2 Unix SMB/CIFS implementation.
4 crachnames implementation for the drsuapi pipe
7 Copyright (C) Stefan Metzmacher 2004
8 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
9 Copyright (C) Matthieu Patou <mat@matws.net> 2012
10 Copyright (C) Catalyst .Net Ltd 2017
12 This program is free software; you can redistribute it and/or modify
13 it under the terms of the GNU General Public License as published by
14 the Free Software Foundation; either version 3 of the License, or
15 (at your option) any later version.
17 This program is distributed in the hope that it will be useful,
18 but WITHOUT ANY WARRANTY; without even the implied warranty of
19 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 GNU General Public License for more details.
22 You should have received a copy of the GNU General Public License
23 along with this program. If not, see <http://www.gnu.org/licenses/>.
27 #include "librpc/gen_ndr/drsuapi.h"
28 #include "lib/events/events.h"
30 #include <ldb_errors.h>
31 #include "auth/kerberos/kerberos.h"
32 #include "libcli/ldap/ldap_ndr.h"
33 #include "libcli/security/security.h"
34 #include "auth/auth.h"
35 #include "../lib/util/util_ldb.h"
36 #include "dsdb/samdb/samdb.h"
37 #include "dsdb/common/util.h"
38 #include "param/param.h"
42 static WERROR DsCrackNameOneFilter(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
43 struct smb_krb5_context *smb_krb5_context,
44 uint32_t format_flags, enum drsuapi_DsNameFormat format_offered,
45 enum drsuapi_DsNameFormat format_desired,
46 struct ldb_dn *name_dn, const char *name,
47 const char *domain_filter, const char *result_filter,
48 struct drsuapi_DsNameInfo1 *info1, int scope, struct ldb_dn *search_dn);
49 static WERROR DsCrackNameOneSyntactical(TALLOC_CTX *mem_ctx,
50 enum drsuapi_DsNameFormat format_offered,
51 enum drsuapi_DsNameFormat format_desired,
52 struct ldb_dn *name_dn, const char *name,
53 struct drsuapi_DsNameInfo1 *info1);
55 static WERROR dns_domain_from_principal(TALLOC_CTX *mem_ctx, struct smb_krb5_context *smb_krb5_context,
57 struct drsuapi_DsNameInfo1 *info1)
60 krb5_principal principal;
61 /* perhaps it's a principal with a realm, so return the right 'domain only' response */
62 ret = krb5_parse_name_flags(smb_krb5_context->krb5_context, name,
63 KRB5_PRINCIPAL_PARSE_REQUIRE_REALM, &principal);
65 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
69 info1->dns_domain_name = smb_krb5_principal_get_realm(
70 mem_ctx, smb_krb5_context->krb5_context, principal);
71 krb5_free_principal(smb_krb5_context->krb5_context, principal);
73 W_ERROR_HAVE_NO_MEMORY(info1->dns_domain_name);
75 info1->status = DRSUAPI_DS_NAME_STATUS_DOMAIN_ONLY;
79 static enum drsuapi_DsNameStatus LDB_lookup_spn_alias(struct ldb_context *ldb_ctx,
81 const char *alias_from,
85 * Some of the logic of this function is mirrored in find_spn_alias()
86 * in source4/dsdb.samdb/ldb_modules/samldb.c. If you change this to
87 * not return the first matched alias, you will need to rethink that
92 struct ldb_result *res;
93 struct ldb_message_element *spnmappings;
95 struct ldb_dn *service_dn;
98 const char *directory_attrs[] = {
103 tmp_ctx = talloc_new(mem_ctx);
105 return DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
108 service_dn = ldb_dn_new(tmp_ctx, ldb_ctx, "CN=Directory Service,CN=Windows NT,CN=Services");
109 if ( ! ldb_dn_add_base(service_dn, ldb_get_config_basedn(ldb_ctx))) {
110 talloc_free(tmp_ctx);
111 return DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
113 service_dn_str = ldb_dn_alloc_linearized(tmp_ctx, service_dn);
114 if ( ! service_dn_str) {
115 talloc_free(tmp_ctx);
116 return DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
119 ret = ldb_search(ldb_ctx, tmp_ctx, &res, service_dn, LDB_SCOPE_BASE,
120 directory_attrs, "(objectClass=nTDSService)");
122 if (ret != LDB_SUCCESS && ret != LDB_ERR_NO_SUCH_OBJECT) {
123 DEBUG(1, ("ldb_search: dn: %s not found: %s\n", service_dn_str, ldb_errstring(ldb_ctx)));
124 talloc_free(tmp_ctx);
125 return DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
126 } else if (ret == LDB_ERR_NO_SUCH_OBJECT) {
127 DEBUG(1, ("ldb_search: dn: %s not found\n", service_dn_str));
128 talloc_free(tmp_ctx);
129 return DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
130 } else if (res->count != 1) {
131 DEBUG(1, ("ldb_search: dn: %s not found\n", service_dn_str));
132 talloc_free(tmp_ctx);
133 return DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
136 spnmappings = ldb_msg_find_element(res->msgs[0], "sPNMappings");
137 if (!spnmappings || spnmappings->num_values == 0) {
138 DEBUG(1, ("ldb_search: dn: %s no sPNMappings attribute\n", service_dn_str));
139 talloc_free(tmp_ctx);
140 return DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
143 for (i = 0; i < spnmappings->num_values; i++) {
144 char *mapping, *p, *str;
145 mapping = talloc_strdup(tmp_ctx,
146 (const char *)spnmappings->values[i].data);
148 DEBUG(1, ("LDB_lookup_spn_alias: ldb_search: dn: %s did not have an sPNMapping\n", service_dn_str));
149 talloc_free(tmp_ctx);
150 return DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
153 /* C string manipulation sucks */
155 p = strchr(mapping, '=');
157 DEBUG(1, ("ldb_search: dn: %s sPNMapping malformed: %s\n",
158 service_dn_str, mapping));
159 talloc_free(tmp_ctx);
160 return DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
171 if (strcasecmp(str, alias_from) == 0) {
173 talloc_steal(mem_ctx, mapping);
174 talloc_free(tmp_ctx);
175 return DRSUAPI_DS_NAME_STATUS_OK;
179 DEBUG(4, ("LDB_lookup_spn_alias: no alias for service %s applicable\n", alias_from));
180 talloc_free(tmp_ctx);
181 return DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
184 /* When cracking a ServicePrincipalName, many services may be served
185 * by the host/ servicePrincipalName. The incoming query is for cifs/
186 * but we translate it here, and search on host/. This is done after
187 * the cifs/ entry has been searched for, making this a fallback */
189 static WERROR DsCrackNameSPNAlias(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
190 struct smb_krb5_context *smb_krb5_context,
191 uint32_t format_flags, enum drsuapi_DsNameFormat format_offered,
192 enum drsuapi_DsNameFormat format_desired,
193 const char *name, struct drsuapi_DsNameInfo1 *info1)
197 krb5_principal principal;
199 const char *service, *dns_name;
202 enum drsuapi_DsNameStatus namestatus;
204 /* parse principal */
205 ret = krb5_parse_name_flags(smb_krb5_context->krb5_context,
206 name, KRB5_PRINCIPAL_PARSE_NO_REALM, &principal);
208 DEBUG(2, ("Could not parse principal: %s: %s\n",
209 name, smb_get_krb5_error_message(smb_krb5_context->krb5_context,
211 return WERR_NOT_ENOUGH_MEMORY;
214 /* grab cifs/, http/ etc */
216 ret = smb_krb5_princ_component(smb_krb5_context->krb5_context,
217 principal, 0, &component);
219 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
220 krb5_free_principal(smb_krb5_context->krb5_context, principal);
223 service = (const char *)component.data;
224 ret = smb_krb5_princ_component(smb_krb5_context->krb5_context,
225 principal, 1, &component);
227 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
228 krb5_free_principal(smb_krb5_context->krb5_context, principal);
231 dns_name = (const char *)component.data;
234 namestatus = LDB_lookup_spn_alias(sam_ctx, mem_ctx,
235 service, &new_service);
237 if (namestatus == DRSUAPI_DS_NAME_STATUS_NOT_FOUND) {
239 info1->status = DRSUAPI_DS_NAME_STATUS_DOMAIN_ONLY;
240 info1->dns_domain_name = talloc_strdup(mem_ctx, dns_name);
