2 Unix SMB/CIFS implementation.
4 Winbind ADS backend functions
6 Copyright (C) Andrew Tridgell 2001
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003
8 Copyright (C) Gerald (Jerry) Carter 2004
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
26 #include "../librpc/gen_ndr/cli_netlogon.h"
27 #include "../libds/common/flags.h"
32 #define DBGC_CLASS DBGC_WINBIND
34 extern struct winbindd_methods reconnect_methods;
37 return our ads connections structure for a domain. We keep the connection
38 open to make things faster
40 static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain)
45 struct sockaddr_storage dc_ss;
47 DEBUG(10,("ads_cached_connection\n"));
49 if (domain->private_data) {
52 time_t now = time(NULL);
54 /* check for a valid structure */
55 ads = (ADS_STRUCT *)domain->private_data;
57 expire = MIN(ads->auth.tgt_expire, ads->auth.tgs_expire);
59 DEBUG(7, ("Current tickets expire in %d seconds (at %d, time is now %d)\n",
60 (uint32)expire-(uint32)now, (uint32) expire, (uint32) now));
62 if ( ads->config.realm && (expire > now)) {
65 /* we own this ADS_STRUCT so make sure it goes away */
66 DEBUG(7,("Deleting expired krb5 credential cache\n"));
69 ads_kdestroy("MEMORY:winbind_ccache");
70 domain->private_data = NULL;
74 /* we don't want this to affect the users ccache */
75 setenv("KRB5CCNAME", "MEMORY:winbind_ccache", 1);
77 ads = ads_init(domain->alt_name, domain->name, NULL);
79 DEBUG(1,("ads_init for domain %s failed\n", domain->name));
83 /* the machine acct password might have change - fetch it every time */
85 SAFE_FREE(ads->auth.password);
86 SAFE_FREE(ads->auth.realm);
90 if ( !pdb_get_trusteddom_pw( domain->name, &ads->auth.password, NULL, NULL ) ) {
94 ads->auth.realm = SMB_STRDUP( ads->server.realm );
95 strupper_m( ads->auth.realm );
98 struct winbindd_domain *our_domain = domain;
100 ads->auth.password = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
102 /* always give preference to the alt_name in our
103 primary domain if possible */
105 if ( !domain->primary )
106 our_domain = find_our_domain();
108 if ( our_domain->alt_name[0] != '\0' ) {
109 ads->auth.realm = SMB_STRDUP( our_domain->alt_name );
110 strupper_m( ads->auth.realm );
113 ads->auth.realm = SMB_STRDUP( lp_realm() );
116 ads->auth.renewable = WINBINDD_PAM_AUTH_KRB5_RENEW_TIME;
118 /* Setup the server affinity cache. We don't reaally care
119 about the name. Just setup affinity and the KRB5_CONFIG
122 get_dc_name( ads->server.workgroup, ads->server.realm, dc_name, &dc_ss );
124 status = ads_connect(ads);
125 if (!ADS_ERR_OK(status) || !ads->config.realm) {
126 DEBUG(1,("ads_connect for domain %s failed: %s\n",
127 domain->name, ads_errstr(status)));
130 /* if we get ECONNREFUSED then it might be a NT4
131 server, fall back to MSRPC */
132 if (status.error_type == ENUM_ADS_ERROR_SYSTEM &&
133 status.err.rc == ECONNREFUSED) {
134 /* 'reconnect_methods' is the MS-RPC backend. */
135 DEBUG(1,("Trying MSRPC methods\n"));
136 domain->backend = &reconnect_methods;
141 /* set the flag that says we don't own the memory even
142 though we do so that ads_destroy() won't destroy the
143 structure we pass back by reference */
145 ads->is_mine = False;
147 domain->private_data = (void *)ads;
152 /* Query display info for a realm. This is the basic user list fn */
153 static NTSTATUS query_user_list(struct winbindd_domain *domain,
156 struct wbint_userinfo **info)
158 ADS_STRUCT *ads = NULL;
159 const char *attrs[] = { "*", NULL };
162 LDAPMessage *res = NULL;
163 LDAPMessage *msg = NULL;
164 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
168 DEBUG(3,("ads: query_user_list\n"));
170 if ( !winbindd_can_contact_domain( domain ) ) {
171 DEBUG(10,("query_user_list: No incoming trust for domain %s\n",
176 ads = ads_cached_connection(domain);
179 domain->last_status = NT_STATUS_SERVER_DISABLED;
183 rc = ads_search_retry(ads, &res, "(objectCategory=user)", attrs);
184 if (!ADS_ERR_OK(rc) || !res) {
185 DEBUG(1,("query_user_list ads_search: %s\n", ads_errstr(rc)));
189 count = ads_count_replies(ads, res);
191 DEBUG(1,("query_user_list: No users found\n"));
195 (*info) = TALLOC_ZERO_ARRAY(mem_ctx, struct wbint_userinfo, count);
197 status = NT_STATUS_NO_MEMORY;
203 for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
