Allow HTML build of Samba 4 manpages
[Samba/bb.git] / source3 / winbindd / winbindd_ads.c
blob8be6a479983f5230953d963faab254fa12925030
1 /*
2 Unix SMB/CIFS implementation.
4 Winbind ADS backend functions
6 Copyright (C) Andrew Tridgell 2001
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003
8 Copyright (C) Gerald (Jerry) Carter 2004
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 #include "includes.h"
25 #include "winbindd.h"
27 #ifdef HAVE_ADS
29 #undef DBGC_CLASS
30 #define DBGC_CLASS DBGC_WINBIND
32 extern struct winbindd_methods reconnect_methods;
35 return our ads connections structure for a domain. We keep the connection
36 open to make things faster
38 static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain)
40 ADS_STRUCT *ads;
41 ADS_STATUS status;
42 fstring dc_name;
43 struct sockaddr_storage dc_ss;
45 DEBUG(10,("ads_cached_connection\n"));
47 if (domain->private_data) {
49 time_t expire;
50 time_t now = time(NULL);
52 /* check for a valid structure */
53 ads = (ADS_STRUCT *)domain->private_data;
55 expire = MIN(ads->auth.tgt_expire, ads->auth.tgs_expire);
57 DEBUG(7, ("Current tickets expire in %d seconds (at %d, time is now %d)\n",
58 (uint32)expire-(uint32)now, (uint32) expire, (uint32) now));
60 if ( ads->config.realm && (expire > now)) {
61 return ads;
62 } else {
63 /* we own this ADS_STRUCT so make sure it goes away */
64 DEBUG(7,("Deleting expired krb5 credential cache\n"));
65 ads->is_mine = True;
66 ads_destroy( &ads );
67 ads_kdestroy("MEMORY:winbind_ccache");
68 domain->private_data = NULL;
72 /* we don't want this to affect the users ccache */
73 setenv("KRB5CCNAME", "MEMORY:winbind_ccache", 1);
75 ads = ads_init(domain->alt_name, domain->name, NULL);
76 if (!ads) {
77 DEBUG(1,("ads_init for domain %s failed\n", domain->name));
78 return NULL;
81 /* the machine acct password might have change - fetch it every time */
83 SAFE_FREE(ads->auth.password);
84 SAFE_FREE(ads->auth.realm);
86 if ( IS_DC ) {
87 DOM_SID sid;
88 time_t last_set_time;
90 if ( !pdb_get_trusteddom_pw( domain->name, &ads->auth.password, &sid, &last_set_time ) ) {
91 ads_destroy( &ads );
92 return NULL;
94 ads->auth.realm = SMB_STRDUP( ads->server.realm );
95 strupper_m( ads->auth.realm );
97 else {
98 struct winbindd_domain *our_domain = domain;
100 ads->auth.password = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
102 /* always give preference to the alt_name in our
103 primary domain if possible */
105 if ( !domain->primary )
106 our_domain = find_our_domain();
108 if ( our_domain->alt_name[0] != '\0' ) {
109 ads->auth.realm = SMB_STRDUP( our_domain->alt_name );
110 strupper_m( ads->auth.realm );
112 else
113 ads->auth.realm = SMB_STRDUP( lp_realm() );
116 ads->auth.renewable = WINBINDD_PAM_AUTH_KRB5_RENEW_TIME;
118 /* Setup the server affinity cache. We don't reaally care
119 about the name. Just setup affinity and the KRB5_CONFIG
120 file. */
122 get_dc_name( ads->server.workgroup, ads->server.realm, dc_name, &dc_ss );
124 status = ads_connect(ads);
125 if (!ADS_ERR_OK(status) || !ads->config.realm) {
126 DEBUG(1,("ads_connect for domain %s failed: %s\n",
127 domain->name, ads_errstr(status)));
128 ads_destroy(&ads);
130 /* if we get ECONNREFUSED then it might be a NT4
131 server, fall back to MSRPC */
132 if (status.error_type == ENUM_ADS_ERROR_SYSTEM &&
133 status.err.rc == ECONNREFUSED) {
134 /* 'reconnect_methods' is the MS-RPC backend. */
135 DEBUG(1,("Trying MSRPC methods\n"));
136 domain->backend = &reconnect_methods;
138 return NULL;
141 /* set the flag that says we don't own the memory even
142 though we do so that ads_destroy() won't destroy the
143 structure we pass back by reference */
145 ads->is_mine = False;
147 domain->private_data = (void *)ads;
148 return ads;
152 /* Query display info for a realm. This is the basic user list fn */
153 static NTSTATUS query_user_list(struct winbindd_domain *domain,
154 TALLOC_CTX *mem_ctx,
155 uint32 *num_entries,
156 WINBIND_USERINFO **info)
158 ADS_STRUCT *ads = NULL;
159 const char *attrs[] = { "*", NULL };
160 int i, count;
161 ADS_STATUS rc;
162 LDAPMessage *res = NULL;
163 LDAPMessage *msg = NULL;
164 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
166 *num_entries = 0;
168 DEBUG(3,("ads: query_user_list\n"));
170 if ( !winbindd_can_contact_domain( domain ) ) {
171 DEBUG(10,("query_user_list: No incoming trust for domain %s\n",
172 domain->name));
173 return NT_STATUS_OK;
176 ads = ads_cached_connection(domain);
178 if (!ads) {
179 domain->last_status = NT_STATUS_SERVER_DISABLED;
180 goto done;
183 rc = ads_search_retry(ads, &res, "(objectCategory=user)", attrs);
184 if (!ADS_ERR_OK(rc) || !res) {
185 DEBUG(1,("query_user_list ads_search: %s\n", ads_errstr(rc)));
186 goto done;
189 count = ads_count_replies(ads, res);
190 if (count == 0) {
191 DEBUG(1,("query_user_list: No users found\n"));
192 goto done;
195 (*info) = TALLOC_ZERO_ARRAY(mem_ctx, WINBIND_USERINFO, count);
196 if (!*info) {
197 status = NT_STATUS_NO_MEMORY;
198 goto done;
201 i = 0;
203 for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
204 char *name, *gecos = NULL;
205 char *homedir = NULL;
206 char *shell = NULL;
