search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3-winbindd: Move code for verifying ADS connection to common helper function
[Samba/gebeck_regimport.git] / source3 / winbindd / winbindd_ads.c
blob03cbcf23a3326d822d1af13a261f00a1bd3b2f84
1 /*
2 Unix SMB/CIFS implementation.
3
4 Winbind ADS backend functions
5
6 Copyright (C) Andrew Tridgell 2001
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003
8 Copyright (C) Gerald (Jerry) Carter 2004
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "winbindd.h"
26 #include "rpc_client/rpc_client.h"
27 #include "../librpc/gen_ndr/ndr_netlogon_c.h"
28 #include "../libds/common/flags.h"
29 #include "ads.h"
30 #include "secrets.h"
31 #include "../libcli/ldap/ldap_ndr.h"
32 #include "../libcli/security/security.h"
33 #include "../libds/common/flag_mapping.h"
34 #include "passdb.h"
35
36 #ifdef HAVE_ADS
37
38 #undef DBGC_CLASS
39 #define DBGC_CLASS DBGC_WINBIND
40
41 extern struct winbindd_methods reconnect_methods;
42
43 /**
44 * Check if cached connection can be reused. If the connection cannot
45 * be reused the ADS_STRUCT is freed and the pointer is set to NULL.
46 */
47 void ads_cached_connection_reuse(ADS_STRUCT **adsp)
48 {
49
50 ADS_STRUCT *ads = *adsp;
51
52 if (ads != NULL) {
53 time_t expire;
54 time_t now = time(NULL);
55
56 expire = MIN(ads->auth.tgt_expire, ads->auth.tgs_expire);
57
58 DEBUG(7, ("Current tickets expire in %d seconds (at %d, time "
59 "is now %d)\n", (uint32)expire - (uint32)now,
60 (uint32) expire, (uint32) now));
61
62 if ( ads->config.realm && (expire > now)) {
63 return;
64 } else {
65 /* we own this ADS_STRUCT so make sure it goes away */
66 DEBUG(7,("Deleting expired krb5 credential cache\n"));
67 ads->is_mine = True;
68 ads_destroy( &ads );
69 ads_kdestroy(WINBIND_CCACHE_NAME);
70 *adsp = NULL;
71 }
72 }
73 }
74
75 /*
76 return our ads connections structure for a domain. We keep the connection
77 open to make things faster
78 */
79 static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain)
80 {
81 ADS_STRUCT *ads;
82 ADS_STATUS status;
83 fstring dc_name;
84 struct sockaddr_storage dc_ss;
85
86 DEBUG(10,("ads_cached_connection\n"));
87 ads_cached_connection_reuse((ADS_STRUCT **)&domain->private_data);
88
89 if (domain->private_data) {
90 return (ADS_STRUCT *)domain->private_data;
91 }
92
93 ads = ads_init(domain->alt_name, domain->name, NULL);
94 if (!ads) {
95 DEBUG(1,("ads_init for domain %s failed\n", domain->name));
96 return NULL;
97 }
98
99 /* we don't want ads operations to affect the default ccache */
100 ads->auth.ccache_name = SMB_STRDUP("MEMORY:winbind_ccache");
101
102 /* the machine acct password might have change - fetch it every time */
103
104 SAFE_FREE(ads->auth.password);
105 SAFE_FREE(ads->auth.realm);
106
107 if ( IS_DC ) {
108
109 if ( !pdb_get_trusteddom_pw( domain->name, &ads->auth.password, NULL, NULL ) ) {
110 ads_destroy( &ads );
111 return NULL;
112 }
113 ads->auth.realm = SMB_STRDUP( ads->server.realm );
114 if (!strupper_m( ads->auth.realm )) {
115 ads_destroy( &ads );
116 return NULL;
117 }
118 }
119 else {
120 struct winbindd_domain *our_domain = domain;
121
122 ads->auth.password = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
123
124 /* always give preference to the alt_name in our
125 primary domain if possible */
126
127 if ( !domain->primary )
128 our_domain = find_our_domain();
129
130 if (our_domain->alt_name != NULL) {
131 ads->auth.realm = SMB_STRDUP( our_domain->alt_name );
132 if (!strupper_m( ads->auth.realm )) {
133 ads_destroy( &ads );
134 return NULL;
135 }
136 }
137 else
138 ads->auth.realm = SMB_STRDUP( lp_realm() );
139 }
140
141 ads->auth.renewable = WINBINDD_PAM_AUTH_KRB5_RENEW_TIME;
142
143 /* Setup the server affinity cache. We don't reaally care
144 about the name. Just setup affinity and the KRB5_CONFIG
145 file. */
146
147 get_dc_name( ads->server.workgroup, ads->server.realm, dc_name, &dc_ss );
148
149 status = ads_connect(ads);
150 if (!ADS_ERR_OK(status) || !ads->config.realm) {
151 DEBUG(1,("ads_connect for domain %s failed: %s\n",
152 domain->name, ads_errstr(status)));
153 ads_destroy(&ads);
154
155 /* if we get ECONNREFUSED then it might be a NT4
156 server, fall back to MSRPC */
157 if (status.error_type == ENUM_ADS_ERROR_SYSTEM &&
158 status.err.rc == ECONNREFUSED) {
159 /* 'reconnect_methods' is the MS-RPC backend. */
160 DEBUG(1,("Trying MSRPC methods\n"));
161 domain->backend = &reconnect_methods;
162 }
163 return NULL;
164 }
165
166 /* set the flag that says we don't own the memory even
167 though we do so that ads_destroy() won't destroy the
168 structure we pass back by reference */
169
170 ads->is_mine = False;
171
172 domain->private_data = (void *)ads;
173 return ads;
174 }
175
176
177 /* Query display info for a realm. This is the basic user list fn */
178 static NTSTATUS query_user_list(struct winbindd_domain *domain,
179 TALLOC_CTX *mem_ctx,
180 uint32 *num_entries,
181 struct wbint_userinfo **pinfo)
182 {
183 ADS_STRUCT *ads = NULL;
184 const char *attrs[] = { "*", NULL };
185 int i, count;
186 ADS_STATUS rc;
187 LDAPMessage *res = NULL;
188 LDAPMessage *msg = NULL;
189 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
190
191 *num_entries = 0;
192
193 DEBUG(3,("ads: query_user_list\n"));
194
195 if ( !winbindd_can_contact_domain( domain ) ) {
196 DEBUG(10,("query_user_list: No incoming trust for domain %s\n",
197 domain->name));
198 return NT_STATUS_OK;
199 }
200
201 ads = ads_cached_connection(domain);
202
203 if (!ads) {
204 domain->last_status = NT_STATUS_SERVER_DISABLED;
205 goto done;
206 }
207
208 rc = ads_search_retry(ads, &res, "(objectCategory=user)", attrs);
209 if (!ADS_ERR_OK(rc)) {
210 DEBUG(1,("query_user_list ads_search: %s\n", ads_errstr(rc)));
211 status = ads_ntstatus(rc);
212 } else if (!res) {
213 DEBUG(1,("query_user_list ads_search returned NULL res\n"));
214
215 goto done;
216 }
217
218 count = ads_count_replies(ads, res);
219 if (count == 0) {
220 DEBUG(1,("query_user_list: No users found\n"));
221 goto done;
222 }
223
