2 * idmap_adex: Support for AD Forests
4 * Copyright (C) Gerald (Jerry) Carter 2006-2008
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
23 #include "idmap_adex.h"
24 #include "../libds/common/flags.h"
27 #define DBGC_CLASS DBGC_IDMAP
29 /**********************************************************************
30 **********************************************************************/
32 char *find_attr_string(char **list, size_t num_lines, const char *substr)
35 int cmplen = strlen(substr);
37 for (i = 0; i < num_lines; i++) {
38 /* make sure to avoid substring matches like uid
40 if ((StrnCaseCmp(list[i], substr, cmplen) == 0) &&
41 (list[i][cmplen] == '=')) {
42 /* Don't return an empty string */
43 if (list[i][cmplen + 1] != '\0')
44 return &(list[i][cmplen + 1]);
53 /**********************************************************************
54 **********************************************************************/
56 bool is_object_class(char **list, size_t num_lines, const char *substr)
60 for (i = 0; i < num_lines; i++) {
61 if (strequal(list[i], substr)) {
69 /**********************************************************************
70 Find out about the cell (e.g. use2307Attrs, etc...)
71 **********************************************************************/
73 NTSTATUS cell_lookup_settings(struct likewise_cell * cell)
75 NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
80 nt_status = NT_STATUS_INVALID_PARAMETER;
81 BAIL_ON_NTSTATUS_ERROR(nt_status);
84 /* Only supporting Forest-wide, schema based searches */
86 cell_set_flags(cell, LWCELL_FLAG_USE_RFC2307_ATTRS);
87 cell_set_flags(cell, LWCELL_FLAG_SEARCH_FOREST);
89 cell->provider = &ccp_unified;
91 nt_status = NT_STATUS_OK;
94 if (!NT_STATUS_IS_OK(nt_status)) {
95 DEBUG(1,("LWI: Failed to obtain cell settings (%s)\n",
96 nt_errstr(nt_status)));
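/**********************************************************************
 Resolve and record the DNS name of the forest root for a cell.

 Looks up the forest root (gc_find_forest_root()) for the cell's DNS
 domain and stores a talloc copy of the name in c->forest_name, owned
 by the cell.

 @param c  cell whose forest_name is to be filled in
 @return NT_STATUS_OK on success; NT_STATUS_INVALID_PARAMETER when c is
         NULL; NT_STATUS_NO_MEMORY or the status returned by
         gc_find_forest_root() otherwise.
**********************************************************************/

static NTSTATUS cell_lookup_forest(struct likewise_cell *c)
{
	NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
	struct gc_info *gc = NULL;

	if (c == NULL) {
		return NT_STATUS_INVALID_PARAMETER;
	}

	/* gc has no parent talloc context, so it has to be released
	   explicitly on every exit path (see done: below). */

	if ((gc = TALLOC_ZERO_P(NULL, struct gc_info)) == NULL) {
		nt_status = NT_STATUS_NO_MEMORY;
		BAIL_ON_NTSTATUS_ERROR(nt_status);
	}

	/* Query the rootDSE for the forest root naming context first.
	   Check that a GC server for the forest has not already
	   been added. */

	nt_status = gc_find_forest_root(gc, cell_dns_domain(c));
	BAIL_ON_NTSTATUS_ERROR(nt_status);

	c->forest_name = talloc_strdup(c, gc->forest_name);
	BAIL_ON_PTR_ERROR(c->forest_name, nt_status);

	nt_status = NT_STATUS_OK;

done:
	if (gc != NULL) {
		talloc_free(gc);
		gc = NULL;
	}

	return nt_status;
}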
135 /**********************************************************************
136 **********************************************************************/
138 NTSTATUS cell_locate_membership(ADS_STRUCT * ads)
141 char *domain_dn = ads_build_dn(lp_realm());
142 NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
144 struct likewise_cell *cell = NULL;
146 /* In the Likewise plugin, I had to support the concept of cells
147 based on the machine's membership in an OU. However, now I'll
148 just assume our membership in the forest cell */
150 DEBUG(2, ("locate_cell_membership: Located membership "
151 "in cell \"%s\"\n", domain_dn));
153 if ((cell = cell_new()) == NULL) {
154 nt_status = NT_STATUS_NO_MEMORY;
155 BAIL_ON_NTSTATUS_ERROR(nt_status);
158 status = ads_domain_sid(ads, &sid);
159 if (!ADS_ERR_OK(status)) {
160 DEBUG(3,("locate_cell_membership: Failed to find "
161 "domain SID for %s\n", domain_dn));
164 /* save the SID and search base for our domain */
166 cell_set_dns_domain(cell, lp_realm());
167 cell_set_connection(cell, ads);
168 cell_set_dn(cell, domain_dn);
169 cell_set_domain_sid(cell, &sid);
171 /* Now save our forest root */
173 cell_lookup_forest(cell);
175 /* Add the cell to the list */
177 if (!cell_list_add(cell)) {
178 nt_status = NT_STATUS_INSUFFICIENT_RESOURCES;
179 BAIL_ON_NTSTATUS_ERROR(nt_status);
183 nt_status = NT_STATUS_OK;
186 if (!NT_STATUS_IS_OK(nt_status)) {
187 DEBUG(0,("LWI: Failed to locate cell membership (%s)\n",
188 nt_errstr(nt_status)));
191 SAFE_FREE(domain_dn);
196 /*********************************************************************
197 ********************************************************************/
199 int min_id_value(void)
203 id_val = lp_parm_int(-1, "lwidentity", "min_id_value", MIN_ID_VALUE);
205 /* Still don't let it go below 50 */
207 return MAX(50, id_val);
210 /********************************************************************
211 *******************************************************************/
213 char *cell_dn_to_dns(const char *dn)
215 NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
217 char *dns_name = NULL;
220 TALLOC_CTX *frame = talloc_stackframe();
226 tmp_dn = talloc_strdup(frame, dn);
227 BAIL_ON_PTR_ERROR(tmp_dn, nt_status);
229 while (next_token_talloc(frame, &tmp_dn, &buffer, ",")) {
231 /* skip everything up the where DC=... begins */
232 if (StrnCaseCmp(buffer, "DC=", 3) != 0)
236 domain = talloc_strdup(frame, &buffer[3]);
238 domain = talloc_asprintf_append(domain, ".%s",
241 BAIL_ON_PTR_ERROR(domain, nt_status);
244 dns_name = SMB_STRDUP(domain);
245 BAIL_ON_PTR_ERROR(dns_name, nt_status);
247 nt_status = NT_STATUS_OK;
250 PRINT_NTSTATUS_ERROR(nt_status, "cell_dn_to_dns", 1);
252 talloc_destroy(frame);
257 /*********************************************************************
258 ********************************************************************/
260 NTSTATUS get_sid_type(ADS_STRUCT *ads,
262 enum lsa_SidType *type)
264 NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
267 if (!ads_pull_uint32(ads, msg, "sAMAccountType", &atype)) {
268 nt_status = NT_STATUS_INVALID_USER_BUFFER;
269 BAIL_ON_NTSTATUS_ERROR(nt_status);
272 switch (atype &0xF0000000) {
273 case ATYPE_SECURITY_GLOBAL_GROUP:
274 *type = SID_NAME_DOM_GRP;
276 case ATYPE_SECURITY_LOCAL_GROUP:
277 *type = SID_NAME_ALIAS;
279 case ATYPE_NORMAL_ACCOUNT:
280 case ATYPE_WORKSTATION_TRUST:
281 case ATYPE_INTERDOMAIN_TRUST:
282 *type = SID_NAME_USER;
285 *type = SID_NAME_USE_NONE;
286 nt_status = NT_STATUS_INVALID_ACCOUNT_NAME;
287 BAIL_ON_NTSTATUS_ERROR(nt_status);
290 nt_status = NT_STATUS_OK;