This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
+ the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
*num_entries = 0;
*info = NULL;
+ if ( !winbindd_can_contact_domain( domain ) ) {
+ DEBUG(10,("query_user_list: No incoming trust for domain %s\n",
+ domain->name));
+ return NT_STATUS_OK;
+ }
+
result = cm_connect_sam(domain, mem_ctx, &cli, &dom_pol);
if (!NT_STATUS_IS_OK(result))
return result;
DEBUG(3,("rpc: enum_dom_groups\n"));
+ if ( !winbindd_can_contact_domain( domain ) ) {
+ DEBUG(10,("enum_domain_groups: No incoming trust for domain %s\n",
+ domain->name));
+ return NT_STATUS_OK;
+ }
+
status = cm_connect_sam(domain, mem_ctx, &cli, &dom_pol);
if (!NT_STATUS_IS_OK(status))
return status;
DEBUG(3,("rpc: enum_local_groups\n"));
+ if ( !winbindd_can_contact_domain( domain ) ) {
+ DEBUG(10,("enum_local_groups: No incoming trust for domain %s\n",
+ domain->name));
+ return NT_STATUS_OK;
+ }
+
result = cm_connect_sam(domain, mem_ctx, &cli, &dom_pol);
if (!NT_STATUS_IS_OK(result))
return result;
/* convert a single name to a sid in a domain */
NTSTATUS msrpc_name_to_sid(struct winbindd_domain *domain,
- TALLOC_CTX *mem_ctx,
- const char *domain_name,
- const char *name,
- DOM_SID *sid,
- enum SID_NAME_USE *type)
+ TALLOC_CTX *mem_ctx,
+ enum winbindd_cmd original_cmd,
+ const char *domain_name,
+ const char *name,
+ DOM_SID *sid,
+ enum lsa_SidType *type)
{
NTSTATUS result;
DOM_SID *sids = NULL;
- uint32 *types = NULL;
- const char *full_name;
+ enum lsa_SidType *types = NULL;
+ char *full_name = NULL;
struct rpc_pipe_client *cli;
POLICY_HND lsa_policy;
- if(name == NULL || *name=='\0') {
- DEBUG(3,("rpc: name_to_sid name=%s\n", domain_name));
- full_name = talloc_asprintf(mem_ctx, "%s", domain_name);
- } else {
- DEBUG(3,("rpc: name_to_sid name=%s\\%s\n", domain_name, name));
- full_name = talloc_asprintf(mem_ctx, "%s\\%s", domain_name, name);
- }
+ if (name == NULL || *name=='\0') {
+ full_name = talloc_asprintf(mem_ctx, "%s", domain_name);
+ } else if (domain_name == NULL || *domain_name == '\0') {
+ full_name = talloc_asprintf(mem_ctx, "%s", name);
+ } else {
+ full_name = talloc_asprintf(mem_ctx, "%s\\%s", domain_name, name);
+ }
if (!full_name) {
DEBUG(0, ("talloc_asprintf failed!\n"));
return NT_STATUS_NO_MEMORY;
}
- DEBUG(3,("name_to_sid [rpc] %s for domain %s\n", name?name:"", domain_name ));
+ DEBUG(3,("rpc: name_to_sid name=%s\n", full_name));
+
+ ws_name_return( full_name, WB_REPLACE_CHAR );
+
+ DEBUG(3,("name_to_sid [rpc] %s for domain %s\n", full_name?full_name:"", domain_name ));
result = cm_connect_lsa(domain, mem_ctx, &cli, &lsa_policy);
if (!NT_STATUS_IS_OK(result))
return result;
result = rpccli_lsa_lookup_names(cli, mem_ctx, &lsa_policy, 1,
- &full_name, &sids, &types);
+ (const char**) &full_name, NULL, 1, &sids, &types);
if (!NT_STATUS_IS_OK(result))
return result;
/* Return rid and type if lookup successful */
sid_copy(sid, &sids[0]);
- *type = (enum SID_NAME_USE)types[0];
+ *type = types[0];
return NT_STATUS_OK;
}
const DOM_SID *sid,
char **domain_name,
char **name,
- enum SID_NAME_USE *type)
+ enum lsa_SidType *type)
{
char **domains;
char **names;
- uint32 *types;
+ enum lsa_SidType *types;
NTSTATUS result;
struct rpc_pipe_client *cli;
