2 Unix SMB/CIFS implementation.
4 Winbind ADS backend functions
6 Copyright (C) Andrew Tridgell 2001
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003
8 Copyright (C) Gerald (Jerry) Carter 2004
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 2 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program; if not, write to the Free Software
22 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
31 #define DBGC_CLASS DBGC_WINBIND
33 extern struct winbindd_methods reconnect_methods
;
36 return our ads connections structure for a domain. We keep the connection
37 open to make things faster
39 static ADS_STRUCT
*ads_cached_connection(struct winbindd_domain
*domain
)
46 DEBUG(10,("ads_cached_connection\n"));
48 if (domain
->private_data
) {
51 time_t now
= time(NULL
);
53 /* check for a valid structure */
54 ads
= (ADS_STRUCT
*)domain
->private_data
;
56 expire
= MIN(ads
->auth
.tgt_expire
, ads
->auth
.tgs_expire
);
58 DEBUG(7, ("Current tickets expire in %d seconds (at %d, time is now %d)\n",
59 (uint32
)expire
-(uint32
)now
, (uint32
) expire
, (uint32
) now
));
61 if ( ads
->config
.realm
&& (expire
> now
)) {
64 /* we own this ADS_STRUCT so make sure it goes away */
65 DEBUG(7,("Deleting expired krb5 credential cache\n"));
68 ads_kdestroy("MEMORY:winbind_ccache");
69 domain
->private_data
= NULL
;
73 /* we don't want this to affect the users ccache */
74 setenv("KRB5CCNAME", "MEMORY:winbind_ccache", 1);
76 ads
= ads_init(domain
->alt_name
, domain
->name
, NULL
);
78 DEBUG(1,("ads_init for domain %s failed\n", domain
->name
));
82 /* the machine acct password might have change - fetch it every time */
84 SAFE_FREE(ads
->auth
.password
);
85 SAFE_FREE(ads
->auth
.realm
);
91 if ( !pdb_get_trusteddom_pw( domain
->name
, &ads
->auth
.password
, &sid
, &last_set_time
) ) {
95 ads
->auth
.realm
= SMB_STRDUP( ads
->server
.realm
);
96 strupper_m( ads
->auth
.realm
);
99 struct winbindd_domain
*our_domain
= domain
;
101 ads
->auth
.password
= secrets_fetch_machine_password(lp_workgroup(), NULL
, NULL
);
103 /* always give preference to the alt_name in our
104 primary domain if possible */
106 if ( !domain
->primary
)
107 our_domain
= find_our_domain();
109 if ( our_domain
->alt_name
[0] != '\0' ) {
110 ads
->auth
.realm
= SMB_STRDUP( our_domain
->alt_name
);
111 strupper_m( ads
->auth
.realm
);
114 ads
->auth
.realm
= SMB_STRDUP( lp_realm() );
117 ads
->auth
.renewable
= WINBINDD_PAM_AUTH_KRB5_RENEW_TIME
;
119 /* Setup the server affinity cache. We don't reaally care
120 about the name. Just setup affinity and the KRB5_CONFIG
123 get_dc_name( ads
->server
.workgroup
, ads
->server
.realm
, dc_name
, &dc_ip
);
125 status
= ads_connect(ads
);
126 if (!ADS_ERR_OK(status
) || !ads
->config
.realm
) {
127 DEBUG(1,("ads_connect for domain %s failed: %s\n",
128 domain
->name
, ads_errstr(status
)));
131 /* if we get ECONNREFUSED then it might be a NT4
132 server, fall back to MSRPC */
133 if (status
.error_type
== ENUM_ADS_ERROR_SYSTEM
&&
134 status
.err
.rc
== ECONNREFUSED
) {
135 /* 'reconnect_methods' is the MS-RPC backend. */
136 DEBUG(1,("Trying MSRPC methods\n"));
137 domain
->backend
= &reconnect_methods
;
142 /* set the flag that says we don't own the memory even
143 though we do so that ads_destroy() won't destroy the
144 structure we pass back by reference */
146 ads
->is_mine
= False
;
148 domain