224 (*pinfo) = talloc_zero_array(mem_ctx, struct wbint_userinfo, count);
225 if (!*pinfo) {
226 status = NT_STATUS_NO_MEMORY;
227 goto done;
228 }
229
230 count = 0;
231
232 for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
233 struct wbint_userinfo *info = &((*pinfo)[count]);
234 uint32 group;
235 uint32 atype;
236
237 if (!ads_pull_uint32(ads, msg, "sAMAccountType", &atype) ||
238 ds_atype_map(atype) != SID_NAME_USER) {
239 DEBUG(1,("Not a user account? atype=0x%x\n", atype));
240 continue;
241 }
242
243 info->acct_name = ads_pull_username(ads, mem_ctx, msg);
244 info->full_name = ads_pull_string(ads, mem_ctx, msg, "name");
245 info->homedir = NULL;
246 info->shell = NULL;
247 info->primary_gid = (gid_t)-1;
248
249 if (!ads_pull_sid(ads, msg, "objectSid",
250 &info->user_sid)) {
251 DEBUG(1, ("No sid for %s !?\n", info->acct_name));
252 continue;
253 }
254
255 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &group)) {
256 DEBUG(1, ("No primary group for %s !?\n",
257 info->acct_name));
258 continue;
259 }
260 sid_compose(&info->group_sid, &domain->sid, group);
261
262 count += 1;
263 }
264
265 (*num_entries) = count;
266 ads_msgfree(ads, res);
267
268 for (i=0; i<count; i++) {
269 struct wbint_userinfo *info = &((*pinfo)[i]);
270 const char *gecos = NULL;
271 gid_t primary_gid = (gid_t)-1;
272
273 status = nss_get_info_cached(domain, &info->user_sid, mem_ctx,
274 &info->homedir, &info->shell,
275 &gecos, &primary_gid);
276 if (!NT_STATUS_IS_OK(status)) {
277 /*
278 * Deliberately ignore this error, there might be more
279 * users to fill
280 */
281 continue;
282 }
283
284 if (gecos != NULL) {
285 info->full_name = gecos;
286 }
287 info->primary_gid = primary_gid;
288 }
289
290 status = NT_STATUS_OK;
291
292 DEBUG(3,("ads query_user_list gave %d entries\n", (*num_entries)));
293
294 done:
295 return status;
296 }
297
298 /* list all domain groups */
299 static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
300 TALLOC_CTX *mem_ctx,
301 uint32 *num_entries,
302 struct wb_acct_info **info)
303 {
304 ADS_STRUCT *ads = NULL;
305 const char *attrs[] = {"userPrincipalName", "sAMAccountName",
306 "name", "objectSid", NULL};
307 int i, count;
308 ADS_STATUS rc;
309 LDAPMessage *res = NULL;
310 LDAPMessage *msg = NULL;
311 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
312 const char *filter;
313 bool enum_dom_local_groups = False;
314
315 *num_entries = 0;
316
317 DEBUG(3,("ads: enum_dom_groups\n"));
318
319 if ( !winbindd_can_contact_domain( domain ) ) {
320 DEBUG(10,("enum_dom_groups: No incoming trust for domain %s\n",
321 domain->name));
322 return NT_STATUS_OK;
323 }
324
325 /* only grab domain local groups for our domain */
326 if ( domain->active_directory && strequal(lp_realm(), domain->alt_name) ) {
327 enum_dom_local_groups = True;
328 }
329
330 /* Workaround ADS LDAP bug present in MS W2K3 SP0 and W2K SP4 w/o
331 * rollup-fixes:
332 *
333 * According to Section 5.1(4) of RFC 2251 if a value of a type is it's
334 * default value, it MUST be absent. In case of extensible matching the
335 * "dnattr" boolean defaults to FALSE and so it must be only be present
336 * when set to TRUE.
337 *
338 * When it is set to FALSE and the OpenLDAP lib (correctly) encodes a
339 * filter using bitwise matching rule then the buggy AD fails to decode
340 * the extensible match. As a workaround set it to TRUE and thereby add
341 * the dnAttributes "dn" field to cope with those older AD versions.
342 * It should not harm and won't put any additional load on the AD since
343 * none of the dn components have a bitmask-attribute.
344 *
345 * Thanks to Ralf Haferkamp for input and testing - Guenther */
346
347 filter = talloc_asprintf(mem_ctx, "(&(objectCategory=group)(&(groupType:dn:%s:=%d)(!(groupType:dn:%s:=%d))))",
348 ADS_LDAP_MATCHING_RULE_BIT_AND, GROUP_TYPE_SECURITY_ENABLED,
349 ADS_LDAP_MATCHING_RULE_BIT_AND,
350 enum_dom_local_groups ? GROUP_TYPE_BUILTIN_LOCAL_GROUP : GROUP_TYPE_RESOURCE_GROUP);
351
352 if (filter == NULL) {
353 status = NT_STATUS_NO_MEMORY;
354 goto done;
355 }
356
357 ads = ads_cached_connection(domain);
358
359 if (!ads) {
360 domain->last_status = NT_STATUS_SERVER_DISABLED;
361 goto done;
362 }
363
364 rc = ads_search_retry(ads, &res, filter, attrs);
365 if (!ADS_ERR_OK(rc)) {
366 status = ads_ntstatus(rc);
367 DEBUG(1,("enum_dom_groups ads_search: %s\n", ads_errstr(rc)));
368 goto done;
369 } else if (!res) {
370 DEBUG(1,("enum_dom_groups ads_search returned NULL res\n"));
371 goto done;
372 }
373
374 count = ads_count_replies(ads, res);
375 if (count == 0) {
376 DEBUG(1,("enum_dom_groups: No groups found\n"));
377 goto done;
378 }
379
380 (*info) = talloc_zero_array(mem_ctx, struct wb_acct_info, count);
381 if (!*info) {
382 status = NT_STATUS_NO_MEMORY;
383 goto done;
384 }
385
386 i = 0;
387
388 for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
389 char *name, *gecos;
390 struct dom_sid sid;
391 uint32 rid;
392
393 name = ads_pull_username(ads, mem_ctx, msg);
394 gecos = ads_pull_string(ads, mem_ctx, msg, "name");
395 if (!ads_pull_sid(ads, msg, "objectSid", &sid)) {
396 DEBUG(1,("No sid for %s !?\n", name));
397 continue;
398 }
399
400 if (!sid_peek_check_rid(&domain->sid, &sid, &rid)) {
401 DEBUG(1,("No rid for %s !?\n", name));
402 continue;
403 }
404
405 fstrcpy((*info)[i].acct_name, name);
406 fstrcpy((*info)[i].acct_desc, gecos);
407 (*info)[i].rid = rid;
408 i++;
409 }
410
411 (*num_entries) = i;
412
413 status = NT_STATUS_OK;
414
415 DEBUG(3,("ads enum_dom_groups gave %d entries\n", (*num_entries)));
416
417 done:
418 if (res)
419 ads_msgfree(ads, res);
420
421 return status;
422 }
423
424 /* list all domain local groups */
425 static NTSTATUS enum_local_groups(struct winbindd_domain *domain,
426 TALLOC_CTX *mem_ctx,
427 uint32 *num_entries,
428 struct wb_acct_info **info)
429 {
430 /*
431 * This is a stub function only as we returned the domain
432 * local groups in enum_dom_groups() if the domain->native field
433 * was true. This is a simple performance optimization when
434 * using LDAP.