205 const char *gecos = NULL;
206 const char *homedir = NULL;
207 const char *shell = NULL;
210 struct dom_sid user_sid;
211 gid_t primary_gid = (gid_t)-1;
213 if (!ads_pull_uint32(ads, msg, "sAMAccountType", &atype) ||
214 ds_atype_map(atype) != SID_NAME_USER) {
215 DEBUG(1,("Not a user account? atype=0x%x\n", atype));
219 name = ads_pull_username(ads, mem_ctx, msg);
221 if ( ads_pull_sid( ads, msg, "objectSid", &user_sid ) ) {
222 status = nss_get_info_cached( domain, &user_sid, mem_ctx,
223 ads, msg, &homedir, &shell, &gecos,
228 gecos = ads_pull_string(ads, mem_ctx, msg, "name");
231 if (!ads_pull_sid(ads, msg, "objectSid",
232 &(*info)[i].user_sid)) {
233 DEBUG(1,("No sid for %s !?\n", name));
236 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &group)) {
237 DEBUG(1,("No primary group for %s !?\n", name));
241 (*info)[i].acct_name = name;
242 (*info)[i].full_name = gecos;
243 (*info)[i].homedir = homedir;
244 (*info)[i].shell = shell;
245 (*info)[i].primary_gid = primary_gid;
246 sid_compose(&(*info)[i].group_sid, &domain->sid, group);
251 status = NT_STATUS_OK;
253 DEBUG(3,("ads query_user_list gave %d entries\n", (*num_entries)));
257 ads_msgfree(ads, res);
262 /* list all domain groups */
263 static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
266 struct acct_info **info)
268 ADS_STRUCT *ads = NULL;
269 const char *attrs[] = {"userPrincipalName", "sAMAccountName",
270 "name", "objectSid", NULL};
273 LDAPMessage *res = NULL;
274 LDAPMessage *msg = NULL;
275 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
277 bool enum_dom_local_groups = False;
281 DEBUG(3,("ads: enum_dom_groups\n"));
283 if ( !winbindd_can_contact_domain( domain ) ) {
284 DEBUG(10,("enum_dom_groups: No incoming trust for domain %s\n",
289 /* only grab domain local groups for our domain */
290 if ( domain->active_directory && strequal(lp_realm(), domain->alt_name) ) {
291 enum_dom_local_groups = True;
294 /* Workaround ADS LDAP bug present in MS W2K3 SP0 and W2K SP4 w/o
297 * According to Section 5.1(4) of RFC 2251 if a value of a type is it's
298 * default value, it MUST be absent. In case of extensible matching the
299 * "dnattr" boolean defaults to FALSE and so it must be only be present
302 * When it is set to FALSE and the OpenLDAP lib (correctly) encodes a
303 * filter using bitwise matching rule then the buggy AD fails to decode
304 * the extensible match. As a workaround set it to TRUE and thereby add
305 * the dnAttributes "dn" field to cope with those older AD versions.
306 * It should not harm and won't put any additional load on the AD since
307 * none of the dn components have a bitmask-attribute.
309 * Thanks to Ralf Haferkamp for input and testing - Guenther */
311 filter = talloc_asprintf(mem_ctx, "(&(objectCategory=group)(&(groupType:dn:%s:=%d)(!(groupType:dn:%s:=%d))))",
312 ADS_LDAP_MATCHING_RULE_BIT_AND, GROUP_TYPE_SECURITY_ENABLED,
313 ADS_LDAP_MATCHING_RULE_BIT_AND,
314 enum_dom_local_groups ? GROUP_TYPE_BUILTIN_LOCAL_GROUP : GROUP_TYPE_RESOURCE_GROUP);
316 if (filter == NULL) {
317 status = NT_STATUS_NO_MEMORY;
321 ads = ads_cached_connection(domain);
324 domain->last_status = NT_STATUS_SERVER_DISABLED;
328 rc = ads_search_retry(ads, &res, filter, attrs);
329 if (!ADS_ERR_OK(rc) || !res) {
330 DEBUG(1,("enum_dom_groups ads_search: %s\n", ads_errstr(rc)));
334 count = ads_count_replies(ads, res);
336 DEBUG(1,("enum_dom_groups: No groups found\n"));
340 (*info) = TALLOC_ZERO_ARRAY(mem_ctx, struct acct_info, count);
342 status = NT_STATUS_NO_MEMORY;
348 for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
353 name = ads_pull_username(ads, mem_ctx, msg);
354 gecos = ads_pull_string(ads, mem_ctx, msg, "name");
355 if (!ads_pull_sid(ads, msg, "objectSid", &sid)) {
356 DEBUG(1,("No sid for %s !?\n", name));
360 if (!sid_peek_check_rid(&domain->sid, &sid, &rid)) {
361 DEBUG(1,("No rid for %s !?\n", name));
365 fstrcpy((*info)[i].acct_name, name);
366 fstrcpy((*info)[i].acct_desc, gecos);
367 (*info)[i].rid = rid;
373 status = NT_STATUS_OK;
375 DEBUG(3,("ads enum_dom_groups gave %d entries\n", (*num_entries)));
379 ads_msgfree(ads, res);
384 /* list all domain local groups */
385 static NTSTATUS enum_local_groups(struct winbindd_domain *domain,
388 struct acct_info **info)
391 * This is a stub function only as we returned the domain
