search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s4:torture: test setting EOF of a stream to 0 with enabled AAPL extensions
[Samba.git] / source3 / winbindd / winbindd_msrpc.c
blobeb400f0ebf3ec76f2ed251b0bff80e5fed35b0d6
1 /*
2 Unix SMB/CIFS implementation.
3
4 Winbind rpc backend functions
5
6 Copyright (C) Tim Potter 2000-2001,2003
7 Copyright (C) Andrew Tridgell 2001
8 Copyright (C) Volker Lendecke 2005
9 Copyright (C) Guenther Deschner 2008 (pidl conversion)
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 3 of the License, or
14 (at your option) any later version.
15
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
20
21 You should have received a copy of the GNU General Public License
22 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 */
24
25 #include "includes.h"
26 #include "winbindd.h"
27 #include "winbindd_rpc.h"
28
29 #include "../librpc/gen_ndr/ndr_samr_c.h"
30 #include "rpc_client/cli_pipe.h"
31 #include "rpc_client/cli_samr.h"
32 #include "rpc_client/cli_lsarpc.h"
33 #include "../libcli/security/security.h"
34 #include "libsmb/samlogon_cache.h"
35
36 #undef DBGC_CLASS
37 #define DBGC_CLASS DBGC_WINBIND
38
39 static NTSTATUS winbindd_lookup_names(TALLOC_CTX *mem_ctx,
40 struct winbindd_domain *domain,
41 uint32_t num_names,
42 const char **names,
43 const char ***domains,
44 struct dom_sid **sids,
45 enum lsa_SidType **types);
46
47 /* Query display info for a domain. This returns enough information plus a
48 bit extra to give an overview of domain users for the User Manager
49 application. */
50 static NTSTATUS msrpc_query_user_list(struct winbindd_domain *domain,
51 TALLOC_CTX *mem_ctx,
52 uint32_t **prids)
53 {
54 struct rpc_pipe_client *samr_pipe = NULL;
55 struct policy_handle dom_pol;
56 uint32_t *rids = NULL;
57 TALLOC_CTX *tmp_ctx;
58 NTSTATUS status;
59
60 DEBUG(3, ("msrpc_query_user_list\n"));
61
62 tmp_ctx = talloc_stackframe();
63 if (tmp_ctx == NULL) {
64 return NT_STATUS_NO_MEMORY;
65 }
66
67 if ( !winbindd_can_contact_domain( domain ) ) {
68 DEBUG(10,("query_user_list: No incoming trust for domain %s\n",
69 domain->name));
70 status = NT_STATUS_OK;
71 goto done;
72 }
73
74 status = cm_connect_sam(domain, tmp_ctx, false, &samr_pipe, &dom_pol);
75 if (!NT_STATUS_IS_OK(status)) {
76 goto done;
77 }
78
79 status = rpc_query_user_list(tmp_ctx,
80 samr_pipe,
81 &dom_pol,
82 &domain->sid,
83 &rids);
84 if (!NT_STATUS_IS_OK(status)) {
85 goto done;
86 }
87
88 if (prids) {
89 *prids = talloc_move(mem_ctx, &rids);
90 }
91
92 done:
93 TALLOC_FREE(rids);
94 TALLOC_FREE(tmp_ctx);
95 return status;
96 }
97
98 /* list all domain groups */
99 static NTSTATUS msrpc_enum_dom_groups(struct winbindd_domain *domain,
100 TALLOC_CTX *mem_ctx,
101 uint32_t *pnum_info,
102 struct wb_acct_info **pinfo)
103 {
104 struct rpc_pipe_client *samr_pipe;
105 struct policy_handle dom_pol;
106 struct wb_acct_info *info = NULL;
107 uint32_t num_info = 0;
108 TALLOC_CTX *tmp_ctx;
109 NTSTATUS status;
110
111 DEBUG(3,("msrpc_enum_dom_groups\n"));
112
113 if (pnum_info) {
114 *pnum_info = 0;
115 }
116
117 tmp_ctx = talloc_stackframe();
118 if (tmp_ctx == NULL) {
119 return NT_STATUS_NO_MEMORY;
120 }
121
122 if ( !winbindd_can_contact_domain( domain ) ) {
123 DEBUG(10,("enum_domain_groups: No incoming trust for domain %s\n",
124 domain->name));
125 status = NT_STATUS_OK;
126 goto done;
127 }
128
129 status = cm_connect_sam(domain, tmp_ctx, false, &samr_pipe, &dom_pol);
130 if (!NT_STATUS_IS_OK(status)) {
131 goto done;
132 }
133
134 status = rpc_enum_dom_groups(tmp_ctx,
135 samr_pipe,
136 &dom_pol,
137 &num_info,
138 &info);
139 if (!NT_STATUS_IS_OK(status)) {
