2 Unix SMB/CIFS implementation.
4 Winbind rpc backend functions
6 Copyright (C) Tim Potter 2000-2001,2003
7 Copyright (C) Andrew Tridgell 2001
8 Copyright (C) Volker Lendecke 2005
9 Copyright (C) Guenther Deschner 2008 (pidl conversion)
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 3 of the License, or
14 (at your option) any later version.
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
21 You should have received a copy of the GNU General Public License
22 along with this program. If not, see <http://www.gnu.org/licenses/>.
27 #include "winbindd_rpc.h"
29 #include "../librpc/gen_ndr/ndr_samr_c.h"
30 #include "rpc_client/cli_pipe.h"
31 #include "rpc_client/cli_samr.h"
32 #include "rpc_client/cli_lsarpc.h"
33 #include "../libcli/security/security.h"
36 #define DBGC_CLASS DBGC_WINBIND
39 /* Query display info for a domain. This returns enough information plus a
40 bit extra to give an overview of domain users for the User Manager
42 static NTSTATUS msrpc_query_user_list(struct winbindd_domain *domain,
45 struct wbint_userinfo **pinfo)
47 struct rpc_pipe_client *samr_pipe = NULL;
48 struct policy_handle dom_pol;
49 struct wbint_userinfo *info = NULL;
50 uint32_t num_info = 0;
54 DEBUG(3, ("msrpc_query_user_list\n"));
60 tmp_ctx = talloc_stackframe();
61 if (tmp_ctx == NULL) {
62 return NT_STATUS_NO_MEMORY;
65 if ( !winbindd_can_contact_domain( domain ) ) {
66 DEBUG(10,("query_user_list: No incoming trust for domain %s\n",
68 status = NT_STATUS_OK;
72 status = cm_connect_sam(domain, tmp_ctx, &samr_pipe, &dom_pol);
73 if (!NT_STATUS_IS_OK(status)) {
77 status = rpc_query_user_list(tmp_ctx,
83 if (!NT_STATUS_IS_OK(status)) {
88 *pnum_info = num_info;
92 *pinfo = talloc_move(mem_ctx, &info);
100 /* list all domain groups */
101 static NTSTATUS msrpc_enum_dom_groups(struct winbindd_domain *domain,
104 struct wb_acct_info **pinfo)
106 struct rpc_pipe_client *samr_pipe;
107 struct policy_handle dom_pol;
108 struct wb_acct_info *info = NULL;
109 uint32_t num_info = 0;
113 DEBUG(3,("msrpc_enum_dom_groups\n"));
119 tmp_ctx = talloc_stackframe();
120 if (tmp_ctx == NULL) {
121 return NT_STATUS_NO_MEMORY;
124 if ( !winbindd_can_contact_domain( domain ) ) {
125 DEBUG(10,("enum_domain_groups: No incoming trust for domain %s\n",
127 status = NT_STATUS_OK;
131 status = cm_connect_sam(domain, tmp_ctx, &samr_pipe, &dom_pol);
132 if (!NT_STATUS_IS_OK(status)) {
136 status = rpc_enum_dom_groups(tmp_ctx,
141 if (!NT_STATUS_IS_OK(status)) {
146 *pnum_info = num_info;
150 *pinfo = talloc_move(mem_ctx, &info);
154 TALLOC_FREE(tmp_ctx);
158 /* List all domain groups */
160 static NTSTATUS msrpc_enum_local_groups(struct winbindd_domain *domain,
163 struct wb_acct_info **pinfo)
165 struct rpc_pipe_client *samr_pipe;
166 struct policy_handle dom_pol;
167 struct wb_acct_info *info = NULL;
168 uint32_t num_info = 0;
172 DEBUG(3,("msrpc_enum_local_groups\n"));
178 tmp_ctx = talloc_stackframe();
179 if (tmp_ctx == NULL) {
180 return NT_STATUS_NO_MEMORY;
183 if ( !winbindd_can_contact_domain( domain ) ) {
184 DEBUG(10,("enum_local_groups: No incoming trust for domain %s\n",
186 status = NT_STATUS_OK;
190 status = cm_connect_sam(domain, tmp_ctx, &samr_pipe, &dom_pol);
191 if (!NT_STATUS_IS_OK(status)) {
195 status = rpc_enum_local_groups(mem_ctx,
200 if (!NT_STATUS_IS_OK(status)) {
205 *pnum_info = num_info;
