2 * idmap_ad: map between Active Directory and RFC 2307 or "Services for Unix" (SFU) Accounts
4 * Unix SMB/CIFS implementation.
6 * Winbind ADS backend functions
8 * Copyright (C) Andrew Tridgell 2001
9 * Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003
10 * Copyright (C) Gerald (Jerry) Carter 2004-2007
11 * Copyright (C) Luke Howard 2001-2004
13 * This program is free software; you can redistribute it and/or modify
14 * it under the terms of the GNU General Public License as published by
15 * the Free Software Foundation; either version 3 of the License, or
16 * (at your option) any later version.
18 * This program is distributed in the hope that it will be useful,
19 * but WITHOUT ANY WARRANTY; without even the implied warranty of
20 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21 * GNU General Public License for more details.
23 * You should have received a copy of the GNU General Public License
24 * along with this program; if not, see <http://www.gnu.org/licenses/>.
30 #define DBGC_CLASS DBGC_IDMAP
32 #define WINBIND_CCACHE_NAME "MEMORY:winbind_ccache"
34 #define IDMAP_AD_MAX_IDS 30
35 #define CHECK_ALLOC_DONE(mem) do { \
37 DEBUG(0, ("Out of memory!\n")); \
38 ret = NT_STATUS_NO_MEMORY; \
43 struct idmap_ad_context {
44 uint32_t filter_low_id;
45 uint32_t filter_high_id;
48 NTSTATUS init_module(void);
50 static ADS_STRUCT *ad_idmap_ads = NULL;
51 static struct posix_schema *ad_schema = NULL;
52 static enum wb_posix_mapping ad_map_type = WB_POSIX_MAP_UNKNOWN;
54 /************************************************************************
55 ***********************************************************************/
57 static ADS_STRUCT *ad_idmap_cached_connection_internal(void)
63 struct sockaddr_storage dc_ip;
65 if (ad_idmap_ads != NULL) {
68 time_t now = time(NULL);
72 expire = MIN(ads->auth.tgt_expire, ads->auth.tgs_expire);
74 /* check for a valid structure */
75 DEBUG(7, ("Current tickets expire in %d seconds (at %d, time is now %d)\n",
76 (uint32)expire-(uint32)now, (uint32) expire, (uint32) now));
78 if ( ads->config.realm && (expire > time(NULL))) {
81 /* we own this ADS_STRUCT so make sure it goes away */
82 DEBUG(7,("Deleting expired krb5 credential cache\n"));
85 ads_kdestroy(WINBIND_CCACHE_NAME);
87 TALLOC_FREE( ad_schema );
92 /* we don't want this to affect the users ccache */
93 setenv("KRB5CCNAME", WINBIND_CCACHE_NAME, 1);
96 if ( (ads = ads_init(lp_realm(), lp_workgroup(), NULL)) == NULL ) {
97 DEBUG(1,("ads_init failed\n"));
101 /* the machine acct password might have change - fetch it every time */
102 SAFE_FREE(ads->auth.password);
103 ads->auth.password = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
105 SAFE_FREE(ads->auth.realm);
106 ads->auth.realm = SMB_STRDUP(lp_realm());
108 /* setup server affinity */
110 get_dc_name( NULL, ads->auth.realm, dc_name, &dc_ip );
112 status = ads_connect(ads);
113 if (!ADS_ERR_OK(status)) {
114 DEBUG(1, ("ad_idmap_init: failed to connect to AD\n"));
119 ads->is_mine = False;
126 /************************************************************************
127 ***********************************************************************/
129 static ADS_STRUCT *ad_idmap_cached_connection(void)
