2 Unix SMB/CIFS implementation.
4 Winbind ADS backend functions
6 Copyright (C) Andrew Tridgell 2001
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003
8 Copyright (C) Gerald (Jerry) Carter 2004
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 2 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program; if not, write to the Free Software
22 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
31 #define DBGC_CLASS DBGC_WINBIND
34 return our ads connections structure for a domain. We keep the connection
35 open to make things faster
37 static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain)
41 enum wb_posix_mapping map_type;
43 DEBUG(10,("ads_cached_connection\n"));
45 if (domain->private_data) {
46 ads = (ADS_STRUCT *)domain->private_data;
48 /* check for a valid structure */
50 DEBUG(7, ("Current tickets expire at %d, time is now %d\n",
51 (uint32) ads->auth.expire, (uint32) time(NULL)));
52 if ( ads->config.realm && (ads->auth.expire > time(NULL))) {
56 /* we own this ADS_STRUCT so make sure it goes away */
59 ads_kdestroy("MEMORY:winbind_ccache");
60 domain->private_data = NULL;
64 /* we don't want this to affect the users ccache */
65 setenv("KRB5CCNAME", "MEMORY:winbind_ccache", 1);
67 ads = ads_init(domain->alt_name, domain->name, NULL);
69 DEBUG(1,("ads_init for domain %s failed\n", domain->name));
73 /* the machine acct password might have change - fetch it every time */
75 SAFE_FREE(ads->auth.password);
76 SAFE_FREE(ads->auth.realm);
82 if ( !secrets_fetch_trusted_domain_password( domain->name, &ads->auth.password, &sid, &last_set_time ) ) {
86 ads->auth.realm = SMB_STRDUP( ads->server.realm );
87 strupper_m( ads->auth.realm );
90 struct winbindd_domain *our_domain = domain;
92 ads->auth.password = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
94 /* always give preference to the alt_name in our
95 primary domain if possible */
97 if ( !domain->primary )
98 our_domain = find_our_domain();
100 if ( our_domain->alt_name[0] != '\0' ) {
101 ads->auth.realm = SMB_STRDUP( our_domain->alt_name );
102 strupper_m( ads->auth.realm );
105 ads->auth.realm = SMB_STRDUP( lp_realm() );
108 ads->auth.renewable = WINBINDD_PAM_AUTH_KRB5_RENEW_TIME;
110 status = ads_connect(ads);
111 if (!ADS_ERR_OK(status) || !ads->config.realm) {
112 DEBUG(1,("ads_connect for domain %s failed: %s\n",
113 domain->name, ads_errstr(status)));
116 /* if we get ECONNREFUSED then it might be a NT4
117 server, fall back to MSRPC */
118 if (status.error_type == ENUM_ADS_ERROR_SYSTEM &&
119 status.err.rc == ECONNREFUSED) {
120 extern struct winbindd_methods reconnect_methods;
121 /* 'reconnect_methods' is the MS-RPC backend. */
122 DEBUG(1,("Trying MSRPC methods\n"));
123 domain->backend = &reconnect_methods;
128 map_type = get_nss_info(domain->name);
130 if ((map_type == WB_POSIX_MAP_RFC2307)||
131 (map_type == WB_POSIX_MAP_SFU)) {
133 status = ads_check_posix_schema_mapping(ads, map_type);
134 if (!ADS_ERR_OK(status)) {
135 DEBUG(10,("ads_check_posix_schema_mapping failed "
136 "with: %s\n", ads_errstr(status)));
140 /* set the flag that says we don't own the memory even
141 though we do so that ads_destroy() won't destroy the
142 structure we pass back by reference */
144 ads->is_mine = False;
146 domain->private_data = (void *)ads;
151 /* Query display info for a realm. This is the basic user list fn */
152 static NTSTATUS query_user_list(struct winbindd_domain *domain,
155 WINBIND_USERINFO **info)
157 ADS_STRUCT *ads = NULL;
158 const char *attrs[] = {"userPrincipalName",
