2 Unix SMB/CIFS implementation.
4 Winbind ADS backend functions
6 Copyright (C) Andrew Tridgell 2001
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003
8 Copyright (C) Gerald (Jerry) Carter 2004
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
26 #include "rpc_client/rpc_client.h"
27 #include "../librpc/gen_ndr/ndr_netlogon_c.h"
28 #include "../libds/common/flags.h"
31 #include "../libcli/ldap/ldap_ndr.h"
32 #include "../libcli/security/security.h"
33 #include "../libds/common/flag_mapping.h"
39 #define DBGC_CLASS DBGC_WINBIND
41 extern struct winbindd_methods reconnect_methods
;
44 * Check if cached connection can be reused. If the connection cannot
45 * be reused the ADS_STRUCT is freed and the pointer is set to NULL.
47 void ads_cached_connection_reuse(ADS_STRUCT
**adsp
)
50 ADS_STRUCT
*ads
= *adsp
;
54 time_t now
= time(NULL
);
56 expire
= MIN(ads
->auth
.tgt_expire
, ads
->auth
.tgs_expire
);
58 DEBUG(7, ("Current tickets expire in %d seconds (at %d, time "
59 "is now %d)\n", (uint32
)expire
- (uint32
)now
,
60 (uint32
) expire
, (uint32
) now
));
62 if ( ads
->config
.realm
&& (expire
> now
)) {
65 /* we own this ADS_STRUCT so make sure it goes away */
66 DEBUG(7,("Deleting expired krb5 credential cache\n"));
69 ads_kdestroy(WINBIND_CCACHE_NAME
);
76 return our ads connections structure for a domain. We keep the connection
77 open to make things faster
79 static ADS_STRUCT
*ads_cached_connection(struct winbindd_domain
*domain
)
84 struct sockaddr_storage dc_ss
;
86 DEBUG(10,("ads_cached_connection\n"));
87 ads_cached_connection_reuse((ADS_STRUCT
**)&domain
->private_data
);
89 if (domain
->private_data
) {
90 return (ADS_STRUCT
*)domain
->private_data
;
93 ads
= ads_init(domain
->alt_name
, domain
->name
, NULL
);
95 DEBUG(1,("ads_init for domain %s failed\n", domain
->name
));
99 /* we don't want ads operations to affect the default ccache */
100 ads
->auth
.ccache_name
= SMB_STRDUP("MEMORY:winbind_ccache");
102 /* the machine acct password might have change - fetch it every time */
104 SAFE_FREE(ads
->auth
.password
);
105 SAFE_FREE(ads
->auth
.realm
);
109 if ( !pdb_get_trusteddom_pw( domain
->name
, &ads
->auth
.password
, NULL
, NULL
) ) {
113 ads
->auth
.realm
= SMB_STRDUP( ads
->server
.realm
);
114 if (!strupper_m( ads
->auth
.realm
)) {
120 struct winbindd_domain
*our_domain
= domain
;
122 ads
->auth
.password
= secrets_fetch_machine_password(lp_workgroup(), NULL
, NULL
);
124 /* always give preference to the alt_name in our
125 primary domain if possible */
127 if ( !domain
->primary
)
128 our_domain
= find_our_domain();
130 if (our_domain
->alt_name
!= NULL
) {
131 ads
->auth
.realm
= SMB_STRDUP( our_domain
->alt_name
);
132 if (!strupper_m( ads
->auth
.realm
)) {
138 ads
->auth
.realm
= SMB_STRDUP( lp_realm() );
141 ads
->auth
.renewable
= WINBINDD_PAM_AUTH_KRB5_RENEW_TIME
;
143 /* Setup the server affinity cache. We don't reaally care
144 about the name. Just setup affinity and the KRB5_CONFIG
147 get_dc_name( ads
->server
.workgroup
, ads
->server
.realm
, dc_name
, &dc_ss
);
149 status
= ads_connect(ads
);
150 if (!ADS_ERR_OK(status
) || !ads
->config
.realm
) {
151 DEBUG(1,("ads_connect for domain %s failed: %s\n",
152 domain
->name
, ads_errstr(status
)));
155 /* if we get ECONNREFUSED then it might be a NT4
156 server, fall back to MSRPC */
157 if (status
.error_type
== ENUM_ADS_ERROR_SYSTEM
&&
158 status
.err
.rc
== ECONNREFUSED
) {
159 /* 'reconnect_methods' is the MS-RPC backend. */
160 DEBUG(1,("Trying MSRPC methods\n"));
161 domain
->backend
= &reconnect_methods
;
166 /* set the flag that says we don't own the memory even
167 though we do so that ads_destroy() won't destroy the
168 structure we pass back by reference */
170 ads
->is_mine
= False
;
172 domain
->private_data
= (void *)ads
;
177 /* Query display info for a realm. This is the basic user list fn */
