2 Unix SMB/CIFS implementation.
4 Winbind ADS backend functions
6 Copyright (C) Andrew Tridgell 2001
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003
8 Copyright (C) Gerald (Jerry) Carter 2004
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
26 #include "winbindd_ads.h"
27 #include "rpc_client/rpc_client.h"
28 #include "../librpc/gen_ndr/ndr_netlogon_c.h"
29 #include "../libds/common/flags.h"
31 #include "../libcli/ldap/ldap_ndr.h"
32 #include "../libcli/security/security.h"
33 #include "../libds/common/flag_mapping.h"
34 #include "libsmb/samlogon_cache.h"
40 #define DBGC_CLASS DBGC_WINBIND
42 extern struct winbindd_methods reconnect_methods;
43 extern struct winbindd_methods msrpc_methods;
45 #define WINBIND_CCACHE_NAME "MEMORY:winbind_ccache"
48 * Check if cached connection can be reused. If the connection cannot
49 * be reused the ADS_STRUCT is freed and the pointer is set to NULL.
51 static void ads_cached_connection_reuse(ADS_STRUCT **adsp)
54 ADS_STRUCT *ads = *adsp;
58 time_t now = time(NULL);
60 expire = MIN(ads->auth.tgt_expire, ads->auth.tgs_expire);
62 DEBUG(7, ("Current tickets expire in %d seconds (at %d, time "
63 "is now %d)\n", (uint32_t)expire - (uint32_t)now,
64 (uint32_t) expire, (uint32_t) now));
66 if ( ads->config.realm && (expire > now)) {
69 /* we own this ADS_STRUCT so make sure it goes away */
70 DEBUG(7,("Deleting expired krb5 credential cache\n"));
73 ads_kdestroy(WINBIND_CCACHE_NAME);
80 * @brief Establish a connection to a DC
82 * @param[out] adsp ADS_STRUCT that will be created
83 * @param[in] target_realm Realm of domain to connect to
84 * @param[in] target_dom_name 'workgroup' name of domain to connect to
85 * @param[in] ldap_server DNS name of server to connect to
86 * @param[in] password Our machine acount secret
87 * @param[in] auth_realm Realm of local domain for creating krb token
88 * @param[in] renewable Renewable ticket time
92 static ADS_STATUS ads_cached_connection_connect(ADS_STRUCT **adsp,
93 const char *target_realm,
94 const char *target_dom_name,
95 const char *ldap_server,
102 struct sockaddr_storage dc_ss;
105 if (auth_realm == NULL) {
106 return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
109 /* we don't want this to affect the users ccache */
110 setenv("KRB5CCNAME", WINBIND_CCACHE_NAME, 1);
112 ads = ads_init(target_realm, target_dom_name, ldap_server);
114 DEBUG(1,("ads_init for domain %s failed\n", target_dom_name));
115 return ADS_ERROR(LDAP_NO_MEMORY);
118 SAFE_FREE(ads->auth.password);
119 SAFE_FREE(ads->auth.realm);
121 ads->auth.renewable = renewable;
122 ads->auth.password = password;
124 ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
126 ads->auth.realm = SMB_STRDUP(auth_realm);
127 if (!strupper_m(ads->auth.realm)) {
129 return ADS_ERROR_NT(NT_STATUS_INTERNAL_ERROR);
132 /* Setup the server affinity cache. We don't reaally care
133 about the name. Just setup affinity and the KRB5_CONFIG
135 get_dc_name(ads->server.workgroup, ads->server.realm, dc_name, &dc_ss);
137 status = ads_connect(ads);
138 if (!ADS_ERR_OK(status)) {
139 DEBUG(1,("ads_connect for domain %s failed: %s\n",
140 target_dom_name, ads_errstr(status)));
145 /* set the flag that says we don't own the memory even
146 though we do so that ads_destroy() won't destroy the
147 structure we pass back by reference */
149 ads->is_mine = False;
156 ADS_STATUS ads_idmap_cached_connection(ADS_STRUCT **adsp, const char *dom_name)
158 char *ldap_server, *realm, *password;
159 struct winbindd_domain *wb_dom;
162 ads_cached_connection_reuse(adsp);
168 * At this point we only have the NetBIOS domain name.
169 * Check if we can get server nam and realm from SAF cache
170 * and the domain list.
