2 Unix SMB/Netbios implementation.
4 Winbind ADS backend functions
6 Copyright (C) Andrew Tridgell 2001
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program; if not, write to the Free Software
20 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
28 static void sid_from_rid(struct winbindd_domain *domain, uint32 rid, DOM_SID *sid)
30 sid_copy(sid, &domain->sid);
31 sid_append_rid(sid, rid);
34 /* turn a sAMAccountType into a SID_NAME_USE */
35 static enum SID_NAME_USE ads_atype_map(uint32 atype)
37 switch (atype & 0xF0000000) {
39 return SID_NAME_DOM_GRP;
43 DEBUG(1,("hmm, need to map account type 0x%x\n", atype));
45 return SID_NAME_UNKNOWN;
48 /* Query display info for a realm. This is the basic user list fn */
49 static NTSTATUS query_user_list(struct winbindd_domain *domain,
51 uint32 *start_ndx, uint32 *num_entries,
52 WINBIND_USERINFO **info)
55 const char *attrs[] = {"sAMAccountName", "name", "objectSid", "primaryGroupID",
56 "userAccountControl", NULL};
61 DEBUG(3,("ads: query_user_list\n"));
63 if ((*start_ndx) != 0) {
64 DEBUG(1,("ads backend start_ndx not implemented\n"));
65 return NT_STATUS_NOT_IMPLEMENTED;
68 ads = ads_init(NULL, NULL, NULL);
70 DEBUG(1,("ads_init failed\n"));
71 return NT_STATUS_UNSUCCESSFUL;
74 rc = ads_connect(ads);
76 DEBUG(1,("query_user_list ads_connect: %s\n", ads_errstr(rc)));
77 return NT_STATUS_UNSUCCESSFUL;
80 rc = ads_search(ads, &res, "(objectclass=user)", attrs);
82 DEBUG(1,("query_user_list ads_search: %s\n", ads_errstr(rc)));
83 return NT_STATUS_UNSUCCESSFUL;
86 count = ads_count_replies(ads, res);
88 DEBUG(1,("query_user_list: No users found\n"));
89 return NT_STATUS_UNSUCCESSFUL;
92 (*info) = talloc(mem_ctx, count * sizeof(**info));
93 if (!*info) return NT_STATUS_NO_MEMORY;
97 for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
101 uint32 account_control;
103 if (!ads_pull_uint32(ads, msg, "userAccountControl",
105 !(account_control & UF_NORMAL_ACCOUNT)) continue;
107 name = ads_pull_string(ads, mem_ctx, msg, "sAMAccountName");
108 gecos = ads_pull_string(ads, mem_ctx, msg, "name");
109 if (!ads_pull_sid(ads, msg, "objectSid", &sid)) {
110 DEBUG(1,("No sid for %s !?\n", name));
113 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &group)) {
114 DEBUG(1,("No primary group for %s !?\n", name));
118 if (!sid_peek_rid(&sid, &rid)) {
119 DEBUG(1,("No rid for %s !?\n", name));
123 (*info)[i].acct_name = name;
124 (*info)[i].full_name = gecos;
125 (*info)[i].user_rid = rid;
126 (*info)[i].group_rid = group;
137 /* list all domain groups */
138 static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
140 uint32 *start_ndx, uint32 *num_entries,
141 struct acct_info **info)
144 const char *attrs[] = {"sAMAccountName", "name", "objectSid",
145 "sAMAccountType", NULL};
150 DEBUG(3,("ads: enum_dom_groups\n"));
152 if ((*start_ndx) != 0) {
153 DEBUG(1,("ads backend start_ndx not implemented\n"));
154 return NT_STATUS_NOT_IMPLEMENTED;
157 ads = ads_init(NULL, NULL, NULL);
159 DEBUG(1,("ads_init failed\n"));
160 return NT_STATUS_UNSUCCESSFUL;
163 rc = ads_connect(ads);
165 DEBUG(1,("query_user_list ads_connect: %s\n", ads_errstr(rc)));
166 return NT_STATUS_UNSUCCESSFUL;
169 rc = ads_search(ads, &res, "(objectclass=group)", attrs);
171 DEBUG(1,("query_user_list ads_search: %s\n", ads_errstr(rc)));
172 return NT_STATUS_UNSUCCESSFUL;
175 count = ads_count_replies(ads, res);
177 DEBUG(1,("query_user_list: No users found\n"));
178 return NT_STATUS_UNSUCCESSFUL;
181 (*info) = talloc(mem_ctx, count * sizeof(**info));
182 if (!*info) return NT_STATUS_NO_MEMORY;
186 for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
192 if (!ads_pull_uint32(ads, msg, "sAMAccountType",
194 !(account_type & ATYPE_GROUP)) continue;
