2 Unix SMB/CIFS implementation.
4 Winbind ADS backend functions
6 Copyright (C) Andrew Tridgell 2001
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003
8 Copyright (C) Gerald (Jerry) Carter 2004
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
30 #define DBGC_CLASS DBGC_WINBIND
32 extern struct winbindd_methods reconnect_methods
;
35 return our ads connections structure for a domain. We keep the connection
36 open to make things faster
38 static ADS_STRUCT
*ads_cached_connection(struct winbindd_domain
*domain
)
43 struct sockaddr_storage dc_ss
;
45 DEBUG(10,("ads_cached_connection\n"));
47 if (domain
->private_data
) {
50 time_t now
= time(NULL
);
52 /* check for a valid structure */
53 ads
= (ADS_STRUCT
*)domain
->private_data
;
55 expire
= MIN(ads
->auth
.tgt_expire
, ads
->auth
.tgs_expire
);
57 DEBUG(7, ("Current tickets expire in %d seconds (at %d, time is now %d)\n",
58 (uint32
)expire
-(uint32
)now
, (uint32
) expire
, (uint32
) now
));
60 if ( ads
->config
.realm
&& (expire
> now
)) {
63 /* we own this ADS_STRUCT so make sure it goes away */
64 DEBUG(7,("Deleting expired krb5 credential cache\n"));
67 ads_kdestroy("MEMORY:winbind_ccache");
68 domain
->private_data
= NULL
;
72 /* we don't want this to affect the users ccache */
73 setenv("KRB5CCNAME", "MEMORY:winbind_ccache", 1);
75 ads
= ads_init(domain
->alt_name
, domain
->name
, NULL
);
77 DEBUG(1,("ads_init for domain %s failed\n", domain
->name
));
81 /* the machine acct password might have change - fetch it every time */
83 SAFE_FREE(ads
->auth
.password
);
84 SAFE_FREE(ads
->auth
.realm
);
90 if ( !pdb_get_trusteddom_pw( domain
->name
, &ads
->auth
.password
, &sid
, &last_set_time
) ) {
94 ads
->auth
.realm
= SMB_STRDUP( ads
->server
.realm
);
95 strupper_m( ads
->auth
.realm
);
98 struct winbindd_domain
*our_domain
= domain
;
100 ads
->auth
.password
= secrets_fetch_machine_password(lp_workgroup(), NULL
, NULL
);
102 /* always give preference to the alt_name in our
103 primary domain if possible */
105 if ( !domain
->primary
)
106 our_domain
= find_our_domain();
108 if ( our_domain
->alt_name
[0] != '\0' ) {
109 ads
->auth
.realm
= SMB_STRDUP( our_domain
->alt_name
);
110 strupper_m( ads
->auth
.realm
);
113 ads
->auth
.realm
= SMB_STRDUP( lp_realm() );
116 ads
->auth
.renewable
= WINBINDD_PAM_AUTH_KRB5_RENEW_TIME
;
118 /* Setup the server affinity cache. We don't reaally care
119 about the name. Just setup affinity and the KRB5_CONFIG
122 get_dc_name( ads
->server
.workgroup
, ads
->server
.realm
, dc_name
, &dc_ss
);
124 status
= ads_connect(ads
);
125 if (!ADS_ERR_OK(status
) || !ads
->config
.realm
) {
126 DEBUG(1,("ads_connect for domain %s failed: %s\n",
127 domain
->name
, ads_errstr(status
)));
130 /* if we get ECONNREFUSED then it might be a NT4
131 server, fall back to MSRPC */
132 if (status
.error_type
== ENUM_ADS_ERROR_SYSTEM
&&
133 status
.err
.rc
== ECONNREFUSED
) {
134 /* 'reconnect_methods' is the MS-RPC backend. */
135 DEBUG(1,("Trying MSRPC methods\n"));
136 domain
->backend
= &reconnect_methods
;
141 /* set the flag that says we don't own the memory even
142 though we do so that ads_destroy() won't destroy the
143 structure we pass back by reference */
145 ads
->is_mine
= False
;
147 domain
->private_data
= (void *)ads
;
152 /* Query display info for a realm. This is the basic user list fn */
153 static NTSTATUS
query_user_list(struct winbindd_domain
*domain
,
156 struct wbint_userinfo
**info
)
158 ADS_STRUCT
*ads
= NULL
;
159 const char *attrs
[] = { "*", NULL
};
162 LDAPMessage
*res
= NULL
;
163 LDAPMessage
*msg
= NULL
;
164 NTSTATUS status
= NT_STATUS_UNSUCCESSFUL
;
168 DEBUG(3,("ads: query_user_list\n"));
170 if ( !winbindd_can_contact_domain( domain
) ) {
171 DEBUG(10,("query_user_list: No incoming trust for domain %s\n",
176 ads
= ads_cached_connection(domain
);
179 domain
->last_status
= NT_STATUS_SERVER_DISABLED
;
183 rc
= ads_search_retry(ads
, &res
, "(objectCategory=user)", attrs
);
184 if (!ADS_ERR_OK(rc
) || !res
) {
185 DEBUG(1,("query_user_list ads_search: %s\n", ads_errstr(rc
)));
189 count
= ads_count_replies(ads
, res
);
191 DEBUG(1,("query_user_list: No users found\n"));
195 (*info
) = TALLOC_ZERO_ARRAY(mem_ctx
, struct wbint_userinfo
, count
);
197 status
= NT_STATUS_NO_MEMORY
;
203 for (msg
= ads_first_entry(ads
, res
); msg
; msg
= ads_next_entry(ads
, msg
)) {
205 const char *gecos
= NULL
;
206 const char *homedir
= NULL
;
207 const char *shell
= NULL
;
211 gid_t primary_gid
= (gid_t
)-1;
213 if (!ads_pull_uint32(ads
, msg
, "sAMAccountType", &atype
) ||
214 ds_atype_map(atype
) != SID_NAME_USER
) {
215 DEBUG(1,("Not a user account? atype=0x%x\n", atype
));
219 name
= ads_pull_username(ads
, mem_ctx
, msg
);
221 if ( ads_pull_sid( ads
, msg
, "objectSid", &user_sid
) ) {
222 status
= nss_get_info_cached( domain
, &user_sid
, mem_ctx
,
223 ads
, msg
, &homedir
, &shell
, &gecos
,
228 gecos
= ads_pull_string(ads
, mem_ctx
, msg
, "name");
231 if (!ads_pull_sid(ads