140 goto done;
141 }
142
143 if (pnum_info) {
144 *pnum_info = num_info;
145 }
146
147 if (pinfo) {
148 *pinfo = talloc_move(mem_ctx, &info);
149 }
150
151 done:
152 TALLOC_FREE(tmp_ctx);
153 return status;
154 }
155
156 /* List all domain groups */
157
158 static NTSTATUS msrpc_enum_local_groups(struct winbindd_domain *domain,
159 TALLOC_CTX *mem_ctx,
160 uint32_t *pnum_info,
161 struct wb_acct_info **pinfo)
162 {
163 struct rpc_pipe_client *samr_pipe;
164 struct policy_handle dom_pol;
165 struct wb_acct_info *info = NULL;
166 uint32_t num_info = 0;
167 TALLOC_CTX *tmp_ctx;
168 NTSTATUS status;
169
170 DEBUG(3,("msrpc_enum_local_groups\n"));
171
172 if (pnum_info) {
173 *pnum_info = 0;
174 }
175
176 tmp_ctx = talloc_stackframe();
177 if (tmp_ctx == NULL) {
178 return NT_STATUS_NO_MEMORY;
179 }
180
181 if ( !winbindd_can_contact_domain( domain ) ) {
182 DEBUG(10,("enum_local_groups: No incoming trust for domain %s\n",
183 domain->name));
184 status = NT_STATUS_OK;
185 goto done;
186 }
187
188 status = cm_connect_sam(domain, tmp_ctx, false, &samr_pipe, &dom_pol);
189 if (!NT_STATUS_IS_OK(status)) {
190 goto done;
191 }
192
193 status = rpc_enum_local_groups(mem_ctx,
194 samr_pipe,
195 &dom_pol,
196 &num_info,
197 &info);
198 if (!NT_STATUS_IS_OK(status)) {
199 goto done;
200 }
201
202 if (pnum_info) {
203 *pnum_info = num_info;
204 }
205
206 if (pinfo) {
207 *pinfo = talloc_move(mem_ctx, &info);
208 }
209
210 done:
211 TALLOC_FREE(tmp_ctx);
212 return status;
213 }
214
215 /* convert a single name to a sid in a domain */
216 static NTSTATUS msrpc_name_to_sid(struct winbindd_domain *domain,
217 TALLOC_CTX *mem_ctx,
218 const char *domain_name,
219 const char *name,
220 uint32_t flags,
221 struct dom_sid *sid,
222 enum lsa_SidType *type)
223 {
224 NTSTATUS result;
225 struct dom_sid *sids = NULL;
226 enum lsa_SidType *types = NULL;
227 char *full_name = NULL;
228 const char *names[1];
229 NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL;
230 char *mapped_name = NULL;
231
232 if (name == NULL || *name=='\0') {
233 full_name = talloc_asprintf(mem_ctx, "%s", domain_name);
234 } else if (domain_name == NULL || *domain_name == '\0') {
235 full_name = talloc_asprintf(mem_ctx, "%s", name);
236 } else {
237 full_name = talloc_asprintf(mem_ctx, "%s\\%s", domain_name, name);
238 }
239 if (!full_name) {
240 DEBUG(0, ("talloc_asprintf failed!\n"));
241 return NT_STATUS_NO_MEMORY;
242 }
243
244 DEBUG(3, ("msrpc_name_to_sid: name=%s\n", full_name));
245
246 name_map_status = normalize_name_unmap(mem_ctx, full_name,
247 &mapped_name);
248
249 /* Reset the full_name pointer if we mapped anything */
250
251 if (NT_STATUS_IS_OK(name_map_status) ||
252 NT_STATUS_EQUAL(name_map_status, NT_STATUS_FILE_RENAMED))
253 {
254 full_name = mapped_name;
255 }
256
257 DEBUG(3,("name_to_sid [rpc] %s for domain %s\n",
258 full_name?full_name:"", domain_name ));
259
260 names[0] = full_name;
261
262 result = winbindd_lookup_names(mem_ctx, domain, 1,
263 names, NULL,
264 &sids, &types);
265 if (!NT_STATUS_IS_OK(result))
266 return result;
267
268 /* Return rid and type if lookup successful */
269
270 sid_copy(sid, &sids[0]);
271 *type = types[0];
272
273 return NT_STATUS_OK;
274 }
275
276 /*
277 convert a domain SID to a user or group name
278 */
279 static NTSTATUS msrpc_sid_to_name(struct winbindd_domain *domain,
280 TALLOC_CTX *mem_ctx,
281 const struct dom_sid *sid,
282 char **domain_name,
283 char **name,
284 enum lsa_SidType *type)
285 {
286 char **domains;
287 char **names;
288 enum lsa_SidType *types = NULL;
289 NTSTATUS result;
290 NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL;
291 char *mapped_name = NULL;
