2 Unix SMB/CIFS implementation.
4 Winbind rpc backend functions
6 Copyright (C) Tim Potter 2000-2001,2003
7 Copyright (C) Andrew Tridgell 2001
8 Copyright (C) Volker Lendecke 2005
9 Copyright (C) Guenther Deschner 2008 (pidl conversion)
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 3 of the License, or
14 (at your option) any later version.
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
21 You should have received a copy of the GNU General Public License
22 along with this program. If not, see <http://www.gnu.org/licenses/>.
27 #include "winbindd_rpc.h"
29 #include "../librpc/gen_ndr/cli_samr.h"
30 #include "rpc_client/cli_samr.h"
31 #include "../librpc/gen_ndr/cli_lsa.h"
32 #include "rpc_client/cli_lsarpc.h"
35 #define DBGC_CLASS DBGC_WINBIND
38 /* Query display info for a domain. This returns enough information plus a
39 bit extra to give an overview of domain users for the User Manager
41 static NTSTATUS
msrpc_query_user_list(struct winbindd_domain
*domain
,
44 struct wbint_userinfo
**pinfo
)
46 struct rpc_pipe_client
*samr_pipe
= NULL
;
47 struct policy_handle dom_pol
;
48 struct wbint_userinfo
*info
= NULL
;
49 uint32_t num_info
= 0;
53 DEBUG(3,("rpc_query_user_list\n"));
59 tmp_ctx
= talloc_stackframe();
60 if (tmp_ctx
== NULL
) {
61 return NT_STATUS_NO_MEMORY
;
64 if ( !winbindd_can_contact_domain( domain
) ) {
65 DEBUG(10,("query_user_list: No incoming trust for domain %s\n",
67 status
= NT_STATUS_OK
;
71 status
= cm_connect_sam(domain
, tmp_ctx
, &samr_pipe
, &dom_pol
);
72 if (!NT_STATUS_IS_OK(status
)) {
76 status
= rpc_query_user_list(tmp_ctx
,
82 if (!NT_STATUS_IS_OK(status
)) {
87 *pnum_info
= num_info
;
91 *pinfo
= talloc_move(mem_ctx
, &info
);
99 /* list all domain groups */
100 static NTSTATUS
msrpc_enum_dom_groups(struct winbindd_domain
*domain
,
103 struct acct_info
**pinfo
)
105 struct rpc_pipe_client
*samr_pipe
;
106 struct policy_handle dom_pol
;
107 struct acct_info
*info
= NULL
;
108 uint32_t num_info
= 0;
112 DEBUG(3,("msrpc_enum_dom_groups\n"));
118 tmp_ctx
= talloc_stackframe();
119 if (tmp_ctx
== NULL
) {
120 return NT_STATUS_NO_MEMORY
;
123 if ( !winbindd_can_contact_domain( domain
) ) {
124 DEBUG(10,("enum_domain_groups: No incoming trust for domain %s\n",
126 status
= NT_STATUS_OK
;
130 status
= cm_connect_sam(domain
, tmp_ctx
, &samr_pipe
, &dom_pol
);
131 if (!NT_STATUS_IS_OK(status
)) {
135 status
= rpc_enum_dom_groups(tmp_ctx
,
140 if (!NT_STATUS_IS_OK(status
)) {
145 *pnum_info
= num_info
;
149 *pinfo
= talloc_move(mem_ctx
, &info
);
153 TALLOC_FREE(tmp_ctx
);
157 /* List all domain groups */
159 static NTSTATUS
enum_local_groups(struct winbindd_domain
*domain
,
162 struct acct_info
**info
)
164 struct policy_handle dom_pol
;
166 struct rpc_pipe_client
*cli
;
171 DEBUG(3,("rpc: enum_local_groups\n"));
173 if ( !winbindd_can_contact_domain( domain
) ) {
174 DEBUG(10,("enum_local_groups: No incoming trust for domain %s\n",
179 result
= cm_connect_sam(domain
, mem_ctx
, &cli
, &dom_pol
);
180 if (!NT_STATUS_IS_OK(result
))
184 struct samr_SamArray
*sam_array
= NULL
;
185 uint32 count
= 0, start
= *num_entries
;
186 TALLOC_CTX
*mem_ctx2
;
189 mem_ctx2
= talloc_init("enum_dom_local_groups[rpc]");
191 result
= rpccli_samr_EnumDomainAliases(cli
, mem_ctx2
,
195 0xFFFF, /* buffer size? */
197 if (!NT_STATUS_IS_OK(result
) &&
198 !NT_STATUS_EQUAL(result