196 name = ads_pull_string(ads, mem_ctx, msg, "sAMAccountName");
197 gecos = ads_pull_string(ads, mem_ctx, msg, "name");
198 if (!ads_pull_sid(ads, msg, "objectSid", &sid)) {
199 DEBUG(1,("No sid for %s !?\n", name));
203 if (!sid_peek_rid(&sid, &rid)) {
204 DEBUG(1,("No rid for %s !?\n", name));
208 fstrcpy((*info)[i].acct_name, name);
209 fstrcpy((*info)[i].acct_desc, gecos);
210 (*info)[i].rid = rid;
222 /* convert a single name to a sid in a domain */
223 static NTSTATUS name_to_sid(struct winbindd_domain *domain,
226 enum SID_NAME_USE *type)
229 const char *attrs[] = {"objectSid", "sAMAccountType", NULL};
236 /* sigh. Need to fix interface to give us a raw name */
237 if (!parse_domain_user(name, dom2, name2))
238 return NT_STATUS_UNSUCCESSFUL;
240 DEBUG(3,("ads: name_to_sid\n"));
242 ads = ads_init(NULL, NULL, NULL);
244 DEBUG(1,("ads_init failed\n"));
245 return NT_STATUS_UNSUCCESSFUL;
248 rc = ads_connect(ads);
250 DEBUG(1,("name_to_sid ads_connect: %s\n", ads_errstr(rc)));
251 return NT_STATUS_UNSUCCESSFUL;
254 asprintf(&exp, "(sAMAccountName=%s)", name2);
255 rc = ads_search(ads, &res, exp, attrs);
258 DEBUG(1,("name_to_sid ads_search: %s\n", ads_errstr(rc)));
259 return NT_STATUS_UNSUCCESSFUL;
262 count = ads_count_replies(ads, res);
264 DEBUG(1,("name_to_sid: %s not found\n", name));
265 return NT_STATUS_UNSUCCESSFUL;
268 if (!ads_pull_sid(ads, res, "objectSid", sid)) {
269 DEBUG(1,("No sid for %s !?\n", name));
270 return NT_STATUS_UNSUCCESSFUL;
273 if (!ads_pull_uint32(ads, res, "sAMAccountType", &t)) {
274 DEBUG(1,("No sAMAccountType for %s !?\n", name));
275 return NT_STATUS_UNSUCCESSFUL;
278 *type = ads_atype_map(t);
286 /* convert a sid to a user or group name */
287 static NTSTATUS sid_to_name(struct winbindd_domain *domain,
291 enum SID_NAME_USE *type)
294 const char *attrs[] = {"sAMAccountName", "sAMAccountType", NULL};
302 DEBUG(3,("ads: sid_to_name\n"));
304 ads = ads_init(NULL, NULL, NULL);
306 DEBUG(1,("ads_init failed\n"));
307 return NT_STATUS_UNSUCCESSFUL;
310 rc = ads_connect(ads);
312 DEBUG(1,("sid_to_name ads_connect: %s\n", ads_errstr(rc)));
313 return NT_STATUS_UNSUCCESSFUL;
316 sidstr = ads_sid_binstring(sid);
317 asprintf(&exp, "(objectSid=%s)", sidstr);
318 rc = ads_search(ads, &msg, exp, attrs);
322 DEBUG(1,("sid_to_name ads_search: %s\n", ads_errstr(rc)));
323 return NT_STATUS_UNSUCCESSFUL;
326 if (!ads_pull_uint32(ads, msg, "sAMAccountType", &atype)) {
327 return NT_STATUS_UNSUCCESSFUL;
330 s = ads_pull_string(ads, mem_ctx, msg, "sAMAccountName");
331 *name = talloc_asprintf(mem_ctx, "%s%s%s", domain->name, lp_winbind_separator(), s);
332 *type = ads_atype_map(atype);
338 /* Lookup user information from a rid */
339 static NTSTATUS query_user(struct winbindd_domain *domain,
342 WINBIND_USERINFO *info)
345 const char *attrs[] = {"sAMAccountName", "name", "objectSid", "primaryGroupID",
346 "userAccountControl", NULL};
353 DEBUG(3,("ads: query_user\n"));
355 sid_from_rid(domain, user_rid, &sid);
357 ads = ads_init(NULL, NULL, NULL);
359 DEBUG(1,("ads_init failed\n"));
360 return NT_STATUS_UNSUCCESSFUL;
363 rc = ads_connect(ads);
365 DEBUG(1,("query_user ads_connect: %s\n", ads_errstr(rc)));
366 return NT_STATUS_UNSUCCESSFUL;
369 sidstr = ads_sid_binstring(&sid);
370 asprintf(&exp, "(objectSid=%s)", sidstr);
371 rc = ads_search(ads, &msg, exp, attrs);
375 DEBUG(1,("query_user(rid=%d) ads_search: %s\n", user_rid, ads_errstr(rc)));
376 return NT_STATUS_UNSUCCESSFUL;
379 count = ads_count_replies(ads, msg);
381 DEBUG(1,("query_user(rid=%d): Not found\n", user_rid));
382 return NT_STATUS_UNSUCCESSFUL;
385 info->acct_name = ads_pull_string(ads, mem_ctx, msg, "sAMAccountName");