POLICY_HND lsa_policy;
domain->name ));
result = cm_connect_lsa(domain, mem_ctx, &cli, &lsa_policy);
- if (!NT_STATUS_IS_OK(result))
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(2,("msrpc_sid_to_name: cm_connect_lsa() failed (%s)\n",
+ nt_errstr(result)));
return result;
+ }
+
result = rpccli_lsa_lookup_sids(cli, mem_ctx, &lsa_policy,
1, sid, &domains, &names, &types);
- if (!NT_STATUS_IS_OK(result))
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(2,("msrpc_sid_to_name: rpccli_lsa_lookup_sids() failed (%s)\n",
+ nt_errstr(result)));
return result;
+ }
- *type = (enum SID_NAME_USE)types[0];
+ *type = (enum lsa_SidType)types[0];
*domain_name = domains[0];
*name = names[0];
+
+ ws_name_replace( *name, WB_REPLACE_CHAR );
+
DEBUG(5,("Mapped sid to [%s]\\[%s]\n", domains[0], *name));
return NT_STATUS_OK;
}
+NTSTATUS msrpc_rids_to_names(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ const DOM_SID *sid,
+ uint32 *rids,
+ size_t num_rids,
+ char **domain_name,
+ char ***names,
+ enum lsa_SidType **types)
+{
+ char **domains;
+ NTSTATUS result;
+ struct rpc_pipe_client *cli;
+ POLICY_HND lsa_policy;
+ DOM_SID *sids;
+ size_t i;
+ char **ret_names;
+
+ DEBUG(3, ("rids_to_names [rpc] for domain %s\n", domain->name ));
+
+ if (num_rids) {
+ sids = TALLOC_ARRAY(mem_ctx, DOM_SID, num_rids);
+ if (sids == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ } else {
+ sids = NULL;
+ }
+
+ for (i=0; i<num_rids; i++) {
+ if (!sid_compose(&sids[i], sid, rids[i])) {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+ }
+
+ result = cm_connect_lsa(domain, mem_ctx, &cli, &lsa_policy);
+ if (!NT_STATUS_IS_OK(result)) {
+ return result;
+ }
+
+ result = rpccli_lsa_lookup_sids(cli, mem_ctx, &lsa_policy,
+ num_rids, sids, &domains,
+ names, types);
+ if (!NT_STATUS_IS_OK(result) &&
+ !NT_STATUS_EQUAL(result, STATUS_SOME_UNMAPPED)) {
+ return result;
+ }
+
+ ret_names = *names;
+ for (i=0; i<num_rids; i++) {
+ if ((*types)[i] != SID_NAME_UNKNOWN) {
+ ws_name_replace( ret_names[i], WB_REPLACE_CHAR );
+ *domain_name = domains[i];
+ }
+ }
+
+ return result;
+}
+
/* Lookup user information from a rid or username. */
static NTSTATUS query_user(struct winbindd_domain *domain,
TALLOC_CTX *mem_ctx,
NET_USER_INFO_3 *user;
struct rpc_pipe_client *cli;
- DEBUG(3,("rpc: query_user rid=%s\n",
+ DEBUG(3,("rpc: query_user sid=%s\n",
sid_to_string(sid_string, user_sid)));
if (!sid_peek_check_rid(&domain->sid, user_sid, &user_rid))
return NT_STATUS_UNSUCCESSFUL;
+ user_info->homedir = NULL;
+ user_info->shell = NULL;
+ user_info->primary_gid = (gid_t)-1;
+
/* try netsamlogon cache first */
if ( (user = netsamlogon_cache_get( mem_ctx, user_sid )) != NULL )
DEBUG(5,("query_user: Cache lookup succeeded for %s\n",
sid_string_static(user_sid)));
- sid_compose(&user_info->user_sid, &domain->sid, user_rid);
+ sid_compose(&user_info->user_sid, &domain->sid, user->user_rid);
sid_compose(&user_info->group_sid, &domain->sid,
user->group_rid);
user_info->full_name = unistr2_tdup(mem_ctx,
&user->uni_full_name);
- user_info->homedir = NULL;
- user_info->shell = NULL;
+ TALLOC_FREE(user);
- SAFE_FREE(user);
+ return NT_STATUS_OK;
+ }
+ if ( !winbindd_can_contact_domain( domain ) ) {
+ DEBUG(10,("query_user: No incoming trust for domain %s\n",
