2 Unix SMB/CIFS implementation.
4 Winbind rpc backend functions
6 Copyright (C) Tim Potter 2000-2001,2003
7 Copyright (C) Andrew Tridgell 2001
8 Copyright (C) Volker Lendecke 2005
9 Copyright (C) Guenther Deschner 2008 (pidl conversion)
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 3 of the License, or
14 (at your option) any later version.
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
21 You should have received a copy of the GNU General Public License
22 along with this program. If not, see <http://www.gnu.org/licenses/>.
27 #include "../librpc/gen_ndr/cli_samr.h"
28 #include "rpc_client/cli_samr.h"
29 #include "../librpc/gen_ndr/cli_lsa.h"
32 #define DBGC_CLASS DBGC_WINBIND
35 /* Query display info for a domain. This returns enough information plus a
36 bit extra to give an overview of domain users for the User Manager
38 static NTSTATUS query_user_list(struct winbindd_domain *domain,
41 struct wbint_userinfo **info)
44 struct policy_handle dom_pol;
45 unsigned int i, start_idx;
47 struct rpc_pipe_client *cli;
49 DEBUG(3,("rpc: query_user_list\n"));
54 if ( !winbindd_can_contact_domain( domain ) ) {
55 DEBUG(10,("query_user_list: No incoming trust for domain %s\n",
60 result = cm_connect_sam(domain, mem_ctx, &cli, &dom_pol);
61 if (!NT_STATUS_IS_OK(result))
68 uint32 num_dom_users, j;
69 uint32 max_entries, max_size;
70 uint32_t total_size, returned_size;
72 union samr_DispInfo disp_info;
74 /* this next bit is copied from net_user_list_internal() */
76 get_query_dispinfo_params(loop_count, &max_entries,
79 result = rpccli_samr_QueryDisplayInfo(cli, mem_ctx,
88 num_dom_users = disp_info.info1.count;
89 start_idx += disp_info.info1.count;
92 *num_entries += num_dom_users;
94 *info = TALLOC_REALLOC_ARRAY(mem_ctx, *info,
95 struct wbint_userinfo,
99 return NT_STATUS_NO_MEMORY;
102 for (j = 0; j < num_dom_users; i++, j++) {
104 uint32_t rid = disp_info.info1.entries[j].rid;
105 struct samr_DispEntryGeneral *src;
106 struct wbint_userinfo *dst;
108 src = &(disp_info.info1.entries[j]);
111 dst->acct_name = talloc_strdup(
112 mem_ctx, src->account_name.string);
113 dst->full_name = talloc_strdup(
114 mem_ctx, src->full_name.string);
117 sid_compose(&dst->user_sid, &domain->sid, rid);
119 /* For the moment we set the primary group for
120 every user to be the Domain Users group.
121 There are serious problems with determining
122 the actual primary group for large domains.
123 This should really be made into a 'winbind
124 force group' smb.conf parameter or
125 something like that. */
127 sid_compose(&dst->group_sid, &domain->sid,
131 } while (NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES));
136 /* list all domain groups */
137 static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
140 struct acct_info **info)
142 struct policy_handle dom_pol;
145 struct rpc_pipe_client *cli;
150 DEBUG(3,("rpc: enum_dom_groups\n"));
152 if ( !winbindd_can_contact_domain( domain ) ) {
153 DEBUG(10,("enum_domain_groups: No incoming trust for domain %s\n",
158 status = cm_connect_sam(domain, mem_ctx, &cli, &dom_pol);
159 if (!NT_STATUS_IS_OK(status))
163 struct samr_SamArray *sam_array = NULL;
165 TALLOC_CTX *mem_ctx2;
168 mem_ctx2 = talloc_init("enum_dom_groups[rpc]");
170 /* start is updated by this call. */