435 *
436 * if we ever need to enumerate domain local groups separately,
437 * then this optimization in enum_dom_groups() will need
438 * to be split out
439 */
440 *num_entries = 0;
441
442 return NT_STATUS_OK;
443 }
444
445 /* convert a single name to a sid in a domain - use rpc methods */
446 static NTSTATUS name_to_sid(struct winbindd_domain *domain,
447 TALLOC_CTX *mem_ctx,
448 const char *domain_name,
449 const char *name,
450 uint32_t flags,
451 struct dom_sid *sid,
452 enum lsa_SidType *type)
453 {
454 return reconnect_methods.name_to_sid(domain, mem_ctx,
455 domain_name, name, flags,
456 sid, type);
457 }
458
459 /* convert a domain SID to a user or group name - use rpc methods */
460 static NTSTATUS sid_to_name(struct winbindd_domain *domain,
461 TALLOC_CTX *mem_ctx,
462 const struct dom_sid *sid,
463 char **domain_name,
464 char **name,
465 enum lsa_SidType *type)
466 {
467 return reconnect_methods.sid_to_name(domain, mem_ctx, sid,
468 domain_name, name, type);
469 }
470
471 /* convert a list of rids to names - use rpc methods */
472 static NTSTATUS rids_to_names(struct winbindd_domain *domain,
473 TALLOC_CTX *mem_ctx,
474 const struct dom_sid *sid,
475 uint32 *rids,
476 size_t num_rids,
477 char **domain_name,
478 char ***names,
479 enum lsa_SidType **types)
480 {
481 return reconnect_methods.rids_to_names(domain, mem_ctx, sid,
482 rids, num_rids,
483 domain_name, names, types);
484 }
485
486 /* If you are looking for "dn_lookup": Yes, it used to be here!
487 * It has gone now since it was a major speed bottleneck in
488 * lookup_groupmem (its only use). It has been replaced by
489 * an rpc lookup sids call... R.I.P. */
490
491 /* Lookup user information from a rid */
492 static NTSTATUS query_user(struct winbindd_domain *domain,
493 TALLOC_CTX *mem_ctx,
494 const struct dom_sid *sid,
495 struct wbint_userinfo *info)
496 {
497 ADS_STRUCT *ads = NULL;
498 const char *attrs[] = { "*", NULL };
499 ADS_STATUS rc;
500 int count;
501 LDAPMessage *msg = NULL;
502 char *ldap_exp;
503 char *sidstr;
504 uint32 group_rid;
505 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
506 struct netr_SamInfo3 *user = NULL;
507 gid_t gid = -1;
508 int ret;
509 char *ads_name;
510
511 DEBUG(3,("ads: query_user\n"));
512
513 info->homedir = NULL;
514 info->shell = NULL;
515
516 /* try netsamlogon cache first */
517
518 if ( (user = netsamlogon_cache_get( mem_ctx, sid )) != NULL )
519 {
520 DEBUG(5,("query_user: Cache lookup succeeded for %s\n",
521 sid_string_dbg(sid)));
522
523 sid_compose(&info->user_sid, &domain->sid, user->base.rid);
524 sid_compose(&info->group_sid, &domain->sid, user->base.primary_gid);
525
526 info->acct_name = talloc_strdup(mem_ctx, user->base.account_name.string);
527 info->full_name = talloc_strdup(mem_ctx, user->base.full_name.string);
528
529 nss_get_info_cached( domain, sid, mem_ctx,
530 &info->homedir, &info->shell, &info->full_name,
531 &gid );
532 info->primary_gid = gid;
533
534 TALLOC_FREE(user);
535
536 return NT_STATUS_OK;
537 }
538
539 if ( !winbindd_can_contact_domain(domain)) {
540 DEBUG(8,("query_user: No incoming trust from domain %s\n",
541 domain->name));
542
543 /* We still need to generate some basic information
544 about the user even if we cannot contact the
545 domain. Most of this stuff we can deduce. */
546
547 sid_copy( &info->user_sid, sid );
548
549 /* Assume "Domain Users" for the primary group */
550
551 sid_compose(&info->group_sid, &domain->sid, DOMAIN_RID_USERS );
552
553 /* Try to fill in what the nss_info backend can do */
554
555 nss_get_info_cached( domain, sid, mem_ctx,
556 &info->homedir, &info->shell, &info->full_name,
557 &gid);
558 info->primary_gid = gid;
559
560 return NT_STATUS_OK;
561 }
562
563 /* no cache...do the query */
564
565 if ( (ads = ads_cached_connection(domain)) == NULL ) {
566 domain->last_status = NT_STATUS_SERVER_DISABLED;
567 return NT_STATUS_SERVER_DISABLED;
568 }
569
570 sidstr = ldap_encode_ndr_dom_sid(talloc_tos(), sid);
571
572 ret = asprintf(&ldap_exp, "(objectSid=%s)", sidstr);
573 TALLOC_FREE(sidstr);
574 if (ret == -1) {
575 return NT_STATUS_NO_MEMORY;
576 }
577 rc = ads_search_retry(ads, &msg, ldap_exp, attrs);
578 SAFE_FREE(ldap_exp);
579 if (!ADS_ERR_OK(rc)) {
580 DEBUG(1,("query_user(sid=%s) ads_search: %s\n",
581 sid_string_dbg(sid), ads_errstr(rc)));
582 return ads_ntstatus(rc);
583 } else if (!msg) {
584 DEBUG(1,("query_user(sid=%s) ads_search returned NULL res\n",
585 sid_string_dbg(sid)));
586 return NT_STATUS_INTERNAL_ERROR;
587 }
588
589 count = ads_count_replies(ads, msg);
590 if (count != 1) {
591 DEBUG(1,("query_user(sid=%s): Not found\n",
592 sid_string_dbg(sid)));
593 ads_msgfree(ads, msg);
594 return NT_STATUS_NO_SUCH_USER;
595 }
596
597 info->acct_name = ads_pull_username(ads, mem_ctx, msg);
598
599 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &group_rid)) {
600 DEBUG(1,("No primary group for %s !?\n",
601 sid_string_dbg(sid)));
602 ads_msgfree(ads, msg);
603 return NT_STATUS_NO_SUCH_USER;
604 }
605 sid_copy(&info->user_sid, sid);
606 sid_compose(&info->group_sid, &domain->sid, group_rid);
607
608 /*
609 * We have to fetch the "name" attribute before doing the
610 * nss_get_info_cached call. nss_get_info_cached might destroy
611 * the ads struct, potentially invalidating the ldap message.