178 static NTSTATUS
query_user_list(struct winbindd_domain
*domain
,
181 struct wbint_userinfo
**pinfo
)
183 ADS_STRUCT
*ads
= NULL
;
184 const char *attrs
[] = { "*", NULL
};
187 LDAPMessage
*res
= NULL
;
188 LDAPMessage
*msg
= NULL
;
189 NTSTATUS status
= NT_STATUS_UNSUCCESSFUL
;
193 DEBUG(3,("ads: query_user_list\n"));
195 if ( !winbindd_can_contact_domain( domain
) ) {
196 DEBUG(10,("query_user_list: No incoming trust for domain %s\n",
201 ads
= ads_cached_connection(domain
);
204 domain
->last_status
= NT_STATUS_SERVER_DISABLED
;
208 rc
= ads_search_retry(ads
, &res
, "(objectCategory=user)", attrs
);
209 if (!ADS_ERR_OK(rc
)) {
210 DEBUG(1,("query_user_list ads_search: %s\n", ads_errstr(rc
)));
211 status
= ads_ntstatus(rc
);
213 DEBUG(1,("query_user_list ads_search returned NULL res\n"));
218 count
= ads_count_replies(ads
, res
);
220 DEBUG(1,("query_user_list: No users found\n"));
224 (*pinfo
) = talloc_zero_array(mem_ctx
, struct wbint_userinfo
, count
);
226 status
= NT_STATUS_NO_MEMORY
;
232 for (msg
= ads_first_entry(ads
, res
); msg
; msg
= ads_next_entry(ads
, msg
)) {
233 struct wbint_userinfo
*info
= &((*pinfo
)[count
]);
237 if (!ads_pull_uint32(ads
, msg
, "sAMAccountType", &atype
) ||
238 ds_atype_map(atype
) != SID_NAME_USER
) {
239 DEBUG(1,("Not a user account? atype=0x%x\n", atype
));
243 info
->acct_name
= ads_pull_username(ads
, mem_ctx
, msg
);
244 info
->full_name
= ads_pull_string(ads
, mem_ctx
, msg
, "name");
245 info
->homedir
= NULL
;
247 info
->primary_gid
= (gid_t
)-1;
249 if (!ads_pull_sid(ads
, msg
, "objectSid",
251 DEBUG(1, ("No sid for %s !?\n", info
->acct_name
));
255 if (!ads_pull_uint32(ads
, msg
, "primaryGroupID", &group
)) {
256 DEBUG(1, ("No primary group for %s !?\n",
260 sid_compose(&info
->group_sid
, &domain
->sid
, group
);
265 (*num_entries
) = count
;
266 ads_msgfree(ads
, res
);
268 for (i
=0; i
<count
; i
++) {
269 struct wbint_userinfo
*info
= &((*pinfo
)[i
]);
270 const char *gecos
= NULL
;
271 gid_t primary_gid
= (gid_t
)-1;
273 status
= nss_get_info_cached(domain
, &info
->user_sid
, mem_ctx
,
274 &info
->homedir
, &info
->shell
,
275 &gecos
, &primary_gid
);
276 if (!NT_STATUS_IS_OK(status
)) {
278 * Deliberately ignore this error, there might be more
285 info
->full_name
= gecos
;
287 info
->primary_gid
= primary_gid
;
290 status
= NT_STATUS_OK
;
292 DEBUG(3,("ads query_user_list gave %d entries\n", (*num_entries
)));
298 /* list all domain groups */
299 static NTSTATUS
enum_dom_groups(struct winbindd_domain
*domain
,
302 struct wb_acct_info
**info
)
304 ADS_STRUCT
*ads
= NULL
;
305 const char *attrs
[] = {"userPrincipalName", "sAMAccountName",
306 "name", "objectSid", NULL
};
309 LDAPMessage
*res
= NULL
;
310 LDAPMessage
*msg
= NULL
;
311 NTSTATUS status
= NT_STATUS_UNSUCCESSFUL
;
313 bool enum_dom_local_groups
= False
;
317 DEBUG(3,("ads: enum_dom_groups\n"));
319 if ( !winbindd_can_contact_domain( domain
) ) {
320 DEBUG(10,("enum_dom_groups: No incoming trust for domain %s\n",
325 /* only grab domain local groups for our domain */
326 if ( domain
->active_directory
&& strequal(lp_realm(), domain
->alt_name
) ) {
327 enum_dom_local_groups
= True
;
330 /* Workaround ADS LDAP bug present in MS W2K3 SP0 and W2K SP4 w/o
333 * According to Section 5.1(4) of RFC 2251 if a value of a type is it's
334 * default value, it MUST be absent. In case of extensible matching the
335 * "dnattr" boolean defaults to FALSE and so it must be only be present
338 * When it is set to FALSE and the OpenLDAP lib (correctly) encodes a
339 * filter using bitwise matching rule then the buggy AD fails to decode
340 * the extensible match. As a workaround set it to TRUE and thereby add
341 * the dnAttributes "dn" field to cope with those older AD versions.
342 * It should not harm and won't put any additional load on the AD since
343 * none of the dn components have a bitmask-attribute.
