2 Unix SMB/CIFS implementation.
4 Winbind ADS backend functions
6 Copyright (C) Andrew Tridgell 2001
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program; if not, write to the Free Software
20 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
28 #define DBGC_CLASS DBGC_WINBIND
30 /* the realm of our primary LDAP server */
31 static char *primary_realm;
35 return our ads connections structure for a domain. We keep the connection
36 open to make things faster
38 static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain)
43 if (domain->private) {
44 return (ADS_STRUCT *)domain->private;
47 /* we don't want this to affect the users ccache */
48 setenv("KRB5CCNAME", "MEMORY:winbind_ccache", 1);
50 ads = ads_init(domain->alt_name, domain->name, NULL);
52 DEBUG(1,("ads_init for domain %s failed\n", domain->name));
56 /* the machine acct password might have change - fetch it every time */
57 SAFE_FREE(ads->auth.password);
58 ads->auth.password = secrets_fetch_machine_password();
61 SAFE_FREE(ads->auth.realm);
62 ads->auth.realm = strdup(primary_realm);
65 status = ads_connect(ads);
66 if (!ADS_ERR_OK(status) || !ads->config.realm) {
67 extern struct winbindd_methods msrpc_methods;
68 DEBUG(1,("ads_connect for domain %s failed: %s\n",
69 domain->name, ads_errstr(status)));
72 /* if we get ECONNREFUSED then it might be a NT4
73 server, fall back to MSRPC */
74 if (status.error_type == ADS_ERROR_SYSTEM &&
75 status.err.rc == ECONNREFUSED) {
76 DEBUG(1,("Trying MSRPC methods\n"));
77 domain->methods = &msrpc_methods;
82 /* remember our primary realm for trusted domain support */
84 primary_realm = strdup(ads->config.realm);
87 domain->private = (void *)ads;
92 static void sid_from_rid(struct winbindd_domain *domain, uint32 rid, DOM_SID *sid)
94 sid_copy(sid, &domain->sid);
95 sid_append_rid(sid, rid);
99 /* Query display info for a realm. This is the basic user list fn */
100 static NTSTATUS query_user_list(struct winbindd_domain *domain,
103 WINBIND_USERINFO **info)
105 ADS_STRUCT *ads = NULL;
106 const char *attrs[] = {"userPrincipalName",
108 "name", "objectSid", "primaryGroupID",
109 "sAMAccountType", NULL};
114 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
118 DEBUG(3,("ads: query_user_list\n"));
120 ads = ads_cached_connection(domain);
123 rc = ads_search_retry(ads, &res, "(objectCategory=user)", attrs);
124 if (!ADS_ERR_OK(rc)) {
125 DEBUG(1,("query_user_list ads_search: %s\n", ads_errstr(rc)));
129 count = ads_count_replies(ads, res);
131 DEBUG(1,("query_user_list: No users found\n"));
135 (*info) = talloc_zero(mem_ctx, count * sizeof(**info));
137 status = NT_STATUS_NO_MEMORY;
143 for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
149 if (!ads_pull_uint32(ads, msg, "sAMAccountType", &atype) ||
150 ads_atype_map(atype) != SID_NAME_USER) {
151 DEBUG(1,("Not a user account? atype=0x%x\n", atype));
155 name = ads_pull_username(ads, mem_ctx, msg);
156 gecos = ads_pull_string(ads, mem_ctx, msg, "name");
157 if (!ads_pull_sid(ads, msg, "objectSid", &sid)) {
158 DEBUG(1,("No sid for %s !?\n", name));
161 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &group)) {
162 DEBUG(1,("No primary group for %s !?\n", name));
166 if (!sid_peek_check_rid(&domain->sid, &sid, &rid)) {
167 DEBUG(1,("No rid for %s !?\n", name));
171 (*info)[i].acct_name = name;
172 (*info)[i].full_name = gecos;
173 (*info)[i].user_rid = rid;
174 (*info)[i].group_rid = group;
