search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
ctdb-logging: Remove log member from struct ctdb_context
[Samba.git] / source3 / winbindd / winbindd_msrpc.c
blob8454f93c03f597780956349a724b893337eca8dc
1 /*
2 Unix SMB/CIFS implementation.
3
4 Winbind rpc backend functions
5
6 Copyright (C) Tim Potter 2000-2001,2003
7 Copyright (C) Andrew Tridgell 2001
8 Copyright (C) Volker Lendecke 2005
9 Copyright (C) Guenther Deschner 2008 (pidl conversion)
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 3 of the License, or
14 (at your option) any later version.
15
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
20
21 You should have received a copy of the GNU General Public License
22 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 */
24
25 #include "includes.h"
26 #include "winbindd.h"
27 #include "winbindd_rpc.h"
28
29 #include "../librpc/gen_ndr/ndr_samr_c.h"
30 #include "rpc_client/cli_pipe.h"
31 #include "rpc_client/cli_samr.h"
32 #include "rpc_client/cli_lsarpc.h"
33 #include "../libcli/security/security.h"
34
35 #undef DBGC_CLASS
36 #define DBGC_CLASS DBGC_WINBIND
37
38 static NTSTATUS winbindd_lookup_names(TALLOC_CTX *mem_ctx,
39 struct winbindd_domain *domain,
40 uint32_t num_names,
41 const char **names,
42 const char ***domains,
43 struct dom_sid **sids,
44 enum lsa_SidType **types);
45
46 /* Query display info for a domain. This returns enough information plus a
47 bit extra to give an overview of domain users for the User Manager
48 application. */
49 static NTSTATUS msrpc_query_user_list(struct winbindd_domain *domain,
50 TALLOC_CTX *mem_ctx,
51 uint32_t *pnum_info,
52 struct wbint_userinfo **pinfo)
53 {
54 struct rpc_pipe_client *samr_pipe = NULL;
55 struct policy_handle dom_pol;
56 struct wbint_userinfo *info = NULL;
57 uint32_t num_info = 0;
58 TALLOC_CTX *tmp_ctx;
59 NTSTATUS status;
60
61 DEBUG(3, ("msrpc_query_user_list\n"));
62
63 if (pnum_info) {
64 *pnum_info = 0;
65 }
66
67 tmp_ctx = talloc_stackframe();
68 if (tmp_ctx == NULL) {
69 return NT_STATUS_NO_MEMORY;
70 }
71
72 if ( !winbindd_can_contact_domain( domain ) ) {
73 DEBUG(10,("query_user_list: No incoming trust for domain %s\n",
74 domain->name));
75 status = NT_STATUS_OK;
76 goto done;
77 }
78
79 status = cm_connect_sam(domain, tmp_ctx, false, &samr_pipe, &dom_pol);
80 if (!NT_STATUS_IS_OK(status)) {
81 goto done;
82 }
83
84 status = rpc_query_user_list(tmp_ctx,
85 samr_pipe,
86 &dom_pol,
87 &domain->sid,
88 &num_info,
89 &info);
90 if (!NT_STATUS_IS_OK(status)) {
91 goto done;
92 }
93
94 if (pnum_info) {
95 *pnum_info = num_info;
96 }
97
98 if (pinfo) {
99 *pinfo = talloc_move(mem_ctx, &info);
100 }
101
102 done:
103 TALLOC_FREE(tmp_ctx);
104 return status;
105 }
106
107 /* list all domain groups */
108 static NTSTATUS msrpc_enum_dom_groups(struct winbindd_domain *domain,
109 TALLOC_CTX *mem_ctx,
110 uint32_t *pnum_info,
111 struct wb_acct_info **pinfo)
112 {
113 struct rpc_pipe_client *samr_pipe;
114 struct policy_handle dom_pol;
115 struct wb_acct_info *info = NULL;
116 uint32_t num_info = 0;
117 TALLOC_CTX *tmp_ctx;
118 NTSTATUS status;
119
120 DEBUG(3,("msrpc_enum_dom_groups\n"));
121
122 if (pnum_info) {
123 *pnum_info = 0;
124 }
125
126 tmp_ctx = talloc_stackframe();
127 if (tmp_ctx == NULL) {
128 return NT_STATUS_NO_MEMORY;
129 }
130
131 if ( !winbindd_can_contact_domain( domain ) ) {
132 DEBUG(10,("enum_domain_groups: No incoming trust for domain %s\n",
133 domain->name));
134 status = NT_STATUS_OK;
135 goto done;
136 }
137
138 status = cm_connect_sam(domain, tmp_ctx, false, &samr_pipe, &dom_pol);
139 if (!NT_STATUS_IS_OK(status)) {
140 goto done;
141 }
142
143 status = rpc_enum_dom_groups(tmp_ctx,
144 samr_pipe,
145 &dom_pol,
146 &num_info,
147 &info);
148 if (!NT_STATUS_IS_OK(status)) {
149 goto done;
150 }
151
152 if (pnum_info) {
153 *pnum_info = num_info;
154 }
155
156 if (pinfo) {
157 *pinfo = talloc_move(mem_ctx, &info);
158 }
159
160 done:
161 TALLOC_FREE(tmp_ctx);
162 return status;
163 }
164
165 /* List all domain groups */
166
