status)));
1184 goto done;
1188 status = NT_STATUS_OK;
1189 DEBUG(3,("ads lookup_groupmem for sid=%s succeeded\n",
1190 sid_string_dbg(group_sid)));
1192 done:
1194 TALLOC_FREE(tmp_ctx);
1196 return status;
1199 /* find the sequence number for a domain */
1200 static NTSTATUS sequence_number(struct winbindd_domain *domain, uint32 *seq)
1202 ADS_STRUCT *ads = NULL;
1203 ADS_STATUS rc;
1205 DEBUG(3,("ads: fetch sequence_number for %s\n", domain->name));
1207 if ( !winbindd_can_contact_domain( domain ) ) {
1208 DEBUG(10,("sequence: No incoming trust for domain %s\n",
1209 domain->name));
1210 *seq = time(NULL);
1211 return NT_STATUS_OK;
1214 *seq = DOM_SEQUENCE_NONE;
1216 ads = ads_cached_connection(domain);
1218 if (!ads) {
1219 domain->last_status = NT_STATUS_SERVER_DISABLED;
1220 return NT_STATUS_UNSUCCESSFUL;
1223 rc = ads_USN(ads, seq);
1225 if (!ADS_ERR_OK(rc)) {
1227 /* its a dead connection, destroy it */
1229 if (domain->private_data) {
1230 ads = (ADS_STRUCT *)domain->private_data;
1231 ads->is_mine = True;
1232 ads_destroy(&ads);
1233 ads_kdestroy("MEMORY:winbind_ccache");
1234 domain->private_data = NULL;
1237 return ads_ntstatus(rc);
1240 /* find the lockout policy of a domain - use rpc methods */
1241 static NTSTATUS lockout_policy(struct winbindd_domain *domain,
1242 TALLOC_CTX *mem_ctx,
1243 struct samr_DomInfo12 *policy)
1245 return reconnect_methods.lockout_policy(domain, mem_ctx, policy);
1248 /* find the password policy of a domain - use rpc methods */
1249 static NTSTATUS password_policy(struct winbindd_domain *domain,
1250 TALLOC_CTX *mem_ctx,
1251 struct samr_DomInfo1 *policy)
1253 return reconnect_methods.password_policy(domain, mem_ctx, policy);
1256 /* get a list of trusted domains */
1257 static NTSTATUS trusted_domains(struct winbindd_domain *domain,
1258 TALLOC_CTX *mem_ctx,
1259 struct netr_DomainTrustList *trusts)
1261 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1262 int i;
1263 uint32 flags;
1264 struct rpc_pipe_client *cli;
1265 int ret_count;
1267 DEBUG(3,("ads: trusted_domains\n"));
1269 ZERO_STRUCTP(trusts);
1271 /* If this is our primary domain or a root in our forest,
1272 query for all trusts. If not, then just look for domain
1273 trusts in the target forest */
1275 if (domain->primary || domain_is_forest_root(domain)) {
1276 flags = NETR_TRUST_FLAG_OUTBOUND |
1277 NETR_TRUST_FLAG_INBOUND |
1278 NETR_TRUST_FLAG_IN_FOREST;
1279 } else {
1280 flags = NETR_TRUST_FLAG_IN_FOREST;
1283 result = cm_connect_netlogon(domain, &cli);
1285 if (!NT_STATUS_IS_OK(result)) {
1286 DEBUG(5, ("trusted_domains: Could not open a connection to %s "
1287 "for PIPE_NETLOGON (%s)\n",
1288 domain->name, nt_errstr(result)));
1289 return NT_STATUS_UNSUCCESSFUL;
1292 result = rpccli_netr_DsrEnumerateDomainTrusts(cli, mem_ctx,
1293 cli->desthost,
1294 flags,
1295 trusts,
1296 NULL);
1297 if (!NT_STATUS_IS_OK(result)) {
1298 return result;
1300 if (trusts->count == 0) {
1301 return NT_STATUS_OK;
1304 /* Copy across names and sids */
1306 ret_count = 0;
1307 for (i = 0; i < trusts->count; i++) {
1308 struct netr_DomainTrust *trust = &trusts->array[i];
1309 struct winbindd_domain d;
1311 ZERO_STRUCT(d);
1314 * drop external trusts if this is not our primary
1315 * domain. This means that the returned number of
1316 * domains may be less that the ones actually trusted
1317 * by the DC.