->private_data
= (void *)ads
;
153 /* Query display info for a realm. This is the basic user list fn */
154 static NTSTATUS
query_user_list(struct winbindd_domain
*domain
,
157 WINBIND_USERINFO
**info
)
159 ADS_STRUCT
*ads
= NULL
;
160 const char *attrs
[] = { "*", NULL
};
163 LDAPMessage
*res
= NULL
;
164 LDAPMessage
*msg
= NULL
;
165 NTSTATUS status
= NT_STATUS_UNSUCCESSFUL
;
169 DEBUG(3,("ads: query_user_list\n"));
171 ads
= ads_cached_connection(domain
);
174 domain
->last_status
= NT_STATUS_SERVER_DISABLED
;
178 rc
= ads_search_retry(ads
, &res
, "(objectCategory=user)", attrs
);
179 if (!ADS_ERR_OK(rc
) || !res
) {
180 DEBUG(1,("query_user_list ads_search: %s\n", ads_errstr(rc
)));
184 count
= ads_count_replies(ads
, res
);
186 DEBUG(1,("query_user_list: No users found\n"));
190 (*info
) = TALLOC_ZERO_ARRAY(mem_ctx
, WINBIND_USERINFO
, count
);
192 status
= NT_STATUS_NO_MEMORY
;
198 for (msg
= ads_first_entry(ads
, res
); msg
; msg
= ads_next_entry(ads
, msg
)) {
199 char *name
, *gecos
= NULL
;
200 char *homedir
= NULL
;
205 gid_t primary_gid
= (gid_t
)-1;
207 if (!ads_pull_uint32(ads
, msg
, "sAMAccountType", &atype
) ||
208 ads_atype_map(atype
) != SID_NAME_USER
) {
209 DEBUG(1,("Not a user account? atype=0x%x\n", atype
));
213 name
= ads_pull_username(ads
, mem_ctx
, msg
);
215 if ( ads_pull_sid( ads
, msg
, "objectSid", &user_sid
) ) {
216 status
= nss_get_info( domain
->name
, &user_sid
, mem_ctx
,
217 ads
, msg
, &homedir
, &shell
, &gecos
,
222 gecos
= ads_pull_string(ads
, mem_ctx
, msg
, "name");
225 if (!ads_pull_sid(ads
, msg
, "objectSid",
226 &(*info
)[i
].user_sid
)) {
227 DEBUG(1,("No sid for %s !?\n", name
));
230 if (!ads_pull_uint32(ads
, msg
, "primaryGroupID", &group
)) {
231 DEBUG(1,("No primary group for %s !?\n", name
));
235 (*info
)[i
].acct_name
= name
;
236 (*info
)[i
].full_name
= gecos
;
237 (*info
)[i
].homedir
= homedir
;
238 (*info
)[i
].shell
= shell
;
239 (*info
)[i
].primary_gid
= primary_gid
;
240 sid_compose(&(*info
)[i
].group_sid
, &domain
->sid
, group
);
245 status
= NT_STATUS_OK
;
247 DEBUG(3,("ads query_user_list gave %d entries\n", (*num_entries
)));
251 ads_msgfree(ads
, res
);
256 /* list all domain groups */
257 static NTSTATUS
enum_dom_groups(struct winbindd_domain
*domain
,
260 struct acct_info
**info
)
262 ADS_STRUCT
*ads
= NULL
;
263 const char *attrs
[] = {"userPrincipalName", "sAMAccountName",
264 "name", "objectSid", NULL
};
267 LDAPMessage
*res
= NULL
;
268 LDAPMessage
*msg
= NULL
;
269 NTSTATUS status
= NT_STATUS_UNSUCCESSFUL
;
271 BOOL enum_dom_local_groups
= False
;
275 DEBUG(3,("ads: enum_dom_groups\n"));
277 /* only grab domain local groups for our domain */
278 if ( domain
->native_mode
&& strequal(lp_realm(), domain
->alt_name
) ) {
279 enum_dom_local_groups
= True
;
282 /* Workaround ADS LDAP bug present in MS W2K3 SP0 and W2K SP4 w/o
285 * According to Section 5.1(4) of RFC 2251 if a value of a type is it's
286 * default value, it MUST be absent. In case of extensible matching the
287 * "dnattr" boolean defaults to FALSE and so it must be only be present
290 * When it is set to FALSE and the OpenLDAP lib (correctly) encodes a
291 * filter using bitwise matching rule then the buggy AD fails to decode
292 * the extensible match. As a workaround set it to TRUE and thereby add
293 * the dnAttributes "dn" field to cope with those older AD versions.