172 ldap_server = saf_fetch(talloc_tos(), dom_name);
173 DEBUG(10, ("ldap_server from saf cache: '%s'\n",
174 ldap_server ? ldap_server : ""));
176 wb_dom = find_domain_from_name(dom_name);
177 if (wb_dom == NULL) {
178 DEBUG(10, ("could not find domain '%s'\n", dom_name));
179 return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
182 DEBUG(10, ("find_domain_from_name found realm '%s' for "
183 " domain '%s'\n", wb_dom->alt_name, dom_name));
185 if (!get_trust_pw_clear(dom_name, &password, NULL, NULL)) {
186 TALLOC_FREE(ldap_server);
187 return ADS_ERROR_NT(NT_STATUS_CANT_ACCESS_DOMAIN_INFO);
191 SMB_ASSERT(wb_dom->alt_name != NULL);
192 realm = SMB_STRDUP(wb_dom->alt_name);
194 struct winbindd_domain *our_domain = wb_dom;
196 /* always give preference to the alt_name in our
197 primary domain if possible */
199 if (!wb_dom->primary) {
200 our_domain = find_our_domain();
203 if (our_domain->alt_name != NULL) {
204 realm = SMB_STRDUP(our_domain->alt_name);
206 realm = SMB_STRDUP(lp_realm());
210 status = ads_cached_connection_connect(
211 adsp, /* Returns ads struct. */
212 wb_dom->alt_name, /* realm to connect to. */
213 dom_name, /* 'workgroup' name for ads_init */
214 ldap_server, /* DNS name to connect to. */
215 password, /* password for auth realm. */
216 realm, /* realm used for krb5 ticket. */
217 0); /* renewable ticket time. */
220 TALLOC_FREE(ldap_server);
226 return our ads connections structure for a domain. We keep the connection
227 open to make things faster
229 static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain)
232 char *password, *realm;
234 DEBUG(10,("ads_cached_connection\n"));
235 ads_cached_connection_reuse((ADS_STRUCT **)&domain->private_data);
237 if (domain->private_data) {
238 return (ADS_STRUCT *)domain->private_data;
241 /* the machine acct password might have change - fetch it every time */
243 if (!get_trust_pw_clear(domain->name, &password, NULL, NULL)) {
248 SMB_ASSERT(domain->alt_name != NULL);
249 realm = SMB_STRDUP(domain->alt_name);
252 struct winbindd_domain *our_domain = domain;
255 /* always give preference to the alt_name in our
256 primary domain if possible */
258 if ( !domain->primary )
259 our_domain = find_our_domain();
261 if (our_domain->alt_name != NULL) {
262 realm = SMB_STRDUP( our_domain->alt_name );
265 realm = SMB_STRDUP( lp_realm() );
268 status = ads_cached_connection_connect(
269 (ADS_STRUCT **)&domain->private_data,
273 WINBINDD_PAM_AUTH_KRB5_RENEW_TIME);
276 if (!ADS_ERR_OK(status)) {
277 /* if we get ECONNREFUSED then it might be a NT4
278 server, fall back to MSRPC */
279 if (status.error_type == ENUM_ADS_ERROR_SYSTEM &&
280 status.err.rc == ECONNREFUSED) {
281 /* 'reconnect_methods' is the MS-RPC backend. */
282 DEBUG(1,("Trying MSRPC methods\n"));
283 domain->backend = &reconnect_methods;
288 return (ADS_STRUCT *)domain->private_data;
291 /* Query display info for a realm. This is the basic user list fn */
292 static NTSTATUS query_user_list(struct winbindd_domain *domain,
296 ADS_STRUCT *ads = NULL;
297 const char *attrs[] = { "sAMAccountType", "objectSid", NULL };
299 uint32_t *rids = NULL;
301 LDAPMessage *res = NULL;
302 LDAPMessage *msg = NULL;
303 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
305 DEBUG(3,("ads: query_user_list\n"));
307 if ( !winbindd_can_contact_domain( domain ) ) {
308 DEBUG(10,("query_user_list: No incoming trust for domain %s\n",
313 ads = ads_cached_connection(domain);
316 domain->last_status = NT_STATUS_SERVER_DISABLED;
320 rc = ads_search_retry(ads, &res, "(objectCategory=user)", attrs);
321 if (!ADS_ERR_OK(rc)) {
322 DEBUG(1,("query_user_list ads_search: %s\n", ads_errstr(rc)));
323 status = ads_ntstatus(rc);
326 DEBUG(1,("query_user_list ads_search returned NULL res\n"));
330 count = ads_count_replies(ads, res);
332 DEBUG(1,("query_user_list: No users found\n"));
336 rids = talloc_zero_array(mem_ctx, uint32_t, count);
338 status = NT_STATUS_NO_MEMORY;
344 for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
345 struct dom_sid user_sid;
349 ok = ads_pull_uint32(ads, msg, "sAMAccountType", &atype);
351 DBG_INFO("Object lacks sAMAccountType attribute\n");
354 if (ds_atype_map(atype) != SID_NAME_USER) {
355 DBG_INFO("Not a user account? atype=0x%x\n", atype);
359 if (!ads_pull_sid(ads, msg, "objectSid", &user_sid)) {
360 char *dn = ads_get_dn(ads, talloc_tos(), msg);
361 DBG_INFO("No sid for %s !?\n", dn);
366 if (!dom_sid_in_domain(&domain->sid, &user_sid)) {
367 fstring sidstr, domstr;
368 DBG_WARNING("Got sid %s in domain %s\n",
369 sid_to_fstring(sidstr, &user_sid),
370 sid_to_fstring(domstr, &domain->sid));
374 sid_split_rid(&user_sid, &rids[count]);
378 rids = talloc_realloc(mem_ctx, rids, uint32_t, count);
383 status = NT_STATUS_OK;
385 DBG_NOTICE("ads query_user_list gave %d entries\n", count);
391 /* list all domain groups */
392 static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
394 uint32_t *num_entries,
395 struct wb_acct_info **info)
397 ADS_STRUCT *ads = NULL;
398 const char *attrs[] = {"userPrincipalName", "sAMAccountName",
399 "name", "objectSid", NULL};
402 LDAPMessage *res = NULL;
403 LDAPMessage *msg = NULL;
404 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
406 bool enum_dom_local_groups = False;
410 DEBUG(3,("ads: enum_dom_groups\n"));
412 if ( !winbindd_can_contact_domain( domain ) ) {
413 DEBUG(10,("enum_dom_groups: No incoming trust for domain %s\n",
418 /* only grab domain local groups for our domain */
419 if ( domain->active_directory && strequal(lp_realm(), domain->alt_name) ) {
420 enum_dom_local_groups = True;
423 /* Workaround ADS LDAP bug present in MS W2K3 SP0 and W2K SP4 w/o
426 * According to Section 5.1(4) of RFC 2251 if a value of a type is it's
427 * default value, it MUST be absent. In case of extensible matching the
428 * "dnattr" boolean defaults to FALSE and so it must be only be present
431 * When it is set to FALSE and the OpenLDAP lib (correctly) encodes a
432 * filter using bitwise matching rule then the buggy AD fails to decode
433 * the extensible match. As a workaround set it to TRUE and thereby add
434 * the dnAttributes "dn" field to cope with those older AD versions.
