2 Unix SMB/CIFS implementation.
4 Winbind ADS backend functions
6 Copyright (C) Andrew Tridgell 2001
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003
8 Copyright (C) Gerald (Jerry) Carter 2004
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 2 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program; if not, write to the Free Software
22 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
31 #define DBGC_CLASS DBGC_WINBIND
34 return our ads connections structure for a domain. We keep the connection
35 open to make things faster
37 static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain)
41 enum wb_posix_mapping map_type;
43 DEBUG(10,("ads_cached_connection\n"));
45 if (domain->private_data) {
46 ads = (ADS_STRUCT *)domain->private_data;
48 /* check for a valid structure */
50 DEBUG(7, ("Current tickets expire at %d, time is now %d\n",
51 (uint32) ads->auth.expire, (uint32) time(NULL)));
52 if ( ads->config.realm && (ads->auth.expire > time(NULL))) {
56 /* we own this ADS_STRUCT so make sure it goes away */
59 ads_kdestroy("MEMORY:winbind_ccache");
60 domain->private_data = NULL;
64 /* we don't want this to affect the users ccache */
65 setenv("KRB5CCNAME", "MEMORY:winbind_ccache", 1);
67 ads = ads_init(domain->alt_name, domain->name, NULL);
69 DEBUG(1,("ads_init for domain %s failed\n", domain->name));
73 /* the machine acct password might have change - fetch it every time */
75 SAFE_FREE(ads->auth.password);
76 SAFE_FREE(ads->auth.realm);
82 if ( !secrets_fetch_trusted_domain_password( domain->name, &ads->auth.password, &sid, &last_set_time ) ) {
86 ads->auth.realm = SMB_STRDUP( ads->server.realm );
87 strupper_m( ads->auth.realm );
90 struct winbindd_domain *our_domain = domain;
92 ads->auth.password = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
94 /* always give preference to the alt_name in our
95 primary domain if possible */
97 if ( !domain->primary )
98 our_domain = find_our_domain();
100 if ( our_domain->alt_name[0] != '\0' ) {
101 ads->auth.realm = SMB_STRDUP( our_domain->alt_name );
102 strupper_m( ads->auth.realm );
105 ads->auth.realm = SMB_STRDUP( lp_realm() );
108 ads->auth.renewable = WINBINDD_PAM_AUTH_KRB5_RENEW_TIME;
110 status = ads_connect(ads);
111 if (!ADS_ERR_OK(status) || !ads->config.realm) {
112 extern struct winbindd_methods msrpc_methods, cache_methods;
113 DEBUG(1,("ads_connect for domain %s failed: %s\n",
114 domain->name, ads_errstr(status)));
117 /* if we get ECONNREFUSED then it might be a NT4
118 server, fall back to MSRPC */
119 if (status.error_type == ENUM_ADS_ERROR_SYSTEM &&
120 status.err.rc == ECONNREFUSED) {
121 DEBUG(1,("Trying MSRPC methods\n"));
122 if (domain->methods == &cache_methods) {
123 domain->backend = &msrpc_methods;
125 domain->methods = &msrpc_methods;
131 map_type = get_nss_info(domain->name);
133 if ((map_type == WB_POSIX_MAP_RFC2307)||
134 (map_type == WB_POSIX_MAP_SFU)) {
136 status = ads_check_posix_schema_mapping(ads, map_type);
137 if (!ADS_ERR_OK(status)) {
138 DEBUG(10,("ads_check_posix_schema_mapping failed "
139 "with: %s\n", ads_errstr(status)));
143 /* set the flag that says we don't own the memory even
144 though we do so that ads_destroy() won't destroy the
145 structure we pass back by reference */
147 ads->is_mine = False;
149 domain->private_data = (void *)ads;
154 /* Query display info for a realm. This is the basic user list fn */
155 static NTSTATUS query_user_list(struct winbindd_domain *domain,
158 WINBIND_USERINFO **info)