207 uint32 group;
208 uint32 atype;
209 DOM_SID user_sid;
210 gid_t primary_gid = (gid_t)-1;
212 if (!ads_pull_uint32(ads, msg, "sAMAccountType", &atype) ||
213 ads_atype_map(atype) != SID_NAME_USER) {
214 DEBUG(1,("Not a user account? atype=0x%x\n", atype));
215 continue;
218 name = ads_pull_username(ads, mem_ctx, msg);
220 if ( ads_pull_sid( ads, msg, "objectSid", &user_sid ) ) {
221 status = nss_get_info_cached( domain, &user_sid, mem_ctx,
222 ads, msg, &homedir, &shell, &gecos,
223 &primary_gid );
226 if (gecos == NULL) {
227 gecos = ads_pull_string(ads, mem_ctx, msg, "name");
230 if (!ads_pull_sid(ads, msg, "objectSid",
231 &(*info)[i].user_sid)) {
232 DEBUG(1,("No sid for %s !?\n", name));
233 continue;
235 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &group)) {
236 DEBUG(1,("No primary group for %s !?\n", name));
237 continue;
240 (*info)[i].acct_name = name;
241 (*info)[i].full_name = gecos;
242 (*info)[i].homedir = homedir;
243 (*info)[i].shell = shell;
244 (*info)[i].primary_gid = primary_gid;
245 sid_compose(&(*info)[i].group_sid, &domain->sid, group);
246 i++;
249 (*num_entries) = i;
250 status = NT_STATUS_OK;
252 DEBUG(3,("ads query_user_list gave %d entries\n", (*num_entries)));
254 done:
255 if (res)
256 ads_msgfree(ads, res);
258 return status;
261 /* list all domain groups */
262 static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
263 TALLOC_CTX *mem_ctx,
264 uint32 *num_entries,
265 struct acct_info **info)
267 ADS_STRUCT *ads = NULL;
268 const char *attrs[] = {"userPrincipalName", "sAMAccountName",
269 "name", "objectSid", NULL};
270 int i, count;
271 ADS_STATUS rc;
272 LDAPMessage *res = NULL;
273 LDAPMessage *msg = NULL;
274 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
275 const char *filter;
276 bool enum_dom_local_groups = False;
278 *num_entries = 0;
280 DEBUG(3,("ads: enum_dom_groups\n"));
282 if ( !winbindd_can_contact_domain( domain ) ) {
283 DEBUG(10,("enum_dom_groups: No incoming trust for domain %s\n",
284 domain->name));
285 return NT_STATUS_OK;
288 /* only grab domain local groups for our domain */
289 if ( domain->active_directory && strequal(lp_realm(), domain->alt_name) ) {
290 enum_dom_local_groups = True;
293 /* Workaround ADS LDAP bug present in MS W2K3 SP0 and W2K SP4 w/o
294 * rollup-fixes:
296 * According to Section 5.1(4) of RFC 2251 if a value of a type is it's
297 * default value, it MUST be absent. In case of extensible matching the
298 * "dnattr" boolean defaults to FALSE and so it must be only be present
299 * when set to TRUE.
301 * When it is set to FALSE and the OpenLDAP lib (correctly) encodes a
302 * filter using bitwise matching rule then the buggy AD fails to decode
303 * the extensible match. As a workaround set it to TRUE and thereby add
304 * the dnAttributes "dn" field to cope with those older AD versions.
305 * It should not harm and won't put any additional load on the AD since
306 * none of the dn components have a bitmask-attribute.
308 * Thanks to Ralf Haferkamp for input and testing - Guenther */
310 filter = talloc_asprintf(mem_ctx, "(&(objectCategory=group)(&(groupType:dn:%s:=%d)(!(groupType:dn:%s:=%d))))",
311 ADS_LDAP_MATCHING_RULE_BIT_AND, GROUP_TYPE_SECURITY_ENABLED,
312 ADS_LDAP_MATCHING_RULE_BIT_AND,
313 enum_dom_local_groups ? GROUP_TYPE_BUILTIN_LOCAL_GROUP : GROUP_TYPE_RESOURCE_GROUP);
315 if (filter == NULL) {
316 status = NT_STATUS_NO_MEMORY;
317 goto done;
320 ads = ads_cached_connection(domain);
322 if (!ads) {
323 domain->last_status = NT_STATUS_SERVER_DISABLED;
324 goto done;
327 rc = ads_search_retry(ads, &res, filter, attrs);
328 if (!ADS_ERR_OK(rc) || !res) {
329 DEBUG(1,("enum_dom_groups ads_search: %s\n", ads_errstr(rc)));
330 goto done;
333 count = ads_count_replies(ads, res);
334 if (count == 0) {
335 DEBUG(1,("enum_dom_groups: No groups found\n"));
336 goto done;
339 (*info) = TALLOC_ZERO_ARRAY(mem_ctx, struct acct_info, count);
340 if (!*info) {
341 status = NT_STATUS_NO_MEMORY;
342 goto done;
345 i = 0;
347 for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
348 char *name, *gecos;
349 DOM_SID sid;
350 uint32 rid;
352 name = ads_pull_username(ads, mem_ctx, msg);
353 gecos = ads_pull_string(ads, mem_ctx, msg, "name");
354 if (!ads_pull_sid(ads, msg, "objectSid", &sid)) {
355 DEBUG(1,("No sid for %s !?\n", name));
356 continue;
359 if (!sid_peek_check_rid(&domain->sid, &sid, &rid)) {
360 DEBUG(1,("No rid for %s !?\n", name));
361 continue;
364 fstrcpy((*info)[i].acct_name, name);
365 fstrcpy((*info)[i].acct_desc, gecos);
366 (*info)[i].rid = rid;
367 i++;
370 (*num_entries) = i;
372 status = NT_STATUS_OK;
374 DEBUG(3,("ads enum_dom_groups gave %d entries\n", (*num_entries)));
376 done:
377 if (res)
378 ads_msgfree(ads, res);
380 return status;
383 /* list all domain local groups */
384 static NTSTATUS enum_local_groups(struct winbindd_domain *domain,
385 TALLOC_CTX *mem_ctx,
386 uint32 *num_entries,
387 struct acct_info **info)
390 * This is a stub function only as we returned the domain
391 * local groups in enum_dom_groups() if the domain->native field
392 * was true. This is a simple performance optimization when
393 * using LDAP.