612 */
613 ads_name = ads_pull_string(ads, mem_ctx, msg, "name");
614
615 ads_msgfree(ads, msg);
616 msg = NULL;
617
618 status = nss_get_info_cached( domain, sid, mem_ctx,
619 &info->homedir, &info->shell, &info->full_name,
620 &gid);
621 info->primary_gid = gid;
622 if (!NT_STATUS_IS_OK(status)) {
623 DEBUG(1, ("nss_get_info_cached failed: %s\n",
624 nt_errstr(status)));
625 return status;
626 }
627
628 if (info->full_name == NULL) {
629 info->full_name = ads_name;
630 } else {
631 TALLOC_FREE(ads_name);
632 }
633
634 status = NT_STATUS_OK;
635
636 DEBUG(3,("ads query_user gave %s\n", info->acct_name));
637 return NT_STATUS_OK;
638 }
639
640 /* Lookup groups a user is a member of - alternate method, for when
641 tokenGroups are not available. */
642 static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain,
643 TALLOC_CTX *mem_ctx,
644 const char *user_dn,
645 struct dom_sid *primary_group,
646 uint32_t *p_num_groups, struct dom_sid **user_sids)
647 {
648 ADS_STATUS rc;
649 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
650 int count;
651 LDAPMessage *res = NULL;
652 LDAPMessage *msg = NULL;
653 char *ldap_exp;
654 ADS_STRUCT *ads;
655 const char *group_attrs[] = {"objectSid", NULL};
656 char *escaped_dn;
657 uint32_t num_groups = 0;
658
659 DEBUG(3,("ads: lookup_usergroups_member\n"));
660
661 if ( !winbindd_can_contact_domain( domain ) ) {
662 DEBUG(10,("lookup_usergroups_members: No incoming trust for domain %s\n",
663 domain->name));
664 return NT_STATUS_OK;
665 }
666
667 ads = ads_cached_connection(domain);
668
669 if (!ads) {
670 domain->last_status = NT_STATUS_SERVER_DISABLED;
671 goto done;
672 }
673
674 if (!(escaped_dn = escape_ldap_string(talloc_tos(), user_dn))) {
675 status = NT_STATUS_NO_MEMORY;
676 goto done;
677 }
678
679 ldap_exp = talloc_asprintf(mem_ctx,
680 "(&(member=%s)(objectCategory=group)(groupType:dn:%s:=%d))",
681 escaped_dn,
682 ADS_LDAP_MATCHING_RULE_BIT_AND,
683 GROUP_TYPE_SECURITY_ENABLED);
684 if (!ldap_exp) {
685 DEBUG(1,("lookup_usergroups(dn=%s) asprintf failed!\n", user_dn));
686 TALLOC_FREE(escaped_dn);
687 status = NT_STATUS_NO_MEMORY;
688 goto done;
689 }
690
691 TALLOC_FREE(escaped_dn);
692
693 rc = ads_search_retry(ads, &res, ldap_exp, group_attrs);
694
695 if (!ADS_ERR_OK(rc)) {
696 DEBUG(1,("lookup_usergroups ads_search member=%s: %s\n", user_dn, ads_errstr(rc)));
697 return ads_ntstatus(rc);
698 } else if (!res) {
699 DEBUG(1,("lookup_usergroups ads_search returned NULL res\n"));
700 return NT_STATUS_INTERNAL_ERROR;
701 }
702
703
704 count = ads_count_replies(ads, res);
705
706 *user_sids = NULL;
707 num_groups = 0;
708
709 /* always add the primary group to the sid array */
710 status = add_sid_to_array(mem_ctx, primary_group, user_sids,
711 &num_groups);
712 if (!NT_STATUS_IS_OK(status)) {
713 goto done;
714 }
715
716 if (count > 0) {
717 for (msg = ads_first_entry(ads, res); msg;
718 msg = ads_next_entry(ads, msg)) {
719 struct dom_sid group_sid;
720
721 if (!ads_pull_sid(ads, msg, "objectSid", &group_sid)) {
722 DEBUG(1,("No sid for this group ?!?\n"));
723 continue;
724 }
725
726 /* ignore Builtin groups from ADS - Guenther */
727 if (sid_check_is_in_builtin(&group_sid)) {
728 continue;
729 }
730
731 status = add_sid_to_array(mem_ctx, &group_sid,
732 user_sids, &num_groups);
733 if (!NT_STATUS_IS_OK(status)) {
734 goto done;
735 }
736 }
737
738 }
739
740 *p_num_groups = num_groups;
741 status = (user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
742
743 DEBUG(3,("ads lookup_usergroups (member) succeeded for dn=%s\n", user_dn));
744 done:
745 if (res)
746 ads_msgfree(ads, res);
747
748 return status;
749 }
750
751 /* Lookup groups a user is a member of - alternate method, for when
752 tokenGroups are not available. */
753 static NTSTATUS lookup_usergroups_memberof(struct winbindd_domain *domain,
754 TALLOC_CTX *mem_ctx,
755 const char *user_dn,
756 struct dom_sid *primary_group,
757 uint32_t *p_num_groups,
758 struct dom_sid **user_sids)
759 {
760 ADS_STATUS rc;
761 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
762 ADS_STRUCT *ads;
763 const char *attrs[] = {"memberOf", NULL};
764 uint32_t num_groups = 0;
765 struct dom_sid *group_sids = NULL;
766 int i;
767 char **strings = NULL;
768 size_t num_strings = 0, num_sids = 0;
769
770
771 DEBUG(3,("ads: lookup_usergroups_memberof\n"));
772
773 if ( !winbindd_can_contact_domain( domain ) ) {
774 DEBUG(10,("lookup_usergroups_memberof: No incoming trust for "
775 "domain %s\n", domain->name));
776 return NT_STATUS_OK;
777 }
778
779 ads = ads_cached_connection(domain);
780
781 if (!ads) {
782 domain->last_status = NT_STATUS_SERVER_DISABLED;
