2 Unix SMB/CIFS implementation.
4 Winbind ADS backend functions
6 Copyright (C) Andrew Tridgell 2001
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003
8 Copyright (C) Gerald (Jerry) Carter 2004
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
26 #include "../librpc/gen_ndr/cli_netlogon.h"
27 #include "../libds/common/flags.h"
33 #define DBGC_CLASS DBGC_WINBIND
35 extern struct winbindd_methods reconnect_methods;
38 return our ads connections structure for a domain. We keep the connection
39 open to make things faster
41 static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain)
46 struct sockaddr_storage dc_ss;
48 DEBUG(10,("ads_cached_connection\n"));
50 if (domain->private_data) {
53 time_t now = time(NULL);
55 /* check for a valid structure */
56 ads = (ADS_STRUCT *)domain->private_data;
58 expire = MIN(ads->auth.tgt_expire, ads->auth.tgs_expire);
60 DEBUG(7, ("Current tickets expire in %d seconds (at %d, time is now %d)\n",
61 (uint32)expire-(uint32)now, (uint32) expire, (uint32) now));
63 if ( ads->config.realm && (expire > now)) {
66 /* we own this ADS_STRUCT so make sure it goes away */
67 DEBUG(7,("Deleting expired krb5 credential cache\n"));
70 ads_kdestroy("MEMORY:winbind_ccache");
71 domain->private_data = NULL;
75 /* we don't want this to affect the users ccache */
76 setenv("KRB5CCNAME", "MEMORY:winbind_ccache", 1);
78 ads = ads_init(domain->alt_name, domain->name, NULL);
80 DEBUG(1,("ads_init for domain %s failed\n", domain->name));
84 /* the machine acct password might have change - fetch it every time */
86 SAFE_FREE(ads->auth.password);
87 SAFE_FREE(ads->auth.realm);
91 if ( !pdb_get_trusteddom_pw( domain->name, &ads->auth.password, NULL, NULL ) ) {
95 ads->auth.realm = SMB_STRDUP( ads->server.realm );
96 strupper_m( ads->auth.realm );
99 struct winbindd_domain *our_domain = domain;
101 ads->auth.password = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
103 /* always give preference to the alt_name in our
104 primary domain if possible */
106 if ( !domain->primary )
107 our_domain = find_our_domain();
109 if ( our_domain->alt_name[0] != '\0' ) {
110 ads->auth.realm = SMB_STRDUP( our_domain->alt_name );
111 strupper_m( ads->auth.realm );
114 ads->auth.realm = SMB_STRDUP( lp_realm() );
117 ads->auth.renewable = WINBINDD_PAM_AUTH_KRB5_RENEW_TIME;
119 /* Setup the server affinity cache. We don't reaally care
120 about the name. Just setup affinity and the KRB5_CONFIG
123 get_dc_name( ads->server.workgroup, ads->server.realm, dc_name, &dc_ss );
125 status = ads_connect(ads);
126 if (!ADS_ERR_OK(status) || !ads->config.realm) {
127 DEBUG(1,("ads_connect for domain %s failed: %s\n",
128 domain->name, ads_errstr(status)));
131 /* if we get ECONNREFUSED then it might be a NT4
132 server, fall back to MSRPC */
133 if (status.error_type == ENUM_ADS_ERROR_SYSTEM &&
134 status.err.rc == ECONNREFUSED) {
135 /* 'reconnect_methods' is the MS-RPC backend. */
136 DEBUG(1,("Trying MSRPC methods\n"));
137 domain->backend = &reconnect_methods;
142 /* set the flag that says we don't own the memory even
143 though we do so that ads_destroy() won't destroy the
144 structure we pass back by reference */
146 ads->is_mine = False;
148 domain->private_data = (void *)ads;
153 /* Query display info for a realm. This is the basic user list fn */
154 static NTSTATUS query_user_list(struct winbindd_domain *domain,
157 struct wbint_userinfo **pinfo)
159 ADS_STRUCT *ads = NULL;
160 const char *attrs[] = { "*", NULL };
163 LDAPMessage *res = NULL;
164 LDAPMessage *msg = NULL;
165 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
169 DEBUG(3,("ads: query_user_list\n"));
171 if ( !winbindd_can_contact_domain( domain ) ) {
172 DEBUG(10,("query_user_list: No incoming trust for domain %s\n",
177 ads = ads_cached_connection(domain);
180 domain->last_status = NT_STATUS_SERVER_DISABLED;
184 rc = ads_search_retry(ads, &res, "(objectCategory=user)", attrs);
185 if (!ADS_ERR_OK(rc) || !res) {
186 DEBUG(1,("query_user_list ads_search: %s\n", ads_errstr(rc)));
190 count = ads_count_replies(ads, res);
192 DEBUG(1,("query_user_list: No users found\n"));
196 (*pinfo) = TALLOC_ZERO_ARRAY(mem_ctx, struct wbint_userinfo, count);
198 status = NT_STATUS_NO_MEMORY;
204 for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
205 struct wbint_userinfo *info = &((*pinfo)[count]);
209 if (!ads_pull_uint32(ads, msg, "sAMAccountType", &atype) ||