, msg
, "objectSid",
232 &(*info
)[i
].user_sid
)) {
233 DEBUG(1,("No sid for %s !?\n", name
));
236 if (!ads_pull_uint32(ads
, msg
, "primaryGroupID", &group
)) {
237 DEBUG(1,("No primary group for %s !?\n", name
));
241 (*info
)[i
].acct_name
= name
;
242 (*info
)[i
].full_name
= gecos
;
243 (*info
)[i
].homedir
= homedir
;
244 (*info
)[i
].shell
= shell
;
245 (*info
)[i
].primary_gid
= primary_gid
;
246 sid_compose(&(*info
)[i
].group_sid
, &domain
->sid
, group
);
251 status
= NT_STATUS_OK
;
253 DEBUG(3,("ads query_user_list gave %d entries\n", (*num_entries
)));
257 ads_msgfree(ads
, res
);
262 /* list all domain groups */
263 static NTSTATUS
enum_dom_groups(struct winbindd_domain
*domain
,
266 struct acct_info
**info
)
268 ADS_STRUCT
*ads
= NULL
;
269 const char *attrs
[] = {"userPrincipalName", "sAMAccountName",
270 "name", "objectSid", NULL
};
273 LDAPMessage
*res
= NULL
;
274 LDAPMessage
*msg
= NULL
;
275 NTSTATUS status
= NT_STATUS_UNSUCCESSFUL
;
277 bool enum_dom_local_groups
= False
;
281 DEBUG(3,("ads: enum_dom_groups\n"));
283 if ( !winbindd_can_contact_domain( domain
) ) {
284 DEBUG(10,("enum_dom_groups: No incoming trust for domain %s\n",
289 /* only grab domain local groups for our domain */
290 if ( domain
->active_directory
&& strequal(lp_realm(), domain
->alt_name
) ) {
291 enum_dom_local_groups
= True
;
294 /* Workaround ADS LDAP bug present in MS W2K3 SP0 and W2K SP4 w/o
297 * According to Section 5.1(4) of RFC 2251 if a value of a type is it's
298 * default value, it MUST be absent. In case of extensible matching the
299 * "dnattr" boolean defaults to FALSE and so it must be only be present
302 * When it is set to FALSE and the OpenLDAP lib (correctly) encodes a
303 * filter using bitwise matching rule then the buggy AD fails to decode
304 * the extensible match. As a workaround set it to TRUE and thereby add
305 * the dnAttributes "dn" field to cope with those older AD versions.
306 * It should not harm and won't put any additional load on the AD since
307 * none of the dn components have a bitmask-attribute.
309 * Thanks to Ralf Haferkamp for input and testing - Guenther */
311 filter
= talloc_asprintf(mem_ctx
, "(&(objectCategory=group)(&(groupType:dn:%s:=%d)(!(groupType:dn:%s:=%d))))",
312 ADS_LDAP_MATCHING_RULE_BIT_AND
, GROUP_TYPE_SECURITY_ENABLED
,
313 ADS_LDAP_MATCHING_RULE_BIT_AND
,
314 enum_dom_local_groups
? GROUP_TYPE_BUILTIN_LOCAL_GROUP
: GROUP_TYPE_RESOURCE_GROUP
);
316 if (filter
== NULL
) {
317 status
= NT_STATUS_NO_MEMORY
;
321 ads
= ads_cached_connection(domain
);
324 domain
->last_status
= NT_STATUS_SERVER_DISABLED
;
328 rc
= ads_search_retry(ads
, &res
, filter
, attrs
);
329 if (!ADS_ERR_OK(rc
) || !res
) {
330 DEBUG(1,("enum_dom_groups ads_search: %s\n", ads_errstr(rc
)));
334 count
= ads_count_replies(ads
, res
);
336 DEBUG(1,("enum_dom_groups: No groups found\n"));
340 (*info
) = TALLOC_ZERO_ARRAY(mem_ctx
, struct acct_info
, count
);
342 status
= NT_STATUS_NO_MEMORY
;
348 for (msg
= ads_first_entry(ads
, res
); msg
; msg
= ads_next_entry(ads
, msg
)) {
353 name
= ads_pull_username(ads
, mem_ctx
, msg
);
354 gecos
= ads_pull_string(ads
, mem_ctx
, msg
, "name");
355 if (!ads_pull_sid(ads
, msg
, "objectSid", &sid
)) {
356 DEBUG(1,("No sid for %s !?\n", name
));
360 if (!sid_peek_check_rid(&domain
->sid
, &sid
, &rid
)) {
361 DEBUG(1,("No rid for %s !?\n", name
));
365 fstrcpy((*info
)[i
].acct_name
, name
);
366 fstrcpy((*info
)[i
].acct_desc
, gecos
);
367 (*info
)[i
].rid
= rid
;
373 status
= NT_STATUS_OK
;
375 DEBUG(3,("ads enum_dom_groups gave %d entries\n", (*num_entries
)));
379 ads_msgfree(ads
, res
);
384 /* list all domain local groups */
385 static NTSTATUS
enum_local_groups(struct winbindd_domain
*domain
,
388 struct acct_info
**info
)
391 * This is a stub function only as we returned the domain
392 * local groups in enum_dom_groups() if the domain->native field
393 * was true. This is a simple performance optimization when
396 * if we ever need to enumerate domain local groups separately,
397 * then this optimization in enum_dom_groups() will need
405 /* convert a single name to a sid in a domain - use rpc methods */
406 static NTSTATUS
name_to_sid(struct winbindd_domain
*domain
,
408 const char *domain_name
,
412 enum lsa_SidType
*type
)
414 return reconnect_methods
.name_to_sid(domain
, mem_ctx
,
415 domain_name
, name
, flags
,
419 /* convert a domain SID to a user or group name - use rpc methods */
420 static NTSTATUS
sid_to_name(struct winbindd_domain
*domain
,
425 enum lsa_SidType
*type
)
427 return reconnect_methods
.sid_to_name(domain
, mem_ctx
, sid
,
428 domain_name
, name
, type
);
431 /* convert a list of rids to names - use rpc methods */
432 static NTSTATUS
rids_to_names(struct winbindd_domain
*domain
,
439 enum lsa_SidType
**types
)
441 return reconnect_methods
.rids_to_names(domain
, mem_ctx
, sid
,
443 domain_name
, names
, types
);
446 /* If you are looking for "dn_lookup": Yes, it used to be here!