171 status = rpccli_samr_EnumDomainGroups(cli, mem_ctx2,
175 0xFFFF, /* buffer size? */
178 if (!NT_STATUS_IS_OK(status) &&
179 !NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES)) {
180 talloc_destroy(mem_ctx2);
184 (*info) = TALLOC_REALLOC_ARRAY(mem_ctx, *info,
186 (*num_entries) + count);
188 talloc_destroy(mem_ctx2);
189 return NT_STATUS_NO_MEMORY;
192 for (g=0; g < count; g++) {
194 fstrcpy((*info)[*num_entries + g].acct_name,
195 sam_array->entries[g].name.string);
196 (*info)[*num_entries + g].rid = sam_array->entries[g].idx;
199 (*num_entries) += count;
200 talloc_destroy(mem_ctx2);
201 } while (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES));
206 /* List all domain groups */
208 static NTSTATUS enum_local_groups(struct winbindd_domain *domain,
211 struct acct_info **info)
213 struct policy_handle dom_pol;
215 struct rpc_pipe_client *cli;
220 DEBUG(3,("rpc: enum_local_groups\n"));
222 if ( !winbindd_can_contact_domain( domain ) ) {
223 DEBUG(10,("enum_local_groups: No incoming trust for domain %s\n",
228 result = cm_connect_sam(domain, mem_ctx, &cli, &dom_pol);
229 if (!NT_STATUS_IS_OK(result))
233 struct samr_SamArray *sam_array = NULL;
234 uint32 count = 0, start = *num_entries;
235 TALLOC_CTX *mem_ctx2;
238 mem_ctx2 = talloc_init("enum_dom_local_groups[rpc]");
240 result = rpccli_samr_EnumDomainAliases(cli, mem_ctx2,
244 0xFFFF, /* buffer size? */
246 if (!NT_STATUS_IS_OK(result) &&
247 !NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES) )
249 talloc_destroy(mem_ctx2);
253 (*info) = TALLOC_REALLOC_ARRAY(mem_ctx, *info,
255 (*num_entries) + count);
257 talloc_destroy(mem_ctx2);
258 return NT_STATUS_NO_MEMORY;
261 for (g=0; g < count; g++) {
263 fstrcpy((*info)[*num_entries + g].acct_name,
264 sam_array->entries[g].name.string);
265 (*info)[*num_entries + g].rid = sam_array->entries[g].idx;
268 (*num_entries) += count;
269 talloc_destroy(mem_ctx2);
271 } while (NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES));
276 /* convert a single name to a sid in a domain */
277 static NTSTATUS msrpc_name_to_sid(struct winbindd_domain *domain,
279 const char *domain_name,
283 enum lsa_SidType *type)
286 DOM_SID *sids = NULL;
287 enum lsa_SidType *types = NULL;
288 char *full_name = NULL;
289 NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL;
290 char *mapped_name = NULL;
292 if (name == NULL || *name=='\0') {
293 full_name = talloc_asprintf(mem_ctx, "%s", domain_name);
294 } else if (domain_name == NULL || *domain_name == '\0') {
295 full_name = talloc_asprintf(mem_ctx, "%s", name);
297 full_name = talloc_asprintf(mem_ctx, "%s\\%s", domain_name, name);
300 DEBUG(0, ("talloc_asprintf failed!\n"));
301 return NT_STATUS_NO_MEMORY;
304 DEBUG(3,("rpc: name_to_sid name=%s\n", full_name));
306 name_map_status = normalize_name_unmap(mem_ctx, full_name,
309 /* Reset the full_name pointer if we mapped anytthing */
311 if (NT_STATUS_IS_OK(name_map_status) ||
312 NT_STATUS_EQUAL(name_map_status, NT_STATUS_FILE_RENAMED))
314 full_name = mapped_name;
317 DEBUG(3,("name_to_sid [rpc] %s for domain %s\n",
318 full_name?full_name:"", domain_name ));
320 result = winbindd_lookup_names(mem_ctx, domain, 1,
321 (const char **)&full_name, NULL,
323 if (!NT_STATUS_IS_OK(result))
326 /* Return rid and type if lookup successful */