435 * It should not harm and won't put any additional load on the AD since
436 * none of the dn components have a bitmask-attribute.
438 * Thanks to Ralf Haferkamp for input and testing - Guenther */
440 filter = talloc_asprintf(mem_ctx, "(&(objectCategory=group)(&(groupType:dn:%s:=%d)(!(groupType:dn:%s:=%d))))",
441 ADS_LDAP_MATCHING_RULE_BIT_AND, GROUP_TYPE_SECURITY_ENABLED,
442 ADS_LDAP_MATCHING_RULE_BIT_AND,
443 enum_dom_local_groups ? GROUP_TYPE_BUILTIN_LOCAL_GROUP : GROUP_TYPE_RESOURCE_GROUP);
445 if (filter == NULL) {
446 status = NT_STATUS_NO_MEMORY;
450 ads = ads_cached_connection(domain);
453 domain->last_status = NT_STATUS_SERVER_DISABLED;
457 rc = ads_search_retry(ads, &res, filter, attrs);
458 if (!ADS_ERR_OK(rc)) {
459 status = ads_ntstatus(rc);
460 DEBUG(1,("enum_dom_groups ads_search: %s\n", ads_errstr(rc)));
463 DEBUG(1,("enum_dom_groups ads_search returned NULL res\n"));
467 count = ads_count_replies(ads, res);
469 DEBUG(1,("enum_dom_groups: No groups found\n"));
473 (*info) = talloc_zero_array(mem_ctx, struct wb_acct_info, count);
475 status = NT_STATUS_NO_MEMORY;
481 for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
486 name = ads_pull_username(ads, mem_ctx, msg);
487 gecos = ads_pull_string(ads, mem_ctx, msg, "name");
488 if (!ads_pull_sid(ads, msg, "objectSid", &sid)) {
489 DEBUG(1,("No sid for %s !?\n", name));
493 if (!sid_peek_check_rid(&domain->sid, &sid, &rid)) {
494 DEBUG(1,("No rid for %s !?\n", name));
498 fstrcpy((*info)[i].acct_name, name);
499 fstrcpy((*info)[i].acct_desc, gecos);
500 (*info)[i].rid = rid;
506 status = NT_STATUS_OK;
508 DEBUG(3,("ads enum_dom_groups gave %d entries\n", (*num_entries)));
512 ads_msgfree(ads, res);
517 /* list all domain local groups */
518 static NTSTATUS enum_local_groups(struct winbindd_domain *domain,
520 uint32_t *num_entries,
521 struct wb_acct_info **info)
524 * This is a stub function only as we returned the domain
525 * local groups in enum_dom_groups() if the domain->native field
526 * was true. This is a simple performance optimization when
529 * if we ever need to enumerate domain local groups separately,
530 * then this optimization in enum_dom_groups() will need
538 /* convert a single name to a sid in a domain - use rpc methods */
539 static NTSTATUS name_to_sid(struct winbindd_domain *domain,
541 const char *domain_name,
545 enum lsa_SidType *type)
547 return msrpc_methods.name_to_sid(domain, mem_ctx, domain_name, name,
551 /* convert a domain SID to a user or group name - use rpc methods */
552 static NTSTATUS sid_to_name(struct winbindd_domain *domain,
554 const struct dom_sid *sid,
557 enum lsa_SidType *type)
559 return msrpc_methods.sid_to_name(domain, mem_ctx, sid,
560 domain_name, name, type);
563 /* convert a list of rids to names - use rpc methods */
564 static NTSTATUS rids_to_names(struct winbindd_domain *domain,
566 const struct dom_sid *sid,
571 enum lsa_SidType **types)
573 return msrpc_methods.rids_to_names(domain, mem_ctx, sid,
575 domain_name, names, types);
578 /* Lookup groups a user is a member of - alternate method, for when
579 tokenGroups are not available. */
580 static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain,
583 struct dom_sid *primary_group,
584 uint32_t *p_num_groups, struct dom_sid **user_sids)
587 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
589 LDAPMessage *res = NULL;
590 LDAPMessage *msg = NULL;
593 const char *group_attrs[] = {"objectSid", NULL};
595 uint32_t num_groups = 0;
597 DEBUG(3,("ads: lookup_usergroups_member\n"));
599 if ( !winbindd_can_contact_domain( domain ) ) {
600 DEBUG(10,("lookup_usergroups_members: No incoming trust for domain %s\n",
605 ads = ads_cached_connection(domain);
608 domain->last_status = NT_STATUS_SERVER_DISABLED;
612 if (!(escaped_dn = escape_ldap_string(talloc_tos(), user_dn))) {
613 status = NT_STATUS_NO_MEMORY;
617 ldap_exp = talloc_asprintf(mem_ctx,
618 "(&(member=%s)(objectCategory=group)(groupType:dn:%s:=%d))",