210 ds_atype_map(atype) != SID_NAME_USER) {
211 DEBUG(1,("Not a user account? atype=0x%x\n", atype));
215 info->acct_name = ads_pull_username(ads, mem_ctx, msg);
216 info->full_name = ads_pull_string(ads, mem_ctx, msg, "name");
217 info->homedir = NULL;
219 info->primary_gid = (gid_t)-1;
221 if (!ads_pull_sid(ads, msg, "objectSid",
223 DEBUG(1, ("No sid for %s !?\n", info->acct_name));
227 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &group)) {
228 DEBUG(1, ("No primary group for %s !?\n",
232 sid_compose(&info->group_sid, &domain->sid, group);
237 (*num_entries) = count;
238 ads_msgfree(ads, res);
240 for (i=0; i<count; i++) {
241 struct wbint_userinfo *info = &((*pinfo)[i]);
242 const char *gecos = NULL;
243 gid_t primary_gid = (gid_t)-1;
246 * Don't use our variable "ads" in this call here, every call
247 * to nss_get_info_cached can destroy the connection inside
250 status = nss_get_info_cached(domain, &info->user_sid, mem_ctx,
251 ads_cached_connection(domain),
252 msg, &info->homedir, &info->shell,
253 &gecos, &primary_gid);
254 if (!NT_STATUS_IS_OK(status)) {
256 * Deliberately ignore this error, there might be more
263 info->full_name = gecos;
265 info->primary_gid = primary_gid;
268 status = NT_STATUS_OK;
270 DEBUG(3,("ads query_user_list gave %d entries\n", (*num_entries)));
276 /* list all domain groups */
277 static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
280 struct acct_info **info)
282 ADS_STRUCT *ads = NULL;
283 const char *attrs[] = {"userPrincipalName", "sAMAccountName",
284 "name", "objectSid", NULL};
287 LDAPMessage *res = NULL;
288 LDAPMessage *msg = NULL;
289 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
291 bool enum_dom_local_groups = False;
295 DEBUG(3,("ads: enum_dom_groups\n"));
297 if ( !winbindd_can_contact_domain( domain ) ) {
298 DEBUG(10,("enum_dom_groups: No incoming trust for domain %s\n",
303 /* only grab domain local groups for our domain */
304 if ( domain->active_directory && strequal(lp_realm(), domain->alt_name) ) {
305 enum_dom_local_groups = True;
308 /* Workaround ADS LDAP bug present in MS W2K3 SP0 and W2K SP4 w/o
311 * According to Section 5.1(4) of RFC 2251 if a value of a type is it's
312 * default value, it MUST be absent. In case of extensible matching the
313 * "dnattr" boolean defaults to FALSE and so it must be only be present
316 * When it is set to FALSE and the OpenLDAP lib (correctly) encodes a
317 * filter using bitwise matching rule then the buggy AD fails to decode
318 * the extensible match. As a workaround set it to TRUE and thereby add
319 * the dnAttributes "dn" field to cope with those older AD versions.
320 * It should not harm and won't put any additional load on the AD since
321 * none of the dn components have a bitmask-attribute.
323 * Thanks to Ralf Haferkamp for input and testing - Guenther */
325 filter = talloc_asprintf(mem_ctx, "(&(objectCategory=group)(&(groupType:dn:%s:=%d)(!(groupType:dn:%s:=%d))))",
326 ADS_LDAP_MATCHING_RULE_BIT_AND, GROUP_TYPE_SECURITY_ENABLED,
327 ADS_LDAP_MATCHING_RULE_BIT_AND,
328 enum_dom_local_groups ? GROUP_TYPE_BUILTIN_LOCAL_GROUP : GROUP_TYPE_RESOURCE_GROUP);
330 if (filter == NULL) {
331 status = NT_STATUS_NO_MEMORY;
335 ads = ads_cached_connection(domain);
338 domain->last_status = NT_STATUS_SERVER_DISABLED;
342 rc = ads_search_retry(ads, &res, filter, attrs);
343 if (!ADS_ERR_OK(rc) || !res) {
344 DEBUG(1,("enum_dom_groups ads_search: %s\n", ads_errstr(rc)));
348 count = ads_count_replies(ads, res);
350 DEBUG(1,("enum_dom_groups: No groups found\n"));
354 (*info) = TALLOC_ZERO_ARRAY(mem_ctx, struct acct_info, count);
356 status = NT_STATUS_NO_MEMORY;
362 for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
367 name = ads_pull_username(ads, mem_ctx, msg);
368 gecos = ads_pull_string(ads, mem_ctx, msg, "name");
369 if (!ads_pull_sid(ads, msg, "objectSid", &sid)) {
370 DEBUG(1,("No sid for %s !?\n", name));
374 if (!sid_peek_check_rid(&domain->sid, &sid, &rid)) {
375 DEBUG(1,("No rid for %s !?\n", name));
379 fstrcpy((*info)[i].acct_name, name);
380 fstrcpy((*info)[i].acct_desc, gecos);
381 (*info)[i].rid = rid;
387 status = NT_STATUS_OK;
389 DEBUG(3,("ads enum_dom_groups gave %d entries\n", (*num_entries)));
393 ads_msgfree(ads, res);
398 /* list all domain local groups */
399 static NTSTATUS enum_local_groups(struct winbindd_domain *domain,