292
293 DEBUG(3, ("msrpc_sid_to_name: %s for domain %s\n", sid_string_dbg(sid),
294 domain->name ));
295
296 result = winbindd_lookup_sids(mem_ctx,
297 domain,
298 1,
299 sid,
300 &domains,
301 &names,
302 &types);
303 if (!NT_STATUS_IS_OK(result)) {
304 DEBUG(2,("msrpc_sid_to_name: failed to lookup sids: %s\n",
305 nt_errstr(result)));
306 return result;
307 }
308
309
310 *type = (enum lsa_SidType)types[0];
311 *domain_name = domains[0];
312 *name = names[0];
313
314 DEBUG(5,("Mapped sid to [%s]\\[%s]\n", domains[0], *name));
315
316 name_map_status = normalize_name_map(mem_ctx, domain->name, *name,
317 &mapped_name);
318 if (NT_STATUS_IS_OK(name_map_status) ||
319 NT_STATUS_EQUAL(name_map_status, NT_STATUS_FILE_RENAMED))
320 {
321 *name = mapped_name;
322 DEBUG(5,("returning mapped name -- %s\n", *name));
323 }
324
325 return NT_STATUS_OK;
326 }
327
328 static NTSTATUS msrpc_rids_to_names(struct winbindd_domain *domain,
329 TALLOC_CTX *mem_ctx,
330 const struct dom_sid *sid,
331 uint32_t *rids,
332 size_t num_rids,
333 char **domain_name,
334 char ***names,
335 enum lsa_SidType **types)
336 {
337 char **domains;
338 NTSTATUS result;
339 struct dom_sid *sids;
340 size_t i;
341 char **ret_names;
342
343 DEBUG(3, ("msrpc_rids_to_names: domain %s\n", domain->name ));
344
345 if (num_rids) {
346 sids = talloc_array(mem_ctx, struct dom_sid, num_rids);
347 if (sids == NULL) {
348 return NT_STATUS_NO_MEMORY;
349 }
350 } else {
351 sids = NULL;
352 }
353
354 for (i=0; i<num_rids; i++) {
355 if (!sid_compose(&sids[i], sid, rids[i])) {
356 return NT_STATUS_INTERNAL_ERROR;
357 }
358 }
359
360 result = winbindd_lookup_sids(mem_ctx,
361 domain,
362 num_rids,
363 sids,
364 &domains,
365 names,
366 types);
367
368 if (!NT_STATUS_IS_OK(result) &&
369 !NT_STATUS_EQUAL(result, STATUS_SOME_UNMAPPED)) {
370 return result;
371 }
372
373 ret_names = *names;
374 for (i=0; i<num_rids; i++) {
375 NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL;
376 char *mapped_name = NULL;
377
378 if ((*types)[i] != SID_NAME_UNKNOWN) {
379 name_map_status = normalize_name_map(mem_ctx,
380 domain->name,
381 ret_names[i],
382 &mapped_name);
383 if (NT_STATUS_IS_OK(name_map_status) ||
384 NT_STATUS_EQUAL(name_map_status, NT_STATUS_FILE_RENAMED))
385 {
386 ret_names[i] = mapped_name;
387 }
388
389 *domain_name = domains[i];
390 }
391 }
392
393 return result;
394 }
395
396 /* Lookup groups a user is a member of. I wish Unix had a call like this! */
397 static NTSTATUS msrpc_lookup_usergroups(struct winbindd_domain *domain,
398 TALLOC_CTX *mem_ctx,
399 const struct dom_sid *user_sid,
400 uint32_t *pnum_groups,
401 struct dom_sid **puser_grpsids)
402 {
403 struct rpc_pipe_client *samr_pipe;
404 struct policy_handle dom_pol;
405 struct dom_sid *user_grpsids = NULL;
406 uint32_t num_groups = 0;
407 TALLOC_CTX *tmp_ctx;
408 NTSTATUS status;
409
410 DEBUG(3,("msrpc_lookup_usergroups sid=%s\n", sid_string_dbg(user_sid)));
411
412 *pnum_groups = 0;
413
414 tmp_ctx = talloc_stackframe();
415 if (tmp_ctx == NULL) {
416 return NT_STATUS_NO_MEMORY;
417 }
418
419 /* Check if we have a cached user_info_3 */
420 status = lookup_usergroups_cached(tmp_ctx,
421 user_sid,
422 &num_groups,
423 &user_grpsids);
424 if (NT_STATUS_IS_OK(status)) {
425 goto cached;
426 }
427
428 if ( !winbindd_can_contact_domain( domain ) ) {
429 DEBUG(10,("lookup_usergroups: No incoming trust for domain %s\n",
430 domain->name));
431
432 /* Tell the cache manager not to remember this one */
433 status = NT_STATUS_SYNCHRONIZATION_REQUIRED;
434 goto done;
435 }
436
437 /* no cache; hit the wire */
438 status = cm_connect_sam(domain, tmp_ctx, false, &samr_pipe, &dom_pol);
