2 Unix SMB/Netbios implementation.
4 Winbind ADS backend functions
6 Copyright (C) Andrew Tridgell 2001
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program; if not, write to the Free Software
20 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
29 a wrapper around ldap_search_s that retries depending on the error code
30 this is supposed to catch dropped connections and auto-reconnect
32 int ads_do_search_retry(ADS_STRUCT *ads, const char *bind_path, int scope,
34 const char **attrs, void **res)
40 time(NULL) - ads->last_attempt < ADS_RECONNECT_TIME) {
41 return LDAP_SERVER_DOWN;
45 rc = ads_do_search(ads, bind_path, scope, exp, attrs, res);
46 if (rc == 0) return rc;
48 if (*res) ads_msgfree(ads, *res);
50 DEBUG(1,("Reopening ads connection after error %s\n", ads_errstr(rc)));
52 /* we should unbind here, but that seems to trigger openldap bugs :(
57 rc2 = ads_connect(ads);
59 DEBUG(1,("ads_search_retry: failed to reconnect (%s)\n", ads_errstr(rc)));
63 DEBUG(1,("ads reopen failed after error %s\n", ads_errstr(rc)));
68 int ads_search_retry(ADS_STRUCT *ads, void **res,
72 return ads_do_search_retry(ads, ads->bind_path, LDAP_SCOPE_SUBTREE,
76 int ads_search_retry_dn(ADS_STRUCT *ads, void **res,
80 return ads_do_search_retry(ads, dn, LDAP_SCOPE_BASE,
81 "(objectclass=*)", attrs, res);
85 return our ads connections structure for a domain. We keep the connection
86 open to make things faster
88 static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain)
93 if (domain->private) {
94 return (ADS_STRUCT *)domain->private;
97 ads = ads_init(NULL, NULL, NULL, NULL);
99 DEBUG(1,("ads_init for domain %s failed\n", domain->name));
103 /* the machine acct password might have change - fetch it every time */
104 SAFE_FREE(ads->password);
105 ads->password = secrets_fetch_machine_password();
107 rc = ads_connect(ads);
109 DEBUG(1,("ads_connect for domain %s failed: %s\n", domain->name, ads_errstr(rc)));
114 domain->private = (void *)ads;
119 static void sid_from_rid(struct winbindd_domain *domain, uint32 rid, DOM_SID *sid)
121 sid_copy(sid, &domain->sid);
122 sid_append_rid(sid, rid);
125 /* turn a sAMAccountType into a SID_NAME_USE */
126 static enum SID_NAME_USE ads_atype_map(uint32 atype)
128 switch (atype & 0xF0000000) {
130 return SID_NAME_DOM_GRP;
132 return SID_NAME_USER;
134 DEBUG(1,("hmm, need to map account type 0x%x\n", atype));
136 return SID_NAME_UNKNOWN;
139 /* Query display info for a realm. This is the basic user list fn */
140 static NTSTATUS query_user_list(struct winbindd_domain *domain,
142 uint32 *start_ndx, uint32 *num_entries,
143 WINBIND_USERINFO **info)
145 ADS_STRUCT *ads = NULL;
146 const char *attrs[] = {"sAMAccountName", "name", "objectSid", "primaryGroupID",
147 "userAccountControl", NULL};
151 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
153 DEBUG(3,("ads: query_user_list\n"));
155 if ((*start_ndx) != 0) {
156 DEBUG(1,("ads backend start_ndx not implemented!\n"));
157 status = NT_STATUS_NOT_IMPLEMENTED;
161 ads = ads_cached_connection(domain);
164 rc = ads_search_retry(ads, &res, "(objectclass=user)", attrs);
166 DEBUG(1,("query_user_list ads_search: %s\n", ads_errstr(rc)));
170 count = ads_count_replies(ads, res);
172 DEBUG(1,("query_user_list: No users found\n"));
176 (*info) = talloc(mem_ctx, count * sizeof(**info));
178 status = NT_STATUS_NO_MEMORY;
184 for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
188 uint32 account_control;
190 if (!ads_pull_uint32(ads, msg, "userAccountControl",
192 !(account_control & UF_NORMAL_ACCOUNT)) continue;
194 name = ads_pull_string(ads, mem_ctx, msg, "sAMAccountName");
195 gecos = ads_pull_string(ads, mem_ctx, msg, "name");
196 if (!ads_pull_sid(ads, msg, "objectSid", &sid)) {
197 DEBUG(1,("No sid for %s !?\n", name));
200 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &group)) {
201 DEBUG(1,("No primary group for %s !?\n", name));
205 if (!sid_peek_rid(&sid, &rid)) {
206 DEBUG(1,("No rid for %s !?\n", name));
210 (*info)[i].acct_name = name;
211 (*info)[i].full_name = gecos;
212 (*info)[i].user_rid = rid;
213 (*info)[i].group_rid = group;
218 status = NT_STATUS_OK;