160 "name", "objectSid", "primaryGroupID",
162 ADS_ATTR_SFU_HOMEDIR_OID,
163 ADS_ATTR_SFU_SHELL_OID,
164 ADS_ATTR_SFU_GECOS_OID,
165 ADS_ATTR_RFC2307_HOMEDIR_OID,
166 ADS_ATTR_RFC2307_SHELL_OID,
167 ADS_ATTR_RFC2307_GECOS_OID,
171 LDAPMessage *res = NULL;
172 LDAPMessage *msg = NULL;
173 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
177 DEBUG(3,("ads: query_user_list\n"));
179 ads = ads_cached_connection(domain);
182 domain->last_status = NT_STATUS_SERVER_DISABLED;
186 rc = ads_search_retry(ads, &res, "(objectCategory=user)", attrs);
187 if (!ADS_ERR_OK(rc) || !res) {
188 DEBUG(1,("query_user_list ads_search: %s\n", ads_errstr(rc)));
192 count = ads_count_replies(ads, res);
194 DEBUG(1,("query_user_list: No users found\n"));
198 (*info) = TALLOC_ZERO_ARRAY(mem_ctx, WINBIND_USERINFO, count);
200 status = NT_STATUS_NO_MEMORY;
206 for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
207 char *name, *gecos = NULL;
208 char *homedir = NULL;
213 if (!ads_pull_uint32(ads, msg, "sAMAccountType", &atype) ||
214 ads_atype_map(atype) != SID_NAME_USER) {
215 DEBUG(1,("Not a user account? atype=0x%x\n", atype));
219 name = ads_pull_username(ads, mem_ctx, msg);
221 if (get_nss_info(domain->name) && ads->schema.map_type) {
223 DEBUG(10,("pulling posix attributes (%s schema)\n",
224 wb_posix_map_str(ads->schema.map_type)));
226 homedir = ads_pull_string(ads, mem_ctx, msg,
227 ads->schema.posix_homedir_attr);
228 shell = ads_pull_string(ads, mem_ctx, msg,
229 ads->schema.posix_shell_attr);
230 gecos = ads_pull_string(ads, mem_ctx, msg,
231 ads->schema.posix_gecos_attr);
235 gecos = ads_pull_string(ads, mem_ctx, msg, "name");
238 if (!ads_pull_sid(ads, msg, "objectSid",
239 &(*info)[i].user_sid)) {
240 DEBUG(1,("No sid for %s !?\n", name));
243 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &group)) {
244 DEBUG(1,("No primary group for %s !?\n", name));
248 (*info)[i].acct_name = name;
249 (*info)[i].full_name = gecos;
250 (*info)[i].homedir = homedir;
251 (*info)[i].shell = shell;
252 sid_compose(&(*info)[i].group_sid, &domain->sid, group);
257 status = NT_STATUS_OK;
259 DEBUG(3,("ads query_user_list gave %d entries\n", (*num_entries)));
263 ads_msgfree(ads, res);
268 /* list all domain groups */
269 static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
272 struct acct_info **info)
274 ADS_STRUCT *ads = NULL;
275 const char *attrs[] = {"userPrincipalName", "sAMAccountName",
276 "name", "objectSid", NULL};
279 LDAPMessage *res = NULL;
280 LDAPMessage *msg = NULL;
281 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
283 BOOL enum_dom_local_groups = False;
287 DEBUG(3,("ads: enum_dom_groups\n"));
289 /* only grab domain local groups for our domain */
290 if ( domain->native_mode && strequal(lp_realm(), domain->alt_name) ) {
291 enum_dom_local_groups = True;
294 /* Workaround ADS LDAP bug present in MS W2K3 SP0 and W2K SP4 w/o
297 * According to Section 5.1(4) of RFC 2251 if a value of a type is it's
298 * default value, it MUST be absent. In case of extensible matching the
299 * "dnattr" boolean defaults to FALSE and so it must be only be present
302 * When it is set to FALSE and the OpenLDAP lib (correctly) encodes a
303 * filter using bitwise matching rule then the buggy AD fails to decode
304 * the extensible match. As a workaround set it to TRUE and thereby add
305 * the dnAttributes "dn" field to cope with those older AD versions.
306 * It should not harm and won't put any additional load on the AD since
307 * none of the dn components have a bitmask-attribute.