447 * It has gone now since it was a major speed bottleneck in
448 * lookup_groupmem (its only use). It has been replaced by
449 * an rpc lookup sids call... R.I.P. */
451 /* Lookup user information from a rid */
452 static NTSTATUS
query_user(struct winbindd_domain
*domain
,
455 struct wbint_userinfo
*info
)
457 ADS_STRUCT
*ads
= NULL
;
458 const char *attrs
[] = { "*", NULL
};
461 LDAPMessage
*msg
= NULL
;
465 NTSTATUS status
= NT_STATUS_UNSUCCESSFUL
;
466 struct netr_SamInfo3
*user
= NULL
;
469 DEBUG(3,("ads: query_user\n"));
471 info
->homedir
= NULL
;
473 info
->primary_gid
= (gid_t
)-1;
475 /* try netsamlogon cache first */
477 if ( (user
= netsamlogon_cache_get( mem_ctx
, sid
)) != NULL
)
479 DEBUG(5,("query_user: Cache lookup succeeded for %s\n",
480 sid_string_dbg(sid
)));
482 sid_compose(&info
->user_sid
, &domain
->sid
, user
->base
.rid
);
483 sid_compose(&info
->group_sid
, &domain
->sid
, user
->base
.primary_gid
);
485 info
->acct_name
= talloc_strdup(mem_ctx
, user
->base
.account_name
.string
);
486 info
->full_name
= talloc_strdup(mem_ctx
, user
->base
.full_name
.string
);
488 nss_get_info_cached( domain
, sid
, mem_ctx
, NULL
, NULL
,
489 &info
->homedir
, &info
->shell
, &info
->full_name
,
491 info
->primary_gid
= gid
;
498 if ( !winbindd_can_contact_domain(domain
)) {
499 DEBUG(8,("query_user: No incoming trust from domain %s\n",
502 /* We still need to generate some basic information
503 about the user even if we cannot contact the
504 domain. Most of this stuff we can deduce. */
506 sid_copy( &info
->user_sid
, sid
);
508 /* Assume "Domain Users" for the primary group */
510 sid_compose(&info
->group_sid
, &domain
->sid
, DOMAIN_GROUP_RID_USERS
);
512 /* Try to fill in what the nss_info backend can do */
514 nss_get_info_cached( domain
, sid
, mem_ctx
, NULL
, NULL
,
515 &info
->homedir
, &info
->shell
, &info
->full_name
,
517 info
->primary_gid
= gid
;
519 status
= NT_STATUS_OK
;
523 /* no cache...do the query */
525 if ( (ads
= ads_cached_connection(domain
)) == NULL
) {
526 domain
->last_status
= NT_STATUS_SERVER_DISABLED
;
530 sidstr
= sid_binstring(talloc_tos(), sid
);
531 if (asprintf(&ldap_exp
, "(objectSid=%s)", sidstr
) == -1) {
532 status
= NT_STATUS_NO_MEMORY
;
535 rc
= ads_search_retry(ads
, &msg
, ldap_exp
, attrs
);
538 if (!ADS_ERR_OK(rc
) || !msg
) {
539 DEBUG(1,("query_user(sid=%s) ads_search: %s\n",
540 sid_string_dbg(sid
), ads_errstr(rc
)));
544 count
= ads_count_replies(ads
, msg
);
546 DEBUG(1,("query_user(sid=%s): Not found\n",
547 sid_string_dbg(sid
)));
551 info
->acct_name
= ads_pull_username(ads
, mem_ctx
, msg
);
553 nss_get_info_cached( domain
, sid
, mem_ctx
, ads
, msg
,
554 &info
->homedir
, &info
->shell
, &info
->full_name
,
556 info
->primary_gid
= gid
;
558 if (info
->full_name
== NULL
) {
559 info
->full_name
= ads_pull_string(ads
, mem_ctx
, msg
, "name");
562 if (!ads_pull_uint32(ads
, msg
, "primaryGroupID", &group_rid
)) {
563 DEBUG(1,("No primary group for %s !?\n",
564 sid_string_dbg(sid
)));
568 sid_copy(&info
->user_sid
, sid
);
569 sid_compose(&info
->group_sid
, &domain
->sid
, group_rid
);
571 status
= NT_STATUS_OK
;
573 DEBUG(3,("ads query_user gave %s\n", info
->acct_name
));
576 ads_msgfree(ads
, msg
);
581 /* Lookup groups a user is a member of - alternate method, for when
582 tokenGroups are not available. */
583 static NTSTATUS
lookup_usergroups_member(struct winbindd_domain
*domain
,
586 DOM_SID
*primary_group
,
587 size_t *p_num_groups
, DOM_SID
**user_sids
)
590 NTSTATUS status
= NT_STATUS_UNSUCCESSFUL
;
592 LDAPMessage
*res
= NULL
;
593 LDAPMessage
*msg
= NULL
;
596 const char *group_attrs
[] = {"objectSid", NULL
};
598 size_t num_groups
= 0;
600 DEBUG(3,("ads: lookup_usergroups_member\n"));
602 if ( !winbindd_can_contact_domain( domain
) ) {
603 DEBUG(10,("lookup_usergroups_members: No incoming trust for domain %s\n",
608 ads
= ads_cached_connection(domain
);
611 domain
->last_status
= NT_STATUS_SERVER_DISABLED
;
615 if (!(escaped_dn
= escape_ldap_string(talloc_tos(), user_dn