209 *pinfo = talloc_move(mem_ctx, &info);
213 TALLOC_FREE(tmp_ctx);
217 /* convert a single name to a sid in a domain */
218 static NTSTATUS msrpc_name_to_sid(struct winbindd_domain *domain,
220 const char *domain_name,
224 enum lsa_SidType *type)
227 struct dom_sid *sids = NULL;
228 enum lsa_SidType *types = NULL;
229 char *full_name = NULL;
230 NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL;
231 char *mapped_name = NULL;
233 if (name == NULL || *name=='\0') {
234 full_name = talloc_asprintf(mem_ctx, "%s", domain_name);
235 } else if (domain_name == NULL || *domain_name == '\0') {
236 full_name = talloc_asprintf(mem_ctx, "%s", name);
238 full_name = talloc_asprintf(mem_ctx, "%s\\%s", domain_name, name);
241 DEBUG(0, ("talloc_asprintf failed!\n"));
242 return NT_STATUS_NO_MEMORY;
245 DEBUG(3, ("msrpc_name_to_sid: name=%s\n", full_name));
247 name_map_status = normalize_name_unmap(mem_ctx, full_name,
250 /* Reset the full_name pointer if we mapped anytthing */
252 if (NT_STATUS_IS_OK(name_map_status) ||
253 NT_STATUS_EQUAL(name_map_status, NT_STATUS_FILE_RENAMED))
255 full_name = mapped_name;
258 DEBUG(3,("name_to_sid [rpc] %s for domain %s\n",
259 full_name?full_name:"", domain_name ));
261 result = winbindd_lookup_names(mem_ctx, domain, 1,
262 (const char **)&full_name, NULL,
264 if (!NT_STATUS_IS_OK(result))
267 /* Return rid and type if lookup successful */
269 sid_copy(sid, &sids[0]);
276 convert a domain SID to a user or group name
278 static NTSTATUS msrpc_sid_to_name(struct winbindd_domain *domain,
280 const struct dom_sid *sid,
283 enum lsa_SidType *type)
287 enum lsa_SidType *types = NULL;
289 NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL;
290 char *mapped_name = NULL;
292 DEBUG(3, ("msrpc_sid_to_name: %s for domain %s\n", sid_string_dbg(sid),
295 result = winbindd_lookup_sids(mem_ctx,
302 if (!NT_STATUS_IS_OK(result)) {
303 DEBUG(2,("msrpc_sid_to_name: failed to lookup sids: %s\n",
309 *type = (enum lsa_SidType)types[0];
310 *domain_name = domains[0];
313 DEBUG(5,("Mapped sid to [%s]\\[%s]\n", domains[0], *name));
315 name_map_status = normalize_name_map(mem_ctx, domain, *name,
317 if (NT_STATUS_IS_OK(name_map_status) ||
318 NT_STATUS_EQUAL(name_map_status, NT_STATUS_FILE_RENAMED))
321 DEBUG(5,("returning mapped name -- %s\n", *name));
327 static NTSTATUS msrpc_rids_to_names(struct winbindd_domain *domain,
329 const struct dom_sid *sid,
334 enum lsa_SidType **types)
338 struct dom_sid *sids;
342 DEBUG(3, ("msrpc_rids_to_names: domain %s\n", domain->name ));
345 sids = talloc_array(mem_ctx, struct dom_sid, num_rids);
347 return NT_STATUS_NO_MEMORY;
353 for (i=0; i<num_rids; i++) {
354 if (!sid_compose(&sids[i], sid, rids[i])) {
355 return NT_STATUS_INTERNAL_ERROR;
359 result = winbindd_lookup_sids(mem_ctx,
367 if (!NT_STATUS_IS_OK(result) &&
368 !NT_STATUS_EQUAL(result, STATUS_SOME_UNMAPPED)) {
373 for (i=0; i<num_rids; i++) {
374 NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL;
375 char *mapped_name = NULL;
377 if ((*types)[i] != SID_NAME_UNKNOWN) {
378 name_map_status = normalize_name_map(mem_ctx,
382 if (NT_STATUS_IS_OK(name_map_status) ||
383 NT_STATUS_EQUAL(name_map_status, NT_STATUS_FILE_RENAMED))
385 ret_names[i] = mapped_name;
388 *domain_name = domains[i];
395 /* Lookup user information from a rid or username. */
396 static NTSTATUS msrpc_query_user(struct winbindd_domain *domain,