392 * local groups in enum_dom_groups() if the domain->native field
393 * was true. This is a simple performance optimization when
396 * if we ever need to enumerate domain local groups separately,
397 * then this optimization in enum_dom_groups() will need
405 /* convert a single name to a sid in a domain - use rpc methods */
406 static NTSTATUS name_to_sid(struct winbindd_domain *domain,
408 const char *domain_name,
412 enum lsa_SidType *type)
414 return reconnect_methods.name_to_sid(domain, mem_ctx,
415 domain_name, name, flags,
419 /* convert a domain SID to a user or group name - use rpc methods */
420 static NTSTATUS sid_to_name(struct winbindd_domain *domain,
422 const struct dom_sid *sid,
425 enum lsa_SidType *type)
427 return reconnect_methods.sid_to_name(domain, mem_ctx, sid,
428 domain_name, name, type);
431 /* convert a list of rids to names - use rpc methods */
432 static NTSTATUS rids_to_names(struct winbindd_domain *domain,
434 const struct dom_sid *sid,
439 enum lsa_SidType **types)
441 return reconnect_methods.rids_to_names(domain, mem_ctx, sid,
443 domain_name, names, types);
446 /* If you are looking for "dn_lookup": Yes, it used to be here!
447 * It has gone now since it was a major speed bottleneck in
448 * lookup_groupmem (its only use). It has been replaced by
449 * an rpc lookup sids call... R.I.P. */
451 /* Lookup user information from a rid */
452 static NTSTATUS query_user(struct winbindd_domain *domain,
454 const struct dom_sid *sid,
455 struct wbint_userinfo *info)
457 ADS_STRUCT *ads = NULL;
458 const char *attrs[] = { "*", NULL };
461 LDAPMessage *msg = NULL;
465 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
466 struct netr_SamInfo3 *user = NULL;
471 DEBUG(3,("ads: query_user\n"));
473 info->homedir = NULL;
476 /* try netsamlogon cache first */
478 if ( (user = netsamlogon_cache_get( mem_ctx, sid )) != NULL )
480 DEBUG(5,("query_user: Cache lookup succeeded for %s\n",
481 sid_string_dbg(sid)));
483 sid_compose(&info->user_sid, &domain->sid, user->base.rid);
484 sid_compose(&info->group_sid, &domain->sid, user->base.primary_gid);
486 info->acct_name = talloc_strdup(mem_ctx, user->base.account_name.string);
487 info->full_name = talloc_strdup(mem_ctx, user->base.full_name.string);
489 nss_get_info_cached( domain, sid, mem_ctx, NULL, NULL,
490 &info->homedir, &info->shell, &info->full_name,
492 info->primary_gid = gid;
499 if ( !winbindd_can_contact_domain(domain)) {
500 DEBUG(8,("query_user: No incoming trust from domain %s\n",
503 /* We still need to generate some basic information
504 about the user even if we cannot contact the
505 domain. Most of this stuff we can deduce. */
507 sid_copy( &info->user_sid, sid );
509 /* Assume "Domain Users" for the primary group */
511 sid_compose(&info->group_sid, &domain->sid, DOMAIN_RID_USERS );
513 /* Try to fill in what the nss_info backend can do */
515 nss_get_info_cached( domain, sid, mem_ctx, NULL, NULL,
516 &info->homedir, &info->shell, &info->full_name,
518 info->primary_gid = gid;
523 /* no cache...do the query */
525 if ( (ads = ads_cached_connection(domain)) == NULL ) {
526 domain->last_status = NT_STATUS_SERVER_DISABLED;
527 return NT_STATUS_SERVER_DISABLED;
530 sidstr = sid_binstring(talloc_tos(), sid);
532 ret = asprintf(&ldap_exp, "(objectSid=%s)", sidstr);
535 return NT_STATUS_NO_MEMORY;
537 rc = ads_search_retry(ads, &msg, ldap_exp, attrs);
539 if (!ADS_ERR_OK(rc) || !msg) {
540 DEBUG(1,("query_user(sid=%s) ads_search: %s\n",
541 sid_string_dbg(sid), ads_errstr(rc)));
542 return ads_ntstatus(rc);
545 count = ads_count_replies(ads, msg);
547 DEBUG(1,("query_user(sid=%s): Not found\n",
548 sid_string_dbg(sid)));
549 ads_msgfree(ads, msg);
550 return NT_STATUS_NO_SUCH_USER;
553 info->acct_name = ads_pull_username(ads, mem_ctx, msg);
555 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &group_rid)) {
556 DEBUG(1,("No primary group for %s !?\n",
557 sid_string_dbg(sid)));
558 ads_msgfree(ads, msg);
559 return NT_STATUS_NO_SUCH_USER;
561 sid_copy(&info->user_sid, sid);
562 sid_compose(&info->group_sid, &domain->sid, group_rid);
565 * We have to fetch the "name" attribute before doing the
566 * nss_get_info_cached call. nss_get_info_cached might destroy
567 * the ads struct, potentially invalidating the ldap message.
