2 Unix SMB/CIFS implementation.
4 Winbind rpc backend functions
6 Copyright (C) Tim Potter 2000-2001,2003
7 Copyright (C) Andrew Tridgell 2001
8 Copyright (C) Volker Lendecke 2005
9 Copyright (C) Guenther Deschner 2008 (pidl conversion)
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 3 of the License, or
14 (at your option) any later version.
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
21 You should have received a copy of the GNU General Public License
22 along with this program. If not, see <http://www.gnu.org/licenses/>.
27 #include "winbindd_rpc.h"
29 #include "../librpc/gen_ndr/ndr_samr_c.h"
30 #include "rpc_client/cli_pipe.h"
31 #include "rpc_client/cli_samr.h"
32 #include "rpc_client/cli_lsarpc.h"
33 #include "../libcli/security/security.h"
34 #include "libsmb/samlogon_cache.h"
37 #define DBGC_CLASS DBGC_WINBIND
39 static NTSTATUS winbindd_lookup_names(TALLOC_CTX *mem_ctx,
40 struct winbindd_domain *domain,
43 const char ***domains,
44 struct dom_sid **sids,
45 enum lsa_SidType **types);
47 /* Query display info for a domain. This returns enough information plus a
48 bit extra to give an overview of domain users for the User Manager
50 static NTSTATUS msrpc_query_user_list(struct winbindd_domain *domain,
54 struct rpc_pipe_client *samr_pipe = NULL;
55 struct policy_handle dom_pol;
56 uint32_t *rids = NULL;
60 DEBUG(3, ("msrpc_query_user_list\n"));
62 tmp_ctx = talloc_stackframe();
63 if (tmp_ctx == NULL) {
64 return NT_STATUS_NO_MEMORY;
67 if ( !winbindd_can_contact_domain( domain ) ) {
68 DEBUG(10,("query_user_list: No incoming trust for domain %s\n",
70 status = NT_STATUS_OK;
74 status = cm_connect_sam(domain, tmp_ctx, false, &samr_pipe, &dom_pol);
75 if (!NT_STATUS_IS_OK(status)) {
79 status = rpc_query_user_list(tmp_ctx,
84 if (!NT_STATUS_IS_OK(status)) {
89 *prids = talloc_move(mem_ctx, &rids);
98 /* list all domain groups */
99 static NTSTATUS msrpc_enum_dom_groups(struct winbindd_domain *domain,
102 struct wb_acct_info **pinfo)
104 struct rpc_pipe_client *samr_pipe;
105 struct policy_handle dom_pol;
106 struct wb_acct_info *info = NULL;
107 uint32_t num_info = 0;
111 DEBUG(3,("msrpc_enum_dom_groups\n"));
117 tmp_ctx = talloc_stackframe();
118 if (tmp_ctx == NULL) {
119 return NT_STATUS_NO_MEMORY;
122 if ( !winbindd_can_contact_domain( domain ) ) {
123 DEBUG(10,("enum_domain_groups: No incoming trust for domain %s\n",
125 status = NT_STATUS_OK;
129 status = cm_connect_sam(domain, tmp_ctx, false, &samr_pipe, &dom_pol);
130 if (!NT_STATUS_IS_OK(status)) {
134 status = rpc_enum_dom_groups(tmp_ctx,
139 if (!NT_STATUS_IS_OK(status)) {
144 *pnum_info = num_info;
148 *pinfo = talloc_move(mem_ctx, &info);
152 TALLOC_FREE(tmp_ctx);
156 /* List all domain groups */
158 static NTSTATUS msrpc_enum_local_groups(struct winbindd_domain *domain,
161 struct wb_acct_info **pinfo)
163 struct rpc_pipe_client *samr_pipe;
164 struct policy_handle dom_pol;
165 struct wb_acct_info *info = NULL;
166 uint32_t num_info = 0;
170 DEBUG(3,("msrpc_enum_local_groups\n"));
176 tmp_ctx = talloc_stackframe();
177 if (tmp_ctx == NULL) {
178 return NT_STATUS_NO_MEMORY;
181 if ( !winbindd_can_contact_domain( domain ) ) {
182 DEBUG(10,("enum_local_groups: No incoming trust for domain %s\n",
184 status = NT_STATUS_OK;
188 status = cm_connect_sam(domain, tmp_ctx, false, &samr_pipe, &dom_pol);
189 if (!NT_STATUS_IS_OK(status)) {
193 status = rpc_enum_local_groups(mem_ctx,
198 if (!NT_STATUS_IS_OK(status)) {
203 *pnum_info = num_info;