))) {
616 status
= NT_STATUS_NO_MEMORY
;
620 ldap_exp
= talloc_asprintf(mem_ctx
,
621 "(&(member=%s)(objectCategory=group)(groupType:dn:%s:=%d))",
623 ADS_LDAP_MATCHING_RULE_BIT_AND
,
624 GROUP_TYPE_SECURITY_ENABLED
);
626 DEBUG(1,("lookup_usergroups(dn=%s) asprintf failed!\n", user_dn
));
627 TALLOC_FREE(escaped_dn
);
628 status
= NT_STATUS_NO_MEMORY
;
632 TALLOC_FREE(escaped_dn
);
634 rc
= ads_search_retry(ads
, &res
, ldap_exp
, group_attrs
);
636 if (!ADS_ERR_OK(rc
) || !res
) {
637 DEBUG(1,("lookup_usergroups ads_search member=%s: %s\n", user_dn
, ads_errstr(rc
)));
638 return ads_ntstatus(rc
);
641 count
= ads_count_replies(ads
, res
);
646 /* always add the primary group to the sid array */
647 status
= add_sid_to_array(mem_ctx
, primary_group
, user_sids
,
649 if (!NT_STATUS_IS_OK(status
)) {
654 for (msg
= ads_first_entry(ads
, res
); msg
;
655 msg
= ads_next_entry(ads
, msg
)) {
658 if (!ads_pull_sid(ads
, msg
, "objectSid", &group_sid
)) {
659 DEBUG(1,("No sid for this group ?!?\n"));
663 /* ignore Builtin groups from ADS - Guenther */
664 if (sid_check_is_in_builtin(&group_sid
)) {
668 status
= add_sid_to_array(mem_ctx
, &group_sid
,
669 user_sids
, &num_groups
);
670 if (!NT_STATUS_IS_OK(status
)) {
677 *p_num_groups
= num_groups
;
678 status
= (user_sids
!= NULL
) ? NT_STATUS_OK
: NT_STATUS_NO_MEMORY
;
680 DEBUG(3,("ads lookup_usergroups (member) succeeded for dn=%s\n", user_dn
));
683 ads_msgfree(ads
, res
);
688 /* Lookup groups a user is a member of - alternate method, for when
689 tokenGroups are not available. */
690 static NTSTATUS
lookup_usergroups_memberof(struct winbindd_domain
*domain
,
693 DOM_SID
*primary_group
,
694 size_t *p_num_groups
,
698 NTSTATUS status
= NT_STATUS_UNSUCCESSFUL
;
700 const char *attrs
[] = {"memberOf", NULL
};
701 size_t num_groups
= 0;
702 DOM_SID
*group_sids
= NULL
;
704 char **strings
= NULL
;
705 size_t num_strings
= 0, num_sids
= 0;
708 DEBUG(3,("ads: lookup_usergroups_memberof\n"));
710 if ( !winbindd_can_contact_domain( domain
) ) {
711 DEBUG(10,("lookup_usergroups_memberof: No incoming trust for "
712 "domain %s\n", domain
->name
));
716 ads
= ads_cached_connection(domain
);
719 domain
->last_status
= NT_STATUS_SERVER_DISABLED
;
720 return NT_STATUS_UNSUCCESSFUL
;
723 rc
= ads_search_retry_extended_dn_ranged(ads
, mem_ctx
, user_dn
, attrs
,
724 ADS_EXTENDED_DN_HEX_STRING
,
725 &strings
, &num_strings
);
727 if (!ADS_ERR_OK(rc
)) {
728 DEBUG(1,("lookup_usergroups_memberof ads_search "
729 "member=%s: %s\n", user_dn
, ads_errstr(rc
)));
730 return ads_ntstatus(rc
);
736 /* always add the primary group to the sid array */
737 status
= add_sid_to_array(mem_ctx
, primary_group
, user_sids
,
739 if (!NT_STATUS_IS_OK(status
)) {
743 group_sids
= TALLOC_ZERO_ARRAY(mem_ctx
, DOM_SID
, num_strings
+ 1);
745 status
= NT_STATUS_NO_MEMORY
;
749 for (i
=0; i
<num_strings
; i
++) {
750 rc
= ads_get_sid_from_extended_dn(mem_ctx
, strings
[i
],
751 ADS_EXTENDED_DN_HEX_STRING
,
753 if (!ADS_ERR_OK(rc
)) {
754 /* ignore members without SIDs */
755 if (NT_STATUS_EQUAL(ads_ntstatus(rc
),
756 NT_STATUS_NOT_FOUND
)) {
760 status
= ads_ntstatus(rc
);
768 DEBUG(1,("No memberOf for this user?!?\n"));
769 status
= NT_STATUS_NO_MEMORY
;
773 for (i
=0; i
<num_sids
; i
++) {
775 /* ignore Builtin groups from ADS - Guenther */
776 if (sid_check_is_in_builtin(&group_sids
[i
])) {
780 status
= add_sid_to_array(mem_ctx
, &group_sids
[i
], user_sids
,
782 if (!NT_STATUS_IS_OK(status
)) {
788 *p_num_groups
= num_groups
;
789 status
= (*user_sids
!= NULL
) ? NT_STATUS_OK
: NT_STATUS_NO_MEMORY
;
791 DEBUG(3,("ads lookup_usergroups (memberof) succeeded for dn=%s\n",
795 TALLOC_FREE(strings
);
796 TALLOC_FREE(group_sids
);
802 /* Lookup groups a user is a member of. */
803 static NTSTATUS
lookup_usergroups(struct winbindd_domain
*domain
,
806 uint32
*p_num_groups
, DOM_SID
**user_sids
)
808 ADS_STRUCT
*ads
= NULL
;
809 const char *attrs
[] = {"tokenGroups", "primaryGroupID", NULL
};
812 LDAPMessage
*msg
= NULL
;