569 ads_name = ads_pull_string(ads, mem_ctx, msg, "name");
571 ads_msgfree(ads, msg);
574 status = nss_get_info_cached( domain, sid, mem_ctx, ads, msg,
575 &info->homedir, &info->shell, &info->full_name,
577 info->primary_gid = gid;
578 if (!NT_STATUS_IS_OK(status)) {
579 DEBUG(1, ("nss_get_info_cached failed: %s\n",
584 if (info->full_name == NULL) {
585 info->full_name = ads_name;
587 TALLOC_FREE(ads_name);
590 status = NT_STATUS_OK;
592 DEBUG(3,("ads query_user gave %s\n", info->acct_name));
596 /* Lookup groups a user is a member of - alternate method, for when
597 tokenGroups are not available. */
598 static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain,
601 struct dom_sid *primary_group,
602 size_t *p_num_groups, struct dom_sid **user_sids)
605 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
607 LDAPMessage *res = NULL;
608 LDAPMessage *msg = NULL;
611 const char *group_attrs[] = {"objectSid", NULL};
613 size_t num_groups = 0;
615 DEBUG(3,("ads: lookup_usergroups_member\n"));
617 if ( !winbindd_can_contact_domain( domain ) ) {
618 DEBUG(10,("lookup_usergroups_members: No incoming trust for domain %s\n",
623 ads = ads_cached_connection(domain);
626 domain->last_status = NT_STATUS_SERVER_DISABLED;
630 if (!(escaped_dn = escape_ldap_string(talloc_tos(), user_dn))) {
631 status = NT_STATUS_NO_MEMORY;
635 ldap_exp = talloc_asprintf(mem_ctx,
636 "(&(member=%s)(objectCategory=group)(groupType:dn:%s:=%d))",
638 ADS_LDAP_MATCHING_RULE_BIT_AND,
639 GROUP_TYPE_SECURITY_ENABLED);
641 DEBUG(1,("lookup_usergroups(dn=%s) asprintf failed!\n", user_dn));
642 TALLOC_FREE(escaped_dn);
643 status = NT_STATUS_NO_MEMORY;
647 TALLOC_FREE(escaped_dn);
649 rc = ads_search_retry(ads, &res, ldap_exp, group_attrs);
651 if (!ADS_ERR_OK(rc) || !res) {
652 DEBUG(1,("lookup_usergroups ads_search member=%s: %s\n", user_dn, ads_errstr(rc)));
653 return ads_ntstatus(rc);
656 count = ads_count_replies(ads, res);
661 /* always add the primary group to the sid array */
662 status = add_sid_to_array(mem_ctx, primary_group, user_sids,
664 if (!NT_STATUS_IS_OK(status)) {
669 for (msg = ads_first_entry(ads, res); msg;
670 msg = ads_next_entry(ads, msg)) {
671 struct dom_sid group_sid;
673 if (!ads_pull_sid(ads, msg, "objectSid", &group_sid)) {
674 DEBUG(1,("No sid for this group ?!?\n"));
678 /* ignore Builtin groups from ADS - Guenther */
679 if (sid_check_is_in_builtin(&group_sid)) {
683 status = add_sid_to_array(mem_ctx, &group_sid,
684 user_sids, &num_groups);
685 if (!NT_STATUS_IS_OK(status)) {
692 *p_num_groups = num_groups;
693 status = (user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
695 DEBUG(3,("ads lookup_usergroups (member) succeeded for dn=%s\n", user_dn));
698 ads_msgfree(ads, res);
703 /* Lookup groups a user is a member of - alternate method, for when
704 tokenGroups are not available. */
705 static NTSTATUS lookup_usergroups_memberof(struct winbindd_domain *domain,
708 struct dom_sid *primary_group,
709 size_t *p_num_groups,
710 struct dom_sid **user_sids)
713 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
715 const char *attrs[] = {"memberOf", NULL};
716 size_t num_groups = 0;
717 struct dom_sid *group_sids = NULL;
719 char **strings = NULL;
720 size_t num_strings = 0, num_sids = 0;
723 DEBUG(3,("ads: lookup_usergroups_memberof\n"));
725 if ( !winbindd_can_contact_domain( domain ) ) {
726 DEBUG(10,("lookup_usergroups_memberof: No incoming trust for "
727 "domain %s\n", domain->name));
731 ads = ads_cached_connection(domain);
734 domain->last_status = NT_STATUS_SERVER_DISABLED;
735 return NT_STATUS_UNSUCCESSFUL;
738 rc = ads_search_retry_extended_dn_ranged(ads, mem_ctx, user_dn, attrs,