241 if (!info1->dns_domain_name) {
242 wret = WERR_NOT_ENOUGH_MEMORY;
244 krb5_free_principal(smb_krb5_context->krb5_context, principal);
246 } else if (namestatus != DRSUAPI_DS_NAME_STATUS_OK) {
247 info1->status = namestatus;
248 krb5_free_principal(smb_krb5_context->krb5_context, principal);
252 /* reform principal */
253 new_princ = talloc_asprintf(mem_ctx, "%s/%s", new_service, dns_name);
255 krb5_free_principal(smb_krb5_context->krb5_context, principal);
256 return WERR_NOT_ENOUGH_MEMORY;
259 wret = DsCrackNameOneName(sam_ctx, mem_ctx, format_flags, format_offered, format_desired,
261 talloc_free(new_princ);
262 if (W_ERROR_IS_OK(wret) && (info1->status == DRSUAPI_DS_NAME_STATUS_NOT_FOUND)) {
263 info1->status = DRSUAPI_DS_NAME_STATUS_DOMAIN_ONLY;
264 info1->dns_domain_name = talloc_strdup(mem_ctx, dns_name);
265 if (!info1->dns_domain_name) {
266 wret = WERR_NOT_ENOUGH_MEMORY;
269 krb5_free_principal(smb_krb5_context->krb5_context, principal);
273 /* Subcase of CrackNames, for the userPrincipalName */
275 static WERROR DsCrackNameUPN(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
276 struct smb_krb5_context *smb_krb5_context,
277 uint32_t format_flags, enum drsuapi_DsNameFormat format_offered,
278 enum drsuapi_DsNameFormat format_desired,
279 const char *name, struct drsuapi_DsNameInfo1 *info1)
283 const char *domain_filter = NULL;
284 const char *result_filter = NULL;
286 krb5_principal principal;
288 char *realm_encoded = NULL;
289 char *unparsed_name_short;
290 const char *unparsed_name_short_encoded = NULL;
291 const char *domain_attrs[] = { NULL };
292 struct ldb_result *domain_res = NULL;
294 /* Prevent recursion */
296 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
300 ret = krb5_parse_name_flags(smb_krb5_context->krb5_context, name,
301 KRB5_PRINCIPAL_PARSE_REQUIRE_REALM, &principal);
303 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
307 realm = smb_krb5_principal_get_realm(
308 mem_ctx, smb_krb5_context->krb5_context, principal);
310 return WERR_NOT_ENOUGH_MEMORY;
313 realm_encoded = ldb_binary_encode_string(mem_ctx, realm);
314 if (realm_encoded == NULL) {
315 return WERR_NOT_ENOUGH_MEMORY;
318 ldb_ret = ldb_search(sam_ctx, mem_ctx, &domain_res,
319 samdb_partitions_dn(sam_ctx, mem_ctx),
322 "(&(objectClass=crossRef)(|(dnsRoot=%s)(netbiosName=%s))"
323 "(systemFlags:"LDB_OID_COMPARATOR_AND":=%u))",
326 SYSTEM_FLAG_CR_NTDS_DOMAIN);
327 TALLOC_FREE(realm_encoded);
330 if (ldb_ret != LDB_SUCCESS) {
331 DEBUG(2, ("DsCrackNameUPN domain ref search failed: %s\n", ldb_errstring(sam_ctx)));
332 info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
333 krb5_free_principal(smb_krb5_context->krb5_context, principal);
337 switch (domain_res->count) {
341 krb5_free_principal(smb_krb5_context->krb5_context, principal);
342 return dns_domain_from_principal(mem_ctx, smb_krb5_context,
345 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_UNIQUE;
346 krb5_free_principal(smb_krb5_context->krb5_context, principal);
351 * The important thing here is that a samAccountName may have
352 * a space in it, and this must not be kerberos escaped to
353 * match this filter, so we specify
354 * KRB5_PRINCIPAL_UNPARSE_DISPLAY
356 ret = krb5_unparse_name_flags(smb_krb5_context->krb5_context, principal,
357 KRB5_PRINCIPAL_UNPARSE_NO_REALM |
358 KRB5_PRINCIPAL_UNPARSE_DISPLAY,
359 &unparsed_name_short);
360 krb5_free_principal(smb_krb5_context->krb5_context, principal);
363 free(unparsed_name_short);
364 return WERR_NOT_ENOUGH_MEMORY;
367 unparsed_name_short_encoded = ldb_binary_encode_string(mem_ctx, unparsed_name_short);
368 if (unparsed_name_short_encoded == NULL) {
369 free(unparsed_name_short);
370 return WERR_NOT_ENOUGH_MEMORY;
373 /* This may need to be extended for more userPrincipalName variations */
374 result_filter = talloc_asprintf(mem_ctx, "(&(samAccountName=%s)(objectClass=user))",
375 unparsed_name_short_encoded);
377 domain_filter = talloc_asprintf(mem_ctx, "(distinguishedName=%s)", ldb_dn_get_linearized(domain_res->msgs[0]->dn));
379 if (!result_filter || !domain_filter) {
380 free(unparsed_name_short);
381 return WERR_NOT_ENOUGH_MEMORY;
383 status = DsCrackNameOneFilter(sam_ctx, mem_ctx,
385 format_flags, format_offered, format_desired,
386 NULL, unparsed_name_short, domain_filter, result_filter,
387 info1, LDB_SCOPE_SUBTREE, NULL);
388 free(unparsed_name_short);
394 * This function will workout the filtering parameter in order to be able to do
395 * the adapted search when the incoming format is format_functional.
396 * This boils down to defining the search_dn (passed as pointer to ldb_dn *) and the
397 * ldap filter request.
398 * Main input parameters are:
399 * * name, which is the portion of the functional name after the
401 * * domain_filter, which is a ldap search filter used to find the NC DN given the
402 * function name to crack.
404 static WERROR get_format_functional_filtering_param(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
405 char *name, struct drsuapi_DsNameInfo1 *info1,
406 struct ldb_dn **psearch_dn, const char *domain_filter, const char **presult_filter)
408 struct ldb_result *domain_res = NULL;
409 const char * const domain_attrs[] = {"ncName", NULL};
410 struct ldb_dn *partitions_basedn = samdb_partitions_dn(sam_ctx, mem_ctx);
412 char *account, *s, *result_filter = NULL;
413 struct ldb_dn *search_dn = NULL;
416 *presult_filter = NULL;
418 ldb_ret = ldb_search(sam_ctx, mem_ctx, &domain_res,
422 "%s", domain_filter);
424 if (ldb_ret != LDB_SUCCESS) {
425 DEBUG(2, ("DsCrackNameOne domain ref search failed: %s\n", ldb_errstring(sam_ctx)));
426 info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
430 if (domain_res->count == 1) {
431 struct ldb_dn *tmp_dn = samdb_result_dn(sam_ctx, mem_ctx, domain_res->msgs[0], "ncName", NULL);
432 const char * const name_attrs[] = {"name", NULL};
435 s = strchr(account, '/');
436 talloc_free(domain_res);
441 ldb_ret = ldb_search(sam_ctx, mem_ctx, &domain_res,
447 if (ldb_ret != LDB_SUCCESS) {
448 DEBUG(2, ("DsCrackNameOne domain ref search failed: %s\n", ldb_errstring(sam_ctx)));
449 info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
453 switch (domain_res->count) {
457 talloc_free(domain_res);
458 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
461 talloc_free(domain_res);
462 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_UNIQUE;
466 tmp_dn = talloc_steal(mem_ctx, domain_res->msgs[0]->dn);
467 talloc_free(domain_res);
470 s = strchr(account, '/');
472 account = ldb_binary_encode_string(mem_ctx, account);
473 W_ERROR_HAVE_NO_MEMORY(account);
474 result_filter = talloc_asprintf(mem_ctx, "(name=%s)",
476 W_ERROR_HAVE_NO_MEMORY(result_filter);
478 *psearch_dn = search_dn;
479 *presult_filter = result_filter;
483 /* Crack a single 'name', from format_offered into format_desired, returning the result in info1 */
485 WERROR DsCrackNameOneName(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
486 uint32_t format_flags, enum drsuapi_DsNameFormat format_offered,
487 enum drsuapi_DsNameFormat format_desired,
488 const char *name, struct drsuapi_DsNameInfo1 *info1)
491 const char *domain_filter = NULL;
492 const char *result_filter = NULL;
493 struct ldb_dn *name_dn = NULL;
494 struct ldb_dn *search_dn = NULL;
496 struct smb_krb5_context *smb_krb5_context = NULL;
497 int scope = LDB_SCOPE_SUBTREE;
499 info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
500 info1->dns_domain_name = NULL;
501 info1->result_name = NULL;
504 return WERR_INVALID_PARAMETER;
507 /* TODO: - fill the correct names in all cases!