402 struct acct_info **info)
405 * This is a stub function only as we returned the domain
406 * local groups in enum_dom_groups() if the domain->native field
407 * was true. This is a simple performance optimization when
410 * if we ever need to enumerate domain local groups separately,
411 * then this optimization in enum_dom_groups() will need
419 /* convert a single name to a sid in a domain - use rpc methods */
420 static NTSTATUS name_to_sid(struct winbindd_domain *domain,
422 const char *domain_name,
426 enum lsa_SidType *type)
428 return reconnect_methods.name_to_sid(domain, mem_ctx,
429 domain_name, name, flags,
433 /* convert a domain SID to a user or group name - use rpc methods */
434 static NTSTATUS sid_to_name(struct winbindd_domain *domain,
436 const struct dom_sid *sid,
439 enum lsa_SidType *type)
441 return reconnect_methods.sid_to_name(domain, mem_ctx, sid,
442 domain_name, name, type);
445 /* convert a list of rids to names - use rpc methods */
446 static NTSTATUS rids_to_names(struct winbindd_domain *domain,
448 const struct dom_sid *sid,
453 enum lsa_SidType **types)
455 return reconnect_methods.rids_to_names(domain, mem_ctx, sid,
457 domain_name, names, types);
460 /* If you are looking for "dn_lookup": Yes, it used to be here!
461 * It has gone now since it was a major speed bottleneck in
462 * lookup_groupmem (its only use). It has been replaced by
463 * an rpc lookup sids call... R.I.P. */
465 /* Lookup user information from a rid */
466 static NTSTATUS query_user(struct winbindd_domain *domain,
468 const struct dom_sid *sid,
469 struct wbint_userinfo *info)
471 ADS_STRUCT *ads = NULL;
472 const char *attrs[] = { "*", NULL };
475 LDAPMessage *msg = NULL;
479 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
480 struct netr_SamInfo3 *user = NULL;
485 DEBUG(3,("ads: query_user\n"));
487 info->homedir = NULL;
490 /* try netsamlogon cache first */
492 if ( (user = netsamlogon_cache_get( mem_ctx, sid )) != NULL )
494 DEBUG(5,("query_user: Cache lookup succeeded for %s\n",
495 sid_string_dbg(sid)));
497 sid_compose(&info->user_sid, &domain->sid, user->base.rid);
498 sid_compose(&info->group_sid, &domain->sid, user->base.primary_gid);
500 info->acct_name = talloc_strdup(mem_ctx, user->base.account_name.string);
501 info->full_name = talloc_strdup(mem_ctx, user->base.full_name.string);
503 nss_get_info_cached( domain, sid, mem_ctx, NULL, NULL,
504 &info->homedir, &info->shell, &info->full_name,
506 info->primary_gid = gid;
513 if ( !winbindd_can_contact_domain(domain)) {
514 DEBUG(8,("query_user: No incoming trust from domain %s\n",
517 /* We still need to generate some basic information
518 about the user even if we cannot contact the
519 domain. Most of this stuff we can deduce. */
521 sid_copy( &info->user_sid, sid );
523 /* Assume "Domain Users" for the primary group */
525 sid_compose(&info->group_sid, &domain->sid, DOMAIN_RID_USERS );
527 /* Try to fill in what the nss_info backend can do */
529 nss_get_info_cached( domain, sid, mem_ctx, NULL, NULL,
530 &info->homedir, &info->shell, &info->full_name,
532 info->primary_gid = gid;
537 /* no cache...do the query */
539 if ( (ads = ads_cached_connection(domain)) == NULL ) {
540 domain->last_status = NT_STATUS_SERVER_DISABLED;
541 return NT_STATUS_SERVER_DISABLED;
544 sidstr = sid_binstring(talloc_tos(), sid);
546 ret = asprintf(&ldap_exp, "(objectSid=%s)", sidstr);
549 return NT_STATUS_NO_MEMORY;
551 rc = ads_search_retry(ads, &msg, ldap_exp, attrs);
553 if (!ADS_ERR_OK(rc) || !msg) {
554 DEBUG(1,("query_user(sid=%s) ads_search: %s\n",
555 sid_string_dbg(sid), ads_errstr(rc)));
556 return ads_ntstatus(rc);
559 count = ads_count_replies(ads, msg);
561 DEBUG(1,("query_user(sid=%s): Not found\n",
562 sid_string_dbg(sid)));
563 ads_msgfree(ads, msg);
564 return NT_STATUS_NO_SUCH_USER;
567 info->acct_name = ads_pull_username(ads, mem_ctx, msg);
569 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &group_rid)) {
570 DEBUG(1,("No primary group for %s !?\n",
571 sid_string_dbg(sid)));
572 ads_msgfree(ads, msg);
573 return NT_STATUS_NO_SUCH_USER;
575 sid_copy(&info->user_sid, sid);
576 sid_compose(&info->group_sid, &domain->sid, group_rid);
579 * We have to fetch the "name" attribute before doing the
580 * nss_get_info_cached call. nss_get_info_cached might destroy
581 * the ads struct, potentially invalidating the ldap message.