179 status = NT_STATUS_OK;
181 DEBUG(3,("ads query_user_list gave %d entries\n", (*num_entries)));
184 if (res) ads_msgfree(ads, res);
189 /* list all domain groups */
190 static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
193 struct acct_info **info)
195 ADS_STRUCT *ads = NULL;
196 const char *attrs[] = {"userPrincipalName", "sAMAccountName",
198 "sAMAccountType", NULL};
203 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
208 DEBUG(3,("ads: enum_dom_groups\n"));
210 ads = ads_cached_connection(domain);
213 rc = ads_search_retry(ads, &res, "(objectCategory=group)", attrs);
214 if (!ADS_ERR_OK(rc)) {
215 DEBUG(1,("enum_dom_groups ads_search: %s\n", ads_errstr(rc)));
219 count = ads_count_replies(ads, res);
221 DEBUG(1,("enum_dom_groups: No groups found\n"));
225 (*info) = talloc_zero(mem_ctx, count * sizeof(**info));
227 status = NT_STATUS_NO_MEMORY;
233 group_flags = ATYPE_GLOBAL_GROUP;
234 if ( domain->native_mode )
235 group_flags |= ATYPE_LOCAL_GROUP;
237 for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
243 if (!ads_pull_uint32(ads, msg, "sAMAccountType", &account_type) || !(account_type & group_flags) )
246 name = ads_pull_username(ads, mem_ctx, msg);
247 gecos = ads_pull_string(ads, mem_ctx, msg, "name");
248 if (!ads_pull_sid(ads, msg, "objectSid", &sid)) {
249 DEBUG(1,("No sid for %s !?\n", name));
253 if (!sid_peek_check_rid(&domain->sid, &sid, &rid)) {
254 DEBUG(1,("No rid for %s !?\n", name));
258 fstrcpy((*info)[i].acct_name, name);
259 fstrcpy((*info)[i].acct_desc, gecos);
260 (*info)[i].rid = rid;
266 status = NT_STATUS_OK;
268 DEBUG(3,("ads enum_dom_groups gave %d entries\n", (*num_entries)));
271 if (res) ads_msgfree(ads, res);
276 /* list all domain local groups */
277 static NTSTATUS enum_local_groups(struct winbindd_domain *domain,
280 struct acct_info **info)
283 * This is a stub function only as we returned the domain
284 * ocal groups in enum_dom_groups() if the domain->native field
285 * was true. This is a simple performance optimization when
288 * if we ever need to enumerate domain local groups separately,
289 * then this the optimization in enum_dom_groups() will need
297 /* convert a single name to a sid in a domain */
298 static NTSTATUS name_to_sid(struct winbindd_domain *domain,
301 enum SID_NAME_USE *type)
305 DEBUG(3,("ads: name_to_sid\n"));
307 ads = ads_cached_connection(domain);
309 return NT_STATUS_UNSUCCESSFUL;
311 return ads_name_to_sid(ads, name, sid, type);
314 /* convert a sid to a user or group name */
315 static NTSTATUS sid_to_name(struct winbindd_domain *domain,
319 enum SID_NAME_USE *type)
321 ADS_STRUCT *ads = NULL;
322 DEBUG(3,("ads: sid_to_name\n"));
323 ads = ads_cached_connection(domain);
325 return NT_STATUS_UNSUCCESSFUL;
327 return ads_sid_to_name(ads, mem_ctx, sid, name, type);
331 /* convert a DN to a name, rid and name type
332 this might become a major speed bottleneck if groups have
333 lots of users, in which case we could cache the results
335 static BOOL dn_lookup(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx,
337 char **name, uint32 *name_type, uint32 *rid)
341 const char *attrs[] = {"userPrincipalName", "sAMAccountName",
342 "objectSid", "sAMAccountType", NULL};
346 char *escaped_dn = escape_ldap_string_alloc(dn);
352 asprintf(&exp, "(distinguishedName=%s)", dn);
353 rc = ads_search_retry(ads, &res, exp, attrs);
355 SAFE_FREE(escaped_dn);
357 if (!ADS_ERR_OK(rc)) {