, STATUS_MORE_ENTRIES
) )
200 talloc_destroy(mem_ctx2
);
204 (*info
) = TALLOC_REALLOC_ARRAY(mem_ctx
, *info
,
206 (*num_entries
) + count
);
208 talloc_destroy(mem_ctx2
);
209 return NT_STATUS_NO_MEMORY
;
212 for (g
=0; g
< count
; g
++) {
214 fstrcpy((*info
)[*num_entries
+ g
].acct_name
,
215 sam_array
->entries
[g
].name
.string
);
216 (*info
)[*num_entries
+ g
].rid
= sam_array
->entries
[g
].idx
;
219 (*num_entries
) += count
;
220 talloc_destroy(mem_ctx2
);
222 } while (NT_STATUS_EQUAL(result
, STATUS_MORE_ENTRIES
));
227 /* convert a single name to a sid in a domain */
228 static NTSTATUS
msrpc_name_to_sid(struct winbindd_domain
*domain
,
230 const char *domain_name
,
234 enum lsa_SidType
*type
)
237 struct dom_sid
*sids
= NULL
;
238 enum lsa_SidType
*types
= NULL
;
239 char *full_name
= NULL
;
240 NTSTATUS name_map_status
= NT_STATUS_UNSUCCESSFUL
;
241 char *mapped_name
= NULL
;
243 if (name
== NULL
|| *name
=='\0') {
244 full_name
= talloc_asprintf(mem_ctx
, "%s", domain_name
);
245 } else if (domain_name
== NULL
|| *domain_name
== '\0') {
246 full_name
= talloc_asprintf(mem_ctx
, "%s", name
);
248 full_name
= talloc_asprintf(mem_ctx
, "%s\\%s", domain_name
, name
);
251 DEBUG(0, ("talloc_asprintf failed!\n"));
252 return NT_STATUS_NO_MEMORY
;
255 DEBUG(3,("rpc: name_to_sid name=%s\n", full_name
));
257 name_map_status
= normalize_name_unmap(mem_ctx
, full_name
,
260 /* Reset the full_name pointer if we mapped anytthing */
262 if (NT_STATUS_IS_OK(name_map_status
) ||
263 NT_STATUS_EQUAL(name_map_status
, NT_STATUS_FILE_RENAMED
))
265 full_name
= mapped_name
;
268 DEBUG(3,("name_to_sid [rpc] %s for domain %s\n",
269 full_name
?full_name
:"", domain_name
));
271 result
= winbindd_lookup_names(mem_ctx
, domain
, 1,
272 (const char **)&full_name
, NULL
,
274 if (!NT_STATUS_IS_OK(result
))
277 /* Return rid and type if lookup successful */
279 sid_copy(sid
, &sids
[0]);
286 convert a domain SID to a user or group name
288 static NTSTATUS
msrpc_sid_to_name(struct winbindd_domain
*domain
,
290 const struct dom_sid
*sid
,
293 enum lsa_SidType
*type
)
297 enum lsa_SidType
*types
= NULL
;
299 NTSTATUS name_map_status
= NT_STATUS_UNSUCCESSFUL
;
300 char *mapped_name
= NULL
;
302 DEBUG(3,("sid_to_name [rpc] %s for domain %s\n", sid_string_dbg(sid
),
305 result
= winbindd_lookup_sids(mem_ctx
,
312 if (!NT_STATUS_IS_OK(result
)) {
313 DEBUG(2,("msrpc_sid_to_name: failed to lookup sids: %s\n",
319 *type
= (enum lsa_SidType
)types
[0];
320 *domain_name
= domains
[0];
323 DEBUG(5,("Mapped sid to [%s]\\[%s]\n", domains
[0], *name
));
325 name_map_status
= normalize_name_map(mem_ctx
, domain
, *name
,
327 if (NT_STATUS_IS_OK(name_map_status
) ||
328 NT_STATUS_EQUAL(name_map_status
, NT_STATUS_FILE_RENAMED
))
331 DEBUG(5,("returning mapped name -- %s\n", *name
));
337 static NTSTATUS
msrpc_rids_to_names(struct winbindd_domain
*domain
,
339 const struct dom_sid
*sid
,
344 enum lsa_SidType
**types
)
348 struct dom_sid
*sids
;
352 DEBUG(3, ("rids_to_names [rpc] for domain %s\n", domain
->name
));
355 sids
= TALLOC_ARRAY(mem_ctx
, struct dom_sid
, num_rids
);
357 return NT_STATUS_NO_MEMORY
;
363 for (i
=0; i
<num_rids
; i
++) {
364 if (!sid_compose(&sids
[i
], sid
, rids
[i
])) {
365 return NT_STATUS_INTERNAL_ERROR
;
369 result
= winbindd_lookup_sids(mem_ctx
,
377 if (!NT_STATUS_IS_OK(result
) &&