160 ADS_STRUCT *ads = NULL;
161 const char *attrs[] = {"userPrincipalName",
163 "name", "objectSid", "primaryGroupID",
165 ADS_ATTR_SFU_HOMEDIR_OID,
166 ADS_ATTR_SFU_SHELL_OID,
167 ADS_ATTR_SFU_GECOS_OID,
168 ADS_ATTR_RFC2307_HOMEDIR_OID,
169 ADS_ATTR_RFC2307_SHELL_OID,
170 ADS_ATTR_RFC2307_GECOS_OID,
176 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
180 DEBUG(3,("ads: query_user_list\n"));
182 ads = ads_cached_connection(domain);
185 domain->last_status = NT_STATUS_SERVER_DISABLED;
189 rc = ads_search_retry(ads, &res, "(objectCategory=user)", attrs);
190 if (!ADS_ERR_OK(rc) || !res) {
191 DEBUG(1,("query_user_list ads_search: %s\n", ads_errstr(rc)));
195 count = ads_count_replies(ads, res);
197 DEBUG(1,("query_user_list: No users found\n"));
201 (*info) = TALLOC_ZERO_ARRAY(mem_ctx, WINBIND_USERINFO, count);
203 status = NT_STATUS_NO_MEMORY;
209 for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
210 char *name, *gecos = NULL;
211 char *homedir = NULL;
216 if (!ads_pull_uint32(ads, msg, "sAMAccountType", &atype) ||
217 ads_atype_map(atype) != SID_NAME_USER) {
218 DEBUG(1,("Not a user account? atype=0x%x\n", atype));
222 name = ads_pull_username(ads, mem_ctx, msg);
224 if (get_nss_info(domain->name) && ads->schema.map_type) {
226 DEBUG(10,("pulling posix attributes (%s schema)\n",
227 wb_posix_map_str(ads->schema.map_type)));
229 homedir = ads_pull_string(ads, mem_ctx, msg,
230 ads->schema.posix_homedir_attr);
231 shell = ads_pull_string(ads, mem_ctx, msg,
232 ads->schema.posix_shell_attr);
233 gecos = ads_pull_string(ads, mem_ctx, msg,
234 ads->schema.posix_gecos_attr);
238 gecos = ads_pull_string(ads, mem_ctx, msg, "name");
241 if (!ads_pull_sid(ads, msg, "objectSid",
242 &(*info)[i].user_sid)) {
243 DEBUG(1,("No sid for %s !?\n", name));
246 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &group)) {
247 DEBUG(1,("No primary group for %s !?\n", name));
251 (*info)[i].acct_name = name;
252 (*info)[i].full_name = gecos;
253 (*info)[i].homedir = homedir;
254 (*info)[i].shell = shell;
255 sid_compose(&(*info)[i].group_sid, &domain->sid, group);
260 status = NT_STATUS_OK;
262 DEBUG(3,("ads query_user_list gave %d entries\n", (*num_entries)));
266 ads_msgfree(ads, res);
271 /* list all domain groups */
272 static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
275 struct acct_info **info)
277 ADS_STRUCT *ads = NULL;
278 const char *attrs[] = {"userPrincipalName", "sAMAccountName",
279 "name", "objectSid", NULL};
284 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
286 BOOL enum_dom_local_groups = False;
290 DEBUG(3,("ads: enum_dom_groups\n"));
292 /* only grab domain local groups for our domain */
293 if ( domain->native_mode && strequal(lp_realm(), domain->alt_name) ) {
294 enum_dom_local_groups = True;
297 /* Workaround ADS LDAP bug present in MS W2K3 SP0 and W2K SP4 w/o
300 * According to Section 5.1(4) of RFC 2251 if a value of a type is it's
301 * default value, it MUST be absent. In case of extensible matching the
302 * "dnattr" boolean defaults to FALSE and so it must be only be present
305 * When it is set to FALSE and the OpenLDAP lib (correctly) encodes a
306 * filter using bitwise matching rule then the buggy AD fails to decode
307 * the extensible match. As a workaround set it to TRUE and thereby add
308 * the dnAttributes "dn" field to cope with those older AD versions.
309 * It should not harm and won't put any additional load on the AD since
310 * none of the dn components have a bitmask-attribute.