395 * if we ever need to enumerate domain local groups separately,
396 * then this the optimization in enum_dom_groups() will need
397 * to be split out
399 *num_entries = 0;
401 return NT_STATUS_OK;
404 /* If you are looking for "dn_lookup": Yes, it used to be here!
405 * It has gone now since it was a major speed bottleneck in
406 * lookup_groupmem (its only use). It has been replaced by
407 * an rpc lookup sids call... R.I.P. */
409 /* Lookup user information from a rid */
410 static NTSTATUS query_user(struct winbindd_domain *domain,
411 TALLOC_CTX *mem_ctx,
412 const DOM_SID *sid,
413 WINBIND_USERINFO *info)
415 ADS_STRUCT *ads = NULL;
416 const char *attrs[] = { "*", NULL };
417 ADS_STATUS rc;
418 int count;
419 LDAPMessage *msg = NULL;
420 char *ldap_exp;
421 char *sidstr;
422 uint32 group_rid;
423 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
424 struct netr_SamInfo3 *user = NULL;
426 DEBUG(3,("ads: query_user\n"));
428 info->homedir = NULL;
429 info->shell = NULL;
430 info->primary_gid = (gid_t)-1;
432 /* try netsamlogon cache first */
434 if ( (user = netsamlogon_cache_get( mem_ctx, sid )) != NULL )
437 DEBUG(5,("query_user: Cache lookup succeeded for %s\n",
438 sid_string_dbg(sid)));
440 sid_compose(&info->user_sid, &domain->sid, user->base.rid);
441 sid_compose(&info->group_sid, &domain->sid, user->base.primary_gid);
443 info->acct_name = talloc_strdup(mem_ctx, user->base.account_name.string);
444 info->full_name = talloc_strdup(mem_ctx, user->base.full_name.string);
446 nss_get_info_cached( domain, sid, mem_ctx, NULL, NULL,
447 &info->homedir, &info->shell, &info->full_name,
448 &info->primary_gid );
450 TALLOC_FREE(user);
452 return NT_STATUS_OK;
455 if ( !winbindd_can_contact_domain(domain)) {
456 DEBUG(8,("query_user: No incoming trust from domain %s\n",
457 domain->name));
459 /* We still need to generate some basic information
460 about the user even if we cannot contact the
461 domain. Most of this stuff we can deduce. */
463 sid_copy( &info->user_sid, sid );
465 /* Assume "Domain Users" for the primary group */
467 sid_compose(&info->group_sid, &domain->sid, DOMAIN_GROUP_RID_USERS );
469 /* Try to fill in what the nss_info backend can do */
471 nss_get_info_cached( domain, sid, mem_ctx, NULL, NULL,
472 &info->homedir, &info->shell, &info->full_name,
473 &info->primary_gid );
475 status = NT_STATUS_OK;
476 goto done;
479 /* no cache...do the query */
481 if ( (ads = ads_cached_connection(domain)) == NULL ) {
482 domain->last_status = NT_STATUS_SERVER_DISABLED;
483 goto done;
486 sidstr = sid_binstring(sid);
487 asprintf(&ldap_exp, "(objectSid=%s)", sidstr);
488 rc = ads_search_retry(ads, &msg, ldap_exp, attrs);
489 free(ldap_exp);
490 free(sidstr);
491 if (!ADS_ERR_OK(rc) || !msg) {
492 DEBUG(1,("query_user(sid=%s) ads_search: %s\n",
493 sid_string_dbg(sid), ads_errstr(rc)));
494 goto done;
497 count = ads_count_replies(ads, msg);
498 if (count != 1) {
499 DEBUG(1,("query_user(sid=%s): Not found\n",
500 sid_string_dbg(sid)));
501 goto done;
504 info->acct_name = ads_pull_username(ads, mem_ctx, msg);
506 nss_get_info_cached( domain, sid, mem_ctx, ads, msg,
507 &info->homedir, &info->shell, &info->full_name,
508 &info->primary_gid );
510 if (info->full_name == NULL) {
511 info->full_name = ads_pull_string(ads, mem_ctx, msg, "name");
514 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &group_rid)) {
515 DEBUG(1,("No primary group for %s !?\n",
516 sid_string_dbg(sid)));
517 goto done;
520 sid_copy(&info->user_sid, sid);
521 sid_compose(&info->group_sid, &domain->sid, group_rid);
523 status = NT_STATUS_OK;
525 DEBUG(3,("ads query_user gave %s\n", info->acct_name));
526 done:
527 if (msg)
528 ads_msgfree(ads, msg);
530 return status;
533 /* Lookup groups a user is a member of - alternate method, for when
534 tokenGroups are not available. */
535 static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain,
536 TALLOC_CTX *mem_ctx,
537 const char *user_dn,
538 DOM_SID *primary_group,
539 size_t *p_num_groups, DOM_SID **user_sids)
541 ADS_STATUS rc;
542 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
543 int count;
544 LDAPMessage *res = NULL;
545 LDAPMessage *msg = NULL;
546 char *ldap_exp;
547 ADS_STRUCT *ads;
548 const char *group_attrs[] = {"objectSid", NULL};
549 char *escaped_dn;
550 size_t num_groups = 0;