783 return NT_STATUS_UNSUCCESSFUL;
784 }
785
786 rc = ads_search_retry_extended_dn_ranged(ads, mem_ctx, user_dn, attrs,
787 ADS_EXTENDED_DN_HEX_STRING,
788 &strings, &num_strings);
789
790 if (!ADS_ERR_OK(rc)) {
791 DEBUG(1,("lookup_usergroups_memberof ads_search "
792 "member=%s: %s\n", user_dn, ads_errstr(rc)));
793 return ads_ntstatus(rc);
794 }
795
796 *user_sids = NULL;
797 num_groups = 0;
798
799 /* always add the primary group to the sid array */
800 status = add_sid_to_array(mem_ctx, primary_group, user_sids,
801 &num_groups);
802 if (!NT_STATUS_IS_OK(status)) {
803 goto done;
804 }
805
806 group_sids = talloc_zero_array(mem_ctx, struct dom_sid, num_strings + 1);
807 if (!group_sids) {
808 status = NT_STATUS_NO_MEMORY;
809 goto done;
810 }
811
812 for (i=0; i<num_strings; i++) {
813 rc = ads_get_sid_from_extended_dn(mem_ctx, strings[i],
814 ADS_EXTENDED_DN_HEX_STRING,
815 &(group_sids)[i]);
816 if (!ADS_ERR_OK(rc)) {
817 /* ignore members without SIDs */
818 if (NT_STATUS_EQUAL(ads_ntstatus(rc),
819 NT_STATUS_NOT_FOUND)) {
820 continue;
821 }
822 else {
823 status = ads_ntstatus(rc);
824 goto done;
825 }
826 }
827 num_sids++;
828 }
829
830 if (i == 0) {
831 DEBUG(1,("No memberOf for this user?!?\n"));
832 status = NT_STATUS_NO_MEMORY;
833 goto done;
834 }
835
836 for (i=0; i<num_sids; i++) {
837
838 /* ignore Builtin groups from ADS - Guenther */
839 if (sid_check_is_in_builtin(&group_sids[i])) {
840 continue;
841 }
842
843 status = add_sid_to_array(mem_ctx, &group_sids[i], user_sids,
844 &num_groups);
845 if (!NT_STATUS_IS_OK(status)) {
846 goto done;
847 }
848
849 }
850
851 *p_num_groups = num_groups;
852 status = (*user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
853
854 DEBUG(3,("ads lookup_usergroups (memberof) succeeded for dn=%s\n",
855 user_dn));
856
857 done:
858 TALLOC_FREE(strings);
859 TALLOC_FREE(group_sids);
860
861 return status;
862 }
863
864
865 /* Lookup groups a user is a member of. */
866 static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
867 TALLOC_CTX *mem_ctx,
868 const struct dom_sid *sid,
869 uint32 *p_num_groups, struct dom_sid **user_sids)
870 {
871 ADS_STRUCT *ads = NULL;
872 const char *attrs[] = {"tokenGroups", "primaryGroupID", NULL};
873 ADS_STATUS rc;
874 int count;
875 LDAPMessage *msg = NULL;
876 char *user_dn = NULL;
877 struct dom_sid *sids;
878 int i;
879 struct dom_sid primary_group;
880 uint32 primary_group_rid;
881 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
882 uint32_t num_groups = 0;
883
884 DEBUG(3,("ads: lookup_usergroups\n"));
885 *p_num_groups = 0;
886
887 status = lookup_usergroups_cached(domain, mem_ctx, sid,
888 p_num_groups, user_sids);
889 if (NT_STATUS_IS_OK(status)) {
890 return NT_STATUS_OK;
891 }
892
893 if ( !winbindd_can_contact_domain( domain ) ) {
894 DEBUG(10,("lookup_usergroups: No incoming trust for domain %s\n",
895 domain->name));
896
897 /* Tell the cache manager not to remember this one */
898
899 return NT_STATUS_SYNCHRONIZATION_REQUIRED;
900 }
901
902 ads = ads_cached_connection(domain);
903
904 if (!ads) {
905 domain->last_status = NT_STATUS_SERVER_DISABLED;
906 status = NT_STATUS_SERVER_DISABLED;
907 goto done;
908 }
909
910 rc = ads_search_retry_sid(ads, &msg, sid, attrs);
911
912 if (!ADS_ERR_OK(rc)) {
913 status = ads_ntstatus(rc);
914 DEBUG(1, ("lookup_usergroups(sid=%s) ads_search tokenGroups: "
915 "%s\n", sid_string_dbg(sid), ads_errstr(rc)));
916 goto done;
917 }
918
919 count = ads_count_replies(ads, msg);
920 if (count != 1) {
921 status = NT_STATUS_UNSUCCESSFUL;
922 DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: "
923 "invalid number of results (count=%d)\n",
924 sid_string_dbg(sid), count));
925 goto done;
926 }
927
928 if (!msg) {
929 DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: NULL msg\n",
930 sid_string_dbg(sid)));
931 status = NT_STATUS_UNSUCCESSFUL;
932 goto done;
933 }
934
935 user_dn = ads_get_dn(ads, mem_ctx, msg);
936 if (user_dn == NULL) {
937 status = NT_STATUS_NO_MEMORY;
938 goto done;
939 }
940
941 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &primary_group_rid)) {
942 DEBUG(1,("%s: No primary group for sid=%s !?\n",
943 domain->name, sid_string_dbg(sid)));
944 goto done;
945 }
946
947 sid_compose(&primary_group, &domain->sid, primary_group_rid);
948
949 count = ads_pull_sids(ads, mem_ctx, msg, "tokenGroups", &sids);
950
951 /* there must always be at least one group in the token,
952 unless we are talking to a buggy Win2k server */
953
954 /* actually this only happens when the machine account has no read
955 * permissions on the tokenGroup attribute - gd */
956
