2 * idmap_adex: Support for AD Forests
4 * Copyright (C) Gerald (Jerry) Carter 2006-2008
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
24 #include "idmap_adex.h"
25 #include "../libds/common/flags.h"
28 #define DBGC_CLASS DBGC_IDMAP
30 /**********************************************************************
31 **********************************************************************/
/*
 * find_attr_string: look up the value of a "name=value" entry in list whose
 * attribute name matches substr (case-insensitive prefix compare).
 *
 * list      - array of "name=value" strings
 * num_lines - number of entries in list
 * substr    - attribute name to search for
 *
 * Returns a pointer INTO the matching entry (just past the '='), not a
 * copy: the result is only valid as long as list is. An entry with an
 * empty value is skipped. The fall-through return for "not found" and the
 * declaration of the loop index i are on lines not shown in this listing.
 *
 * NOTE(review): cmplen is an int receiving a size_t from strlen(); fine for
 * attribute names, but it is a narrowing conversion.
 */
33 char *find_attr_string(char **list
, size_t num_lines
, const char *substr
)
36 int cmplen
= strlen(substr
);
38 for (i
= 0; i
< num_lines
; i
++) {
39 /* make sure to avoid substring matches like uid vs. uidNumber:
   the matched prefix must be followed directly by '=' */
41 if ((strncasecmp_m(list
[i
], substr
, cmplen
) == 0) &&
42 (list
[i
][cmplen
] == '=')) {
43 /* Don't return an empty string */
44 if (list
[i
][cmplen
+ 1] != '\0')
45 return &(list
[i
][cmplen
+ 1]);
54 /**********************************************************************
55 **********************************************************************/
/*
 * is_object_class: report whether substr appears as a whole entry in list.
 *
 * list      - array of strings (e.g. the values of an objectClass attribute)
 * num_lines - number of entries in list
 * substr    - class name to look for
 *
 * Compares each entry with strequal() (Samba's case-insensitive whole-string
 * compare), so unlike find_attr_string() no "name=" prefix is involved.
 * The true/false returns and the declaration of i are on lines not shown
 * in this listing.
 */
57 bool is_object_class(char **list
, size_t num_lines
, const char *substr
)
61 for (i
= 0; i
< num_lines
; i
++) {
62 if (strequal(list
[i
], substr
)) {
70 /**********************************************************************
71 Find out about the cell (e.g. use2307Attrs, etc...)
72 **********************************************************************/
/*
 * cell_lookup_settings: fix the lookup policy for a cell.
 *
 * cell - cell to configure; a NULL cell yields NT_STATUS_INVALID_PARAMETER
 *        (the condition line itself is not shown in this listing).
 *
 * Returns NT_STATUS_OK once the flags and provider are set. Despite the
 * name, nothing is looked up here: the cell is unconditionally marked
 * RFC2307-attribute based and forest-wide, and handed the ccp_unified
 * provider. Failures are logged at debug level 1 from the tail of the
 * function (the done: label that BAIL_ON_NTSTATUS_ERROR presumably jumps
 * to is not shown).
 */
74 NTSTATUS
cell_lookup_settings(struct likewise_cell
* cell
)
76 NTSTATUS nt_status
= NT_STATUS_UNSUCCESSFUL
;
/* Parameter check (the "if (!cell)" line is not shown in this listing) */
81 nt_status
= NT_STATUS_INVALID_PARAMETER
;
82 BAIL_ON_NTSTATUS_ERROR(nt_status
);
85 /* Only supporting Forest-wide, schema based searches */
87 cell_set_flags(cell
, LWCELL_FLAG_USE_RFC2307_ATTRS
);
88 cell_set_flags(cell
, LWCELL_FLAG_SEARCH_FOREST
);
/* Single provider implementation for the unified (forest-wide) cell */
90 cell
->provider
= &ccp_unified
;
92 nt_status
= NT_STATUS_OK
;
95 if (!NT_STATUS_IS_OK(nt_status
)) {
96 DEBUG(1,("LWI: Failed to obtain cell settings (%s)\n",
97 nt_errstr(nt_status
)));
/*
 * cell_lookup_forest: resolve and record the forest root for a cell.
 *
 * c - cell whose DNS domain is used to locate the forest root; a NULL c
 *     returns NT_STATUS_INVALID_PARAMETER (the condition line is not shown).
 *
 * Returns NT_STATUS_OK on success, with c->forest_name set to a talloc
 * copy owned by c (so it lives as long as the cell does). Returns
 * NT_STATUS_NO_MEMORY if the scratch gc_info cannot be allocated, or the
 * error from gc_find_forest_root().