552 DEBUG(3,("ads: lookup_usergroups_member\n"));
554 if ( !winbindd_can_contact_domain( domain ) ) {
555 DEBUG(10,("lookup_usergroups_members: No incoming trust for domain %s\n",
556 domain->name));
557 return NT_STATUS_OK;
560 ads = ads_cached_connection(domain);
562 if (!ads) {
563 domain->last_status = NT_STATUS_SERVER_DISABLED;
564 goto done;
567 if (!(escaped_dn = escape_ldap_string_alloc(user_dn))) {
568 status = NT_STATUS_NO_MEMORY;
569 goto done;
572 ldap_exp = talloc_asprintf(mem_ctx,
573 "(&(member=%s)(objectCategory=group)(groupType:dn:%s:=%d))",
574 escaped_dn,
575 ADS_LDAP_MATCHING_RULE_BIT_AND,
576 GROUP_TYPE_SECURITY_ENABLED);
577 if (!ldap_exp) {
578 DEBUG(1,("lookup_usergroups(dn=%s) asprintf failed!\n", user_dn));
579 SAFE_FREE(escaped_dn);
580 status = NT_STATUS_NO_MEMORY;
581 goto done;
584 SAFE_FREE(escaped_dn);
586 rc = ads_search_retry(ads, &res, ldap_exp, group_attrs);
588 if (!ADS_ERR_OK(rc) || !res) {
589 DEBUG(1,("lookup_usergroups ads_search member=%s: %s\n", user_dn, ads_errstr(rc)));
590 return ads_ntstatus(rc);
593 count = ads_count_replies(ads, res);
595 *user_sids = NULL;
596 num_groups = 0;
598 /* always add the primary group to the sid array */
599 status = add_sid_to_array(mem_ctx, primary_group, user_sids,
600 &num_groups);
601 if (!NT_STATUS_IS_OK(status)) {
602 goto done;
605 if (count > 0) {
606 for (msg = ads_first_entry(ads, res); msg;
607 msg = ads_next_entry(ads, msg)) {
608 DOM_SID group_sid;
610 if (!ads_pull_sid(ads, msg, "objectSid", &group_sid)) {
611 DEBUG(1,("No sid for this group ?!?\n"));
612 continue;
615 /* ignore Builtin groups from ADS - Guenther */
616 if (sid_check_is_in_builtin(&group_sid)) {
617 continue;
620 status = add_sid_to_array(mem_ctx, &group_sid,
621 user_sids, &num_groups);
622 if (!NT_STATUS_IS_OK(status)) {
623 goto done;
629 *p_num_groups = num_groups;
630 status = (user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
632 DEBUG(3,("ads lookup_usergroups (member) succeeded for dn=%s\n", user_dn));
633 done:
634 if (res)
635 ads_msgfree(ads, res);
637 return status;
640 /* Lookup groups a user is a member of - alternate method, for when
641 tokenGroups are not available. */
642 static NTSTATUS lookup_usergroups_memberof(struct winbindd_domain *domain,
643 TALLOC_CTX *mem_ctx,
644 const char *user_dn,
645 DOM_SID *primary_group,
646 size_t *p_num_groups, DOM_SID **user_sids)
648 ADS_STATUS rc;
649 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
650 ADS_STRUCT *ads;
651 const char *attrs[] = {"memberOf", NULL};
652 size_t num_groups = 0;
653 DOM_SID *group_sids = NULL;
654 int i;
655 char **strings;
656 size_t num_strings = 0;
659 DEBUG(3,("ads: lookup_usergroups_memberof\n"));
661 if ( !winbindd_can_contact_domain( domain ) ) {
662 DEBUG(10,("lookup_usergroups_memberof: No incoming trust for domain %s\n",
663 domain->name));
664 return NT_STATUS_OK;
667 ads = ads_cached_connection(domain);
669 if (!ads) {
670 domain->last_status = NT_STATUS_SERVER_DISABLED;
671 goto done;
674 rc = ads_search_retry_extended_dn_ranged(ads, mem_ctx, user_dn, attrs,
675 ADS_EXTENDED_DN_HEX_STRING,
676 &strings, &num_strings);
678 if (!ADS_ERR_OK(rc)) {
679 DEBUG(1,("lookup_usergroups_memberof ads_search member=%s: %s\n",
680 user_dn, ads_errstr(rc)));
681 return ads_ntstatus(rc);
684 *user_sids = NULL;
685 num_groups = 0;
687 /* always add the primary group to the sid array */
688 status = add_sid_to_array(mem_ctx, primary_group, user_sids,
689 &num_groups);
690 if (!NT_STATUS_IS_OK(status)) {
691 goto done;
694 group_sids = TALLOC_ZERO_ARRAY(mem_ctx, DOM_SID, num_strings + 1);
695 if (!group_sids) {
696 TALLOC_FREE(strings);
697 status = NT_STATUS_NO_MEMORY;
698 goto done;
701 for (i=0; i<num_strings; i++) {
703 if (!ads_get_sid_from_extended_dn(mem_ctx, strings[i],
704 ADS_EXTENDED_DN_HEX_STRING,
705 &(group_sids)[i])) {
706 TALLOC_FREE(group_sids);
707 TALLOC_FREE(strings);
708 status = NT_STATUS_NO_MEMORY;
709 goto done;
713 if (i == 0) {
714 DEBUG(1,("No memberOf for this user?!?\n"));
715 status = NT_STATUS_NO_MEMORY;
716 goto done;
719 for (i=0; i<num_strings; i++) {
721 /* ignore Builtin groups from ADS - Guenther */
722 if (sid_check_is_in_builtin(&group_sids[i])) {
723 continue;
726 status = add_sid_to_array(mem_ctx, &group_sids[i], user_sids,
727 &num_groups);