309 * Thanks to Ralf Haferkamp for input and testing - Guenther */
311 filter = talloc_asprintf(mem_ctx, "(&(objectCategory=group)(&(groupType:dn:%s:=%d)(!(groupType:dn:%s:=%d))))",
312 ADS_LDAP_MATCHING_RULE_BIT_AND, GROUP_TYPE_SECURITY_ENABLED,
313 ADS_LDAP_MATCHING_RULE_BIT_AND,
314 enum_dom_local_groups ? GROUP_TYPE_BUILTIN_LOCAL_GROUP : GROUP_TYPE_RESOURCE_GROUP);
316 if (filter == NULL) {
317 status = NT_STATUS_NO_MEMORY;
321 ads = ads_cached_connection(domain);
324 domain->last_status = NT_STATUS_SERVER_DISABLED;
328 rc = ads_search_retry(ads, &res, filter, attrs);
329 if (!ADS_ERR_OK(rc) || !res) {
330 DEBUG(1,("enum_dom_groups ads_search: %s\n", ads_errstr(rc)));
334 count = ads_count_replies(ads, res);
336 DEBUG(1,("enum_dom_groups: No groups found\n"));
340 (*info) = TALLOC_ZERO_ARRAY(mem_ctx, struct acct_info, count);
342 status = NT_STATUS_NO_MEMORY;
348 for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
353 name = ads_pull_username(ads, mem_ctx, msg);
354 gecos = ads_pull_string(ads, mem_ctx, msg, "name");
355 if (!ads_pull_sid(ads, msg, "objectSid", &sid)) {
356 DEBUG(1,("No sid for %s !?\n", name));
360 if (!sid_peek_check_rid(&domain->sid, &sid, &rid)) {
361 DEBUG(1,("No rid for %s !?\n", name));
365 fstrcpy((*info)[i].acct_name, name);
366 fstrcpy((*info)[i].acct_desc, gecos);
367 (*info)[i].rid = rid;
373 status = NT_STATUS_OK;
375 DEBUG(3,("ads enum_dom_groups gave %d entries\n", (*num_entries)));
379 ads_msgfree(ads, res);
384 /* list all domain local groups */
385 static NTSTATUS enum_local_groups(struct winbindd_domain *domain,
388 struct acct_info **info)
391 * This is a stub function only as we returned the domain
392 * local groups in enum_dom_groups() if the domain->native field
393 * was true. This is a simple performance optimization when
396 * if we ever need to enumerate domain local groups separately,
397 * then this the optimization in enum_dom_groups() will need
405 /* convert a DN to a name, SID and name type
406 this might become a major speed bottleneck if groups have
407 lots of users, in which case we could cache the results
409 static BOOL dn_lookup(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx,
411 char **name, uint32 *name_type, DOM_SID *sid)
413 LDAPMessage *res = NULL;
414 const char *attrs[] = {"userPrincipalName", "sAMAccountName",
415 "objectSid", "sAMAccountType", NULL};
418 DEBUG(3,("ads: dn_lookup\n"));
420 rc = ads_search_retry_dn(ads, &res, dn, attrs);
422 if (!ADS_ERR_OK(rc) || !res) {
426 (*name) = ads_pull_username(ads, mem_ctx, res);
428 if (!ads_pull_uint32(ads, res, "sAMAccountType", &atype)) {
431 (*name_type) = ads_atype_map(atype);
433 if (!ads_pull_sid(ads, res, "objectSid", sid)) {
438 ads_msgfree(ads, res);
444 ads_msgfree(ads, res);
449 /* Lookup user information from a rid */
450 static NTSTATUS query_user(struct winbindd_domain *domain,
453 WINBIND_USERINFO *info)
455 ADS_STRUCT *ads = NULL;
456 const char *attrs[] = {"userPrincipalName",
460 ADS_ATTR_SFU_HOMEDIR_OID,
461 ADS_ATTR_SFU_SHELL_OID,
462 ADS_ATTR_SFU_GECOS_OID,
463 ADS_ATTR_RFC2307_HOMEDIR_OID,
464 ADS_ATTR_RFC2307_SHELL_OID,
465 ADS_ATTR_RFC2307_GECOS_OID,
469 LDAPMessage *msg = NULL;
473 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
475 DEBUG(3,("ads: query_user\n"));
477 ads = ads_cached_connection(domain);