207 *pinfo = talloc_move(mem_ctx, &info);
211 TALLOC_FREE(tmp_ctx);
215 /* convert a single name to a sid in a domain */
216 static NTSTATUS msrpc_name_to_sid(struct winbindd_domain *domain,
218 const char *domain_name,
222 enum lsa_SidType *type)
225 struct dom_sid *sids = NULL;
226 enum lsa_SidType *types = NULL;
227 char *full_name = NULL;
228 const char *names[1];
229 const char **domains;
230 NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL;
231 char *mapped_name = NULL;
233 if (name == NULL || *name=='\0') {
234 full_name = talloc_asprintf(mem_ctx, "%s", domain_name);
235 } else if (domain_name == NULL || *domain_name == '\0') {
236 full_name = talloc_asprintf(mem_ctx, "%s", name);
238 full_name = talloc_asprintf(mem_ctx, "%s\\%s", domain_name, name);
241 DEBUG(0, ("talloc_asprintf failed!\n"));
242 return NT_STATUS_NO_MEMORY;
245 DEBUG(3, ("msrpc_name_to_sid: name=%s\n", full_name));
247 name_map_status = normalize_name_unmap(mem_ctx, full_name,
250 /* Reset the full_name pointer if we mapped anything */
252 if (NT_STATUS_IS_OK(name_map_status) ||
253 NT_STATUS_EQUAL(name_map_status, NT_STATUS_FILE_RENAMED))
255 full_name = mapped_name;
258 DEBUG(3,("name_to_sid [rpc] %s for domain %s\n",
259 full_name?full_name:"", domain_name ));
261 names[0] = full_name;
263 result = winbindd_lookup_names(mem_ctx, domain, 1,
266 if (!NT_STATUS_IS_OK(result))
269 /* Return rid and type if lookup successful */
271 sid_copy(sid, &sids[0]);
278 convert a domain SID to a user or group name
280 static NTSTATUS msrpc_sid_to_name(struct winbindd_domain *domain,
282 const struct dom_sid *sid,
285 enum lsa_SidType *type)
289 enum lsa_SidType *types = NULL;
291 NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL;
292 char *mapped_name = NULL;
293 struct dom_sid_buf buf;
295 DEBUG(3, ("msrpc_sid_to_name: %s for domain %s\n",
296 dom_sid_str_buf(sid, &buf),
299 result = winbindd_lookup_sids(mem_ctx,
306 if (!NT_STATUS_IS_OK(result)) {
307 DEBUG(2,("msrpc_sid_to_name: failed to lookup sids: %s\n",
313 *type = (enum lsa_SidType)types[0];
314 *domain_name = domains[0];
317 DEBUG(5,("Mapped sid to [%s]\\[%s]\n", domains[0], *name));
319 name_map_status = normalize_name_map(mem_ctx, domain->name, *name,
321 if (NT_STATUS_IS_OK(name_map_status) ||
322 NT_STATUS_EQUAL(name_map_status, NT_STATUS_FILE_RENAMED))
325 DEBUG(5,("returning mapped name -- %s\n", *name));
331 static NTSTATUS msrpc_rids_to_names(struct winbindd_domain *domain,
333 const struct dom_sid *sid,
338 enum lsa_SidType **types)
342 struct dom_sid *sids;
346 DEBUG(3, ("msrpc_rids_to_names: domain %s\n", domain->name ));
349 sids = talloc_array(mem_ctx, struct dom_sid, num_rids);
351 return NT_STATUS_NO_MEMORY;
357 for (i=0; i<num_rids; i++) {
358 if (!sid_compose(&sids[i], sid, rids[i])) {
359 return NT_STATUS_INTERNAL_ERROR;
363 result = winbindd_lookup_sids(mem_ctx,
371 if (!NT_STATUS_IS_OK(result) &&
372 !NT_STATUS_EQUAL(result, STATUS_SOME_UNMAPPED)) {
377 for (i=0; i<num_rids; i++) {
378 NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL;
379 char *mapped_name = NULL;
381 if ((*types)[i] != SID_NAME_UNKNOWN) {
382 name_map_status = normalize_name_map(mem_ctx,
386 if (NT_STATUS_IS_OK(name_map_status) ||
387 NT_STATUS_EQUAL(name_map_status, NT_STATUS_FILE_RENAMED))
389 ret_names[i] = mapped_name;
392 *domain_name = domains[i];
399 /* Lookup groups a user is a member of. I wish Unix had a call like this! */
400 static NTSTATUS msrpc_lookup_usergroups(struct winbindd_domain *domain,