345 * Thanks to Ralf Haferkamp for input and testing - Guenther */
347 filter
= talloc_asprintf(mem_ctx
, "(&(objectCategory=group)(&(groupType:dn:%s:=%d)(!(groupType:dn:%s:=%d))))",
348 ADS_LDAP_MATCHING_RULE_BIT_AND
, GROUP_TYPE_SECURITY_ENABLED
,
349 ADS_LDAP_MATCHING_RULE_BIT_AND
,
350 enum_dom_local_groups
? GROUP_TYPE_BUILTIN_LOCAL_GROUP
: GROUP_TYPE_RESOURCE_GROUP
);
352 if (filter
== NULL
) {
353 status
= NT_STATUS_NO_MEMORY
;
357 ads
= ads_cached_connection(domain
);
360 domain
->last_status
= NT_STATUS_SERVER_DISABLED
;
364 rc
= ads_search_retry(ads
, &res
, filter
, attrs
);
365 if (!ADS_ERR_OK(rc
)) {
366 status
= ads_ntstatus(rc
);
367 DEBUG(1,("enum_dom_groups ads_search: %s\n", ads_errstr(rc
)));
370 DEBUG(1,("enum_dom_groups ads_search returned NULL res\n"));
374 count
= ads_count_replies(ads
, res
);
376 DEBUG(1,("enum_dom_groups: No groups found\n"));
380 (*info
) = talloc_zero_array(mem_ctx
, struct wb_acct_info
, count
);
382 status
= NT_STATUS_NO_MEMORY
;
388 for (msg
= ads_first_entry(ads
, res
); msg
; msg
= ads_next_entry(ads
, msg
)) {
393 name
= ads_pull_username(ads
, mem_ctx
, msg
);
394 gecos
= ads_pull_string(ads
, mem_ctx
, msg
, "name");
395 if (!ads_pull_sid(ads
, msg
, "objectSid", &sid
)) {
396 DEBUG(1,("No sid for %s !?\n", name
));
400 if (!sid_peek_check_rid(&domain
->sid
, &sid
, &rid
)) {
401 DEBUG(1,("No rid for %s !?\n", name
));
405 fstrcpy((*info
)[i
].acct_name
, name
);
406 fstrcpy((*info
)[i
].acct_desc
, gecos
);
407 (*info
)[i
].rid
= rid
;
413 status
= NT_STATUS_OK
;
415 DEBUG(3,("ads enum_dom_groups gave %d entries\n", (*num_entries
)));
419 ads_msgfree(ads
, res
);
424 /* list all domain local groups */
425 static NTSTATUS
enum_local_groups(struct winbindd_domain
*domain
,
428 struct wb_acct_info
**info
)
431 * This is a stub function only as we returned the domain
432 * local groups in enum_dom_groups() if the domain->native field
433 * was true. This is a simple performance optimization when
436 * if we ever need to enumerate domain local groups separately,
437 * then this optimization in enum_dom_groups() will need
445 /* convert a single name to a sid in a domain - use rpc methods */
446 static NTSTATUS
name_to_sid(struct winbindd_domain
*domain
,
448 const char *domain_name
,
452 enum lsa_SidType
*type
)
454 return reconnect_methods
.name_to_sid(domain
, mem_ctx
,
455 domain_name
, name
, flags
,
459 /* convert a domain SID to a user or group name - use rpc methods */
460 static NTSTATUS
sid_to_name(struct winbindd_domain
*domain
,
462 const struct dom_sid
*sid
,
465 enum lsa_SidType
*type
)
467 return reconnect_methods
.sid_to_name(domain
, mem_ctx
, sid
,
468 domain_name
, name
, type
);
471 /* convert a list of rids to names - use rpc methods */
472 static NTSTATUS
rids_to_names(struct winbindd_domain
*domain
,
474 const struct dom_sid
*sid
,
479 enum lsa_SidType
**types
)
481 return reconnect_methods
.rids_to_names(domain
, mem_ctx
, sid
,
483 domain_name
, names
, types
);
486 /* If you are looking for "dn_lookup": Yes, it used to be here!
487 * It has gone now since it was a major speed bottleneck in
488 * lookup_groupmem (its only use). It has been replaced by
489 * an rpc lookup sids call... R.I.P. */
491 /* Lookup user information from a rid */
492 static NTSTATUS
query_user(struct winbindd_domain
*domain
,
494 const struct dom_sid
*sid
,
495 struct wbint_userinfo
*info
)
497 ADS_STRUCT
*ads
= NULL
;
498 const char *attrs
[] = { "*", NULL
};
501 LDAPMessage
*msg
= NULL
;
505 NTSTATUS status
= NT_STATUS_UNSUCCESSFUL
;
506 struct netr_SamInfo3
*user
= NULL
;
511 DEBUG(3,("ads: query_user\n"));
513 info
->homedir
= NULL
;
516 /* try netsamlogon cache first */
518 if ( (user
= netsamlogon_cache_get( mem_ctx
, sid
)) != NULL
)
520 DEBUG(5,("query_user: Cache lookup succeeded for %s\n",
521 sid_string_dbg(sid
)));
523 sid_compose(&info
->user_sid
, &domain
->sid
, user
->base
.rid
);
524 sid_compose(&info
->group_sid
, &domain
->sid
, user
->base
.primary_gid
);
526 info
->acct_name
= talloc_strdup(mem_ctx
, user
->base
.account_name
.string
);
527 info
->full_name
= talloc_strdup(mem_ctx
, user
->base
.full_name
.string
);
529 nss_get_info_cached( domain
, sid
, mem_ctx
,
530 &info
->homedir
, &info
->shell
, &info
->full_name
,
532 info
->primary_gid
= gid
;
539 if ( !winbindd_can_contact_domain(domain
)) {
540 DEBUG(8,("query_user: No incoming trust from domain %s\n",
543 /* We still need to generate some basic information
544 about the user even if we cannot contact the
545 domain. Most of this stuff we can deduce. */
547 sid_copy( &info
->user_sid
, sid
);
549 /* Assume "Domain Users" for the primary group */
551 sid_compose(&info
->group_sid
, &domain
->sid
, DOMAIN_RID_USERS
);
553 /* Try to fill in what the nss_info backend can do */
555 nss_get_info_cached( domain
, sid
, mem_ctx
,
556 &info
->homedir
, &info
->shell
, &info
->full_name
,
558 info
->primary_gid
= gid
;
563 /* no cache...do the query */
565 if ( (ads
= ads_cached_connection(domain
)) == NULL
) {
566 domain
->last_status
= NT_STATUS_SERVER_DISABLED
;
567 return NT_STATUS_SERVER_DISABLED
;
570 sidstr
= ldap_encode_ndr_dom_sid(talloc_tos(), sid
);
572 ret
= asprintf(&ldap_exp
, "(objectSid=%s)", sidstr
);
575 return NT_STATUS_NO_MEMORY
;
577 rc
= ads_search_retry(ads
, &msg
, ldap_exp
, attrs
);
579 if (!ADS_ERR_OK(rc
)) {
580 DEBUG(1,("query_user(sid=%s) ads_search: %s\n",
581 sid_string_dbg(sid
), ads_errstr(rc
)));
582 return ads_ntstatus(rc
);
584 DEBUG(1,("query_user(sid=%s) ads_search returned NULL res\n",
585 sid_string_dbg(sid
)));
586 return NT_STATUS_INTERNAL_ERROR
;
589 count
= ads_count_replies(ads
, msg
);
591 DEBUG(1,("query_user(sid=%s): Not found\n",
592 sid_string_dbg(sid
)));
593 ads_msgfree(ads
, msg
);
594 return NT_STATUS_NO_SUCH_USER
;
597 info
->acct_name
= ads_pull_username(ads
, mem_ctx
, msg
);
599 if (!ads_pull_uint32(ads
, msg
, "primaryGroupID", &group_rid
)) {
600 DEBUG(1,("No primary group for %s !?\n",
601 sid_string_dbg(sid
)));
602 ads_msgfree(ads
, msg
);
603 return NT_STATUS_NO_SUCH_USER
;
605 sid_copy(&info
->user_sid
, sid
);
606 sid_compose(&info
->group_sid
, &domain
->sid
, group_rid
);
609 * We have to fetch the "name" attribute before doing the
610 * nss_get_info_cached call. nss_get_info_cached might destroy
611 * the ads struct, potentially invalidating the ldap message.
