2 Unix SMB/Netbios implementation.
4 Winbind ADS backend functions
6 Copyright (C) Andrew Tridgell 2001
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program; if not, write to the Free Software
20 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
27 /* the realm of our primary LDAP server */
28 static char *primary_realm;
32 a wrapper around ldap_search_s that retries depending on the error code
33 this is supposed to catch dropped connections and auto-reconnect
35 ADS_STATUS ads_do_search_retry(ADS_STRUCT *ads, const char *bind_path, int scope,
37 const char **attrs, void **res)
43 time(NULL) - ads->last_attempt < ADS_RECONNECT_TIME) {
44 return ADS_ERROR(LDAP_SERVER_DOWN);
48 status = ads_do_search(ads, bind_path, scope, exp, attrs, res);
49 if (ADS_ERR_OK(status)) {
50 DEBUG(5,("Search for %s gave %d replies\n",
51 exp, ads_count_replies(ads, *res)));
55 if (*res) ads_msgfree(ads, *res);
57 DEBUG(1,("Reopening ads connection after error %s\n",
60 /* we should unbind here, but that seems to trigger openldap bugs :(
65 status = ads_connect(ads);
66 if (!ADS_ERR_OK(status)) {
67 DEBUG(1,("ads_search_retry: failed to reconnect (%s)\n",
74 DEBUG(1,("ads reopen failed after error %s\n", ads_errstr(status)));
79 ADS_STATUS ads_search_retry(ADS_STRUCT *ads, void **res,
83 return ads_do_search_retry(ads, ads->bind_path, LDAP_SCOPE_SUBTREE,
87 ADS_STATUS ads_search_retry_dn(ADS_STRUCT *ads, void **res,
91 return ads_do_search_retry(ads, dn, LDAP_SCOPE_BASE,
92 "(objectclass=*)", attrs, res);
96 return our ads connections structure for a domain. We keep the connection
97 open to make things faster
99 static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain)
104 struct in_addr server_ip;
106 if (domain->private) {
107 return (ADS_STRUCT *)domain->private;
110 /* we don't want this to affect the users ccache */
111 ccache = lock_path("winbindd_ccache");
112 SETENV("KRB5CCNAME", ccache, 1);
115 if (!resolve_name(domain->name, &server_ip, 0x1b)) {
116 DEBUG(1,("Can't find PDC for domain %s\n", domain->name));
120 ads = ads_init(primary_realm, inet_ntoa(server_ip), NULL, NULL);
122 DEBUG(1,("ads_init for domain %s failed\n", domain->name));
126 /* the machine acct password might have change - fetch it every time */
127 SAFE_FREE(ads->password);
128 ads->password = secrets_fetch_machine_password();
130 status = ads_connect(ads);
131 if (!ADS_ERR_OK(status)) {
132 DEBUG(1,("ads_connect for domain %s failed: %s\n",
133 domain->name, ads_errstr(status)));
138 /* remember our primary realm for trusted domain support */
139 if (!primary_realm) {
140 primary_realm = strdup(ads->realm);
143 fstrcpy(domain->full_name, ads->server_realm);
145 domain->private = (void *)ads;
150 static void sid_from_rid(struct winbindd_domain *domain, uint32 rid, DOM_SID *sid)
152 sid_copy(sid, &domain->sid);
153 sid_append_rid(sid, rid);
156 /* turn a sAMAccountType into a SID_NAME_USE */
157 static enum SID_NAME_USE ads_atype_map(uint32 atype)
159 switch (atype & 0xF0000000) {
161 return SID_NAME_DOM_GRP;
163 return SID_NAME_USER;
165 DEBUG(1,("hmm, need to map account type 0x%x\n", atype));
167 return SID_NAME_UNKNOWN;
170 /* Query display info for a realm. This is the basic user list fn */
171 static NTSTATUS query_user_list(struct winbindd_domain *domain,
174 WINBIND_USERINFO **info)
176 ADS_STRUCT *ads = NULL;
177 const char *attrs[] = {"sAMAccountName", "name", "objectSid", "primaryGroupID",
178 "sAMAccountType", NULL};
183 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
187 DEBUG(3,("ads: query_user_list\n"));
189 ads = ads_cached_connection(domain);