221 if (res) ads_msgfree(ads, res);
226 /* list all domain groups */
227 static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
229 uint32 *start_ndx, uint32 *num_entries,
230 struct acct_info **info)
232 ADS_STRUCT *ads = NULL;
233 const char *attrs[] = {"sAMAccountName", "name", "objectSid",
234 "sAMAccountType", NULL};
238 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
240 DEBUG(3,("ads: enum_dom_groups\n"));
242 if ((*start_ndx) != 0) {
243 DEBUG(1,("ads backend start_ndx not implemented\n"));
244 status = NT_STATUS_NOT_IMPLEMENTED;
248 ads = ads_cached_connection(domain);
251 rc = ads_search_retry(ads, &res, "(objectclass=group)", attrs);
253 DEBUG(1,("query_user_list ads_search: %s\n", ads_errstr(rc)));
257 count = ads_count_replies(ads, res);
259 DEBUG(1,("query_user_list: No users found\n"));
263 (*info) = talloc(mem_ctx, count * sizeof(**info));
265 status = NT_STATUS_NO_MEMORY;
271 for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
277 if (!ads_pull_uint32(ads, msg, "sAMAccountType",
279 !(account_type & ATYPE_GROUP)) continue;
281 name = ads_pull_string(ads, mem_ctx, msg, "sAMAccountName");
282 gecos = ads_pull_string(ads, mem_ctx, msg, "name");
283 if (!ads_pull_sid(ads, msg, "objectSid", &sid)) {
284 DEBUG(1,("No sid for %s !?\n", name));
288 if (!sid_peek_rid(&sid, &rid)) {
289 DEBUG(1,("No rid for %s !?\n", name));
293 fstrcpy((*info)[i].acct_name, name);
294 fstrcpy((*info)[i].acct_desc, gecos);
295 (*info)[i].rid = rid;
301 status = NT_STATUS_OK;
304 if (res) ads_msgfree(ads, res);
310 /* convert a single name to a sid in a domain */
311 static NTSTATUS name_to_sid(struct winbindd_domain *domain,
314 enum SID_NAME_USE *type)
316 ADS_STRUCT *ads = NULL;
317 const char *attrs[] = {"objectSid", "sAMAccountType", NULL};
323 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
325 /* sigh. Need to fix interface to give us a raw name */
326 if (!parse_domain_user(name, dom2, name2)) {
330 DEBUG(3,("ads: name_to_sid\n"));
332 ads = ads_cached_connection(domain);
335 asprintf(&exp, "(sAMAccountName=%s)", name2);
336 rc = ads_search_retry(ads, &res, exp, attrs);
339 DEBUG(1,("name_to_sid ads_search: %s\n", ads_errstr(rc)));
343 count = ads_count_replies(ads, res);
345 DEBUG(1,("name_to_sid: %s not found\n", name));
349 if (!ads_pull_sid(ads, res, "objectSid", sid)) {
350 DEBUG(1,("No sid for %s !?\n", name));
354 if (!ads_pull_uint32(ads, res, "sAMAccountType", &t)) {
355 DEBUG(1,("No sAMAccountType for %s !?\n", name));
359 *type = ads_atype_map(t);
361 status = NT_STATUS_OK;
364 if (res) ads_msgfree(ads, res);
369 /* convert a sid to a user or group name */
370 static NTSTATUS sid_to_name(struct winbindd_domain *domain,
374 enum SID_NAME_USE *type)
376 ADS_STRUCT *ads = NULL;
377 const char *attrs[] = {"sAMAccountName", "sAMAccountType", NULL};
384 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
386 DEBUG(3,("ads: sid_to_name\n"));
388 ads = ads_cached_connection(domain);
391 sidstr = ads_sid_binstring(sid);
392 asprintf(&exp, "(objectSid=%s)", sidstr);
393 rc = ads_search_retry(ads, &msg, exp, attrs);
397 DEBUG(1,("sid_to_name ads_search: %s\n", ads_errstr(rc)));
401 if (!ads_pull_uint32(ads, msg, "sAMAccountType", &atype)) {
405 s = ads_pull_string(ads, mem_ctx, msg, "sAMAccountName");
406 *name = talloc_asprintf(mem_ctx, "%s%s%s", domain->name, lp_winbind_separator(), s);
407 *type = ads_atype_map(atype);
409 status = NT_STATUS_OK;
411 if (msg) ads_msgfree(ads, msg);
417 /* Lookup user information from a rid */
418 static NTSTATUS query_user(struct winbindd_domain *domain,
421 WINBIND_USERINFO *info)
423 ADS_STRUCT *ads = NULL;
424 const char *attrs[] = {"sAMAccountName", "name", "objectSid", "primaryGroupID",
425 "userAccountControl", NULL};
431 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
433 DEBUG(3,("ads: query_user\n"));
435 sid_from_rid(domain, user_rid, &sid);
437 ads = ads_cached_connection(domain);
440 sidstr = ads_sid_binstring(&sid);
441 asprintf(&exp, "(objectSid=%s)", sidstr);
442 rc = ads_search_retry(ads, &msg, exp, attrs);
446 DEBUG(1,("query_user(rid=%d) ads_search: %s\n", user_rid, ads_errstr(rc)));