378 !NT_STATUS_EQUAL(result
, STATUS_SOME_UNMAPPED
)) {
383 for (i
=0; i
<num_rids
; i
++) {
384 NTSTATUS name_map_status
= NT_STATUS_UNSUCCESSFUL
;
385 char *mapped_name
= NULL
;
387 if ((*types
)[i
] != SID_NAME_UNKNOWN
) {
388 name_map_status
= normalize_name_map(mem_ctx
,
392 if (NT_STATUS_IS_OK(name_map_status
) ||
393 NT_STATUS_EQUAL(name_map_status
, NT_STATUS_FILE_RENAMED
))
395 ret_names
[i
] = mapped_name
;
398 *domain_name
= domains
[i
];
405 /* Lookup user information from a rid or username. */
406 static NTSTATUS
query_user(struct winbindd_domain
*domain
,
408 const struct dom_sid
*user_sid
,
409 struct wbint_userinfo
*user_info
)
411 NTSTATUS result
= NT_STATUS_UNSUCCESSFUL
;
412 struct policy_handle dom_pol
, user_pol
;
413 union samr_UserInfo
*info
= NULL
;
415 struct netr_SamInfo3
*user
;
416 struct rpc_pipe_client
*cli
;
418 DEBUG(3,("rpc: query_user sid=%s\n", sid_string_dbg(user_sid
)));
420 if (!sid_peek_check_rid(&domain
->sid
, user_sid
, &user_rid
))
421 return NT_STATUS_UNSUCCESSFUL
;
423 user_info
->homedir
= NULL
;
424 user_info
->shell
= NULL
;
425 user_info
->primary_gid
= (gid_t
)-1;
427 /* try netsamlogon cache first */
429 if ( (user
= netsamlogon_cache_get( mem_ctx
, user_sid
)) != NULL
)
432 DEBUG(5,("query_user: Cache lookup succeeded for %s\n",
433 sid_string_dbg(user_sid
)));
435 sid_compose(&user_info
->user_sid
, &domain
->sid
, user
->base
.rid
);
436 sid_compose(&user_info
->group_sid
, &domain
->sid
,
437 user
->base
.primary_gid
);
439 user_info
->acct_name
= talloc_strdup(mem_ctx
,
440 user
->base
.account_name
.string
);
441 user_info
->full_name
= talloc_strdup(mem_ctx
,
442 user
->base
.full_name
.string
);
449 if ( !winbindd_can_contact_domain( domain
) ) {
450 DEBUG(10,("query_user: No incoming trust for domain %s\n",
455 /* no cache; hit the wire */
457 result
= cm_connect_sam(domain
, mem_ctx
, &cli
, &dom_pol
);
458 if (!NT_STATUS_IS_OK(result
))
461 /* Get user handle */
462 result
= rpccli_samr_OpenUser(cli
, mem_ctx
,
464 SEC_FLAG_MAXIMUM_ALLOWED
,
468 if (!NT_STATUS_IS_OK(result
))
472 result
= rpccli_samr_QueryUserInfo(cli
, mem_ctx
,
477 rpccli_samr_Close(cli
, mem_ctx
, &user_pol
);
479 if (!NT_STATUS_IS_OK(result
))
482 sid_compose(&user_info
->user_sid
, &domain
->sid
, user_rid
);
483 sid_compose(&user_info
->group_sid
, &domain
->sid
,
484 info
->info21
.primary_gid
);
485 user_info
->acct_name
= talloc_strdup(mem_ctx
,
486 info
->info21
.account_name
.string
);
487 user_info
->full_name
= talloc_strdup(mem_ctx
,
488 info
->info21
.full_name
.string
);
489 user_info
->homedir
= NULL
;
490 user_info
->shell
= NULL
;
491 user_info
->primary_gid
= (gid_t
)-1;
496 /* Lookup groups a user is a member of. I wish Unix had a call like this! */
497 static NTSTATUS
lookup_usergroups(struct winbindd_domain
*domain
,
499 const struct dom_sid
*user_sid
,
500 uint32
*num_groups
, struct dom_sid
**user_grpsids
)
502 NTSTATUS result
= NT_STATUS_UNSUCCESSFUL
;
503 struct policy_handle dom_pol
, user_pol
;
504 uint32 des_access
= SEC_FLAG_MAXIMUM_ALLOWED
;
505 struct samr_RidWithAttributeArray
*rid_array
= NULL
;
508 struct rpc_pipe_client
*cli
;
510 DEBUG(3,("rpc: lookup_usergroups sid=%s\n", sid_string_dbg(user_sid
)));
512 if (!sid_peek_check_rid(&domain
->sid
, user_sid
, &user_rid
))
513 return NT_STATUS_UNSUCCESSFUL
;
516 *user_grpsids
= NULL
;