957 if (count == 0) {
958
959 /* no tokenGroups */
960
961 /* lookup what groups this user is a member of by DN search on
962 * "memberOf" */
963
964 status = lookup_usergroups_memberof(domain, mem_ctx, user_dn,
965 &primary_group,
966 &num_groups, user_sids);
967 *p_num_groups = num_groups;
968 if (NT_STATUS_IS_OK(status)) {
969 goto done;
970 }
971
972 /* lookup what groups this user is a member of by DN search on
973 * "member" */
974
975 status = lookup_usergroups_member(domain, mem_ctx, user_dn,
976 &primary_group,
977 &num_groups, user_sids);
978 *p_num_groups = num_groups;
979 goto done;
980 }
981
982 *user_sids = NULL;
983 num_groups = 0;
984
985 status = add_sid_to_array(mem_ctx, &primary_group, user_sids,
986 &num_groups);
987 if (!NT_STATUS_IS_OK(status)) {
988 goto done;
989 }
990
991 for (i=0;i<count;i++) {
992
993 /* ignore Builtin groups from ADS - Guenther */
994 if (sid_check_is_in_builtin(&sids[i])) {
995 continue;
996 }
997
998 status = add_sid_to_array_unique(mem_ctx, &sids[i],
999 user_sids, &num_groups);
1000 if (!NT_STATUS_IS_OK(status)) {
1001 goto done;
1002 }
1003 }
1004
1005 *p_num_groups = (uint32)num_groups;
1006 status = (*user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
1007
1008 DEBUG(3,("ads lookup_usergroups (tokenGroups) succeeded for sid=%s\n",
1009 sid_string_dbg(sid)));
1010 done:
1011 TALLOC_FREE(user_dn);
1012 ads_msgfree(ads, msg);
1013 return status;
1014 }
1015
1016 /* Lookup aliases a user is member of - use rpc methods */
1017 static NTSTATUS lookup_useraliases(struct winbindd_domain *domain,
1018 TALLOC_CTX *mem_ctx,
1019 uint32 num_sids, const struct dom_sid *sids,
1020 uint32 *num_aliases, uint32 **alias_rids)
1021 {
1022 return reconnect_methods.lookup_useraliases(domain, mem_ctx,
1023 num_sids, sids,
1024 num_aliases,
1025 alias_rids);
1026 }
1027
1028 /*
1029 find the members of a group, given a group rid and domain
1030 */
1031 static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
1032 TALLOC_CTX *mem_ctx,
1033 const struct dom_sid *group_sid,
1034 enum lsa_SidType type,
1035 uint32 *num_names,
1036 struct dom_sid **sid_mem, char ***names,
1037 uint32 **name_types)
1038 {
1039 ADS_STATUS rc;
1040 ADS_STRUCT *ads = NULL;
1041 char *ldap_exp;
1042 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
1043 char *sidbinstr;
1044 char **members = NULL;
1045 int i;
1046 size_t num_members = 0;
1047 ads_control args;
1048 struct dom_sid *sid_mem_nocache = NULL;
1049 char **names_nocache = NULL;
1050 enum lsa_SidType *name_types_nocache = NULL;
1051 char **domains_nocache = NULL; /* only needed for rpccli_lsa_lookup_sids */
1052 uint32 num_nocache = 0;
1053 TALLOC_CTX *tmp_ctx = NULL;
1054
1055 DEBUG(10,("ads: lookup_groupmem %s sid=%s\n", domain->name,
1056 sid_string_dbg(group_sid)));
1057
1058 *num_names = 0;
1059
1060 tmp_ctx = talloc_new(mem_ctx);
1061 if (!tmp_ctx) {
1062 DEBUG(1, ("ads: lookup_groupmem: talloc failed\n"));
1063 status = NT_STATUS_NO_MEMORY;
1064 goto done;
1065 }
1066
1067 if ( !winbindd_can_contact_domain( domain ) ) {
1068 DEBUG(10,("lookup_groupmem: No incoming trust for domain %s\n",
1069 domain->name));
1070 return NT_STATUS_OK;
1071 }
1072
1073 ads = ads_cached_connection(domain);
1074
1075 if (!ads) {
1076 domain->last_status = NT_STATUS_SERVER_DISABLED;
1077 goto done;
1078 }
1079
1080 if ((sidbinstr = ldap_encode_ndr_dom_sid(talloc_tos(), group_sid)) == NULL) {
1081 status = NT_STATUS_NO_MEMORY;
1082 goto done;
1083 }
1084
1085 /* search for all members of the group */
1086 ldap_exp = talloc_asprintf(tmp_ctx, "(objectSid=%s)", sidbinstr);
1087 TALLOC_FREE(sidbinstr);
1088 if (ldap_exp == NULL) {
1089 DEBUG(1, ("ads: lookup_groupmem: talloc_asprintf for ldap_exp failed!\n"));
1090 status = NT_STATUS_NO_MEMORY;
1091 goto done;
1092 }
1093
1094 args.control = ADS_EXTENDED_DN_OID;
1095 args.val = ADS_EXTENDED_DN_HEX_STRING;
1096 args.critical = True;
1097
1098 rc = ads_ranged_search(ads, tmp_ctx, LDAP_SCOPE_SUBTREE, ads->config.bind_path,
1099 ldap_exp, &args, "member", &members, &num_members);
1100
1101 if (!ADS_ERR_OK(rc)) {
1102 DEBUG(0,("ads_ranged_search failed with: %s\n", ads_errstr(rc)));
1103 status = NT_STATUS_UNSUCCESSFUL;
1104 goto done;
1105 }
1106
1107 DEBUG(10, ("ads lookup_groupmem: got %d sids via extended dn call\n", (int)num_members));
1108
1109 /* Now that we have a list of sids, we need to get the
1110 * lists of names and name_types belonging to these sids.
1111 * even though conceptually not quite clean, we use the
1112 * RPC call lsa_lookup_sids for this since it can handle a
1113 * list of sids. ldap calls can just resolve one sid at a time.