131 ADS_STRUCT *ads = ad_idmap_cached_connection_internal();
136 /* if we have a valid ADS_STRUCT and the schema model is
137 defined, then we can return here. */
142 /* Otherwise, set the schema model */
144 if ( (ad_map_type == WB_POSIX_MAP_SFU) ||
145 (ad_map_type == WB_POSIX_MAP_SFU20) ||
146 (ad_map_type == WB_POSIX_MAP_RFC2307) )
148 ADS_STATUS schema_status;
150 schema_status = ads_check_posix_schema_mapping( NULL, ads, ad_map_type, &ad_schema);
151 if ( !ADS_ERR_OK(schema_status) ) {
152 DEBUG(2,("ad_idmap_cached_connection: Failed to obtain schema details!\n"));
160 /************************************************************************
161 ***********************************************************************/
163 static NTSTATUS idmap_ad_initialize(struct idmap_domain *dom,
166 struct idmap_ad_context *ctx;
168 const char *range = NULL;
169 const char *schema_mode = NULL;
171 if ( (ctx = TALLOC_ZERO_P(dom, struct idmap_ad_context)) == NULL ) {
172 DEBUG(0, ("Out of memory!\n"));
173 return NT_STATUS_NO_MEMORY;
176 if ( (config_option = talloc_asprintf(ctx, "idmap config %s", dom->name)) == NULL ) {
177 DEBUG(0, ("Out of memory!\n"));
179 return NT_STATUS_NO_MEMORY;
183 range = lp_parm_const_string(-1, config_option, "range", NULL);
184 if (range && range[0]) {
185 if ((sscanf(range, "%u - %u", &ctx->filter_low_id, &ctx->filter_high_id) != 2) ||
186 (ctx->filter_low_id > ctx->filter_high_id)) {
187 DEBUG(1, ("ERROR: invalid filter range [%s]", range));
188 ctx->filter_low_id = 0;
189 ctx->filter_high_id = 0;
194 if ( ad_map_type == WB_POSIX_MAP_UNKNOWN )
195 ad_map_type = WB_POSIX_MAP_RFC2307;
196 schema_mode = lp_parm_const_string(-1, config_option, "schema_mode", NULL);
197 if ( schema_mode && schema_mode[0] ) {
198 if ( strequal(schema_mode, "sfu") )
199 ad_map_type = WB_POSIX_MAP_SFU;
200 else if ( strequal(schema_mode, "sfu20" ) )
201 ad_map_type = WB_POSIX_MAP_SFU20;
202 else if ( strequal(schema_mode, "rfc2307" ) )
203 ad_map_type = WB_POSIX_MAP_RFC2307;
205 DEBUG(0,("idmap_ad_initialize: Unknown schema_mode (%s)\n",
209 dom->private_data = ctx;
211 talloc_free(config_option);
216 /************************************************************************
217 Search up to IDMAP_AD_MAX_IDS entries in maps for a match.
218 ***********************************************************************/
220 static struct id_map *find_map_by_id(struct id_map **maps, enum id_type type, uint32_t id)
224 for (i = 0; maps[i] && i<IDMAP_AD_MAX_IDS; i++) {
225 if ((maps[i]->xid.type == type) && (maps[i]->xid.id == id)) {
233 /************************************************************************
234 Search up to IDMAP_AD_MAX_IDS entries in maps for a match
235 ***********************************************************************/
237 static struct id_map *find_map_by_sid(struct id_map **maps, DOM_SID *sid)
241 for (i = 0; maps[i] && i<IDMAP_AD_MAX_IDS; i++) {
242 if (sid_equal(maps[i]->sid, sid)) {
250 /************************************************************************
251 ***********************************************************************/
253 static NTSTATUS idmap_ad_unixids_to_sids(struct idmap_domain *dom, struct id_map **ids)
257 struct idmap_ad_context *ctx;