402 const struct dom_sid *user_sid,
403 uint32_t *pnum_groups,
404 struct dom_sid **puser_grpsids)
406 struct rpc_pipe_client *samr_pipe;
407 struct policy_handle dom_pol;
408 struct dom_sid *user_grpsids = NULL;
409 struct dom_sid_buf buf;
410 uint32_t num_groups = 0;
414 DEBUG(3,("msrpc_lookup_usergroups sid=%s\n",
415 dom_sid_str_buf(user_sid, &buf)));
419 tmp_ctx = talloc_stackframe();
420 if (tmp_ctx == NULL) {
421 return NT_STATUS_NO_MEMORY;
424 /* Check if we have a cached user_info_3 */
425 status = lookup_usergroups_cached(tmp_ctx,
429 if (NT_STATUS_IS_OK(status)) {
433 if ( !winbindd_can_contact_domain( domain ) ) {
434 DEBUG(10,("lookup_usergroups: No incoming trust for domain %s\n",
437 /* Tell the cache manager not to remember this one */
438 status = NT_STATUS_SYNCHRONIZATION_REQUIRED;
442 /* no cache; hit the wire */
443 status = cm_connect_sam(domain, tmp_ctx, false, &samr_pipe, &dom_pol);
444 if (!NT_STATUS_IS_OK(status)) {
448 status = rpc_lookup_usergroups(tmp_ctx,
455 if (!NT_STATUS_IS_OK(status)) {
460 *pnum_groups = num_groups;
463 *puser_grpsids = talloc_move(mem_ctx, &user_grpsids);
467 TALLOC_FREE(tmp_ctx);
472 #define MAX_SAM_ENTRIES_W2K 0x400 /* 1024 */
474 static NTSTATUS msrpc_lookup_useraliases(struct winbindd_domain *domain,
476 uint32_t num_sids, const struct dom_sid *sids,
477 uint32_t *pnum_aliases,
478 uint32_t **palias_rids)
480 struct rpc_pipe_client *samr_pipe;
481 struct policy_handle dom_pol;
482 uint32_t num_aliases = 0;
483 uint32_t *alias_rids = NULL;
487 DEBUG(3,("msrpc_lookup_useraliases\n"));
493 tmp_ctx = talloc_stackframe();
494 if (tmp_ctx == NULL) {
495 return NT_STATUS_NO_MEMORY;
498 if (!winbindd_can_contact_domain(domain)) {
499 DEBUG(10,("msrpc_lookup_useraliases: No incoming trust for domain %s\n",
501 /* Tell the cache manager not to remember this one */
502 status = NT_STATUS_SYNCHRONIZATION_REQUIRED;
506 status = cm_connect_sam(domain, tmp_ctx, false, &samr_pipe, &dom_pol);
507 if (!NT_STATUS_IS_OK(status)) {
511 status = rpc_lookup_useraliases(tmp_ctx,
518 if (!NT_STATUS_IS_OK(status)) {
523 *pnum_aliases = num_aliases;
527 *palias_rids = talloc_move(mem_ctx, &alias_rids);
531 TALLOC_FREE(tmp_ctx);
536 /* Lookup group membership given a rid. */
537 static NTSTATUS msrpc_lookup_groupmem(struct winbindd_domain *domain,
539 const struct dom_sid *group_sid,
540 enum lsa_SidType type,
542 struct dom_sid **sid_mem,
544 uint32_t **name_types)
546 NTSTATUS status, result;
547 uint32_t i, total_names = 0;
548 struct policy_handle dom_pol, group_pol;
549 uint32_t des_access = SEC_FLAG_MAXIMUM_ALLOWED;
550 uint32_t *rid_mem = NULL;
553 struct rpc_pipe_client *cli;
554 unsigned int orig_timeout;
555 struct samr_RidAttrArray *rids = NULL;
556 struct dcerpc_binding_handle *b;
557 struct dom_sid_buf buf;
559 DEBUG(3,("msrpc_lookup_groupmem: %s sid=%s\n", domain->name,
560 dom_sid_str_buf(group_sid, &buf)));
562 if ( !winbindd_can_contact_domain( domain ) ) {
563 DEBUG(10,("lookup_groupmem: No incoming trust for domain %s\n",
568 if (!sid_peek_check_rid(&domain->sid, group_sid, &group_rid))
569 return NT_STATUS_UNSUCCESSFUL;
573 result = cm_connect_sam(domain, mem_ctx, false, &cli, &dom_pol);
574 if (!NT_STATUS_IS_OK(result))
577 b = cli->binding_handle;
579 status = dcerpc_samr_OpenGroup(b, mem_ctx,
585 if (any_nt_status_not_ok(status, result, &status)) {
589 /* Step #1: Get a list of user rids that are the members of the
592 /* This call can take a long time - allow the server to time out.