728 if (!NT_STATUS_IS_OK(status)) {
729 goto done;
734 *p_num_groups = num_groups;
735 status = (*user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
737 DEBUG(3,("ads lookup_usergroups (memberof) succeeded for dn=%s\n", user_dn));
738 done:
739 TALLOC_FREE(group_sids);
741 return status;
745 /* Lookup groups a user is a member of. */
746 static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
747 TALLOC_CTX *mem_ctx,
748 const DOM_SID *sid,
749 uint32 *p_num_groups, DOM_SID **user_sids)
751 ADS_STRUCT *ads = NULL;
752 const char *attrs[] = {"tokenGroups", "primaryGroupID", NULL};
753 ADS_STATUS rc;
754 int count;
755 LDAPMessage *msg = NULL;
756 char *user_dn = NULL;
757 DOM_SID *sids;
758 int i;
759 DOM_SID primary_group;
760 uint32 primary_group_rid;
761 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
762 size_t num_groups = 0;
764 DEBUG(3,("ads: lookup_usergroups\n"));
765 *p_num_groups = 0;
767 status = lookup_usergroups_cached(domain, mem_ctx, sid,
768 p_num_groups, user_sids);
769 if (NT_STATUS_IS_OK(status)) {
770 return NT_STATUS_OK;
773 if ( !winbindd_can_contact_domain( domain ) ) {
774 DEBUG(10,("lookup_usergroups: No incoming trust for domain %s\n",
775 domain->name));
777 /* Tell the cache manager not to remember this one */
779 return NT_STATUS_SYNCHRONIZATION_REQUIRED;
782 ads = ads_cached_connection(domain);
784 if (!ads) {
785 domain->last_status = NT_STATUS_SERVER_DISABLED;
786 status = NT_STATUS_SERVER_DISABLED;
787 goto done;
790 rc = ads_search_retry_sid(ads, &msg, sid, attrs);
792 if (!ADS_ERR_OK(rc)) {
793 status = ads_ntstatus(rc);
794 DEBUG(1, ("lookup_usergroups(sid=%s) ads_search tokenGroups: "
795 "%s\n", sid_string_dbg(sid), ads_errstr(rc)));
796 goto done;
799 count = ads_count_replies(ads, msg);
800 if (count != 1) {
801 status = NT_STATUS_UNSUCCESSFUL;
802 DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: "
803 "invalid number of results (count=%d)\n",
804 sid_string_dbg(sid), count));
805 goto done;
808 if (!msg) {
809 DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: NULL msg\n",
810 sid_string_dbg(sid)));
811 status = NT_STATUS_UNSUCCESSFUL;
812 goto done;
815 user_dn = ads_get_dn(ads, msg);
816 if (user_dn == NULL) {
817 status = NT_STATUS_NO_MEMORY;
818 goto done;
821 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &primary_group_rid)) {
822 DEBUG(1,("%s: No primary group for sid=%s !?\n",
823 domain->name, sid_string_dbg(sid)));
824 goto done;
827 sid_copy(&primary_group, &domain->sid);
828 sid_append_rid(&primary_group, primary_group_rid);
830 count = ads_pull_sids(ads, mem_ctx, msg, "tokenGroups", &sids);
832 /* there must always be at least one group in the token,
833 unless we are talking to a buggy Win2k server */
835 /* actually this only happens when the machine account has no read
836 * permissions on the tokenGroup attribute - gd */
838 if (count == 0) {
840 /* no tokenGroups */
842 /* lookup what groups this user is a member of by DN search on
843 * "memberOf" */
845 status = lookup_usergroups_memberof(domain, mem_ctx, user_dn,
846 &primary_group,
847 &num_groups, user_sids);
848 *p_num_groups = (uint32)num_groups;
849 if (NT_STATUS_IS_OK(status)) {
850 goto done;
853 /* lookup what groups this user is a member of by DN search on
854 * "member" */
856 status = lookup_usergroups_member(domain, mem_ctx, user_dn,
857 &primary_group,
858 &num_groups, user_sids);
859 *p_num_groups = (uint32)num_groups;
860 goto done;
863 *user_sids = NULL;
864 num_groups = 0;
866 status = add_sid_to_array(mem_ctx, &primary_group, user_sids,
867 &num_groups);
868 if (!NT_STATUS_IS_OK(status)) {
869 goto done;
872 for (i=0;i<count;i++) {
874 /* ignore Builtin groups from ADS - Guenther */
875 if (sid_check_is_in_builtin(&sids[i])) {
876 continue;
879 status = add_sid_to_array_unique(mem_ctx, &sids[i],
880 user_sids, &num_groups);
881 if (!NT_STATUS_IS_OK(status)) {
882 goto done;
886 *p_num_groups = (uint32)num_groups;
887 status = (*user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
889 DEBUG(3,("ads lookup_usergroups (tokenGroups) succeeded for sid=%s\n",
890 sid_string_dbg(sid)));
891 done:
892 ads_memfree(ads, user_dn);
893 ads_msgfree(ads, msg);
894 return status;
898 find the members of a group, given a group rid and domain
900 static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