613 ads_name
= ads_pull_string(ads
, mem_ctx
, msg
, "name");
615 ads_msgfree(ads
, msg
);
618 status
= nss_get_info_cached( domain
, sid
, mem_ctx
,
619 &info
->homedir
, &info
->shell
, &info
->full_name
,
621 info
->primary_gid
= gid
;
622 if (!NT_STATUS_IS_OK(status
)) {
623 DEBUG(1, ("nss_get_info_cached failed: %s\n",
628 if (info
->full_name
== NULL
) {
629 info
->full_name
= ads_name
;
631 TALLOC_FREE(ads_name
);
634 status
= NT_STATUS_OK
;
636 DEBUG(3,("ads query_user gave %s\n", info
->acct_name
));
640 /* Lookup groups a user is a member of - alternate method, for when
641 tokenGroups are not available. */
642 static NTSTATUS
lookup_usergroups_member(struct winbindd_domain
*domain
,
645 struct dom_sid
*primary_group
,
646 uint32_t *p_num_groups
, struct dom_sid
**user_sids
)
649 NTSTATUS status
= NT_STATUS_UNSUCCESSFUL
;
651 LDAPMessage
*res
= NULL
;
652 LDAPMessage
*msg
= NULL
;
655 const char *group_attrs
[] = {"objectSid", NULL
};
657 uint32_t num_groups
= 0;
659 DEBUG(3,("ads: lookup_usergroups_member\n"));
661 if ( !winbindd_can_contact_domain( domain
) ) {
662 DEBUG(10,("lookup_usergroups_members: No incoming trust for domain %s\n",
667 ads
= ads_cached_connection(domain
);
670 domain
->last_status
= NT_STATUS_SERVER_DISABLED
;
674 if (!(escaped_dn
= escape_ldap_string(talloc_tos(), user_dn
))) {
675 status
= NT_STATUS_NO_MEMORY
;
679 ldap_exp
= talloc_asprintf(mem_ctx
,
680 "(&(member=%s)(objectCategory=group)(groupType:dn:%s:=%d))",
682 ADS_LDAP_MATCHING_RULE_BIT_AND
,
683 GROUP_TYPE_SECURITY_ENABLED
);
685 DEBUG(1,("lookup_usergroups(dn=%s) asprintf failed!\n", user_dn
));
686 TALLOC_FREE(escaped_dn
);
687 status
= NT_STATUS_NO_MEMORY
;
691 TALLOC_FREE(escaped_dn
);
693 rc
= ads_search_retry(ads
, &res
, ldap_exp
, group_attrs
);
695 if (!ADS_ERR_OK(rc
)) {
696 DEBUG(1,("lookup_usergroups ads_search member=%s: %s\n", user_dn
, ads_errstr(rc
)));
697 return ads_ntstatus(rc
);
699 DEBUG(1,("lookup_usergroups ads_search returned NULL res\n"));
700 return NT_STATUS_INTERNAL_ERROR
;
704 count
= ads_count_replies(ads
, res
);
709 /* always add the primary group to the sid array */
710 status
= add_sid_to_array(mem_ctx
, primary_group
, user_sids
,
712 if (!NT_STATUS_IS_OK(status
)) {
717 for (msg
= ads_first_entry(ads
, res
); msg
;
718 msg
= ads_next_entry(ads
, msg
)) {
719 struct dom_sid group_sid
;
721 if (!ads_pull_sid(ads
, msg
, "objectSid", &group_sid
)) {
722 DEBUG(1,("No sid for this group ?!?\n"));
726 /* ignore Builtin groups from ADS - Guenther */
727 if (sid_check_is_in_builtin(&group_sid
)) {
731 status
= add_sid_to_array(mem_ctx
, &group_sid
,
732 user_sids
, &num_groups
);
733 if (!NT_STATUS_IS_OK(status
)) {
740 *p_num_groups
= num_groups
;
741 status
= (user_sids
!= NULL
) ? NT_STATUS_OK
: NT_STATUS_NO_MEMORY
;
743 DEBUG(3,("ads lookup_usergroups (member) succeeded for dn=%s\n", user_dn
));
746 ads_msgfree(ads
, res
);
751 /* Lookup groups a user is a member of - alternate method, for when
752 tokenGroups are not available. */
753 static NTSTATUS
lookup_usergroups_memberof(struct winbindd_domain
*domain
,
756 struct dom_sid
*primary_group
,
757 uint32_t *p_num_groups
,
758 struct dom_sid
**user_sids
)
761 NTSTATUS status
= NT_STATUS_UNSUCCESSFUL
;
763 const char *attrs
[] = {"memberOf", NULL
};
764 uint32_t num_groups
= 0;
765 struct dom_sid
*group_sids
= NULL
;
767 char **strings
= NULL
;
768 size_t num_strings
= 0, num_sids
= 0;
771 DEBUG(3,("ads: lookup_usergroups_memberof\n"));
773 if ( !winbindd_can_contact_domain( domain
) ) {
774 DEBUG(10,("lookup_usergroups_memberof: No incoming trust for "
775 "domain %s\n", domain
->name
));
779 ads
= ads_cached_connection(domain
);
782 domain
->last_status
= NT_STATUS_SERVER_DISABLED
;
783 return NT_STATUS_UNSUCCESSFUL
;
786 rc
= ads_search_retry_extended_dn_ranged(ads