620 ADS_LDAP_MATCHING_RULE_BIT_AND,
621 GROUP_TYPE_SECURITY_ENABLED);
623 DEBUG(1,("lookup_usergroups(dn=%s) asprintf failed!\n", user_dn));
624 TALLOC_FREE(escaped_dn);
625 status = NT_STATUS_NO_MEMORY;
629 TALLOC_FREE(escaped_dn);
631 rc = ads_search_retry(ads, &res, ldap_exp, group_attrs);
633 if (!ADS_ERR_OK(rc)) {
634 DEBUG(1,("lookup_usergroups ads_search member=%s: %s\n", user_dn, ads_errstr(rc)));
635 return ads_ntstatus(rc);
637 DEBUG(1,("lookup_usergroups ads_search returned NULL res\n"));
638 return NT_STATUS_INTERNAL_ERROR;
642 count = ads_count_replies(ads, res);
647 /* always add the primary group to the sid array */
648 status = add_sid_to_array(mem_ctx, primary_group, user_sids,
650 if (!NT_STATUS_IS_OK(status)) {
655 for (msg = ads_first_entry(ads, res); msg;
656 msg = ads_next_entry(ads, msg)) {
657 struct dom_sid group_sid;
659 if (!ads_pull_sid(ads, msg, "objectSid", &group_sid)) {
660 DEBUG(1,("No sid for this group ?!?\n"));
664 /* ignore Builtin groups from ADS - Guenther */
665 if (sid_check_is_in_builtin(&group_sid)) {
669 status = add_sid_to_array(mem_ctx, &group_sid,
670 user_sids, &num_groups);
671 if (!NT_STATUS_IS_OK(status)) {
678 *p_num_groups = num_groups;
679 status = (user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
681 DEBUG(3,("ads lookup_usergroups (member) succeeded for dn=%s\n", user_dn));
684 ads_msgfree(ads, res);
689 /* Lookup groups a user is a member of - alternate method, for when
690 tokenGroups are not available. */
691 static NTSTATUS lookup_usergroups_memberof(struct winbindd_domain *domain,
694 struct dom_sid *primary_group,
695 uint32_t *p_num_groups,
696 struct dom_sid **user_sids)
699 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
701 const char *attrs[] = {"memberOf", NULL};
702 uint32_t num_groups = 0;
703 struct dom_sid *group_sids = NULL;
705 char **strings = NULL;
706 size_t num_strings = 0, num_sids = 0;
709 DEBUG(3,("ads: lookup_usergroups_memberof\n"));
711 if ( !winbindd_can_contact_domain( domain ) ) {
712 DEBUG(10,("lookup_usergroups_memberof: No incoming trust for "
713 "domain %s\n", domain->name));
717 ads = ads_cached_connection(domain);
720 domain->last_status = NT_STATUS_SERVER_DISABLED;
721 return NT_STATUS_UNSUCCESSFUL;
724 rc = ads_search_retry_extended_dn_ranged(ads, mem_ctx, user_dn, attrs,
725 ADS_EXTENDED_DN_HEX_STRING,
726 &strings, &num_strings);
728 if (!ADS_ERR_OK(rc)) {
729 DEBUG(1,("lookup_usergroups_memberof ads_search "
730 "member=%s: %s\n", user_dn, ads_errstr(rc)));
731 return ads_ntstatus(rc);
737 /* always add the primary group to the sid array */
738 status = add_sid_to_array(mem_ctx, primary_group, user_sids,
740 if (!NT_STATUS_IS_OK(status)) {
744 group_sids = talloc_zero_array(mem_ctx, struct dom_sid, num_strings + 1);
746 status = NT_STATUS_NO_MEMORY;
750 for (i=0; i<num_strings; i++) {
751 rc = ads_get_sid_from_extended_dn(mem_ctx, strings[i],
752 ADS_EXTENDED_DN_HEX_STRING,
754 if (!ADS_ERR_OK(rc)) {
755 /* ignore members without SIDs */
756 if (NT_STATUS_EQUAL(ads_ntstatus(rc),
757 NT_STATUS_NOT_FOUND)) {
761 status = ads_ntstatus(rc);
769 DEBUG(1,("No memberOf for this user?!?\n"));
770 status = NT_STATUS_NO_MEMORY;
774 for (i=0; i<num_sids; i++) {
776 /* ignore Builtin groups from ADS - Guenther */
777 if (sid_check_is_in_builtin(&group_sids[i])) {
781 status = add_sid_to_array(mem_ctx, &group_sids[i], user_sids,
783 if (!NT_STATUS_IS_OK(status)) {
789 *p_num_groups = num_groups;
790 status = (*user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
792 DEBUG(3,("ads lookup_usergroups (memberof) succeeded for dn=%s\n",
796 TALLOC_FREE(strings);
797 TALLOC_FREE(group_sids);
803 /* Lookup groups a user is a member of. */
804 static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
806 const struct dom_sid *sid,
807 uint32_t *p_num_groups, struct dom_sid **user_sids)
809 ADS_STRUCT *ads = NULL;