328 sid_copy(sid, &sids[0]);
335 convert a domain SID to a user or group name
337 static NTSTATUS msrpc_sid_to_name(struct winbindd_domain *domain,
342 enum lsa_SidType *type)
346 enum lsa_SidType *types = NULL;
348 NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL;
349 char *mapped_name = NULL;
351 DEBUG(3,("sid_to_name [rpc] %s for domain %s\n", sid_string_dbg(sid),
354 result = winbindd_lookup_sids(mem_ctx,
361 if (!NT_STATUS_IS_OK(result)) {
362 DEBUG(2,("msrpc_sid_to_name: failed to lookup sids: %s\n",
368 *type = (enum lsa_SidType)types[0];
369 *domain_name = domains[0];
372 DEBUG(5,("Mapped sid to [%s]\\[%s]\n", domains[0], *name));
374 name_map_status = normalize_name_map(mem_ctx, domain, *name,
376 if (NT_STATUS_IS_OK(name_map_status) ||
377 NT_STATUS_EQUAL(name_map_status, NT_STATUS_FILE_RENAMED))
380 DEBUG(5,("returning mapped name -- %s\n", *name));
386 static NTSTATUS msrpc_rids_to_names(struct winbindd_domain *domain,
393 enum lsa_SidType **types)
401 DEBUG(3, ("rids_to_names [rpc] for domain %s\n", domain->name ));
404 sids = TALLOC_ARRAY(mem_ctx, DOM_SID, num_rids);
406 return NT_STATUS_NO_MEMORY;
412 for (i=0; i<num_rids; i++) {
413 if (!sid_compose(&sids[i], sid, rids[i])) {
414 return NT_STATUS_INTERNAL_ERROR;
418 result = winbindd_lookup_sids(mem_ctx,
426 if (!NT_STATUS_IS_OK(result) &&
427 !NT_STATUS_EQUAL(result, STATUS_SOME_UNMAPPED)) {
432 for (i=0; i<num_rids; i++) {
433 NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL;
434 char *mapped_name = NULL;
436 if ((*types)[i] != SID_NAME_UNKNOWN) {
437 name_map_status = normalize_name_map(mem_ctx,
441 if (NT_STATUS_IS_OK(name_map_status) ||
442 NT_STATUS_EQUAL(name_map_status, NT_STATUS_FILE_RENAMED))
444 ret_names[i] = mapped_name;
447 *domain_name = domains[i];
454 /* Lookup user information from a rid or username. */
455 static NTSTATUS query_user(struct winbindd_domain *domain,
457 const DOM_SID *user_sid,
458 struct wbint_userinfo *user_info)
460 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
461 struct policy_handle dom_pol, user_pol;
462 union samr_UserInfo *info = NULL;
464 struct netr_SamInfo3 *user;
465 struct rpc_pipe_client *cli;
467 DEBUG(3,("rpc: query_user sid=%s\n", sid_string_dbg(user_sid)));
469 if (!sid_peek_check_rid(&domain->sid, user_sid, &user_rid))
470 return NT_STATUS_UNSUCCESSFUL;
472 user_info->homedir = NULL;
473 user_info->shell = NULL;
474 user_info->primary_gid = (gid_t)-1;
476 /* try netsamlogon cache first */
478 if ( (user = netsamlogon_cache_get( mem_ctx, user_sid )) != NULL )
481 DEBUG(5,("query_user: Cache lookup succeeded for %s\n",
482 sid_string_dbg(user_sid)));
484 sid_compose(&user_info->user_sid, &domain->sid, user->base.rid);
485 sid_compose(&user_info->group_sid, &domain->sid,
486 user->base.primary_gid);
488 user_info->acct_name = talloc_strdup(mem_ctx,
489 user->base.account_name.string);
490 user_info->full_name = talloc_strdup(mem_ctx,
491 user->base.full_name.string);
498 if ( !winbindd_can_contact_domain( domain ) ) {
499 DEBUG(10,("query_user: No incoming trust for domain %s\n",
504 /* no cache; hit the wire */
506 result = cm_connect_sam(domain, mem_ctx, &cli, &dom_pol);
507 if (!NT_STATUS_IS_OK(result))
510 /* Get user handle */
511 result = rpccli_samr_OpenUser(cli, mem_ctx,