901 TALLOC_CTX *mem_ctx,
902 const DOM_SID *group_sid, uint32 *num_names,
903 DOM_SID **sid_mem, char ***names,
904 uint32 **name_types)
906 ADS_STATUS rc;
907 ADS_STRUCT *ads = NULL;
908 char *ldap_exp;
909 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
910 char *sidbinstr;
911 char **members = NULL;
912 int i;
913 size_t num_members = 0;
914 ads_control args;
915 struct rpc_pipe_client *cli;
916 POLICY_HND lsa_policy;
917 DOM_SID *sid_mem_nocache = NULL;
918 char **names_nocache = NULL;
919 enum lsa_SidType *name_types_nocache = NULL;
920 char **domains_nocache = NULL; /* only needed for rpccli_lsa_lookup_sids */
921 uint32 num_nocache = 0;
922 TALLOC_CTX *tmp_ctx = NULL;
924 DEBUG(10,("ads: lookup_groupmem %s sid=%s\n", domain->name,
925 sid_string_dbg(group_sid)));
927 *num_names = 0;
929 tmp_ctx = talloc_new(mem_ctx);
930 if (!tmp_ctx) {
931 DEBUG(1, ("ads: lookup_groupmem: talloc failed\n"));
932 status = NT_STATUS_NO_MEMORY;
933 goto done;
936 if ( !winbindd_can_contact_domain( domain ) ) {
937 DEBUG(10,("lookup_groupmem: No incoming trust for domain %s\n",
938 domain->name));
939 return NT_STATUS_OK;
942 ads = ads_cached_connection(domain);
944 if (!ads) {
945 domain->last_status = NT_STATUS_SERVER_DISABLED;
946 goto done;
949 if ((sidbinstr = sid_binstring(group_sid)) == NULL) {
950 status = NT_STATUS_NO_MEMORY;
951 goto done;
954 /* search for all members of the group */
955 if (!(ldap_exp = talloc_asprintf(tmp_ctx, "(objectSid=%s)",
956 sidbinstr)))
958 SAFE_FREE(sidbinstr);
959 DEBUG(1, ("ads: lookup_groupmem: talloc_asprintf for ldap_exp failed!\n"));
960 status = NT_STATUS_NO_MEMORY;
961 goto done;
963 SAFE_FREE(sidbinstr);
965 args.control = ADS_EXTENDED_DN_OID;
966 args.val = ADS_EXTENDED_DN_HEX_STRING;
967 args.critical = True;
969 rc = ads_ranged_search(ads, tmp_ctx, LDAP_SCOPE_SUBTREE, ads->config.bind_path,
970 ldap_exp, &args, "member", &members, &num_members);
972 if (!ADS_ERR_OK(rc)) {
973 DEBUG(0,("ads_ranged_search failed with: %s\n", ads_errstr(rc)));
974 status = NT_STATUS_UNSUCCESSFUL;
975 goto done;
978 DEBUG(10, ("ads lookup_groupmem: got %d sids via extended dn call\n", (int)num_members));
980 /* Now that we have a list of sids, we need to get the
981 * lists of names and name_types belonging to these sids.
982 * even though conceptually not quite clean, we use the
983 * RPC call lsa_lookup_sids for this since it can handle a
984 * list of sids. ldap calls can just resolve one sid at a time.
986 * At this stage, the sids are still hidden in the exetended dn
987 * member output format. We actually do a little better than
988 * stated above: In extracting the sids from the member strings,
989 * we try to resolve as many sids as possible from the
990 * cache. Only the rest is passed to the lsa_lookup_sids call. */
992 if (num_members) {
993 (*sid_mem) = TALLOC_ZERO_ARRAY(mem_ctx, DOM_SID, num_members);
994 (*names) = TALLOC_ZERO_ARRAY(mem_ctx, char *, num_members);
995 (*name_types) = TALLOC_ZERO_ARRAY(mem_ctx, uint32, num_members);
996 (sid_mem_nocache) = TALLOC_ZERO_ARRAY(tmp_ctx, DOM_SID, num_members);
998 if ((members == NULL) || (*sid_mem == NULL) ||
999 (*names == NULL) || (*name_types == NULL) ||
1000 (sid_mem_nocache == NULL))
1002 DEBUG(1, ("ads: lookup_groupmem: talloc failed\n"));
1003 status = NT_STATUS_NO_MEMORY;
1004 goto done;
1007 else {
1008 (*sid_mem) = NULL;
1009 (*names) = NULL;
1010 (*name_types) = NULL;
1013 for (i=0; i<num_members; i++) {
1014 enum lsa_SidType name_type;
1015 char *name, *domain_name;
1016 DOM_SID sid;
1018 if (!ads_get_sid_from_extended_dn(tmp_ctx, members[i], args.val, &sid)) {
1019 status = NT_STATUS_INVALID_PARAMETER;
1020 goto done;
1022 if (lookup_cached_sid(mem_ctx, &sid, &domain_name, &name, &name_type)) {
1023 DEBUG(10,("ads: lookup_groupmem: got sid %s from "
1024 "cache\n", sid_string_dbg(&sid)));
1025 sid_copy(&(*sid_mem)[*num_names], &sid);
1026 (*names)[*num_names] = talloc_asprintf(*names, "%s%c%s",
1027 domain_name,
1028 *lp_winbind_separator(),
1029 name );
1031 (*name_types)[*num_names] = name_type;
1032 (*num_names)++;
1034 else {
1035 DEBUG(10, ("ads: lookup_groupmem: sid %s not found in "
1036 "cache\n", sid_string_dbg(&sid)));
1037 sid_copy(&(sid_mem_nocache)[num_nocache], &sid);
1038 num_nocache++;