192 rc = ads_search_retry(ads, &res, "(objectCategory=user)", attrs);
193 if (!ADS_ERR_OK(rc)) {
194 DEBUG(1,("query_user_list ads_search: %s\n", ads_errstr(rc)));
198 count = ads_count_replies(ads, res);
200 DEBUG(1,("query_user_list: No users found\n"));
204 (*info) = talloc(mem_ctx, count * sizeof(**info));
206 status = NT_STATUS_NO_MEMORY;
212 for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
218 if (!ads_pull_uint32(ads, msg, "sAMAccountType", &atype) ||
219 ads_atype_map(atype) != SID_NAME_USER) {
220 DEBUG(1,("Not a user account? atype=0x%x\n", atype));
224 name = ads_pull_string(ads, mem_ctx, msg, "sAMAccountName");
225 gecos = ads_pull_string(ads, mem_ctx, msg, "name");
226 if (!ads_pull_sid(ads, msg, "objectSid", &sid)) {
227 DEBUG(1,("No sid for %s !?\n", name));
230 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &group)) {
231 DEBUG(1,("No primary group for %s !?\n", name));
235 if (!sid_peek_rid(&sid, &rid)) {
236 DEBUG(1,("No rid for %s !?\n", name));
240 (*info)[i].acct_name = name;
241 (*info)[i].full_name = gecos;
242 (*info)[i].user_rid = rid;
243 (*info)[i].group_rid = group;
248 status = NT_STATUS_OK;
250 DEBUG(3,("ads query_user_list gave %d entries\n", (*num_entries)));
253 if (res) ads_msgfree(ads, res);
258 /* list all domain groups */
259 static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
262 struct acct_info **info)
264 ADS_STRUCT *ads = NULL;
265 const char *attrs[] = {"sAMAccountName", "name", "objectSid",
266 "sAMAccountType", NULL};
271 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
275 DEBUG(3,("ads: enum_dom_groups\n"));
277 ads = ads_cached_connection(domain);
280 rc = ads_search_retry(ads, &res, "(objectCategory=group)", attrs);
281 if (!ADS_ERR_OK(rc)) {
282 DEBUG(1,("query_user_list ads_search: %s\n", ads_errstr(rc)));
286 count = ads_count_replies(ads, res);
288 DEBUG(1,("query_user_list: No users found\n"));
292 (*info) = talloc(mem_ctx, count * sizeof(**info));
294 status = NT_STATUS_NO_MEMORY;
300 for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
306 if (!ads_pull_uint32(ads, msg, "sAMAccountType",
308 !(account_type & ATYPE_GROUP)) continue;
310 name = ads_pull_string(ads, mem_ctx, msg, "sAMAccountName");
311 gecos = ads_pull_string(ads, mem_ctx, msg, "name");
312 if (!ads_pull_sid(ads, msg, "objectSid", &sid)) {
313 DEBUG(1,("No sid for %s !?\n", name));
317 if (!sid_peek_rid(&sid, &rid)) {
318 DEBUG(1,("No rid for %s !?\n", name));
322 fstrcpy((*info)[i].acct_name, name);
323 fstrcpy((*info)[i].acct_desc, gecos);
324 (*info)[i].rid = rid;
330 status = NT_STATUS_OK;
332 DEBUG(3,("ads enum_dom_groups gave %d entries\n", (*num_entries)));
335 if (res) ads_msgfree(ads, res);
341 /* convert a single name to a sid in a domain */
342 static NTSTATUS name_to_sid(struct winbindd_domain *domain,
345 enum SID_NAME_USE *type)
347 ADS_STRUCT *ads = NULL;
348 const char *attrs[] = {"objectSid", "sAMAccountType", NULL};
354 fstring name2, dom2, fullname2;
355 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
357 /* sigh. Need to fix interface to give us a raw name */
358 fstrcpy(fullname2, name);
359 fstring_sub(fullname2, "\\", lp_winbind_separator());
360 if (!parse_domain_user(fullname2, dom2, name2)) {
364 DEBUG(3,("ads: name_to_sid\n"));
366 ads = ads_cached_connection(domain);
369 asprintf(&exp, "(sAMAccountName=%s)", name2);
370 rc = ads_search_retry(ads, &res, exp, attrs);
372 if (!ADS_ERR_OK(rc)) {
373 DEBUG(1,("name_to_sid ads_search: %s\n", ads_errstr(rc)));
377 count = ads_count_replies(ads, res);
379 DEBUG(1,("name_to_sid: %s not found\n", name));
383 if (!ads_pull_sid(ads, res, "objectSid", sid)) {