513 SEC_FLAG_MAXIMUM_ALLOWED,
517 if (!NT_STATUS_IS_OK(result))
521 result = rpccli_samr_QueryUserInfo(cli, mem_ctx,
526 rpccli_samr_Close(cli, mem_ctx, &user_pol);
528 if (!NT_STATUS_IS_OK(result))
531 sid_compose(&user_info->user_sid, &domain->sid, user_rid);
532 sid_compose(&user_info->group_sid, &domain->sid,
533 info->info21.primary_gid);
534 user_info->acct_name = talloc_strdup(mem_ctx,
535 info->info21.account_name.string);
536 user_info->full_name = talloc_strdup(mem_ctx,
537 info->info21.full_name.string);
538 user_info->homedir = NULL;
539 user_info->shell = NULL;
540 user_info->primary_gid = (gid_t)-1;
545 /* Lookup groups a user is a member of. I wish Unix had a call like this! */
546 static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
548 const DOM_SID *user_sid,
549 uint32 *num_groups, DOM_SID **user_grpsids)
551 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
552 struct policy_handle dom_pol, user_pol;
553 uint32 des_access = SEC_FLAG_MAXIMUM_ALLOWED;
554 struct samr_RidWithAttributeArray *rid_array = NULL;
557 struct rpc_pipe_client *cli;
559 DEBUG(3,("rpc: lookup_usergroups sid=%s\n", sid_string_dbg(user_sid)));
561 if (!sid_peek_check_rid(&domain->sid, user_sid, &user_rid))
562 return NT_STATUS_UNSUCCESSFUL;
565 *user_grpsids = NULL;
567 /* so lets see if we have a cached user_info_3 */
568 result = lookup_usergroups_cached(domain, mem_ctx, user_sid,
569 num_groups, user_grpsids);
571 if (NT_STATUS_IS_OK(result)) {
575 if ( !winbindd_can_contact_domain( domain ) ) {
576 DEBUG(10,("lookup_usergroups: No incoming trust for domain %s\n",
579 /* Tell the cache manager not to remember this one */
581 return NT_STATUS_SYNCHRONIZATION_REQUIRED;
584 /* no cache; hit the wire */
586 result = cm_connect_sam(domain, mem_ctx, &cli, &dom_pol);
587 if (!NT_STATUS_IS_OK(result))
590 /* Get user handle */
591 result = rpccli_samr_OpenUser(cli, mem_ctx,
597 if (!NT_STATUS_IS_OK(result))
600 /* Query user rids */
601 result = rpccli_samr_GetGroupsForUser(cli, mem_ctx,
604 *num_groups = rid_array->count;
606 rpccli_samr_Close(cli, mem_ctx, &user_pol);
608 if (!NT_STATUS_IS_OK(result) || (*num_groups) == 0)
611 (*user_grpsids) = TALLOC_ARRAY(mem_ctx, DOM_SID, *num_groups);
612 if (!(*user_grpsids))
613 return NT_STATUS_NO_MEMORY;
615 for (i=0;i<(*num_groups);i++) {
616 sid_compose(&((*user_grpsids)[i]), &domain->sid,
617 rid_array->rids[i].rid);
623 #define MAX_SAM_ENTRIES_W2K 0x400 /* 1024 */
625 static NTSTATUS msrpc_lookup_useraliases(struct winbindd_domain *domain,
627 uint32 num_sids, const DOM_SID *sids,
631 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
632 struct policy_handle dom_pol;
633 uint32 num_query_sids = 0;
635 struct rpc_pipe_client *cli;
636 struct samr_Ids alias_rids_query;
637 int rangesize = MAX_SAM_ENTRIES_W2K;
638 uint32 total_sids = 0;
644 DEBUG(3,("rpc: lookup_useraliases\n"));
646 if ( !winbindd_can_contact_domain( domain ) ) {
647 DEBUG(10,("msrpc_lookup_useraliases: No incoming trust for domain %s\n",
652 result = cm_connect_sam(domain, mem_ctx, &cli, &dom_pol);
653 if (!NT_STATUS_IS_OK(result))
658 struct lsa_SidArray sid_array;
660 ZERO_STRUCT(sid_array);
662 num_query_sids = MIN(num_sids - total_sids, rangesize);
664 DEBUG(10,("rpc: lookup_useraliases: entering query %d for %d sids\n",