294 * It should not harm and won't put any additional load on the AD since
295 * none of the dn components have a bitmask-attribute.
297 * Thanks to Ralf Haferkamp for input and testing - Guenther */
299 filter
= talloc_asprintf(mem_ctx
, "(&(objectCategory=group)(&(groupType:dn:%s:=%d)(!(groupType:dn:%s:=%d))))",
300 ADS_LDAP_MATCHING_RULE_BIT_AND
, GROUP_TYPE_SECURITY_ENABLED
,
301 ADS_LDAP_MATCHING_RULE_BIT_AND
,
302 enum_dom_local_groups
? GROUP_TYPE_BUILTIN_LOCAL_GROUP
: GROUP_TYPE_RESOURCE_GROUP
);
304 if (filter
== NULL
) {
305 status
= NT_STATUS_NO_MEMORY
;
309 ads
= ads_cached_connection(domain
);
312 domain
->last_status
= NT_STATUS_SERVER_DISABLED
;
316 rc
= ads_search_retry(ads
, &res
, filter
, attrs
);
317 if (!ADS_ERR_OK(rc
) || !res
) {
318 DEBUG(1,("enum_dom_groups ads_search: %s\n", ads_errstr(rc
)));
322 count
= ads_count_replies(ads
, res
);
324 DEBUG(1,("enum_dom_groups: No groups found\n"));
328 (*info
) = TALLOC_ZERO_ARRAY(mem_ctx
, struct acct_info
, count
);
330 status
= NT_STATUS_NO_MEMORY
;
336 for (msg
= ads_first_entry(ads
, res
); msg
; msg
= ads_next_entry(ads
, msg
)) {
341 name
= ads_pull_username(ads
, mem_ctx
, msg
);
342 gecos
= ads_pull_string(ads
, mem_ctx
, msg
, "name");
343 if (!ads_pull_sid(ads
, msg
, "objectSid", &sid
)) {
344 DEBUG(1,("No sid for %s !?\n", name
));
348 if (!sid_peek_check_rid(&domain
->sid
, &sid
, &rid
)) {
349 DEBUG(1,("No rid for %s !?\n", name
));
353 fstrcpy((*info
)[i
].acct_name
, name
);
354 fstrcpy((*info
)[i
].acct_desc
, gecos
);
355 (*info
)[i
].rid
= rid
;
361 status
= NT_STATUS_OK
;
363 DEBUG(3,("ads enum_dom_groups gave %d entries\n", (*num_entries
)));
367 ads_msgfree(ads
, res
);
372 /* list all domain local groups */
373 static NTSTATUS
enum_local_groups(struct winbindd_domain
*domain
,
376 struct acct_info
**info
)
379 * This is a stub function only as we returned the domain
380 * local groups in enum_dom_groups() if the domain->native field
381 * was true. This is a simple performance optimization when
384 * if we ever need to enumerate domain local groups separately,
385 * then this the optimization in enum_dom_groups() will need
393 /* convert a DN to a name, SID and name type
394 this might become a major speed bottleneck if groups have
395 lots of users, in which case we could cache the results
397 static BOOL
dn_lookup(ADS_STRUCT
*ads
, TALLOC_CTX
*mem_ctx
,
399 char **name
, uint32
*name_type
, DOM_SID
*sid
)
401 LDAPMessage
*res
= NULL
;
402 const char *attrs
[] = {"userPrincipalName", "sAMAccountName",
403 "objectSid", "sAMAccountType", NULL
};
406 DEBUG(3,("ads: dn_lookup\n"));
408 rc
= ads_search_retry_dn(ads
, &res
, dn
, attrs
);
410 if (!ADS_ERR_OK(rc
) || !res
) {
414 (*name
) = ads_pull_username(ads
, mem_ctx
, res
);
416 if (!ads_pull_uint32(ads
, res
, "sAMAccountType", &atype
)) {
419 (*name_type
) = ads_atype_map(atype
);
421 if (!ads_pull_sid(ads