 *
 * NOTE(review): gc is talloc_zero'd with a NULL parent. None of the lines
 * shown free it; unless the tail of the function (not shown) calls
 * talloc_free()/talloc_destroy() on gc, every call leaks one gc_info.
 */
104 static NTSTATUS
cell_lookup_forest(struct likewise_cell
*c
)
106 NTSTATUS nt_status
= NT_STATUS_UNSUCCESSFUL
;
107 struct gc_info
*gc
= NULL
;
/* Parameter check (the "if (!c)" line is not shown in this listing) */
110 return NT_STATUS_INVALID_PARAMETER
;
113 if ((gc
= talloc_zero(NULL
, struct gc_info
)) == NULL
) {
114 nt_status
= NT_STATUS_NO_MEMORY
;
115 BAIL_ON_NTSTATUS_ERROR(nt_status
);
118 /* Query the rootDSE for the forest root naming context first.
119 Check that a GC server for the forest has not already been added */
122 nt_status
= gc_find_forest_root(gc
, cell_dns_domain(c
));
123 BAIL_ON_NTSTATUS_ERROR(nt_status
);
/* Copy the name onto the cell so it outlives the scratch gc context */
125 c
->forest_name
= talloc_strdup(c
, gc
->forest_name
);
126 BAIL_ON_PTR_ERROR(c
->forest_name
, nt_status
);
136 /**********************************************************************
137 **********************************************************************/
<![CDATA[]]>/*
 * cell_locate_membership: create the single "forest" cell for this machine's
 * realm and register it in the global cell list.
 *
 * ads - open ADS connection; it is stored in the cell (cell_set_connection)
 *       and used once here to fetch the domain SID.
 *
 * Returns NT_STATUS_OK on success; NT_STATUS_NO_MEMORY if cell_new() fails;
 * NT_STATUS_INSUFFICIENT_RESOURCES if cell_list_add() refuses the cell.
 * The locals status (ADS_STATUS) and sid, the done: label and the final
 * return are on lines not shown in this listing.
 *
 * NOTE(review): the return value of cell_lookup_forest() is discarded, so a
 * cell with a NULL forest_name can still be added to the list; callers that
 * rely on forest_name should treat it as optional or this should bail.
 * NOTE(review): on the ads_domain_sid() failure path the lines shown do not
 * release the freshly created cell; confirm against the lines not shown.
 * The log prefix "locate_cell_membership" differs from the function name —
 * worth remembering when searching logs.
 */
139 NTSTATUS
cell_locate_membership(ADS_STRUCT
* ads
)
142 char *domain_dn
= ads_build_dn(lp_realm());
143 NTSTATUS nt_status
= NT_STATUS_UNSUCCESSFUL
;
145 struct likewise_cell
*cell
= NULL
;
147 /* In the Likewise plugin, I had to support the concept of cells
148 based on the machine's membership in an OU. However, now I'll
149 just assume our membership in the forest cell */
/* NOTE(review): domain_dn is not checked for NULL before being logged here */
151 DEBUG(2, ("locate_cell_membership: Located membership "
152 "in cell \"%s\"\n", domain_dn
));
154 if ((cell
= cell_new()) == NULL
) {
155 nt_status
= NT_STATUS_NO_MEMORY
;
156 BAIL_ON_NTSTATUS_ERROR(nt_status
);
/* The domain SID is needed so the cell can scope SID<->id lookups */
159 status
= ads_domain_sid(ads
, &sid
);
160 if (!ADS_ERR_OK(status
)) {
161 DEBUG(3,("locate_cell_membership: Failed to find "
162 "domain SID for %s\n", domain_dn
));
165 /* save the SID and search base for our domain */
167 cell_set_dns_domain(cell
, lp_realm());
168 cell_set_connection(cell
, ads
);
169 cell_set_dn(cell
, domain_dn
);
170 cell_set_domain_sid(cell
, &sid
);
172 /* Now save our forest root */
/* NOTE(review): NTSTATUS result ignored; forest_name may remain NULL */
174 cell_lookup_forest(cell
);
176 /* Add the cell to the list */
178 if (!cell_list_add(cell
)) {
179 nt_status
= NT_STATUS_INSUFFICIENT_RESOURCES
;
180 BAIL_ON_NTSTATUS_ERROR(nt_status
);
184 nt_status
= NT_STATUS_OK
;
187 if (!NT_STATUS_IS_OK(nt_status
)) {
188 DEBUG(0,("LWI: Failed to locate cell membership (%s)\n",
189 nt_errstr(nt_status
)));
/* domain_dn came from ads_build_dn() (malloc), not talloc, hence SAFE_FREE */
192 SAFE_FREE(domain_dn
);
197 /*********************************************************************
198 ********************************************************************/
/*
 * min_id_value: lowest uid/gid this backend will hand out.