167 static NTSTATUS msrpc_enum_local_groups(struct winbindd_domain *domain,
168 TALLOC_CTX *mem_ctx,
169 uint32_t *pnum_info,
170 struct wb_acct_info **pinfo)
171 {
172 struct rpc_pipe_client *samr_pipe;
173 struct policy_handle dom_pol;
174 struct wb_acct_info *info = NULL;
175 uint32_t num_info = 0;
176 TALLOC_CTX *tmp_ctx;
177 NTSTATUS status;
178
179 DEBUG(3,("msrpc_enum_local_groups\n"));
180
181 if (pnum_info) {
182 *pnum_info = 0;
183 }
184
185 tmp_ctx = talloc_stackframe();
186 if (tmp_ctx == NULL) {
187 return NT_STATUS_NO_MEMORY;
188 }
189
190 if ( !winbindd_can_contact_domain( domain ) ) {
191 DEBUG(10,("enum_local_groups: No incoming trust for domain %s\n",
192 domain->name));
193 status = NT_STATUS_OK;
194 goto done;
195 }
196
197 status = cm_connect_sam(domain, tmp_ctx, false, &samr_pipe, &dom_pol);
198 if (!NT_STATUS_IS_OK(status)) {
199 goto done;
200 }
201
202 status = rpc_enum_local_groups(mem_ctx,
203 samr_pipe,
204 &dom_pol,
205 &num_info,
206 &info);
207 if (!NT_STATUS_IS_OK(status)) {
208 goto done;
209 }
210
211 if (pnum_info) {
212 *pnum_info = num_info;
213 }
214
215 if (pinfo) {
216 *pinfo = talloc_move(mem_ctx, &info);
217 }
218
219 done:
220 TALLOC_FREE(tmp_ctx);
221 return status;
222 }
223
224 /* convert a single name to a sid in a domain */
225 static NTSTATUS msrpc_name_to_sid(struct winbindd_domain *domain,
226 TALLOC_CTX *mem_ctx,
227 const char *domain_name,
228 const char *name,
229 uint32_t flags,
230 struct dom_sid *sid,
231 enum lsa_SidType *type)
232 {
233 NTSTATUS result;
234 struct dom_sid *sids = NULL;
235 enum lsa_SidType *types = NULL;
236 char *full_name = NULL;
237 NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL;
238 char *mapped_name = NULL;
239
240 if (name == NULL || *name=='\0') {
241 full_name = talloc_asprintf(mem_ctx, "%s", domain_name);
242 } else if (domain_name == NULL || *domain_name == '\0') {
243 full_name = talloc_asprintf(mem_ctx, "%s", name);
244 } else {
245 full_name = talloc_asprintf(mem_ctx, "%s\\%s", domain_name, name);
246 }
247 if (!full_name) {
248 DEBUG(0, ("talloc_asprintf failed!\n"));
249 return NT_STATUS_NO_MEMORY;
250 }
251
252 DEBUG(3, ("msrpc_name_to_sid: name=%s\n", full_name));
253
254 name_map_status = normalize_name_unmap(mem_ctx, full_name,
255 &mapped_name);
256
257 /* Reset the full_name pointer if we mapped anything */
258
259 if (NT_STATUS_IS_OK(name_map_status) ||
260 NT_STATUS_EQUAL(name_map_status, NT_STATUS_FILE_RENAMED))
261 {
262 full_name = mapped_name;
263 }
264
265 DEBUG(3,("name_to_sid [rpc] %s for domain %s\n",
266 full_name?full_name:"", domain_name ));
267
268 result = winbindd_lookup_names(mem_ctx, domain, 1,
269 (const char **)&full_name, NULL,
270 &sids, &types);
271 if (!NT_STATUS_IS_OK(result))
272 return result;
273
274 /* Return rid and type if lookup successful */
275
276 sid_copy(sid, &sids[0]);
277 *type = types[0];
278
279 return NT_STATUS_OK;
280 }
281
282 /*
283 convert a domain SID to a user or group name
284 */
285 static NTSTATUS msrpc_sid_to_name(struct winbindd_domain *domain,
286 TALLOC_CTX *mem_ctx,
287 const struct dom_sid *sid,
288 char **domain_name,
289 char **name,
290 enum lsa_SidType *type)
291 {
292 char **domains;
293 char **names;
294 enum lsa_SidType *types = NULL;
295 NTSTATUS result;
296 NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL;
297 char *mapped_name = NULL;
298
299 DEBUG(3, ("msrpc_sid_to_name: %s for domain %s\n", sid_string_dbg(sid),
300 domain->name ));
301
302 result = winbindd_lookup_sids(mem_ctx,
303 domain,
304 1,
305 sid,
306 &domains,
307 &names,
308 &types);
309 if (!NT_STATUS_IS_OK(result)) {
310 DEBUG(2,("msrpc_sid_to_name: failed to lookup sids: %s\n",
311 nt_errstr(result)));
312 return result;
313 }
314
315
316 *type = (enum lsa_SidType)types[0];
317 *domain_name = domains[0];
318 *name = names[0];
319
320 DEBUG(5,("Mapped sid to [%s]\\[%s]\n", domains[0], *name));
321
322 name_map_status = normalize_name_map(mem_ctx, domain, *name,
323 &mapped_name);
324 if (NT_STATUS_IS_OK(name_map_status) ||