583 ads_name = ads_pull_string(ads, mem_ctx, msg, "name");
585 ads_msgfree(ads, msg);
588 status = nss_get_info_cached( domain, sid, mem_ctx, ads, msg,
589 &info->homedir, &info->shell, &info->full_name,
591 info->primary_gid = gid;
592 if (!NT_STATUS_IS_OK(status)) {
593 DEBUG(1, ("nss_get_info_cached failed: %s\n",
598 if (info->full_name == NULL) {
599 info->full_name = ads_name;
601 TALLOC_FREE(ads_name);
604 status = NT_STATUS_OK;
606 DEBUG(3,("ads query_user gave %s\n", info->acct_name));
610 /* Lookup groups a user is a member of - alternate method, for when
611 tokenGroups are not available. */
612 static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain,
615 struct dom_sid *primary_group,
616 size_t *p_num_groups, struct dom_sid **user_sids)
619 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
621 LDAPMessage *res = NULL;
622 LDAPMessage *msg = NULL;
625 const char *group_attrs[] = {"objectSid", NULL};
627 size_t num_groups = 0;
629 DEBUG(3,("ads: lookup_usergroups_member\n"));
631 if ( !winbindd_can_contact_domain( domain ) ) {
632 DEBUG(10,("lookup_usergroups_members: No incoming trust for domain %s\n",
637 ads = ads_cached_connection(domain);
640 domain->last_status = NT_STATUS_SERVER_DISABLED;
644 if (!(escaped_dn = escape_ldap_string(talloc_tos(), user_dn))) {
645 status = NT_STATUS_NO_MEMORY;
649 ldap_exp = talloc_asprintf(mem_ctx,
650 "(&(member=%s)(objectCategory=group)(groupType:dn:%s:=%d))",
652 ADS_LDAP_MATCHING_RULE_BIT_AND,
653 GROUP_TYPE_SECURITY_ENABLED);
655 DEBUG(1,("lookup_usergroups(dn=%s) asprintf failed!\n", user_dn));
656 TALLOC_FREE(escaped_dn);
657 status = NT_STATUS_NO_MEMORY;
661 TALLOC_FREE(escaped_dn);
663 rc = ads_search_retry(ads, &res, ldap_exp, group_attrs);
665 if (!ADS_ERR_OK(rc) || !res) {
666 DEBUG(1,("lookup_usergroups ads_search member=%s: %s\n", user_dn, ads_errstr(rc)));
667 return ads_ntstatus(rc);
670 count = ads_count_replies(ads, res);
675 /* always add the primary group to the sid array */
676 status = add_sid_to_array(mem_ctx, primary_group, user_sids,
678 if (!NT_STATUS_IS_OK(status)) {
683 for (msg = ads_first_entry(ads, res); msg;
684 msg = ads_next_entry(ads, msg)) {
685 struct dom_sid group_sid;
687 if (!ads_pull_sid(ads, msg, "objectSid", &group_sid)) {
688 DEBUG(1,("No sid for this group ?!?\n"));
692 /* ignore Builtin groups from ADS - Guenther */
693 if (sid_check_is_in_builtin(&group_sid)) {
697 status = add_sid_to_array(mem_ctx, &group_sid,
698 user_sids, &num_groups);
699 if (!NT_STATUS_IS_OK(status)) {
706 *p_num_groups = num_groups;
707 status = (user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
709 DEBUG(3,("ads lookup_usergroups (member) succeeded for dn=%s\n", user_dn));
712 ads_msgfree(ads, res);
717 /* Lookup groups a user is a member of - alternate method, for when
718 tokenGroups are not available. */
719 static NTSTATUS lookup_usergroups_memberof(struct winbindd_domain *domain,
722 struct dom_sid *primary_group,
723 size_t *p_num_groups,
724 struct dom_sid **user_sids)
727 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
729 const char *attrs[] = {"memberOf", NULL};
730 size_t num_groups = 0;
731 struct dom_sid *group_sids = NULL;
733 char **strings = NULL;
734 size_t num_strings = 0, num_sids = 0;
737 DEBUG(3,("ads: lookup_usergroups_memberof\n"));
739 if ( !winbindd_can_contact_domain( domain ) ) {
740 DEBUG(10,("lookup_usergroups_memberof: No incoming trust for "
741 "domain %s\n", domain->name));
745 ads = ads_cached_connection(domain);
748 domain->last_status = NT_STATUS_SERVER_DISABLED;
749 return NT_STATUS_UNSUCCESSFUL;
752 rc = ads_search_retry_extended_dn_ranged(ads, mem_ctx, user_dn, attrs,