593 35 seconds should do it. */
595 orig_timeout = rpccli_set_timeout(cli, 35000);
597 status = dcerpc_samr_QueryGroupMember(b, mem_ctx,
602 /* And restore our original timeout. */
603 rpccli_set_timeout(cli, orig_timeout);
607 dcerpc_samr_Close(b, mem_ctx, &group_pol, &_result);
610 if (any_nt_status_not_ok(status, result, &status)) {
614 if (!rids || !rids->count) {
621 *num_names = rids->count;
622 rid_mem = rids->rids;
624 /* Step #2: Convert list of rids into list of usernames. Do this
625 in bunches of ~1000 to avoid crashing NT4. It looks like there
626 is a buffer overflow or something like that lurking around
629 #define MAX_LOOKUP_RIDS 900
631 *names = talloc_zero_array(mem_ctx, char *, *num_names);
632 *name_types = talloc_zero_array(mem_ctx, uint32_t, *num_names);
633 *sid_mem = talloc_zero_array(mem_ctx, struct dom_sid, *num_names);
635 for (j=0;j<(*num_names);j++)
636 sid_compose(&(*sid_mem)[j], &domain->sid, rid_mem[j]);
638 if (*num_names>0 && (!*names || !*name_types))
639 return NT_STATUS_NO_MEMORY;
641 for (i = 0; i < *num_names; i += MAX_LOOKUP_RIDS) {
642 int num_lookup_rids = MIN(*num_names - i, MAX_LOOKUP_RIDS);
643 struct lsa_Strings tmp_names;
644 struct samr_Ids tmp_types;
646 /* Lookup a chunk of rids */
648 status = dcerpc_samr_LookupRids(b, mem_ctx,
655 if (!NT_STATUS_IS_OK(status)) {
659 /* see if we have a real error (and yes the
660 STATUS_SOME_UNMAPPED is the one returned from 2k) */
662 if (!NT_STATUS_IS_OK(result) &&
663 !NT_STATUS_EQUAL(result, STATUS_SOME_UNMAPPED))
666 /* Copy result into array. The talloc system will take
667 care of freeing the temporary arrays later on. */
669 if (tmp_names.count != num_lookup_rids) {
670 return NT_STATUS_INVALID_NETWORK_RESPONSE;
672 if (tmp_types.count != num_lookup_rids) {
673 return NT_STATUS_INVALID_NETWORK_RESPONSE;
676 for (r=0; r<tmp_names.count; r++) {
677 if (tmp_types.ids[r] == SID_NAME_UNKNOWN) {
680 if (total_names >= *num_names) {
683 (*names)[total_names] = fill_domain_username_talloc(
684 mem_ctx, domain->name,
685 tmp_names.names[r].string, true);
686 (*name_types)[total_names] = tmp_types.ids[r];
691 *num_names = total_names;
700 static int get_ldap_seq(const char *server, struct sockaddr_storage *ss, int port, uint32_t *seq)
704 const char *attrs[] = {"highestCommittedUSN", NULL};
705 LDAPMessage *res = NULL;
706 char **values = NULL;
709 *seq = DOM_SEQUENCE_NONE;
712 * Parameterised (5) second timeout on open. This is needed as the
713 * search timeout doesn't seem to apply to doing an open as well. JRA.