439 if (!NT_STATUS_IS_OK(status)) {
440 goto done;
441 }
442
443 status = rpc_lookup_usergroups(tmp_ctx,
444 samr_pipe,
445 &dom_pol,
446 &domain->sid,
447 user_sid,
448 &num_groups,
449 &user_grpsids);
450 if (!NT_STATUS_IS_OK(status)) {
451 goto done;
452 }
453
454 cached:
455 *pnum_groups = num_groups;
456
457 if (puser_grpsids) {
458 *puser_grpsids = talloc_move(mem_ctx, &user_grpsids);
459 }
460
461 done:
462 TALLOC_FREE(tmp_ctx);
463 return status;
464 return NT_STATUS_OK;
465 }
466
467 #define MAX_SAM_ENTRIES_W2K 0x400 /* 1024 */
468
469 static NTSTATUS msrpc_lookup_useraliases(struct winbindd_domain *domain,
470 TALLOC_CTX *mem_ctx,
471 uint32_t num_sids, const struct dom_sid *sids,
472 uint32_t *pnum_aliases,
473 uint32_t **palias_rids)
474 {
475 struct rpc_pipe_client *samr_pipe;
476 struct policy_handle dom_pol;
477 uint32_t num_aliases = 0;
478 uint32_t *alias_rids = NULL;
479 TALLOC_CTX *tmp_ctx;
480 NTSTATUS status;
481
482 DEBUG(3,("msrpc_lookup_useraliases\n"));
483
484 if (pnum_aliases) {
485 *pnum_aliases = 0;
486 }
487
488 tmp_ctx = talloc_stackframe();
489 if (tmp_ctx == NULL) {
490 return NT_STATUS_NO_MEMORY;
491 }
492
493 if (!winbindd_can_contact_domain(domain)) {
494 DEBUG(10,("msrpc_lookup_useraliases: No incoming trust for domain %s\n",
495 domain->name));
496 /* Tell the cache manager not to remember this one */
497 status = NT_STATUS_SYNCHRONIZATION_REQUIRED;
498 goto done;
499 }
500
501 status = cm_connect_sam(domain, tmp_ctx, false, &samr_pipe, &dom_pol);
502 if (!NT_STATUS_IS_OK(status)) {
503 goto done;
504 }
505
506 status = rpc_lookup_useraliases(tmp_ctx,
507 samr_pipe,
508 &dom_pol,
509 num_sids,
510 sids,
511 &num_aliases,
512 &alias_rids);
513 if (!NT_STATUS_IS_OK(status)) {
514 goto done;
515 }
516
517 if (pnum_aliases) {
518 *pnum_aliases = num_aliases;
519 }
520
521 if (palias_rids) {
522 *palias_rids = talloc_move(mem_ctx, &alias_rids);
523 }
524
525 done:
526 TALLOC_FREE(tmp_ctx);
527 return status;
528 }
529
530
531 /* Lookup group membership given a rid. */
532 static NTSTATUS msrpc_lookup_groupmem(struct winbindd_domain *domain,
533 TALLOC_CTX *mem_ctx,
534 const struct dom_sid *group_sid,
535 enum lsa_SidType type,
536 uint32_t *num_names,
537 struct dom_sid **sid_mem,
538 char ***names,
539 uint32_t **name_types)
540 {
541 NTSTATUS status, result;
542 uint32_t i, total_names = 0;
543 struct policy_handle dom_pol, group_pol;
544 uint32_t des_access = SEC_FLAG_MAXIMUM_ALLOWED;
545 uint32_t *rid_mem = NULL;
546 uint32_t group_rid;
547 unsigned int j, r;
548 struct rpc_pipe_client *cli;
549 unsigned int orig_timeout;
550 struct samr_RidAttrArray *rids = NULL;
551 struct dcerpc_binding_handle *b;
552
553 DEBUG(3,("msrpc_lookup_groupmem: %s sid=%s\n", domain->name,
554 sid_string_dbg(group_sid)));
555
556 if ( !winbindd_can_contact_domain( domain ) ) {
557 DEBUG(10,("lookup_groupmem: No incoming trust for domain %s\n",
558 domain->name));
559 return NT_STATUS_OK;
560 }
561
562 if (!sid_peek_check_rid(&domain->sid, group_sid, &group_rid))
563 return NT_STATUS_UNSUCCESSFUL;
564
565 *num_names = 0;
566
567 result = cm_connect_sam(domain, mem_ctx, false, &cli, &dom_pol);
568 if (!NT_STATUS_IS_OK(result))
569 return result;
570
571 b = cli->binding_handle;
572
573 status = dcerpc_samr_OpenGroup(b, mem_ctx,
574 &dom_pol,
575 des_access,
576 group_rid,
577 &group_pol,
578 &result);
579 if (any_nt_status_not_ok(status, result, &status)) {
580 return status;
581 }
582
583 /* Step #1: Get a list of user rids that are the members of the
584 group. */
585
586 /* This call can take a long time - allow the server to time out.