361 (*name) = ads_pull_username(ads, mem_ctx, res);
363 if (!ads_pull_uint32(ads, res, "sAMAccountType", &atype)) {
366 (*name_type) = ads_atype_map(atype);
368 if (!ads_pull_sid(ads, res, "objectSid", &sid) ||
369 !sid_peek_rid(&sid, rid)) {
373 if (res) ads_msgfree(ads, res);
377 if (res) ads_msgfree(ads, res);
381 /* Lookup user information from a rid */
382 static NTSTATUS query_user(struct winbindd_domain *domain,
385 WINBIND_USERINFO *info)
387 ADS_STRUCT *ads = NULL;
388 const char *attrs[] = {"userPrincipalName",
391 "primaryGroupID", NULL};
398 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
400 DEBUG(3,("ads: query_user\n"));
402 sid_from_rid(domain, user_rid, &sid);
404 ads = ads_cached_connection(domain);
407 sidstr = sid_binstring(&sid);
408 asprintf(&exp, "(objectSid=%s)", sidstr);
409 rc = ads_search_retry(ads, &msg, exp, attrs);
412 if (!ADS_ERR_OK(rc)) {
413 DEBUG(1,("query_user(rid=%d) ads_search: %s\n", user_rid, ads_errstr(rc)));
417 count = ads_count_replies(ads, msg);
419 DEBUG(1,("query_user(rid=%d): Not found\n", user_rid));
423 info->acct_name = ads_pull_username(ads, mem_ctx, msg);
424 info->full_name = ads_pull_string(ads, mem_ctx, msg, "name");
425 if (!ads_pull_sid(ads, msg, "objectSid", &sid)) {
426 DEBUG(1,("No sid for %d !?\n", user_rid));
429 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &info->group_rid)) {
430 DEBUG(1,("No primary group for %d !?\n", user_rid));
434 if (!sid_peek_check_rid(&domain->sid,&sid, &info->user_rid)) {
435 DEBUG(1,("No rid for %d !?\n", user_rid));
439 status = NT_STATUS_OK;
441 DEBUG(3,("ads query_user gave %s\n", info->acct_name));
443 if (msg) ads_msgfree(ads, msg);
449 /* Lookup groups a user is a member of. */
450 static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
453 uint32 *num_groups, uint32 **user_gids)
455 ADS_STRUCT *ads = NULL;
456 const char *attrs[] = {"distinguishedName", NULL};
457 const char *attrs2[] = {"tokenGroups", "primaryGroupID", NULL};
465 uint32 primary_group;
468 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
472 DEBUG(3,("ads: lookup_usergroups\n"));
476 sid_from_rid(domain, user_rid, &sid);
478 ads = ads_cached_connection(domain);
481 sidstr = sid_binstring(&sid);
482 asprintf(&exp, "(objectSid=%s)", sidstr);
483 rc = ads_search_retry(ads, &msg, exp, attrs);
486 if (!ADS_ERR_OK(rc)) {
487 DEBUG(1,("lookup_usergroups(rid=%d) ads_search: %s\n", user_rid, ads_errstr(rc)));
491 user_dn = ads_pull_string(ads, mem_ctx, msg, "distinguishedName");
493 DEBUG(1,("lookup_usergroups(rid=%d) ads_search did not return a a distinguishedName!\n", user_rid));
497 if (msg) ads_msgfree(ads, msg);
499 rc = ads_search_retry_dn(ads, &msg, user_dn, attrs2);
500 if (!ADS_ERR_OK(rc)) {
501 DEBUG(1,("lookup_usergroups(rid=%d) ads_search tokenGroups: %s\n", user_rid, ads_errstr(rc)));
505 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &primary_group)) {
506 DEBUG(1,("%s: No primary group for rid=%d !?\n", domain->name, user_rid));
510 count = ads_pull_sids(ads, mem_ctx, msg, "tokenGroups", &sids) + 1;
511 (*user_gids) = (uint32 *)talloc_zero(mem_ctx, sizeof(uint32) * count);
512 (*user_gids)[(*num_groups)++] = primary_group;
514 for (i=1;i<count;i++) {
516 if (!sid_peek_check_rid(&domain->sid, &sids[i-1], &rid)) continue;
517 (*user_gids)[*num_groups] = rid;
521 status = NT_STATUS_OK;
522 DEBUG(3,("ads lookup_usergroups for rid=%d\n", user_rid));