518 /* so lets see if we have a cached user_info_3 */
519 result
= lookup_usergroups_cached(domain
, mem_ctx
, user_sid
,
520 num_groups
, user_grpsids
);
522 if (NT_STATUS_IS_OK(result
)) {
526 if ( !winbindd_can_contact_domain( domain
) ) {
527 DEBUG(10,("lookup_usergroups: No incoming trust for domain %s\n",
530 /* Tell the cache manager not to remember this one */
532 return NT_STATUS_SYNCHRONIZATION_REQUIRED
;
535 /* no cache; hit the wire */
537 result
= cm_connect_sam(domain
, mem_ctx
, &cli
, &dom_pol
);
538 if (!NT_STATUS_IS_OK(result
))
541 /* Get user handle */
542 result
= rpccli_samr_OpenUser(cli
, mem_ctx
,
548 if (!NT_STATUS_IS_OK(result
))
551 /* Query user rids */
552 result
= rpccli_samr_GetGroupsForUser(cli
, mem_ctx
,
555 *num_groups
= rid_array
->count
;
557 rpccli_samr_Close(cli
, mem_ctx
, &user_pol
);
559 if (!NT_STATUS_IS_OK(result
) || (*num_groups
) == 0)
562 (*user_grpsids
) = TALLOC_ARRAY(mem_ctx
, struct dom_sid
, *num_groups
);
563 if (!(*user_grpsids
))
564 return NT_STATUS_NO_MEMORY
;
566 for (i
=0;i
<(*num_groups
);i
++) {
567 sid_compose(&((*user_grpsids
)[i
]), &domain
->sid
,
568 rid_array
->rids
[i
].rid
);
574 #define MAX_SAM_ENTRIES_W2K 0x400 /* 1024 */
576 static NTSTATUS
msrpc_lookup_useraliases(struct winbindd_domain
*domain
,
578 uint32 num_sids
, const struct dom_sid
*sids
,
582 NTSTATUS result
= NT_STATUS_UNSUCCESSFUL
;
583 struct policy_handle dom_pol
;
584 uint32 num_query_sids
= 0;
586 struct rpc_pipe_client
*cli
;
587 struct samr_Ids alias_rids_query
;
588 int rangesize
= MAX_SAM_ENTRIES_W2K
;
589 uint32 total_sids
= 0;
595 DEBUG(3,("rpc: lookup_useraliases\n"));
597 if ( !winbindd_can_contact_domain( domain
) ) {
598 DEBUG(10,("msrpc_lookup_useraliases: No incoming trust for domain %s\n",
603 result
= cm_connect_sam(domain
, mem_ctx
, &cli
, &dom_pol
);
604 if (!NT_STATUS_IS_OK(result
))
609 struct lsa_SidArray sid_array
;
611 ZERO_STRUCT(sid_array
);
613 num_query_sids
= MIN(num_sids
- total_sids
, rangesize
);
615 DEBUG(10,("rpc: lookup_useraliases: entering query %d for %d sids\n",
616 num_queries
, num_query_sids
));
618 if (num_query_sids
) {
619 sid_array
.sids
= TALLOC_ZERO_ARRAY(mem_ctx
, struct lsa_SidPtr
, num_query_sids
);
620 if (sid_array
.sids
== NULL
) {
621 return NT_STATUS_NO_MEMORY
;
624 sid_array
.sids
= NULL
;
627 for (i
=0; i
<num_query_sids
; i
++) {
628 sid_array
.sids
[i
].sid
= sid_dup_talloc(mem_ctx
, &sids
[total_sids
++]);
629 if (!sid_array
.sids
[i
].sid
) {
630 TALLOC_FREE(sid_array
.sids
);
631 return NT_STATUS_NO_MEMORY
;
634 sid_array
.num_sids
= num_query_sids
;
637 result
= rpccli_samr_GetAliasMembership(cli
, mem_ctx
,
642 if (!NT_STATUS_IS_OK(result
)) {
645 TALLOC_FREE(sid_array
.sids
);
651 for (i
=0; i
<alias_rids_query
.count
; i
++) {
652 size_t na
= *num_aliases
;
653 if (!add_rid_to_array_unique(mem_ctx
, alias_rids_query
.ids
[i
],
655 return NT_STATUS_NO_MEMORY
;
660 TALLOC_FREE(sid_array
.sids
);
664 } while (total_sids
< num_sids
);
667 DEBUG(10,("rpc: lookup_useraliases: got %d aliases in %d queries "
668 "(rangesize: %d)\n", *num_aliases
, num_queries
, rangesize
));
674 /* Lookup group membership given a rid. */
675 static NTSTATUS
lookup_groupmem(struct winbindd_domain
*domain
,
677 const struct dom_sid
*group_sid
,
678 enum lsa_SidType type
,
680 struct dom_sid
**sid_mem
, char ***names
,