+ domain->name));
+ return NT_STATUS_OK;
+ }
+
+ if ( !winbindd_can_contact_domain( domain ) ) {
+ DEBUG(10,("query_user: No incoming trust for domain %s\n",
+ domain->name));
return NT_STATUS_OK;
}
&ctr->info.id21->uni_full_name);
user_info->homedir = NULL;
user_info->shell = NULL;
+ user_info->primary_gid = (gid_t)-1;
return NT_STATUS_OK;
}
unsigned int i;
fstring sid_string;
uint32 user_rid;
- NET_USER_INFO_3 *user;
struct rpc_pipe_client *cli;
DEBUG(3,("rpc: lookup_usergroups sid=%s\n",
*user_grpsids = NULL;
/* so lets see if we have a cached user_info_3 */
-
- if ( (user = netsamlogon_cache_get( mem_ctx, user_sid )) != NULL )
- {
- DEBUG(5,("query_user: Cache lookup succeeded for %s\n",
- sid_string_static(user_sid)));
-
- *num_groups = user->num_groups;
-
- (*user_grpsids) = TALLOC_ARRAY(mem_ctx, DOM_SID, *num_groups);
- for (i=0;i<(*num_groups);i++) {
- sid_copy(&((*user_grpsids)[i]), &domain->sid);
- sid_append_rid(&((*user_grpsids)[i]),
- user->gids[i].g_rid);
- }
-
- SAFE_FREE(user);
-
+ result = lookup_usergroups_cached(domain, mem_ctx, user_sid,
+ num_groups, user_grpsids);
+
+ if (NT_STATUS_IS_OK(result)) {
return NT_STATUS_OK;
}
+ if ( !winbindd_can_contact_domain( domain ) ) {
+ DEBUG(10,("lookup_usergroups: No incoming trust for domain %s\n",
+ domain->name));
+
+ /* Tell the cache manager not to remember this one */
+
+ return NT_STATUS_SYNCHRONIZATION_REQUIRED;
+ }
+
/* no cache; hit the wire */
result = cm_connect_sam(domain, mem_ctx, &cli, &dom_pol);
{
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
POLICY_HND dom_pol;
- DOM_SID2 *sid2;
+ DOM_SID2 *query_sids;
+ uint32 num_query_sids = 0;
int i;
struct rpc_pipe_client *cli;
+ uint32 *alias_rids_query, num_aliases_query;
+ int rangesize = MAX_SAM_ENTRIES_W2K;
+ uint32 total_sids = 0;
+ int num_queries = 1;
*num_aliases = 0;
*alias_rids = NULL;
DEBUG(3,("rpc: lookup_useraliases\n"));
+ if ( !winbindd_can_contact_domain( domain ) ) {
+ DEBUG(10,("msrpc_lookup_useraliases: No incoming trust for domain %s\n",
+ domain->name));
+ return NT_STATUS_OK;
+ }
+
result = cm_connect_sam(domain, mem_ctx, &cli, &dom_pol);
if (!NT_STATUS_IS_OK(result))
return result;
- sid2 = TALLOC_ARRAY(mem_ctx, DOM_SID2, num_sids);
+ do {
+ /* prepare query */
- if (sid2 == NULL)
- return NT_STATUS_NO_MEMORY;
+ num_query_sids = MIN(num_sids - total_sids, rangesize);
- for (i=0; i<num_sids; i++) {
- sid_copy(&sid2[i].sid, &sids[i]);
- sid2[i].num_auths = sid2[i].sid.num_auths;
- }
+ DEBUG(10,("rpc: lookup_useraliases: entering query %d for %d sids\n",
+ num_queries, num_query_sids));
+
+ if (num_query_sids) {
+ query_sids = TALLOC_ARRAY(mem_ctx, DOM_SID2, num_query_sids);
+ if (query_sids == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ } else {
+ query_sids = NULL;
+ }
+
+ for (i=0; i<num_query_sids; i++) {
+ sid_copy(&query_sids[i].sid, &sids[total_sids++]);
+ query_sids[i].num_auths = query_sids[i].sid.num_auths;
+ }
- result = rpccli_samr_query_useraliases(cli, mem_ctx, &dom_pol,
- num_sids, sid2,
- num_aliases, alias_rids);
+ /* do request */
+
+ result = rpccli_samr_query_useraliases(cli, mem_ctx, &dom_pol,
+ num_query_sids, query_sids,
+ &num_aliases_query,
+ &alias_rids_query);
+
+ if (!NT_STATUS_IS_OK(result)) {