386 info->full_name = ads_pull_string(ads, mem_ctx, msg, "name");
387 if (!ads_pull_sid(ads, msg, "objectSid", &sid)) {
388 DEBUG(1,("No sid for %d !?\n", user_rid));
391 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &info->group_rid)) {
392 DEBUG(1,("No primary group for %d !?\n", user_rid));
396 if (!sid_peek_rid(&sid, &info->user_rid)) {
397 DEBUG(1,("No rid for %d !?\n", user_rid));
406 return NT_STATUS_UNSUCCESSFUL;
409 /* Lookup groups a user is a member of. */
410 static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
413 uint32 *num_groups, uint32 **user_gids)
416 const char *attrs[] = {"distinguishedName", NULL};
417 const char *attrs2[] = {"tokenGroups", "primaryGroupID", NULL};
424 uint32 primary_group;
428 DEBUG(3,("ads: lookup_usergroups\n"));
432 sid_from_rid(domain, user_rid, &sid);
434 ads = ads_init(NULL, NULL, NULL);
436 DEBUG(1,("ads_init failed\n"));
437 return NT_STATUS_UNSUCCESSFUL;
440 rc = ads_connect(ads);
442 DEBUG(1,("lookup_usergroups ads_connect: %s\n", ads_errstr(rc)));
443 return NT_STATUS_UNSUCCESSFUL;
446 sidstr = ads_sid_binstring(&sid);
447 asprintf(&exp, "(objectSid=%s)", sidstr);
448 rc = ads_search(ads, &msg, exp, attrs);
452 DEBUG(1,("lookup_usergroups(rid=%d) ads_search: %s\n", user_rid, ads_errstr(rc)));
453 return NT_STATUS_UNSUCCESSFUL;
456 user_dn = ads_pull_string(ads, mem_ctx, msg, "distinguishedName");
458 rc = ads_search_dn(ads, &msg, user_dn, attrs2);
460 DEBUG(1,("lookup_usergroups(rid=%d) ads_search tokenGroups: %s\n", user_rid, ads_errstr(rc)));
461 return NT_STATUS_UNSUCCESSFUL;
464 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &primary_group)) {
465 DEBUG(1,("No primary group for rid=%d !?\n", user_rid));
466 return NT_STATUS_UNSUCCESSFUL;
469 count = ads_pull_sids(ads, mem_ctx, msg, "tokenGroups", &sids) + 1;
470 (*user_gids) = (uint32 *)talloc(mem_ctx, sizeof(uint32) * count);
471 (*user_gids)[(*num_groups)++] = primary_group;
473 for (i=1;i<count;i++) {
475 if (!sid_peek_rid(&sids[i-1], &rid)) continue;
476 (*user_gids)[*num_groups] = rid;
485 static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
487 uint32 group_rid, uint32 *num_names,
488 uint32 **rid_mem, char ***names,
493 const char *attrs[] = {"sAMAccountName", "objectSid", "sAMAccountType", NULL};
501 ads = ads_init(NULL, NULL, NULL);
503 DEBUG(1,("ads_init failed\n"));
504 return NT_STATUS_UNSUCCESSFUL;
507 rc = ads_connect(ads);
509 DEBUG(1,("query_user_list ads_connect: %s\n", ads_errstr(rc)));
510 return NT_STATUS_UNSUCCESSFUL;
513 sid_from_rid(domain, group_rid, &group_sid);
514 sidstr = ads_sid_binstring(&group_sid);
515 /* search for all users who have that group sid as primary group or as member */
516 asprintf(&exp, "(&(objectclass=user)(|(primaryGroupID=%d)(memberOf=%s)))",
518 rc = ads_search(ads, &res, exp, attrs);
520 DEBUG(1,("query_user_list ads_search: %s\n", ads_errstr(rc)));
521 return NT_STATUS_UNSUCCESSFUL;
524 count = ads_count_replies(ads, res);
529 (*rid_mem) = talloc(mem_ctx, sizeof(uint32) * count);
530 (*name_types) = talloc(mem_ctx, sizeof(uint32) * count);
531 (*names) = talloc(mem_ctx, sizeof(char *) * count);
533 for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
537 (*names)[*num_names] = ads_pull_string(ads, mem_ctx, msg, "sAMAccountName");
538 if (!ads_pull_uint32(ads, msg, "sAMAccountType", &atype)) {
541 (*name_types)[*num_names] = ads_atype_map(atype);
542 if (!ads_pull_sid(ads, msg, "objectSid", &sid)) {
543 DEBUG(1,("No sid for %s !?\n", (*names)[*num_names]));
546 if (!sid_peek_rid(&sid, &rid)) {
547 DEBUG(1,("No rid for %s !?\n", (*names)[*num_names]));
550 (*rid_mem)[*num_names] = rid;
559 /* the ADS backend methods are exposed via this structure */
560 struct winbindd_methods ads_methods = {