665 num_queries, num_query_sids));
667 if (num_query_sids) {
668 sid_array.sids = TALLOC_ZERO_ARRAY(mem_ctx, struct lsa_SidPtr, num_query_sids);
669 if (sid_array.sids == NULL) {
670 return NT_STATUS_NO_MEMORY;
673 sid_array.sids = NULL;
676 for (i=0; i<num_query_sids; i++) {
677 sid_array.sids[i].sid = sid_dup_talloc(mem_ctx, &sids[total_sids++]);
678 if (!sid_array.sids[i].sid) {
679 TALLOC_FREE(sid_array.sids);
680 return NT_STATUS_NO_MEMORY;
683 sid_array.num_sids = num_query_sids;
686 result = rpccli_samr_GetAliasMembership(cli, mem_ctx,
691 if (!NT_STATUS_IS_OK(result)) {
694 TALLOC_FREE(sid_array.sids);
700 for (i=0; i<alias_rids_query.count; i++) {
701 size_t na = *num_aliases;
702 if (!add_rid_to_array_unique(mem_ctx, alias_rids_query.ids[i],
704 return NT_STATUS_NO_MEMORY;
709 TALLOC_FREE(sid_array.sids);
713 } while (total_sids < num_sids);
716 DEBUG(10,("rpc: lookup_useraliases: got %d aliases in %d queries "
717 "(rangesize: %d)\n", *num_aliases, num_queries, rangesize));
723 /* Lookup group membership given a rid. */
724 static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
726 const DOM_SID *group_sid,
727 enum lsa_SidType type,
729 DOM_SID **sid_mem, char ***names,
732 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
733 uint32 i, total_names = 0;
734 struct policy_handle dom_pol, group_pol;
735 uint32 des_access = SEC_FLAG_MAXIMUM_ALLOWED;
736 uint32 *rid_mem = NULL;
739 struct rpc_pipe_client *cli;
740 unsigned int orig_timeout;
741 struct samr_RidTypeArray *rids = NULL;
743 DEBUG(10,("rpc: lookup_groupmem %s sid=%s\n", domain->name,
744 sid_string_dbg(group_sid)));
746 if ( !winbindd_can_contact_domain( domain ) ) {
747 DEBUG(10,("lookup_groupmem: No incoming trust for domain %s\n",
752 if (!sid_peek_check_rid(&domain->sid, group_sid, &group_rid))
753 return NT_STATUS_UNSUCCESSFUL;
757 result = cm_connect_sam(domain, mem_ctx, &cli, &dom_pol);
758 if (!NT_STATUS_IS_OK(result))
761 result = rpccli_samr_OpenGroup(cli, mem_ctx,
767 if (!NT_STATUS_IS_OK(result))
770 /* Step #1: Get a list of user rids that are the members of the
773 /* This call can take a long time - allow the server to time out.
774 35 seconds should do it. */
776 orig_timeout = rpccli_set_timeout(cli, 35000);
778 result = rpccli_samr_QueryGroupMember(cli, mem_ctx,
782 /* And restore our original timeout. */
783 rpccli_set_timeout(cli, orig_timeout);
785 rpccli_samr_Close(cli, mem_ctx, &group_pol);
787 if (!NT_STATUS_IS_OK(result))
790 if (!rids || !rids->count) {
797 *num_names = rids->count;
798 rid_mem = rids->rids;
800 /* Step #2: Convert list of rids into list of usernames. Do this
801 in bunches of ~1000 to avoid crashing NT4. It looks like there
802 is a buffer overflow or something like that lurking around
805 #define MAX_LOOKUP_RIDS 900
807 *names = TALLOC_ZERO_ARRAY(mem_ctx, char *, *num_names);
808 *name_types = TALLOC_ZERO_ARRAY(mem_ctx, uint32, *num_names);
809 *sid_mem = TALLOC_ZERO_ARRAY(mem_ctx, DOM_SID, *num_names);
811 for (j=0;j<(*num_names);j++)
812 sid_compose(&(*sid_mem)[j], &domain->sid, rid_mem[j]);
814 if (*num_names>0 && (!*names || !*name_types))
815 return NT_STATUS_NO_MEMORY;
817 for (i = 0; i < *num_names; i += MAX_LOOKUP_RIDS) {
818 int num_lookup_rids = MIN(*num_names - i, MAX_LOOKUP_RIDS);