508 * - handle format_flags
510 if (format_desired == DRSUAPI_DS_NAME_FORMAT_UNKNOWN) {
513 /* here we need to set the domain_filter and/or the result_filter */
514 switch (format_offered) {
515 case DRSUAPI_DS_NAME_FORMAT_UNKNOWN:
518 enum drsuapi_DsNameFormat formats[] = {
519 DRSUAPI_DS_NAME_FORMAT_FQDN_1779, DRSUAPI_DS_NAME_FORMAT_USER_PRINCIPAL,
520 DRSUAPI_DS_NAME_FORMAT_NT4_ACCOUNT, DRSUAPI_DS_NAME_FORMAT_CANONICAL,
521 DRSUAPI_DS_NAME_FORMAT_GUID, DRSUAPI_DS_NAME_FORMAT_DISPLAY,
522 DRSUAPI_DS_NAME_FORMAT_SERVICE_PRINCIPAL,
523 DRSUAPI_DS_NAME_FORMAT_SID_OR_SID_HISTORY,
524 DRSUAPI_DS_NAME_FORMAT_CANONICAL_EX
527 for (i=0; i < ARRAY_SIZE(formats); i++) {
528 werr = DsCrackNameOneName(sam_ctx, mem_ctx, format_flags, formats[i], format_desired, name, info1);
529 if (!W_ERROR_IS_OK(werr)) {
532 if (info1->status != DRSUAPI_DS_NAME_STATUS_NOT_FOUND &&
533 (formats[i] != DRSUAPI_DS_NAME_FORMAT_CANONICAL ||
534 info1->status != DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR))
542 case DRSUAPI_DS_NAME_FORMAT_CANONICAL:
543 case DRSUAPI_DS_NAME_FORMAT_CANONICAL_EX:
545 char *str, *s, *account;
546 const char *str_encoded = NULL;
547 scope = LDB_SCOPE_ONELEVEL;
549 if (strlen(name) == 0) {
550 info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
554 str = talloc_strdup(mem_ctx, name);
555 W_ERROR_HAVE_NO_MEMORY(str);
557 if (format_offered == DRSUAPI_DS_NAME_FORMAT_CANONICAL_EX) {
558 /* Look backwards for the \n, and replace it with / */
559 s = strrchr(str, '\n');
561 info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
567 s = strchr(str, '/');
569 /* there must be at least one / */
570 info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
577 str_encoded = ldb_binary_encode_string(mem_ctx, str);
578 if (str_encoded == NULL) {
579 return WERR_NOT_ENOUGH_MEMORY;
582 domain_filter = talloc_asprintf(mem_ctx, "(&(objectClass=crossRef)(dnsRoot=%s)(systemFlags:%s:=%u))",
584 LDB_OID_COMPARATOR_AND,
585 SYSTEM_FLAG_CR_NTDS_DOMAIN);
586 W_ERROR_HAVE_NO_MEMORY(domain_filter);
588 /* There may not be anything after the domain component (search for the domain itself) */
590 if (account && *account) {
591 WERROR werr = get_format_functional_filtering_param(sam_ctx,
598 if (!W_ERROR_IS_OK(werr)) {
601 if (info1->status != DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR)
606 case DRSUAPI_DS_NAME_FORMAT_NT4_ACCOUNT: {
609 char *domain_encoded = NULL;
610 const char *account = NULL;
612 domain = talloc_strdup(mem_ctx, name);
613 W_ERROR_HAVE_NO_MEMORY(domain);
615 p = strchr(domain, '\\');
617 /* invalid input format */
618 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
627 domain_encoded = ldb_binary_encode_string(mem_ctx, domain);
628 if (domain_encoded == NULL) {
629 return WERR_NOT_ENOUGH_MEMORY;
632 domain_filter = talloc_asprintf(mem_ctx,
633 "(&(objectClass=crossRef)(netbiosName=%s)(systemFlags:%s:=%u))",
635 LDB_OID_COMPARATOR_AND,
636 SYSTEM_FLAG_CR_NTDS_DOMAIN);
637 W_ERROR_HAVE_NO_MEMORY(domain_filter);
639 const char *account_encoded = NULL;
641 account_encoded = ldb_binary_encode_string(mem_ctx, account);
642 if (account_encoded == NULL) {
643 return WERR_NOT_ENOUGH_MEMORY;
646 result_filter = talloc_asprintf(mem_ctx, "(sAMAccountName=%s)",
648 W_ERROR_HAVE_NO_MEMORY(result_filter);
655 /* A LDAP DN as a string */
656 case DRSUAPI_DS_NAME_FORMAT_FQDN_1779: {
657 domain_filter = NULL;
658 name_dn = ldb_dn_new(mem_ctx, sam_ctx, name);
659 if (! ldb_dn_validate(name_dn)) {
660 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
666 /* A GUID as a string */
667 case DRSUAPI_DS_NAME_FORMAT_GUID: {
671 domain_filter = NULL;
673 nt_status = GUID_from_string(name, &guid);
674 if (!NT_STATUS_IS_OK(nt_status)) {
675 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
679 ldap_guid = ldap_encode_ndr_GUID(mem_ctx, &guid);
681 return WERR_NOT_ENOUGH_MEMORY;
683 result_filter = talloc_asprintf(mem_ctx, "(objectGUID=%s)",
685 W_ERROR_HAVE_NO_MEMORY(result_filter);
688 case DRSUAPI_DS_NAME_FORMAT_DISPLAY: {
689 const char *name_encoded = NULL;
691 domain_filter = NULL;
693 name_encoded = ldb_binary_encode_string(mem_ctx, name);
694 if (name_encoded == NULL) {
695 return WERR_NOT_ENOUGH_MEMORY;
698 result_filter = talloc_asprintf(mem_ctx, "(|(displayName=%s)(samAccountName=%s))",
701 W_ERROR_HAVE_NO_MEMORY(result_filter);
705 /* A S-1234-5678 style string */
706 case DRSUAPI_DS_NAME_FORMAT_SID_OR_SID_HISTORY: {
707 struct dom_sid *sid = dom_sid_parse_talloc(mem_ctx, name);
710 domain_filter = NULL;
712 info1->dns_domain_name = NULL;
713 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
716 ldap_sid = ldap_encode_ndr_dom_sid(mem_ctx,
719 return WERR_NOT_ENOUGH_MEMORY;
721 result_filter = talloc_asprintf(mem_ctx, "(objectSid=%s)",
723 W_ERROR_HAVE_NO_MEMORY(result_filter);
726 case DRSUAPI_DS_NAME_FORMAT_USER_PRINCIPAL: {
727 krb5_principal principal;
729 const char *unparsed_name_encoded = NULL;
731 ret = smb_krb5_init_context(mem_ctx,
732 (struct loadparm_context *)ldb_get_opaque(sam_ctx, "loadparm"),
736 return WERR_NOT_ENOUGH_MEMORY;
739 /* Ensure we reject complete junk first */
740 ret = krb5_parse_name(smb_krb5_context->krb5_context, name, &principal);
742 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
746 domain_filter = NULL;
749 * By getting the unparsed name here, we ensure the
750 * escaping is removed correctly (and trust the client
751 * less). The important thing here is that a
752 * userPrincipalName may have a space in it, and this