683 NTSTATUS result
= NT_STATUS_UNSUCCESSFUL
;
684 uint32 i
, total_names
= 0;
685 struct policy_handle dom_pol
, group_pol
;
686 uint32 des_access
= SEC_FLAG_MAXIMUM_ALLOWED
;
687 uint32
*rid_mem
= NULL
;
690 struct rpc_pipe_client
*cli
;
691 unsigned int orig_timeout
;
692 struct samr_RidTypeArray
*rids
= NULL
;
694 DEBUG(10,("rpc: lookup_groupmem %s sid=%s\n", domain
->name
,
695 sid_string_dbg(group_sid
)));
697 if ( !winbindd_can_contact_domain( domain
) ) {
698 DEBUG(10,("lookup_groupmem: No incoming trust for domain %s\n",
703 if (!sid_peek_check_rid(&domain
->sid
, group_sid
, &group_rid
))
704 return NT_STATUS_UNSUCCESSFUL
;
708 result
= cm_connect_sam(domain
, mem_ctx
, &cli
, &dom_pol
);
709 if (!NT_STATUS_IS_OK(result
))
712 result
= rpccli_samr_OpenGroup(cli
, mem_ctx
,
718 if (!NT_STATUS_IS_OK(result
))
721 /* Step #1: Get a list of user rids that are the members of the
724 /* This call can take a long time - allow the server to time out.
725 35 seconds should do it. */
727 orig_timeout
= rpccli_set_timeout(cli
, 35000);
729 result
= rpccli_samr_QueryGroupMember(cli
, mem_ctx
,
733 /* And restore our original timeout. */
734 rpccli_set_timeout(cli
, orig_timeout
);
736 rpccli_samr_Close(cli
, mem_ctx
, &group_pol
);
738 if (!NT_STATUS_IS_OK(result
))
741 if (!rids
|| !rids
->count
) {
748 *num_names
= rids
->count
;
749 rid_mem
= rids
->rids
;
751 /* Step #2: Convert list of rids into list of usernames. Do this
752 in bunches of ~1000 to avoid crashing NT4. It looks like there
753 is a buffer overflow or something like that lurking around
756 #define MAX_LOOKUP_RIDS 900
758 *names
= TALLOC_ZERO_ARRAY(mem_ctx
, char *, *num_names
);
759 *name_types
= TALLOC_ZERO_ARRAY(mem_ctx
, uint32
, *num_names
);
760 *sid_mem
= TALLOC_ZERO_ARRAY(mem_ctx
, struct dom_sid
, *num_names
);
762 for (j
=0;j
<(*num_names
);j
++)
763 sid_compose(&(*sid_mem
)[j
], &domain
->sid
, rid_mem
[j
]);
765 if (*num_names
>0 && (!*names
|| !*name_types
))
766 return NT_STATUS_NO_MEMORY
;
768 for (i
= 0; i
< *num_names
; i
+= MAX_LOOKUP_RIDS
) {
769 int num_lookup_rids
= MIN(*num_names
- i
, MAX_LOOKUP_RIDS
);
770 struct lsa_Strings tmp_names
;
771 struct samr_Ids tmp_types
;
773 /* Lookup a chunk of rids */
775 result
= rpccli_samr_LookupRids(cli
, mem_ctx
,
782 /* see if we have a real error (and yes the
783 STATUS_SOME_UNMAPPED is the one returned from 2k) */
785 if (!NT_STATUS_IS_OK(result
) &&
786 !NT_STATUS_EQUAL(result
, STATUS_SOME_UNMAPPED
))
789 /* Copy result into array. The talloc system will take
790 care of freeing the temporary arrays later on. */
792 if (tmp_names
.count
!= tmp_types
.count
) {
793 return NT_STATUS_UNSUCCESSFUL
;
796 for (r
=0; r
<tmp_names
.count
; r
++) {
797 if (tmp_types
.ids
[r
] == SID_NAME_UNKNOWN
) {
800 (*names
)[total_names
] = fill_domain_username_talloc(
801 mem_ctx
, domain
->name
,
802 tmp_names
.names
[r
].string
, true);
803 (*name_types
)[total_names
] = tmp_types
.ids
[r
];
808 *num_names
= total_names
;
817 static int get_ldap_seq(const char *server
, int port
, uint32
*seq
)
821 const char *attrs
[] = {"highestCommittedUSN", NULL
};
822 LDAPMessage
*res
= NULL
;
823 char **values
= NULL
;
826 *seq
= DOM_SEQUENCE_NONE
;
829 * Parameterised (5) second timeout on open. This is needed as the
830 * search timeout doesn't seem to apply to doing an open as well. JRA.