1042 DEBUG(10, ("ads: lookup_groupmem: %d sids found in cache, "
1043 "%d left for lsa_lookupsids\n", *num_names, num_nocache));
1045 /* handle sids not resolved from cache by lsa_lookup_sids */
1046 if (num_nocache > 0) {
1048 status = cm_connect_lsa(domain, tmp_ctx, &cli, &lsa_policy);
1050 if (!NT_STATUS_IS_OK(status)) {
1051 goto done;
1054 status = rpccli_lsa_lookup_sids(cli, tmp_ctx,
1055 &lsa_policy,
1056 num_nocache,
1057 sid_mem_nocache,
1058 &domains_nocache,
1059 &names_nocache,
1060 &name_types_nocache);
1062 if (NT_STATUS_IS_OK(status) ||
1063 NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED))
1065 /* Copy the entries over from the "_nocache" arrays
1066 * to the result arrays, skipping the gaps the
1067 * lookup_sids call left. */
1068 for (i=0; i < num_nocache; i++) {
1069 if (((names_nocache)[i] != NULL) &&
1070 ((name_types_nocache)[i] != SID_NAME_UNKNOWN))
1072 sid_copy(&(*sid_mem)[*num_names],
1073 &sid_mem_nocache[i]);
1074 (*names)[*num_names] = talloc_asprintf( *names,
1075 "%s%c%s",
1076 domains_nocache[i],
1077 *lp_winbind_separator(),
1078 names_nocache[i] );
1079 (*name_types)[*num_names] = name_types_nocache[i];
1080 (*num_names)++;
1084 else if (NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)) {
1085 DEBUG(10, ("lookup_groupmem: lsa_lookup_sids could "
1086 "not map any SIDs at all.\n"));
1087 /* Don't handle this as an error here.
1088 * There is nothing left to do with respect to the
1089 * overall result... */
1091 else if (!NT_STATUS_IS_OK(status)) {
1092 DEBUG(10, ("lookup_groupmem: Error looking up %d "
1093 "sids via rpc_lsa_lookup_sids: %s\n",
1094 (int)num_members, nt_errstr(status)));
1095 goto done;
1099 status = NT_STATUS_OK;
1100 DEBUG(3,("ads lookup_groupmem for sid=%s succeeded\n",
1101 sid_string_dbg(group_sid)));
1103 done:
1105 TALLOC_FREE(tmp_ctx);
1107 return status;
1110 /* find the sequence number for a domain */
1111 static NTSTATUS sequence_number(struct winbindd_domain *domain, uint32 *seq)
1113 ADS_STRUCT *ads = NULL;
1114 ADS_STATUS rc;
1116 DEBUG(3,("ads: fetch sequence_number for %s\n", domain->name));
1118 if ( !winbindd_can_contact_domain( domain ) ) {
1119 DEBUG(10,("sequence: No incoming trust for domain %s\n",
1120 domain->name));
1121 *seq = time(NULL);
1122 return NT_STATUS_OK;
1125 *seq = DOM_SEQUENCE_NONE;
1127 ads = ads_cached_connection(domain);
1129 if (!ads) {
1130 domain->last_status = NT_STATUS_SERVER_DISABLED;
1131 return NT_STATUS_UNSUCCESSFUL;
1134 rc = ads_USN(ads, seq);
1136 if (!ADS_ERR_OK(rc)) {
1138 /* its a dead connection, destroy it */
1140 if (domain->private_data) {
1141 ads = (ADS_STRUCT *)domain->private_data;
1142 ads->is_mine = True;
1143 ads_destroy(&ads);
1144 ads_kdestroy("MEMORY:winbind_ccache");
1145 domain->private_data = NULL;
1148 return ads_ntstatus(rc);
1151 /* get a list of trusted domains */
1152 static NTSTATUS trusted_domains(struct winbindd_domain *domain,
1153 TALLOC_CTX *mem_ctx,
1154 uint32 *num_domains,
1155 char ***names,
1156 char ***alt_names,
1157 DOM_SID **dom_sids)
1159 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1160 struct netr_DomainTrustList trusts;
1161 int i;
1162 uint32 flags;
1163 struct rpc_pipe_client *cli;
1164 uint32 fr_flags = (NETR_TRUST_FLAG_IN_FOREST | NETR_TRUST_FLAG_TREEROOT);
1165 int ret_count;
1167 DEBUG(3,("ads: trusted_domains\n"));
1169 *num_domains = 0;
1170 *alt_names = NULL;
1171 *names = NULL;
1172 *dom_sids = NULL;
1174 /* If this is our primary domain or a root in our forest,
1175 query for all trusts. If not, then just look for domain
1176 trusts in the target forest */
1178 if ( domain->primary ||
1179 ((domain->domain_flags&fr_flags) == fr_flags) )
1181 flags = NETR_TRUST_FLAG_OUTBOUND |
1182 NETR_TRUST_FLAG_INBOUND |
1183 NETR_TRUST_FLAG_IN_FOREST;
1184 } else {
1185 flags = NETR_TRUST_FLAG_IN_FOREST;
1188 result = cm_connect_netlogon(domain, &cli);
1190 if (!NT_STATUS_IS_OK(result)) {
1191 DEBUG(5, ("trusted_domains: Could not open a connection to %s "
1192 "for PIPE_NETLOGON (%s)\n",
1193 domain->name, nt_errstr(result)));
1194 return NT_STATUS_UNSUCCESSFUL;
1197 result = rpccli_netr_DsrEnumerateDomainTrusts(cli, mem_ctx,
1198 cli->desthost,
1199 flags,
1200 &trusts,
1201 NULL);
1202 if ( NT_STATUS_IS_OK(result) && trusts.count) {
1204 /* Allocate memory for trusted domain names and sids */