384 DEBUG(1,("No sid for %s !?\n", name));
388 if (!ads_pull_uint32(ads, res, "sAMAccountType", &t)) {
389 DEBUG(1,("No sAMAccountType for %s !?\n", name));
393 *type = ads_atype_map(t);
395 status = NT_STATUS_OK;
397 DEBUG(3,("ads name_to_sid mapped %s\n", name));
400 if (res) ads_msgfree(ads, res);
405 /* convert a sid to a user or group name */
406 static NTSTATUS sid_to_name(struct winbindd_domain *domain,
410 enum SID_NAME_USE *type)
412 ADS_STRUCT *ads = NULL;
413 const char *attrs[] = {"sAMAccountName", "sAMAccountType", NULL};
420 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
422 DEBUG(3,("ads: sid_to_name\n"));
424 ads = ads_cached_connection(domain);
427 sidstr = sid_binstring(sid);
428 asprintf(&exp, "(objectSid=%s)", sidstr);
429 rc = ads_search_retry(ads, &msg, exp, attrs);
432 if (!ADS_ERR_OK(rc)) {
433 DEBUG(1,("sid_to_name ads_search: %s\n", ads_errstr(rc)));
437 if (!ads_pull_uint32(ads, msg, "sAMAccountType", &atype)) {
441 s = ads_pull_string(ads, mem_ctx, msg, "sAMAccountName");
442 *name = talloc_asprintf(mem_ctx, "%s%s%s", domain->name, lp_winbind_separator(), s);
443 *type = ads_atype_map(atype);
445 status = NT_STATUS_OK;
447 DEBUG(3,("ads sid_to_name mapped %s\n", *name));
450 if (msg) ads_msgfree(ads, msg);
456 /* Lookup user information from a rid */
457 static NTSTATUS query_user(struct winbindd_domain *domain,
460 WINBIND_USERINFO *info)
462 ADS_STRUCT *ads = NULL;
463 const char *attrs[] = {"sAMAccountName", "name", "objectSid",
464 "primaryGroupID", NULL};
471 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
473 DEBUG(3,("ads: query_user\n"));
475 sid_from_rid(domain, user_rid, &sid);
477 ads = ads_cached_connection(domain);
480 sidstr = sid_binstring(&sid);
481 asprintf(&exp, "(objectSid=%s)", sidstr);
482 rc = ads_search_retry(ads, &msg, exp, attrs);
485 if (!ADS_ERR_OK(rc)) {
486 DEBUG(1,("query_user(rid=%d) ads_search: %s\n", user_rid, ads_errstr(rc)));
490 count = ads_count_replies(ads, msg);
492 DEBUG(1,("query_user(rid=%d): Not found\n", user_rid));
496 info->acct_name = ads_pull_string(ads, mem_ctx, msg, "sAMAccountName");
497 info->full_name = ads_pull_string(ads, mem_ctx, msg, "name");
498 if (!ads_pull_sid(ads, msg, "objectSid", &sid)) {
499 DEBUG(1,("No sid for %d !?\n", user_rid));
502 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &info->group_rid)) {
503 DEBUG(1,("No primary group for %d !?\n", user_rid));
507 if (!sid_peek_rid(&sid, &info->user_rid)) {
508 DEBUG(1,("No rid for %d !?\n", user_rid));
512 status = NT_STATUS_OK;
514 DEBUG(3,("ads query_user gave %s\n", info->acct_name));
516 if (msg) ads_msgfree(ads, msg);
522 /* Lookup groups a user is a member of. */
523 static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
526 uint32 *num_groups, uint32 **user_gids)
528 ADS_STRUCT *ads = NULL;
529 const char *attrs[] = {"distinguishedName", NULL};
530 const char *attrs2[] = {"tokenGroups", "primaryGroupID", NULL};
538 uint32 primary_group;
541 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
545 DEBUG(3,("ads: lookup_usergroups\n"));
549 sid_from_rid(domain, user_rid, &sid);
551 ads = ads_cached_connection(domain);
554 sidstr = sid_binstring(&sid);
555 asprintf(&exp, "(objectSid=%s)", sidstr);
556 rc = ads_search_retry(ads, &msg, exp, attrs);
559 if (!ADS_ERR_OK(rc)) {
560 DEBUG(1,("lookup_usergroups(rid=%d) ads_search: %s\n", user_rid, ads_errstr(rc)));
564 user_dn = ads_pull_string(ads, mem_ctx, msg, "distinguishedName");
566 if (msg) ads_msgfree(ads, msg);
568 rc = ads_search_retry_dn(ads, &msg, user_dn, attrs2);
569 if (!ADS_ERR_OK(rc)) {