739 ADS_EXTENDED_DN_HEX_STRING,
740 &strings, &num_strings);
742 if (!ADS_ERR_OK(rc)) {
743 DEBUG(1,("lookup_usergroups_memberof ads_search "
744 "member=%s: %s\n", user_dn, ads_errstr(rc)));
745 return ads_ntstatus(rc);
751 /* always add the primary group to the sid array */
752 status = add_sid_to_array(mem_ctx, primary_group, user_sids,
754 if (!NT_STATUS_IS_OK(status)) {
758 group_sids = TALLOC_ZERO_ARRAY(mem_ctx, struct dom_sid, num_strings + 1);
760 status = NT_STATUS_NO_MEMORY;
764 for (i=0; i<num_strings; i++) {
765 rc = ads_get_sid_from_extended_dn(mem_ctx, strings[i],
766 ADS_EXTENDED_DN_HEX_STRING,
768 if (!ADS_ERR_OK(rc)) {
769 /* ignore members without SIDs */
770 if (NT_STATUS_EQUAL(ads_ntstatus(rc),
771 NT_STATUS_NOT_FOUND)) {
775 status = ads_ntstatus(rc);
783 DEBUG(1,("No memberOf for this user?!?\n"));
784 status = NT_STATUS_NO_MEMORY;
788 for (i=0; i<num_sids; i++) {
790 /* ignore Builtin groups from ADS - Guenther */
791 if (sid_check_is_in_builtin(&group_sids[i])) {
795 status = add_sid_to_array(mem_ctx, &group_sids[i], user_sids,
797 if (!NT_STATUS_IS_OK(status)) {
803 *p_num_groups = num_groups;
804 status = (*user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
806 DEBUG(3,("ads lookup_usergroups (memberof) succeeded for dn=%s\n",
810 TALLOC_FREE(strings);
811 TALLOC_FREE(group_sids);
817 /* Lookup groups a user is a member of. */
818 static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
820 const struct dom_sid *sid,
821 uint32 *p_num_groups, struct dom_sid **user_sids)
823 ADS_STRUCT *ads = NULL;
824 const char *attrs[] = {"tokenGroups", "primaryGroupID", NULL};
827 LDAPMessage *msg = NULL;
828 char *user_dn = NULL;
829 struct dom_sid *sids;
831 struct dom_sid primary_group;
832 uint32 primary_group_rid;
833 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
834 size_t num_groups = 0;
836 DEBUG(3,("ads: lookup_usergroups\n"));
839 status = lookup_usergroups_cached(domain, mem_ctx, sid,
840 p_num_groups, user_sids);
841 if (NT_STATUS_IS_OK(status)) {
845 if ( !winbindd_can_contact_domain( domain ) ) {
846 DEBUG(10,("lookup_usergroups: No incoming trust for domain %s\n",
849 /* Tell the cache manager not to remember this one */
851 return NT_STATUS_SYNCHRONIZATION_REQUIRED;
854 ads = ads_cached_connection(domain);
857 domain->last_status = NT_STATUS_SERVER_DISABLED;
858 status = NT_STATUS_SERVER_DISABLED;
862 rc = ads_search_retry_sid(ads, &msg, sid, attrs);
864 if (!ADS_ERR_OK(rc)) {
865 status = ads_ntstatus(rc);
866 DEBUG(1, ("lookup_usergroups(sid=%s) ads_search tokenGroups: "
867 "%s\n", sid_string_dbg(sid), ads_errstr(rc)));
871 count = ads_count_replies(ads, msg);
873 status = NT_STATUS_UNSUCCESSFUL;
874 DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: "
875 "invalid number of results (count=%d)\n",
876 sid_string_dbg(sid), count));
881 DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: NULL msg\n",
882 sid_string_dbg(sid)));
883 status = NT_STATUS_UNSUCCESSFUL;
887 user_dn = ads_get_dn(ads, mem_ctx, msg);
888 if (user_dn == NULL) {
889 status = NT_STATUS_NO_MEMORY;
893 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &primary_group_rid)) {
894 DEBUG(1,("%s: No primary group for sid=%s !?\n",
895 domain->name, sid_string_dbg(sid)));
899 sid_compose(&primary_group, &domain->sid, primary_group_rid);
901 count = ads_pull_sids(ads, mem_ctx, msg, "tokenGroups", &sids);
903 /* there must always be at least one group in the token,
904 unless we are talking to a buggy Win2k server */
906 /* actually this only happens when the machine account has no read
907 * permissions on the tokenGroup attribute - gd */