312 * Thanks to Ralf Haferkamp for input and testing - Guenther */
314 filter = talloc_asprintf(mem_ctx, "(&(objectCategory=group)(&(groupType:dn:%s:=%d)(!(groupType:dn:%s:=%d))))",
315 ADS_LDAP_MATCHING_RULE_BIT_AND, GROUP_TYPE_SECURITY_ENABLED,
316 ADS_LDAP_MATCHING_RULE_BIT_AND,
317 enum_dom_local_groups ? GROUP_TYPE_BUILTIN_LOCAL_GROUP : GROUP_TYPE_RESOURCE_GROUP);
319 if (filter == NULL) {
320 status = NT_STATUS_NO_MEMORY;
324 ads = ads_cached_connection(domain);
327 domain->last_status = NT_STATUS_SERVER_DISABLED;
331 rc = ads_search_retry(ads, &res, filter, attrs);
332 if (!ADS_ERR_OK(rc) || !res) {
333 DEBUG(1,("enum_dom_groups ads_search: %s\n", ads_errstr(rc)));
337 count = ads_count_replies(ads, res);
339 DEBUG(1,("enum_dom_groups: No groups found\n"));
343 (*info) = TALLOC_ZERO_ARRAY(mem_ctx, struct acct_info, count);
345 status = NT_STATUS_NO_MEMORY;
351 for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
356 name = ads_pull_username(ads, mem_ctx, msg);
357 gecos = ads_pull_string(ads, mem_ctx, msg, "name");
358 if (!ads_pull_sid(ads, msg, "objectSid", &sid)) {
359 DEBUG(1,("No sid for %s !?\n", name));
363 if (!sid_peek_check_rid(&domain->sid, &sid, &rid)) {
364 DEBUG(1,("No rid for %s !?\n", name));
368 fstrcpy((*info)[i].acct_name, name);
369 fstrcpy((*info)[i].acct_desc, gecos);
370 (*info)[i].rid = rid;
376 status = NT_STATUS_OK;
378 DEBUG(3,("ads enum_dom_groups gave %d entries\n", (*num_entries)));
382 ads_msgfree(ads, res);
387 /* list all domain local groups */
388 static NTSTATUS enum_local_groups(struct winbindd_domain *domain,
391 struct acct_info **info)
394 * This is a stub function only as we returned the domain
395 * local groups in enum_dom_groups() if the domain->native field
396 * was true. This is a simple performance optimization when
399 * if we ever need to enumerate domain local groups separately,
400 * then this the optimization in enum_dom_groups() will need
408 /* convert a DN to a name, SID and name type
409 this might become a major speed bottleneck if groups have
410 lots of users, in which case we could cache the results
412 static BOOL dn_lookup(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx,
414 char **name, uint32 *name_type, DOM_SID *sid)
417 const char *attrs[] = {"userPrincipalName", "sAMAccountName",
418 "objectSid", "sAMAccountType", NULL};
421 DEBUG(3,("ads: dn_lookup\n"));
423 rc = ads_search_retry_dn(ads, &res, dn, attrs);
425 if (!ADS_ERR_OK(rc) || !res) {
429 (*name) = ads_pull_username(ads, mem_ctx, res);
431 if (!ads_pull_uint32(ads, res, "sAMAccountType", &atype)) {
434 (*name_type) = ads_atype_map(atype);
436 if (!ads_pull_sid(ads, res, "objectSid", sid)) {
441 ads_msgfree(ads, res);
447 ads_msgfree(ads, res);
452 /* Lookup user information from a rid */
453 static NTSTATUS query_user(struct winbindd_domain *domain,
456 WINBIND_USERINFO *info)
458 ADS_STRUCT *ads = NULL;
459 const char *attrs[] = {"userPrincipalName",
463 ADS_ATTR_SFU_HOMEDIR_OID,
464 ADS_ATTR_SFU_SHELL_OID,
465 ADS_ATTR_SFU_GECOS_OID,
466 ADS_ATTR_RFC2307_HOMEDIR_OID,
467 ADS_ATTR_RFC2307_SHELL_OID,
468 ADS_ATTR_RFC2307_GECOS_OID,
476 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
478 DEBUG(3,("ads: query_user\n"));
480 ads = ads_cached_connection(domain);
483 domain->last_status = NT_STATUS_SERVER_DISABLED;
487 sidstr = sid_binstring(sid);
488 asprintf(&ldap_exp, "(objectSid=%s)", sidstr);
489 rc = ads_search_retry(ads, &msg, ldap_exp, attrs);
492 if (!ADS_ERR_OK(rc) || !msg) {
493 DEBUG(1,("query_user(sid=%s) ads_search: %s\n",
494 sid_string_static(sid), ads_errstr(rc)));