587 35 seconds should do it. */
588
589 orig_timeout = rpccli_set_timeout(cli, 35000);
590
591 status = dcerpc_samr_QueryGroupMember(b, mem_ctx,
592 &group_pol,
593 &rids,
594 &result);
595
596 /* And restore our original timeout. */
597 rpccli_set_timeout(cli, orig_timeout);
598
599 {
600 NTSTATUS _result;
601 dcerpc_samr_Close(b, mem_ctx, &group_pol, &_result);
602 }
603
604 if (any_nt_status_not_ok(status, result, &status)) {
605 return status;
606 }
607
608 if (!rids || !rids->count) {
609 names = NULL;
610 name_types = NULL;
611 sid_mem = NULL;
612 return NT_STATUS_OK;
613 }
614
615 *num_names = rids->count;
616 rid_mem = rids->rids;
617
618 /* Step #2: Convert list of rids into list of usernames. Do this
619 in bunches of ~1000 to avoid crashing NT4. It looks like there
620 is a buffer overflow or something like that lurking around
621 somewhere. */
622
623 #define MAX_LOOKUP_RIDS 900
624
625 *names = talloc_zero_array(mem_ctx, char *, *num_names);
626 *name_types = talloc_zero_array(mem_ctx, uint32_t, *num_names);
627 *sid_mem = talloc_zero_array(mem_ctx, struct dom_sid, *num_names);
628
629 for (j=0;j<(*num_names);j++)
630 sid_compose(&(*sid_mem)[j], &domain->sid, rid_mem[j]);
631
632 if (*num_names>0 && (!*names || !*name_types))
633 return NT_STATUS_NO_MEMORY;
634
635 for (i = 0; i < *num_names; i += MAX_LOOKUP_RIDS) {
636 int num_lookup_rids = MIN(*num_names - i, MAX_LOOKUP_RIDS);
637 struct lsa_Strings tmp_names;
638 struct samr_Ids tmp_types;
639
640 /* Lookup a chunk of rids */
641
642 status = dcerpc_samr_LookupRids(b, mem_ctx,
643 &dom_pol,
644 num_lookup_rids,
645 &rid_mem[i],
646 &tmp_names,
647 &tmp_types,
648 &result);
649 if (!NT_STATUS_IS_OK(status)) {
650 return status;
651 }
652
653 /* see if we have a real error (and yes the
654 STATUS_SOME_UNMAPPED is the one returned from 2k) */
655
656 if (!NT_STATUS_IS_OK(result) &&
657 !NT_STATUS_EQUAL(result, STATUS_SOME_UNMAPPED))
658 return result;
659
660 /* Copy result into array. The talloc system will take
661 care of freeing the temporary arrays later on. */
662
663 if (tmp_names.count != num_lookup_rids) {
664 return NT_STATUS_INVALID_NETWORK_RESPONSE;
665 }
666 if (tmp_types.count != num_lookup_rids) {
667 return NT_STATUS_INVALID_NETWORK_RESPONSE;
668 }
669
670 for (r=0; r<tmp_names.count; r++) {
671 if (tmp_types.ids[r] == SID_NAME_UNKNOWN) {
672 continue;
673 }
674 if (total_names >= *num_names) {
675 break;
676 }
677 (*names)[total_names] = fill_domain_username_talloc(
678 mem_ctx, domain->name,
679 tmp_names.names[r].string, true);
680 (*name_types)[total_names] = tmp_types.ids[r];
681 total_names += 1;
682 }
683 }
684
685 *num_names = total_names;
686
687 return NT_STATUS_OK;
688 }
689
690 #ifdef HAVE_LDAP
691
692 #include "ads.h"
693
694 static int get_ldap_seq(const char *server, struct sockaddr_storage *ss, int port, uint32_t *seq)
695 {
696 int ret = -1;
697 struct timeval to;
698 const char *attrs[] = {"highestCommittedUSN", NULL};
699 LDAPMessage *res = NULL;
700 char **values = NULL;
701 LDAP *ldp = NULL;
702
703 *seq = DOM_SEQUENCE_NONE;
704
705 /*
706 * Parameterised (5) second timeout on open. This is needed as the
707 * search timeout doesn't seem to apply to doing an open as well. JRA.
708 */
709
710 ldp = ldap_open_with_timeout(server, ss, port, lp_ldap_timeout());
711 if (ldp == NULL)
712 return -1;
713
714 /* Timeout if no response within 20 seconds. */
715 to.tv_sec = 10;
716 to.tv_usec = 0;
717
718 if (ldap_search_st(ldp, "", LDAP_SCOPE_BASE, "(objectclass=*)",
719 discard_const_p(char *, attrs), 0, &to, &res))
720 goto done;
721
722 if (ldap_count_entries(ldp, res) != 1)
723 goto done;
724
725 values = ldap_get_values(ldp, res, "highestCommittedUSN");
726 if (!values || !values[0])
727 goto done;
728
729 *seq = atoi(values[0]);
730 ret = 0;
731
732 done:
733
734 if (values)
735 ldap_value_free(values);
736 if (res)
737 ldap_msgfree(res);
738 if (ldp)
739 ldap_unbind(ldp);
740 return ret;