1320 if ((trust->trust_attributes
1321 == NETR_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) &&
1322 !domain->primary )
1324 DEBUG(10,("trusted_domains: Skipping external trusted "
1325 "domain %s because it is outside of our "
1326 "primary domain\n",
1327 trust->netbios_name));
1328 continue;
1331 /* add to the trusted domain cache */
1333 fstrcpy(d.name, trust->netbios_name);
1334 fstrcpy(d.alt_name, trust->dns_name);
1335 if (trust->sid) {
1336 sid_copy(&d.sid, trust->sid);
1337 } else {
1338 sid_copy(&d.sid, &global_sid_NULL);
1341 if ( domain->primary ) {
1342 DEBUG(10,("trusted_domains(ads): Searching "
1343 "trusted domain list of %s and storing "
1344 "trust flags for domain %s\n",
1345 domain->name, d.alt_name));
1347 d.domain_flags = trust->trust_flags;
1348 d.domain_type = trust->trust_type;
1349 d.domain_trust_attribs = trust->trust_attributes;
1351 wcache_tdc_add_domain( &d );
1352 ret_count++;
1353 } else if (domain_is_forest_root(domain)) {
1354 /* Check if we already have this record. If
1355 * we are following our forest root that is not
1356 * our primary domain, we want to keep trust
1357 * flags from the perspective of our primary
1358 * domain not our forest root. */
1359 struct winbindd_tdc_domain *exist = NULL;
1361 exist = wcache_tdc_fetch_domain(
1362 talloc_tos(), trust->netbios_name);
1363 if (!exist) {
1364 DEBUG(10,("trusted_domains(ads): Searching "
1365 "trusted domain list of %s and "
1366 "storing trust flags for domain "
1367 "%s\n", domain->name, d.alt_name));
1368 d.domain_flags = trust->trust_flags;
1369 d.domain_type = trust->trust_type;
1370 d.domain_trust_attribs =
1371 trust->trust_attributes;
1373 wcache_tdc_add_domain( &d );
1374 ret_count++;
1376 TALLOC_FREE(exist);
1377 } else {
1378 /* This gets a little tricky. If we are
1379 following a transitive forest trust, then
1380 innerit the flags, type, and attribs from
1381 the domain we queried to make sure we don't
1382 record the view of the trust from the wrong
1383 side. Always view it from the side of our
1384 primary domain. --jerry */
1385 struct winbindd_tdc_domain *parent = NULL;
1387 DEBUG(10,("trusted_domains(ads): Searching "
1388 "trusted domain list of %s and inheriting "
1389 "trust flags for domain %s\n",
1390 domain->name, d.alt_name));
1392 parent = wcache_tdc_fetch_domain(talloc_tos(),
1393 domain->name);
1394 if (parent) {
1395 d.domain_flags = parent->trust_flags;
1396 d.domain_type = parent->trust_type;
1397 d.domain_trust_attribs = parent->trust_attribs;
1398 } else {
1399 d.domain_flags = domain->domain_flags;
1400 d.domain_type = domain->domain_type;
1401 d.domain_trust_attribs =
1402 domain->domain_trust_attribs;
1404 TALLOC_FREE(parent);
1406 wcache_tdc_add_domain( &d );
1407 ret_count++;
1410 return result;
1413 /* the ADS backend methods are exposed via this structure */
1414 struct winbindd_methods ads_methods = {
1415 True,
1416 query_user_list,
1417 enum_dom_groups,
1418 enum_local_groups,
1419 name_to_sid,
1420 sid_to_name,
1421 rids_to_names,
1422 query_user,
1423 lookup_usergroups,
1424 lookup_useraliases,
1425 lookup_groupmem,
1426 sequence_number,
1427 lockout_policy,
1428 password_policy,
1429 trusted_domains,
1432 #endif