325 NT_STATUS_EQUAL(name_map_status, NT_STATUS_FILE_RENAMED))
326 {
327 *name = mapped_name;
328 DEBUG(5,("returning mapped name -- %s\n", *name));
329 }
330
331 return NT_STATUS_OK;
332 }
333
334 static NTSTATUS msrpc_rids_to_names(struct winbindd_domain *domain,
335 TALLOC_CTX *mem_ctx,
336 const struct dom_sid *sid,
337 uint32 *rids,
338 size_t num_rids,
339 char **domain_name,
340 char ***names,
341 enum lsa_SidType **types)
342 {
343 char **domains;
344 NTSTATUS result;
345 struct dom_sid *sids;
346 size_t i;
347 char **ret_names;
348
349 DEBUG(3, ("msrpc_rids_to_names: domain %s\n", domain->name ));
350
351 if (num_rids) {
352 sids = talloc_array(mem_ctx, struct dom_sid, num_rids);
353 if (sids == NULL) {
354 return NT_STATUS_NO_MEMORY;
355 }
356 } else {
357 sids = NULL;
358 }
359
360 for (i=0; i<num_rids; i++) {
361 if (!sid_compose(&sids[i], sid, rids[i])) {
362 return NT_STATUS_INTERNAL_ERROR;
363 }
364 }
365
366 result = winbindd_lookup_sids(mem_ctx,
367 domain,
368 num_rids,
369 sids,
370 &domains,
371 names,
372 types);
373
374 if (!NT_STATUS_IS_OK(result) &&
375 !NT_STATUS_EQUAL(result, STATUS_SOME_UNMAPPED)) {
376 return result;
377 }
378
379 ret_names = *names;
380 for (i=0; i<num_rids; i++) {
381 NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL;
382 char *mapped_name = NULL;
383
384 if ((*types)[i] != SID_NAME_UNKNOWN) {
385 name_map_status = normalize_name_map(mem_ctx,
386 domain,
387 ret_names[i],
388 &mapped_name);
389 if (NT_STATUS_IS_OK(name_map_status) ||
390 NT_STATUS_EQUAL(name_map_status, NT_STATUS_FILE_RENAMED))
391 {
392 ret_names[i] = mapped_name;
393 }
394
395 *domain_name = domains[i];
396 }
397 }
398
399 return result;
400 }
401
402 /* Lookup user information from a rid or username. */
403 static NTSTATUS msrpc_query_user(struct winbindd_domain *domain,
404 TALLOC_CTX *mem_ctx,
405 const struct dom_sid *user_sid,
406 struct wbint_userinfo *user_info)
407 {
408 struct rpc_pipe_client *samr_pipe;
409 struct policy_handle dom_pol;
410 struct netr_SamInfo3 *user;
411 TALLOC_CTX *tmp_ctx;
412 NTSTATUS status;
413
414 DEBUG(3,("msrpc_query_user sid=%s\n", sid_string_dbg(user_sid)));
415
416 tmp_ctx = talloc_stackframe();
417 if (tmp_ctx == NULL) {
418 return NT_STATUS_NO_MEMORY;
419 }
420
421 if (user_info) {
422 user_info->homedir = NULL;
423 user_info->shell = NULL;
424 user_info->primary_gid = (gid_t)-1;
425 }
426
427 /* try netsamlogon cache first */
428 user = netsamlogon_cache_get(tmp_ctx, user_sid);
429 if (user != NULL) {
430 DEBUG(5,("msrpc_query_user: Cache lookup succeeded for %s\n",
431 sid_string_dbg(user_sid)));
432
433 sid_compose(&user_info->user_sid, &domain->sid, user->base.rid);
434 sid_compose(&user_info->group_sid, &domain->sid,
435 user->base.primary_gid);
436
437 user_info->acct_name = talloc_strdup(user_info,
438 user->base.account_name.string);
439 user_info->full_name = talloc_strdup(user_info,
440 user->base.full_name.string);
441
442 if (user_info->full_name == NULL) {
443 /* this might fail so we dont check the return code */
444 wcache_query_user_fullname(domain,
445 mem_ctx,
446 user_sid,
447 &user_info->full_name);
448 }
449
450 status = NT_STATUS_OK;
451 goto done;
452 }
453
454 if ( !winbindd_can_contact_domain( domain ) ) {
455 DEBUG(10,("query_user: No incoming trust for domain %s\n",
456 domain->name));
457 /* Tell the cache manager not to remember this one */
458 status = NT_STATUS_SYNCHRONIZATION_REQUIRED;
459 goto done;
460 }
461
462 /* no cache; hit the wire */
463 status = cm_connect_sam(domain, tmp_ctx, false, &samr_pipe, &dom_pol);
464 if (!NT_STATUS_IS_OK(status)) {
465 goto done;
466 }
467
468 status = rpc_query_user(tmp_ctx,
469 samr_pipe,
470 &dom_pol,
471 &domain->sid,
472 user_sid,
473 user_info);
474
475 done:
476 TALLOC_FREE(tmp_ctx);
477 return status;
478 }
479
480 /* Lookup groups a user is a member of. I wish Unix had a call like this! */
481 static NTSTATUS msrpc_lookup_usergroups(struct winbindd_domain *domain,
482 TALLOC_CTX *mem_ctx,