260 const char *attrs[] = { "sAMAccountType",
262 NULL, /* uidnumber */
263 NULL, /* gidnumber */
265 LDAPMessage *res = NULL;
266 LDAPMessage *entry = NULL;
272 char *u_filter = NULL;
273 char *g_filter = NULL;
275 /* Only do query if we are online */
276 if (idmap_is_offline()) {
277 return NT_STATUS_FILE_IS_OFFLINE;
280 ctx = talloc_get_type(dom->private_data, struct idmap_ad_context);
282 if ( (memctx = talloc_new(ctx)) == NULL ) {
283 DEBUG(0, ("Out of memory!\n"));
284 return NT_STATUS_NO_MEMORY;
287 if ( (ads = ad_idmap_cached_connection()) == NULL ) {
288 DEBUG(1, ("ADS uninitialized\n"));
289 ret = NT_STATUS_UNSUCCESSFUL;
293 attrs[2] = ad_schema->posix_uidnumber_attr;
294 attrs[3] = ad_schema->posix_gidnumber_attr;
298 for (i = 0; (i < IDMAP_AD_MAX_IDS) && ids[idx]; i++, idx++) {
299 switch (ids[idx]->xid.type) {
302 u_filter = talloc_asprintf(memctx, "(&(|"
303 "(sAMAccountType=%d)"
304 "(sAMAccountType=%d)"
305 "(sAMAccountType=%d))(|",
306 ATYPE_NORMAL_ACCOUNT,
307 ATYPE_WORKSTATION_TRUST,
308 ATYPE_INTERDOMAIN_TRUST);
310 u_filter = talloc_asprintf_append_buffer(u_filter, "(%s=%lu)",
311 ad_schema->posix_uidnumber_attr,
312 (unsigned long)ids[idx]->xid.id);
313 CHECK_ALLOC_DONE(u_filter);
318 g_filter = talloc_asprintf(memctx, "(&(|"
319 "(sAMAccountType=%d)"
320 "(sAMAccountType=%d))(|",
321 ATYPE_SECURITY_GLOBAL_GROUP,
322 ATYPE_SECURITY_LOCAL_GROUP);
324 g_filter = talloc_asprintf_append_buffer(g_filter, "(%s=%lu)",
325 ad_schema->posix_gidnumber_attr,
326 (unsigned long)ids[idx]->xid.id);
327 CHECK_ALLOC_DONE(g_filter);
331 DEBUG(3, ("Error: mapping requested but Unknown ID type\n"));
332 ids[idx]->status = ID_UNKNOWN;
336 filter = talloc_asprintf(memctx, "(|");
337 CHECK_ALLOC_DONE(filter);
339 filter = talloc_asprintf_append_buffer(filter, "%s))", u_filter);
340 CHECK_ALLOC_DONE(filter);
341 TALLOC_FREE(u_filter);
344 filter = talloc_asprintf_append_buffer(filter, "%s))", g_filter);
345 CHECK_ALLOC_DONE(filter);
346 TALLOC_FREE(g_filter);
348 filter = talloc_asprintf_append_buffer(filter, ")");
349 CHECK_ALLOC_DONE(filter);
351 rc = ads_search_retry(ads, &res, filter, attrs);
352 if (!ADS_ERR_OK(rc)) {
353 DEBUG(1, ("ERROR: ads search returned: %s\n", ads_errstr(rc)));
354 ret = NT_STATUS_UNSUCCESSFUL;
358 if ( (count = ads_count_replies(ads, res)) == 0 ) {
359 DEBUG(10, ("No IDs found\n"));
363 for (i = 0; (i < count) && entry; i++) {
370 if (i == 0) { /* first entry */
371 entry = ads_first_entry(ads, entry);
372 } else { /* following ones */
373 entry = ads_next_entry(ads, entry);
377 DEBUG(2, ("ERROR: Unable to fetch ldap entries from results\n"));
381 /* first check if the SID is present */
382 if (!ads_pull_sid(ads, entry, "objectSid", &sid)) {
383 DEBUG(2, ("Could not retrieve SID from entry\n"));
388 if (!ads_pull_uint32(ads, entry, "sAMAccountType", &atype)) {
389 DEBUG(1, ("could not get SAM account type\n"));
393 switch (atype & 0xF0000000) {
394 case ATYPE_SECURITY_GLOBAL_GROUP:
395 case ATYPE_SECURITY_LOCAL_GROUP:
398 case ATYPE_NORMAL_ACCOUNT:
399 case ATYPE_WORKSTATION_TRUST:
400 case ATYPE_INTERDOMAIN_TRUST:
404 DEBUG(1, ("unrecognized SAM account type %08x\n", atype));
408 if (!ads_pull_uint32(ads, entry, (type==ID_TYPE_UID) ?