570 DEBUG(1,("lookup_usergroups(rid=%d) ads_search tokenGroups: %s\n", user_rid, ads_errstr(rc)));
574 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &primary_group)) {
575 DEBUG(1,("%s: No primary group for rid=%d !?\n", domain->name, user_rid));
579 count = ads_pull_sids(ads, mem_ctx, msg, "tokenGroups", &sids) + 1;
580 (*user_gids) = (uint32 *)talloc(mem_ctx, sizeof(uint32) * count);
581 (*user_gids)[(*num_groups)++] = primary_group;
583 for (i=1;i<count;i++) {
585 if (!sid_peek_rid(&sids[i-1], &rid)) continue;
586 (*user_gids)[*num_groups] = rid;
590 status = NT_STATUS_OK;
591 DEBUG(3,("ads lookup_usergroups for rid=%d\n", user_rid));
593 if (msg) ads_msgfree(ads, msg);
599 static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
601 uint32 group_rid, uint32 *num_names,
602 uint32 **rid_mem, char ***names,
607 const char *attrs[] = {"sAMAccountName", "objectSid", "sAMAccountType", NULL};
610 void *res=NULL, *msg=NULL;
611 ADS_STRUCT *ads = NULL;
613 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
617 ads = ads_cached_connection(domain);
620 sid_from_rid(domain, group_rid, &group_sid);
621 sidstr = sid_binstring(&group_sid);
622 /* search for all users who have that group sid as primary group or as member */
623 asprintf(&exp, "(&(objectCategory=user)(|(primaryGroupID=%d)(memberOf=%s)))",
625 rc = ads_search_retry(ads, &res, exp, attrs);
628 if (!ADS_ERR_OK(rc)) {
629 DEBUG(1,("query_user_list ads_search: %s\n", ads_errstr(rc)));
633 count = ads_count_replies(ads, res);
635 status = NT_STATUS_OK;
639 (*rid_mem) = talloc(mem_ctx, sizeof(uint32) * count);
640 (*name_types) = talloc(mem_ctx, sizeof(uint32) * count);
641 (*names) = talloc(mem_ctx, sizeof(char *) * count);
643 for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
647 (*names)[*num_names] = ads_pull_string(ads, mem_ctx, msg, "sAMAccountName");
648 if (!ads_pull_uint32(ads, msg, "sAMAccountType", &atype)) {
651 (*name_types)[*num_names] = ads_atype_map(atype);
652 if (!ads_pull_sid(ads, msg, "objectSid", &sid)) {
653 DEBUG(1,("No sid for %s !?\n", (*names)[*num_names]));
656 if (!sid_peek_rid(&sid, &rid)) {
657 DEBUG(1,("No rid for %s !?\n", (*names)[*num_names]));
660 (*rid_mem)[*num_names] = rid;
664 status = NT_STATUS_OK;
665 DEBUG(3,("ads lookup_groupmem for rid=%d\n", group_rid));
667 if (res) ads_msgfree(ads, res);
672 /* find the sequence number for a domain */
673 static NTSTATUS sequence_number(struct winbindd_domain *domain, uint32 *seq)
675 ADS_STRUCT *ads = NULL;
678 *seq = DOM_SEQUENCE_NONE;
680 ads = ads_cached_connection(domain);
681 if (!ads) return NT_STATUS_UNSUCCESSFUL;
683 rc = ads_USN(ads, seq);
684 return ads_ntstatus(rc);
687 /* get a list of trusted domains */
688 static NTSTATUS trusted_domains(struct winbindd_domain *domain,
694 ADS_STRUCT *ads = NULL;
700 ads = ads_cached_connection(domain);
701 if (!ads) return NT_STATUS_UNSUCCESSFUL;
703 rc = ads_trusted_domains(ads, mem_ctx, num_domains, names, dom_sids);
705 return ads_ntstatus(rc);
708 /* find the domain sid for a domain */
709 static NTSTATUS domain_sid(struct winbindd_domain *domain, DOM_SID *sid)
711 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
712 const char *attrs[] = {"objectSid", NULL};
713 ADS_STRUCT *ads = NULL;
717 ads = ads_cached_connection(domain);
720 rc = ads_do_search(ads, ads->bind_path, LDAP_SCOPE_BASE, "(objectclass=*)",
722 if (!ADS_ERR_OK(rc)) goto done;
723 if (ads_pull_sid(ads, res, "objectSid", sid)) {
724 status = NT_STATUS_OK;
726 ads_msgfree(ads, res);
732 /* the ADS backend methods are exposed via this structure */
733 struct winbindd_methods ads_methods = {