480 domain->last_status = NT_STATUS_SERVER_DISABLED;
484 sidstr = sid_binstring(sid);
485 asprintf(&ldap_exp, "(objectSid=%s)", sidstr);
486 rc = ads_search_retry(ads, &msg, ldap_exp, attrs);
489 if (!ADS_ERR_OK(rc) || !msg) {
490 DEBUG(1,("query_user(sid=%s) ads_search: %s\n",
491 sid_string_static(sid), ads_errstr(rc)));
495 count = ads_count_replies(ads, msg);
497 DEBUG(1,("query_user(sid=%s): Not found\n",
498 sid_string_static(sid)));
502 info->acct_name = ads_pull_username(ads, mem_ctx, msg);
504 if (get_nss_info(domain->name) && ads->schema.map_type) {
506 DEBUG(10,("pulling posix attributes (%s schema)\n",
507 wb_posix_map_str(ads->schema.map_type)));
509 info->homedir = ads_pull_string(ads, mem_ctx, msg,
510 ads->schema.posix_homedir_attr);
511 info->shell = ads_pull_string(ads, mem_ctx, msg,
512 ads->schema.posix_shell_attr);
513 info->full_name = ads_pull_string(ads, mem_ctx, msg,
514 ads->schema.posix_gecos_attr);
517 if (info->full_name == NULL) {
518 info->full_name = ads_pull_string(ads, mem_ctx, msg, "name");
521 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &group_rid)) {
522 DEBUG(1,("No primary group for %s !?\n",
523 sid_string_static(sid)));
527 sid_copy(&info->user_sid, sid);
528 sid_compose(&info->group_sid, &domain->sid, group_rid);
530 status = NT_STATUS_OK;
532 DEBUG(3,("ads query_user gave %s\n", info->acct_name));
535 ads_msgfree(ads, msg);
540 /* Lookup groups a user is a member of - alternate method, for when
541 tokenGroups are not available. */
542 static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain,
545 DOM_SID *primary_group,
546 size_t *p_num_groups, DOM_SID **user_sids)
549 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
551 LDAPMessage *res = NULL;
552 LDAPMessage *msg = NULL;
555 const char *group_attrs[] = {"objectSid", NULL};
557 size_t num_groups = 0;
559 DEBUG(3,("ads: lookup_usergroups_member\n"));
561 ads = ads_cached_connection(domain);
564 domain->last_status = NT_STATUS_SERVER_DISABLED;
568 if (!(escaped_dn = escape_ldap_string_alloc(user_dn))) {
569 status = NT_STATUS_NO_MEMORY;
573 if (!(ldap_exp = talloc_asprintf(mem_ctx, "(&(member=%s)(objectCategory=group))", escaped_dn))) {
574 DEBUG(1,("lookup_usergroups(dn=%s) asprintf failed!\n", user_dn));
575 SAFE_FREE(escaped_dn);
576 status = NT_STATUS_NO_MEMORY;
580 SAFE_FREE(escaped_dn);
582 rc = ads_search_retry(ads, &res, ldap_exp, group_attrs);
584 if (!ADS_ERR_OK(rc) || !res) {
585 DEBUG(1,("lookup_usergroups ads_search member=%s: %s\n", user_dn, ads_errstr(rc)));
586 return ads_ntstatus(rc);
589 count = ads_count_replies(ads, res);
594 /* always add the primary group to the sid array */
595 if (!add_sid_to_array(mem_ctx, primary_group, user_sids, &num_groups)) {
596 status = NT_STATUS_NO_MEMORY;
601 for (msg = ads_first_entry(ads, res); msg;
602 msg = ads_next_entry(ads, msg)) {
605 if (!ads_pull_sid(ads, msg, "objectSid", &group_sid)) {
606 DEBUG(1,("No sid for this group ?!?\n"));
610 /* ignore Builtin groups from ADS - Guenther */
611 if (sid_check_is_in_builtin(&group_sid)) {
615 if (!add_sid_to_array(mem_ctx, &group_sid, user_sids,
617 status = NT_STATUS_NO_MEMORY;
624 *p_num_groups = num_groups;
625 status = (user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