913 /* lookup what groups this user is a member of by DN search on
916 status = lookup_usergroups_memberof(domain, mem_ctx, user_dn,
918 &num_groups, user_sids);
919 *p_num_groups = (uint32)num_groups;
920 if (NT_STATUS_IS_OK(status)) {
924 /* lookup what groups this user is a member of by DN search on
927 status = lookup_usergroups_member(domain, mem_ctx, user_dn,
929 &num_groups, user_sids);
930 *p_num_groups = (uint32)num_groups;
937 status = add_sid_to_array(mem_ctx, &primary_group, user_sids,
939 if (!NT_STATUS_IS_OK(status)) {
943 for (i=0;i<count;i++) {
945 /* ignore Builtin groups from ADS - Guenther */
946 if (sid_check_is_in_builtin(&sids[i])) {
950 status = add_sid_to_array_unique(mem_ctx, &sids[i],
951 user_sids, &num_groups);
952 if (!NT_STATUS_IS_OK(status)) {
957 *p_num_groups = (uint32)num_groups;
958 status = (*user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
960 DEBUG(3,("ads lookup_usergroups (tokenGroups) succeeded for sid=%s\n",
961 sid_string_dbg(sid)));
963 TALLOC_FREE(user_dn);
964 ads_msgfree(ads, msg);
968 /* Lookup aliases a user is member of - use rpc methods */
969 static NTSTATUS lookup_useraliases(struct winbindd_domain *domain,
971 uint32 num_sids, const struct dom_sid *sids,
972 uint32 *num_aliases, uint32 **alias_rids)
974 return reconnect_methods.lookup_useraliases(domain, mem_ctx,
981 find the members of a group, given a group rid and domain
983 static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
985 const struct dom_sid *group_sid,
986 enum lsa_SidType type,
988 struct dom_sid **sid_mem, char ***names,
992 ADS_STRUCT *ads = NULL;
994 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
996 char **members = NULL;
998 size_t num_members = 0;
1000 struct dom_sid *sid_mem_nocache = NULL;
1001 char **names_nocache = NULL;
1002 enum lsa_SidType *name_types_nocache = NULL;
1003 char **domains_nocache = NULL; /* only needed for rpccli_lsa_lookup_sids */
1004 uint32 num_nocache = 0;
1005 TALLOC_CTX *tmp_ctx = NULL;
1007 DEBUG(10,("ads: lookup_groupmem %s sid=%s\n", domain->name,
1008 sid_string_dbg(group_sid)));
1012 tmp_ctx = talloc_new(mem_ctx);
1014 DEBUG(1, ("ads: lookup_groupmem: talloc failed\n"));
1015 status = NT_STATUS_NO_MEMORY;
1019 if ( !winbindd_can_contact_domain( domain ) ) {
1020 DEBUG(10,("lookup_groupmem: No incoming trust for domain %s\n",
1022 return NT_STATUS_OK;
1025 ads = ads_cached_connection(domain);
1028 domain->last_status = NT_STATUS_SERVER_DISABLED;
1032 if ((sidbinstr = sid_binstring(talloc_tos(), group_sid)) == NULL) {
1033 status = NT_STATUS_NO_MEMORY;
1037 /* search for all members of the group */
1038 ldap_exp = talloc_asprintf(tmp_ctx, "(objectSid=%s)", sidbinstr);
1039 TALLOC_FREE(sidbinstr);
1040 if (ldap_exp == NULL) {
1041 DEBUG(1, ("ads: lookup_groupmem: talloc_asprintf for ldap_exp failed!\n"));
1042 status = NT_STATUS_NO_MEMORY;
1046 args.control = ADS_EXTENDED_DN_OID;
1047 args.val = ADS_EXTENDED_DN_HEX_STRING;
1048 args.critical = True;
1050 rc = ads_ranged_search(ads, tmp_ctx, LDAP_SCOPE_SUBTREE, ads->config.bind_path,
1051 ldap_exp, &args, "member", &members, &num_members);
1053 if (!ADS_ERR_OK(rc)) {
1054 DEBUG(0,("ads_ranged_search failed with: %s\n", ads_errstr(rc)));
1055 status = NT_STATUS_UNSUCCESSFUL;
1059 DEBUG(10, ("ads lookup_groupmem: got %d sids via extended dn call\n", (int)num_members));
1061 /* Now that we have a list of sids, we need to get the
1062 * lists of names and name_types belonging to these sids.
1063 * even though conceptually not quite clean, we use the
1064 * RPC call lsa_lookup_sids for this since it can handle a
1065 * list of sids. ldap calls can just resolve one sid at a time.