741 }
742
743 /**********************************************************************
744 Get the sequence number for a Windows AD native mode domain using
745 LDAP queries.
746 **********************************************************************/
747
748 static int get_ldap_sequence_number(struct winbindd_domain *domain, uint32_t *seq)
749 {
750 int ret = -1;
751 char addr[INET6_ADDRSTRLEN];
752
753 print_sockaddr(addr, sizeof(addr), &domain->dcaddr);
754 if ((ret = get_ldap_seq(addr, &domain->dcaddr, LDAP_PORT, seq)) == 0) {
755 DEBUG(3, ("get_ldap_sequence_number: Retrieved sequence "
756 "number for Domain (%s) from DC (%s)\n",
757 domain->name, addr));
758 }
759 return ret;
760 }
761
762 #endif /* HAVE_LDAP */
763
764 /* find the sequence number for a domain */
765 static NTSTATUS msrpc_sequence_number(struct winbindd_domain *domain,
766 uint32_t *pseq)
767 {
768 struct rpc_pipe_client *samr_pipe;
769 struct policy_handle dom_pol;
770 uint32_t seq = DOM_SEQUENCE_NONE;
771 TALLOC_CTX *tmp_ctx;
772 NTSTATUS status;
773
774 DEBUG(3, ("msrpc_sequence_number: fetch sequence_number for %s\n", domain->name));
775
776 if (pseq) {
777 *pseq = DOM_SEQUENCE_NONE;
778 }
779
780 tmp_ctx = talloc_stackframe();
781 if (tmp_ctx == NULL) {
782 return NT_STATUS_NO_MEMORY;
783 }
784
785 if ( !winbindd_can_contact_domain( domain ) ) {
786 DEBUG(10,("sequence_number: No incoming trust for domain %s\n",
787 domain->name));
788 if (pseq) {
789 *pseq = time(NULL);
790 }
791 status = NT_STATUS_OK;
792 goto done;
793 }
794
795 #ifdef HAVE_LDAP
796 if (domain->active_directory) {
797 int rc;
798
799 DEBUG(8,("using get_ldap_seq() to retrieve the "
800 "sequence number\n"));
801
802 rc = get_ldap_sequence_number(domain, &seq);
803 if (rc == 0) {
804 DEBUG(10,("domain_sequence_number: LDAP for "
805 "domain %s is %u\n",
806 domain->name, seq));
807
808 if (pseq) {
809 *pseq = seq;
810 }
811
812 status = NT_STATUS_OK;
813 goto done;
814 }
815
816 DEBUG(10,("domain_sequence_number: failed to get LDAP "
817 "sequence number for domain %s\n",
818 domain->name ));
819 }
820 #endif /* HAVE_LDAP */
821
822 status = cm_connect_sam(domain, tmp_ctx, false, &samr_pipe, &dom_pol);
823 if (!NT_STATUS_IS_OK(status)) {
824 goto done;
825 }
826
827 status = rpc_sequence_number(tmp_ctx,
828 samr_pipe,
829 &dom_pol,
830 domain->name,
831 &seq);
832 if (!NT_STATUS_IS_OK(status)) {
833 goto done;
834 }
835
836 if (pseq) {
837 *pseq = seq;
838 }
839
840 done:
841 TALLOC_FREE(tmp_ctx);
842 return status;
843 }
844
845 /* get a list of trusted domains */
846 static NTSTATUS msrpc_trusted_domains(struct winbindd_domain *domain,
847 TALLOC_CTX *mem_ctx,
848 struct netr_DomainTrustList *ptrust_list)
849 {
850 struct rpc_pipe_client *lsa_pipe;
851 struct policy_handle lsa_policy;
852 struct netr_DomainTrust *trusts = NULL;
853 uint32_t num_trusts = 0;
854 TALLOC_CTX *tmp_ctx;
855 NTSTATUS status;
856
857 DEBUG(3,("msrpc_trusted_domains\n"));
858
859 if (ptrust_list) {
860 ZERO_STRUCTP(ptrust_list);
861 }
862
863 tmp_ctx = talloc_stackframe();
864 if (tmp_ctx == NULL) {
865 return NT_STATUS_NO_MEMORY;
866 }
867
868 status = cm_connect_lsa(domain, tmp_ctx, &lsa_pipe, &lsa_policy);
869 if (!NT_STATUS_IS_OK(status)) {
870 goto done;
871 }
872
873 status = rpc_trusted_domains(tmp_ctx,
874 lsa_pipe,
875 &lsa_policy,
876 &num_trusts,
877 &trusts);
878 if (!NT_STATUS_IS_OK(status)) {
879 goto done;
880 }
881
882 if (ptrust_list) {
883 ptrust_list->count = num_trusts;
884 ptrust_list->array = talloc_move(mem_ctx, &trusts);
885 }
886
887 done:
888 TALLOC_FREE(tmp_ctx);
889 return status;
890 }
891
892 /* find the lockout policy for a domain */
893 static NTSTATUS msrpc_lockout_policy(struct winbindd_domain *domain,
894 TALLOC_CTX *mem_ctx,
895 struct samr_DomInfo12 *lockout_policy)
896 {
897 NTSTATUS status, result;
898 struct rpc_pipe_client *cli;
899 struct policy_handle dom_pol;
900 union samr_DomainInfo *info = NULL;
901 struct dcerpc_binding_handle *b;
902
903 DEBUG(3, ("msrpc_lockout_policy: fetch lockout policy for %s\n", domain->name));
904
905 if ( !winbindd_can_contact_domain( domain ) ) {
906 DEBUG(10,("msrpc_lockout_policy: No incoming trust for domain %s\n",
907 domain->name));
908 return NT_STATUS_NOT_SUPPORTED;
909 }
910
911 status = cm_connect_sam(domain, mem_ctx, false, &cli, &dom_pol);
912 if (!NT_STATUS_IS_OK(status)) {
913 goto done;
914 }
915
916 b = cli->binding_handle;
917
918 status = dcerpc_samr_QueryDomainInfo(b, mem_ctx,
919 &dom_pol,
920 DomainLockoutInformation,
921 &info,
922 &result);