, mem_ctx
, user_dn
, attrs
,
787 ADS_EXTENDED_DN_HEX_STRING
,
788 &strings
, &num_strings
);
790 if (!ADS_ERR_OK(rc
)) {
791 DEBUG(1,("lookup_usergroups_memberof ads_search "
792 "member=%s: %s\n", user_dn
, ads_errstr(rc
)));
793 return ads_ntstatus(rc
);
799 /* always add the primary group to the sid array */
800 status
= add_sid_to_array(mem_ctx
, primary_group
, user_sids
,
802 if (!NT_STATUS_IS_OK(status
)) {
806 group_sids
= talloc_zero_array(mem_ctx
, struct dom_sid
, num_strings
+ 1);
808 status
= NT_STATUS_NO_MEMORY
;
812 for (i
=0; i
<num_strings
; i
++) {
813 rc
= ads_get_sid_from_extended_dn(mem_ctx
, strings
[i
],
814 ADS_EXTENDED_DN_HEX_STRING
,
816 if (!ADS_ERR_OK(rc
)) {
817 /* ignore members without SIDs */
818 if (NT_STATUS_EQUAL(ads_ntstatus(rc
),
819 NT_STATUS_NOT_FOUND
)) {
823 status
= ads_ntstatus(rc
);
831 DEBUG(1,("No memberOf for this user?!?\n"));
832 status
= NT_STATUS_NO_MEMORY
;
836 for (i
=0; i
<num_sids
; i
++) {
838 /* ignore Builtin groups from ADS - Guenther */
839 if (sid_check_is_in_builtin(&group_sids
[i
])) {
843 status
= add_sid_to_array(mem_ctx
, &group_sids
[i
], user_sids
,
845 if (!NT_STATUS_IS_OK(status
)) {
851 *p_num_groups
= num_groups
;
852 status
= (*user_sids
!= NULL
) ? NT_STATUS_OK
: NT_STATUS_NO_MEMORY
;
854 DEBUG(3,("ads lookup_usergroups (memberof) succeeded for dn=%s\n",
858 TALLOC_FREE(strings
);
859 TALLOC_FREE(group_sids
);
865 /* Lookup groups a user is a member of. */
866 static NTSTATUS
lookup_usergroups(struct winbindd_domain
*domain
,
868 const struct dom_sid
*sid
,
869 uint32
*p_num_groups
, struct dom_sid
**user_sids
)
871 ADS_STRUCT
*ads
= NULL
;
872 const char *attrs
[] = {"tokenGroups", "primaryGroupID", NULL
};
875 LDAPMessage
*msg
= NULL
;
876 char *user_dn
= NULL
;
877 struct dom_sid
*sids
;
879 struct dom_sid primary_group
;
880 uint32 primary_group_rid
;
881 NTSTATUS status
= NT_STATUS_UNSUCCESSFUL
;
882 uint32_t num_groups
= 0;
884 DEBUG(3,("ads: lookup_usergroups\n"));
887 status
= lookup_usergroups_cached(domain
, mem_ctx
, sid
,
888 p_num_groups
, user_sids
);
889 if (NT_STATUS_IS_OK(status
)) {
893 if ( !winbindd_can_contact_domain( domain
) ) {
894 DEBUG(10,("lookup_usergroups: No incoming trust for domain %s\n",
897 /* Tell the cache manager not to remember this one */
899 return NT_STATUS_SYNCHRONIZATION_REQUIRED
;
902 ads
= ads_cached_connection(domain
);
905 domain
->last_status
= NT_STATUS_SERVER_DISABLED
;
906 status
= NT_STATUS_SERVER_DISABLED
;
910 rc
= ads_search_retry_sid(ads
, &msg
, sid
, attrs
);
912 if (!ADS_ERR_OK(rc
)) {
913 status
= ads_ntstatus(rc
);
914 DEBUG(1, ("lookup_usergroups(sid=%s) ads_search tokenGroups: "
915 "%s\n", sid_string_dbg(sid
), ads_errstr(rc
)));
919 count
= ads_count_replies(ads
, msg
);
921 status
= NT_STATUS_UNSUCCESSFUL
;
922 DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: "
923 "invalid number of results (count=%d)\n",
924 sid_string_dbg(sid
), count
));
929 DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: NULL msg\n",
930 sid_string_dbg(sid
)));
931 status
= NT_STATUS_UNSUCCESSFUL
;
935 user_dn
= ads_get_dn(ads
, mem_ctx
, msg
);
936 if (user_dn
== NULL
) {
937 status
= NT_STATUS_NO_MEMORY
;
941 if (!ads_pull_uint32(ads
, msg
, "primaryGroupID", &primary_group_rid
)) {
942 DEBUG(1,("%s: No primary group for sid=%s !?\n",
943 domain
->name
, sid_string_dbg(sid
)));
947 sid_compose(&primary_group
, &domain
->sid
, primary_group_rid
);
949 count
= ads_pull_sids(ads
, mem_ctx
, msg
, "tokenGroups", &sids
);
951 /* there must always be at least one group in the token,
952 unless we are talking to a buggy Win2k server */
954 /* actually this only happens when the machine account has no read
955 * permissions on the tokenGroup attribute - gd */
961 /* lookup what groups this user is a member of by DN search on