483 const struct dom_sid *user_sid,
484 uint32_t *pnum_groups,
485 struct dom_sid **puser_grpsids)
486 {
487 struct rpc_pipe_client *samr_pipe;
488 struct policy_handle dom_pol;
489 struct dom_sid *user_grpsids = NULL;
490 uint32_t num_groups = 0;
491 TALLOC_CTX *tmp_ctx;
492 NTSTATUS status;
493
494 DEBUG(3,("msrpc_lookup_usergroups sid=%s\n", sid_string_dbg(user_sid)));
495
496 *pnum_groups = 0;
497
498 tmp_ctx = talloc_stackframe();
499 if (tmp_ctx == NULL) {
500 return NT_STATUS_NO_MEMORY;
501 }
502
503 /* Check if we have a cached user_info_3 */
504 status = lookup_usergroups_cached(domain,
505 tmp_ctx,
506 user_sid,
507 &num_groups,
508 &user_grpsids);
509 if (NT_STATUS_IS_OK(status)) {
510 goto cached;
511 }
512
513 if ( !winbindd_can_contact_domain( domain ) ) {
514 DEBUG(10,("lookup_usergroups: No incoming trust for domain %s\n",
515 domain->name));
516
517 /* Tell the cache manager not to remember this one */
518 status = NT_STATUS_SYNCHRONIZATION_REQUIRED;
519 goto done;
520 }
521
522 /* no cache; hit the wire */
523 status = cm_connect_sam(domain, tmp_ctx, false, &samr_pipe, &dom_pol);
524 if (!NT_STATUS_IS_OK(status)) {
525 goto done;
526 }
527
528 status = rpc_lookup_usergroups(tmp_ctx,
529 samr_pipe,
530 &dom_pol,
531 &domain->sid,
532 user_sid,
533 &num_groups,
534 &user_grpsids);
535 if (!NT_STATUS_IS_OK(status)) {
536 goto done;
537 }
538
539 cached:
540 *pnum_groups = num_groups;
541
542 if (puser_grpsids) {
543 *puser_grpsids = talloc_move(mem_ctx, &user_grpsids);
544 }
545
546 done:
547 TALLOC_FREE(tmp_ctx);
548 return status;
549 return NT_STATUS_OK;
550 }
551
552 #define MAX_SAM_ENTRIES_W2K 0x400 /* 1024 */
553
554 static NTSTATUS msrpc_lookup_useraliases(struct winbindd_domain *domain,
555 TALLOC_CTX *mem_ctx,
556 uint32 num_sids, const struct dom_sid *sids,
557 uint32 *pnum_aliases,
558 uint32 **palias_rids)
559 {
560 struct rpc_pipe_client *samr_pipe;
561 struct policy_handle dom_pol;
562 uint32_t num_aliases = 0;
563 uint32_t *alias_rids = NULL;
564 TALLOC_CTX *tmp_ctx;
565 NTSTATUS status;
566
567 DEBUG(3,("msrpc_lookup_useraliases\n"));
568
569 if (pnum_aliases) {
570 *pnum_aliases = 0;
571 }
572
573 tmp_ctx = talloc_stackframe();
574 if (tmp_ctx == NULL) {
575 return NT_STATUS_NO_MEMORY;
576 }
577
578 if (!winbindd_can_contact_domain(domain)) {
579 DEBUG(10,("msrpc_lookup_useraliases: No incoming trust for domain %s\n",
580 domain->name));
581 /* Tell the cache manager not to remember this one */
582 status = NT_STATUS_SYNCHRONIZATION_REQUIRED;
583 goto done;
584 }
585
586 status = cm_connect_sam(domain, tmp_ctx, false, &samr_pipe, &dom_pol);
587 if (!NT_STATUS_IS_OK(status)) {
588 goto done;
589 }
590
591 status = rpc_lookup_useraliases(tmp_ctx,
592 samr_pipe,
593 &dom_pol,
594 num_sids,
595 sids,
596 &num_aliases,
597 &alias_rids);
598 if (!NT_STATUS_IS_OK(status)) {
599 goto done;
600 }
601
602 if (pnum_aliases) {
603 *pnum_aliases = num_aliases;
604 }
605
606 if (palias_rids) {
607 *palias_rids = talloc_move(mem_ctx, &alias_rids);
608 }
609
610 done:
611 TALLOC_FREE(tmp_ctx);
612 return status;
613 }
614
615
616 /* Lookup group membership given a rid. */
617 static NTSTATUS msrpc_lookup_groupmem(struct winbindd_domain *domain,
618 TALLOC_CTX *mem_ctx,
619 const struct dom_sid *group_sid,
620 enum lsa_SidType type,
621 uint32_t *num_names,
622 struct dom_sid **sid_mem,
623 char ***names,
624 uint32_t **name_types)
625 {
626 NTSTATUS status, result;
627 uint32 i, total_names = 0;
628 struct policy_handle dom_pol, group_pol;
629 uint32 des_access = SEC_FLAG_MAXIMUM_ALLOWED;
630 uint32 *rid_mem = NULL;
631 uint32 group_rid;
632 unsigned int j, r;
633 struct rpc_pipe_client *cli;
634 unsigned int orig_timeout;
635 struct samr_RidAttrArray *rids = NULL;
636 struct dcerpc_binding_handle *b;
637
638 DEBUG(3,("msrpc_lookup_groupmem: %s sid=%s\n", domain->name,
639 sid_string_dbg(group_sid)));
640
641 if ( !winbindd_can_contact_domain( domain ) ) {
642 DEBUG(10,("lookup_groupmem: No incoming trust for domain %s\n",