1114 *
1115 * At this stage, the sids are still hidden in the exetended dn
1116 * member output format. We actually do a little better than
1117 * stated above: In extracting the sids from the member strings,
1118 * we try to resolve as many sids as possible from the
1119 * cache. Only the rest is passed to the lsa_lookup_sids call. */
1120
1121 if (num_members) {
1122 (*sid_mem) = talloc_zero_array(mem_ctx, struct dom_sid, num_members);
1123 (*names) = talloc_zero_array(mem_ctx, char *, num_members);
1124 (*name_types) = talloc_zero_array(mem_ctx, uint32, num_members);
1125 (sid_mem_nocache) = talloc_zero_array(tmp_ctx, struct dom_sid, num_members);
1126
1127 if ((members == NULL) || (*sid_mem == NULL) ||
1128 (*names == NULL) || (*name_types == NULL) ||
1129 (sid_mem_nocache == NULL))
1130 {
1131 DEBUG(1, ("ads: lookup_groupmem: talloc failed\n"));
1132 status = NT_STATUS_NO_MEMORY;
1133 goto done;
1134 }
1135 }
1136 else {
1137 (*sid_mem) = NULL;
1138 (*names) = NULL;
1139 (*name_types) = NULL;
1140 }
1141
1142 for (i=0; i<num_members; i++) {
1143 enum lsa_SidType name_type;
1144 char *name, *domain_name;
1145 struct dom_sid sid;
1146
1147 rc = ads_get_sid_from_extended_dn(tmp_ctx, members[i], args.val,
1148 &sid);
1149 if (!ADS_ERR_OK(rc)) {
1150 if (NT_STATUS_EQUAL(ads_ntstatus(rc),
1151 NT_STATUS_NOT_FOUND)) {
1152 /* Group members can be objects, like Exchange
1153 * Public Folders, that don't have a SID. Skip
1154 * them. */
1155 continue;
1156 }
1157 else {
1158 status = ads_ntstatus(rc);
1159 goto done;
1160 }
1161 }
1162 if (lookup_cached_sid(mem_ctx, &sid, &domain_name, &name,
1163 &name_type)) {
1164 DEBUG(10,("ads: lookup_groupmem: got sid %s from "
1165 "cache\n", sid_string_dbg(&sid)));
1166 sid_copy(&(*sid_mem)[*num_names], &sid);
1167 (*names)[*num_names] = fill_domain_username_talloc(
1168 *names,
1169 domain_name,
1170 name,
1171 true);
1172
1173 (*name_types)[*num_names] = name_type;
1174 (*num_names)++;
1175 }
1176 else {
1177 DEBUG(10, ("ads: lookup_groupmem: sid %s not found in "
1178 "cache\n", sid_string_dbg(&sid)));
1179 sid_copy(&(sid_mem_nocache)[num_nocache], &sid);
1180 num_nocache++;
1181 }
1182 }
1183
1184 DEBUG(10, ("ads: lookup_groupmem: %d sids found in cache, "
1185 "%d left for lsa_lookupsids\n", *num_names, num_nocache));
1186
1187 /* handle sids not resolved from cache by lsa_lookup_sids */
1188 if (num_nocache > 0) {
1189
1190 status = winbindd_lookup_sids(tmp_ctx,
1191 domain,
1192 num_nocache,
1193 sid_mem_nocache,
1194 &domains_nocache,
1195 &names_nocache,
1196 &name_types_nocache);
1197
1198 if (!(NT_STATUS_IS_OK(status) ||
1199 NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED) ||
1200 NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)))
1201 {
1202 DEBUG(1, ("lsa_lookupsids call failed with %s "
1203 "- retrying...\n", nt_errstr(status)));
1204
1205 status = winbindd_lookup_sids(tmp_ctx,
1206 domain,
1207 num_nocache,
1208 sid_mem_nocache,
1209 &domains_nocache,
1210 &names_nocache,
1211 &name_types_nocache);
1212 }
1213
1214 if (NT_STATUS_IS_OK(status) ||
1215 NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED))
1216 {
1217 /* Copy the entries over from the "_nocache" arrays
1218 * to the result arrays, skipping the gaps the
1219 * lookup_sids call left. */
1220 for (i=0; i < num_nocache; i++) {
1221 if (((names_nocache)[i] != NULL) &&
1222 ((name_types_nocache)[i] != SID_NAME_UNKNOWN))
1223 {
1224 sid_copy(&(*sid_mem)[*num_names],
1225 &sid_mem_nocache[i]);
1226 (*names)[*num_names] =
1227 fill_domain_username_talloc(
1228 *names,
1229 domains_nocache[i],
1230 names_nocache[i],
1231 true);
1232 (*name_types)[*num_names] = name_types_nocache[i];
1233 (*num_names)++;
1234 }
1235 }
1236 }
1237 else if (NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)) {
1238 DEBUG(10, ("lookup_groupmem: lsa_lookup_sids could "
1239 "not map any SIDs at all.\n"));
1240 /* Don't handle this as an error here.
1241 * There is nothing left to do with respect to the
1242 * overall result... */
1243 }
1244 else if (!NT_STATUS_IS_OK(status)) {
1245 DEBUG(10, ("lookup_groupmem: Error looking up %d "
1246 "sids via rpc_lsa_lookup_sids: %s\n",
1247 (int)num_members, nt_errstr(status)));
1248 goto done;
1249 }
1250 }
1251
1252 status = NT_STATUS_OK;
1253 DEBUG(3,("ads lookup_groupmem for sid=%s succeeded\n",
1254 sid_string_dbg(group_sid)));
1255
1256 done:
1257
1258 TALLOC_FREE(tmp_ctx);
1259
1260 return status;
1261 }
1262
1263 /* find the sequence number for a domain */
1264 static NTSTATUS sequence_number(struct winbindd_domain *domain, uint32 *seq)
1265 {
1266 ADS_STRUCT *ads = NULL;
1267 ADS_STATUS rc;
1268
1269 DEBUG(3,("ads: fetch sequence_number for %s\n", domain->name));
1270
1271 if ( !winbindd_can_contact_domain( domain ) ) {
1272 DEBUG(10,("sequence: No incoming trust for domain %s\n",
1273 domain->name));
1274 *seq = time(NULL);
1275 return NT_STATUS_OK;
1276 }
1277
1278 *seq = DOM_SEQUENCE_NONE;
1279
1280 ads = ads_cached_connection(domain);
1281
1282 if (!ads) {
1283 domain->last_status = NT_STATUS_SERVER_DISABLED;
1284 return NT_STATUS_UNSUCCESSFUL;
1285 }
1286
1287 rc = ads_USN(ads, seq);
1288
1289 if (!ADS_ERR_OK(rc)) {
1290
1291 /* its a dead connection, destroy it */
1292
1293 if (domain->private_data) {
1294 ads = (ADS_STRUCT *)domain->private_data;
1295 ads->is_mine = True;
1296 ads_destroy(&ads);
1297 ads_kdestroy(WINBIND_CCACHE_NAME);
1298 domain->private_data = NULL;
1299 }
1300 }
1301 return ads_ntstatus(rc);
1302 }
1303
1304 /* find the lockout policy of a domain - use rpc methods */
1305 static NTSTATUS lockout_policy(struct winbindd_domain *domain,
1306 TALLOC_CTX *mem_ctx,
1307 struct samr_DomInfo12 *policy)
1308 {