524 if (msg) ads_msgfree(ads, msg);
530 find the members of a group, given a group rid and domain
532 static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
534 uint32 group_rid, uint32 *num_names,
535 uint32 **rid_mem, char ***names,
542 ADS_STRUCT *ads = NULL;
544 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
546 const char *attrs[] = {"member", NULL};
552 ads = ads_cached_connection(domain);
555 sid_from_rid(domain, group_rid, &group_sid);
556 sidstr = sid_binstring(&group_sid);
558 /* search for all members of the group */
559 asprintf(&exp, "(objectSid=%s)",sidstr);
560 rc = ads_search_retry(ads, &res, exp, attrs);
564 if (!ADS_ERR_OK(rc)) {
565 DEBUG(1,("query_user_list ads_search: %s\n", ads_errstr(rc)));
569 count = ads_count_replies(ads, res);
571 status = NT_STATUS_OK;
575 members = ads_pull_strings(ads, mem_ctx, res, "member");
577 /* no members? ok ... */
578 status = NT_STATUS_OK;
582 /* now we need to turn a list of members into rids, names and name types
583 the problem is that the members are in the form of distinguised names
585 for (i=0;members[i];i++) /* noop */ ;
588 (*rid_mem) = talloc_zero(mem_ctx, sizeof(uint32) * num_members);
589 (*name_types) = talloc_zero(mem_ctx, sizeof(uint32) * num_members);
590 (*names) = talloc_zero(mem_ctx, sizeof(char *) * num_members);
592 for (i=0;i<num_members;i++) {
593 uint32 name_type, rid;
596 if (dn_lookup(ads, mem_ctx, members[i], &name, &name_type, &rid)) {
597 (*names)[*num_names] = name;
598 (*name_types)[*num_names] = name_type;
599 (*rid_mem)[*num_names] = rid;
604 status = NT_STATUS_OK;
605 DEBUG(3,("ads lookup_groupmem for rid=%d\n", group_rid));
607 if (res) ads_msgfree(ads, res);
613 /* find the sequence number for a domain */
614 static NTSTATUS sequence_number(struct winbindd_domain *domain, uint32 *seq)
616 ADS_STRUCT *ads = NULL;
619 *seq = DOM_SEQUENCE_NONE;
621 ads = ads_cached_connection(domain);
622 if (!ads) return NT_STATUS_UNSUCCESSFUL;
624 rc = ads_USN(ads, seq);
625 if (!ADS_ERR_OK(rc)) {
626 /* its a dead connection */
628 domain->private = NULL;
630 return ads_ntstatus(rc);
633 /* get a list of trusted domains */
634 static NTSTATUS trusted_domains(struct winbindd_domain *domain,
647 ads = ads_cached_connection(domain);
648 if (!ads) return NT_STATUS_UNSUCCESSFUL;
650 rc = ads_trusted_domains(ads, mem_ctx, num_domains, names, alt_names, dom_sids);
652 return ads_ntstatus(rc);
655 /* find the domain sid for a domain */
656 static NTSTATUS domain_sid(struct winbindd_domain *domain, DOM_SID *sid)
661 ads = ads_cached_connection(domain);
662 if (!ads) return NT_STATUS_UNSUCCESSFUL;
664 rc = ads_domain_sid(ads, sid);
666 if (!ADS_ERR_OK(rc)) {
667 /* its a dead connection */
669 domain->private = NULL;
672 return ads_ntstatus(rc);
676 /* find alternate names list for the domain - for ADS this is the
678 static NTSTATUS alternate_name(struct winbindd_domain *domain)
685 ads = ads_cached_connection(domain);
686 if (!ads) return NT_STATUS_UNSUCCESSFUL;
688 if (!(ctx = talloc_init("alternate_name"))) {
689 return NT_STATUS_NO_MEMORY;
692 rc = ads_workgroup_name(ads, ctx, &workgroup);
694 if (ADS_ERR_OK(rc)) {
695 fstrcpy(domain->name, workgroup);
696 fstrcpy(domain->alt_name, ads->config.realm);
697 strupper(domain->alt_name);
698 strupper(domain->name);
703 return ads_ntstatus(rc);
706 /* the ADS backend methods are exposed via this structure */
707 struct winbindd_methods ads_methods = {