643 domain->name));
644 return NT_STATUS_OK;
645 }
646
647 if (!sid_peek_check_rid(&domain->sid, group_sid, &group_rid))
648 return NT_STATUS_UNSUCCESSFUL;
649
650 *num_names = 0;
651
652 result = cm_connect_sam(domain, mem_ctx, false, &cli, &dom_pol);
653 if (!NT_STATUS_IS_OK(result))
654 return result;
655
656 b = cli->binding_handle;
657
658 status = dcerpc_samr_OpenGroup(b, mem_ctx,
659 &dom_pol,
660 des_access,
661 group_rid,
662 &group_pol,
663 &result);
664 if (!NT_STATUS_IS_OK(status)) {
665 return status;
666 }
667 if (!NT_STATUS_IS_OK(result)) {
668 return result;
669 }
670
671 /* Step #1: Get a list of user rids that are the members of the
672 group. */
673
674 /* This call can take a long time - allow the server to time out.
675 35 seconds should do it. */
676
677 orig_timeout = rpccli_set_timeout(cli, 35000);
678
679 status = dcerpc_samr_QueryGroupMember(b, mem_ctx,
680 &group_pol,
681 &rids,
682 &result);
683
684 /* And restore our original timeout. */
685 rpccli_set_timeout(cli, orig_timeout);
686
687 {
688 NTSTATUS _result;
689 dcerpc_samr_Close(b, mem_ctx, &group_pol, &_result);
690 }
691
692 if (!NT_STATUS_IS_OK(status)) {
693 return status;
694 }
695
696 if (!NT_STATUS_IS_OK(result)) {
697 return result;
698 }
699
700 if (!rids || !rids->count) {
701 names = NULL;
702 name_types = NULL;
703 sid_mem = NULL;
704 return NT_STATUS_OK;
705 }
706
707 *num_names = rids->count;
708 rid_mem = rids->rids;
709
710 /* Step #2: Convert list of rids into list of usernames. Do this
711 in bunches of ~1000 to avoid crashing NT4. It looks like there
712 is a buffer overflow or something like that lurking around
713 somewhere. */
714
715 #define MAX_LOOKUP_RIDS 900
716
717 *names = talloc_zero_array(mem_ctx, char *, *num_names);
718 *name_types = talloc_zero_array(mem_ctx, uint32, *num_names);
719 *sid_mem = talloc_zero_array(mem_ctx, struct dom_sid, *num_names);
720
721 for (j=0;j<(*num_names);j++)
722 sid_compose(&(*sid_mem)[j], &domain->sid, rid_mem[j]);
723
724 if (*num_names>0 && (!*names || !*name_types))
725 return NT_STATUS_NO_MEMORY;
726
727 for (i = 0; i < *num_names; i += MAX_LOOKUP_RIDS) {
728 int num_lookup_rids = MIN(*num_names - i, MAX_LOOKUP_RIDS);
729 struct lsa_Strings tmp_names;
730 struct samr_Ids tmp_types;
731
732 /* Lookup a chunk of rids */
733
734 status = dcerpc_samr_LookupRids(b, mem_ctx,
735 &dom_pol,
736 num_lookup_rids,
737 &rid_mem[i],
738 &tmp_names,
739 &tmp_types,
740 &result);
741 if (!NT_STATUS_IS_OK(status)) {
742 return status;
743 }
744
745 /* see if we have a real error (and yes the
746 STATUS_SOME_UNMAPPED is the one returned from 2k) */
747
748 if (!NT_STATUS_IS_OK(result) &&
749 !NT_STATUS_EQUAL(result, STATUS_SOME_UNMAPPED))
750 return result;
751
752 /* Copy result into array. The talloc system will take
753 care of freeing the temporary arrays later on. */
754
755 if (tmp_names.count != num_lookup_rids) {
756 return NT_STATUS_INVALID_NETWORK_RESPONSE;
757 }
758 if (tmp_types.count != num_lookup_rids) {
759 return NT_STATUS_INVALID_NETWORK_RESPONSE;
760 }
761
762 for (r=0; r<tmp_names.count; r++) {
763 if (tmp_types.ids[r] == SID_NAME_UNKNOWN) {
764 continue;
765 }
766 if (total_names >= *num_names) {
767 break;
768 }
769 (*names)[total_names] = fill_domain_username_talloc(
770 mem_ctx, domain->name,
771 tmp_names.names[r].string, true);
772 (*name_types)[total_names] = tmp_types.ids[r];
773 total_names += 1;
774 }
775 }
776
777 *num_names = total_names;
778
779 return NT_STATUS_OK;
780 }
781
782 #ifdef HAVE_LDAP
783
784 #include "ads.h"
785
786 static int get_ldap_seq(const char *server, struct sockaddr_storage *ss, int port, uint32 *seq)
787 {
788 int ret = -1;
789 struct timeval to;
790 const char *attrs[] = {"highestCommittedUSN", NULL};
791 LDAPMessage *res = NULL;
792 char **values = NULL;
793 LDAP *ldp = NULL;
794
795 *seq = DOM_SEQUENCE_NONE;
796
797 /*
798 * Parameterised (5) second timeout on open. This is needed as the
799 * search timeout doesn't seem to apply to doing an open as well. JRA.