409 ad_schema->posix_uidnumber_attr :
410 ad_schema->posix_gidnumber_attr,
413 DEBUG(1, ("Could not get unix ID\n"));
418 (ctx->filter_low_id && (id < ctx->filter_low_id)) ||
419 (ctx->filter_high_id && (id > ctx->filter_high_id))) {
420 DEBUG(5, ("Requested id (%u) out of range (%u - %u). Filtered!\n",
421 id, ctx->filter_low_id, ctx->filter_high_id));
425 map = find_map_by_id(&ids[bidx], type, id);
427 DEBUG(2, ("WARNING: couldn't match result with requested ID\n"));
431 sid_copy(map->sid, &sid);
434 map->status = ID_MAPPED;
436 DEBUG(10, ("Mapped %s -> %lu (%d)\n", sid_string_dbg(map->sid),
437 (unsigned long)map->xid.id,
442 ads_msgfree(ads, res);
445 if (ids[idx]) { /* still some values to map */
451 /* mark all unknown/expired ones as unmapped */
452 for (i = 0; ids[i]; i++) {
453 if (ids[i]->status != ID_MAPPED)
454 ids[i]->status = ID_UNMAPPED;
462 /************************************************************************
463 ***********************************************************************/
465 static NTSTATUS idmap_ad_sids_to_unixids(struct idmap_domain *dom, struct id_map **ids)
469 struct idmap_ad_context *ctx;
472 const char *attrs[] = { "sAMAccountType",
474 NULL, /* attr_uidnumber */
475 NULL, /* attr_gidnumber */
477 LDAPMessage *res = NULL;
478 LDAPMessage *entry = NULL;
486 /* Only do query if we are online */
487 if (idmap_is_offline()) {
488 return NT_STATUS_FILE_IS_OFFLINE;
491 ctx = talloc_get_type(dom->private_data, struct idmap_ad_context);
493 if ( (memctx = talloc_new(ctx)) == NULL ) {
494 DEBUG(0, ("Out of memory!\n"));
495 return NT_STATUS_NO_MEMORY;
498 if ( (ads = ad_idmap_cached_connection()) == NULL ) {
499 DEBUG(1, ("ADS uninitialized\n"));
500 ret = NT_STATUS_UNSUCCESSFUL;
504 attrs[2] = ad_schema->posix_uidnumber_attr;
505 attrs[3] = ad_schema->posix_gidnumber_attr;
508 filter = talloc_asprintf(memctx, "(&(|"
509 "(sAMAccountType=%d)(sAMAccountType=%d)(sAMAccountType=%d)" /* user account types */
510 "(sAMAccountType=%d)(sAMAccountType=%d)" /* group account types */
512 ATYPE_NORMAL_ACCOUNT, ATYPE_WORKSTATION_TRUST, ATYPE_INTERDOMAIN_TRUST,
513 ATYPE_SECURITY_GLOBAL_GROUP, ATYPE_SECURITY_LOCAL_GROUP);
515 CHECK_ALLOC_DONE(filter);
518 for (i = 0; (i < IDMAP_AD_MAX_IDS) && ids[idx]; i++, idx++) {
520 ids[idx]->status = ID_UNKNOWN;
522 sidstr = sid_binstring(ids[idx]->sid);
523 filter = talloc_asprintf_append_buffer(filter, "(objectSid=%s)", sidstr);
526 CHECK_ALLOC_DONE(filter);
528 filter = talloc_asprintf_append_buffer(filter, "))");
529 CHECK_ALLOC_DONE(filter);
530 DEBUG(10, ("Filter: [%s]\n", filter));
532 rc = ads_search_retry(ads, &res, filter, attrs);
533 if (!ADS_ERR_OK(rc)) {
534 DEBUG(1, ("ERROR: ads search returned: %s\n", ads_errstr(rc)));
535 ret = NT_STATUS_UNSUCCESSFUL;
539 if ( (count = ads_count_replies(ads, res)) == 0 ) {
540 DEBUG(10, ("No IDs found\n"));
544 for (i = 0; (i < count) && entry; i++) {
551 if (i == 0) { /* first entry */
552 entry = ads_first_entry(ads, entry);
553 } else { /* following ones */
554 entry = ads_next_entry(ads, entry);
558 DEBUG(2, ("ERROR: Unable to fetch ldap entries from results\n"));
562 /* first check if the SID is present */
563 if (!ads_pull_sid(ads, entry, "objectSid", &sid)) {
564 DEBUG(2, ("Could not retrieve SID from entry\n"));
568 map = find_map_by_sid(&ids[bidx], &sid);
570 DEBUG(2, ("WARNING: couldn't match result with requested SID\n"));
575 if (!ads_pull_uint32(ads, entry, "sAMAccountType", &atype)) {
576 DEBUG(1, ("could not get SAM account type\n"));
580 switch (atype & 0xF0000000) {
581 case ATYPE_SECURITY_GLOBAL_GROUP:
582 case ATYPE_SECURITY_LOCAL_GROUP:
585 case ATYPE_NORMAL_ACCOUNT:
586 case ATYPE_WORKSTATION_TRUST:
587 case ATYPE_INTERDOMAIN_TRUST:
591 DEBUG(1, ("unrecognized SAM account type %08x\n", atype));
595 if (!ads_pull_uint32(ads, entry, (type==ID_TYPE_UID) ?