923 if (any_nt_status_not_ok(status, result, &status)) {
924 return status;
925 }
926
927 *lockout_policy = info->info12;
928
929 DEBUG(10,("msrpc_lockout_policy: lockout_threshold %d\n",
930 info->info12.lockout_threshold));
931
932 done:
933
934 return status;
935 }
936
937 /* find the password policy for a domain */
938 static NTSTATUS msrpc_password_policy(struct winbindd_domain *domain,
939 TALLOC_CTX *mem_ctx,
940 struct samr_DomInfo1 *password_policy)
941 {
942 NTSTATUS status, result;
943 struct rpc_pipe_client *cli;
944 struct policy_handle dom_pol;
945 union samr_DomainInfo *info = NULL;
946 struct dcerpc_binding_handle *b;
947
948 DEBUG(3, ("msrpc_password_policy: fetch password policy for %s\n",
949 domain->name));
950
951 if ( !winbindd_can_contact_domain( domain ) ) {
952 DEBUG(10,("msrpc_password_policy: No incoming trust for domain %s\n",
953 domain->name));
954 return NT_STATUS_NOT_SUPPORTED;
955 }
956
957 status = cm_connect_sam(domain, mem_ctx, false, &cli, &dom_pol);
958 if (!NT_STATUS_IS_OK(status)) {
959 goto done;
960 }
961
962 b = cli->binding_handle;
963
964 status = dcerpc_samr_QueryDomainInfo(b, mem_ctx,
965 &dom_pol,
966 DomainPasswordInformation,
967 &info,
968 &result);
969 if (!NT_STATUS_IS_OK(status)) {
970 goto done;
971 }
972 if (!NT_STATUS_IS_OK(result)) {
973 goto done;
974 }
975
976 *password_policy = info->info1;
977
978 DEBUG(10,("msrpc_password_policy: min_length_password %d\n",
979 info->info1.min_password_length));
980
981 done:
982
983 return status;
984 }
985
986 static enum lsa_LookupNamesLevel winbindd_lookup_level(
987 struct winbindd_domain *domain)
988 {
989 enum lsa_LookupNamesLevel level = LSA_LOOKUP_NAMES_DOMAINS_ONLY;
990
991 if (domain->internal) {
992 level = LSA_LOOKUP_NAMES_ALL;
993 } else if (domain->secure_channel_type == SEC_CHAN_DNS_DOMAIN) {
994 if (domain->domain_flags & NETR_TRUST_FLAG_IN_FOREST) {
995 /*
996 * TODO:
997 *
998 * Depending on what we want to resolve. We need to use:
999 * 1. LsapLookupXForestReferral(5)/LSA_LOOKUP_NAMES_FOREST_TRUSTS_ONLY
1000 * if we want to pass the request into the direction of the forest
1001 * root domain. The forest root domain uses
1002 * LsapLookupXForestResolve(6)/LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2
1003 * when passing the request to trusted forests.
1004 * 2. LsapLookupGC(4)/LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY
1005 * if we're not a GC and want to resolve a name within our own forest.
1006 *
1007 * As we don't support more than one domain in our own forest
1008 * and always try to be a GC for now, we just set
1009 * LSA_LOOKUP_NAMES_FOREST_TRUSTS_ONLY.
1010 */
1011 level = LSA_LOOKUP_NAMES_FOREST_TRUSTS_ONLY;
1012 } else if (domain->domain_trust_attribs & LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) {
1013 /*
1014 * This is LsapLookupXForestResolve(6)/LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2
1015 */
1016 level = LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2;
1017 } else {
1018 /*
1019 * This is LsapLookupTDL(3)/LSA_LOOKUP_NAMES_PRIMARY_DOMAIN_ONLY
1020 */
1021 level = LSA_LOOKUP_NAMES_PRIMARY_DOMAIN_ONLY;
1022 }
1023 } else if (domain->secure_channel_type == SEC_CHAN_DOMAIN) {
1024 /*
1025 * This is LsapLookupTDL(3)/LSA_LOOKUP_NAMES_PRIMARY_DOMAIN_ONLY
1026 */
1027 level = LSA_LOOKUP_NAMES_PRIMARY_DOMAIN_ONLY;
1028 } else if (domain->rodc) {
1029 level = LSA_LOOKUP_NAMES_RODC_REFERRAL_TO_FULL_DC;
1030 } else {
1031 /*
1032 * This is LsapLookupPDC(2)/LSA_LOOKUP_NAMES_DOMAINS_ONLY
1033 */
1034 level = LSA_LOOKUP_NAMES_DOMAINS_ONLY;
1035 }
1036
1037 return level;
1038 }
1039
1040 NTSTATUS winbindd_lookup_sids(TALLOC_CTX *mem_ctx,
1041 struct winbindd_domain *domain,
1042 uint32_t num_sids,
1043 const struct dom_sid *sids,
1044 char ***domains,
1045 char ***names,
1046 enum lsa_SidType **types)
1047 {
1048 NTSTATUS status;
1049 NTSTATUS result;
1050 struct rpc_pipe_client *cli = NULL;
1051 struct dcerpc_binding_handle *b = NULL;
1052 struct policy_handle lsa_policy;
1053 unsigned int orig_timeout;
1054 bool use_lookupsids3 = false;
1055 bool retried = false;
1056 enum lsa_LookupNamesLevel level = LSA_LOOKUP_NAMES_ALL;
1057
1058 connect:
1059 status = cm_connect_lsat(domain, mem_ctx, &cli, &lsa_policy);
1060 if (!NT_STATUS_IS_OK(status)) {
1061 return status;
1062 }
1063
1064 b = cli->binding_handle;
1065
1066 if (cli->transport->transport == NCACN_IP_TCP) {
1067 use_lookupsids3 = true;
1068 }
1069
1070 level = winbindd_lookup_level(domain);
1071
1072 /*
1073 * This call can take a long time
1074 * allow the server to time out.