753 ADS_EXTENDED_DN_HEX_STRING,
754 &strings, &num_strings);
756 if (!ADS_ERR_OK(rc)) {
757 DEBUG(1,("lookup_usergroups_memberof ads_search "
758 "member=%s: %s\n", user_dn, ads_errstr(rc)));
759 return ads_ntstatus(rc);
765 /* always add the primary group to the sid array */
766 status = add_sid_to_array(mem_ctx, primary_group, user_sids,
768 if (!NT_STATUS_IS_OK(status)) {
772 group_sids = TALLOC_ZERO_ARRAY(mem_ctx, struct dom_sid, num_strings + 1);
774 status = NT_STATUS_NO_MEMORY;
778 for (i=0; i<num_strings; i++) {
779 rc = ads_get_sid_from_extended_dn(mem_ctx, strings[i],
780 ADS_EXTENDED_DN_HEX_STRING,
782 if (!ADS_ERR_OK(rc)) {
783 /* ignore members without SIDs */
784 if (NT_STATUS_EQUAL(ads_ntstatus(rc),
785 NT_STATUS_NOT_FOUND)) {
789 status = ads_ntstatus(rc);
797 DEBUG(1,("No memberOf for this user?!?\n"));
798 status = NT_STATUS_NO_MEMORY;
802 for (i=0; i<num_sids; i++) {
804 /* ignore Builtin groups from ADS - Guenther */
805 if (sid_check_is_in_builtin(&group_sids[i])) {
809 status = add_sid_to_array(mem_ctx, &group_sids[i], user_sids,
811 if (!NT_STATUS_IS_OK(status)) {
817 *p_num_groups = num_groups;
818 status = (*user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
820 DEBUG(3,("ads lookup_usergroups (memberof) succeeded for dn=%s\n",
824 TALLOC_FREE(strings);
825 TALLOC_FREE(group_sids);
831 /* Lookup groups a user is a member of. */
832 static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
834 const struct dom_sid *sid,
835 uint32 *p_num_groups, struct dom_sid **user_sids)
837 ADS_STRUCT *ads = NULL;
838 const char *attrs[] = {"tokenGroups", "primaryGroupID", NULL};
841 LDAPMessage *msg = NULL;
842 char *user_dn = NULL;
843 struct dom_sid *sids;
845 struct dom_sid primary_group;
846 uint32 primary_group_rid;
847 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
848 size_t num_groups = 0;
850 DEBUG(3,("ads: lookup_usergroups\n"));
853 status = lookup_usergroups_cached(domain, mem_ctx, sid,
854 p_num_groups, user_sids);
855 if (NT_STATUS_IS_OK(status)) {
859 if ( !winbindd_can_contact_domain( domain ) ) {
860 DEBUG(10,("lookup_usergroups: No incoming trust for domain %s\n",
863 /* Tell the cache manager not to remember this one */
865 return NT_STATUS_SYNCHRONIZATION_REQUIRED;
868 ads = ads_cached_connection(domain);
871 domain->last_status = NT_STATUS_SERVER_DISABLED;
872 status = NT_STATUS_SERVER_DISABLED;
876 rc = ads_search_retry_sid(ads, &msg, sid, attrs);
878 if (!ADS_ERR_OK(rc)) {
879 status = ads_ntstatus(rc);
880 DEBUG(1, ("lookup_usergroups(sid=%s) ads_search tokenGroups: "
881 "%s\n", sid_string_dbg(sid), ads_errstr(rc)));
885 count = ads_count_replies(ads, msg);
887 status = NT_STATUS_UNSUCCESSFUL;
888 DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: "
889 "invalid number of results (count=%d)\n",
890 sid_string_dbg(sid), count));
895 DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: NULL msg\n",
896 sid_string_dbg(sid)));
897 status = NT_STATUS_UNSUCCESSFUL;
901 user_dn = ads_get_dn(ads, mem_ctx, msg);
902 if (user_dn == NULL) {
903 status = NT_STATUS_NO_MEMORY;
907 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &primary_group_rid)) {
908 DEBUG(1,("%s: No primary group for sid=%s !?\n",
909 domain->name, sid_string_dbg(sid)));
913 sid_compose(&primary_group, &domain->sid, primary_group_rid);
915 count = ads_pull_sids(ads, mem_ctx, msg, "tokenGroups", &sids);
917 /* there must always be at least one group in the token,
918 unless we are talking to a buggy Win2k server */
920 /* actually this only happens when the machine account has no read
921 * permissions on the tokenGroup attribute - gd */
927 /* lookup what groups this user is a member of by DN search on