810 const char *attrs[] = {"tokenGroups", "primaryGroupID", NULL};
813 LDAPMessage *msg = NULL;
814 char *user_dn = NULL;
815 struct dom_sid *sids;
817 struct dom_sid primary_group;
818 uint32_t primary_group_rid;
819 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
820 uint32_t num_groups = 0;
822 DEBUG(3,("ads: lookup_usergroups\n"));
825 status = lookup_usergroups_cached(mem_ctx, sid,
826 p_num_groups, user_sids);
827 if (NT_STATUS_IS_OK(status)) {
831 if ( !winbindd_can_contact_domain( domain ) ) {
832 DEBUG(10,("lookup_usergroups: No incoming trust for domain %s\n",
835 /* Tell the cache manager not to remember this one */
837 return NT_STATUS_SYNCHRONIZATION_REQUIRED;
840 ads = ads_cached_connection(domain);
843 domain->last_status = NT_STATUS_SERVER_DISABLED;
844 status = NT_STATUS_SERVER_DISABLED;
848 rc = ads_search_retry_sid(ads, &msg, sid, attrs);
850 if (!ADS_ERR_OK(rc)) {
851 status = ads_ntstatus(rc);
852 DEBUG(1, ("lookup_usergroups(sid=%s) ads_search tokenGroups: "
853 "%s\n", sid_string_dbg(sid), ads_errstr(rc)));
857 count = ads_count_replies(ads, msg);
859 status = NT_STATUS_UNSUCCESSFUL;
860 DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: "
861 "invalid number of results (count=%d)\n",
862 sid_string_dbg(sid), count));
867 DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: NULL msg\n",
868 sid_string_dbg(sid)));
869 status = NT_STATUS_UNSUCCESSFUL;
873 user_dn = ads_get_dn(ads, mem_ctx, msg);
874 if (user_dn == NULL) {
875 status = NT_STATUS_NO_MEMORY;
879 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &primary_group_rid)) {
880 DEBUG(1,("%s: No primary group for sid=%s !?\n",
881 domain->name, sid_string_dbg(sid)));
885 sid_compose(&primary_group, &domain->sid, primary_group_rid);
887 count = ads_pull_sids(ads, mem_ctx, msg, "tokenGroups", &sids);
889 /* there must always be at least one group in the token,
890 unless we are talking to a buggy Win2k server */
892 /* actually this only happens when the machine account has no read
893 * permissions on the tokenGroup attribute - gd */
899 /* lookup what groups this user is a member of by DN search on
902 status = lookup_usergroups_memberof(domain, mem_ctx, user_dn,
904 &num_groups, user_sids);
905 *p_num_groups = num_groups;
906 if (NT_STATUS_IS_OK(status)) {
910 /* lookup what groups this user is a member of by DN search on
913 status = lookup_usergroups_member(domain, mem_ctx, user_dn,
915 &num_groups, user_sids);
916 *p_num_groups = num_groups;
923 status = add_sid_to_array(mem_ctx, &primary_group, user_sids,
925 if (!NT_STATUS_IS_OK(status)) {
929 for (i=0;i<count;i++) {
931 /* ignore Builtin groups from ADS - Guenther */
932 if (sid_check_is_in_builtin(&sids[i])) {
936 status = add_sid_to_array_unique(mem_ctx, &sids[i],
937 user_sids, &num_groups);
938 if (!NT_STATUS_IS_OK(status)) {
943 *p_num_groups = (uint32_t)num_groups;
944 status = (*user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
946 DEBUG(3,("ads lookup_usergroups (tokenGroups) succeeded for sid=%s\n",
947 sid_string_dbg(sid)));
949 TALLOC_FREE(user_dn);
950 ads_msgfree(ads, msg);
954 /* Lookup aliases a user is member of - use rpc methods */
955 static NTSTATUS lookup_useraliases(struct winbindd_domain *domain,
957 uint32_t num_sids, const struct dom_sid *sids,
958 uint32_t *num_aliases, uint32_t **alias_rids)
960 return msrpc_methods.lookup_useraliases(domain, mem_ctx, num_sids, sids,
961 num_aliases, alias_rids);
964 static NTSTATUS add_primary_group_members(
965 ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, uint32_t rid,
966 char ***all_members, size_t *num_all_members)
969 NTSTATUS status = NT_STATUS_NO_MEMORY;
971 const char *attrs[] = { "dn", NULL };
972 LDAPMessage *res = NULL;
978 filter = talloc_asprintf(
979 mem_ctx, "(&(objectCategory=user)(primaryGroupID=%u))",
981 if (filter == NULL) {
985 args.control = ADS_EXTENDED_DN_OID;
986 args.val = ADS_EXTENDED_DN_HEX_STRING;
987 args.critical = True;