813 char *user_dn
= NULL
;
816 DOM_SID primary_group
;
817 uint32 primary_group_rid
;
818 NTSTATUS status
= NT_STATUS_UNSUCCESSFUL
;
819 size_t num_groups
= 0;
821 DEBUG(3,("ads: lookup_usergroups\n"));
824 status
= lookup_usergroups_cached(domain
, mem_ctx
, sid
,
825 p_num_groups
, user_sids
);
826 if (NT_STATUS_IS_OK(status
)) {
830 if ( !winbindd_can_contact_domain( domain
) ) {
831 DEBUG(10,("lookup_usergroups: No incoming trust for domain %s\n",
834 /* Tell the cache manager not to remember this one */
836 return NT_STATUS_SYNCHRONIZATION_REQUIRED
;
839 ads
= ads_cached_connection(domain
);
842 domain
->last_status
= NT_STATUS_SERVER_DISABLED
;
843 status
= NT_STATUS_SERVER_DISABLED
;
847 rc
= ads_search_retry_sid(ads
, &msg
, sid
, attrs
);
849 if (!ADS_ERR_OK(rc
)) {
850 status
= ads_ntstatus(rc
);
851 DEBUG(1, ("lookup_usergroups(sid=%s) ads_search tokenGroups: "
852 "%s\n", sid_string_dbg(sid
), ads_errstr(rc
)));
856 count
= ads_count_replies(ads
, msg
);
858 status
= NT_STATUS_UNSUCCESSFUL
;
859 DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: "
860 "invalid number of results (count=%d)\n",
861 sid_string_dbg(sid
), count
));
866 DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: NULL msg\n",
867 sid_string_dbg(sid
)));
868 status
= NT_STATUS_UNSUCCESSFUL
;
872 user_dn
= ads_get_dn(ads
, mem_ctx
, msg
);
873 if (user_dn
== NULL
) {
874 status
= NT_STATUS_NO_MEMORY
;
878 if (!ads_pull_uint32(ads
, msg
, "primaryGroupID", &primary_group_rid
)) {
879 DEBUG(1,("%s: No primary group for sid=%s !?\n",
880 domain
->name
, sid_string_dbg(sid
)));
884 sid_copy(&primary_group
, &domain
->sid
);
885 sid_append_rid(&primary_group
, primary_group_rid
);
887 count
= ads_pull_sids(ads
, mem_ctx
, msg
, "tokenGroups", &sids
);
889 /* there must always be at least one group in the token,
890 unless we are talking to a buggy Win2k server */
892 /* actually this only happens when the machine account has no read
893 * permissions on the tokenGroup attribute - gd */
899 /* lookup what groups this user is a member of by DN search on
902 status
= lookup_usergroups_memberof(domain
, mem_ctx
, user_dn
,
904 &num_groups
, user_sids
);
905 *p_num_groups
= (uint32
)num_groups
;
906 if (NT_STATUS_IS_OK(status
)) {
910 /* lookup what groups this user is a member of by DN search on
913 status
= lookup_usergroups_member(domain
, mem_ctx
, user_dn
,
915 &num_groups
, user_sids
);
916 *p_num_groups
= (uint32
)num_groups
;
923 status
= add_sid_to_array(mem_ctx
, &primary_group
, user_sids
,
925 if (!NT_STATUS_IS_OK(status
)) {
929 for (i
=0;i
<count
;i
++) {
931 /* ignore Builtin groups from ADS - Guenther */
932 if (sid_check_is_in_builtin(&sids
[i
])) {
936 status
= add_sid_to_array_unique(mem_ctx
, &sids
[i
],
937 user_sids
, &num_groups
);
938 if (!NT_STATUS_IS_OK(status
)) {
943 *p_num_groups
= (uint32
)num_groups
;
944 status
= (*user_sids
!= NULL
) ? NT_STATUS_OK
: NT_STATUS_NO_MEMORY
;
946 DEBUG(3,("ads lookup_usergroups (tokenGroups) succeeded for sid=%s\n",
947 sid_string_dbg(sid
)));
949 TALLOC_FREE(user_dn
);
950 ads_msgfree(ads
, msg
);
954 /* Lookup aliases a user is member of - use rpc methods */
955 static NTSTATUS
lookup_useraliases(struct winbindd_domain
*domain
,
957 uint32 num_sids
, const DOM_SID
*sids
,
958 uint32
*num_aliases
, uint32
**alias_rids
)
960 return reconnect_methods
.lookup_useraliases(domain
, mem_ctx
,
967 find the members of a group, given a group rid and domain
969 static NTSTATUS
lookup_groupmem(struct winbindd_domain
*domain
,
971 const DOM_SID
*group_sid
,
972 enum lsa_SidType type
,
974 DOM_SID
**sid_mem
, char ***names
,
978 ADS_STRUCT
*ads
= NULL
;
980 NTSTATUS status
= NT_STATUS_UNSUCCESSFUL
;
982 char **members
= NULL
;
984 size_t num_members
= 0;
986 struct rpc_pipe_client
*cli
;
987 struct policy_handle lsa_policy
;
988 DOM_SID
*sid_mem_nocache
= NULL
;
989 char **names_nocache
= NULL
;
990 enum lsa_SidType
*name_types_nocache
= NULL
;
991 char **domains_nocache
= NULL
; /* only needed for rpccli_lsa_lookup_sids */