 *
 * Reads the smb.conf parameter "lwidentity:min_id_value" (default
 * MIN_ID_VALUE) and clamps it to at least 50, so a misconfigured or
 * too-low setting cannot make mapped AD identities collide with the low
 * id range conventionally used by local system accounts. The declaration
 * of id_val is on a line not shown in this listing.
 *
 * Returns the effective minimum id (never below 50).
 */
200 int min_id_value(void)
204 id_val
= lp_parm_int(-1, "lwidentity", "min_id_value", MIN_ID_VALUE
);
206 /* Still don't let it go below 50 */
208 return MAX(50, id_val
);
211 /********************************************************************
212 *******************************************************************/
/*
 * cell_dn_to_dns: convert an LDAP DN to the DNS name of its domain.
 *
 * dn - DN such as "CN=x,OU=y,DC=example,DC=com"; components are split on
 *      ',' and only those starting with "DC=" (case-insensitive) are kept,
 *      joined with '.' in DN order.
 *
 * Returns a malloc'd string (SMB_STRDUP) that the CALLER owns and must
 * release with SAFE_FREE(); returns NULL on allocation failure or when the
 * DN contains no DC= component (domain stays NULL and BAIL_ON_PTR_ERROR
 * fires). The temporaries live on a talloc stackframe released at the end.
 * The locals tmp_dn, buffer and domain, the "continue" for non-DC parts,
 * the second argument of talloc_asprintf_append, the done: label and the
 * final return are on lines not shown in this listing.
 *
 * NOTE(review): no validation of the DC values themselves is done here; the
 * result is only as trustworthy as the directory the DN came from.
 */
214 char *cell_dn_to_dns(const char *dn
)
216 NTSTATUS nt_status
= NT_STATUS_UNSUCCESSFUL
;
218 char *dns_name
= NULL
;
221 TALLOC_CTX
*frame
= talloc_stackframe();
/* Work on a private copy: next_token_talloc advances tmp_dn through it */
227 tmp_dn
= talloc_strdup(frame
, dn
);
228 BAIL_ON_PTR_ERROR(tmp_dn
, nt_status
);
230 while (next_token_talloc(frame
, &tmp_dn
, &buffer
, ",")) {
232 /* skip everything up to where DC=... begins */
233 if (strncasecmp_m(buffer
, "DC=", 3) != 0)
/* First DC component starts the name; later ones are appended with '.' */
237 domain
= talloc_strdup(frame
, &buffer
[3]);
239 domain
= talloc_asprintf_append(domain
, ".%s",
242 BAIL_ON_PTR_ERROR(domain
, nt_status
);
/* Hand back a plain malloc'd copy since the talloc frame is torn down below */
245 dns_name
= SMB_STRDUP(domain
);
246 BAIL_ON_PTR_ERROR(dns_name
, nt_status
);
248 nt_status
= NT_STATUS_OK
;
251 PRINT_NTSTATUS_ERROR(nt_status
, "cell_dn_to_dns", 1);
/* NOTE(review): TALLOC_FREE(frame) is the usual idiom for a stackframe */
253 talloc_destroy(frame
);
258 /*********************************************************************
259 ********************************************************************/
261 NTSTATUS
get_sid_type(ADS_STRUCT
*ads
,
263 enum lsa_SidType
*type
)
265 NTSTATUS nt_status
= NT_STATUS_UNSUCCESSFUL
;
268 if (!ads_pull_uint32(ads
, msg
, "sAMAccountType", &atype
)) {
269 nt_status
= NT_STATUS_INVALID_USER_BUFFER
;
270 BAIL_ON_NTSTATUS_ERROR(nt_status
);
273 switch (atype
&0xF0000000) {
274 case ATYPE_SECURITY_GLOBAL_GROUP
:
275 *type
= SID_NAME_DOM_GRP
;
277 case ATYPE_SECURITY_LOCAL_GROUP
:
278 *type
= SID_NAME_ALIAS
;
280 case ATYPE_NORMAL_ACCOUNT
:
281 case ATYPE_WORKSTATION_TRUST
:
282 case ATYPE_INTERDOMAIN_TRUST
:
283 *type
= SID_NAME_USER
;
286 *type
= SID_NAME_USE_NONE
;
287 nt_status
= NT_STATUS_INVALID_ACCOUNT_NAME
;
288 BAIL_ON_NTSTATUS_ERROR(nt_status
);
291 nt_status
= NT_STATUS_OK
;