989 rc = ads_do_search_all_args(ads, ads->config.bind_path,
990 LDAP_SCOPE_SUBTREE, filter, attrs, &args,
993 if (!ADS_ERR_OK(rc)) {
994 status = ads_ntstatus(rc);
995 DEBUG(1,("%s: ads_search: %s\n", __func__, ads_errstr(rc)));
999 DEBUG(1,("%s: ads_search returned NULL res\n", __func__));
1003 num_members = ads_count_replies(ads, res);
1005 DEBUG(10, ("%s: Got %ju primary group members\n", __func__,
1006 (uintmax_t)num_members));
1008 if (num_members == 0) {
1009 status = NT_STATUS_OK;
1013 members = talloc_realloc(mem_ctx, *all_members, char *,
1014 *num_all_members + num_members);
1015 if (members == NULL) {
1016 DEBUG(1, ("%s: talloc_realloc failed\n", __func__));
1019 *all_members = members;
1021 for (msg = ads_first_entry(ads, res); msg != NULL;
1022 msg = ads_next_entry(ads, msg)) {
1025 dn = ads_get_dn(ads, members, msg);
1027 DEBUG(1, ("%s: ads_get_dn failed\n", __func__));
1031 members[*num_all_members] = dn;
1032 *num_all_members += 1;
1035 status = NT_STATUS_OK;
1038 ads_msgfree(ads, res);
1040 TALLOC_FREE(filter);
1045 find the members of a group, given a group rid and domain
1047 static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
1048 TALLOC_CTX *mem_ctx,
1049 const struct dom_sid *group_sid,
1050 enum lsa_SidType type,
1051 uint32_t *num_names,
1052 struct dom_sid **sid_mem, char ***names,
1053 uint32_t **name_types)
1056 ADS_STRUCT *ads = NULL;
1058 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
1060 char **members = NULL;
1062 size_t num_members = 0;
1064 struct dom_sid *sid_mem_nocache = NULL;
1065 char **names_nocache = NULL;
1066 enum lsa_SidType *name_types_nocache = NULL;
1067 char **domains_nocache = NULL; /* only needed for rpccli_lsa_lookup_sids */
1068 uint32_t num_nocache = 0;
1069 TALLOC_CTX *tmp_ctx = NULL;
1072 DEBUG(10,("ads: lookup_groupmem %s sid=%s\n", domain->name,
1073 sid_string_dbg(group_sid)));
1077 tmp_ctx = talloc_new(mem_ctx);
1079 DEBUG(1, ("ads: lookup_groupmem: talloc failed\n"));
1080 status = NT_STATUS_NO_MEMORY;
1084 if (!sid_peek_rid(group_sid, &rid)) {
1085 DEBUG(1, ("%s: sid_peek_rid failed\n", __func__));
1086 status = NT_STATUS_INVALID_PARAMETER;
1090 if ( !winbindd_can_contact_domain( domain ) ) {
1091 DEBUG(10,("lookup_groupmem: No incoming trust for domain %s\n",
1093 return NT_STATUS_OK;
1096 ads = ads_cached_connection(domain);
1099 domain->last_status = NT_STATUS_SERVER_DISABLED;
1103 if ((sidbinstr = ldap_encode_ndr_dom_sid(talloc_tos(), group_sid)) == NULL) {
1104 status = NT_STATUS_NO_MEMORY;
1108 /* search for all members of the group */
1109 ldap_exp = talloc_asprintf(tmp_ctx, "(objectSid=%s)", sidbinstr);
1110 TALLOC_FREE(sidbinstr);
1111 if (ldap_exp == NULL) {
1112 DEBUG(1, ("ads: lookup_groupmem: talloc_asprintf for ldap_exp failed!\n"));
1113 status = NT_STATUS_NO_MEMORY;
1117 args.control = ADS_EXTENDED_DN_OID;
1118 args.val = ADS_EXTENDED_DN_HEX_STRING;
1119 args.critical = True;
1121 rc = ads_ranged_search(ads, tmp_ctx, LDAP_SCOPE_SUBTREE, ads->config.bind_path,
1122 ldap_exp, &args, "member", &members, &num_members);
1124 if (!ADS_ERR_OK(rc)) {
1125 DEBUG(0,("ads_ranged_search failed with: %s\n", ads_errstr(rc)));
1126 status = NT_STATUS_UNSUCCESSFUL;
1130 DEBUG(10, ("ads lookup_groupmem: got %d sids via extended dn call\n", (int)num_members));
1132 status = add_primary_group_members(ads, mem_ctx, rid,
1133 &members, &num_members);
1134 if (!NT_STATUS_IS_OK(status)) {
1135 DEBUG(10, ("%s: add_primary_group_members failed: %s\n",
1136 __func__, nt_errstr(status)));
1140 DEBUG(10, ("%s: Got %d sids after adding primary group members\n",
1141 __func__, (int)num_members));
1143 /* Now that we have a list of sids, we need to get the
1144 * lists of names and name_types belonging to these sids.
1145 * even though conceptually not quite clean, we use the
1146 * RPC call lsa_lookup_sids for this since it can handle a
1147 * list of sids. ldap calls can just resolve one sid at a time.