800 */
801
802 ldp = ldap_open_with_timeout(server, ss, port, lp_ldap_timeout());
803 if (ldp == NULL)
804 return -1;
805
806 /* Timeout if no response within 20 seconds. */
807 to.tv_sec = 10;
808 to.tv_usec = 0;
809
810 if (ldap_search_st(ldp, "", LDAP_SCOPE_BASE, "(objectclass=*)",
811 discard_const_p(char *, attrs), 0, &to, &res))
812 goto done;
813
814 if (ldap_count_entries(ldp, res) != 1)
815 goto done;
816
817 values = ldap_get_values(ldp, res, "highestCommittedUSN");
818 if (!values || !values[0])
819 goto done;
820
821 *seq = atoi(values[0]);
822 ret = 0;
823
824 done:
825
826 if (values)
827 ldap_value_free(values);
828 if (res)
829 ldap_msgfree(res);
830 if (ldp)
831 ldap_unbind(ldp);
832 return ret;
833 }
834
835 /**********************************************************************
836 Get the sequence number for a Windows AD native mode domain using
837 LDAP queries.
838 **********************************************************************/
839
840 static int get_ldap_sequence_number(struct winbindd_domain *domain, uint32 *seq)
841 {
842 int ret = -1;
843 char addr[INET6_ADDRSTRLEN];
844
845 print_sockaddr(addr, sizeof(addr), &domain->dcaddr);
846 if ((ret = get_ldap_seq(addr, &domain->dcaddr, LDAP_PORT, seq)) == 0) {
847 DEBUG(3, ("get_ldap_sequence_number: Retrieved sequence "
848 "number for Domain (%s) from DC (%s)\n",
849 domain->name, addr));
850 }
851 return ret;
852 }
853
854 #endif /* HAVE_LDAP */
855
856 /* find the sequence number for a domain */
857 static NTSTATUS msrpc_sequence_number(struct winbindd_domain *domain,
858 uint32_t *pseq)
859 {
860 struct rpc_pipe_client *samr_pipe;
861 struct policy_handle dom_pol;
862 uint32_t seq;
863 TALLOC_CTX *tmp_ctx;
864 NTSTATUS status;
865
866 DEBUG(3, ("msrpc_sequence_number: fetch sequence_number for %s\n", domain->name));
867
868 if (pseq) {
869 *pseq = DOM_SEQUENCE_NONE;
870 }
871
872 tmp_ctx = talloc_stackframe();
873 if (tmp_ctx == NULL) {
874 return NT_STATUS_NO_MEMORY;
875 }
876
877 if ( !winbindd_can_contact_domain( domain ) ) {
878 DEBUG(10,("sequence_number: No incoming trust for domain %s\n",
879 domain->name));
880 if (pseq) {
881 *pseq = time(NULL);
882 }
883 status = NT_STATUS_OK;
884 goto done;
885 }
886
887 #ifdef HAVE_LDAP
888 if (domain->active_directory) {
889 int rc;
890
891 DEBUG(8,("using get_ldap_seq() to retrieve the "
892 "sequence number\n"));
893
894 rc = get_ldap_sequence_number(domain, &seq);
895 if (rc == 0) {
896 DEBUG(10,("domain_sequence_number: LDAP for "
897 "domain %s is %u\n",
898 domain->name, seq));
899
900 if (pseq) {
901 *pseq = seq;
902 }
903
904 status = NT_STATUS_OK;
905 goto done;
906 }
907
908 DEBUG(10,("domain_sequence_number: failed to get LDAP "
909 "sequence number for domain %s\n",
910 domain->name ));
911 }
912 #endif /* HAVE_LDAP */
913
914 status = cm_connect_sam(domain, tmp_ctx, false, &samr_pipe, &dom_pol);
915 if (!NT_STATUS_IS_OK(status)) {
916 goto done;
917 }
918
919 status = rpc_sequence_number(tmp_ctx,
920 samr_pipe,
921 &dom_pol,
922 domain->name,
923 &seq);
924 if (!NT_STATUS_IS_OK(status)) {
925 goto done;
926 }
927
928 if (pseq) {
929 *pseq = seq;
930 }
931
932 done:
933 TALLOC_FREE(tmp_ctx);
934 return status;
935 }
936
937 /* get a list of trusted domains */
938 static NTSTATUS msrpc_trusted_domains(struct winbindd_domain *domain,
939 TALLOC_CTX *mem_ctx,
940 struct netr_DomainTrustList *ptrust_list)
941 {
942 struct rpc_pipe_client *lsa_pipe;
943 struct policy_handle lsa_policy;
944 struct netr_DomainTrust *trusts = NULL;
945 uint32_t num_trusts = 0;
946 TALLOC_CTX *tmp_ctx;
947 NTSTATUS status;
948
949 DEBUG(3,("msrpc_trusted_domains\n"));
950
951 if (ptrust_list) {
952 ZERO_STRUCTP(ptrust_list);
953 }
954
955 tmp_ctx = talloc_stackframe();
956 if (tmp_ctx == NULL) {
957 return NT_STATUS_NO_MEMORY;
958 }
959
960 status = cm_connect_lsa(domain, tmp_ctx, &lsa_pipe, &lsa_policy);