1075 * 35 seconds should do it.
1076 */
1077 orig_timeout = dcerpc_binding_handle_set_timeout(b, 35000);
1078
1079 status = dcerpc_lsa_lookup_sids_generic(b,
1080 mem_ctx,
1081 &lsa_policy,
1082 num_sids,
1083 sids,
1084 level,
1085 domains,
1086 names,
1087 types,
1088 use_lookupsids3,
1089 &result);
1090
1091 /* And restore our original timeout. */
1092 dcerpc_binding_handle_set_timeout(b, orig_timeout);
1093
1094 if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) ||
1095 NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR) ||
1096 NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED)) {
1097 /*
1098 * This can happen if the schannel key is not
1099 * valid anymore, we need to invalidate the
1100 * all connections to the dc and reestablish
1101 * a netlogon connection first.
1102 */
1103 invalidate_cm_connection(domain);
1104 domain->can_do_ncacn_ip_tcp = domain->active_directory;
1105 if (!retried) {
1106 retried = true;
1107 goto connect;
1108 }
1109 status = NT_STATUS_ACCESS_DENIED;
1110 }
1111
1112 if (any_nt_status_not_ok(status, result, &status)) {
1113 return status;
1114 }
1115
1116 return NT_STATUS_OK;
1117 }
1118
1119 static NTSTATUS winbindd_lookup_names(TALLOC_CTX *mem_ctx,
1120 struct winbindd_domain *domain,
1121 uint32_t num_names,
1122 const char **names,
1123 const char ***domains,
1124 struct dom_sid **sids,
1125 enum lsa_SidType **types)
1126 {
1127 NTSTATUS status;
1128 NTSTATUS result;
1129 struct rpc_pipe_client *cli = NULL;
1130 struct dcerpc_binding_handle *b = NULL;
1131 struct policy_handle lsa_policy;
1132 unsigned int orig_timeout = 0;
1133 bool use_lookupnames4 = false;
1134 bool retried = false;
1135 enum lsa_LookupNamesLevel level = LSA_LOOKUP_NAMES_ALL;
1136
1137 connect:
1138 status = cm_connect_lsat(domain, mem_ctx, &cli, &lsa_policy);
1139 if (!NT_STATUS_IS_OK(status)) {
1140 return status;
1141 }
1142
1143 b = cli->binding_handle;
1144
1145 if (cli->transport->transport == NCACN_IP_TCP) {
1146 use_lookupnames4 = true;
1147 }
1148
1149 level = winbindd_lookup_level(domain);
1150
1151 /*
1152 * This call can take a long time
1153 * allow the server to time out.
1154 * 35 seconds should do it.
1155 */
1156 orig_timeout = dcerpc_binding_handle_set_timeout(b, 35000);
1157
1158 status = dcerpc_lsa_lookup_names_generic(b,
1159 mem_ctx,
1160 &lsa_policy,
1161 num_names,
1162 (const char **) names,
1163 domains,
1164 level,
1165 sids,
1166 types,
1167 use_lookupnames4,
1168 &result);
1169
1170 /* And restore our original timeout. */
1171 dcerpc_binding_handle_set_timeout(b, orig_timeout);
1172
1173 if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) ||
1174 NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR) ||
1175 NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED)) {
1176 /*
1177 * This can happen if the schannel key is not
1178 * valid anymore, we need to invalidate the
1179 * all connections to the dc and reestablish
1180 * a netlogon connection first.
1181 */
1182 invalidate_cm_connection(domain);
1183 if (!retried) {
1184 retried = true;
1185 goto connect;
1186 }
1187 status = NT_STATUS_ACCESS_DENIED;
1188 }
1189
1190 if (any_nt_status_not_ok(status, result, &status)) {
1191 return status;
1192 }
1193
1194 return NT_STATUS_OK;
1195 }
1196
1197 /* the rpc backend methods are exposed via this structure */
1198 struct winbindd_methods msrpc_methods = {
1199 False,
1200 msrpc_query_user_list,
1201 msrpc_enum_dom_groups,
1202 msrpc_enum_local_groups,
1203 msrpc_name_to_sid,
1204 msrpc_sid_to_name,
1205 msrpc_rids_to_names,
1206 msrpc_lookup_usergroups,
1207 msrpc_lookup_useraliases,
1208 msrpc_lookup_groupmem,
1209 msrpc_sequence_number,
1210 msrpc_lockout_policy,
1211 msrpc_password_policy,
1212 msrpc_trusted_domains,
1213 };
Samba GIT mirror