964 status
= lookup_usergroups_memberof(domain
, mem_ctx
, user_dn
,
966 &num_groups
, user_sids
);
967 *p_num_groups
= num_groups
;
968 if (NT_STATUS_IS_OK(status
)) {
972 /* lookup what groups this user is a member of by DN search on
975 status
= lookup_usergroups_member(domain
, mem_ctx
, user_dn
,
977 &num_groups
, user_sids
);
978 *p_num_groups
= num_groups
;
985 status
= add_sid_to_array(mem_ctx
, &primary_group
, user_sids
,
987 if (!NT_STATUS_IS_OK(status
)) {
991 for (i
=0;i
<count
;i
++) {
993 /* ignore Builtin groups from ADS - Guenther */
994 if (sid_check_is_in_builtin(&sids
[i
])) {
998 status
= add_sid_to_array_unique(mem_ctx
, &sids
[i
],
999 user_sids
, &num_groups
);
1000 if (!NT_STATUS_IS_OK(status
)) {
1005 *p_num_groups
= (uint32
)num_groups
;
1006 status
= (*user_sids
!= NULL
) ? NT_STATUS_OK
: NT_STATUS_NO_MEMORY
;
1008 DEBUG(3,("ads lookup_usergroups (tokenGroups) succeeded for sid=%s\n",
1009 sid_string_dbg(sid
)));
1011 TALLOC_FREE(user_dn
);
1012 ads_msgfree(ads
, msg
);
1016 /* Lookup aliases a user is member of - use rpc methods */
1017 static NTSTATUS
lookup_useraliases(struct winbindd_domain
*domain
,
1018 TALLOC_CTX
*mem_ctx
,
1019 uint32 num_sids
, const struct dom_sid
*sids
,
1020 uint32
*num_aliases
, uint32
**alias_rids
)
1022 return reconnect_methods
.lookup_useraliases(domain
, mem_ctx
,
1029 find the members of a group, given a group rid and domain
1031 static NTSTATUS
lookup_groupmem(struct winbindd_domain
*domain
,
1032 TALLOC_CTX
*mem_ctx
,
1033 const struct dom_sid
*group_sid
,
1034 enum lsa_SidType type
,
1036 struct dom_sid
**sid_mem
, char ***names
,
1037 uint32
**name_types
)
1040 ADS_STRUCT
*ads
= NULL
;
1042 NTSTATUS status
= NT_STATUS_UNSUCCESSFUL
;
1044 char **members
= NULL
;
1046 size_t num_members
= 0;
1048 struct dom_sid
*sid_mem_nocache
= NULL
;
1049 char **names_nocache
= NULL
;
1050 enum lsa_SidType
*name_types_nocache
= NULL
;
1051 char **domains_nocache
= NULL
; /* only needed for rpccli_lsa_lookup_sids */
1052 uint32 num_nocache
= 0;
1053 TALLOC_CTX
*tmp_ctx
= NULL
;
1055 DEBUG(10,("ads: lookup_groupmem %s sid=%s\n", domain
->name
,
1056 sid_string_dbg(group_sid
)));
1060 tmp_ctx
= talloc_new(mem_ctx
);
1062 DEBUG(1, ("ads: lookup_groupmem: talloc failed\n"));
1063 status
= NT_STATUS_NO_MEMORY
;
1067 if ( !winbindd_can_contact_domain( domain
) ) {
1068 DEBUG(10,("lookup_groupmem: No incoming trust for domain %s\n",
1070 return NT_STATUS_OK
;
1073 ads
= ads_cached_connection(domain
);
1076 domain
->last_status
= NT_STATUS_SERVER_DISABLED
;
1080 if ((sidbinstr
= ldap_encode_ndr_dom_sid(talloc_tos(), group_sid
)) == NULL
) {
1081 status
= NT_STATUS_NO_MEMORY
;
1085 /* search for all members of the group */
1086 ldap_exp
= talloc_asprintf(tmp_ctx
, "(objectSid=%s)", sidbinstr
);
1087 TALLOC_FREE(sidbinstr
);
1088 if (ldap_exp
== NULL
) {
1089 DEBUG(1, ("ads: lookup_groupmem: talloc_asprintf for ldap_exp failed!\n"));
1090 status
= NT_STATUS_NO_MEMORY
;
1094 args
.control
= ADS_EXTENDED_DN_OID
;
1095 args
.val
= ADS_EXTENDED_DN_HEX_STRING
;
1096 args
.critical
= True
;
1098 rc
= ads_ranged_search(ads
, tmp_ctx
, LDAP_SCOPE_SUBTREE
, ads
->config
.bind_path
,
1099 ldap_exp
, &args
, "member", &members
, &num_members
);
1101 if (!ADS_ERR_OK(rc
)) {
1102 DEBUG(0,("ads_ranged_search failed with: %s\n", ads_errstr(rc
)));
1103 status
= NT_STATUS_UNSUCCESSFUL
;
1107 DEBUG(10, ("ads lookup_groupmem: got %d sids via extended dn call\n", (int)num_members
));
1109 /* Now that we have a list of sids, we need to get the
1110 * lists of names and name_types belonging to these sids.
1111 * even though conceptually not quite clean, we use the
1112 * RPC call lsa_lookup_sids for this since it can handle a
1113 * list of sids. ldap calls can just resolve one sid at a time.