398 const struct dom_sid *user_sid,
399 struct wbint_userinfo *user_info)
401 struct rpc_pipe_client *samr_pipe;
402 struct policy_handle dom_pol;
403 struct netr_SamInfo3 *user = NULL;
407 DEBUG(3,("msrpc_query_user sid=%s\n", sid_string_dbg(user_sid)));
409 tmp_ctx = talloc_stackframe();
410 if (tmp_ctx == NULL) {
411 return NT_STATUS_NO_MEMORY;
415 user_info->homedir = NULL;
416 user_info->shell = NULL;
417 user_info->primary_gid = (gid_t)-1;
420 /* try netsamlogon cache first */
421 if (winbindd_use_cache()) {
422 user = netsamlogon_cache_get(tmp_ctx, user_sid);
425 DEBUG(5,("msrpc_query_user: Cache lookup succeeded for %s\n",
426 sid_string_dbg(user_sid)));
428 sid_compose(&user_info->user_sid, &domain->sid, user->base.rid);
429 sid_compose(&user_info->group_sid, &domain->sid,
430 user->base.primary_gid);
432 user_info->acct_name = talloc_strdup(user_info,
433 user->base.account_name.string);
434 user_info->full_name = talloc_strdup(user_info,
435 user->base.full_name.string);
437 status = NT_STATUS_OK;
441 if ( !winbindd_can_contact_domain( domain ) ) {
442 DEBUG(10,("query_user: No incoming trust for domain %s\n",
444 /* Tell the cache manager not to remember this one */
445 status = NT_STATUS_SYNCHRONIZATION_REQUIRED;
449 /* no cache; hit the wire */
450 status = cm_connect_sam(domain, tmp_ctx, &samr_pipe, &dom_pol);
451 if (!NT_STATUS_IS_OK(status)) {
455 status = rpc_query_user(tmp_ctx,
463 TALLOC_FREE(tmp_ctx);
467 /* Lookup groups a user is a member of. I wish Unix had a call like this! */
468 static NTSTATUS msrpc_lookup_usergroups(struct winbindd_domain *domain,
470 const struct dom_sid *user_sid,
471 uint32_t *pnum_groups,
472 struct dom_sid **puser_grpsids)
474 struct rpc_pipe_client *samr_pipe;
475 struct policy_handle dom_pol;
476 struct dom_sid *user_grpsids = NULL;
477 uint32_t num_groups = 0;
481 DEBUG(3,("msrpc_lookup_usergroups sid=%s\n", sid_string_dbg(user_sid)));
485 tmp_ctx = talloc_stackframe();
486 if (tmp_ctx == NULL) {
487 return NT_STATUS_NO_MEMORY;
490 /* Check if we have a cached user_info_3 */
491 status = lookup_usergroups_cached(domain,
496 if (NT_STATUS_IS_OK(status)) {
500 if ( !winbindd_can_contact_domain( domain ) ) {
501 DEBUG(10,("lookup_usergroups: No incoming trust for domain %s\n",
504 /* Tell the cache manager not to remember this one */
505 status = NT_STATUS_SYNCHRONIZATION_REQUIRED;
509 /* no cache; hit the wire */
510 status = cm_connect_sam(domain, tmp_ctx, &samr_pipe, &dom_pol);
511 if (!NT_STATUS_IS_OK(status)) {
515 status = rpc_lookup_usergroups(tmp_ctx,
522 if (!NT_STATUS_IS_OK(status)) {
527 *pnum_groups = num_groups;
530 *puser_grpsids = talloc_move(mem_ctx, &user_grpsids);
534 TALLOC_FREE(tmp_ctx);
539 #define MAX_SAM_ENTRIES_W2K 0x400 /* 1024 */
541 static NTSTATUS msrpc_lookup_useraliases(struct winbindd_domain *domain,
543 uint32 num_sids, const struct dom_sid *sids,
544 uint32 *pnum_aliases,
545 uint32 **palias_rids)
547 struct rpc_pipe_client *samr_pipe;
548 struct policy_handle dom_pol;
549 uint32_t num_aliases = 0;
550 uint32_t *alias_rids = NULL;
554 DEBUG(3,("msrpc_lookup_useraliases\n"));
560 tmp_ctx = talloc_stackframe();
561 if (tmp_ctx == NULL) {
562 return NT_STATUS_NO_MEMORY;
565 if (!winbindd_can_contact_domain(domain)) {
566 DEBUG(10,("msrpc_lookup_useraliases: No incoming trust for domain %s\n",