833 ldp
= ldap_open_with_timeout(server
, port
, lp_ldap_timeout());
837 /* Timeout if no response within 20 seconds. */
841 if (ldap_search_st(ldp
, "", LDAP_SCOPE_BASE
, "(objectclass=*)",
842 CONST_DISCARD(char **, attrs
), 0, &to
, &res
))
845 if (ldap_count_entries(ldp
, res
) != 1)
848 values
= ldap_get_values(ldp
, res
, "highestCommittedUSN");
849 if (!values
|| !values
[0])
852 *seq
= atoi(values
[0]);
858 ldap_value_free(values
);
866 /**********************************************************************
867 Get the sequence number for a Windows AD native mode domain using
869 **********************************************************************/
871 static int get_ldap_sequence_number(struct winbindd_domain
*domain
, uint32
*seq
)
874 char addr
[INET6_ADDRSTRLEN
];
876 print_sockaddr(addr
, sizeof(addr
), &domain
->dcaddr
);
877 if ((ret
= get_ldap_seq(addr
, LDAP_PORT
, seq
)) == 0) {
878 DEBUG(3, ("get_ldap_sequence_number: Retrieved sequence "
879 "number for Domain (%s) from DC (%s)\n",
880 domain
->name
, addr
));
885 #endif /* HAVE_LDAP */
887 /* find the sequence number for a domain */
888 static NTSTATUS
sequence_number(struct winbindd_domain
*domain
, uint32
*seq
)
891 union samr_DomainInfo
*info
= NULL
;
893 struct policy_handle dom_pol
;
894 bool got_seq_num
= False
;
895 struct rpc_pipe_client
*cli
;
897 DEBUG(10,("rpc: fetch sequence_number for %s\n", domain
->name
));
899 if ( !winbindd_can_contact_domain( domain
) ) {
900 DEBUG(10,("sequence_number: No incoming trust for domain %s\n",
906 *seq
= DOM_SEQUENCE_NONE
;
908 if (!(mem_ctx
= talloc_init("sequence_number[rpc]")))
909 return NT_STATUS_NO_MEMORY
;
912 if ( domain
->active_directory
)
916 DEBUG(8,("using get_ldap_seq() to retrieve the "
917 "sequence number\n"));
919 res
= get_ldap_sequence_number( domain
, seq
);
922 result
= NT_STATUS_OK
;
923 DEBUG(10,("domain_sequence_number: LDAP for "
925 domain
->name
, *seq
));
929 DEBUG(10,("domain_sequence_number: failed to get LDAP "
930 "sequence number for domain %s\n",
933 #endif /* HAVE_LDAP */
935 result
= cm_connect_sam(domain
, mem_ctx
, &cli
, &dom_pol
);
936 if (!NT_STATUS_IS_OK(result
)) {
940 /* Query domain info */
942 result
= rpccli_samr_QueryDomainInfo(cli
, mem_ctx
,
947 if (NT_STATUS_IS_OK(result
)) {
948 *seq
= info
->info8
.sequence_num
;
953 /* retry with info-level 2 in case the dc does not support info-level 8
954 * (like all older samba2 and samba3 dc's) - Guenther */
956 result
= rpccli_samr_QueryDomainInfo(cli
, mem_ctx
,
961 if (NT_STATUS_IS_OK(result
)) {
962 *seq
= info
->general
.sequence_num
;
968 DEBUG(10,("domain_sequence_number: for domain %s is %u\n",
969 domain
->name
, (unsigned)*seq
));
971 DEBUG(10,("domain_sequence_number: failed to get sequence "
972 "number (%u) for domain %s\n",
973 (unsigned)*seq
, domain
->name
));
978 talloc_destroy(mem_ctx
);
983 /* get a list of trusted domains */
984 static NTSTATUS