1115 * At this stage, the sids are still hidden in the exetended dn
1116 * member output format. We actually do a little better than
1117 * stated above: In extracting the sids from the member strings,
1118 * we try to resolve as many sids as possible from the
1119 * cache. Only the rest is passed to the lsa_lookup_sids call. */
1122 (*sid_mem
) = talloc_zero_array(mem_ctx
, struct dom_sid
, num_members
);
1123 (*names
) = talloc_zero_array(mem_ctx
, char *, num_members
);
1124 (*name_types
) = talloc_zero_array(mem_ctx
, uint32
, num_members
);
1125 (sid_mem_nocache
) = talloc_zero_array(tmp_ctx
, struct dom_sid
, num_members
);
1127 if ((members
== NULL
) || (*sid_mem
== NULL
) ||
1128 (*names
== NULL
) || (*name_types
== NULL
) ||
1129 (sid_mem_nocache
== NULL
))
1131 DEBUG(1, ("ads: lookup_groupmem: talloc failed\n"));
1132 status
= NT_STATUS_NO_MEMORY
;
1139 (*name_types
) = NULL
;
1142 for (i
=0; i
<num_members
; i
++) {
1143 enum lsa_SidType name_type
;
1144 char *name
, *domain_name
;
1147 rc
= ads_get_sid_from_extended_dn(tmp_ctx
, members
[i
], args
.val
,
1149 if (!ADS_ERR_OK(rc
)) {
1150 if (NT_STATUS_EQUAL(ads_ntstatus(rc
),
1151 NT_STATUS_NOT_FOUND
)) {
1152 /* Group members can be objects, like Exchange
1153 * Public Folders, that don't have a SID. Skip
1158 status
= ads_ntstatus(rc
);
1162 if (lookup_cached_sid(mem_ctx
, &sid
, &domain_name
, &name
,
1164 DEBUG(10,("ads: lookup_groupmem: got sid %s from "
1165 "cache\n", sid_string_dbg(&sid
)));
1166 sid_copy(&(*sid_mem
)[*num_names
], &sid
);
1167 (*names
)[*num_names
] = fill_domain_username_talloc(
1173 (*name_types
)[*num_names
] = name_type
;
1177 DEBUG(10, ("ads: lookup_groupmem: sid %s not found in "
1178 "cache\n", sid_string_dbg(&sid
)));
1179 sid_copy(&(sid_mem_nocache
)[num_nocache
], &sid
);
1184 DEBUG(10, ("ads: lookup_groupmem: %d sids found in cache, "
1185 "%d left for lsa_lookupsids\n", *num_names
, num_nocache
));
1187 /* handle sids not resolved from cache by lsa_lookup_sids */
1188 if (num_nocache
> 0) {
1190 status
= winbindd_lookup_sids(tmp_ctx
,
1196 &name_types_nocache
);
1198 if (!(NT_STATUS_IS_OK(status
) ||
1199 NT_STATUS_EQUAL(status
, STATUS_SOME_UNMAPPED
) ||
1200 NT_STATUS_EQUAL(status
, NT_STATUS_NONE_MAPPED
)))
1202 DEBUG(1, ("lsa_lookupsids call failed with %s "
1203 "- retrying...\n", nt_errstr(status
)));
1205 status
= winbindd_lookup_sids(tmp_ctx
,
1211 &name_types_nocache
);
1214 if (NT_STATUS_IS_OK(status
) ||
1215 NT_STATUS_EQUAL(status
, STATUS_SOME_UNMAPPED
))
1217 /* Copy the entries over from the "_nocache" arrays
1218 * to the result arrays, skipping the gaps the
1219 * lookup_sids call left. */
1220 for (i
=0; i
< num_nocache
; i
++) {
1221 if (((names_nocache
)[i
] != NULL
) &&
1222 ((name_types_nocache
)[i
] != SID_NAME_UNKNOWN
))
1224 sid_copy(&(*sid_mem
)[*num_names
],
1225 &sid_mem_nocache
[i
]);
1226 (*names
)[*num_names
] =
1227 fill_domain_username_talloc(
1232 (*name_types
)[*num_names
] = name_types_nocache
[i
];
1237 else if (NT_STATUS_EQUAL(status
, NT_STATUS_NONE_MAPPED
)) {
1238 DEBUG(10, ("lookup_groupmem: lsa_lookup_sids could "
1239 "not map any SIDs at all.\n"));
1240 /* Don't handle this as an error here.
1241 * There is nothing left to do with respect to the
1242 * overall result... */
1244 else if (!NT_STATUS_IS_OK(status
)) {
1245 DEBUG(10, ("lookup_groupmem: Error looking up %d "
1246 "sids via rpc_lsa_lookup_sids: %s\n",
1247 (int)num_members
, nt_errstr(status
)));
1252 status
= NT_STATUS_OK
;
1253 DEBUG(3,("ads lookup_groupmem for sid=%s succeeded\n",
1254 sid_string_dbg(group_sid
)));
1258 TALLOC_FREE(tmp_ctx
);
1263 /* find the sequence number for a domain */
1264 static NTSTATUS
sequence_number(struct winbindd_domain
*domain
, uint32
*seq
)
1266 ADS_STRUCT
*ads
= NULL
;
1269 DEBUG(3,("ads: fetch sequence_number for %s\n", domain
->name
));
1271 if ( !winbindd_can_contact_domain( domain
) ) {
1272 DEBUG(10,("sequence: No incoming trust for domain %s\n",
1275 return NT_STATUS_OK
;
1278 *seq
= DOM_SEQUENCE_NONE
;
1280 ads
= ads_cached_connection(domain
);
1283 domain
->last_status
= NT_STATUS_SERVER_DISABLED
;
1284 return NT_STATUS_UNSUCCESSFUL
;
1287 rc
= ads_USN(ads
, seq
);
1289 if (!ADS_ERR_OK(rc
)) {
1291 /* its a dead connection, destroy it */
1293 if (domain
->private_data
) {
1294 ads
= (ADS_STRUCT
*)domain
->private_data
;
1295 ads
->is_mine
= True
;
1297 ads_kdestroy(WINBIND_CCACHE_NAME
);
1298 domain
->private_data
= NULL
;
1301 return ads_ntstatus(rc
);
1304 /* find the lockout policy of a domain - use rpc methods */
1305 static NTSTATUS
lockout_policy(struct winbindd_domain
*domain
,
1306 TALLOC_CTX
*mem_ctx
,
1307 struct samr_DomInfo12
*policy
)