961 if (!NT_STATUS_IS_OK(status)) {
962 goto done;
963 }
964
965 status = rpc_trusted_domains(tmp_ctx,
966 lsa_pipe,
967 &lsa_policy,
968 &num_trusts,
969 &trusts);
970 if (!NT_STATUS_IS_OK(status)) {
971 goto done;
972 }
973
974 if (ptrust_list) {
975 ptrust_list->count = num_trusts;
976 ptrust_list->array = talloc_move(mem_ctx, &trusts);
977 }
978
979 done:
980 TALLOC_FREE(tmp_ctx);
981 return status;
982 }
983
984 /* find the lockout policy for a domain */
985 static NTSTATUS msrpc_lockout_policy(struct winbindd_domain *domain,
986 TALLOC_CTX *mem_ctx,
987 struct samr_DomInfo12 *lockout_policy)
988 {
989 NTSTATUS status, result;
990 struct rpc_pipe_client *cli;
991 struct policy_handle dom_pol;
992 union samr_DomainInfo *info = NULL;
993 struct dcerpc_binding_handle *b;
994
995 DEBUG(3, ("msrpc_lockout_policy: fetch lockout policy for %s\n", domain->name));
996
997 if ( !winbindd_can_contact_domain( domain ) ) {
998 DEBUG(10,("msrpc_lockout_policy: No incoming trust for domain %s\n",
999 domain->name));
1000 return NT_STATUS_NOT_SUPPORTED;
1001 }
1002
1003 status = cm_connect_sam(domain, mem_ctx, false, &cli, &dom_pol);
1004 if (!NT_STATUS_IS_OK(status)) {
1005 goto done;
1006 }
1007
1008 b = cli->binding_handle;
1009
1010 status = dcerpc_samr_QueryDomainInfo(b, mem_ctx,
1011 &dom_pol,
1012 DomainLockoutInformation,
1013 &info,
1014 &result);
1015 if (!NT_STATUS_IS_OK(status)) {
1016 goto done;
1017 }
1018 if (!NT_STATUS_IS_OK(result)) {
1019 status = result;
1020 goto done;
1021 }
1022
1023 *lockout_policy = info->info12;
1024
1025 DEBUG(10,("msrpc_lockout_policy: lockout_threshold %d\n",
1026 info->info12.lockout_threshold));
1027
1028 done:
1029
1030 return status;
1031 }
1032
1033 /* find the password policy for a domain */
1034 static NTSTATUS msrpc_password_policy(struct winbindd_domain *domain,
1035 TALLOC_CTX *mem_ctx,
1036 struct samr_DomInfo1 *password_policy)
1037 {
1038 NTSTATUS status, result;
1039 struct rpc_pipe_client *cli;
1040 struct policy_handle dom_pol;
1041 union samr_DomainInfo *info = NULL;
1042 struct dcerpc_binding_handle *b;
1043
1044 DEBUG(3, ("msrpc_password_policy: fetch password policy for %s\n",
1045 domain->name));
1046
1047 if ( !winbindd_can_contact_domain( domain ) ) {
1048 DEBUG(10,("msrpc_password_policy: No incoming trust for domain %s\n",
1049 domain->name));
1050 return NT_STATUS_NOT_SUPPORTED;
1051 }
1052
1053 status = cm_connect_sam(domain, mem_ctx, false, &cli, &dom_pol);
1054 if (!NT_STATUS_IS_OK(status)) {
1055 goto done;
1056 }
1057
1058 b = cli->binding_handle;
1059
1060 status = dcerpc_samr_QueryDomainInfo(b, mem_ctx,
1061 &dom_pol,
1062 DomainPasswordInformation,
1063 &info,
1064 &result);
1065 if (!NT_STATUS_IS_OK(status)) {
1066 goto done;
1067 }
1068 if (!NT_STATUS_IS_OK(result)) {
1069 goto done;
1070 }
1071
1072 *password_policy = info->info1;
1073
1074 DEBUG(10,("msrpc_password_policy: min_length_password %d\n",
1075 info->info1.min_password_length));
1076
1077 done:
1078
1079 return status;
1080 }
1081
1082 NTSTATUS winbindd_lookup_sids(TALLOC_CTX *mem_ctx,
1083 struct winbindd_domain *domain,
1084 uint32_t num_sids,
1085 const struct dom_sid *sids,
1086 char ***domains,
1087 char ***names,
1088 enum lsa_SidType **types)
1089 {
1090 NTSTATUS status;
1091 NTSTATUS result;
1092 struct rpc_pipe_client *cli = NULL;
1093 struct dcerpc_binding_handle *b = NULL;
1094 struct policy_handle lsa_policy;
1095 unsigned int orig_timeout;
1096 bool use_lookupsids3 = false;
1097 bool retried = false;
1098
1099 connect:
1100 status = cm_connect_lsat(domain, mem_ctx, &cli, &lsa_policy);
1101 if (!NT_STATUS_IS_OK(status)) {
1102 return status;
1103 }
1104
1105 b = cli->binding_handle;
1106
1107 if (cli->transport->transport == NCACN_IP_TCP) {
1108 use_lookupsids3 = true;
1109 }
1110
1111 /*
1112 * This call can take a long time
1113 * allow the server to time out.