930 status = lookup_usergroups_memberof(domain, mem_ctx, user_dn,
932 &num_groups, user_sids);
933 *p_num_groups = (uint32)num_groups;
934 if (NT_STATUS_IS_OK(status)) {
938 /* lookup what groups this user is a member of by DN search on
941 status = lookup_usergroups_member(domain, mem_ctx, user_dn,
943 &num_groups, user_sids);
944 *p_num_groups = (uint32)num_groups;
951 status = add_sid_to_array(mem_ctx, &primary_group, user_sids,
953 if (!NT_STATUS_IS_OK(status)) {
957 for (i=0;i<count;i++) {
959 /* ignore Builtin groups from ADS - Guenther */
960 if (sid_check_is_in_builtin(&sids[i])) {
964 status = add_sid_to_array_unique(mem_ctx, &sids[i],
965 user_sids, &num_groups);
966 if (!NT_STATUS_IS_OK(status)) {
971 *p_num_groups = (uint32)num_groups;
972 status = (*user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
974 DEBUG(3,("ads lookup_usergroups (tokenGroups) succeeded for sid=%s\n",
975 sid_string_dbg(sid)));
977 TALLOC_FREE(user_dn);
978 ads_msgfree(ads, msg);
982 /* Lookup aliases a user is member of - use rpc methods */
983 static NTSTATUS lookup_useraliases(struct winbindd_domain *domain,
985 uint32 num_sids, const struct dom_sid *sids,
986 uint32 *num_aliases, uint32 **alias_rids)
988 return reconnect_methods.lookup_useraliases(domain, mem_ctx,
995 find the members of a group, given a group rid and domain
997 static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
999 const struct dom_sid *group_sid,
1000 enum lsa_SidType type,
1002 struct dom_sid **sid_mem, char ***names,
1003 uint32 **name_types)
1006 ADS_STRUCT *ads = NULL;
1008 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
1010 char **members = NULL;
1012 size_t num_members = 0;
1014 struct dom_sid *sid_mem_nocache = NULL;
1015 char **names_nocache = NULL;
1016 enum lsa_SidType *name_types_nocache = NULL;
1017 char **domains_nocache = NULL; /* only needed for rpccli_lsa_lookup_sids */
1018 uint32 num_nocache = 0;
1019 TALLOC_CTX *tmp_ctx = NULL;
1021 DEBUG(10,("ads: lookup_groupmem %s sid=%s\n", domain->name,
1022 sid_string_dbg(group_sid)));
1026 tmp_ctx = talloc_new(mem_ctx);
1028 DEBUG(1, ("ads: lookup_groupmem: talloc failed\n"));
1029 status = NT_STATUS_NO_MEMORY;
1033 if ( !winbindd_can_contact_domain( domain ) ) {
1034 DEBUG(10,("lookup_groupmem: No incoming trust for domain %s\n",
1036 return NT_STATUS_OK;
1039 ads = ads_cached_connection(domain);
1042 domain->last_status = NT_STATUS_SERVER_DISABLED;
1046 if ((sidbinstr = sid_binstring(talloc_tos(), group_sid)) == NULL) {
1047 status = NT_STATUS_NO_MEMORY;
1051 /* search for all members of the group */
1052 ldap_exp = talloc_asprintf(tmp_ctx, "(objectSid=%s)", sidbinstr);
1053 TALLOC_FREE(sidbinstr);
1054 if (ldap_exp == NULL) {
1055 DEBUG(1, ("ads: lookup_groupmem: talloc_asprintf for ldap_exp failed!\n"));
1056 status = NT_STATUS_NO_MEMORY;
1060 args.control = ADS_EXTENDED_DN_OID;
1061 args.val = ADS_EXTENDED_DN_HEX_STRING;
1062 args.critical = True;
1064 rc = ads_ranged_search(ads, tmp_ctx, LDAP_SCOPE_SUBTREE, ads->config.bind_path,
1065 ldap_exp, &args, "member", &members, &num_members);
1067 if (!ADS_ERR_OK(rc)) {
1068 DEBUG(0,("ads_ranged_search failed with: %s\n", ads_errstr(rc)));
1069 status = NT_STATUS_UNSUCCESSFUL;
1073 DEBUG(10, ("ads lookup_groupmem: got %d sids via extended dn call\n", (int)num_members));
1075 /* Now that we have a list of sids, we need to get the
1076 * lists of names and name_types belonging to these sids.
1077 * even though conceptually not quite clean, we use the
1078 * RPC call lsa_lookup_sids for this since it can handle a
1079 * list of sids. ldap calls can just resolve one sid at a time.