450 count = ads_count_replies(ads, msg);
452 DEBUG(1,("query_user(rid=%d): Not found\n", user_rid));
456 info->acct_name = ads_pull_string(ads, mem_ctx, msg, "sAMAccountName");
457 info->full_name = ads_pull_string(ads, mem_ctx, msg, "name");
458 if (!ads_pull_sid(ads, msg, "objectSid", &sid)) {
459 DEBUG(1,("No sid for %d !?\n", user_rid));
462 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &info->group_rid)) {
463 DEBUG(1,("No primary group for %d !?\n", user_rid));
467 if (!sid_peek_rid(&sid, &info->user_rid)) {
468 DEBUG(1,("No rid for %d !?\n", user_rid));
472 status = NT_STATUS_OK;
475 if (msg) ads_msgfree(ads, msg);
481 /* Lookup groups a user is a member of. */
482 static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
485 uint32 *num_groups, uint32 **user_gids)
487 ADS_STRUCT *ads = NULL;
488 const char *attrs[] = {"distinguishedName", NULL};
489 const char *attrs2[] = {"tokenGroups", "primaryGroupID", NULL};
496 uint32 primary_group;
499 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
501 DEBUG(3,("ads: lookup_usergroups\n"));
505 sid_from_rid(domain, user_rid, &sid);
507 ads = ads_cached_connection(domain);
510 sidstr = ads_sid_binstring(&sid);
511 asprintf(&exp, "(objectSid=%s)", sidstr);
512 rc = ads_search_retry(ads, &msg, exp, attrs);
516 DEBUG(1,("lookup_usergroups(rid=%d) ads_search: %s\n", user_rid, ads_errstr(rc)));
520 user_dn = ads_pull_string(ads, mem_ctx, msg, "distinguishedName");
522 if (msg) ads_msgfree(ads, msg);
524 rc = ads_search_retry_dn(ads, &msg, user_dn, attrs2);
526 DEBUG(1,("lookup_usergroups(rid=%d) ads_search tokenGroups: %s\n", user_rid, ads_errstr(rc)));
530 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &primary_group)) {
531 DEBUG(1,("No primary group for rid=%d !?\n", user_rid));
535 count = ads_pull_sids(ads, mem_ctx, msg, "tokenGroups", &sids) + 1;
536 (*user_gids) = (uint32 *)talloc(mem_ctx, sizeof(uint32) * count);
537 (*user_gids)[(*num_groups)++] = primary_group;
539 for (i=1;i<count;i++) {
541 if (!sid_peek_rid(&sids[i-1], &rid)) continue;
542 (*user_gids)[*num_groups] = rid;
546 status = NT_STATUS_OK;
548 if (msg) ads_msgfree(ads, msg);
554 static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
556 uint32 group_rid, uint32 *num_names,
557 uint32 **rid_mem, char ***names,
562 const char *attrs[] = {"sAMAccountName", "objectSid", "sAMAccountType", NULL};
564 void *res=NULL, *msg=NULL;
565 ADS_STRUCT *ads = NULL;
567 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
571 ads = ads_cached_connection(domain);
574 sid_from_rid(domain, group_rid, &group_sid);
575 sidstr = ads_sid_binstring(&group_sid);
576 /* search for all users who have that group sid as primary group or as member */
577 asprintf(&exp, "(&(objectclass=user)(|(primaryGroupID=%d)(memberOf=%s)))",
579 rc = ads_search_retry(ads, &res, exp, attrs);
583 DEBUG(1,("query_user_list ads_search: %s\n", ads_errstr(rc)));
587 count = ads_count_replies(ads, res);
589 status = NT_STATUS_OK;
593 (*rid_mem) = talloc(mem_ctx, sizeof(uint32) * count);
594 (*name_types) = talloc(mem_ctx, sizeof(uint32) * count);
595 (*names) = talloc(mem_ctx, sizeof(char *) * count);
597 for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
601 (*names)[*num_names] = ads_pull_string(ads, mem_ctx, msg, "sAMAccountName");
602 if (!ads_pull_uint32(ads, msg, "sAMAccountType", &atype)) {
605 (*name_types)[*num_names] = ads_atype_map(atype);
606 if (!ads_pull_sid(ads, msg, "objectSid", &sid)) {
607 DEBUG(1,("No sid for %s !?\n", (*names)[*num_names]));
610 if (!sid_peek_rid(&sid, &rid)) {
611 DEBUG(1,("No rid for %s !?\n", (*names)[*num_names]));
614 (*rid_mem)[*num_names] = rid;
618 status = NT_STATUS_OK;
620 if (res) ads_msgfree(ads, res);
625 /* find the sequence number for a domain */
626 static uint32 sequence_number(struct winbindd_domain *domain)
629 ADS_STRUCT *ads = NULL;
631 ads = ads_cached_connection(domain);
632 if (!ads) return DOM_SEQUENCE_NONE;
634 if (!ads_USN(ads, &usn)) return DOM_SEQUENCE_NONE;
639 /* the ADS backend methods are exposed via this structure */
640 struct winbindd_methods ads_methods = {