, res
, "objectSid", sid
)) {
426 ads_msgfree(ads
, res
);
432 ads_msgfree(ads
, res
);
437 /* Lookup user information from a rid */
438 static NTSTATUS
query_user(struct winbindd_domain
*domain
,
441 WINBIND_USERINFO
*info
)
443 ADS_STRUCT
*ads
= NULL
;
444 const char *attrs
[] = { "*", NULL
};
447 LDAPMessage
*msg
= NULL
;
451 NTSTATUS status
= NT_STATUS_UNSUCCESSFUL
;
453 DEBUG(3,("ads: query_user\n"));
455 if ( (ads
= ads_cached_connection(domain
)) == NULL
) {
456 domain
->last_status
= NT_STATUS_SERVER_DISABLED
;
460 sidstr
= sid_binstring(sid
);
461 asprintf(&ldap_exp
, "(objectSid=%s)", sidstr
);
462 rc
= ads_search_retry(ads
, &msg
, ldap_exp
, attrs
);
465 if (!ADS_ERR_OK(rc
) || !msg
) {
466 DEBUG(1,("query_user(sid=%s) ads_search: %s\n",
467 sid_string_static(sid
), ads_errstr(rc
)));
471 count
= ads_count_replies(ads
, msg
);
473 DEBUG(1,("query_user(sid=%s): Not found\n",
474 sid_string_static(sid
)));
478 info
->acct_name
= ads_pull_username(ads
, mem_ctx
, msg
);
480 info
->primary_gid
= (gid_t
)-1;
481 nss_get_info( domain
->name
, sid
, mem_ctx
, ads
, msg
,
482 &info
->homedir
, &info
->shell
, &info
->full_name
, &info
->primary_gid
);
484 if (info
->full_name
== NULL
) {
485 info
->full_name
= ads_pull_string(ads
, mem_ctx
, msg
, "name");
488 if (!ads_pull_uint32(ads
, msg
, "primaryGroupID", &group_rid
)) {
489 DEBUG(1,("No primary group for %s !?\n",
490 sid_string_static(sid
)));
494 sid_copy(&info
->user_sid
, sid
);
495 sid_compose(&info
->group_sid
, &domain
->sid
, group_rid
);
497 status
= NT_STATUS_OK
;
499 DEBUG(3,("ads query_user gave %s\n", info
->acct_name
));
502 ads_msgfree(ads
, msg
);
507 /* Lookup groups a user is a member of - alternate method, for when
508 tokenGroups are not available. */
509 static NTSTATUS
lookup_usergroups_member(struct winbindd_domain
*domain
,
512 DOM_SID
*primary_group
,
513 size_t *p_num_groups
, DOM_SID
**user_sids
)
516 NTSTATUS status
= NT_STATUS_UNSUCCESSFUL
;
518 LDAPMessage
*res
= NULL
;
519 LDAPMessage
*msg
= NULL
;
522 const char *group_attrs
[] = {"objectSid", NULL
};
524 size_t num_groups
= 0;
526 DEBUG(3,("ads: lookup_usergroups_member\n"));
528 ads
= ads_cached_connection(domain
);
531 domain
->last_status
= NT_STATUS_SERVER_DISABLED
;
535 if (!(escaped_dn
= escape_ldap_string_alloc(user_dn
))) {
536 status
= NT_STATUS_NO_MEMORY
;
540 if (!(ldap_exp
= talloc_asprintf(mem_ctx
, "(&(member=%s)(objectCategory=group))", escaped_dn
))) {
541 DEBUG(1,("lookup_usergroups(dn=%s) asprintf failed!\n", user_dn
));
542 SAFE_FREE(escaped_dn
);
543 status
= NT_STATUS_NO_MEMORY
;
547 SAFE_FREE(escaped_dn
);
549 rc
= ads_search_retry(ads
, &res
, ldap_exp
, group_attrs
);
551 if (!ADS_ERR_OK(rc
) || !res
) {
552 DEBUG(1,("lookup_usergroups ads_search member=%s: %s\n", user_dn
, ads_errstr(rc
)));
553 return ads_ntstatus(rc
);
556 count
= ads_count_replies(ads
, res
);
