2 Unix SMB/Netbios implementation.
4 Winbind ADS backend functions
6 Copyright (C) Andrew Tridgell 2001
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program; if not, write to the Free Software
20 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
28 static void sid_from_rid(struct winbindd_domain *domain, uint32 rid, DOM_SID *sid)
30 sid_copy(sid, &domain->sid);
31 sid_append_rid(sid, rid);
34 /* turn a sAMAccountType into a SID_NAME_USE */
35 static enum SID_NAME_USE ads_atype_map(uint32 atype)
37 switch (atype & 0xF0000000) {
39 return SID_NAME_DOM_GRP;
43 DEBUG(1,("hmm, need to map account type 0x%x\n", atype));
45 return SID_NAME_UNKNOWN;
48 /* Query display info for a realm. This is the basic user list fn */
49 static NTSTATUS query_user_list(struct winbindd_domain *domain,
51 uint32 *start_ndx, uint32 *num_entries,
52 WINBIND_USERINFO **info)
54 ADS_STRUCT *ads = NULL;
55 const char *attrs[] = {"sAMAccountName", "name", "objectSid", "primaryGroupID",
56 "userAccountControl", NULL};
60 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
62 DEBUG(3,("ads: query_user_list\n"));
64 if ((*start_ndx) != 0) {
65 DEBUG(1,("ads backend start_ndx not implemented!\n"));
66 status = NT_STATUS_NOT_IMPLEMENTED;
70 ads = ads_init(NULL, NULL, NULL);
72 DEBUG(1,("ads_init failed\n"));
76 rc = ads_connect(ads);
78 DEBUG(1,("query_user_list ads_connect: %s\n", ads_errstr(rc)));
82 rc = ads_search(ads, &res, "(objectclass=user)", attrs);
84 DEBUG(1,("query_user_list ads_search: %s\n", ads_errstr(rc)));
88 count = ads_count_replies(ads, res);
90 DEBUG(1,("query_user_list: No users found\n"));
94 (*info) = talloc(mem_ctx, count * sizeof(**info));
96 status = NT_STATUS_NO_MEMORY;
102 for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
106 uint32 account_control;
108 if (!ads_pull_uint32(ads, msg, "userAccountControl",
110 !(account_control & UF_NORMAL_ACCOUNT)) continue;
112 name = ads_pull_string(ads, mem_ctx, msg, "sAMAccountName");
113 gecos = ads_pull_string(ads, mem_ctx, msg, "name");
114 if (!ads_pull_sid(ads, msg, "objectSid", &sid)) {
115 DEBUG(1,("No sid for %s !?\n", name));
118 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &group)) {
119 DEBUG(1,("No primary group for %s !?\n", name));
123 if (!sid_peek_rid(&sid, &rid)) {
124 DEBUG(1,("No rid for %s !?\n", name));
128 (*info)[i].acct_name = name;
129 (*info)[i].full_name = gecos;
130 (*info)[i].user_rid = rid;
131 (*info)[i].group_rid = group;
136 status = NT_STATUS_OK;
139 if (res) ads_msgfree(ads, res);
140 if (msg) ads_msgfree(ads, msg);
141 if (ads) ads_destroy(&ads);
146 /* list all domain groups */
147 static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
149 uint32 *start_ndx, uint32 *num_entries,
150 struct acct_info **info)
152 ADS_STRUCT *ads = NULL;
153 const char *attrs[] = {"sAMAccountName", "name", "objectSid",
154 "sAMAccountType", NULL};
158 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
160 DEBUG(3,("ads: enum_dom_groups\n"));
162 if ((*start_ndx) != 0) {
163 DEBUG(1,("ads backend start_ndx not implemented\n"));
164 status = NT_STATUS_NOT_IMPLEMENTED;
168 ads = ads_init(NULL, NULL, NULL);
170 DEBUG(1,("ads_init failed\n"));
174 rc = ads_connect(ads);
176 DEBUG(1,("query_user_list ads_connect: %s\n", ads_errstr(rc)));
180 rc = ads_search(ads, &res, "(objectclass=group)", attrs);
182 DEBUG(1,("query_user_list ads_search: %s\n", ads_errstr(rc)));
186 count = ads_count_replies(ads, res);
188 DEBUG(1,("query_user_list: No users found\n"));
192 (*info) = talloc(mem_ctx, count * sizeof(**info));
194 status = NT_STATUS_NO_MEMORY;
200 for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
206 if (!ads_pull_uint32(ads, msg, "sAMAccountType",
208 !(account_type & ATYPE_GROUP)) continue;
210 name = ads_pull_string(ads, mem_ctx, msg, "sAMAccountName");