568 /* Tell the cache manager not to remember this one */
569 status = NT_STATUS_SYNCHRONIZATION_REQUIRED;
573 status = cm_connect_sam(domain, tmp_ctx, &samr_pipe, &dom_pol);
574 if (!NT_STATUS_IS_OK(status)) {
578 status = rpc_lookup_useraliases(tmp_ctx,
585 if (!NT_STATUS_IS_OK(status)) {
590 *pnum_aliases = num_aliases;
594 *palias_rids = talloc_move(mem_ctx, &alias_rids);
598 TALLOC_FREE(tmp_ctx);
603 /* Lookup group membership given a rid. */
604 static NTSTATUS msrpc_lookup_groupmem(struct winbindd_domain *domain,
606 const struct dom_sid *group_sid,
607 enum lsa_SidType type,
609 struct dom_sid **sid_mem,
611 uint32_t **name_types)
613 NTSTATUS status, result;
614 uint32 i, total_names = 0;
615 struct policy_handle dom_pol, group_pol;
616 uint32 des_access = SEC_FLAG_MAXIMUM_ALLOWED;
617 uint32 *rid_mem = NULL;
620 struct rpc_pipe_client *cli;
621 unsigned int orig_timeout;
622 struct samr_RidAttrArray *rids = NULL;
623 struct dcerpc_binding_handle *b;
625 DEBUG(3,("msrpc_lookup_groupmem: %s sid=%s\n", domain->name,
626 sid_string_dbg(group_sid)));
628 if ( !winbindd_can_contact_domain( domain ) ) {
629 DEBUG(10,("lookup_groupmem: No incoming trust for domain %s\n",
634 if (!sid_peek_check_rid(&domain->sid, group_sid, &group_rid))
635 return NT_STATUS_UNSUCCESSFUL;
639 result = cm_connect_sam(domain, mem_ctx, &cli, &dom_pol);
640 if (!NT_STATUS_IS_OK(result))
643 b = cli->binding_handle;
645 status = dcerpc_samr_OpenGroup(b, mem_ctx,
651 if (!NT_STATUS_IS_OK(status)) {
654 if (!NT_STATUS_IS_OK(result)) {
658 /* Step #1: Get a list of user rids that are the members of the
661 /* This call can take a long time - allow the server to time out.
662 35 seconds should do it. */
664 orig_timeout = rpccli_set_timeout(cli, 35000);
666 status = dcerpc_samr_QueryGroupMember(b, mem_ctx,
671 /* And restore our original timeout. */
672 rpccli_set_timeout(cli, orig_timeout);
676 dcerpc_samr_Close(b, mem_ctx, &group_pol, &_result);
679 if (!NT_STATUS_IS_OK(status)) {
683 if (!NT_STATUS_IS_OK(result)) {
687 if (!rids || !rids->count) {
694 *num_names = rids->count;
695 rid_mem = rids->rids;
697 /* Step #2: Convert list of rids into list of usernames. Do this
698 in bunches of ~1000 to avoid crashing NT4. It looks like there
699 is a buffer overflow or something like that lurking around
702 #define MAX_LOOKUP_RIDS 900
704 *names = TALLOC_ZERO_ARRAY(mem_ctx, char *, *num_names);
705 *name_types = TALLOC_ZERO_ARRAY(mem_ctx, uint32, *num_names);
706 *sid_mem = TALLOC_ZERO_ARRAY(mem_ctx, struct dom_sid, *num_names);
708 for (j=0;j<(*num_names);j++)
709 sid_compose(&(*sid_mem)[j], &domain->sid, rid_mem[j]);
711 if (*num_names>0 && (!*names || !*name_types))
712 return NT_STATUS_NO_MEMORY;
714 for (i = 0; i < *num_names; i += MAX_LOOKUP_RIDS) {
715 int num_lookup_rids = MIN(*num_names - i, MAX_LOOKUP_RIDS);
716 struct lsa_Strings tmp_names;
717 struct samr_Ids tmp_types;
719 /* Lookup a chunk of rids */
721 status = dcerpc_samr_LookupRids(b, mem_ctx,
728 if (!NT_STATUS_IS_OK(status)) {
732 /* see if we have a real error (and yes the
733 STATUS_SOME_UNMAPPED is the one returned from 2k) */
735 if (!NT_STATUS_IS_OK(result) &&
736 !NT_STATUS_EQUAL(result, STATUS_SOME_UNMAPPED))
739 /* Copy result into array. The talloc system will take
740 care of freeing the temporary arrays later on. */
742 if (tmp_names.count != tmp_types.count) {