716 ldp = ldap_open_with_timeout(server, ss, port, lp_ldap_timeout());
720 /* Timeout if no response within 20 seconds. */
724 if (ldap_search_st(ldp, "", LDAP_SCOPE_BASE, "(objectclass=*)",
725 discard_const_p(char *, attrs), 0, &to, &res))
728 if (ldap_count_entries(ldp, res) != 1)
731 values = ldap_get_values(ldp, res, "highestCommittedUSN");
732 if (!values || !values[0])
735 *seq = atoi(values[0]);
741 ldap_value_free(values);
749 /**********************************************************************
750 Get the sequence number for a Windows AD native mode domain using
752 **********************************************************************/
754 static int get_ldap_sequence_number(struct winbindd_domain *domain, uint32_t *seq)
757 char addr[INET6_ADDRSTRLEN];
759 print_sockaddr(addr, sizeof(addr), &domain->dcaddr);
760 if ((ret = get_ldap_seq(addr, &domain->dcaddr, LDAP_PORT, seq)) == 0) {
761 DEBUG(3, ("get_ldap_sequence_number: Retrieved sequence "
762 "number for Domain (%s) from DC (%s)\n",
763 domain->name, addr));
768 #endif /* HAVE_LDAP */
770 /* find the sequence number for a domain */
771 static NTSTATUS msrpc_sequence_number(struct winbindd_domain *domain,
774 struct rpc_pipe_client *samr_pipe;
775 struct policy_handle dom_pol;
776 uint32_t seq = DOM_SEQUENCE_NONE;
780 DEBUG(3, ("msrpc_sequence_number: fetch sequence_number for %s\n", domain->name));
783 *pseq = DOM_SEQUENCE_NONE;
786 tmp_ctx = talloc_stackframe();
787 if (tmp_ctx == NULL) {
788 return NT_STATUS_NO_MEMORY;
791 if ( !winbindd_can_contact_domain( domain ) ) {
792 DEBUG(10,("sequence_number: No incoming trust for domain %s\n",
797 status = NT_STATUS_OK;
802 if (domain->active_directory) {
805 DEBUG(8,("using get_ldap_seq() to retrieve the "
806 "sequence number\n"));
808 rc = get_ldap_sequence_number(domain, &seq);
810 DEBUG(10,("domain_sequence_number: LDAP for "
818 status = NT_STATUS_OK;
822 DEBUG(10,("domain_sequence_number: failed to get LDAP "
823 "sequence number for domain %s\n",
826 #endif /* HAVE_LDAP */
828 status = cm_connect_sam(domain, tmp_ctx, false, &samr_pipe, &dom_pol);
829 if (!NT_STATUS_IS_OK(status)) {
833 status = rpc_sequence_number(tmp_ctx,
838 if (!NT_STATUS_IS_OK(status)) {
847 TALLOC_FREE(tmp_ctx);
851 /* get a list of trusted domains */
852 static NTSTATUS msrpc_trusted_domains(struct winbindd_domain *domain,
854 struct netr_DomainTrustList *ptrust_list)
856 struct rpc_pipe_client *lsa_pipe;
857 struct policy_handle lsa_policy;
858 struct netr_DomainTrust *trusts = NULL;
859 uint32_t num_trusts = 0;
863 DEBUG(3,("msrpc_trusted_domains\n"));
866 ZERO_STRUCTP(ptrust_list);
869 tmp_ctx = talloc_stackframe();
870 if (tmp_ctx == NULL) {
871 return NT_STATUS_NO_MEMORY;
874 status = cm_connect_lsa(domain, tmp_ctx, &lsa_pipe, &lsa_policy);
875 if (!NT_STATUS_IS_OK(status)) {
879 status = rpc_trusted_domains(tmp_ctx,
884 if (!NT_STATUS_IS_OK(status)) {
889 ptrust_list->count = num_trusts;
890 ptrust_list->array = talloc_move(mem_ctx, &trusts);
894 TALLOC_FREE(tmp_ctx);
898 /* find the lockout policy for a domain */
899 static NTSTATUS msrpc_lockout_policy(struct winbindd_domain *domain,
901 struct samr_DomInfo12 *lockout_policy)
903 NTSTATUS status, result;
904 struct rpc_pipe_client *cli;
905 struct policy_handle dom_pol;
906 union samr_DomainInfo *info = NULL;
907 struct dcerpc_binding_handle *b;
909 DEBUG(3, ("msrpc_lockout_policy: fetch lockout policy for %s\n", domain->name));
911 if ( !winbindd_can_contact_domain( domain ) ) {
912 DEBUG(10,("msrpc_lockout_policy: No incoming trust for domain %s\n",
914 return NT_STATUS_NOT_SUPPORTED;
917 status = cm_connect_sam(domain, mem_ctx, false, &cli, &dom_pol);
918 if (!NT_STATUS_IS_OK(status)) {
922 b = cli->binding_handle;
924 status = dcerpc_samr_QueryDomainInfo(b, mem_ctx,
926 DomainLockoutInformation,