1309 return reconnect_methods
.lockout_policy(domain
, mem_ctx
, policy
);
1312 /* find the password policy of a domain - use rpc methods */
1313 static NTSTATUS
password_policy(struct winbindd_domain
*domain
,
1314 TALLOC_CTX
*mem_ctx
,
1315 struct samr_DomInfo1
*policy
)
1317 return reconnect_methods
.password_policy(domain
, mem_ctx
, policy
);
1320 /* get a list of trusted domains */
1321 static NTSTATUS
trusted_domains(struct winbindd_domain
*domain
,
1322 TALLOC_CTX
*mem_ctx
,
1323 struct netr_DomainTrustList
*trusts
)
1325 NTSTATUS result
= NT_STATUS_UNSUCCESSFUL
;
1329 struct rpc_pipe_client
*cli
;
1331 struct dcerpc_binding_handle
*b
;
1333 DEBUG(3,("ads: trusted_domains\n"));
1335 ZERO_STRUCTP(trusts
);
1337 /* If this is our primary domain or a root in our forest,
1338 query for all trusts. If not, then just look for domain
1339 trusts in the target forest */
1341 if (domain
->primary
|| domain_is_forest_root(domain
)) {
1342 flags
= NETR_TRUST_FLAG_OUTBOUND
|
1343 NETR_TRUST_FLAG_INBOUND
|
1344 NETR_TRUST_FLAG_IN_FOREST
;
1346 flags
= NETR_TRUST_FLAG_IN_FOREST
;
1349 result
= cm_connect_netlogon(domain
, &cli
);
1351 if (!NT_STATUS_IS_OK(result
)) {
1352 DEBUG(5, ("trusted_domains: Could not open a connection to %s "
1353 "for PIPE_NETLOGON (%s)\n",
1354 domain
->name
, nt_errstr(result
)));
1355 return NT_STATUS_UNSUCCESSFUL
;
1358 b
= cli
->binding_handle
;
1360 result
= dcerpc_netr_DsrEnumerateDomainTrusts(b
, mem_ctx
,
1365 if (!NT_STATUS_IS_OK(result
)) {
1369 if (!W_ERROR_IS_OK(werr
)) {
1370 return werror_to_ntstatus(werr
);
1372 if (trusts
->count
== 0) {
1373 return NT_STATUS_OK
;
1376 /* Copy across names and sids */
1379 for (i
= 0; i
< trusts
->count
; i
++) {
1380 struct netr_DomainTrust
*trust
= &trusts
->array
[i
];
1381 struct winbindd_domain d
;
1386 * drop external trusts if this is not our primary
1387 * domain. This means that the returned number of
1388 * domains may be less that the ones actually trusted
1392 if ((trust
->trust_attributes
1393 == NETR_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN
) &&
1396 DEBUG(10,("trusted_domains: Skipping external trusted "
1397 "domain %s because it is outside of our "
1399 trust
->netbios_name
));
1403 /* add to the trusted domain cache */
1405 d
.name
= discard_const_p(char, trust
->netbios_name
);
1406 d
.alt_name
= discard_const_p(char, trust
->dns_name
);
1409 sid_copy(&d
.sid
, trust
->sid
);
1411 sid_copy(&d
.sid
, &global_sid_NULL
);
1414 if ( domain
->primary
) {
1415 DEBUG(10,("trusted_domains(ads): Searching "
1416 "trusted domain list of %s and storing "
1417 "trust flags for domain %s\n",
1418 domain
->name
, d
.alt_name
));
1420 d
.domain_flags
= trust
->trust_flags
;
1421 d
.domain_type
= trust
->trust_type
;
1422 d
.domain_trust_attribs
= trust
->trust_attributes
;
1424 wcache_tdc_add_domain( &d
);
1426 } else if (domain_is_forest_root(domain
)) {
1427 /* Check if we already have this record. If
1428 * we are following our forest root that is not
1429 * our primary domain, we want to keep trust
1430 * flags from the perspective of our primary
1431 * domain not our forest root. */
1432 struct winbindd_tdc_domain
*exist
= NULL
;
1434 exist
= wcache_tdc_fetch_domain(
1435 talloc_tos(), trust
->netbios_name
);
1437 DEBUG(10,("trusted_domains(ads): Searching "
1438 "trusted domain list of %s and "
1439 "storing trust flags for domain "
1440 "%s\n", domain
->name
, d
.alt_name
));
1441 d
.domain_flags
= trust
->trust_flags
;
1442 d
.domain_type
= trust
->trust_type
;
1443 d
.domain_trust_attribs
=
1444 trust
->trust_attributes
;
1446 wcache_tdc_add_domain( &d
);
1451 /* This gets a little tricky. If we are
1452 following a transitive forest trust, then
1453 innerit the flags, type, and attribs from
1454 the domain we queried to make sure we don't
1455 record the view of the trust from the wrong
1456 side. Always view it from the side of our
1457 primary domain. --jerry */
1458 struct winbindd_tdc_domain
*parent
= NULL
;
1460 DEBUG(10,("trusted_domains(ads): Searching "
1461 "trusted domain list of %s and inheriting "
1462 "trust flags for domain %s\n",
1463 domain
->name
, d
.alt_name
));
1465 parent
= wcache_tdc_fetch_domain(talloc_tos(),
1468 d
.domain_flags
= parent
->trust_flags
;
1469 d
.domain_type
= parent
->trust_type
;
1470 d
.domain_trust_attribs
= parent
->trust_attribs
;
1472 d
.domain_flags
= domain
->domain_flags
;
1473 d
.domain_type
= domain
->domain_type
;
1474 d
.domain_trust_attribs
=
1475 domain
->domain_trust_attribs
;
1477 TALLOC_FREE(parent
);
1479 wcache_tdc_add_domain( &d
);
1486 /* the ADS backend methods are exposed via this structure */
1487 struct winbindd_methods ads_methods
= {