1067 * At this stage, the sids are still hidden in the exetended dn
1068 * member output format. We actually do a little better than
1069 * stated above: In extracting the sids from the member strings,
1070 * we try to resolve as many sids as possible from the
1071 * cache. Only the rest is passed to the lsa_lookup_sids call. */
1074 (*sid_mem) = TALLOC_ZERO_ARRAY(mem_ctx, struct dom_sid, num_members);
1075 (*names) = TALLOC_ZERO_ARRAY(mem_ctx, char *, num_members);
1076 (*name_types) = TALLOC_ZERO_ARRAY(mem_ctx, uint32, num_members);
1077 (sid_mem_nocache) = TALLOC_ZERO_ARRAY(tmp_ctx, struct dom_sid, num_members);
1079 if ((members == NULL) || (*sid_mem == NULL) ||
1080 (*names == NULL) || (*name_types == NULL) ||
1081 (sid_mem_nocache == NULL))
1083 DEBUG(1, ("ads: lookup_groupmem: talloc failed\n"));
1084 status = NT_STATUS_NO_MEMORY;
1091 (*name_types) = NULL;
1094 for (i=0; i<num_members; i++) {
1095 enum lsa_SidType name_type;
1096 char *name, *domain_name;
1099 rc = ads_get_sid_from_extended_dn(tmp_ctx, members[i], args.val,
1101 if (!ADS_ERR_OK(rc)) {
1102 if (NT_STATUS_EQUAL(ads_ntstatus(rc),
1103 NT_STATUS_NOT_FOUND)) {
1104 /* Group members can be objects, like Exchange
1105 * Public Folders, that don't have a SID. Skip
1110 status = ads_ntstatus(rc);
1114 if (lookup_cached_sid(mem_ctx, &sid, &domain_name, &name,
1116 DEBUG(10,("ads: lookup_groupmem: got sid %s from "
1117 "cache\n", sid_string_dbg(&sid)));
1118 sid_copy(&(*sid_mem)[*num_names], &sid);
1119 (*names)[*num_names] = fill_domain_username_talloc(
1125 (*name_types)[*num_names] = name_type;
1129 DEBUG(10, ("ads: lookup_groupmem: sid %s not found in "
1130 "cache\n", sid_string_dbg(&sid)));
1131 sid_copy(&(sid_mem_nocache)[num_nocache], &sid);
1136 DEBUG(10, ("ads: lookup_groupmem: %d sids found in cache, "
1137 "%d left for lsa_lookupsids\n", *num_names, num_nocache));
1139 /* handle sids not resolved from cache by lsa_lookup_sids */
1140 if (num_nocache > 0) {
1142 status = winbindd_lookup_sids(tmp_ctx,
1148 &name_types_nocache);
1150 if (!(NT_STATUS_IS_OK(status) ||
1151 NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED) ||
1152 NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)))
1154 DEBUG(1, ("lsa_lookupsids call failed with %s "
1155 "- retrying...\n", nt_errstr(status)));
1157 status = winbindd_lookup_sids(tmp_ctx,
1163 &name_types_nocache);
1166 if (NT_STATUS_IS_OK(status) ||
1167 NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED))
1169 /* Copy the entries over from the "_nocache" arrays
1170 * to the result arrays, skipping the gaps the
1171 * lookup_sids call left. */
1172 for (i=0; i < num_nocache; i++) {
1173 if (((names_nocache)[i] != NULL) &&
1174 ((name_types_nocache)[i] != SID_NAME_UNKNOWN))
1176 sid_copy(&(*sid_mem)[*num_names],
1177 &sid_mem_nocache[i]);
1178 (*names)[*num_names] =
1179 fill_domain_username_talloc(
1184 (*name_types)[*num_names] = name_types_nocache[i];
1189 else if (NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)) {
1190 DEBUG(10, ("lookup_groupmem: lsa_lookup_sids could "
1191 "not map any SIDs at all.\n"));
1192 /* Don't handle this as an error here.
1193 * There is nothing left to do with respect to the
1194 * overall result... */
1196 else if (!NT_STATUS_IS_OK(status)) {
1197 DEBUG(10, ("lookup_groupmem: Error looking up %d "
1198 "sids via rpc_lsa_lookup_sids: %s\n",
1199 (int)num_members, nt_errstr(status)));
1204 status = NT_STATUS_OK;
1205 DEBUG(3,("ads lookup_groupmem for sid=%s succeeded\n",
1206 sid_string_dbg(group_sid)));
1210 TALLOC_FREE(tmp_ctx);
1215 /* find the sequence number for a domain */
1216 static NTSTATUS sequence_number(struct winbindd_domain *domain, uint32 *seq)
1218 ADS_STRUCT *ads = NULL;
1221 DEBUG(3,("ads: fetch sequence_number for %s\n", domain->name));
1223 if ( !winbindd_can_contact_domain( domain ) ) {
1224 DEBUG(10,("sequence: No incoming trust for domain %s\n",
1227 return NT_STATUS_OK;
1230 *seq = DOM_SEQUENCE_NONE;
1232 ads = ads_cached_connection(domain);
1235 domain->last_status = NT_STATUS_SERVER_DISABLED;
1236 return NT_STATUS_UNSUCCESSFUL;
1239 rc = ads_USN(ads, seq);
1241 if (!ADS_ERR_OK(rc)) {
1243 /* its a dead connection, destroy it */
1245 if (domain->private_data) {
1246 ads = (ADS_STRUCT *)domain->private_data;
1247 ads->is_mine = True;
1249 ads_kdestroy("MEMORY:winbind_ccache");
1250 domain->private_data = NULL;
1253 return ads_ntstatus(rc);
1256 /* find the lockout policy of a domain - use rpc methods */