743 return NT_STATUS_UNSUCCESSFUL;
746 for (r=0; r<tmp_names.count; r++) {
747 if (tmp_types.ids[r] == SID_NAME_UNKNOWN) {
750 (*names)[total_names] = fill_domain_username_talloc(
751 mem_ctx, domain->name,
752 tmp_names.names[r].string, true);
753 (*name_types)[total_names] = tmp_types.ids[r];
758 *num_names = total_names;
767 static int get_ldap_seq(const char *server, struct sockaddr_storage *ss, int port, uint32 *seq)
771 const char *attrs[] = {"highestCommittedUSN", NULL};
772 LDAPMessage *res = NULL;
773 char **values = NULL;
776 *seq = DOM_SEQUENCE_NONE;
779 * Parameterised (5) second timeout on open. This is needed as the
780 * search timeout doesn't seem to apply to doing an open as well. JRA.
783 ldp = ldap_open_with_timeout(server, ss, port, lp_ldap_timeout());
787 /* Timeout if no response within 20 seconds. */
791 if (ldap_search_st(ldp, "", LDAP_SCOPE_BASE, "(objectclass=*)",
792 discard_const_p(char *, attrs), 0, &to, &res))
795 if (ldap_count_entries(ldp, res) != 1)
798 values = ldap_get_values(ldp, res, "highestCommittedUSN");
799 if (!values || !values[0])
802 *seq = atoi(values[0]);
808 ldap_value_free(values);
816 /**********************************************************************
817 Get the sequence number for a Windows AD native mode domain using
819 **********************************************************************/
821 static int get_ldap_sequence_number(struct winbindd_domain *domain, uint32 *seq)
824 char addr[INET6_ADDRSTRLEN];
826 print_sockaddr(addr, sizeof(addr), &domain->dcaddr);
827 if ((ret = get_ldap_seq(addr, &domain->dcaddr, LDAP_PORT, seq)) == 0) {
828 DEBUG(3, ("get_ldap_sequence_number: Retrieved sequence "
829 "number for Domain (%s) from DC (%s)\n",
830 domain->name, addr));
835 #endif /* HAVE_LDAP */
837 /* find the sequence number for a domain */
838 static NTSTATUS msrpc_sequence_number(struct winbindd_domain *domain,
841 struct rpc_pipe_client *samr_pipe;
842 struct policy_handle dom_pol;
847 DEBUG(3, ("msrpc_sequence_number: fetch sequence_number for %s\n", domain->name));
850 *pseq = DOM_SEQUENCE_NONE;
853 tmp_ctx = talloc_stackframe();
854 if (tmp_ctx == NULL) {
855 return NT_STATUS_NO_MEMORY;
858 if ( !winbindd_can_contact_domain( domain ) ) {
859 DEBUG(10,("sequence_number: No incoming trust for domain %s\n",
864 status = NT_STATUS_OK;
869 if (domain->active_directory) {
872 DEBUG(8,("using get_ldap_seq() to retrieve the "
873 "sequence number\n"));
875 rc = get_ldap_sequence_number(domain, &seq);
877 DEBUG(10,("domain_sequence_number: LDAP for "
885 status = NT_STATUS_OK;
889 DEBUG(10,("domain_sequence_number: failed to get LDAP "
890 "sequence number for domain %s\n",
893 #endif /* HAVE_LDAP */
895 status = cm_connect_sam(domain, tmp_ctx, &samr_pipe, &dom_pol);
896 if (!NT_STATUS_IS_OK(status)) {
900 status = rpc_sequence_number(tmp_ctx,
905 if (!NT_STATUS_IS_OK(status)) {
914 TALLOC_FREE(tmp_ctx);
918 /* get a list of trusted domains */
919 static NTSTATUS msrpc_trusted_domains(struct winbindd_domain *domain,
921 struct netr_DomainTrustList *ptrust_list)
923 struct rpc_pipe_client *lsa_pipe;
924 struct policy_handle lsa_policy;
925 struct netr_DomainTrust *trusts = NULL;
926 uint32_t num_trusts = 0;
930 DEBUG(3,("msrpc_trusted_domains\n"));
933 ZERO_STRUCTP(ptrust_list);
936 tmp_ctx = talloc_stackframe();
937 if (tmp_ctx == NULL) {
938 return NT_STATUS_NO_MEMORY;