819 struct lsa_Strings tmp_names;
820 struct samr_Ids tmp_types;
822 /* Lookup a chunk of rids */
824 result = rpccli_samr_LookupRids(cli, mem_ctx,
831 /* see if we have a real error (and yes the
832 STATUS_SOME_UNMAPPED is the one returned from 2k) */
834 if (!NT_STATUS_IS_OK(result) &&
835 !NT_STATUS_EQUAL(result, STATUS_SOME_UNMAPPED))
838 /* Copy result into array. The talloc system will take
839 care of freeing the temporary arrays later on. */
841 if (tmp_names.count != tmp_types.count) {
842 return NT_STATUS_UNSUCCESSFUL;
845 for (r=0; r<tmp_names.count; r++) {
846 if (tmp_types.ids[r] == SID_NAME_UNKNOWN) {
849 (*names)[total_names] = fill_domain_username_talloc(
850 mem_ctx, domain->name,
851 tmp_names.names[r].string, true);
852 (*name_types)[total_names] = tmp_types.ids[r];
857 *num_names = total_names;
866 static int get_ldap_seq(const char *server, int port, uint32 *seq)
870 const char *attrs[] = {"highestCommittedUSN", NULL};
871 LDAPMessage *res = NULL;
872 char **values = NULL;
875 *seq = DOM_SEQUENCE_NONE;
878 * Parameterised (5) second timeout on open. This is needed as the
879 * search timeout doesn't seem to apply to doing an open as well. JRA.
882 ldp = ldap_open_with_timeout(server, port, lp_ldap_timeout());
886 /* Timeout if no response within 20 seconds. */
890 if (ldap_search_st(ldp, "", LDAP_SCOPE_BASE, "(objectclass=*)",
891 CONST_DISCARD(char **, attrs), 0, &to, &res))
894 if (ldap_count_entries(ldp, res) != 1)
897 values = ldap_get_values(ldp, res, "highestCommittedUSN");
898 if (!values || !values[0])
901 *seq = atoi(values[0]);
907 ldap_value_free(values);
915 /**********************************************************************
916 Get the sequence number for a Windows AD native mode domain using
918 **********************************************************************/
920 static int get_ldap_sequence_number(struct winbindd_domain *domain, uint32 *seq)
923 char addr[INET6_ADDRSTRLEN];
925 print_sockaddr(addr, sizeof(addr), &domain->dcaddr);
926 if ((ret = get_ldap_seq(addr, LDAP_PORT, seq)) == 0) {
927 DEBUG(3, ("get_ldap_sequence_number: Retrieved sequence "
928 "number for Domain (%s) from DC (%s)\n",
929 domain->name, addr));
934 #endif /* HAVE_LDAP */
936 /* find the sequence number for a domain */
937 static NTSTATUS sequence_number(struct winbindd_domain *domain, uint32 *seq)
940 union samr_DomainInfo *info = NULL;
942 struct policy_handle dom_pol;
943 bool got_seq_num = False;
944 struct rpc_pipe_client *cli;
946 DEBUG(10,("rpc: fetch sequence_number for %s\n", domain->name));
948 if ( !winbindd_can_contact_domain( domain ) ) {
949 DEBUG(10,("sequence_number: No incoming trust for domain %s\n",
955 *seq = DOM_SEQUENCE_NONE;
957 if (!(mem_ctx = talloc_init("sequence_number[rpc]")))
958 return NT_STATUS_NO_MEMORY;
961 if ( domain->active_directory )
965 DEBUG(8,("using get_ldap_seq() to retrieve the "
966 "sequence number\n"));
968 res = get_ldap_sequence_number( domain, seq );
971 result = NT_STATUS_OK;
972 DEBUG(10,("domain_sequence_number: LDAP for "
974 domain->name, *seq));
978 DEBUG(10,("domain_sequence_number: failed to get LDAP "
979 "sequence number for domain %s\n",
982 #endif /* HAVE_LDAP */
984 result = cm_connect_sam(domain, mem_ctx, &cli, &dom_pol);