992 uint32 num_nocache
= 0;
993 TALLOC_CTX
*tmp_ctx
= NULL
;
995 DEBUG(10,("ads: lookup_groupmem %s sid=%s\n", domain
->name
,
996 sid_string_dbg(group_sid
)));
1000 tmp_ctx
= talloc_new(mem_ctx
);
1002 DEBUG(1, ("ads: lookup_groupmem: talloc failed\n"));
1003 status
= NT_STATUS_NO_MEMORY
;
1007 if ( !winbindd_can_contact_domain( domain
) ) {
1008 DEBUG(10,("lookup_groupmem: No incoming trust for domain %s\n",
1010 return NT_STATUS_OK
;
1013 ads
= ads_cached_connection(domain
);
1016 domain
->last_status
= NT_STATUS_SERVER_DISABLED
;
1020 if ((sidbinstr
= sid_binstring(talloc_tos(), group_sid
)) == NULL
) {
1021 status
= NT_STATUS_NO_MEMORY
;
1025 /* search for all members of the group */
1026 ldap_exp
= talloc_asprintf(tmp_ctx
, "(objectSid=%s)", sidbinstr
);
1027 TALLOC_FREE(sidbinstr
);
1028 if (ldap_exp
== NULL
) {
1029 DEBUG(1, ("ads: lookup_groupmem: talloc_asprintf for ldap_exp failed!\n"));
1030 status
= NT_STATUS_NO_MEMORY
;
1034 args
.control
= ADS_EXTENDED_DN_OID
;
1035 args
.val
= ADS_EXTENDED_DN_HEX_STRING
;
1036 args
.critical
= True
;
1038 rc
= ads_ranged_search(ads
, tmp_ctx
, LDAP_SCOPE_SUBTREE
, ads
->config
.bind_path
,
1039 ldap_exp
, &args
, "member", &members
, &num_members
);
1041 if (!ADS_ERR_OK(rc
)) {
1042 DEBUG(0,("ads_ranged_search failed with: %s\n", ads_errstr(rc
)));
1043 status
= NT_STATUS_UNSUCCESSFUL
;
1047 DEBUG(10, ("ads lookup_groupmem: got %d sids via extended dn call\n", (int)num_members
));
1049 /* Now that we have a list of sids, we need to get the
1050 * lists of names and name_types belonging to these sids.
1051 * even though conceptually not quite clean, we use the
1052 * RPC call lsa_lookup_sids for this since it can handle a
1053 * list of sids. ldap calls can just resolve one sid at a time.
1055 * At this stage, the sids are still hidden in the exetended dn
1056 * member output format. We actually do a little better than
1057 * stated above: In extracting the sids from the member strings,
1058 * we try to resolve as many sids as possible from the
1059 * cache. Only the rest is passed to the lsa_lookup_sids call. */
1062 (*sid_mem
) = TALLOC_ZERO_ARRAY(mem_ctx
, DOM_SID
, num_members
);
1063 (*names
) = TALLOC_ZERO_ARRAY(mem_ctx
, char *, num_members
);
1064 (*name_types
) = TALLOC_ZERO_ARRAY(mem_ctx
, uint32
, num_members
);
1065 (sid_mem_nocache
) = TALLOC_ZERO_ARRAY(tmp_ctx
, DOM_SID
, num_members
);
1067 if ((members
== NULL
) || (*sid_mem
== NULL
) ||
1068 (*names
== NULL
) || (*name_types
== NULL
) ||
1069 (sid_mem_nocache
== NULL
))
1071 DEBUG(1, ("ads: lookup_groupmem: talloc failed\n"));
1072 status
= NT_STATUS_NO_MEMORY
;
1079 (*name_types
) = NULL
;
1082 for (i
=0; i
<num_members
; i
++) {
1083 enum lsa_SidType name_type
;
1084 char *name
, *domain_name
;
1087 rc
= ads_get_sid_from_extended_dn(tmp_ctx
, members
[i
], args
.val
,
1089 if (!ADS_ERR_OK(rc
)) {
1090 if (NT_STATUS_EQUAL(ads_ntstatus(rc
),
1091 NT_STATUS_NOT_FOUND
)) {
1092 /* Group members can be objects, like Exchange
1093 * Public Folders, that don't have a SID. Skip
1098 status
= ads_ntstatus(rc
);
1102 if (lookup_cached_sid(mem_ctx
, &sid
, &domain_name
, &name
,
1104 DEBUG(10,("ads: lookup_groupmem: got sid %s from "
1105 "cache\n", sid_string_dbg(&sid
)));
1106 sid_copy(&(*sid_mem
)[*num_names
], &sid
);
1107 (*names
)[*num_names
] = fill_domain_username_talloc(
1113 (*name_types
)[*num_names
] = name_type
;
1117 DEBUG(10, ("ads: lookup_groupmem: sid %s not found in "
1118 "cache\n", sid_string_dbg(&sid
)));
1119 sid_copy(&(sid_mem_nocache
)[num_nocache
], &sid
);
1124 DEBUG(10, ("ads: lookup_groupmem: %d sids found in cache, "
1125 "%d left for lsa_lookupsids\n", *num_names
, num_nocache
));
1127 /* handle sids not resolved from cache by lsa_lookup_sids */
1128 if (num_nocache
> 0) {
1129 unsigned int orig_timeout
;
1131 status
= cm_connect_lsa(domain
, tmp_ctx
, &cli
, &lsa_policy
);
1133 if (!NT_STATUS_IS_OK(status
)) {
1138 * This call can take a long time
1139 * allow the server to time out.
1140 * 35 seconds should do it.