627 DEBUG(3,("ads lookup_usergroups (member) succeeded for dn=%s\n", user_dn));
630 ads_msgfree(ads, res);
635 /* Lookup groups a user is a member of - alternate method, for when
636 tokenGroups are not available. */
637 static NTSTATUS lookup_usergroups_memberof(struct winbindd_domain *domain,
640 DOM_SID *primary_group,
641 size_t *p_num_groups, DOM_SID **user_sids)
644 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
646 LDAPMessage *res = NULL;
648 const char *attrs[] = {"memberOf", NULL};
649 size_t num_groups = 0;
650 DOM_SID *group_sids = NULL;
653 DEBUG(3,("ads: lookup_usergroups_memberof\n"));
655 ads = ads_cached_connection(domain);
658 domain->last_status = NT_STATUS_SERVER_DISABLED;
662 rc = ads_search_retry_extended_dn(ads, &res, user_dn, attrs,
663 ADS_EXTENDED_DN_HEX_STRING);
665 if (!ADS_ERR_OK(rc) || !res) {
666 DEBUG(1,("lookup_usergroups_memberof ads_search member=%s: %s\n",
667 user_dn, ads_errstr(rc)));
668 return ads_ntstatus(rc);
671 count = ads_count_replies(ads, res);
674 status = NT_STATUS_NO_SUCH_USER;
681 /* always add the primary group to the sid array */
682 if (!add_sid_to_array(mem_ctx, primary_group, user_sids, &num_groups)) {
683 status = NT_STATUS_NO_MEMORY;
687 count = ads_pull_sids_from_extendeddn(ads, mem_ctx, res, "memberOf",
688 ADS_EXTENDED_DN_HEX_STRING,
691 DEBUG(1,("No memberOf for this user?!?\n"));
692 status = NT_STATUS_NO_MEMORY;
696 for (i=0; i<count; i++) {
698 /* ignore Builtin groups from ADS - Guenther */
699 if (sid_check_is_in_builtin(&group_sids[i])) {
703 if (!add_sid_to_array(mem_ctx, &group_sids[i], user_sids,
705 status = NT_STATUS_NO_MEMORY;
711 *p_num_groups = num_groups;
712 status = (*user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
714 DEBUG(3,("ads lookup_usergroups (memberof) succeeded for dn=%s\n", user_dn));
716 TALLOC_FREE(group_sids);
718 ads_msgfree(ads, res);
724 /* Lookup groups a user is a member of. */
725 static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
728 uint32 *p_num_groups, DOM_SID **user_sids)
730 ADS_STRUCT *ads = NULL;
731 const char *attrs[] = {"tokenGroups", "primaryGroupID", NULL};
734 LDAPMessage *msg = NULL;
735 char *user_dn = NULL;
738 DOM_SID primary_group;
739 uint32 primary_group_rid;
741 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
742 size_t num_groups = 0;
744 DEBUG(3,("ads: lookup_usergroups\n"));
747 status = lookup_usergroups_cached(domain, mem_ctx, sid,
748 p_num_groups, user_sids);
749 if (NT_STATUS_IS_OK(status)) {
753 ads = ads_cached_connection(domain);
756 domain->last_status = NT_STATUS_SERVER_DISABLED;
757 status = NT_STATUS_SERVER_DISABLED;
761 rc = ads_search_retry_sid(ads, &msg, sid, attrs);
763 if (!ADS_ERR_OK(rc)) {
764 status = ads_ntstatus(rc);
765 DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: %s\n",
766 sid_to_string(sid_string, sid), ads_errstr(rc)));
770 count = ads_count_replies(ads, msg);
772 status = NT_STATUS_UNSUCCESSFUL;
773 DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: "
774 "invalid number of results (count=%d)\n",
775 sid_to_string(sid_string, sid), count));
780 DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: NULL msg\n",
781 sid_to_string(sid_string, sid)));
782 status = NT_STATUS_UNSUCCESSFUL;
786 user_dn = ads_get_dn(ads, msg);
787 if (user_dn == NULL) {
788 status = NT_STATUS_NO_MEMORY;