498 count = ads_count_replies(ads, msg);
500 DEBUG(1,("query_user(sid=%s): Not found\n",
501 sid_string_static(sid)));
505 info->acct_name = ads_pull_username(ads, mem_ctx, msg);
507 if (get_nss_info(domain->name) && ads->schema.map_type) {
509 DEBUG(10,("pulling posix attributes (%s schema)\n",
510 wb_posix_map_str(ads->schema.map_type)));
512 info->homedir = ads_pull_string(ads, mem_ctx, msg,
513 ads->schema.posix_homedir_attr);
514 info->shell = ads_pull_string(ads, mem_ctx, msg,
515 ads->schema.posix_shell_attr);
516 info->full_name = ads_pull_string(ads, mem_ctx, msg,
517 ads->schema.posix_gecos_attr);
520 if (info->full_name == NULL) {
521 info->full_name = ads_pull_string(ads, mem_ctx, msg, "name");
524 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &group_rid)) {
525 DEBUG(1,("No primary group for %s !?\n",
526 sid_string_static(sid)));
530 sid_copy(&info->user_sid, sid);
531 sid_compose(&info->group_sid, &domain->sid, group_rid);
533 status = NT_STATUS_OK;
535 DEBUG(3,("ads query_user gave %s\n", info->acct_name));
538 ads_msgfree(ads, msg);
543 /* Lookup groups a user is a member of - alternate method, for when
544 tokenGroups are not available. */
545 static NTSTATUS lookup_usergroups_alt(struct winbindd_domain *domain,
548 DOM_SID *primary_group,
549 size_t *p_num_groups, DOM_SID **user_sids)
552 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
558 const char *group_attrs[] = {"objectSid", NULL};
560 size_t num_groups = 0;
562 DEBUG(3,("ads: lookup_usergroups_alt\n"));
564 ads = ads_cached_connection(domain);
567 domain->last_status = NT_STATUS_SERVER_DISABLED;
571 if (!(escaped_dn = escape_ldap_string_alloc(user_dn))) {
572 status = NT_STATUS_NO_MEMORY;
576 /* buggy server, no tokenGroups. Instead lookup what groups this user
577 is a member of by DN search on member*/
579 if (!(ldap_exp = talloc_asprintf(mem_ctx, "(&(member=%s)(objectCategory=group))", escaped_dn))) {
580 DEBUG(1,("lookup_usergroups(dn=%s) asprintf failed!\n", user_dn));
581 SAFE_FREE(escaped_dn);
582 status = NT_STATUS_NO_MEMORY;
586 SAFE_FREE(escaped_dn);
588 rc = ads_search_retry(ads, &res, ldap_exp, group_attrs);
590 if (!ADS_ERR_OK(rc) || !res) {
591 DEBUG(1,("lookup_usergroups ads_search member=%s: %s\n", user_dn, ads_errstr(rc)));
592 return ads_ntstatus(rc);
595 count = ads_count_replies(ads, res);
600 /* always add the primary group to the sid array */
601 add_sid_to_array(mem_ctx, primary_group, user_sids, &num_groups);
604 for (msg = ads_first_entry(ads, res); msg;
605 msg = ads_next_entry(ads, msg)) {
608 if (!ads_pull_sid(ads, msg, "objectSid", &group_sid)) {
609 DEBUG(1,("No sid for this group ?!?\n"));
613 /* ignore Builtin groups from ADS - Guenther */
614 if (sid_check_is_in_builtin(&group_sid)) {
618 add_sid_to_array(mem_ctx, &group_sid, user_sids,
624 *p_num_groups = num_groups;
625 status = (user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
627 DEBUG(3,("ads lookup_usergroups (alt) for dn=%s\n", user_dn));
630 ads_msgfree(ads, res);
635 /* Lookup groups a user is a member of. */
636 static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
639 uint32 *p_num_groups, DOM_SID **user_sids)
641 ADS_STRUCT *ads = NULL;
642 const char *attrs[] = {"tokenGroups", "primaryGroupID", NULL};
645 LDAPMessage *msg = NULL;
649 DOM_SID primary_group;
650 uint32 primary_group_rid;
652 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
653 size_t num_groups = 0;
655 DEBUG(3,("ads: lookup_usergroups\n"));
658 status = lookup_usergroups_cached(domain, mem_ctx, sid,
659 p_num_groups, user_sids);