1257 static NTSTATUS lockout_policy(struct winbindd_domain *domain,
1258 TALLOC_CTX *mem_ctx,
1259 struct samr_DomInfo12 *policy)
1261 return reconnect_methods.lockout_policy(domain, mem_ctx, policy);
1264 /* find the password policy of a domain - use rpc methods */
1265 static NTSTATUS password_policy(struct winbindd_domain *domain,
1266 TALLOC_CTX *mem_ctx,
1267 struct samr_DomInfo1 *policy)
1269 return reconnect_methods.password_policy(domain, mem_ctx, policy);
1272 /* get a list of trusted domains */
1273 static NTSTATUS trusted_domains(struct winbindd_domain *domain,
1274 TALLOC_CTX *mem_ctx,
1275 struct netr_DomainTrustList *trusts)
1277 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1280 struct rpc_pipe_client *cli;
1283 DEBUG(3,("ads: trusted_domains\n"));
1285 ZERO_STRUCTP(trusts);
1287 /* If this is our primary domain or a root in our forest,
1288 query for all trusts. If not, then just look for domain
1289 trusts in the target forest */
1291 if (domain->primary || domain_is_forest_root(domain)) {
1292 flags = NETR_TRUST_FLAG_OUTBOUND |
1293 NETR_TRUST_FLAG_INBOUND |
1294 NETR_TRUST_FLAG_IN_FOREST;
1296 flags = NETR_TRUST_FLAG_IN_FOREST;
1299 result = cm_connect_netlogon(domain, &cli);
1301 if (!NT_STATUS_IS_OK(result)) {
1302 DEBUG(5, ("trusted_domains: Could not open a connection to %s "
1303 "for PIPE_NETLOGON (%s)\n",
1304 domain->name, nt_errstr(result)));
1305 return NT_STATUS_UNSUCCESSFUL;
1308 result = rpccli_netr_DsrEnumerateDomainTrusts(cli, mem_ctx,
1313 if (!NT_STATUS_IS_OK(result)) {
1316 if (trusts->count == 0) {
1317 return NT_STATUS_OK;
1320 /* Copy across names and sids */
1323 for (i = 0; i < trusts->count; i++) {
1324 struct netr_DomainTrust *trust = &trusts->array[i];
1325 struct winbindd_domain d;
1330 * drop external trusts if this is not our primary
1331 * domain. This means that the returned number of
1332 * domains may be less that the ones actually trusted
1336 if ((trust->trust_attributes
1337 == NETR_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) &&
1340 DEBUG(10,("trusted_domains: Skipping external trusted "
1341 "domain %s because it is outside of our "
1343 trust->netbios_name));
1347 /* add to the trusted domain cache */
1349 fstrcpy(d.name, trust->netbios_name);
1350 fstrcpy(d.alt_name, trust->dns_name);
1352 sid_copy(&d.sid, trust->sid);
1354 sid_copy(&d.sid, &global_sid_NULL);
1357 if ( domain->primary ) {
1358 DEBUG(10,("trusted_domains(ads): Searching "
1359 "trusted domain list of %s and storing "
1360 "trust flags for domain %s\n",
1361 domain->name, d.alt_name));
1363 d.domain_flags = trust->trust_flags;
1364 d.domain_type = trust->trust_type;
1365 d.domain_trust_attribs = trust->trust_attributes;
1367 wcache_tdc_add_domain( &d );
1369 } else if (domain_is_forest_root(domain)) {
1370 /* Check if we already have this record. If
1371 * we are following our forest root that is not
1372 * our primary domain, we want to keep trust
1373 * flags from the perspective of our primary
1374 * domain not our forest root. */
1375 struct winbindd_tdc_domain *exist = NULL;
1377 exist = wcache_tdc_fetch_domain(
1378 talloc_tos(), trust->netbios_name);
1380 DEBUG(10,("trusted_domains(ads): Searching "
1381 "trusted domain list of %s and "
1382 "storing trust flags for domain "
1383 "%s\n", domain->name, d.alt_name));
1384 d.domain_flags = trust->trust_flags;
1385 d.domain_type = trust->trust_type;
1386 d.domain_trust_attribs =
1387 trust->trust_attributes;
1389 wcache_tdc_add_domain( &d );
1394 /* This gets a little tricky. If we are
1395 following a transitive forest trust, then
1396 innerit the flags, type, and attribs from
1397 the domain we queried to make sure we don't
1398 record the view of the trust from the wrong
1399 side. Always view it from the side of our
1400 primary domain. --jerry */
1401 struct winbindd_tdc_domain *parent = NULL;
1403 DEBUG(10,("trusted_domains(ads): Searching "
1404 "trusted domain list of %s and inheriting "
1405 "trust flags for domain %s\n",
1406 domain->name, d.alt_name));
1408 parent = wcache_tdc_fetch_domain(talloc_tos(),
1411 d.domain_flags = parent->trust_flags;
1412 d.domain_type = parent->trust_type;
1413 d.domain_trust_attribs = parent->trust_attribs;
1415 d.domain_flags = domain->domain_flags;
1416 d.domain_type = domain->domain_type;
1417 d.domain_trust_attribs =
1418 domain->domain_trust_attribs;
1420 TALLOC_FREE(parent);
1422 wcache_tdc_add_domain( &d );
1429 /* the ADS backend methods are exposed via this structure */
1430 struct winbindd_methods ads_methods = {