1142 orig_timeout
= rpccli_set_timeout(cli
, 35000);
1144 status
= rpccli_lsa_lookup_sids(cli
, tmp_ctx
,
1150 &name_types_nocache
);
1152 /* And restore our original timeout. */
1153 rpccli_set_timeout(cli
, orig_timeout
);
1155 if (!(NT_STATUS_IS_OK(status
) ||
1156 NT_STATUS_EQUAL(status
, STATUS_SOME_UNMAPPED
) ||
1157 NT_STATUS_EQUAL(status
, NT_STATUS_NONE_MAPPED
)))
1159 DEBUG(1, ("lsa_lookupsids call failed with %s "
1160 "- retrying...\n", nt_errstr(status
)));
1162 status
= cm_connect_lsa(domain
, tmp_ctx
, &cli
,
1165 if (!NT_STATUS_IS_OK(status
)) {
1170 * This call can take a long time
1171 * allow the server to time out.
1172 * 35 seconds should do it.
1174 orig_timeout
= rpccli_set_timeout(cli
, 35000);
1176 status
= rpccli_lsa_lookup_sids(cli
, tmp_ctx
,
1182 &name_types_nocache
);
1184 /* And restore our original timeout. */
1185 rpccli_set_timeout(cli
, orig_timeout
);
1188 if (NT_STATUS_IS_OK(status
) ||
1189 NT_STATUS_EQUAL(status
, STATUS_SOME_UNMAPPED
))
1191 /* Copy the entries over from the "_nocache" arrays
1192 * to the result arrays, skipping the gaps the
1193 * lookup_sids call left. */
1194 for (i
=0; i
< num_nocache
; i
++) {
1195 if (((names_nocache
)[i
] != NULL
) &&
1196 ((name_types_nocache
)[i
] != SID_NAME_UNKNOWN
))
1198 sid_copy(&(*sid_mem
)[*num_names
],
1199 &sid_mem_nocache
[i
]);
1200 (*names
)[*num_names
] =
1201 fill_domain_username_talloc(
1206 (*name_types
)[*num_names
] = name_types_nocache
[i
];
1211 else if (NT_STATUS_EQUAL(status
, NT_STATUS_NONE_MAPPED
)) {
1212 DEBUG(10, ("lookup_groupmem: lsa_lookup_sids could "
1213 "not map any SIDs at all.\n"));
1214 /* Don't handle this as an error here.
1215 * There is nothing left to do with respect to the
1216 * overall result... */
1218 else if (!NT_STATUS_IS_OK(status
)) {
1219 DEBUG(10, ("lookup_groupmem: Error looking up %d "
1220 "sids via rpc_lsa_lookup_sids: %s\n",
1221 (int)num_members
, nt_errstr(status
)));
1226 status
= NT_STATUS_OK
;
1227 DEBUG(3,("ads lookup_groupmem for sid=%s succeeded\n",
1228 sid_string_dbg(group_sid
)));
1232 TALLOC_FREE(tmp_ctx
);
1237 /* find the sequence number for a domain */
1238 static NTSTATUS
sequence_number(struct winbindd_domain
*domain
, uint32
*seq
)
1240 ADS_STRUCT
*ads
= NULL
;
1243 DEBUG(3,("ads: fetch sequence_number for %s\n", domain
->name
));
1245 if ( !winbindd_can_contact_domain( domain
) ) {
1246 DEBUG(10,("sequence: No incoming trust for domain %s\n",
1249 return NT_STATUS_OK
;
1252 *seq
= DOM_SEQUENCE_NONE
;
1254 ads
= ads_cached_connection(domain
);
1257 domain
->last_status
= NT_STATUS_SERVER_DISABLED
;
1258 return NT_STATUS_UNSUCCESSFUL
;
1261 rc
= ads_USN(ads
, seq
);
1263 if (!ADS_ERR_OK(rc
)) {
1265 /* its a dead connection, destroy it */
1267 if (domain
->private_data
) {
1268 ads
= (ADS_STRUCT
*)domain
->private_data
;
1269 ads
->is_mine
= True
;
1271 ads_kdestroy("MEMORY:winbind_ccache");
1272 domain
->private_data
= NULL
;
1275 return ads_ntstatus(rc
);
1278 /* find the lockout policy of a domain - use rpc methods */
1279 static NTSTATUS
lockout_policy(struct winbindd_domain
*domain
,
1280 TALLOC_CTX
*mem_ctx
,
1281 struct samr_DomInfo12
*policy
)
1283 return reconnect_methods
.lockout_policy(domain
, mem_ctx
, policy
);
1286 /* find the password policy of a domain - use rpc methods */
1287 static NTSTATUS
password_policy(struct winbindd_domain
*domain
,
1288 TALLOC_CTX
*mem_ctx
,
1289 struct samr_DomInfo1
*policy
)
1291 return reconnect_methods
.password_policy(domain
, mem_ctx
, policy
);
1294 /* get a list of trusted domains */
1295 static NTSTATUS
trusted_domains(struct winbindd_domain
*domain
,
1296 TALLOC_CTX
*mem_ctx
,
1297 uint32
*num_domains
,
1302 NTSTATUS result
= NT_STATUS_UNSUCCESSFUL
;
1303 struct netr_DomainTrustList trusts
;
1306 struct rpc_pipe_client
*cli
;
1307 uint32 fr_flags
= (NETR_TRUST_FLAG_IN_FOREST
| NETR_TRUST_FLAG_TREEROOT
);
1310 DEBUG(3,("ads: trusted_domains\n"));
1317 /* If this is our primary domain or a root in our forest,
1318 query for all trusts. If not, then just look for domain
1319 trusts in the target forest */
1321 if ( domain
->primary
||
1322 ((domain
->domain_flags
&fr_flags
) == fr_flags
) )
1324 flags
= NETR_TRUST_FLAG_OUTBOUND
|
1325 NETR_TRUST_FLAG_INBOUND
|
1326 NETR_TRUST_FLAG_IN_FOREST
;
1328 flags
= NETR_TRUST_FLAG_IN_FOREST
;
1331 result
= cm_connect_netlogon(domain
, &cli
);
1333 if (!NT_STATUS_IS_OK(result
)) {
1334 DEBUG(5, ("trusted_domains: Could not open a connection to %s "