753 * must not be kerberos escaped to match this filter,
754 * so we specify KRB5_PRINCIPAL_UNPARSE_DISPLAY
756 ret = krb5_unparse_name_flags(smb_krb5_context->krb5_context,
758 KRB5_PRINCIPAL_UNPARSE_DISPLAY,
761 krb5_free_principal(smb_krb5_context->krb5_context, principal);
762 return WERR_NOT_ENOUGH_MEMORY;
765 krb5_free_principal(smb_krb5_context->krb5_context, principal);
767 /* The ldb_binary_encode_string() here avoids LDAP filter injection attacks */
768 unparsed_name_encoded = ldb_binary_encode_string(mem_ctx, unparsed_name);
769 if (unparsed_name_encoded == NULL) {
770 return WERR_NOT_ENOUGH_MEMORY;
773 result_filter = talloc_asprintf(mem_ctx, "(&(userPrincipalName=%s)(objectClass=user))",
774 unparsed_name_encoded);
777 W_ERROR_HAVE_NO_MEMORY(result_filter);
780 case DRSUAPI_DS_NAME_FORMAT_SERVICE_PRINCIPAL: {
781 krb5_principal principal;
782 char *unparsed_name_short;
783 const char *unparsed_name_short_encoded = NULL;
784 bool principal_is_host = false;
786 ret = smb_krb5_init_context(mem_ctx,
787 (struct loadparm_context *)ldb_get_opaque(sam_ctx, "loadparm"),
791 return WERR_NOT_ENOUGH_MEMORY;
794 ret = krb5_parse_name(smb_krb5_context->krb5_context, name, &principal);
796 krb5_princ_size(smb_krb5_context->krb5_context,
798 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
799 krb5_free_principal(smb_krb5_context->krb5_context, principal);
801 } else if (ret == 0) {
802 krb5_free_principal(smb_krb5_context->krb5_context, principal);
804 ret = krb5_parse_name_flags(smb_krb5_context->krb5_context, name,
805 KRB5_PRINCIPAL_PARSE_NO_REALM, &principal);
807 return dns_domain_from_principal(mem_ctx, smb_krb5_context,
811 domain_filter = NULL;
813 ret = krb5_unparse_name_flags(smb_krb5_context->krb5_context, principal,
814 KRB5_PRINCIPAL_UNPARSE_NO_REALM, &unparsed_name_short);
816 krb5_free_principal(smb_krb5_context->krb5_context, principal);
817 return WERR_NOT_ENOUGH_MEMORY;
820 unparsed_name_short_encoded = ldb_binary_encode_string(mem_ctx, unparsed_name_short);
821 if (unparsed_name_short_encoded == NULL) {
822 krb5_free_principal(smb_krb5_context->krb5_context, principal);
823 free(unparsed_name_short);
824 return WERR_NOT_ENOUGH_MEMORY;
827 if ((krb5_princ_size(smb_krb5_context->krb5_context, principal) == 2)) {
830 ret = smb_krb5_princ_component(smb_krb5_context->krb5_context,
831 principal, 0, &component);
833 krb5_free_principal(smb_krb5_context->krb5_context, principal);
834 free(unparsed_name_short);
835 return WERR_INTERNAL_ERROR;
838 principal_is_host = strcasecmp(component.data, "host") == 0;
841 if (principal_is_host) {
842 /* the 'cn' attribute is just the leading part of the name */
845 const char *computer_name_encoded = NULL;
846 ret = smb_krb5_princ_component(
847 smb_krb5_context->krb5_context,
848 principal, 1, &component);
850 krb5_free_principal(smb_krb5_context->krb5_context, principal);
851 free(unparsed_name_short);
852 return WERR_INTERNAL_ERROR;
854 computer_name = talloc_strndup(mem_ctx, (char *)component.data,
855 strcspn((char *)component.data, "."));
856 if (computer_name == NULL) {
857 krb5_free_principal(smb_krb5_context->krb5_context, principal);
858 free(unparsed_name_short);
859 return WERR_NOT_ENOUGH_MEMORY;
862 computer_name_encoded = ldb_binary_encode_string(mem_ctx, computer_name);
863 if (computer_name_encoded == NULL) {
864 krb5_free_principal(smb_krb5_context->krb5_context, principal);
865 free(unparsed_name_short);
866 return WERR_NOT_ENOUGH_MEMORY;
869 result_filter = talloc_asprintf(mem_ctx, "(|(&(servicePrincipalName=%s)(objectClass=user))(&(cn=%s)(objectClass=computer)))",
870 unparsed_name_short_encoded,
871 computer_name_encoded);
873 result_filter = talloc_asprintf(mem_ctx, "(&(servicePrincipalName=%s)(objectClass=user))",
874 unparsed_name_short_encoded);
876 krb5_free_principal(smb_krb5_context->krb5_context, principal);
877 free(unparsed_name_short);
878 W_ERROR_HAVE_NO_MEMORY(result_filter);
883 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
888 if (format_flags & DRSUAPI_DS_NAME_FLAG_SYNTACTICAL_ONLY) {
889 return DsCrackNameOneSyntactical(mem_ctx, format_offered, format_desired,
890 name_dn, name, info1);
893 return DsCrackNameOneFilter(sam_ctx, mem_ctx,
895 format_flags, format_offered, format_desired,
897 domain_filter, result_filter,
898 info1, scope, search_dn);
901 /* Subcase of CrackNames. It is possible to translate a LDAP-style DN
902 * (FQDN_1779) into a canonical name without actually searching the
905 static WERROR DsCrackNameOneSyntactical(TALLOC_CTX *mem_ctx,
906 enum drsuapi_DsNameFormat format_offered,
907 enum drsuapi_DsNameFormat format_desired,
908 struct ldb_dn *name_dn, const char *name,
909 struct drsuapi_DsNameInfo1 *info1)
912 if (format_offered != DRSUAPI_DS_NAME_FORMAT_FQDN_1779) {
913 info1->status = DRSUAPI_DS_NAME_STATUS_NO_SYNTACTICAL_MAPPING;
917 switch (format_desired) {
918 case DRSUAPI_DS_NAME_FORMAT_CANONICAL:
919 cracked = ldb_dn_canonical_string(mem_ctx, name_dn);
921 case DRSUAPI_DS_NAME_FORMAT_CANONICAL_EX:
922 cracked = ldb_dn_canonical_ex_string(mem_ctx, name_dn);
925 info1->status = DRSUAPI_DS_NAME_STATUS_NO_SYNTACTICAL_MAPPING;
928 info1->status = DRSUAPI_DS_NAME_STATUS_OK;
929 info1->result_name = cracked;
931 return WERR_NOT_ENOUGH_MEMORY;
937 /* Given a filter for the domain, and one for the result, perform the
938 * ldb search. The format offered and desired flags change the
939 * behaviours, including what attributes to return.