211 gecos = ads_pull_string(ads, mem_ctx, msg, "name");
212 if (!ads_pull_sid(ads, msg, "objectSid", &sid)) {
213 DEBUG(1,("No sid for %s !?\n", name));
217 if (!sid_peek_rid(&sid, &rid)) {
218 DEBUG(1,("No rid for %s !?\n", name));
222 fstrcpy((*info)[i].acct_name, name);
223 fstrcpy((*info)[i].acct_desc, gecos);
224 (*info)[i].rid = rid;
230 status = NT_STATUS_OK;
233 if (res) ads_msgfree(ads, res);
234 if (msg) ads_msgfree(ads, msg);
235 if (ads) ads_destroy(&ads);
241 /* convert a single name to a sid in a domain */
242 static NTSTATUS name_to_sid(struct winbindd_domain *domain,
245 enum SID_NAME_USE *type)
247 ADS_STRUCT *ads = NULL;
248 const char *attrs[] = {"objectSid", "sAMAccountType", NULL};
254 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
256 /* sigh. Need to fix interface to give us a raw name */
257 if (!parse_domain_user(name, dom2, name2)) {
261 DEBUG(3,("ads: name_to_sid\n"));
263 ads = ads_init(NULL, NULL, NULL);
265 DEBUG(1,("ads_init failed\n"));
269 rc = ads_connect(ads);
271 DEBUG(1,("name_to_sid ads_connect: %s\n", ads_errstr(rc)));
275 asprintf(&exp, "(sAMAccountName=%s)", name2);
276 rc = ads_search(ads, &res, exp, attrs);
279 DEBUG(1,("name_to_sid ads_search: %s\n", ads_errstr(rc)));
283 count = ads_count_replies(ads, res);
285 DEBUG(1,("name_to_sid: %s not found\n", name));
289 if (!ads_pull_sid(ads, res, "objectSid", sid)) {
290 DEBUG(1,("No sid for %s !?\n", name));
294 if (!ads_pull_uint32(ads, res, "sAMAccountType", &t)) {
295 DEBUG(1,("No sAMAccountType for %s !?\n", name));
299 *type = ads_atype_map(t);
301 status = NT_STATUS_OK;
304 if (res) ads_msgfree(ads, res);
305 if (ads) ads_destroy(&ads);
310 /* convert a sid to a user or group name */
311 static NTSTATUS sid_to_name(struct winbindd_domain *domain,
315 enum SID_NAME_USE *type)
317 ADS_STRUCT *ads = NULL;
318 const char *attrs[] = {"sAMAccountName", "sAMAccountType", NULL};
325 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
327 DEBUG(3,("ads: sid_to_name\n"));
329 ads = ads_init(NULL, NULL, NULL);
331 DEBUG(1,("ads_init failed\n"));
335 rc = ads_connect(ads);
337 DEBUG(1,("sid_to_name ads_connect: %s\n", ads_errstr(rc)));
341 sidstr = ads_sid_binstring(sid);
342 asprintf(&exp, "(objectSid=%s)", sidstr);
343 rc = ads_search(ads, &msg, exp, attrs);
347 DEBUG(1,("sid_to_name ads_search: %s\n", ads_errstr(rc)));
351 if (!ads_pull_uint32(ads, msg, "sAMAccountType", &atype)) {
355 s = ads_pull_string(ads, mem_ctx, msg, "sAMAccountName");
356 *name = talloc_asprintf(mem_ctx, "%s%s%s", domain->name, lp_winbind_separator(), s);
357 *type = ads_atype_map(atype);
359 status = NT_STATUS_OK;
361 if (msg) ads_msgfree(ads, msg);
362 if (ads) ads_destroy(&ads);
368 /* Lookup user information from a rid */
369 static NTSTATUS query_user(struct winbindd_domain *domain,
372 WINBIND_USERINFO *info)
374 ADS_STRUCT *ads = NULL;
375 const char *attrs[] = {"sAMAccountName", "name", "objectSid", "primaryGroupID",
376 "userAccountControl", NULL};
382 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
384 DEBUG(3,("ads: query_user\n"));
386 sid_from_rid(domain, user_rid, &sid);
388 ads = ads_init(NULL, NULL, NULL);
390 DEBUG(1,("ads_init failed\n"));
394 rc = ads_connect(ads);
396 DEBUG(1,("query_user ads_connect: %s\n", ads_errstr(rc)));
400 sidstr = ads_sid_binstring(&sid);
401 asprintf(&exp, "(objectSid=%s)", sidstr);
402 rc = ads_search(ads, &msg, exp, attrs);
406 DEBUG(1,("query_user(rid=%d) ads_search: %s\n", user_rid, ads_errstr(rc)));
410 count = ads_count_replies(ads, msg);
412 DEBUG(1,("query_user(rid=%d): Not found\n", user_rid));
416 info->acct_name = ads_pull_string(ads, mem_ctx, msg, "sAMAccountName");
417 info->full_name = ads_pull_string(ads, mem_ctx, msg, "name");
418 if (!ads_pull_sid(ads, msg, "objectSid", &sid)) {
419 DEBUG(1,("No sid for %d !?\n", user_rid));