1149 * At this stage, the sids are still hidden in the exetended dn
1150 * member output format. We actually do a little better than
1151 * stated above: In extracting the sids from the member strings,
1152 * we try to resolve as many sids as possible from the
1153 * cache. Only the rest is passed to the lsa_lookup_sids call. */
1156 (*sid_mem) = talloc_zero_array(mem_ctx, struct dom_sid, num_members);
1157 (*names) = talloc_zero_array(mem_ctx, char *, num_members);
1158 (*name_types) = talloc_zero_array(mem_ctx, uint32_t, num_members);
1159 (sid_mem_nocache) = talloc_zero_array(tmp_ctx, struct dom_sid, num_members);
1161 if ((members == NULL) || (*sid_mem == NULL) ||
1162 (*names == NULL) || (*name_types == NULL) ||
1163 (sid_mem_nocache == NULL))
1165 DEBUG(1, ("ads: lookup_groupmem: talloc failed\n"));
1166 status = NT_STATUS_NO_MEMORY;
1173 (*name_types) = NULL;
1176 for (i=0; i<num_members; i++) {
1177 enum lsa_SidType name_type;
1178 char *name, *domain_name;
1181 rc = ads_get_sid_from_extended_dn(tmp_ctx, members[i], args.val,
1183 if (!ADS_ERR_OK(rc)) {
1184 if (NT_STATUS_EQUAL(ads_ntstatus(rc),
1185 NT_STATUS_NOT_FOUND)) {
1186 /* Group members can be objects, like Exchange
1187 * Public Folders, that don't have a SID. Skip
1192 status = ads_ntstatus(rc);
1196 if (lookup_cached_sid(mem_ctx, &sid, &domain_name, &name,
1198 DEBUG(10,("ads: lookup_groupmem: got sid %s from "
1199 "cache\n", sid_string_dbg(&sid)));
1200 sid_copy(&(*sid_mem)[*num_names], &sid);
1201 (*names)[*num_names] = fill_domain_username_talloc(
1207 (*name_types)[*num_names] = name_type;
1211 DEBUG(10, ("ads: lookup_groupmem: sid %s not found in "
1212 "cache\n", sid_string_dbg(&sid)));
1213 sid_copy(&(sid_mem_nocache)[num_nocache], &sid);
1218 DEBUG(10, ("ads: lookup_groupmem: %d sids found in cache, "
1219 "%d left for lsa_lookupsids\n", *num_names, num_nocache));
1221 /* handle sids not resolved from cache by lsa_lookup_sids */
1222 if (num_nocache > 0) {
1224 status = winbindd_lookup_sids(tmp_ctx,
1230 &name_types_nocache);
1232 if (!(NT_STATUS_IS_OK(status) ||
1233 NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED) ||
1234 NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)))
1236 DEBUG(1, ("lsa_lookupsids call failed with %s "
1237 "- retrying...\n", nt_errstr(status)));
1239 status = winbindd_lookup_sids(tmp_ctx,
1245 &name_types_nocache);
1248 if (NT_STATUS_IS_OK(status) ||
1249 NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED))
1251 /* Copy the entries over from the "_nocache" arrays
1252 * to the result arrays, skipping the gaps the
1253 * lookup_sids call left. */
1254 for (i=0; i < num_nocache; i++) {
1255 if (((names_nocache)[i] != NULL) &&
1256 ((name_types_nocache)[i] != SID_NAME_UNKNOWN))
1258 sid_copy(&(*sid_mem)[*num_names],
1259 &sid_mem_nocache[i]);
1260 (*names)[*num_names] =
1261 fill_domain_username_talloc(
1266 (*name_types)[*num_names] = name_types_nocache[i];
1271 else if (NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)) {
1272 DEBUG(10, ("lookup_groupmem: lsa_lookup_sids could "
1273 "not map any SIDs at all.\n"));
1274 /* Don't handle this as an error here.
1275 * There is nothing left to do with respect to the
1276 * overall result... */
1278 else if (!NT_STATUS_IS_OK(status)) {
1279 DEBUG(10, ("lookup_groupmem: Error looking up %d "
1280 "sids via rpc_lsa_lookup_sids: %s\n",
1281 (int)num_members, nt_errstr(status)));
1286 status = NT_STATUS_OK;
1287 DEBUG(3,("ads lookup_groupmem for sid=%s succeeded\n",
1288 sid_string_dbg(group_sid)));
1292 TALLOC_FREE(tmp_ctx);
1297 /* find the sequence number for a domain */
1298 static NTSTATUS sequence_number(struct winbindd_domain *domain, uint32_t *seq)
1300 ADS_STRUCT *ads = NULL;
1303 DEBUG(3,("ads: fetch sequence_number for %s\n", domain->name));
1305 if ( !winbindd_can_contact_domain( domain ) ) {
1306 DEBUG(10,("sequence: No incoming trust for domain %s\n",
1309 return NT_STATUS_OK;
1312 *seq = DOM_SEQUENCE_NONE;
1314 ads = ads_cached_connection(domain);
1317 domain->last_status = NT_STATUS_SERVER_DISABLED;
1318 return NT_STATUS_UNSUCCESSFUL;
1321 rc = ads_USN(ads, seq);
1323 if (!ADS_ERR_OK(rc)) {
1325 /* its a dead connection, destroy it */
1327 if (domain->private_data) {
1328 ads = (ADS_STRUCT *)domain->private_data;
1329 ads->is_mine = True;
1331 ads_kdestroy(WINBIND_CCACHE_NAME);
1332 domain->private_data = NULL;
1335 return ads_ntstatus(rc);
1338 /* find the lockout policy of a domain - use rpc methods */
1339 static NTSTATUS lockout_policy(struct winbindd_domain *domain,
1340 TALLOC_CTX *mem_ctx,
1341 struct samr_DomInfo12 *policy)
1343 return msrpc_methods.lockout_policy(domain, mem_ctx, policy);