596 ad_schema->posix_uidnumber_attr :
597 ad_schema->posix_gidnumber_attr,
600 DEBUG(1, ("Could not get unix ID\n"));
604 (ctx->filter_low_id && (id < ctx->filter_low_id)) ||
605 (ctx->filter_high_id && (id > ctx->filter_high_id))) {
606 DEBUG(5, ("Requested id (%u) out of range (%u - %u). Filtered!\n",
607 id, ctx->filter_low_id, ctx->filter_high_id));
612 map->xid.type = type;
614 map->status = ID_MAPPED;
616 DEBUG(10, ("Mapped %s -> %lu (%d)\n", sid_string_dbg(map->sid),
617 (unsigned long)map->xid.id,
622 ads_msgfree(ads, res);
625 if (ids[idx]) { /* still some values to map */
631 /* mark all unknwoni/expired ones as unmapped */
632 for (i = 0; ids[i]; i++) {
633 if (ids[i]->status != ID_MAPPED)
634 ids[i]->status = ID_UNMAPPED;
642 /************************************************************************
643 ***********************************************************************/
645 static NTSTATUS idmap_ad_close(struct idmap_domain *dom)
647 ADS_STRUCT *ads = ad_idmap_ads;
650 /* we own this ADS_STRUCT so make sure it goes away */
656 TALLOC_FREE( ad_schema );
662 * nss_info_{sfu,sfu20,rfc2307}
665 /************************************************************************
666 Initialize the {sfu,sfu20,rfc2307} state
667 ***********************************************************************/
669 static NTSTATUS nss_sfu_init( struct nss_domain_entry *e )
671 /* Sanity check if we have previously been called with a
672 different schema model */
674 if ( (ad_map_type != WB_POSIX_MAP_UNKNOWN) &&
675 (ad_map_type != WB_POSIX_MAP_SFU) )
677 DEBUG(0,("nss_sfu_init: Posix Map type has already been set. "
678 "Mixed schema models not supported!\n"));
679 return NT_STATUS_NOT_SUPPORTED;
682 ad_map_type = WB_POSIX_MAP_SFU;
687 static NTSTATUS nss_sfu20_init( struct nss_domain_entry *e )
689 /* Sanity check if we have previously been called with a
690 different schema model */
692 if ( (ad_map_type != WB_POSIX_MAP_UNKNOWN) &&
693 (ad_map_type != WB_POSIX_MAP_SFU20) )
695 DEBUG(0,("nss_sfu20_init: Posix Map type has already been set. "
696 "Mixed schema models not supported!\n"));
697 return NT_STATUS_NOT_SUPPORTED;
700 ad_map_type = WB_POSIX_MAP_SFU20;
705 static NTSTATUS nss_rfc2307_init( struct nss_domain_entry *e )
707 /* Sanity check if we have previously been called with a
708 different schema model */
710 if ( (ad_map_type != WB_POSIX_MAP_UNKNOWN) &&
711 (ad_map_type != WB_POSIX_MAP_RFC2307) )
713 DEBUG(0,("nss_rfc2307_init: Posix Map type has already been set. "
714 "Mixed schema models not supported!\n"));
715 return NT_STATUS_NOT_SUPPORTED;
718 ad_map_type = WB_POSIX_MAP_RFC2307;
724 /************************************************************************
725 ***********************************************************************/
726 static NTSTATUS nss_ad_get_info( struct nss_domain_entry *e,
736 ADS_STRUCT *ads_internal = NULL;
737 const char *attrs[] = {NULL, /* attr_homedir */
738 NULL, /* attr_shell */
739 NULL, /* attr_gecos */
740 NULL, /* attr_gidnumber */
743 LDAPMessage *msg_internal = NULL;
744 ADS_STATUS ads_status = ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
745 NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
748 /* Only do query if we are online */
749 if (idmap_is_offline()) {
750 return NT_STATUS_FILE_IS_OFFLINE;
753 /* We are assuming that the internal ADS_STRUCT is for the
754 same forest as the incoming *ads pointer */
756 ads_internal = ad_idmap_cached_connection();
758 if ( !ads_internal || !ad_schema ) {
759 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
762 if (!sid || !homedir || !shell || !gecos) {