+ *num_aliases = 0;
+ *alias_rids = NULL;
+ TALLOC_FREE(query_sids);
+ goto done;
+ }
+
+ /* process output */
+
+ for (i=0; i<num_aliases_query; i++) {
+ size_t na = *num_aliases;
+ if (!add_rid_to_array_unique(mem_ctx, alias_rids_query[i],
+ alias_rids, &na)) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ *num_aliases = na;
+ }
+
+ TALLOC_FREE(query_sids);
+
+ num_queries++;
+
+ } while (total_sids < num_sids);
+
+ done:
+ DEBUG(10,("rpc: lookup_useraliases: got %d aliases in %d queries "
+ "(rangesize: %d)\n", *num_aliases, num_queries, rangesize));
return result;
}
unsigned int j;
fstring sid_string;
struct rpc_pipe_client *cli;
+ unsigned int orig_timeout;
DEBUG(10,("rpc: lookup_groupmem %s sid=%s\n", domain->name,
sid_to_string(sid_string, group_sid)));
+ if ( !winbindd_can_contact_domain( domain ) ) {
+ DEBUG(10,("lookup_groupmem: No incoming trust for domain %s\n",
+ domain->name));
+ return NT_STATUS_OK;
+ }
+
if (!sid_peek_check_rid(&domain->sid, group_sid, &group_rid))
return NT_STATUS_UNSUCCESSFUL;
/* Step #1: Get a list of user rids that are the members of the
group. */
+ /* This call can take a long time - allow the server to time out.
+ 35 seconds should do it. */
+
+ orig_timeout = cli_set_timeout(cli->cli, 35000);
+
result = rpccli_samr_query_groupmem(cli, mem_ctx,
&group_pol, num_names, &rid_mem,
name_types);
+ /* And restore our original timeout. */
+ cli_set_timeout(cli->cli, orig_timeout);
+
rpccli_samr_close(cli, mem_ctx, &group_pol);
if (!NT_STATUS_IS_OK(result))
/**********************************************************************
Get the sequence number for a Windows AD native mode domain using
- LDAP queries
+ LDAP queries.
**********************************************************************/
-static int get_ldap_sequence_number( const char* domain, uint32 *seq)
+static int get_ldap_sequence_number(struct winbindd_domain *domain, uint32 *seq)
{
int ret = -1;
- int i, port = LDAP_PORT;
- struct ip_service *ip_list = NULL;
- int count;
-
- if ( !get_sorted_dc_list(domain, &ip_list, &count, False) ) {
- DEBUG(3, ("Could not look up dc's for domain %s\n", domain));
- return False;
- }
-
- /* Finally return first DC that we can contact */
-
- for (i = 0; i < count; i++) {
- fstring ipstr;
-
- /* since the is an LDAP lookup, default to the LDAP_PORT is
- * not set */
- port = (ip_list[i].port!= PORT_NONE) ?
- ip_list[i].port : LDAP_PORT;
+ fstring ipstr;
- fstrcpy( ipstr, inet_ntoa(ip_list[i].ip) );
-
- if (is_zero_ip(ip_list[i].ip))
- continue;
-
- if ( (ret = get_ldap_seq( ipstr, port, seq)) == 0 )
- goto done;
-
- /* add to failed connection cache */
- add_failed_connection_entry( domain, ipstr,
- NT_STATUS_UNSUCCESSFUL );
- }
-
-done:
- if ( ret == 0 ) {
+ fstrcpy( ipstr, inet_ntoa(domain->dcaddr.sin_addr));
+ if ((ret = get_ldap_seq( ipstr, LDAP_PORT, seq)) == 0) {
DEBUG(3, ("get_ldap_sequence_number: Retrieved sequence "
- "number for Domain (%s) from DC (%s:%d)\n",
- domain, inet_ntoa(ip_list[i].ip), port));
- }
-
- SAFE_FREE(ip_list);
-
+ "number for Domain (%s) from DC (%s)\n",
+ domain->name, ipstr));
+ }
return ret;
}
NTSTATUS result;
POLICY_HND dom_pol;
BOOL got_seq_num = False;
- int retry;
struct rpc_pipe_client *cli;
DEBUG(10,("rpc: fetch sequence_number for %s\n", domain->name));