792 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &primary_group_rid)) {
793 DEBUG(1,("%s: No primary group for sid=%s !?\n",
794 domain->name, sid_to_string(sid_string, sid)));
798 sid_copy(&primary_group, &domain->sid);
799 sid_append_rid(&primary_group, primary_group_rid);
801 count = ads_pull_sids(ads, mem_ctx, msg, "tokenGroups", &sids);
803 /* there must always be at least one group in the token,
804 unless we are talking to a buggy Win2k server */
806 /* actually this only happens when the machine account has no read
807 * permissions on the tokenGroup attribute - gd */
813 /* lookup what groups this user is a member of by DN search on
816 status = lookup_usergroups_memberof(domain, mem_ctx, user_dn,
818 &num_groups, user_sids);
819 *p_num_groups = (uint32)num_groups;
820 if (NT_STATUS_IS_OK(status)) {
824 /* lookup what groups this user is a member of by DN search on
827 status = lookup_usergroups_member(domain, mem_ctx, user_dn,
829 &num_groups, user_sids);
830 *p_num_groups = (uint32)num_groups;
837 if (!add_sid_to_array(mem_ctx, &primary_group, user_sids, &num_groups)) {
838 status = NT_STATUS_NO_MEMORY;
842 for (i=0;i<count;i++) {
844 /* ignore Builtin groups from ADS - Guenther */
845 if (sid_check_is_in_builtin(&sids[i])) {
849 if (!add_sid_to_array_unique(mem_ctx, &sids[i],
850 user_sids, &num_groups)) {
851 status = NT_STATUS_NO_MEMORY;
856 *p_num_groups = (uint32)num_groups;
857 status = (*user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
859 DEBUG(3,("ads lookup_usergroups (tokenGroups) succeeded for sid=%s\n",
860 sid_to_string(sid_string, sid)));
862 ads_memfree(ads, user_dn);
863 ads_msgfree(ads, msg);
868 find the members of a group, given a group rid and domain
870 static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
872 const DOM_SID *group_sid, uint32 *num_names,
873 DOM_SID **sid_mem, char ***names,
878 LDAPMessage *res=NULL;
879 ADS_STRUCT *ads = NULL;
881 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
893 DEBUG(10,("ads: lookup_groupmem %s sid=%s\n", domain->name,
894 sid_string_static(group_sid)));
898 ads = ads_cached_connection(domain);
901 domain->last_status = NT_STATUS_SERVER_DISABLED;
905 if ((sidstr = sid_binstring(group_sid)) == NULL) {
906 status = NT_STATUS_NO_MEMORY;
910 /* search for all members of the group */
911 if (!(ldap_exp = talloc_asprintf(mem_ctx, "(objectSid=%s)",sidstr))) {
913 DEBUG(1, ("ads: lookup_groupmem: tallloc_asprintf for ldap_exp failed!\n"));
914 status = NT_STATUS_NO_MEMORY;
922 if ((attrs = TALLOC_ARRAY(mem_ctx, const char *, 3)) == NULL) {
923 status = NT_STATUS_NO_MEMORY;
927 attrs[1] = talloc_strdup(mem_ctx, "usnChanged");
931 if (num_members == 0)
932 attrs[0] = talloc_strdup(mem_ctx, "member");
934 DEBUG(10, ("Searching for attrs[0] = %s, attrs[1] = %s\n", attrs[0], attrs[1]));
936 rc = ads_search_retry(ads, &res, ldap_exp, attrs);
938 if (!ADS_ERR_OK(rc) || !res) {
939 DEBUG(1,("ads: lookup_groupmem ads_search: %s\n",
941 status = ads_ntstatus(rc);
945 count = ads_count_replies(ads, res);
949 if (num_members == 0) {
950 if (!ads_pull_uint32(ads, res, "usnChanged", &first_usn)) {
951 DEBUG(1, ("ads: lookup_groupmem could not pull usnChanged!\n"));
956 if (!ads_pull_uint32(ads, res, "usnChanged", ¤t_usn)) {