561 /* always add the primary group to the sid array */
562 if (!add_sid_to_array(mem_ctx
, primary_group
, user_sids
, &num_groups
)) {
563 status
= NT_STATUS_NO_MEMORY
;
568 for (msg
= ads_first_entry(ads
, res
); msg
;
569 msg
= ads_next_entry(ads
, msg
)) {
572 if (!ads_pull_sid(ads
, msg
, "objectSid", &group_sid
)) {
573 DEBUG(1,("No sid for this group ?!?\n"));
577 /* ignore Builtin groups from ADS - Guenther */
578 if (sid_check_is_in_builtin(&group_sid
)) {
582 if (!add_sid_to_array(mem_ctx
, &group_sid
, user_sids
,
584 status
= NT_STATUS_NO_MEMORY
;
591 *p_num_groups
= num_groups
;
592 status
= (user_sids
!= NULL
) ? NT_STATUS_OK
: NT_STATUS_NO_MEMORY
;
594 DEBUG(3,("ads lookup_usergroups (member) succeeded for dn=%s\n", user_dn
));
597 ads_msgfree(ads
, res
);
602 /* Lookup groups a user is a member of - alternate method, for when
603 tokenGroups are not available. */
604 static NTSTATUS
lookup_usergroups_memberof(struct winbindd_domain
*domain
,
607 DOM_SID
*primary_group
,
608 size_t *p_num_groups
, DOM_SID
**user_sids
)
611 NTSTATUS status
= NT_STATUS_UNSUCCESSFUL
;
613 LDAPMessage
*res
= NULL
;
615 const char *attrs
[] = {"memberOf", NULL
};
616 size_t num_groups
= 0;
617 DOM_SID
*group_sids
= NULL
;
620 DEBUG(3,("ads: lookup_usergroups_memberof\n"));
622 ads
= ads_cached_connection(domain
);
625 domain
->last_status
= NT_STATUS_SERVER_DISABLED
;
629 rc
= ads_search_retry_extended_dn(ads
, &res
, user_dn
, attrs
,
630 ADS_EXTENDED_DN_HEX_STRING
);
632 if (!ADS_ERR_OK(rc
) || !res
) {
633 DEBUG(1,("lookup_usergroups_memberof ads_search member=%s: %s\n",
634 user_dn
, ads_errstr(rc
)));
635 return ads_ntstatus(rc
);
638 count
= ads_count_replies(ads
, res
);
641 status
= NT_STATUS_NO_SUCH_USER
;
648 /* always add the primary group to the sid array */
649 if (!add_sid_to_array(mem_ctx
, primary_group
, user_sids
, &num_groups
)) {
650 status
= NT_STATUS_NO_MEMORY
;
654 count
= ads_pull_sids_from_extendeddn(ads
, mem_ctx
, res
, "memberOf",
655 ADS_EXTENDED_DN_HEX_STRING
,
658 DEBUG(1,("No memberOf for this user?!?\n"));
659 status
= NT_STATUS_NO_MEMORY
;
663 for (i
=0; i
<count
; i
++) {
665 /* ignore Builtin groups from ADS - Guenther */
666 if (sid_check_is_in_builtin(&group_sids
[i
])) {
670 if (!add_sid_to_array(mem_ctx
, &group_sids
[i
], user_sids
,
672 status
= NT_STATUS_NO_MEMORY
;
678 *p_num_groups
= num_groups
;
679 status
= (*user_sids
!= NULL
) ? NT_STATUS_OK
: NT_STATUS_NO_MEMORY
;
681 DEBUG(3,("ads lookup_usergroups (memberof) succeeded for dn=%s\n", user_dn
));
683 TALLOC_FREE(group_sids
);
685 ads_msgfree(ads
, res
);
691 /* Lookup groups a user is a member of. */
692 static NTSTATUS
lookup_usergroups(struct winbindd_domain
*domain
,
695 uint32
*p_num_groups
, DOM_SID
**user_sids
)
697 ADS_STRUCT
*ads
= NULL
;
698 const char *attrs
[] = {"tokenGroups", "primaryGroupID", NULL
};
701 LDAPMessage
*msg
= NULL
;
702 char *user_dn