1206 if ( !(*names = TALLOC_ARRAY(mem_ctx, char *, trusts.count)) ) {
1207 DEBUG(0, ("trusted_domains: out of memory\n"));
1208 return NT_STATUS_NO_MEMORY;
1211 if ( !(*alt_names = TALLOC_ARRAY(mem_ctx, char *, trusts.count)) ) {
1212 DEBUG(0, ("trusted_domains: out of memory\n"));
1213 return NT_STATUS_NO_MEMORY;
1216 if ( !(*dom_sids = TALLOC_ARRAY(mem_ctx, DOM_SID, trusts.count)) ) {
1217 DEBUG(0, ("trusted_domains: out of memory\n"));
1218 return NT_STATUS_NO_MEMORY;
1221 /* Copy across names and sids */
1224 ret_count = 0;
1225 for (i = 0; i < trusts.count; i++) {
1226 struct winbindd_domain d;
1228 /* drop external trusts if this is not our primary
1229 domain. This means that the returned number of
1230 domains may be less that the ones actually trusted
1231 by the DC. */
1233 if ( (trusts.array[i].trust_attributes == NETR_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) &&
1234 !domain->primary )
1236 DEBUG(10,("trusted_domains: Skipping external trusted domain "
1237 "%s because it is outside of our primary domain\n",
1238 trusts.array[i].netbios_name));
1239 continue;
1242 (*names)[ret_count] = CONST_DISCARD(char *, trusts.array[i].netbios_name);
1243 (*alt_names)[ret_count] = CONST_DISCARD(char *, trusts.array[i].dns_name);
1244 sid_copy(&(*dom_sids)[ret_count], trusts.array[i].sid);
1246 /* add to the trusted domain cache */
1248 fstrcpy( d.name, trusts.array[i].netbios_name);
1249 fstrcpy( d.alt_name, trusts.array[i].dns_name);
1250 sid_copy( &d.sid, trusts.array[i].sid);
1252 if ( domain->primary ) {
1253 DEBUG(10,("trusted_domains(ads): Searching "
1254 "trusted domain list of %s and storing "
1255 "trust flags for domain %s\n",
1256 domain->name, d.alt_name));
1258 d.domain_flags = trusts.array[i].trust_flags;
1259 d.domain_type = trusts.array[i].trust_type;
1260 d.domain_trust_attribs = trusts.array[i].trust_attributes;
1262 wcache_tdc_add_domain( &d );
1263 ret_count++;
1264 } else if ( (domain->domain_flags&fr_flags) == fr_flags ) {
1265 /* Check if we already have this record. If
1266 * we are following our forest root that is not
1267 * our primary domain, we want to keep trust
1268 * flags from the perspective of our primary
1269 * domain not our forest root. */
1270 struct winbindd_tdc_domain *exist = NULL;
1272 exist =
1273 wcache_tdc_fetch_domain(NULL, trusts.array[i].netbios_name);
1274 if (!exist) {
1275 DEBUG(10,("trusted_domains(ads): Searching "
1276 "trusted domain list of %s and storing "
1277 "trust flags for domain %s\n",
1278 domain->name, d.alt_name));
1279 d.domain_flags = trusts.array[i].trust_flags;
1280 d.domain_type = trusts.array[i].trust_type;
1281 d.domain_trust_attribs = trusts.array[i].trust_attributes;
1283 wcache_tdc_add_domain( &d );
1284 ret_count++;
1286 TALLOC_FREE(exist);
1287 } else {
1288 /* This gets a little tricky. If we are
1289 following a transitive forest trust, then
1290 innerit the flags, type, and attribs from
1291 the domain we queried to make sure we don't
1292 record the view of the trust from the wrong
1293 side. Always view it from the side of our
1294 primary domain. --jerry */
1295 struct winbindd_tdc_domain *parent = NULL;
1297 DEBUG(10,("trusted_domains(ads): Searching "
1298 "trusted domain list of %s and inheriting "
1299 "trust flags for domain %s\n",
1300 domain->name, d.alt_name));
1302 parent = wcache_tdc_fetch_domain(NULL, domain->name);
1303 if (parent) {
1304 d.domain_flags = parent->trust_flags;
1305 d.domain_type = parent->trust_type;
1306 d.domain_trust_attribs = parent->trust_attribs;
1307 } else {
1308 d.domain_flags = domain->domain_flags;
1309 d.domain_type = domain->domain_type;
1310 d.domain_trust_attribs = domain->domain_trust_attribs;
1312 TALLOC_FREE(parent);
1314 wcache_tdc_add_domain( &d );
1315 ret_count++;
1319 *num_domains = ret_count;
1322 return result;
1325 /* the ADS backend methods are exposed via this structure */
1326 struct winbindd_methods ads_methods = {
1327 True,
1328 query_user_list,
1329 enum_dom_groups,
1330 enum_local_groups,
1331 msrpc_name_to_sid,
1332 msrpc_sid_to_name,
1333 msrpc_rids_to_names,
1334 query_user,
1335 lookup_usergroups,
1336 msrpc_lookup_useraliases,
1337 lookup_groupmem,
1338 sequence_number,
1339 msrpc_lockout_policy,
1340 msrpc_password_policy,
1341 trusted_domains,
1344 #endif