941 status = cm_connect_lsa(domain, tmp_ctx, &lsa_pipe, &lsa_policy);
942 if (!NT_STATUS_IS_OK(status))
945 status = rpc_trusted_domains(tmp_ctx,
950 if (!NT_STATUS_IS_OK(status)) {
955 ptrust_list->count = num_trusts;
956 ptrust_list->array = talloc_move(mem_ctx, &trusts);
960 TALLOC_FREE(tmp_ctx);
964 /* find the lockout policy for a domain */
965 static NTSTATUS msrpc_lockout_policy(struct winbindd_domain *domain,
967 struct samr_DomInfo12 *lockout_policy)
969 NTSTATUS status, result;
970 struct rpc_pipe_client *cli;
971 struct policy_handle dom_pol;
972 union samr_DomainInfo *info = NULL;
973 struct dcerpc_binding_handle *b;
975 DEBUG(3, ("msrpc_lockout_policy: fetch lockout policy for %s\n", domain->name));
977 if ( !winbindd_can_contact_domain( domain ) ) {
978 DEBUG(10,("msrpc_lockout_policy: No incoming trust for domain %s\n",
980 return NT_STATUS_NOT_SUPPORTED;
983 status = cm_connect_sam(domain, mem_ctx, &cli, &dom_pol);
984 if (!NT_STATUS_IS_OK(status)) {
988 b = cli->binding_handle;
990 status = dcerpc_samr_QueryDomainInfo(b, mem_ctx,
992 DomainLockoutInformation,
995 if (!NT_STATUS_IS_OK(status)) {
998 if (!NT_STATUS_IS_OK(result)) {
1003 *lockout_policy = info->info12;
1005 DEBUG(10,("msrpc_lockout_policy: lockout_threshold %d\n",
1006 info->info12.lockout_threshold));
1013 /* find the password policy for a domain */
1014 static NTSTATUS msrpc_password_policy(struct winbindd_domain *domain,
1015 TALLOC_CTX *mem_ctx,
1016 struct samr_DomInfo1 *password_policy)
1018 NTSTATUS status, result;
1019 struct rpc_pipe_client *cli;
1020 struct policy_handle dom_pol;
1021 union samr_DomainInfo *info = NULL;
1022 struct dcerpc_binding_handle *b;
1024 DEBUG(3, ("msrpc_password_policy: fetch password policy for %s\n",
1027 if ( !winbindd_can_contact_domain( domain ) ) {
1028 DEBUG(10,("msrpc_password_policy: No incoming trust for domain %s\n",
1030 return NT_STATUS_NOT_SUPPORTED;
1033 status = cm_connect_sam(domain, mem_ctx, &cli, &dom_pol);
1034 if (!NT_STATUS_IS_OK(status)) {
1038 b = cli->binding_handle;
1040 status = dcerpc_samr_QueryDomainInfo(b, mem_ctx,
1042 DomainPasswordInformation,
1045 if (!NT_STATUS_IS_OK(status)) {
1048 if (!NT_STATUS_IS_OK(result)) {
1052 *password_policy = info->info1;
1054 DEBUG(10,("msrpc_password_policy: min_length_password %d\n",
1055 info->info1.min_password_length));
1062 typedef NTSTATUS (*lookup_sids_fn_t)(struct dcerpc_binding_handle *h,
1063 TALLOC_CTX *mem_ctx,
1064 struct policy_handle *pol,
1066 const struct dom_sid *sids,
1069 enum lsa_SidType **ptypes,
1072 NTSTATUS winbindd_lookup_sids(TALLOC_CTX *mem_ctx,
1073 struct winbindd_domain *domain,
1075 const struct dom_sid *sids,
1078 enum lsa_SidType **types)
1082 struct rpc_pipe_client *cli = NULL;
1083 struct dcerpc_binding_handle *b = NULL;
1084 struct policy_handle lsa_policy;
1085 unsigned int orig_timeout;
1086 lookup_sids_fn_t lookup_sids_fn = dcerpc_lsa_lookup_sids;
1088 if (domain->can_do_ncacn_ip_tcp) {
1089 status = cm_connect_lsa_tcp(domain, mem_ctx, &cli);
1090 if (NT_STATUS_IS_OK(status)) {
1091 lookup_sids_fn = dcerpc_lsa_lookup_sids3;
1094 domain->can_do_ncacn_ip_tcp = false;
1096 status = cm_connect_lsa(domain, mem_ctx, &cli, &lsa_policy);
1098 if (!NT_STATUS_IS_OK(status)) {
1103 b = cli->binding_handle;
1106 * This call can take a long time
1107 * allow the server to time out.