1335 "for PIPE_NETLOGON (%s)\n",
1336 domain
->name
, nt_errstr(result
)));
1337 return NT_STATUS_UNSUCCESSFUL
;
1340 result
= rpccli_netr_DsrEnumerateDomainTrusts(cli
, mem_ctx
,
1345 if ( NT_STATUS_IS_OK(result
) && trusts
.count
) {
1347 /* Allocate memory for trusted domain names and sids */
1349 if ( !(*names
= TALLOC_ARRAY(mem_ctx
, char *, trusts
.count
)) ) {
1350 DEBUG(0, ("trusted_domains: out of memory\n"));
1351 return NT_STATUS_NO_MEMORY
;
1354 if ( !(*alt_names
= TALLOC_ARRAY(mem_ctx
, char *, trusts
.count
)) ) {
1355 DEBUG(0, ("trusted_domains: out of memory\n"));
1356 return NT_STATUS_NO_MEMORY
;
1359 if ( !(*dom_sids
= TALLOC_ARRAY(mem_ctx
, DOM_SID
, trusts
.count
)) ) {
1360 DEBUG(0, ("trusted_domains: out of memory\n"));
1361 return NT_STATUS_NO_MEMORY
;
1364 /* Copy across names and sids */
1368 for (i
= 0; i
< trusts
.count
; i
++) {
1369 struct winbindd_domain d
;
1373 /* drop external trusts if this is not our primary
1374 domain. This means that the returned number of
1375 domains may be less that the ones actually trusted
1378 if ( (trusts
.array
[i
].trust_attributes
== NETR_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN
) &&
1381 DEBUG(10,("trusted_domains: Skipping external trusted domain "
1382 "%s because it is outside of our primary domain\n",
1383 trusts
.array
[i
].netbios_name
));
1387 /* We must check that the SID of each trusted domain
1388 * was returned to work around a bug in Windows:
1389 * http://support.microsoft.com/kb/922832 */
1391 (*names
)[ret_count
] = CONST_DISCARD(char *, trusts
.array
[i
].netbios_name
);
1392 (*alt_names
)[ret_count
] = CONST_DISCARD(char *, trusts
.array
[i
].dns_name
);
1393 if (trusts
.array
[i
].sid
) {
1394 sid_copy(&(*dom_sids
)[ret_count
], trusts
.array
[i
].sid
);
1396 sid_copy(&(*dom_sids
)[ret_count
], &global_sid_NULL
);
1399 /* add to the trusted domain cache */
1401 fstrcpy( d
.name
, trusts
.array
[i
].netbios_name
);
1402 fstrcpy( d
.alt_name
, trusts
.array
[i
].dns_name
);
1403 if (trusts
.array
[i
].sid
) {
1404 sid_copy( &d
.sid
, trusts
.array
[i
].sid
);
1406 sid_copy(&d
.sid
, &global_sid_NULL
);
1409 if ( domain
->primary
) {
1410 DEBUG(10,("trusted_domains(ads): Searching "
1411 "trusted domain list of %s and storing "
1412 "trust flags for domain %s\n",
1413 domain
->name
, d
.alt_name
));
1415 d
.domain_flags
= trusts
.array
[i
].trust_flags
;
1416 d
.domain_type
= trusts
.array
[i
].trust_type
;
1417 d
.domain_trust_attribs
= trusts
.array
[i
].trust_attributes
;
1419 wcache_tdc_add_domain( &d
);
1421 } else if ( (domain
->domain_flags
&fr_flags
) == fr_flags
) {
1422 /* Check if we already have this record. If
1423 * we are following our forest root that is not
1424 * our primary domain, we want to keep trust
1425 * flags from the perspective of our primary
1426 * domain not our forest root. */
1427 struct winbindd_tdc_domain
*exist
= NULL
;
1430 wcache_tdc_fetch_domain(NULL
, trusts
.array
[i
].netbios_name
);
1432 DEBUG(10,("trusted_domains(ads): Searching "
1433 "trusted domain list of %s and storing "
1434 "trust flags for domain %s\n",
1435 domain
->name
, d
.alt_name
));
1436 d
.domain_flags
= trusts
.array
[i
].trust_flags
;
1437 d
.domain_type
= trusts
.array
[i
].trust_type
;
1438 d
.domain_trust_attribs
= trusts
.array
[i
].trust_attributes
;
1440 wcache_tdc_add_domain( &d
);
1445 /* This gets a little tricky. If we are
1446 following a transitive forest trust, then
1447 innerit the flags, type, and attribs from
1448 the domain we queried to make sure we don't
1449 record the view of the trust from the wrong
1450 side. Always view it from the side of our
1451 primary domain. --jerry */
1452 struct winbindd_tdc_domain
*parent
= NULL
;
1454 DEBUG(10,("trusted_domains(ads): Searching "
1455 "trusted domain list of %s and inheriting "
1456 "trust flags for domain %s\n",
1457 domain
->name
, d
.alt_name
));
1459 parent
= wcache_tdc_fetch_domain(NULL
, domain
->name
);
1461 d
.domain_flags
= parent
->trust_flags
;
1462 d
.domain_type
= parent
->trust_type
;
1463 d
.domain_trust_attribs
= parent
->trust_attribs
;
1465 d
.domain_flags
= domain
->domain_flags
;
1466 d
.domain_type
= domain
->domain_type
;
1467 d
.domain_trust_attribs
= domain
->domain_trust_attribs
;
1469 TALLOC_FREE(parent
);
1471 wcache_tdc_add_domain( &d
);
1476 *num_domains
= ret_count
;
1482 /* the ADS backend methods are exposed via this structure */
1483 struct winbindd_methods ads_methods
= {