= NULL
;
705 DOM_SID primary_group
;
706 uint32 primary_group_rid
;
708 NTSTATUS status
= NT_STATUS_UNSUCCESSFUL
;
709 size_t num_groups
= 0;
711 DEBUG(3,("ads: lookup_usergroups\n"));
714 status
= lookup_usergroups_cached(domain
, mem_ctx
, sid
,
715 p_num_groups
, user_sids
);
716 if (NT_STATUS_IS_OK(status
)) {
720 ads
= ads_cached_connection(domain
);
723 domain
->last_status
= NT_STATUS_SERVER_DISABLED
;
724 status
= NT_STATUS_SERVER_DISABLED
;
728 rc
= ads_search_retry_sid(ads
, &msg
, sid
, attrs
);
730 if (!ADS_ERR_OK(rc
)) {
731 status
= ads_ntstatus(rc
);
732 DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: %s\n",
733 sid_to_string(sid_string
, sid
), ads_errstr(rc
)));
737 count
= ads_count_replies(ads
, msg
);
739 status
= NT_STATUS_UNSUCCESSFUL
;
740 DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: "
741 "invalid number of results (count=%d)\n",
742 sid_to_string(sid_string
, sid
), count
));
747 DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: NULL msg\n",
748 sid_to_string(sid_string
, sid
)));
749 status
= NT_STATUS_UNSUCCESSFUL
;
753 user_dn
= ads_get_dn(ads
, msg
);
754 if (user_dn
== NULL
) {
755 status
= NT_STATUS_NO_MEMORY
;
759 if (!ads_pull_uint32(ads
, msg
, "primaryGroupID", &primary_group_rid
)) {
760 DEBUG(1,("%s: No primary group for sid=%s !?\n",
761 domain
->name
, sid_to_string(sid_string
, sid
)));
765 sid_copy(&primary_group
, &domain
->sid
);
766 sid_append_rid(&primary_group
, primary_group_rid
);
768 count
= ads_pull_sids(ads
, mem_ctx
, msg
, "tokenGroups", &sids
);
770 /* there must always be at least one group in the token,
771 unless we are talking to a buggy Win2k server */
773 /* actually this only happens when the machine account has no read
774 * permissions on the tokenGroup attribute - gd */
780 /* lookup what groups this user is a member of by DN search on
783 status
= lookup_usergroups_memberof(domain
, mem_ctx
, user_dn
,
785 &num_groups
, user_sids
);
786 *p_num_groups
= (uint32
)num_groups
;
787 if (NT_STATUS_IS_OK(status
)) {
791 /* lookup what groups this user is a member of by DN search on
794 status
= lookup_usergroups_member(domain
, mem_ctx
, user_dn
,
796 &num_groups
, user_sids
);
797 *p_num_groups
= (uint32
)num_groups
;
804 if (!add_sid_to_array(mem_ctx
, &primary_group
, user_sids
, &num_groups
)) {
805 status
= NT_STATUS_NO_MEMORY
;
809 for (i
=0;i
<count
;i
++) {
811 /* ignore Builtin groups from ADS - Guenther */
812 if (sid_check_is_in_builtin(&sids
[i
])) {
816 if (!add_sid_to_array_unique(mem_ctx
, &sids
[i
],
817 user_sids
, &num_groups
)) {
818 status
= NT_STATUS_NO_MEMORY
;
823 *p_num_groups
= (uint32
)num_groups
;
824 status
= (*user_sids
!= NULL
) ? NT_STATUS_OK
: NT_STATUS_NO_MEMORY
;
826 DEBUG(3,("ads lookup_usergroups (tokenGroups) succeeded for sid=%s\n",
827 sid_to_string(sid_string
, sid
)));
829 ads_memfree(ads
, user_dn
);
830 ads_msgfree(ads