1114 * 35 seconds should do it.
1115 */
1116 orig_timeout = dcerpc_binding_handle_set_timeout(b, 35000);
1117
1118 status = dcerpc_lsa_lookup_sids_generic(b,
1119 mem_ctx,
1120 &lsa_policy,
1121 num_sids,
1122 sids,
1123 domains,
1124 names,
1125 types,
1126 use_lookupsids3,
1127 &result);
1128
1129 /* And restore our original timeout. */
1130 dcerpc_binding_handle_set_timeout(b, orig_timeout);
1131
1132 if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) ||
1133 NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR) ||
1134 NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED)) {
1135 /*
1136 * This can happen if the schannel key is not
1137 * valid anymore, we need to invalidate the
1138 * all connections to the dc and reestablish
1139 * a netlogon connection first.
1140 */
1141 invalidate_cm_connection(domain);
1142 domain->can_do_ncacn_ip_tcp = domain->active_directory;
1143 if (!retried) {
1144 retried = true;
1145 goto connect;
1146 }
1147 status = NT_STATUS_ACCESS_DENIED;
1148 }
1149
1150 if (!NT_STATUS_IS_OK(status)) {
1151 return status;
1152 }
1153
1154 if (!NT_STATUS_IS_OK(result)) {
1155 return result;
1156 }
1157
1158 return NT_STATUS_OK;
1159 }
1160
1161 static NTSTATUS winbindd_lookup_names(TALLOC_CTX *mem_ctx,
1162 struct winbindd_domain *domain,
1163 uint32_t num_names,
1164 const char **names,
1165 const char ***domains,
1166 struct dom_sid **sids,
1167 enum lsa_SidType **types)
1168 {
1169 NTSTATUS status;
1170 NTSTATUS result;
1171 struct rpc_pipe_client *cli = NULL;
1172 struct dcerpc_binding_handle *b = NULL;
1173 struct policy_handle lsa_policy;
1174 unsigned int orig_timeout = 0;
1175 bool use_lookupnames4 = false;
1176 bool retried = false;
1177
1178 connect:
1179 status = cm_connect_lsat(domain, mem_ctx, &cli, &lsa_policy);
1180 if (!NT_STATUS_IS_OK(status)) {
1181 return status;
1182 }
1183
1184 b = cli->binding_handle;
1185
1186 if (cli->transport->transport == NCACN_IP_TCP) {
1187 use_lookupnames4 = true;
1188 }
1189
1190 /*
1191 * This call can take a long time
1192 * allow the server to time out.
1193 * 35 seconds should do it.
1194 */
1195 orig_timeout = dcerpc_binding_handle_set_timeout(b, 35000);
1196
1197 status = dcerpc_lsa_lookup_names_generic(b,
1198 mem_ctx,
1199 &lsa_policy,
1200 num_names,
1201 (const char **) names,
1202 domains,
1203 1,
1204 sids,
1205 types,
1206 use_lookupnames4,
1207 &result);
1208
1209 /* And restore our original timeout. */
1210 dcerpc_binding_handle_set_timeout(b, orig_timeout);
1211
1212 if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) ||
1213 NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR) ||
1214 NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED)) {
1215 /*
1216 * This can happen if the schannel key is not
1217 * valid anymore, we need to invalidate the
1218 * all connections to the dc and reestablish
1219 * a netlogon connection first.
1220 */
1221 invalidate_cm_connection(domain);
1222 if (!retried) {
1223 retried = true;
1224 goto connect;
1225 }
1226 status = NT_STATUS_ACCESS_DENIED;
1227 }
1228
1229 if (!NT_STATUS_IS_OK(status)) {
1230 return status;
1231 }
1232
1233 if (!NT_STATUS_IS_OK(result)) {
1234 return result;
1235 }
1236
1237 return NT_STATUS_OK;
1238 }
1239
1240 /* the rpc backend methods are exposed via this structure */
1241 struct winbindd_methods msrpc_methods = {
1242 False,
1243 msrpc_query_user_list,
1244 msrpc_enum_dom_groups,
1245 msrpc_enum_local_groups,
1246 msrpc_name_to_sid,
1247 msrpc_sid_to_name,
1248 msrpc_rids_to_names,
1249 msrpc_query_user,
1250 msrpc_lookup_usergroups,
1251 msrpc_lookup_useraliases,
1252 msrpc_lookup_groupmem,
1253 msrpc_sequence_number,
1254 msrpc_lockout_policy,
1255 msrpc_password_policy,
1256 msrpc_trusted_domains,
1257 };
Samba GIT mirror