941 * The smb_krb5_context is required because we use the krb5 libs for principal parsing
944 static WERROR DsCrackNameOneFilter(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
945 struct smb_krb5_context *smb_krb5_context,
946 uint32_t format_flags, enum drsuapi_DsNameFormat format_offered,
947 enum drsuapi_DsNameFormat format_desired,
948 struct ldb_dn *name_dn, const char *name,
949 const char *domain_filter, const char *result_filter,
950 struct drsuapi_DsNameInfo1 *info1,
951 int scope, struct ldb_dn *search_dn)
954 struct ldb_result *domain_res = NULL;
955 const char * const *domain_attrs;
956 const char * const *result_attrs;
957 struct ldb_message **result_res = NULL;
958 struct ldb_message *result = NULL;
961 struct ldb_dn *partitions_basedn = samdb_partitions_dn(sam_ctx, mem_ctx);
963 const char * const _domain_attrs_1779[] = { "ncName", "dnsRoot", NULL};
964 const char * const _result_attrs_null[] = { NULL };
966 const char * const _domain_attrs_canonical[] = { "ncName", "dnsRoot", NULL};
967 const char * const _result_attrs_canonical[] = { "canonicalName", NULL };
969 const char * const _domain_attrs_nt4[] = { "ncName", "dnsRoot", "nETBIOSName", NULL};
970 const char * const _result_attrs_nt4[] = { "sAMAccountName", "objectSid", "objectClass", NULL};
972 const char * const _domain_attrs_guid[] = { "ncName", "dnsRoot", NULL};
973 const char * const _result_attrs_guid[] = { "objectGUID", NULL};
975 const char * const _domain_attrs_upn[] = { "ncName", "dnsRoot", NULL};
976 const char * const _result_attrs_upn[] = { "userPrincipalName", NULL};
978 const char * const _domain_attrs_spn[] = { "ncName", "dnsRoot", NULL};
979 const char * const _result_attrs_spn[] = { "servicePrincipalName", NULL};
981 const char * const _domain_attrs_display[] = { "ncName", "dnsRoot", NULL};
982 const char * const _result_attrs_display[] = { "displayName", "samAccountName", NULL};
984 const char * const _domain_attrs_sid[] = { "ncName", "dnsRoot", NULL};
985 const char * const _result_attrs_sid[] = { "objectSid", NULL};
987 const char * const _domain_attrs_none[] = { "ncName", "dnsRoot" , NULL};
988 const char * const _result_attrs_none[] = { NULL};
990 /* here we need to set the attrs lists for domain and result lookups */
991 switch (format_desired) {
992 case DRSUAPI_DS_NAME_FORMAT_FQDN_1779:
993 case DRSUAPI_DS_NAME_FORMAT_CANONICAL_EX:
994 domain_attrs = _domain_attrs_1779;
995 result_attrs = _result_attrs_null;
997 case DRSUAPI_DS_NAME_FORMAT_CANONICAL:
998 domain_attrs = _domain_attrs_canonical;
999 result_attrs = _result_attrs_canonical;
1001 case DRSUAPI_DS_NAME_FORMAT_NT4_ACCOUNT:
1002 domain_attrs = _domain_attrs_nt4;
1003 result_attrs = _result_attrs_nt4;
1005 case DRSUAPI_DS_NAME_FORMAT_GUID:
1006 domain_attrs = _domain_attrs_guid;
1007 result_attrs = _result_attrs_guid;
1009 case DRSUAPI_DS_NAME_FORMAT_DISPLAY:
1010 domain_attrs = _domain_attrs_display;
1011 result_attrs = _result_attrs_display;
1013 case DRSUAPI_DS_NAME_FORMAT_USER_PRINCIPAL:
1014 domain_attrs = _domain_attrs_upn;
1015 result_attrs = _result_attrs_upn;
1017 case DRSUAPI_DS_NAME_FORMAT_SERVICE_PRINCIPAL:
1018 domain_attrs = _domain_attrs_spn;
1019 result_attrs = _result_attrs_spn;
1021 case DRSUAPI_DS_NAME_FORMAT_SID_OR_SID_HISTORY:
1022 domain_attrs = _domain_attrs_sid;
1023 result_attrs = _result_attrs_sid;
1026 domain_attrs = _domain_attrs_none;
1027 result_attrs = _result_attrs_none;
1031 if (domain_filter) {
1032 /* if we have a domain_filter look it up and set the result_basedn and the dns_domain_name */
1033 ldb_ret = ldb_search(sam_ctx, mem_ctx, &domain_res,
1037 "%s", domain_filter);
1039 if (ldb_ret != LDB_SUCCESS) {
1040 DEBUG(2, ("DsCrackNameOneFilter domain ref search failed: %s\n", ldb_errstring(sam_ctx)));
1041 info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
1045 switch (domain_res->count) {
1049 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
1052 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_UNIQUE;
1056 info1->dns_domain_name = ldb_msg_find_attr_as_string(domain_res->msgs[0], "dnsRoot", NULL);
1057 W_ERROR_HAVE_NO_MEMORY(info1->dns_domain_name);
1058 info1->status = DRSUAPI_DS_NAME_STATUS_DOMAIN_ONLY;
1060 info1->dns_domain_name = NULL;
1061 info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
1064 if (result_filter) {
1066 struct ldb_result *res;
1067 uint32_t dsdb_flags = 0;
1068 struct ldb_dn *real_search_dn = NULL;
1069 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
1072 * From 4.1.4.2.11 of MS-DRSR
1073 * if DS_NAME_FLAG_GCVERIFY in flags then
1074 * rt := select all O from all
1075 * where attrValue in GetAttrVals(O, att, false)
1077 * rt := select all O from subtree DefaultNC()
1078 * where attrValue in GetAttrVals(O, att, false)
1082 if (format_flags & DRSUAPI_DS_NAME_FLAG_GCVERIFY ||
1083 format_offered == DRSUAPI_DS_NAME_FORMAT_GUID)
1085 dsdb_flags = DSDB_SEARCH_SEARCH_ALL_PARTITIONS;
1086 } else if (domain_res) {
1088 struct ldb_dn *tmp_dn = samdb_result_dn(sam_ctx, mem_ctx, domain_res->msgs[0], "ncName", NULL);
1089 real_search_dn = tmp_dn;
1091 real_search_dn = search_dn;
1094 real_search_dn = ldb_get_default_basedn(sam_ctx);
1096 if (format_offered == DRSUAPI_DS_NAME_FORMAT_GUID){
1097 dsdb_flags |= DSDB_SEARCH_SHOW_RECYCLED;
1099 /* search with the 'phantom root' flag */
1100 ret = dsdb_search(sam_ctx, mem_ctx, &res,
1105 "%s", result_filter);
1106 if (ret != LDB_SUCCESS) {
1107 DEBUG(2, ("DsCrackNameOneFilter search from '%s' with flags 0x%08x failed: %s\n",
1108 ldb_dn_get_linearized(real_search_dn),
1110 ldb_errstring(sam_ctx)));
1111 info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
1115 ldb_ret = res->count;
1116 result_res = res->msgs;
1117 } else if (format_offered == DRSUAPI_DS_NAME_FORMAT_FQDN_1779) {
1118 ldb_ret = gendb_search_dn(sam_ctx, mem_ctx, name_dn, &result_res,
1120 } else if (domain_res) {
1121 name_dn = samdb_result_dn(sam_ctx, mem_ctx, domain_res->msgs[0], "ncName", NULL);
1122 ldb_ret = gendb_search_dn(sam_ctx, mem_ctx, name_dn, &result_res,
1126 DEBUG(0, ("LOGIC ERROR: DsCrackNameOneFilter domain ref search not available: This can't happen...\n"));