422 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &info->group_rid)) {
423 DEBUG(1,("No primary group for %d !?\n", user_rid));
427 if (!sid_peek_rid(&sid, &info->user_rid)) {
428 DEBUG(1,("No rid for %d !?\n", user_rid));
432 status = NT_STATUS_OK;
435 if (msg) ads_msgfree(ads, msg);
436 if (ads) ads_destroy(&ads);
442 /* Lookup groups a user is a member of. */
443 static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
446 uint32 *num_groups, uint32 **user_gids)
448 ADS_STRUCT *ads = NULL;
449 const char *attrs[] = {"distinguishedName", NULL};
450 const char *attrs2[] = {"tokenGroups", "primaryGroupID", NULL};
457 uint32 primary_group;
460 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
462 DEBUG(3,("ads: lookup_usergroups\n"));
466 sid_from_rid(domain, user_rid, &sid);
468 ads = ads_init(NULL, NULL, NULL);
470 DEBUG(1,("ads_init failed\n"));
474 rc = ads_connect(ads);
476 DEBUG(1,("lookup_usergroups ads_connect: %s\n", ads_errstr(rc)));
480 sidstr = ads_sid_binstring(&sid);
481 asprintf(&exp, "(objectSid=%s)", sidstr);
482 rc = ads_search(ads, &msg, exp, attrs);
486 DEBUG(1,("lookup_usergroups(rid=%d) ads_search: %s\n", user_rid, ads_errstr(rc)));
490 user_dn = ads_pull_string(ads, mem_ctx, msg, "distinguishedName");
492 rc = ads_search_dn(ads, &msg, user_dn, attrs2);
494 DEBUG(1,("lookup_usergroups(rid=%d) ads_search tokenGroups: %s\n", user_rid, ads_errstr(rc)));
498 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &primary_group)) {
499 DEBUG(1,("No primary group for rid=%d !?\n", user_rid));
503 count = ads_pull_sids(ads, mem_ctx, msg, "tokenGroups", &sids) + 1;
504 (*user_gids) = (uint32 *)talloc(mem_ctx, sizeof(uint32) * count);
505 (*user_gids)[(*num_groups)++] = primary_group;
507 for (i=1;i<count;i++) {
509 if (!sid_peek_rid(&sids[i-1], &rid)) continue;
510 (*user_gids)[*num_groups] = rid;
514 status = NT_STATUS_OK;
516 if (msg) ads_msgfree(ads, msg);
517 if (ads) ads_destroy(&ads);
523 static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
525 uint32 group_rid, uint32 *num_names,
526 uint32 **rid_mem, char ***names,
531 const char *attrs[] = {"sAMAccountName", "objectSid", "sAMAccountType", NULL};
533 void *res=NULL, *msg=NULL;
534 ADS_STRUCT *ads = NULL;
536 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
540 ads = ads_init(NULL, NULL, NULL);
542 DEBUG(1,("ads_init failed\n"));
546 rc = ads_connect(ads);
548 DEBUG(1,("query_user_list ads_connect: %s\n", ads_errstr(rc)));
552 sid_from_rid(domain, group_rid, &group_sid);
553 sidstr = ads_sid_binstring(&group_sid);
554 /* search for all users who have that group sid as primary group or as member */
555 asprintf(&exp, "(&(objectclass=user)(|(primaryGroupID=%d)(memberOf=%s)))",
557 rc = ads_search(ads, &res, exp, attrs);
561 DEBUG(1,("query_user_list ads_search: %s\n", ads_errstr(rc)));
565 count = ads_count_replies(ads, res);
567 status = NT_STATUS_OK;
571 (*rid_mem) = talloc(mem_ctx, sizeof(uint32) * count);
572 (*name_types) = talloc(mem_ctx, sizeof(uint32) * count);
573 (*names) = talloc(mem_ctx, sizeof(char *) * count);
575 for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
579 (*names)[*num_names] = ads_pull_string(ads, mem_ctx, msg, "sAMAccountName");
580 if (!ads_pull_uint32(ads, msg, "sAMAccountType", &atype)) {
583 (*name_types)[*num_names] = ads_atype_map(atype);
584 if (!ads_pull_sid(ads, msg, "objectSid", &sid)) {
585 DEBUG(1,("No sid for %s !?\n", (*names)[*num_names]));
588 if (!sid_peek_rid(&sid, &rid)) {
589 DEBUG(1,("No rid for %s !?\n", (*names)[*num_names]));
592 (*rid_mem)[*num_names] = rid;
596 status = NT_STATUS_OK;
598 if (msg) ads_msgfree(ads, msg);
599 if (res) ads_msgfree(ads, res);
600 if (ads) ads_destroy(&ads);
605 /* the ADS backend methods are exposed via this structure */
606 struct winbindd_methods ads_methods = {