985 if (!NT_STATUS_IS_OK(result)) {
989 /* Query domain info */
991 result = rpccli_samr_QueryDomainInfo(cli, mem_ctx,
996 if (NT_STATUS_IS_OK(result)) {
997 *seq = info->info8.sequence_num;
1002 /* retry with info-level 2 in case the dc does not support info-level 8
1003 * (like all older samba2 and samba3 dc's) - Guenther */
1005 result = rpccli_samr_QueryDomainInfo(cli, mem_ctx,
1010 if (NT_STATUS_IS_OK(result)) {
1011 *seq = info->general.sequence_num;
1017 DEBUG(10,("domain_sequence_number: for domain %s is %u\n",
1018 domain->name, (unsigned)*seq));
1020 DEBUG(10,("domain_sequence_number: failed to get sequence "
1021 "number (%u) for domain %s\n",
1022 (unsigned)*seq, domain->name ));
1027 talloc_destroy(mem_ctx);
1032 /* get a list of trusted domains */
1033 static NTSTATUS trusted_domains(struct winbindd_domain *domain,
1034 TALLOC_CTX *mem_ctx,
1035 struct netr_DomainTrustList *trusts)
1037 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1038 uint32 enum_ctx = 0;
1039 struct rpc_pipe_client *cli;
1040 struct policy_handle lsa_policy;
1042 DEBUG(3,("rpc: trusted_domains\n"));
1044 ZERO_STRUCTP(trusts);
1046 result = cm_connect_lsa(domain, mem_ctx, &cli, &lsa_policy);
1047 if (!NT_STATUS_IS_OK(result))
1050 result = STATUS_MORE_ENTRIES;
1052 while (NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES)) {
1055 struct lsa_DomainList dom_list;
1057 result = rpccli_lsa_EnumTrustDom(cli, mem_ctx,
1063 if (!NT_STATUS_IS_OK(result) &&
1064 !NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES))
1067 start_idx = trusts->count;
1068 trusts->count += dom_list.count;
1070 trusts->array = talloc_realloc(
1071 mem_ctx, trusts->array, struct netr_DomainTrust,
1073 if (trusts->array == NULL) {
1074 return NT_STATUS_NO_MEMORY;
1077 for (i=0; i<dom_list.count; i++) {
1078 struct netr_DomainTrust *trust = &trusts->array[i];
1079 struct dom_sid *sid;
1081 ZERO_STRUCTP(trust);
1083 trust->netbios_name = talloc_move(
1085 &dom_list.domains[i].name.string);
1086 trust->dns_name = NULL;
1088 sid = talloc(trusts->array, struct dom_sid);
1090 return NT_STATUS_NO_MEMORY;
1092 sid_copy(sid, dom_list.domains[i].sid);
1099 /* find the lockout policy for a domain */
1100 static NTSTATUS msrpc_lockout_policy(struct winbindd_domain *domain,
1101 TALLOC_CTX *mem_ctx,
1102 struct samr_DomInfo12 *lockout_policy)
1105 struct rpc_pipe_client *cli;
1106 struct policy_handle dom_pol;
1107 union samr_DomainInfo *info = NULL;
1109 DEBUG(10,("rpc: fetch lockout policy for %s\n", domain->name));
1111 if ( !winbindd_can_contact_domain( domain ) ) {
1112 DEBUG(10,("msrpc_lockout_policy: No incoming trust for domain %s\n",
1114 return NT_STATUS_NOT_SUPPORTED;
1117 result = cm_connect_sam(domain, mem_ctx, &cli, &dom_pol);
1118 if (!NT_STATUS_IS_OK(result)) {
1122 result = rpccli_samr_QueryDomainInfo(cli, mem_ctx,
1126 if (!NT_STATUS_IS_OK(result)) {
1130 *lockout_policy = info->info12;
1132 DEBUG(10,("msrpc_lockout_policy: lockout_threshold %d\n",
1133 info->info12.lockout_threshold));
1140 /* find the password policy for a domain */
1141 static NTSTATUS msrpc_password_policy(struct winbindd_domain *domain,
1142 TALLOC_CTX *mem_ctx,
1143 struct samr_DomInfo1 *password_policy)
1146 struct rpc_pipe_client *cli;
1147 struct policy_handle dom_pol;