1127 info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
1133 result = result_res[0];
1136 switch (format_offered) {
1137 case DRSUAPI_DS_NAME_FORMAT_SERVICE_PRINCIPAL:
1138 return DsCrackNameSPNAlias(sam_ctx, mem_ctx,
1140 format_flags, format_offered, format_desired,
1143 case DRSUAPI_DS_NAME_FORMAT_USER_PRINCIPAL:
1144 return DsCrackNameUPN(sam_ctx, mem_ctx, smb_krb5_context,
1145 format_flags, format_offered, format_desired,
1150 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
1153 DEBUG(2, ("DsCrackNameOneFilter result search failed: %s\n", ldb_errstring(sam_ctx)));
1154 info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
1157 switch (format_offered) {
1158 case DRSUAPI_DS_NAME_FORMAT_CANONICAL:
1159 case DRSUAPI_DS_NAME_FORMAT_CANONICAL_EX:
1161 const char *canonical_name = NULL; /* Not required, but we get warnings... */
1162 /* We may need to manually filter further */
1163 for (i = 0; i < ldb_ret; i++) {
1164 switch (format_offered) {
1165 case DRSUAPI_DS_NAME_FORMAT_CANONICAL:
1166 canonical_name = ldb_dn_canonical_string(mem_ctx, result_res[i]->dn);
1168 case DRSUAPI_DS_NAME_FORMAT_CANONICAL_EX:
1169 canonical_name = ldb_dn_canonical_ex_string(mem_ctx, result_res[i]->dn);
1174 if (strcasecmp_m(canonical_name, name) == 0) {
1175 result = result_res[i];
1180 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
1186 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_UNIQUE;
1191 info1->dns_domain_name = ldb_dn_canonical_string(mem_ctx, result->dn);
1192 W_ERROR_HAVE_NO_MEMORY(info1->dns_domain_name);
1193 p = strchr(info1->dns_domain_name, '/');
1198 /* here we can use result and domain_res[0] */
1199 switch (format_desired) {
1200 case DRSUAPI_DS_NAME_FORMAT_FQDN_1779: {
1201 info1->result_name = ldb_dn_alloc_linearized(mem_ctx, result->dn);
1202 W_ERROR_HAVE_NO_MEMORY(info1->result_name);
1204 info1->status = DRSUAPI_DS_NAME_STATUS_OK;
1207 case DRSUAPI_DS_NAME_FORMAT_CANONICAL: {
1208 info1->result_name = ldb_msg_find_attr_as_string(result, "canonicalName", NULL);
1209 info1->status = DRSUAPI_DS_NAME_STATUS_OK;
1212 case DRSUAPI_DS_NAME_FORMAT_CANONICAL_EX: {
1213 /* Not in the virtual ldb attribute */
1214 return DsCrackNameOneSyntactical(mem_ctx,
1215 DRSUAPI_DS_NAME_FORMAT_FQDN_1779,
1216 DRSUAPI_DS_NAME_FORMAT_CANONICAL_EX,
1217 result->dn, name, info1);
1219 case DRSUAPI_DS_NAME_FORMAT_NT4_ACCOUNT: {
1221 const struct dom_sid *sid = samdb_result_dom_sid(mem_ctx, result, "objectSid");
1222 const char *_acc = "", *_dom = "";
1224 info1->status = DRSUAPI_DS_NAME_STATUS_NO_MAPPING;
1228 if (samdb_find_attribute(sam_ctx, result, "objectClass",
1230 /* This can also find a DomainDNSZones entry,
1231 * but it won't have the SID we just
1233 ldb_ret = ldb_search(sam_ctx, mem_ctx, &domain_res,
1237 "(ncName=%s)", ldb_dn_get_linearized(result->dn));
1239 if (ldb_ret != LDB_SUCCESS) {
1240 DEBUG(2, ("DsCrackNameOneFilter domain ref search failed: %s\n", ldb_errstring(sam_ctx)));
1241 info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
1245 switch (domain_res->count) {
1249 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
1252 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_UNIQUE;
1255 _dom = ldb_msg_find_attr_as_string(domain_res->msgs[0], "nETBIOSName", NULL);
1256 W_ERROR_HAVE_NO_MEMORY(_dom);
1258 _acc = ldb_msg_find_attr_as_string(result, "sAMAccountName", NULL);
1260 info1->status = DRSUAPI_DS_NAME_STATUS_NO_MAPPING;
1263 if (dom_sid_in_domain(&global_sid_Builtin, sid)) {
1266 const char *attrs[] = { NULL };
1267 struct ldb_result *domain_res2;
1268 struct dom_sid *dom_sid = dom_sid_dup(mem_ctx, sid);
1272 dom_sid->num_auths--;
1273 ldb_ret = ldb_search(sam_ctx, mem_ctx, &domain_res,
1277 "(&(objectSid=%s)(objectClass=domain))",
1278 ldap_encode_ndr_dom_sid(mem_ctx, dom_sid));
1280 if (ldb_ret != LDB_SUCCESS) {
1281 DEBUG(2, ("DsCrackNameOneFilter domain search failed: %s\n", ldb_errstring(sam_ctx)));
1282 info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
1286 switch (domain_res->count) {
1290 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
1293 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_UNIQUE;
1297 ldb_ret = ldb_search(sam_ctx, mem_ctx, &domain_res2,
1301 "(ncName=%s)", ldb_dn_get_linearized(domain_res->msgs[0]->dn));
1303 if (ldb_ret != LDB_SUCCESS) {
1304 DEBUG(2, ("DsCrackNameOneFilter domain ref search failed: %s\n", ldb_errstring(sam_ctx)));
1305 info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
1309 switch (domain_res2->count) {
1313 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
1316 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_UNIQUE;
1319 _dom = ldb_msg_find_attr_as_string(domain_res2->msgs[0], "nETBIOSName", NULL);
1320 W_ERROR_HAVE_NO_MEMORY(_dom);
1324 info1->result_name = talloc_asprintf(mem_ctx, "%s\\%s", _dom, _acc);
1325 W_ERROR_HAVE_NO_MEMORY(info1->result_name);
1327 info1->status = DRSUAPI_DS_NAME_STATUS_OK;
1330 case DRSUAPI_DS_NAME_FORMAT_GUID: {
1333 guid = samdb_result_guid(result, "objectGUID");
1335 info1->result_name = GUID_string2(mem_ctx, &guid);
1336 W_ERROR_HAVE_NO_MEMORY(info1->result_name);
1338 info1->status = DRSUAPI_DS_NAME_STATUS_OK;
1341 case DRSUAPI_DS_NAME_FORMAT_DISPLAY: {
1342 info1->result_name = ldb_msg_find_attr_as_string(result, "displayName", NULL);
1343 if (!info1->result_name) {
1344 info1->result_name = ldb_msg_find_attr_as_string(result, "sAMAccountName", NULL);
1346 if (!info1->result_name) {
1347 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
1349 info1->status = DRSUAPI_DS_NAME_STATUS_OK;
1353 case DRSUAPI_DS_NAME_FORMAT_SERVICE_PRINCIPAL: {
1354 struct ldb_message_element *el
1355 = ldb_msg_find_element(result,
1356 "servicePrincipalName");
1358 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
1360 } else if (el->num_values > 1) {
1361 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_UNIQUE;
1365 info1->result_name = ldb_msg_find_attr_as_string(result, "servicePrincipalName", NULL);
1366 if (!info1->result_name) {
1367 info1->status = DRSUAPI_DS_NAME_STATUS_NO_MAPPING;