1108 * 35 seconds should do it.
1110 orig_timeout = dcerpc_binding_handle_set_timeout(b, 35000);
1112 status = lookup_sids_fn(b,
1122 /* And restore our original timeout. */
1123 dcerpc_binding_handle_set_timeout(b, orig_timeout);
1125 if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) ||
1126 NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR)) {
1128 * This can happen if the schannel key is not
1129 * valid anymore, we need to invalidate the
1130 * all connections to the dc and reestablish
1131 * a netlogon connection first.
1133 invalidate_cm_connection(&domain->conn);
1134 status = NT_STATUS_ACCESS_DENIED;
1137 if (!NT_STATUS_IS_OK(status)) {
1141 if (!NT_STATUS_IS_OK(result)) {
1145 return NT_STATUS_OK;
1148 typedef NTSTATUS (*lookup_names_fn_t)(struct dcerpc_binding_handle *h,
1149 TALLOC_CTX *mem_ctx,
1150 struct policy_handle *pol,
1153 const char ***dom_names,
1154 enum lsa_LookupNamesLevel level,
1155 struct dom_sid **sids,
1156 enum lsa_SidType **types,
1159 NTSTATUS winbindd_lookup_names(TALLOC_CTX *mem_ctx,
1160 struct winbindd_domain *domain,
1163 const char ***domains,
1164 struct dom_sid **sids,
1165 enum lsa_SidType **types)
1169 struct rpc_pipe_client *cli = NULL;
1170 struct dcerpc_binding_handle *b = NULL;
1171 struct policy_handle lsa_policy;
1172 unsigned int orig_timeout = 0;
1173 lookup_names_fn_t lookup_names_fn = dcerpc_lsa_lookup_names;
1175 if (domain->can_do_ncacn_ip_tcp) {
1176 status = cm_connect_lsa_tcp(domain, mem_ctx, &cli);
1177 if (NT_STATUS_IS_OK(status)) {
1178 lookup_names_fn = dcerpc_lsa_lookup_names4;
1181 domain->can_do_ncacn_ip_tcp = false;
1183 status = cm_connect_lsa(domain, mem_ctx, &cli, &lsa_policy);
1185 if (!NT_STATUS_IS_OK(status)) {
1190 b = cli->binding_handle;
1193 * This call can take a long time
1194 * allow the server to time out.
1195 * 35 seconds should do it.
1197 orig_timeout = dcerpc_binding_handle_set_timeout(b, 35000);
1199 status = lookup_names_fn(b,
1203 (const char **) names,
1210 /* And restore our original timeout. */
1211 dcerpc_binding_handle_set_timeout(b, orig_timeout);
1213 if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) ||
1214 NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR)) {
1216 * This can happen if the schannel key is not
1217 * valid anymore, we need to invalidate the
1218 * all connections to the dc and reestablish
1219 * a netlogon connection first.
1221 invalidate_cm_connection(&domain->conn);
1222 status = NT_STATUS_ACCESS_DENIED;
1225 if (!NT_STATUS_IS_OK(status)) {
1229 if (!NT_STATUS_IS_OK(result)) {
1233 return NT_STATUS_OK;
1236 /* the rpc backend methods are exposed via this structure */
1237 struct winbindd_methods msrpc_methods = {
1239 msrpc_query_user_list,
1240 msrpc_enum_dom_groups,
1241 msrpc_enum_local_groups,
1244 msrpc_rids_to_names,
1246 msrpc_lookup_usergroups,
1247 msrpc_lookup_useraliases,
1248 msrpc_lookup_groupmem,
1249 msrpc_sequence_number,
1250 msrpc_lockout_policy,
1251 msrpc_password_policy,
1252 msrpc_trusted_domains,