1148 union samr_DomainInfo *info = NULL;
1150 DEBUG(10,("rpc: fetch password policy for %s\n", domain->name));
1152 if ( !winbindd_can_contact_domain( domain ) ) {
1153 DEBUG(10,("msrpc_password_policy: No incoming trust for domain %s\n",
1155 return NT_STATUS_NOT_SUPPORTED;
1158 result = cm_connect_sam(domain, mem_ctx, &cli, &dom_pol);
1159 if (!NT_STATUS_IS_OK(result)) {
1163 result = rpccli_samr_QueryDomainInfo(cli, mem_ctx,
1167 if (!NT_STATUS_IS_OK(result)) {
1171 *password_policy = info->info1;
1173 DEBUG(10,("msrpc_password_policy: min_length_password %d\n",
1174 info->info1.min_password_length));
1181 typedef NTSTATUS (*lookup_sids_fn_t)(struct rpc_pipe_client *cli,
1182 TALLOC_CTX *mem_ctx,
1183 struct policy_handle *pol,
1185 const DOM_SID *sids,
1188 enum lsa_SidType **ptypes);
1190 NTSTATUS winbindd_lookup_sids(TALLOC_CTX *mem_ctx,
1191 struct winbindd_domain *domain,
1193 const struct dom_sid *sids,
1196 enum lsa_SidType **types)
1199 struct rpc_pipe_client *cli = NULL;
1200 struct policy_handle lsa_policy;
1201 unsigned int orig_timeout;
1202 lookup_sids_fn_t lookup_sids_fn = rpccli_lsa_lookup_sids;
1204 if (domain->can_do_ncacn_ip_tcp) {
1205 status = cm_connect_lsa_tcp(domain, mem_ctx, &cli);
1206 if (NT_STATUS_IS_OK(status)) {
1207 lookup_sids_fn = rpccli_lsa_lookup_sids3;
1210 domain->can_do_ncacn_ip_tcp = false;
1212 status = cm_connect_lsa(domain, mem_ctx, &cli, &lsa_policy);
1214 if (!NT_STATUS_IS_OK(status)) {
1220 * This call can take a long time
1221 * allow the server to time out.
1222 * 35 seconds should do it.
1224 orig_timeout = rpccli_set_timeout(cli, 35000);
1226 status = lookup_sids_fn(cli,
1235 /* And restore our original timeout. */
1236 rpccli_set_timeout(cli, orig_timeout);
1238 if (!NT_STATUS_IS_OK(status)) {
1245 typedef NTSTATUS (*lookup_names_fn_t)(struct rpc_pipe_client *cli,
1246 TALLOC_CTX *mem_ctx,
1247 struct policy_handle *pol,
1250 const char ***dom_names,
1252 struct dom_sid **sids,
1253 enum lsa_SidType **types);
1255 NTSTATUS winbindd_lookup_names(TALLOC_CTX *mem_ctx,
1256 struct winbindd_domain *domain,
1259 const char ***domains,
1260 struct dom_sid **sids,
1261 enum lsa_SidType **types)
1264 struct rpc_pipe_client *cli = NULL;
1265 struct policy_handle lsa_policy;
1266 unsigned int orig_timeout = 0;
1267 lookup_names_fn_t lookup_names_fn = rpccli_lsa_lookup_names;
1269 if (domain->can_do_ncacn_ip_tcp) {
1270 status = cm_connect_lsa_tcp(domain, mem_ctx, &cli);
1271 if (NT_STATUS_IS_OK(status)) {
1272 lookup_names_fn = rpccli_lsa_lookup_names4;
1275 domain->can_do_ncacn_ip_tcp = false;
1277 status = cm_connect_lsa(domain, mem_ctx, &cli, &lsa_policy);
1279 if (!NT_STATUS_IS_OK(status)) {
1286 * This call can take a long time
1287 * allow the server to time out.
1288 * 35 seconds should do it.
1290 orig_timeout = rpccli_set_timeout(cli, 35000);
1292 status = lookup_names_fn(cli,
1296 (const char **) names,
1302 /* And restore our original timeout. */
1303 rpccli_set_timeout(cli, orig_timeout);
1305 if (!NT_STATUS_IS_OK(status)) {
1312 /* the rpc backend methods are exposed via this structure */
1313 struct winbindd_methods msrpc_methods = {
1320 msrpc_rids_to_names,
1323 msrpc_lookup_useraliases,
1326 msrpc_lockout_policy,
1327 msrpc_password_policy,
git.samba.org / samba.git / blob