+ if ( !winbindd_can_contact_domain( domain ) ) {
+ DEBUG(10,("sequence_number: No incoming trust for domain %s\n",
+ domain->name));
+ *seq = time(NULL);
+ return NT_STATUS_OK;
+ }
+
*seq = DOM_SEQUENCE_NONE;
if (!(mem_ctx = talloc_init("sequence_number[rpc]")))
return NT_STATUS_NO_MEMORY;
- retry = 0;
-
#ifdef HAVE_LDAP
- if ( domain->native_mode )
+ if ( domain->active_directory )
{
int res;
DEBUG(8,("using get_ldap_seq() to retrieve the "
"sequence number\n"));
- res = get_ldap_sequence_number( domain->name, seq );
+ res = get_ldap_sequence_number( domain, seq );
if (res == 0)
{
result = NT_STATUS_OK;
result = rpccli_samr_query_dom_info(cli, mem_ctx, &dom_pol, 8, &ctr);
if (NT_STATUS_IS_OK(result)) {
- *seq = ctr.info.inf8.seq_num.low;
+ *seq = ctr.info.inf8.seq_num;
got_seq_num = True;
goto seq_num;
}
result = rpccli_samr_query_dom_info(cli, mem_ctx, &dom_pol, 2, &ctr);
if (NT_STATUS_IS_OK(result)) {
- *seq = ctr.info.inf2.seq_num.low;
+ *seq = ctr.info.inf2.seq_num;
got_seq_num = True;
}
return result;
}
+/* find the lockout policy for a domain */
+NTSTATUS msrpc_lockout_policy(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ SAM_UNK_INFO_12 *lockout_policy)
+{
+ NTSTATUS result;
+ struct rpc_pipe_client *cli;
+ POLICY_HND dom_pol;
+ SAM_UNK_CTR ctr;
+
+ DEBUG(10,("rpc: fetch lockout policy for %s\n", domain->name));
+
+ if ( !winbindd_can_contact_domain( domain ) ) {
+ DEBUG(10,("msrpc_lockout_policy: No incoming trust for domain %s\n",
+ domain->name));
+ return NT_STATUS_NOT_SUPPORTED;
+ }
+
+ result = cm_connect_sam(domain, mem_ctx, &cli, &dom_pol);
+ if (!NT_STATUS_IS_OK(result)) {
+ goto done;
+ }
+
+ result = rpccli_samr_query_dom_info(cli, mem_ctx, &dom_pol, 12, &ctr);
+ if (!NT_STATUS_IS_OK(result)) {
+ goto done;
+ }
+
+ *lockout_policy = ctr.info.inf12;
+
+ DEBUG(10,("msrpc_lockout_policy: bad_attempt_lockout %d\n",
+ ctr.info.inf12.bad_attempt_lockout));
+
+ done:
+
+ return result;
+}
+
+/* find the password policy for a domain */
+NTSTATUS msrpc_password_policy(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ SAM_UNK_INFO_1 *password_policy)
+{
+ NTSTATUS result;
+ struct rpc_pipe_client *cli;
+ POLICY_HND dom_pol;
+ SAM_UNK_CTR ctr;
+
+ DEBUG(10,("rpc: fetch password policy for %s\n", domain->name));
+
+ if ( !winbindd_can_contact_domain( domain ) ) {
+ DEBUG(10,("msrpc_password_policy: No incoming trust for domain %s\n",
+ domain->name));
+ return NT_STATUS_NOT_SUPPORTED;
+ }
+
+ result = cm_connect_sam(domain, mem_ctx, &cli, &dom_pol);
+ if (!NT_STATUS_IS_OK(result)) {
+ goto done;
+ }
+
+ result = rpccli_samr_query_dom_info(cli, mem_ctx, &dom_pol, 1, &ctr);
+ if (!NT_STATUS_IS_OK(result)) {
+ goto done;
+ }
+
+ *password_policy = ctr.info.inf1;
+
+ DEBUG(10,("msrpc_password_policy: min_length_password %d\n",
+ ctr.info.inf1.min_length_password));
+
+ done:
+
+ return result;
+}
+
+
/* the rpc backend methods are exposed via this structure */
struct winbindd_methods msrpc_methods = {
False,
enum_local_groups,
msrpc_name_to_sid,
msrpc_sid_to_name,
+ msrpc_rids_to_names,
query_user,
lookup_usergroups,
msrpc_lookup_useraliases,
lookup_groupmem,
sequence_number,
+ msrpc_lockout_policy,
+ msrpc_password_policy,
trusted_domains,
};