1369 info1->status = DRSUAPI_DS_NAME_STATUS_OK;
1373 case DRSUAPI_DS_NAME_FORMAT_DNS_DOMAIN: {
1374 info1->dns_domain_name = NULL;
1375 info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
1378 case DRSUAPI_DS_NAME_FORMAT_SID_OR_SID_HISTORY: {
1379 const struct dom_sid *sid = samdb_result_dom_sid(mem_ctx, result, "objectSid");
1382 info1->status = DRSUAPI_DS_NAME_STATUS_NO_MAPPING;
1386 info1->result_name = dom_sid_string(mem_ctx, sid);
1387 W_ERROR_HAVE_NO_MEMORY(info1->result_name);
1389 info1->status = DRSUAPI_DS_NAME_STATUS_OK;
1392 case DRSUAPI_DS_NAME_FORMAT_USER_PRINCIPAL: {
1393 info1->result_name = ldb_msg_find_attr_as_string(result, "userPrincipalName", NULL);
1394 if (!info1->result_name) {
1395 info1->status = DRSUAPI_DS_NAME_STATUS_NO_MAPPING;
1397 info1->status = DRSUAPI_DS_NAME_STATUS_OK;
1402 info1->status = DRSUAPI_DS_NAME_STATUS_NO_MAPPING;
1407 /* Given a user Principal Name (such as foo@bar.com),
1408 * return the user and domain DNs. This is used in the KDC to then
1409 * return the Keys and evaluate policy */
1411 NTSTATUS crack_user_principal_name(struct ldb_context *sam_ctx,
1412 TALLOC_CTX *mem_ctx,
1413 const char *user_principal_name,
1414 struct ldb_dn **user_dn,
1415 struct ldb_dn **domain_dn)
1418 struct drsuapi_DsNameInfo1 info1;
1419 werr = DsCrackNameOneName(sam_ctx, mem_ctx, 0,
1420 DRSUAPI_DS_NAME_FORMAT_USER_PRINCIPAL,
1421 DRSUAPI_DS_NAME_FORMAT_FQDN_1779,
1422 user_principal_name,
1424 if (!W_ERROR_IS_OK(werr)) {
1425 return werror_to_ntstatus(werr);
1427 switch (info1.status) {
1428 case DRSUAPI_DS_NAME_STATUS_OK:
1430 case DRSUAPI_DS_NAME_STATUS_NOT_FOUND:
1431 case DRSUAPI_DS_NAME_STATUS_DOMAIN_ONLY:
1432 case DRSUAPI_DS_NAME_STATUS_NOT_UNIQUE:
1433 return NT_STATUS_NO_SUCH_USER;
1434 case DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR:
1436 return NT_STATUS_UNSUCCESSFUL;
1439 *user_dn = ldb_dn_new(mem_ctx, sam_ctx, info1.result_name);
1442 werr = DsCrackNameOneName(sam_ctx, mem_ctx, 0,
1443 DRSUAPI_DS_NAME_FORMAT_CANONICAL,
1444 DRSUAPI_DS_NAME_FORMAT_FQDN_1779,
1445 talloc_asprintf(mem_ctx, "%s/",
1446 info1.dns_domain_name),
1448 if (!W_ERROR_IS_OK(werr)) {
1449 return werror_to_ntstatus(werr);
1451 switch (info1.status) {
1452 case DRSUAPI_DS_NAME_STATUS_OK:
1454 case DRSUAPI_DS_NAME_STATUS_NOT_FOUND:
1455 case DRSUAPI_DS_NAME_STATUS_DOMAIN_ONLY:
1456 case DRSUAPI_DS_NAME_STATUS_NOT_UNIQUE:
1457 return NT_STATUS_NO_SUCH_USER;
1458 case DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR:
1460 return NT_STATUS_UNSUCCESSFUL;
1463 *domain_dn = ldb_dn_new(mem_ctx, sam_ctx, info1.result_name);
1466 return NT_STATUS_OK;
1469 /* Given a Service Principal Name (such as host/foo.bar.com@BAR.COM),
1470 * return the user and domain DNs. This is used in the KDC to then
1471 * return the Keys and evaluate policy */
1473 NTSTATUS crack_service_principal_name(struct ldb_context *sam_ctx,
1474 TALLOC_CTX *mem_ctx,
1475 const char *service_principal_name,
1476 struct ldb_dn **user_dn,
1477 struct ldb_dn **domain_dn)
1480 struct drsuapi_DsNameInfo1 info1;
1481 werr = DsCrackNameOneName(sam_ctx, mem_ctx, 0,
1482 DRSUAPI_DS_NAME_FORMAT_SERVICE_PRINCIPAL,
1483 DRSUAPI_DS_NAME_FORMAT_FQDN_1779,
1484 service_principal_name,
1486 if (!W_ERROR_IS_OK(werr)) {
1487 return werror_to_ntstatus(werr);
1489 switch (info1.status) {
1490 case DRSUAPI_DS_NAME_STATUS_OK:
1492 case DRSUAPI_DS_NAME_STATUS_NOT_FOUND:
1493 case DRSUAPI_DS_NAME_STATUS_DOMAIN_ONLY:
1494 case DRSUAPI_DS_NAME_STATUS_NOT_UNIQUE:
1495 return NT_STATUS_NO_SUCH_USER;
1496 case DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR:
1498 return NT_STATUS_UNSUCCESSFUL;
1501 *user_dn = ldb_dn_new(mem_ctx, sam_ctx, info1.result_name);
1504 werr = DsCrackNameOneName(sam_ctx, mem_ctx, 0,
1505 DRSUAPI_DS_NAME_FORMAT_CANONICAL,
1506 DRSUAPI_DS_NAME_FORMAT_FQDN_1779,
1507 talloc_asprintf(mem_ctx, "%s/",
1508 info1.dns_domain_name),
1510 if (!W_ERROR_IS_OK(werr)) {
1511 return werror_to_ntstatus(werr);
1513 switch (info1.status) {
1514 case DRSUAPI_DS_NAME_STATUS_OK:
1516 case DRSUAPI_DS_NAME_STATUS_NOT_FOUND:
1517 case DRSUAPI_DS_NAME_STATUS_DOMAIN_ONLY:
1518 case DRSUAPI_DS_NAME_STATUS_NOT_UNIQUE:
1519 return NT_STATUS_NO_SUCH_USER;
1520 case DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR:
1522 return NT_STATUS_UNSUCCESSFUL;
1525 *domain_dn = ldb_dn_new(mem_ctx, sam_ctx, info1.result_name);
1528 return NT_STATUS_OK;
1531 NTSTATUS crack_name_to_nt4_name(TALLOC_CTX *mem_ctx,
1532 struct ldb_context *ldb,
1533 enum drsuapi_DsNameFormat format_offered,
1535 const char **nt4_domain, const char **nt4_account)
1538 struct drsuapi_DsNameInfo1 info1;
1541 /* Handle anonymous bind */
1542 if (!name || !*name) {
1545 return NT_STATUS_OK;
1548 werr = DsCrackNameOneName(ldb, mem_ctx, 0,
1550 DRSUAPI_DS_NAME_FORMAT_NT4_ACCOUNT,
1553 if (!W_ERROR_IS_OK(werr)) {
1554 return werror_to_ntstatus(werr);
1556 switch (info1.status) {
1557 case DRSUAPI_DS_NAME_STATUS_OK:
1559 case DRSUAPI_DS_NAME_STATUS_NOT_FOUND:
1560 case DRSUAPI_DS_NAME_STATUS_DOMAIN_ONLY:
1561 case DRSUAPI_DS_NAME_STATUS_NOT_UNIQUE:
1562 return NT_STATUS_NO_SUCH_USER;
1563 case DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR:
1565 return NT_STATUS_UNSUCCESSFUL;
1568 *nt4_domain = talloc_strdup(mem_ctx, info1.result_name);
1569 if (*nt4_domain == NULL) {
1570 return NT_STATUS_NO_MEMORY;
1573 p = strchr(*nt4_domain, '\\');
1575 return NT_STATUS_INVALID_PARAMETER;
1579 *nt4_account = talloc_strdup(mem_ctx, &p[1]);
1580 if (*nt4_account == NULL) {
1581 return NT_STATUS_NO_MEMORY;
1584 return NT_STATUS_OK;
1587 NTSTATUS crack_auto_name_to_nt4_name(TALLOC_CTX *mem_ctx,
1588 struct ldb_context *ldb,
1590 const char **nt4_domain,
1591 const char **nt4_account)
1593 enum drsuapi_DsNameFormat format_offered = DRSUAPI_DS_NAME_FORMAT_UNKNOWN;
1595 /* Handle anonymous bind */
1596 if (!name || !*name) {
1599 return NT_STATUS_OK;
1603 * Here we only consider a subset of the possible name forms listed in
1604 * [MS-ADTS] 5.1.1.1.1, and we don't retry with a different name form if
1605 * the first attempt fails.