1309 return reconnect_methods.lockout_policy(domain, mem_ctx, policy);
1310 }
1311
1312 /* find the password policy of a domain - use rpc methods */
1313 static NTSTATUS password_policy(struct winbindd_domain *domain,
1314 TALLOC_CTX *mem_ctx,
1315 struct samr_DomInfo1 *policy)
1316 {
1317 return reconnect_methods.password_policy(domain, mem_ctx, policy);
1318 }
1319
1320 /* get a list of trusted domains */
1321 static NTSTATUS trusted_domains(struct winbindd_domain *domain,
1322 TALLOC_CTX *mem_ctx,
1323 struct netr_DomainTrustList *trusts)
1324 {
1325 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1326 WERROR werr;
1327 int i;
1328 uint32 flags;
1329 struct rpc_pipe_client *cli;
1330 int ret_count;
1331 struct dcerpc_binding_handle *b;
1332
1333 DEBUG(3,("ads: trusted_domains\n"));
1334
1335 ZERO_STRUCTP(trusts);
1336
1337 /* If this is our primary domain or a root in our forest,
1338 query for all trusts. If not, then just look for domain
1339 trusts in the target forest */
1340
1341 if (domain->primary || domain_is_forest_root(domain)) {
1342 flags = NETR_TRUST_FLAG_OUTBOUND |
1343 NETR_TRUST_FLAG_INBOUND |
1344 NETR_TRUST_FLAG_IN_FOREST;
1345 } else {
1346 flags = NETR_TRUST_FLAG_IN_FOREST;
1347 }
1348
1349 result = cm_connect_netlogon(domain, &cli);
1350
1351 if (!NT_STATUS_IS_OK(result)) {
1352 DEBUG(5, ("trusted_domains: Could not open a connection to %s "
1353 "for PIPE_NETLOGON (%s)\n",
1354 domain->name, nt_errstr(result)));
1355 return NT_STATUS_UNSUCCESSFUL;
1356 }
1357
1358 b = cli->binding_handle;
1359
1360 result = dcerpc_netr_DsrEnumerateDomainTrusts(b, mem_ctx,
1361 cli->desthost,
1362 flags,
1363 trusts,
1364 &werr);
1365 if (!NT_STATUS_IS_OK(result)) {
1366 return result;
1367 }
1368
1369 if (!W_ERROR_IS_OK(werr)) {
1370 return werror_to_ntstatus(werr);
1371 }
1372 if (trusts->count == 0) {
1373 return NT_STATUS_OK;
1374 }
1375
1376 /* Copy across names and sids */
1377
1378 ret_count = 0;
1379 for (i = 0; i < trusts->count; i++) {
1380 struct netr_DomainTrust *trust = &trusts->array[i];
1381 struct winbindd_domain d;
1382
1383 ZERO_STRUCT(d);
1384
1385 /*
1386 * drop external trusts if this is not our primary
1387 * domain. This means that the returned number of
1388 * domains may be less that the ones actually trusted
1389 * by the DC.
1390 */
1391
1392 if ((trust->trust_attributes
1393 == NETR_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) &&
1394 !domain->primary )
1395 {
1396 DEBUG(10,("trusted_domains: Skipping external trusted "
1397 "domain %s because it is outside of our "
1398 "primary domain\n",
1399 trust->netbios_name));
1400 continue;
1401 }
1402
1403 /* add to the trusted domain cache */
1404
1405 d.name = discard_const_p(char, trust->netbios_name);
1406 d.alt_name = discard_const_p(char, trust->dns_name);
1407
1408 if (trust->sid) {
1409 sid_copy(&d.sid, trust->sid);
1410 } else {
1411 sid_copy(&d.sid, &global_sid_NULL);
1412 }
1413
1414 if ( domain->primary ) {
1415 DEBUG(10,("trusted_domains(ads): Searching "
1416 "trusted domain list of %s and storing "
1417 "trust flags for domain %s\n",
1418 domain->name, d.alt_name));
1419
1420 d.domain_flags = trust->trust_flags;
1421 d.domain_type = trust->trust_type;
1422 d.domain_trust_attribs = trust->trust_attributes;
1423
1424 wcache_tdc_add_domain( &d );
1425 ret_count++;
1426 } else if (domain_is_forest_root(domain)) {
1427 /* Check if we already have this record. If
1428 * we are following our forest root that is not
1429 * our primary domain, we want to keep trust
1430 * flags from the perspective of our primary
1431 * domain not our forest root. */
1432 struct winbindd_tdc_domain *exist = NULL;
1433
1434 exist = wcache_tdc_fetch_domain(
1435 talloc_tos(), trust->netbios_name);
1436 if (!exist) {
1437 DEBUG(10,("trusted_domains(ads): Searching "
1438 "trusted domain list of %s and "
1439 "storing trust flags for domain "
1440 "%s\n", domain->name, d.alt_name));
1441 d.domain_flags = trust->trust_flags;
1442 d.domain_type = trust->trust_type;
1443 d.domain_trust_attribs =
1444 trust->trust_attributes;
1445
1446 wcache_tdc_add_domain( &d );
1447 ret_count++;
1448 }
1449 TALLOC_FREE(exist);
1450 } else {
1451 /* This gets a little tricky. If we are
1452 following a transitive forest trust, then
1453 innerit the flags, type, and attribs from
1454 the domain we queried to make sure we don't
1455 record the view of the trust from the wrong
1456 side. Always view it from the side of our
1457 primary domain. --jerry */
1458 struct winbindd_tdc_domain *parent = NULL;
1459
1460 DEBUG(10,("trusted_domains(ads): Searching "
1461 "trusted domain list of %s and inheriting "
1462 "trust flags for domain %s\n",
1463 domain->name, d.alt_name));
1464
1465 parent = wcache_tdc_fetch_domain(talloc_tos(),
1466 domain->name);
1467 if (parent) {
1468 d.domain_flags = parent->trust_flags;
1469 d.domain_type = parent->trust_type;
1470 d.domain_trust_attribs = parent->trust_attribs;
1471 } else {
1472 d.domain_flags = domain->domain_flags;
1473 d.domain_type = domain->domain_type;
1474 d.domain_trust_attribs =
1475 domain->domain_trust_attribs;
1476 }
1477 TALLOC_FREE(parent);
1478
1479 wcache_tdc_add_domain( &d );
1480 ret_count++;
1481 }
1482 }
1483 return result;
1484 }
1485
1486 /* the ADS backend methods are exposed via this structure */
1487 struct winbindd_methods ads_methods = {
1488 True,
1489 query_user_list,
1490 enum_dom_groups,
1491 enum_local_groups,
1492 name_to_sid,
1493 sid_to_name,
1494 rids_to_names,
1495 query_user,
1496 lookup_usergroups,
1497 lookup_useraliases,
1498 lookup_groupmem,
1499 sequence_number,
1500 lockout_policy,
1501 password_policy,
1502 trusted_domains,
1503 };
1504
1505 #endif
reg import