763 return NT_STATUS_INVALID_PARAMETER;
766 /* See if we can use the ADS connection struct swe were given */
769 *homedir = ads_pull_string( ads, ctx, msg, ad_schema->posix_homedir_attr );
770 *shell = ads_pull_string( ads, ctx, msg, ad_schema->posix_shell_attr );
771 *gecos = ads_pull_string( ads, ctx, msg, ad_schema->posix_gecos_attr );
774 if ( !ads_pull_uint32(ads, msg, ad_schema->posix_gidnumber_attr, gid ) )
778 nt_status = NT_STATUS_OK;
782 /* Have to do our own query */
784 attrs[0] = ad_schema->posix_homedir_attr;
785 attrs[1] = ad_schema->posix_shell_attr;
786 attrs[2] = ad_schema->posix_gecos_attr;
787 attrs[3] = ad_schema->posix_gidnumber_attr;
789 sidstr = sid_binstring(sid);
790 filter = talloc_asprintf(ctx, "(objectSid=%s)", sidstr);
794 nt_status = NT_STATUS_NO_MEMORY;
798 ads_status = ads_search_retry(ads_internal, &msg_internal, filter, attrs);
799 if (!ADS_ERR_OK(ads_status)) {
800 nt_status = ads_ntstatus(ads_status);
804 *homedir = ads_pull_string(ads_internal, ctx, msg_internal, ad_schema->posix_homedir_attr);
805 *shell = ads_pull_string(ads_internal, ctx, msg_internal, ad_schema->posix_shell_attr);
806 *gecos = ads_pull_string(ads_internal, ctx, msg_internal, ad_schema->posix_gecos_attr);
809 if (!ads_pull_uint32(ads_internal, msg_internal, ad_schema->posix_gidnumber_attr, gid))
813 nt_status = NT_STATUS_OK;
817 ads_msgfree(ads_internal, msg_internal);
823 /**********************************************************************
824 *********************************************************************/
826 static NTSTATUS nss_ad_map_to_alias(TALLOC_CTX *mem_ctx,
831 ADS_STRUCT *ads_internal = NULL;
832 const char *attrs[] = {NULL, /* attr_uid */
835 LDAPMessage *msg = NULL;
836 ADS_STATUS ads_status = ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
837 NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
839 /* Check incoming parameters */
841 if ( !domain || !name || !*alias) {
842 nt_status = NT_STATUS_INVALID_PARAMETER;
846 /* Only do query if we are online */
848 if (idmap_is_offline()) {
849 nt_status = NT_STATUS_FILE_IS_OFFLINE;
853 ads_internal = ad_idmap_cached_connection();
855 if (!ads_internal || !ad_schema) {
856 nt_status = NT_STATUS_OBJECT_PATH_NOT_FOUND;
860 attrs[0] = ad_schema->posix_uid_attr;
862 filter = talloc_asprintf(mem_ctx,
863 "(sAMAccountName=%s)",
866 nt_status = NT_STATUS_NO_MEMORY;
870 ads_status = ads_search_retry(ads_internal, &msg, filter, attrs);
871 if (!ADS_ERR_OK(ads_status)) {
872 nt_status = ads_ntstatus(ads_status);
876 *alias = ads_pull_string(ads_internal, mem_ctx, msg, ad_schema->posix_uid_attr );
879 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
882 nt_status = NT_STATUS_OK;
886 talloc_destroy(filter);
889 ads_msgfree(ads_internal, msg);
895 /**********************************************************************
896 *********************************************************************/
898 static NTSTATUS nss_ad_map_from_alias( TALLOC_CTX *mem_ctx,
903 ADS_STRUCT *ads_internal = NULL;
904 const char *attrs[] = {"sAMAccountName",
907 LDAPMessage *msg = NULL;
908 ADS_STATUS ads_status = ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
909 NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
912 /* Check incoming parameters */
914 if ( !alias || !name) {
915 nt_status = NT_STATUS_INVALID_PARAMETER;
919 /* Only do query if we are online */
921 if (idmap_is_offline()) {
922 nt_status = NT_STATUS_FILE_IS_OFFLINE;
926 ads_internal = ad_idmap_cached_connection();
928 if (!ads_internal || !ad_schema) {
929 nt_status = NT_STATUS_OBJECT_PATH_NOT_FOUND;
933 filter = talloc_asprintf(mem_ctx,