, msg
);
835 find the members of a group, given a group rid and domain
837 static NTSTATUS
lookup_groupmem(struct winbindd_domain
*domain
,
839 const DOM_SID
*group_sid
, uint32
*num_names
,
840 DOM_SID
**sid_mem
, char ***names
,
845 LDAPMessage
*res
=NULL
;
846 ADS_STRUCT
*ads
= NULL
;
848 NTSTATUS status
= NT_STATUS_UNSUCCESSFUL
;
860 DEBUG(10,("ads: lookup_groupmem %s sid=%s\n", domain
->name
,
861 sid_string_static(group_sid
)));
865 ads
= ads_cached_connection(domain
);
868 domain
->last_status
= NT_STATUS_SERVER_DISABLED
;
872 if ((sidstr
= sid_binstring(group_sid
)) == NULL
) {
873 status
= NT_STATUS_NO_MEMORY
;
877 /* search for all members of the group */
878 if (!(ldap_exp
= talloc_asprintf(mem_ctx
, "(objectSid=%s)",sidstr
))) {
880 DEBUG(1, ("ads: lookup_groupmem: tallloc_asprintf for ldap_exp failed!\n"));
881 status
= NT_STATUS_NO_MEMORY
;
889 if ((attrs
= TALLOC_ARRAY(mem_ctx
, const char *, 3)) == NULL
) {
890 status
= NT_STATUS_NO_MEMORY
;
894 attrs
[1] = talloc_strdup(mem_ctx
, "usnChanged");
898 if (num_members
== 0)
899 attrs
[0] = talloc_strdup(mem_ctx
, "member");
901 DEBUG(10, ("Searching for attrs[0] = %s, attrs[1] = %s\n", attrs
[0], attrs
[1]));
903 rc
= ads_search_retry(ads
, &res
, ldap_exp
, attrs
);
905 if (!ADS_ERR_OK(rc
) || !res
) {
906 DEBUG(1,("ads: lookup_groupmem ads_search: %s\n",
908 status
= ads_ntstatus(rc
);
912 count
= ads_count_replies(ads
, res
);
916 if (num_members
== 0) {
917 if (!ads_pull_uint32(ads
, res
, "usnChanged", &first_usn
)) {
918 DEBUG(1, ("ads: lookup_groupmem could not pull usnChanged!\n"));
923 if (!ads_pull_uint32(ads
, res
, "usnChanged", ¤t_usn
)) {
924 DEBUG(1, ("ads: lookup_groupmem could not pull usnChanged!\n"));
928 if (first_usn
!= current_usn
) {
929 DEBUG(5, ("ads: lookup_groupmem USN on this record changed"
930 " - restarting search\n"));
931 if (num_retries
< 5) {
934 ads_msgfree(ads
, res
);
938 DEBUG(5, ("ads: lookup_groupmem USN on this record changed"
939 " - restarted search too many times, aborting!\n"));
940 status
= NT_STATUS_UNSUCCESSFUL
;
945 members
= ads_pull_strings_range(ads
, mem_ctx
, res
,
952 ads_msgfree(ads
, res
);
955 if ((members
== NULL
) || (num_members
== 0))
958 } while (more_values
);
960 /* now we need to turn a list of members into rids, names and name types
961 the problem is that the members are in the form of distinguised names
964 (*sid_mem
) = TALLOC_ZERO_ARRAY(mem_ctx
, DOM_SID
, num_members
);
965 (*name_types
) = TALLOC_ZERO_ARRAY(mem_ctx
, uint32
, num_members
);
966 (*names
) = TALLOC_ZERO_ARRAY(mem_ctx
, char *, num_members
);
968 if ((num_members
!= 0) &&
969 ((members
== NULL
) || (*sid_mem
== NULL
) ||
970 (*name_types
== NULL
) || (*names
== NULL
))) {
971 DEBUG(1, ("talloc failed\n"));
972 status
= NT_STATUS_NO_MEMORY
;
976 for (i
=0;i
<num_members
;i
++) {
981 if (dn_lookup(ads
, mem_ctx
, members
[i
], &name