660 if (NT_STATUS_IS_OK(status)) {
664 ads = ads_cached_connection(domain);
667 domain->last_status = NT_STATUS_SERVER_DISABLED;
668 status = NT_STATUS_SERVER_DISABLED;
672 rc = ads_search_retry_sid(ads, (void**)(void *)&msg, sid, attrs);
674 if (!ADS_ERR_OK(rc)) {
675 status = ads_ntstatus(rc);
676 DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: %s\n",
677 sid_to_string(sid_string, sid), ads_errstr(rc)));
681 count = ads_count_replies(ads, msg);
683 status = NT_STATUS_UNSUCCESSFUL;
684 DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: "
685 "invalid number of results (count=%d)\n",
686 sid_to_string(sid_string, sid), count));
691 DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: NULL msg\n",
692 sid_to_string(sid_string, sid)));
693 status = NT_STATUS_UNSUCCESSFUL;
697 user_dn = ads_get_dn(ads, msg);
698 if (user_dn == NULL) {
699 status = NT_STATUS_NO_MEMORY;
703 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &primary_group_rid)) {
704 DEBUG(1,("%s: No primary group for sid=%s !?\n",
705 domain->name, sid_to_string(sid_string, sid)));
709 sid_copy(&primary_group, &domain->sid);
710 sid_append_rid(&primary_group, primary_group_rid);
712 count = ads_pull_sids(ads, mem_ctx, msg, "tokenGroups", &sids);
715 ads_msgfree(ads, msg);
717 /* there must always be at least one group in the token,
718 unless we are talking to a buggy Win2k server */
722 status = lookup_usergroups_alt(domain, mem_ctx, user_dn,
724 &num_groups, user_sids);
725 *p_num_groups = (uint32)num_groups;
732 add_sid_to_array(mem_ctx, &primary_group, user_sids, &num_groups);
734 for (i=0;i<count;i++) {
736 /* ignore Builtin groups from ADS - Guenther */
737 if (sid_check_is_in_builtin(&sids[i])) {
741 add_sid_to_array_unique(mem_ctx, &sids[i],
742 user_sids, &num_groups);
745 *p_num_groups = (uint32)num_groups;
746 status = (user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
748 DEBUG(3,("ads lookup_usergroups for sid=%s\n",
749 sid_to_string(sid_string, sid)));
755 find the members of a group, given a group rid and domain
757 static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
759 const DOM_SID *group_sid, uint32 *num_names,
760 DOM_SID **sid_mem, char ***names,
766 ADS_STRUCT *ads = NULL;
768 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
780 DEBUG(10,("ads: lookup_groupmem %s sid=%s\n", domain->name,
781 sid_string_static(group_sid)));
785 ads = ads_cached_connection(domain);
788 domain->last_status = NT_STATUS_SERVER_DISABLED;
792 sidstr = sid_binstring(group_sid);
794 /* search for all members of the group */
795 if (!(ldap_exp = talloc_asprintf(mem_ctx, "(objectSid=%s)",sidstr))) {
797 DEBUG(1, ("ads: lookup_groupmem: tallloc_asprintf for ldap_exp failed!\n"));
798 status = NT_STATUS_NO_MEMORY;
806 attrs = TALLOC_ARRAY(mem_ctx, const char *, 3);
807 attrs[1] = talloc_strdup(mem_ctx, "usnChanged");
811 if (num_members == 0)
812 attrs[0] = talloc_strdup(mem_ctx, "member");
814 DEBUG(10, ("Searching for attrs[0] = %s, attrs[1] = %s\n", attrs[0], attrs[1]));
816 rc = ads_search_retry(ads, &res, ldap_exp, attrs);
818 if (!ADS_ERR_OK(rc) || !res) {
819 DEBUG(1,("ads: lookup_groupmem ads_search: %s\n",
821 status = ads_ntstatus(rc);
825 count = ads_count_replies(ads, res);
829 if (num_members == 0) {
830 if (!ads_pull_uint32(ads, res, "usnChanged", &first_usn)) {
831 DEBUG(1, ("ads: lookup_groupmem could not pull usnChanged!\n"));
836 if (!ads_pull_uint32(ads, res, "usnChanged", ¤t_usn)) {
837 DEBUG(1, ("ads: lookup_groupmem could not pull usnChanged!\n"));
841 if (first_usn != current_usn) {
842 DEBUG(5, ("ads: lookup_groupmem USN on this record changed"