935 ad_schema->posix_uid_attr,
938 nt_status = NT_STATUS_NO_MEMORY;
942 ads_status = ads_search_retry(ads_internal, &msg, filter, attrs);
943 if (!ADS_ERR_OK(ads_status)) {
944 nt_status = ads_ntstatus(ads_status);
948 username = ads_pull_string(ads_internal, mem_ctx, msg,
951 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
954 *name = talloc_asprintf(mem_ctx, "%s\\%s",
958 nt_status = NT_STATUS_NO_MEMORY;
962 nt_status = NT_STATUS_OK;
966 talloc_destroy(filter);
969 ads_msgfree(ads_internal, msg);
976 /************************************************************************
977 ***********************************************************************/
979 static NTSTATUS nss_ad_close( void )
981 /* nothing to do. All memory is free()'d by the idmap close_fn() */
986 /************************************************************************
987 Function dispatch tables for the idmap and nss plugins
988 ***********************************************************************/
990 static struct idmap_methods ad_methods = {
991 .init = idmap_ad_initialize,
992 .unixids_to_sids = idmap_ad_unixids_to_sids,
993 .sids_to_unixids = idmap_ad_sids_to_unixids,
994 .close_fn = idmap_ad_close
997 /* The SFU and RFC2307 NSS plugins share everything but the init
998 function which sets the intended schema model to use */
1000 static struct nss_info_methods nss_rfc2307_methods = {
1001 .init = nss_rfc2307_init,
1002 .get_nss_info = nss_ad_get_info,
1003 .map_to_alias = nss_ad_map_to_alias,
1004 .map_from_alias = nss_ad_map_from_alias,
1005 .close_fn = nss_ad_close
1008 static struct nss_info_methods nss_sfu_methods = {
1009 .init = nss_sfu_init,
1010 .get_nss_info = nss_ad_get_info,
1011 .map_to_alias = nss_ad_map_to_alias,
1012 .map_from_alias = nss_ad_map_from_alias,
1013 .close_fn = nss_ad_close
1016 static struct nss_info_methods nss_sfu20_methods = {
1017 .init = nss_sfu20_init,
1018 .get_nss_info = nss_ad_get_info,
1019 .map_to_alias = nss_ad_map_to_alias,
1020 .map_from_alias = nss_ad_map_from_alias,
1021 .close_fn = nss_ad_close
1026 /************************************************************************
1027 Initialize the plugins
1028 ***********************************************************************/
1030 NTSTATUS idmap_ad_init(void)
1032 static NTSTATUS status_idmap_ad = NT_STATUS_UNSUCCESSFUL;
1033 static NTSTATUS status_nss_rfc2307 = NT_STATUS_UNSUCCESSFUL;
1034 static NTSTATUS status_nss_sfu = NT_STATUS_UNSUCCESSFUL;
1035 static NTSTATUS status_nss_sfu20 = NT_STATUS_UNSUCCESSFUL;
1037 /* Always register the AD method first in order to get the
1038 idmap_domain interface called */
1040 if ( !NT_STATUS_IS_OK(status_idmap_ad) ) {
1041 status_idmap_ad = smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION,
1043 if ( !NT_STATUS_IS_OK(status_idmap_ad) )
1044 return status_idmap_ad;
1047 if ( !NT_STATUS_IS_OK( status_nss_rfc2307 ) ) {
1048 status_nss_rfc2307 = smb_register_idmap_nss(SMB_NSS_INFO_INTERFACE_VERSION,
1049 "rfc2307", &nss_rfc2307_methods );
1050 if ( !NT_STATUS_IS_OK(status_nss_rfc2307) )
1051 return status_nss_rfc2307;
1054 if ( !NT_STATUS_IS_OK( status_nss_sfu ) ) {
1055 status_nss_sfu = smb_register_idmap_nss(SMB_NSS_INFO_INTERFACE_VERSION,
1056 "sfu", &nss_sfu_methods );
1057 if ( !NT_STATUS_IS_OK(status_nss_sfu) )
1058 return status_nss_sfu;
1061 if ( !NT_STATUS_IS_OK( status_nss_sfu20 ) ) {
1062 status_nss_sfu20 = smb_register_idmap_nss(SMB_NSS_INFO_INTERFACE_VERSION,
1063 "sfu20", &nss_sfu20_methods );
1064 if ( !NT_STATUS_IS_OK(status_nss_sfu20) )
1065 return status_nss_sfu20;
1068 return NT_STATUS_OK;
git.samba.org / amitay / samba.git / blob