, &name_type
, &sid
)) {
982 (*names
)[*num_names
] = name
;
983 (*name_types
)[*num_names
] = name_type
;
984 sid_copy(&(*sid_mem
)[*num_names
], &sid
);
989 status
= NT_STATUS_OK
;
990 DEBUG(3,("ads lookup_groupmem for sid=%s\n", sid_to_string(sid_string
, group_sid
)));
994 ads_msgfree(ads
, res
);
999 /* find the sequence number for a domain */
1000 static NTSTATUS
sequence_number(struct winbindd_domain
*domain
, uint32
*seq
)
1002 ADS_STRUCT
*ads
= NULL
;
1005 DEBUG(3,("ads: fetch sequence_number for %s\n", domain
->name
));
1007 *seq
= DOM_SEQUENCE_NONE
;
1009 ads
= ads_cached_connection(domain
);
1012 domain
->last_status
= NT_STATUS_SERVER_DISABLED
;
1013 return NT_STATUS_UNSUCCESSFUL
;
1016 rc
= ads_USN(ads
, seq
);
1018 if (!ADS_ERR_OK(rc
)) {
1020 /* its a dead connection, destroy it */
1022 if (domain
->private_data
) {
1023 ads
= (ADS_STRUCT
*)domain
->private_data
;
1024 ads
->is_mine
= True
;
1026 ads_kdestroy("MEMORY:winbind_ccache");
1027 domain
->private_data
= NULL
;
1030 return ads_ntstatus(rc
);
1033 /* get a list of trusted domains */
1034 static NTSTATUS
trusted_domains(struct winbindd_domain
*domain
,
1035 TALLOC_CTX
*mem_ctx
,
1036 uint32
*num_domains
,
1041 NTSTATUS result
= NT_STATUS_UNSUCCESSFUL
;
1042 struct ds_domain_trust
*domains
= NULL
;
1045 uint32 flags
= DS_DOMAIN_IN_FOREST
| DS_DOMAIN_DIRECT_OUTBOUND
;
1046 struct rpc_pipe_client
*cli
;
1048 DEBUG(3,("ads: trusted_domains\n"));
1055 result
= cm_connect_netlogon(domain
, &cli
);
1057 if (!NT_STATUS_IS_OK(result
)) {
1058 DEBUG(5, ("trusted_domains: Could not open a connection to %s "
1059 "for PIPE_NETLOGON (%s)\n",
1060 domain
->name
, nt_errstr(result
)));
1061 return NT_STATUS_UNSUCCESSFUL
;
1064 if ( NT_STATUS_IS_OK(result
) ) {
1065 result
= rpccli_ds_enum_domain_trusts(cli
, mem_ctx
,
1068 (unsigned int *)&count
);
1071 if ( NT_STATUS_IS_OK(result
) && count
) {
1073 /* Allocate memory for trusted domain names and sids */
1075 if ( !(*names
= TALLOC_ARRAY(mem_ctx
, char *, count
)) ) {
1076 DEBUG(0, ("trusted_domains: out of memory\n"));
1077 return NT_STATUS_NO_MEMORY
;
1080 if ( !(*alt_names
= TALLOC_ARRAY(mem_ctx
, char *, count
)) ) {
1081 DEBUG(0, ("trusted_domains: out of memory\n"));
1082 return NT_STATUS_NO_MEMORY
;
1085 if ( !(*dom_sids
= TALLOC_ARRAY(mem_ctx
, DOM_SID
, count
)) ) {
1086 DEBUG(0, ("trusted_domains: out of memory\n"));
1087 return NT_STATUS_NO_MEMORY
;
1090 /* Copy across names and sids */
1092 for (i
= 0; i
< count
; i
++) {
1093 (*names
)[i
] = domains
[i
].netbios_domain
;
1094 (*alt_names
)[i
] = domains
[i
].dns_domain
;
1096 sid_copy(&(*dom_sids
)[i
], &domains
[i
].sid
);
1099 *num_domains
= count
;
1105 /* the ADS backend methods are exposed via this structure */
1106 struct winbindd_methods ads_methods
= {
1113 msrpc_rids_to_names
,
1116 msrpc_lookup_useraliases
,
1119 msrpc_lockout_policy
,
1120 msrpc_password_policy
,