843 " - restarting search\n"));
844 if (num_retries < 5) {
849 DEBUG(5, ("ads: lookup_groupmem USN on this record changed"
850 " - restarted search too many times, aborting!\n"));
851 status = NT_STATUS_UNSUCCESSFUL;
856 members = ads_pull_strings_range(ads, mem_ctx, res,
863 if ((members == NULL) || (num_members == 0))
866 } while (more_values);
868 /* now we need to turn a list of members into rids, names and name types
869 the problem is that the members are in the form of distinguised names
872 (*sid_mem) = TALLOC_ZERO_ARRAY(mem_ctx, DOM_SID, num_members);
873 (*name_types) = TALLOC_ZERO_ARRAY(mem_ctx, uint32, num_members);
874 (*names) = TALLOC_ZERO_ARRAY(mem_ctx, char *, num_members);
876 if ((num_members != 0) &&
877 ((members == NULL) || (*sid_mem == NULL) ||
878 (*name_types == NULL) || (*names == NULL))) {
879 DEBUG(1, ("talloc failed\n"));
880 status = NT_STATUS_NO_MEMORY;
884 for (i=0;i<num_members;i++) {
889 if (dn_lookup(ads, mem_ctx, members[i], &name, &name_type, &sid)) {
890 (*names)[*num_names] = name;
891 (*name_types)[*num_names] = name_type;
892 sid_copy(&(*sid_mem)[*num_names], &sid);
897 status = NT_STATUS_OK;
898 DEBUG(3,("ads lookup_groupmem for sid=%s\n", sid_to_string(sid_string, group_sid)));
902 ads_msgfree(ads, res);
907 /* find the sequence number for a domain */
908 static NTSTATUS sequence_number(struct winbindd_domain *domain, uint32 *seq)
910 ADS_STRUCT *ads = NULL;
913 DEBUG(3,("ads: fetch sequence_number for %s\n", domain->name));
915 *seq = DOM_SEQUENCE_NONE;
917 ads = ads_cached_connection(domain);
920 domain->last_status = NT_STATUS_SERVER_DISABLED;
921 return NT_STATUS_UNSUCCESSFUL;
924 rc = ads_USN(ads, seq);
926 if (!ADS_ERR_OK(rc)) {
928 /* its a dead connection ; don't destroy it
929 through since ads_USN() has already done
932 domain->private_data = NULL;
934 return ads_ntstatus(rc);
937 /* get a list of trusted domains */
938 static NTSTATUS trusted_domains(struct winbindd_domain *domain,
945 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
946 struct ds_domain_trust *domains = NULL;
949 uint32 flags = DS_DOMAIN_DIRECT_OUTBOUND;
950 struct rpc_pipe_client *cli;
952 DEBUG(3,("ads: trusted_domains\n"));
959 result = cm_connect_netlogon(domain, &cli);
961 if (!NT_STATUS_IS_OK(result)) {
962 DEBUG(5, ("trusted_domains: Could not open a connection to %s "
963 "for PIPE_NETLOGON (%s)\n",
964 domain->name, nt_errstr(result)));
965 return NT_STATUS_UNSUCCESSFUL;
968 if ( NT_STATUS_IS_OK(result) ) {
969 result = rpccli_ds_enum_domain_trusts(cli, mem_ctx,
972 (unsigned int *)&count);
975 if ( NT_STATUS_IS_OK(result) && count) {
977 /* Allocate memory for trusted domain names and sids */
979 if ( !(*names = TALLOC_ARRAY(mem_ctx, char *, count)) ) {
980 DEBUG(0, ("trusted_domains: out of memory\n"));
981 return NT_STATUS_NO_MEMORY;
984 if ( !(*alt_names = TALLOC_ARRAY(mem_ctx, char *, count)) ) {
985 DEBUG(0, ("trusted_domains: out of memory\n"));
986 return NT_STATUS_NO_MEMORY;
989 if ( !(*dom_sids = TALLOC_ARRAY(mem_ctx, DOM_SID, count)) ) {
990 DEBUG(0, ("trusted_domains: out of memory\n"));
991 return NT_STATUS_NO_MEMORY;
994 /* Copy across names and sids */
996 for (i = 0; i < count; i++) {
997 (*names)[i] = domains[i].netbios_domain;
998 (*alt_names)[i] = domains[i].dns_domain;
1000 sid_copy(&(*dom_sids)[i], &domains[i].sid);
1003 *num_domains = count;
1009 /* the ADS backend methods are exposed via this structure */
1010 struct winbindd_methods ads_methods = {
1019 msrpc_lookup_useraliases,
1022 msrpc_lockout_policy,
1023 msrpc_password_policy,