1081 * At this stage, the sids are still hidden in the exetended dn
1082 * member output format. We actually do a little better than
1083 * stated above: In extracting the sids from the member strings,
1084 * we try to resolve as many sids as possible from the
1085 * cache. Only the rest is passed to the lsa_lookup_sids call. */
1088 (*sid_mem) = TALLOC_ZERO_ARRAY(mem_ctx, struct dom_sid, num_members);
1089 (*names) = TALLOC_ZERO_ARRAY(mem_ctx, char *, num_members);
1090 (*name_types) = TALLOC_ZERO_ARRAY(mem_ctx, uint32, num_members);
1091 (sid_mem_nocache) = TALLOC_ZERO_ARRAY(tmp_ctx, struct dom_sid, num_members);
1093 if ((members == NULL) || (*sid_mem == NULL) ||
1094 (*names == NULL) || (*name_types == NULL) ||
1095 (sid_mem_nocache == NULL))
1097 DEBUG(1, ("ads: lookup_groupmem: talloc failed\n"));
1098 status = NT_STATUS_NO_MEMORY;
1105 (*name_types) = NULL;
1108 for (i=0; i<num_members; i++) {
1109 enum lsa_SidType name_type;
1110 char *name, *domain_name;
1113 rc = ads_get_sid_from_extended_dn(tmp_ctx, members[i], args.val,
1115 if (!ADS_ERR_OK(rc)) {
1116 if (NT_STATUS_EQUAL(ads_ntstatus(rc),
1117 NT_STATUS_NOT_FOUND)) {
1118 /* Group members can be objects, like Exchange
1119 * Public Folders, that don't have a SID. Skip
1124 status = ads_ntstatus(rc);
1128 if (lookup_cached_sid(mem_ctx, &sid, &domain_name, &name,
1130 DEBUG(10,("ads: lookup_groupmem: got sid %s from "
1131 "cache\n", sid_string_dbg(&sid)));
1132 sid_copy(&(*sid_mem)[*num_names], &sid);
1133 (*names)[*num_names] = fill_domain_username_talloc(
1139 (*name_types)[*num_names] = name_type;
1143 DEBUG(10, ("ads: lookup_groupmem: sid %s not found in "
1144 "cache\n", sid_string_dbg(&sid)));
1145 sid_copy(&(sid_mem_nocache)[num_nocache], &sid);
1150 DEBUG(10, ("ads: lookup_groupmem: %d sids found in cache, "
1151 "%d left for lsa_lookupsids\n", *num_names, num_nocache));
1153 /* handle sids not resolved from cache by lsa_lookup_sids */
1154 if (num_nocache > 0) {
1156 status = winbindd_lookup_sids(tmp_ctx,
1162 &name_types_nocache);
1164 if (!(NT_STATUS_IS_OK(status) ||
1165 NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED) ||
1166 NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)))
1168 DEBUG(1, ("lsa_lookupsids call failed with %s "
1169 "- retrying...\n", nt_errstr(status)));
1171 status = winbindd_lookup_sids(tmp_ctx,
1177 &name_types_nocache);
1180 if (NT_STATUS_IS_OK(status) ||
1181 NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED))
1183 /* Copy the entries over from the "_nocache" arrays
1184 * to the result arrays, skipping the gaps the
1185 * lookup_sids call left. */
1186 for (i=0; i < num_nocache; i++) {
1187 if (((names_nocache)[i] != NULL) &&
1188 ((name_types_nocache)[i] != SID_NAME_UNKNOWN))
1190 sid_copy(&(*sid_mem)[*num_names],
1191 &sid_mem_nocache[i]);
1192 (*names)[*num_names] =
1193 fill_domain_username_talloc(
1198 (*name_types)[*num_names] = name_types_nocache[i];
1203 else if (NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)) {
1204 DEBUG(10, ("lookup_groupmem: lsa_lookup_sids could "
1205 "not map any SIDs at all.\n"));
1206 /* Don't handle this as an error here.
1207 * There is nothing left to do with respect to the
1208 * overall result... */
1210 else if (!NT_STATUS_IS_OK(status)) {
1211 DEBUG(10, ("lookup_groupmem: Error looking up %d "
1212 "sids via rpc_lsa_lookup_sids: %s\n",
1213 (int)num_members, nt_errstr(status)));
1218 status = NT_STATUS_OK;
1219 DEBUG(3,("ads lookup_groupmem for sid=%s succeeded\n",
1220 sid_string_dbg(group_sid)));
1224 TALLOC_FREE(tmp_ctx);
1229 /* find the sequence number for a domain */
1230 static NTSTATUS sequence_number(struct winbindd_domain *domain, uint32 *seq)
1232 ADS_STRUCT *ads = NULL;
1235 DEBUG(3,("ads: fetch sequence_number for %s\n", domain->name));
1237 if ( !winbindd_can_contact_domain( domain ) ) {
1238 DEBUG(10,("sequence: No incoming trust for domain %s\n",
1241 return NT_STATUS_OK;
1244 *seq = DOM_SEQUENCE_NONE;
1246 ads = ads_cached_connection(domain);
1249 domain->last_status = NT_STATUS_SERVER_DISABLED;
1250 return NT_STATUS_UNSUCCESSFUL;
1253 rc = ads_USN(ads, seq);
1255 if (!ADS_ERR_OK(rc)) {
1257 /* its a dead connection, destroy it */
1259 if (domain->private_data) {
1260 ads = (ADS_STRUCT *)domain->private_data;
1261 ads->is_mine = True;
1263 ads_kdestroy("MEMORY:winbind_ccache");
1264 domain->private_data = NULL;
1267 return ads_ntstatus(rc);
1270 /* find the lockout policy of a domain - use rpc methods */
1271 static NTSTATUS lockout_policy(struct winbindd_domain *domain,