1346 /* find the password policy of a domain - use rpc methods */
1347 static NTSTATUS password_policy(struct winbindd_domain *domain,
1348 TALLOC_CTX *mem_ctx,
1349 struct samr_DomInfo1 *policy)
1351 return msrpc_methods.password_policy(domain, mem_ctx, policy);
1354 /* get a list of trusted domains */
1355 static NTSTATUS trusted_domains(struct winbindd_domain *domain,
1356 TALLOC_CTX *mem_ctx,
1357 struct netr_DomainTrustList *trusts)
1359 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1363 struct rpc_pipe_client *cli;
1365 struct dcerpc_binding_handle *b;
1367 DEBUG(3,("ads: trusted_domains\n"));
1369 ZERO_STRUCTP(trusts);
1371 /* If this is our primary domain or a root in our forest,
1372 query for all trusts. If not, then just look for domain
1373 trusts in the target forest */
1375 if (domain->primary || domain_is_forest_root(domain)) {
1376 flags = NETR_TRUST_FLAG_OUTBOUND |
1377 NETR_TRUST_FLAG_INBOUND |
1378 NETR_TRUST_FLAG_IN_FOREST;
1380 flags = NETR_TRUST_FLAG_IN_FOREST;
1383 result = cm_connect_netlogon(domain, &cli);
1385 if (!NT_STATUS_IS_OK(result)) {
1386 DEBUG(5, ("trusted_domains: Could not open a connection to %s "
1387 "for PIPE_NETLOGON (%s)\n",
1388 domain->name, nt_errstr(result)));
1389 return NT_STATUS_UNSUCCESSFUL;
1392 b = cli->binding_handle;
1394 result = dcerpc_netr_DsrEnumerateDomainTrusts(b, mem_ctx,
1399 if (!NT_STATUS_IS_OK(result)) {
1403 if (!W_ERROR_IS_OK(werr)) {
1404 return werror_to_ntstatus(werr);
1406 if (trusts->count == 0) {
1407 return NT_STATUS_OK;
1410 /* Copy across names and sids */
1413 for (i = 0; i < trusts->count; i++) {
1414 struct netr_DomainTrust *trust = &trusts->array[i];
1415 struct winbindd_domain d;
1420 * drop external trusts if this is not our primary
1421 * domain. This means that the returned number of
1422 * domains may be less that the ones actually trusted
1426 if ((trust->trust_attributes
1427 == LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) &&
1430 DEBUG(10,("trusted_domains: Skipping external trusted "
1431 "domain %s because it is outside of our "
1433 trust->netbios_name));
1437 /* add to the trusted domain cache */
1439 d.name = discard_const_p(char, trust->netbios_name);
1440 d.alt_name = discard_const_p(char, trust->dns_name);
1443 sid_copy(&d.sid, trust->sid);
1445 sid_copy(&d.sid, &global_sid_NULL);
1448 if ( domain->primary ) {
1449 DEBUG(10,("trusted_domains(ads): Searching "
1450 "trusted domain list of %s and storing "
1451 "trust flags for domain %s\n",
1452 domain->name, d.alt_name));
1454 d.domain_flags = trust->trust_flags;
1455 d.domain_type = trust->trust_type;
1456 d.domain_trust_attribs = trust->trust_attributes;
1458 wcache_tdc_add_domain( &d );
1460 } else if (domain_is_forest_root(domain)) {
1461 /* Check if we already have this record. If
1462 * we are following our forest root that is not
1463 * our primary domain, we want to keep trust
1464 * flags from the perspective of our primary
1465 * domain not our forest root. */
1466 struct winbindd_tdc_domain *exist = NULL;
1468 exist = wcache_tdc_fetch_domain(
1469 talloc_tos(), trust->netbios_name);
1471 DEBUG(10,("trusted_domains(ads): Searching "
1472 "trusted domain list of %s and "
1473 "storing trust flags for domain "
1474 "%s\n", domain->name, d.alt_name));
1475 d.domain_flags = trust->trust_flags;
1476 d.domain_type = trust->trust_type;
1477 d.domain_trust_attribs =
1478 trust->trust_attributes;
1480 wcache_tdc_add_domain( &d );
1485 /* This gets a little tricky. If we are
1486 following a transitive forest trust, then
1487 innerit the flags, type, and attribs from
1488 the domain we queried to make sure we don't
1489 record the view of the trust from the wrong
1490 side. Always view it from the side of our
1491 primary domain. --jerry */
1492 struct winbindd_tdc_domain *parent = NULL;
1494 DEBUG(10,("trusted_domains(ads): Searching "
1495 "trusted domain list of %s and inheriting "
1496 "trust flags for domain %s\n",
1497 domain->name, d.alt_name));
1499 parent = wcache_tdc_fetch_domain(talloc_tos(),
1502 d.domain_flags = parent->trust_flags;
1503 d.domain_type = parent->trust_type;
1504 d.domain_trust_attribs = parent->trust_attribs;
1506 d.domain_flags = domain->domain_flags;
1507 d.domain_type = domain->domain_type;
1508 d.domain_trust_attribs =
1509 domain->domain_trust_attribs;
1511 TALLOC_FREE(parent);
1514 * We need to pass the modified properties
1517 trust->trust_flags = d.domain_flags;
1518 trust->trust_type = d.domain_type;
1519 trust->trust_attributes = d.domain_trust_attribs;
1521 wcache_tdc_add_domain( &d );
1528 /* the ADS backend methods are exposed via this structure */
1529 struct winbindd_methods ads_methods = {
git.samba.org / samba.git / blob