trusted_domains(struct winbindd_domain
*domain
,
986 struct netr_DomainTrustList
*trusts
)
988 NTSTATUS result
= NT_STATUS_UNSUCCESSFUL
;
990 struct rpc_pipe_client
*cli
;
991 struct policy_handle lsa_policy
;
993 DEBUG(3,("rpc: trusted_domains\n"));
995 ZERO_STRUCTP(trusts
);
997 result
= cm_connect_lsa(domain
, mem_ctx
, &cli
, &lsa_policy
);
998 if (!NT_STATUS_IS_OK(result
))
1001 result
= STATUS_MORE_ENTRIES
;
1003 while (NT_STATUS_EQUAL(result
, STATUS_MORE_ENTRIES
)) {
1006 struct lsa_DomainList dom_list
;
1008 result
= rpccli_lsa_EnumTrustDom(cli
, mem_ctx
,
1014 if (!NT_STATUS_IS_OK(result
) &&
1015 !NT_STATUS_EQUAL(result
, STATUS_MORE_ENTRIES
))
1018 start_idx
= trusts
->count
;
1019 trusts
->count
+= dom_list
.count
;
1021 trusts
->array
= talloc_realloc(
1022 mem_ctx
, trusts
->array
, struct netr_DomainTrust
,
1024 if (trusts
->array
== NULL
) {
1025 return NT_STATUS_NO_MEMORY
;
1028 for (i
=0; i
<dom_list
.count
; i
++) {
1029 struct netr_DomainTrust
*trust
= &trusts
->array
[i
];
1030 struct dom_sid
*sid
;
1032 ZERO_STRUCTP(trust
);
1034 trust
->netbios_name
= talloc_move(
1036 &dom_list
.domains
[i
].name
.string
);
1037 trust
->dns_name
= NULL
;
1039 sid
= talloc(trusts
->array
, struct dom_sid
);
1041 return NT_STATUS_NO_MEMORY
;
1043 sid_copy(sid
, dom_list
.domains
[i
].sid
);
1050 /* find the lockout policy for a domain */
1051 static NTSTATUS
msrpc_lockout_policy(struct winbindd_domain
*domain
,
1052 TALLOC_CTX
*mem_ctx
,
1053 struct samr_DomInfo12
*lockout_policy
)
1056 struct rpc_pipe_client
*cli
;
1057 struct policy_handle dom_pol
;
1058 union samr_DomainInfo
*info
= NULL
;
1060 DEBUG(10,("rpc: fetch lockout policy for %s\n", domain
->name
));
1062 if ( !winbindd_can_contact_domain( domain
) ) {
1063 DEBUG(10,("msrpc_lockout_policy: No incoming trust for domain %s\n",
1065 return NT_STATUS_NOT_SUPPORTED
;
1068 result
= cm_connect_sam(domain
, mem_ctx
, &cli
, &dom_pol
);
1069 if (!NT_STATUS_IS_OK(result
)) {
1073 result
= rpccli_samr_QueryDomainInfo(cli
, mem_ctx
,
1077 if (!NT_STATUS_IS_OK(result
)) {
1081 *lockout_policy
= info
->info12
;
1083 DEBUG(10,("msrpc_lockout_policy: lockout_threshold %d\n",
1084 info
->info12
.lockout_threshold
));
1091 /* find the password policy for a domain */
1092 static NTSTATUS
msrpc_password_policy(struct winbindd_domain
*domain
,
1093 TALLOC_CTX
*mem_ctx
,
1094 struct samr_DomInfo1
*password_policy
)
1097 struct rpc_pipe_client
*cli
;
1098 struct policy_handle dom_pol
;
1099 union samr_DomainInfo
*info
= NULL
;
1101 DEBUG(10,("rpc: fetch password policy for %s\n", domain
->name
));
1103 if ( !winbindd_can_contact_domain( domain
) ) {
1104 DEBUG(10,("msrpc_password_policy: No incoming trust for domain %s\n",
1106 return NT_STATUS_NOT_SUPPORTED
;
1109 result
= cm_connect_sam(domain
, mem_ctx
, &cli
, &dom_pol
);
1110 if (!NT_STATUS_IS_OK(result
)) {
1114 result
= rpccli_samr_QueryDomainInfo(cli
, mem_ctx
,
1118 if (!NT_STATUS_IS_OK(result