1272 TALLOC_CTX *mem_ctx,
1273 struct samr_DomInfo12 *policy)
1275 return reconnect_methods.lockout_policy(domain, mem_ctx, policy);
1278 /* find the password policy of a domain - use rpc methods */
1279 static NTSTATUS password_policy(struct winbindd_domain *domain,
1280 TALLOC_CTX *mem_ctx,
1281 struct samr_DomInfo1 *policy)
1283 return reconnect_methods.password_policy(domain, mem_ctx, policy);
1286 /* get a list of trusted domains */
1287 static NTSTATUS trusted_domains(struct winbindd_domain *domain,
1288 TALLOC_CTX *mem_ctx,
1289 struct netr_DomainTrustList *trusts)
1291 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1294 struct rpc_pipe_client *cli;
1297 DEBUG(3,("ads: trusted_domains\n"));
1299 ZERO_STRUCTP(trusts);
1301 /* If this is our primary domain or a root in our forest,
1302 query for all trusts. If not, then just look for domain
1303 trusts in the target forest */
1305 if (domain->primary || domain_is_forest_root(domain)) {
1306 flags = NETR_TRUST_FLAG_OUTBOUND |
1307 NETR_TRUST_FLAG_INBOUND |
1308 NETR_TRUST_FLAG_IN_FOREST;
1310 flags = NETR_TRUST_FLAG_IN_FOREST;
1313 result = cm_connect_netlogon(domain, &cli);
1315 if (!NT_STATUS_IS_OK(result)) {
1316 DEBUG(5, ("trusted_domains: Could not open a connection to %s "
1317 "for PIPE_NETLOGON (%s)\n",
1318 domain->name, nt_errstr(result)));
1319 return NT_STATUS_UNSUCCESSFUL;
1322 result = rpccli_netr_DsrEnumerateDomainTrusts(cli, mem_ctx,
1327 if (!NT_STATUS_IS_OK(result)) {
1330 if (trusts->count == 0) {
1331 return NT_STATUS_OK;
1334 /* Copy across names and sids */
1337 for (i = 0; i < trusts->count; i++) {
1338 struct netr_DomainTrust *trust = &trusts->array[i];
1339 struct winbindd_domain d;
1344 * drop external trusts if this is not our primary
1345 * domain. This means that the returned number of
1346 * domains may be less that the ones actually trusted
1350 if ((trust->trust_attributes
1351 == NETR_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) &&
1354 DEBUG(10,("trusted_domains: Skipping external trusted "
1355 "domain %s because it is outside of our "
1357 trust->netbios_name));
1361 /* add to the trusted domain cache */
1363 fstrcpy(d.name, trust->netbios_name);
1364 fstrcpy(d.alt_name, trust->dns_name);
1366 sid_copy(&d.sid, trust->sid);
1368 sid_copy(&d.sid, &global_sid_NULL);
1371 if ( domain->primary ) {
1372 DEBUG(10,("trusted_domains(ads): Searching "
1373 "trusted domain list of %s and storing "
1374 "trust flags for domain %s\n",
1375 domain->name, d.alt_name));
1377 d.domain_flags = trust->trust_flags;
1378 d.domain_type = trust->trust_type;
1379 d.domain_trust_attribs = trust->trust_attributes;
1381 wcache_tdc_add_domain( &d );
1383 } else if (domain_is_forest_root(domain)) {
1384 /* Check if we already have this record. If
1385 * we are following our forest root that is not
1386 * our primary domain, we want to keep trust
1387 * flags from the perspective of our primary
1388 * domain not our forest root. */
1389 struct winbindd_tdc_domain *exist = NULL;
1391 exist = wcache_tdc_fetch_domain(
1392 talloc_tos(), trust->netbios_name);
1394 DEBUG(10,("trusted_domains(ads): Searching "
1395 "trusted domain list of %s and "
1396 "storing trust flags for domain "
1397 "%s\n", domain->name, d.alt_name));
1398 d.domain_flags = trust->trust_flags;
1399 d.domain_type = trust->trust_type;
1400 d.domain_trust_attribs =
1401 trust->trust_attributes;
1403 wcache_tdc_add_domain( &d );
1408 /* This gets a little tricky. If we are
1409 following a transitive forest trust, then
1410 innerit the flags, type, and attribs from
1411 the domain we queried to make sure we don't
1412 record the view of the trust from the wrong
1413 side. Always view it from the side of our
1414 primary domain. --jerry */
1415 struct winbindd_tdc_domain *parent = NULL;
1417 DEBUG(10,("trusted_domains(ads): Searching "
1418 "trusted domain list of %s and inheriting "
1419 "trust flags for domain %s\n",
1420 domain->name, d.alt_name));
1422 parent = wcache_tdc_fetch_domain(talloc_tos(),
1425 d.domain_flags = parent->trust_flags;
1426 d.domain_type = parent->trust_type;
1427 d.domain_trust_attribs = parent->trust_attribs;
1429 d.domain_flags = domain->domain_flags;
1430 d.domain_type = domain->domain_type;
1431 d.domain_trust_attribs =
1432 domain->domain_trust_attribs;
1434 TALLOC_FREE(parent);
1436 wcache_tdc_add_domain( &d );
1443 /* the ADS backend methods are exposed via this structure */
1444 struct winbindd_methods ads_methods = {
git.samba.org / samba.git / blob