929 if (any_nt_status_not_ok(status, result, &status)) {
933 *lockout_policy = info->info12;
935 DEBUG(10,("msrpc_lockout_policy: lockout_threshold %d\n",
936 info->info12.lockout_threshold));
943 /* find the password policy for a domain */
944 static NTSTATUS msrpc_password_policy(struct winbindd_domain *domain,
946 struct samr_DomInfo1 *password_policy)
948 NTSTATUS status, result;
949 struct rpc_pipe_client *cli;
950 struct policy_handle dom_pol;
951 union samr_DomainInfo *info = NULL;
952 struct dcerpc_binding_handle *b;
954 DEBUG(3, ("msrpc_password_policy: fetch password policy for %s\n",
957 if ( !winbindd_can_contact_domain( domain ) ) {
958 DEBUG(10,("msrpc_password_policy: No incoming trust for domain %s\n",
960 return NT_STATUS_NOT_SUPPORTED;
963 status = cm_connect_sam(domain, mem_ctx, false, &cli, &dom_pol);
964 if (!NT_STATUS_IS_OK(status)) {
968 b = cli->binding_handle;
970 status = dcerpc_samr_QueryDomainInfo(b, mem_ctx,
972 DomainPasswordInformation,
975 if (!NT_STATUS_IS_OK(status)) {
978 if (!NT_STATUS_IS_OK(result)) {
982 *password_policy = info->info1;
984 DEBUG(10,("msrpc_password_policy: min_length_password %d\n",
985 info->info1.min_password_length));
992 static enum lsa_LookupNamesLevel winbindd_lookup_level(
993 struct winbindd_domain *domain)
995 enum lsa_LookupNamesLevel level = LSA_LOOKUP_NAMES_DOMAINS_ONLY;
997 if (domain->internal) {
998 level = LSA_LOOKUP_NAMES_ALL;
999 } else if (domain->secure_channel_type == SEC_CHAN_DNS_DOMAIN) {
1000 if (domain->domain_flags & NETR_TRUST_FLAG_IN_FOREST) {
1004 * Depending on what we want to resolve. We need to use:
1005 * 1. LsapLookupXForestReferral(5)/LSA_LOOKUP_NAMES_FOREST_TRUSTS_ONLY
1006 * if we want to pass the request into the direction of the forest
1007 * root domain. The forest root domain uses
1008 * LsapLookupXForestResolve(6)/LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2
1009 * when passing the request to trusted forests.
1010 * 2. LsapLookupGC(4)/LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY
1011 * if we're not a GC and want to resolve a name within our own forest.
1013 * As we don't support more than one domain in our own forest
1014 * and always try to be a GC for now, we just set
1015 * LSA_LOOKUP_NAMES_FOREST_TRUSTS_ONLY.
1017 level = LSA_LOOKUP_NAMES_FOREST_TRUSTS_ONLY;
1018 } else if (domain->domain_trust_attribs & LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) {
1020 * This is LsapLookupXForestResolve(6)/LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2
1022 level = LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2;
1025 * This is LsapLookupTDL(3)/LSA_LOOKUP_NAMES_PRIMARY_DOMAIN_ONLY
1027 level = LSA_LOOKUP_NAMES_PRIMARY_DOMAIN_ONLY;
1029 } else if (domain->secure_channel_type == SEC_CHAN_DOMAIN) {
1031 * This is LsapLookupTDL(3)/LSA_LOOKUP_NAMES_PRIMARY_DOMAIN_ONLY
1033 level = LSA_LOOKUP_NAMES_PRIMARY_DOMAIN_ONLY;
1034 } else if (domain->rodc) {
1035 level = LSA_LOOKUP_NAMES_RODC_REFERRAL_TO_FULL_DC;
1038 * This is LsapLookupPDC(2)/LSA_LOOKUP_NAMES_DOMAINS_ONLY
1040 level = LSA_LOOKUP_NAMES_DOMAINS_ONLY;
1046 NTSTATUS winbindd_lookup_sids(TALLOC_CTX *mem_ctx,
1047 struct winbindd_domain *domain,
1049 const struct dom_sid *sids,
1052 enum lsa_SidType **types)
1056 struct rpc_pipe_client *cli = NULL;
1057 struct dcerpc_binding_handle *b = NULL;
1058 struct policy_handle lsa_policy;
1059 unsigned int orig_timeout;
1060 bool use_lookupsids3 = false;
1061 bool retried = false;
1062 enum lsa_LookupNamesLevel level = LSA_LOOKUP_NAMES_ALL;
1065 status = cm_connect_lsat(domain, mem_ctx, &cli, &lsa_policy);
1066 if (!NT_STATUS_IS_OK(status)) {
1070 b = cli->binding_handle;
1072 if (cli->transport->transport == NCACN_IP_TCP) {
1073 use_lookupsids3 = true;
1076 level = winbindd_lookup_level(domain);
1079 * This call can take a long time
1080 * allow the server to time out.