)) {
1122 *password_policy
= info
->info1
;
1124 DEBUG(10,("msrpc_password_policy: min_length_password %d\n",
1125 info
->info1
.min_password_length
));
1132 typedef NTSTATUS (*lookup_sids_fn_t
)(struct rpc_pipe_client
*cli
,
1133 TALLOC_CTX
*mem_ctx
,
1134 struct policy_handle
*pol
,
1136 const struct dom_sid
*sids
,
1139 enum lsa_SidType
**ptypes
);
1141 NTSTATUS
winbindd_lookup_sids(TALLOC_CTX
*mem_ctx
,
1142 struct winbindd_domain
*domain
,
1144 const struct dom_sid
*sids
,
1147 enum lsa_SidType
**types
)
1150 struct rpc_pipe_client
*cli
= NULL
;
1151 struct policy_handle lsa_policy
;
1152 unsigned int orig_timeout
;
1153 lookup_sids_fn_t lookup_sids_fn
= rpccli_lsa_lookup_sids
;
1155 if (domain
->can_do_ncacn_ip_tcp
) {
1156 status
= cm_connect_lsa_tcp(domain
, mem_ctx
, &cli
);
1157 if (NT_STATUS_IS_OK(status
)) {
1158 lookup_sids_fn
= rpccli_lsa_lookup_sids3
;
1161 domain
->can_do_ncacn_ip_tcp
= false;
1163 status
= cm_connect_lsa(domain
, mem_ctx
, &cli
, &lsa_policy
);
1165 if (!NT_STATUS_IS_OK(status
)) {
1171 * This call can take a long time
1172 * allow the server to time out.
1173 * 35 seconds should do it.
1175 orig_timeout
= rpccli_set_timeout(cli
, 35000);
1177 status
= lookup_sids_fn(cli
,
1186 /* And restore our original timeout. */
1187 rpccli_set_timeout(cli
, orig_timeout
);
1189 if (!NT_STATUS_IS_OK(status
)) {
1196 typedef NTSTATUS (*lookup_names_fn_t
)(struct rpc_pipe_client
*cli
,
1197 TALLOC_CTX
*mem_ctx
,
1198 struct policy_handle
*pol
,
1201 const char ***dom_names
,
1203 struct dom_sid
**sids
,
1204 enum lsa_SidType
**types
);
1206 NTSTATUS
winbindd_lookup_names(TALLOC_CTX
*mem_ctx
,
1207 struct winbindd_domain
*domain
,
1210 const char ***domains
,
1211 struct dom_sid
**sids
,
1212 enum lsa_SidType
**types
)
1215 struct rpc_pipe_client
*cli
= NULL
;
1216 struct policy_handle lsa_policy
;
1217 unsigned int orig_timeout
= 0;
1218 lookup_names_fn_t lookup_names_fn
= rpccli_lsa_lookup_names
;
1220 if (domain
->can_do_ncacn_ip_tcp
) {
1221 status
= cm_connect_lsa_tcp(domain
, mem_ctx
, &cli
);
1222 if (NT_STATUS_IS_OK(status
)) {
1223 lookup_names_fn
= rpccli_lsa_lookup_names4
;
1226 domain
->can_do_ncacn_ip_tcp
= false;
1228 status
= cm_connect_lsa(domain
, mem_ctx
, &cli
, &lsa_policy
);
1230 if (!NT_STATUS_IS_OK(status
)) {
1237 * This call can take a long time
1238 * allow the server to time out.
1239 * 35 seconds should do it.
1241 orig_timeout
= rpccli_set_timeout(cli
, 35000);
1243 status
= lookup_names_fn(cli
,
1247 (const char **) names
,
1253 /* And restore our original timeout. */
1254 rpccli_set_timeout(cli
, orig_timeout
);
1256 if (!NT_STATUS_IS_OK(status
)) {
1263 /* the rpc backend methods are exposed via this structure */
1264 struct winbindd_methods msrpc_methods
= {
1266 msrpc_query_user_list
,
1267 msrpc_enum_dom_groups
,
1271 msrpc_rids_to_names
,
1274 msrpc_lookup_useraliases
,
1277 msrpc_lockout_policy
,
1278 msrpc_password_policy
,