1608 if (strchr_m(name, '=')) {
1609 format_offered = DRSUAPI_DS_NAME_FORMAT_FQDN_1779;
1610 } else if (strchr_m(name, '@')) {
1611 format_offered = DRSUAPI_DS_NAME_FORMAT_USER_PRINCIPAL;
1612 } else if (strchr_m(name, '\\')) {
1613 format_offered = DRSUAPI_DS_NAME_FORMAT_NT4_ACCOUNT;
1614 } else if (strchr_m(name, '\n')) {
1615 format_offered = DRSUAPI_DS_NAME_FORMAT_CANONICAL_EX;
1616 } else if (strchr_m(name, '/')) {
1617 format_offered = DRSUAPI_DS_NAME_FORMAT_CANONICAL;
1618 } else if ((name[0] == 'S' || name[0] == 's') && name[1] == '-') {
1619 format_offered = DRSUAPI_DS_NAME_FORMAT_SID_OR_SID_HISTORY;
1621 return NT_STATUS_NO_SUCH_USER;
1624 return crack_name_to_nt4_name(mem_ctx, ldb, format_offered, name, nt4_domain, nt4_account);
1628 WERROR dcesrv_drsuapi_ListRoles(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
1629 const struct drsuapi_DsNameRequest1 *req1,
1630 struct drsuapi_DsNameCtr1 **ctr1)
1632 struct drsuapi_DsNameInfo1 *names;
1634 uint32_t count = 5;/*number of fsmo role owners we are going to return*/
1636 *ctr1 = talloc(mem_ctx, struct drsuapi_DsNameCtr1);
1637 W_ERROR_HAVE_NO_MEMORY(*ctr1);
1638 names = talloc_array(mem_ctx, struct drsuapi_DsNameInfo1, count);
1639 W_ERROR_HAVE_NO_MEMORY(names);
1641 for (i = 0; i < count; i++) {
1643 struct ldb_dn *role_owner_dn, *fsmo_role_dn, *server_dn;
1644 werr = dsdb_get_fsmo_role_info(mem_ctx, sam_ctx, i,
1645 &fsmo_role_dn, &role_owner_dn);
1646 if(!W_ERROR_IS_OK(werr)) {
1649 server_dn = ldb_dn_copy(mem_ctx, role_owner_dn);
1650 ldb_dn_remove_child_components(server_dn, 1);
1651 names[i].status = DRSUAPI_DS_NAME_STATUS_OK;
1652 names[i].dns_domain_name = samdb_dn_to_dnshostname(sam_ctx, mem_ctx,
1654 if(!names[i].dns_domain_name) {
1655 DEBUG(4, ("list_roles: Failed to find dNSHostName for server %s\n",
1656 ldb_dn_get_linearized(server_dn)));
1658 names[i].result_name = talloc_strdup(mem_ctx, ldb_dn_get_linearized(role_owner_dn));
1661 (*ctr1)->count = count;
1662 (*ctr1)->array = names;
1667 WERROR dcesrv_drsuapi_CrackNamesByNameFormat(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
1668 const struct drsuapi_DsNameRequest1 *req1,
1669 struct drsuapi_DsNameCtr1 **ctr1)
1671 struct drsuapi_DsNameInfo1 *names;
1675 *ctr1 = talloc_zero(mem_ctx, struct drsuapi_DsNameCtr1);
1676 W_ERROR_HAVE_NO_MEMORY(*ctr1);
1678 count = req1->count;
1679 names = talloc_array(mem_ctx, struct drsuapi_DsNameInfo1, count);
1680 W_ERROR_HAVE_NO_MEMORY(names);
1682 for (i=0; i < count; i++) {
1683 status = DsCrackNameOneName(sam_ctx, mem_ctx,
1685 req1->format_offered,
1686 req1->format_desired,
1689 if (!W_ERROR_IS_OK(status)) {
1694 (*ctr1)->count = count;
1695 (*ctr1)->array = names;
1700 WERROR dcesrv_drsuapi_ListInfoServer(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
1701 const struct drsuapi_DsNameRequest1 *req1,
1702 struct drsuapi_DsNameCtr1 **_ctr1)
1704 struct drsuapi_DsNameInfo1 *names;
1705 struct ldb_result *res;
1706 struct ldb_dn *server_dn, *dn;
1707 struct drsuapi_DsNameCtr1 *ctr1;
1710 const char *attrs[] = {
1718 ctr1 = talloc_zero(mem_ctx, struct drsuapi_DsNameCtr1);
1719 W_ERROR_HAVE_NO_MEMORY(ctr1);
1722 * No magic value here, we have to return 3 entries according to the
1726 names = talloc_zero_array(ctr1, struct drsuapi_DsNameInfo1,
1728 W_ERROR_HAVE_NO_MEMORY(names);
1729 ctr1->array = names;
1731 for (i=0; i < ctr1->count; i++) {
1732 names[i].status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
1736 if (req1->count != 1) {
1737 DEBUG(1, ("Expected a count of 1 for the ListInfoServer crackname \n"));
1741 if (req1->names[0].str == NULL) {
1745 server_dn = ldb_dn_new(mem_ctx, sam_ctx, req1->names[0].str);
1746 W_ERROR_HAVE_NO_MEMORY(server_dn);
1748 ret = ldb_search(sam_ctx, mem_ctx, &res, server_dn, LDB_SCOPE_ONELEVEL,
1749 NULL, "(objectClass=nTDSDSA)");
1751 if (ret != LDB_SUCCESS) {
1752 DEBUG(1, ("Search for objectClass=nTDSDSA "
1753 "returned less than 1 objects\n"));
1757 if (res->count != 1) {
1758 DEBUG(1, ("Search for objectClass=nTDSDSA "
1759 "returned less than 1 objects\n"));
1763 if (res->msgs[0]->dn) {
1764 names[0].result_name = ldb_dn_alloc_linearized(names, res->msgs[0]->dn);
1765 W_ERROR_HAVE_NO_MEMORY(names[0].result_name);
1766 names[0].status = DRSUAPI_DS_NAME_STATUS_OK;
1771 ret = ldb_search(sam_ctx, mem_ctx, &res, server_dn, LDB_SCOPE_BASE,
1772 attrs, "(objectClass=*)");
1773 if (ret != LDB_SUCCESS) {
1774 DEBUG(1, ("Search for objectClass=* on dn %s"
1775 "returned %s\n", req1->names[0].str,
1776 ldb_strerror(ret)));
1780 if (res->count != 1) {
1781 DEBUG(1, ("Search for objectClass=* on dn %s"
1782 "returned less than 1 objects\n", req1->names[0].str));
1786 str = ldb_msg_find_attr_as_string(res->msgs[0], "dNSHostName", NULL);
1788 names[1].result_name = talloc_strdup(names, str);
1789 W_ERROR_HAVE_NO_MEMORY(names[1].result_name);
1790 names[1].status = DRSUAPI_DS_NAME_STATUS_OK;
1793 dn = ldb_msg_find_attr_as_dn(sam_ctx, mem_ctx, res->msgs[0], "serverReference");
1795 names[2].result_name = ldb_dn_alloc_linearized(names, dn);
1796 W_ERROR_HAVE_NO_MEMORY(names[2].result_name);
1797 names[2].status = DRSUAPI_DS_NAME_STATUS_OK;
git.samba.org / samba.git / blob