1081 * 35 seconds should do it.
1083 orig_timeout = dcerpc_binding_handle_set_timeout(b, 35000);
1085 status = dcerpc_lsa_lookup_sids_generic(b,
1097 /* And restore our original timeout. */
1098 dcerpc_binding_handle_set_timeout(b, orig_timeout);
1100 if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) ||
1101 NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR) ||
1102 NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED)) {
1104 * This can happen if the schannel key is not
1105 * valid anymore, we need to invalidate the
1106 * all connections to the dc and reestablish
1107 * a netlogon connection first.
1109 invalidate_cm_connection(domain);
1110 domain->can_do_ncacn_ip_tcp = domain->active_directory;
1115 status = NT_STATUS_ACCESS_DENIED;
1118 if (any_nt_status_not_ok(status, result, &status)) {
1122 return NT_STATUS_OK;
1125 static NTSTATUS winbindd_lookup_names(TALLOC_CTX *mem_ctx,
1126 struct winbindd_domain *domain,
1129 const char ***domains,
1130 struct dom_sid **sids,
1131 enum lsa_SidType **types)
1135 struct rpc_pipe_client *cli = NULL;
1136 struct dcerpc_binding_handle *b = NULL;
1137 struct policy_handle lsa_policy;
1138 unsigned int orig_timeout = 0;
1139 bool use_lookupnames4 = false;
1140 bool retried = false;
1141 enum lsa_LookupNamesLevel level = LSA_LOOKUP_NAMES_ALL;
1144 status = cm_connect_lsat(domain, mem_ctx, &cli, &lsa_policy);
1145 if (!NT_STATUS_IS_OK(status)) {
1149 b = cli->binding_handle;
1151 if (cli->transport->transport == NCACN_IP_TCP) {
1152 use_lookupnames4 = true;
1155 level = winbindd_lookup_level(domain);
1158 * This call can take a long time
1159 * allow the server to time out.
1160 * 35 seconds should do it.
1162 orig_timeout = dcerpc_binding_handle_set_timeout(b, 35000);
1164 status = dcerpc_lsa_lookup_names_generic(b,
1168 (const char **) names,
1176 /* And restore our original timeout. */
1177 dcerpc_binding_handle_set_timeout(b, orig_timeout);
1179 if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) ||
1180 NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR) ||
1181 NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED)) {
1183 * This can happen if the schannel key is not
1184 * valid anymore, we need to invalidate the
1185 * all connections to the dc and reestablish
1186 * a netlogon connection first.
1188 invalidate_cm_connection(domain);
1193 status = NT_STATUS_ACCESS_DENIED;
1196 if (any_nt_status_not_ok(status, result, &status)) {
1200 return NT_STATUS_OK;
1203 /* the rpc backend methods are exposed via this structure */
1204 struct winbindd_methods msrpc_methods = {
1206 msrpc_query_user_list,
1207 msrpc_enum_dom_groups,
1208 msrpc_enum_local_groups,
1211 msrpc_rids_to_names,
1212 msrpc_lookup_usergroups,
1213 msrpc_lookup_useraliases,
1214 msrpc_lookup_groupmem,
1215 msrpc_sequence_number,
1216 msrpc_lockout_policy,
1217 msrpc_password_policy,
1218 msrpc_trusted_domains,