957 DEBUG(1, ("ads: lookup_groupmem could not pull usnChanged!\n"));
961 if (first_usn != current_usn) {
962 DEBUG(5, ("ads: lookup_groupmem USN on this record changed"
963 " - restarting search\n"));
964 if (num_retries < 5) {
969 DEBUG(5, ("ads: lookup_groupmem USN on this record changed"
970 " - restarted search too many times, aborting!\n"));
971 status = NT_STATUS_UNSUCCESSFUL;
976 members = ads_pull_strings_range(ads, mem_ctx, res,
983 if ((members == NULL) || (num_members == 0))
986 } while (more_values);
988 /* now we need to turn a list of members into rids, names and name types
989 the problem is that the members are in the form of distinguised names
992 (*sid_mem) = TALLOC_ZERO_ARRAY(mem_ctx, DOM_SID, num_members);
993 (*name_types) = TALLOC_ZERO_ARRAY(mem_ctx, uint32, num_members);
994 (*names) = TALLOC_ZERO_ARRAY(mem_ctx, char *, num_members);
996 if ((num_members != 0) &&
997 ((members == NULL) || (*sid_mem == NULL) ||
998 (*name_types == NULL) || (*names == NULL))) {
999 DEBUG(1, ("talloc failed\n"));
1000 status = NT_STATUS_NO_MEMORY;
1004 for (i=0;i<num_members;i++) {
1009 if (dn_lookup(ads, mem_ctx, members[i], &name, &name_type, &sid)) {
1010 (*names)[*num_names] = name;
1011 (*name_types)[*num_names] = name_type;
1012 sid_copy(&(*sid_mem)[*num_names], &sid);
1017 status = NT_STATUS_OK;
1018 DEBUG(3,("ads lookup_groupmem for sid=%s\n", sid_to_string(sid_string, group_sid)));
1022 ads_msgfree(ads, res);
1027 /* find the sequence number for a domain */
1028 static NTSTATUS sequence_number(struct winbindd_domain *domain, uint32 *seq)
1030 ADS_STRUCT *ads = NULL;
1033 DEBUG(3,("ads: fetch sequence_number for %s\n", domain->name));
1035 *seq = DOM_SEQUENCE_NONE;
1037 ads = ads_cached_connection(domain);
1040 domain->last_status = NT_STATUS_SERVER_DISABLED;
1041 return NT_STATUS_UNSUCCESSFUL;
1044 rc = ads_USN(ads, seq);
1046 if (!ADS_ERR_OK(rc)) {
1048 /* its a dead connection ; don't destroy it
1049 through since ads_USN() has already done
1052 domain->private_data = NULL;
1054 return ads_ntstatus(rc);
1057 /* get a list of trusted domains */
1058 static NTSTATUS trusted_domains(struct winbindd_domain *domain,
1059 TALLOC_CTX *mem_ctx,
1060 uint32 *num_domains,
1065 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1066 struct ds_domain_trust *domains = NULL;
1069 uint32 flags = DS_DOMAIN_IN_FOREST | DS_DOMAIN_DIRECT_OUTBOUND;
1070 struct rpc_pipe_client *cli;
1072 DEBUG(3,("ads: trusted_domains\n"));
1079 result = cm_connect_netlogon(domain, &cli);
1081 if (!NT_STATUS_IS_OK(result)) {
1082 DEBUG(5, ("trusted_domains: Could not open a connection to %s "
1083 "for PIPE_NETLOGON (%s)\n",
1084 domain->name, nt_errstr(result)));
1085 return NT_STATUS_UNSUCCESSFUL;
1088 if ( NT_STATUS_IS_OK(result) ) {
1089 result = rpccli_ds_enum_domain_trusts(cli, mem_ctx,
1092 (unsigned int *)&count);
1095 if ( NT_STATUS_IS_OK(result) && count) {
1097 /* Allocate memory for trusted domain names and sids */
1099 if ( !(*names = TALLOC_ARRAY(mem_ctx, char *, count)) ) {
1100 DEBUG(0, ("trusted_domains: out of memory\n"));
1101 return NT_STATUS_NO_MEMORY;
1104 if ( !(*alt_names = TALLOC_ARRAY(mem_ctx, char *, count)) ) {
1105 DEBUG(0, ("trusted_domains: out of memory\n"));
1106 return NT_STATUS_NO_MEMORY;
1109 if ( !(*dom_sids = TALLOC_ARRAY(mem_ctx, DOM_SID, count)) ) {
1110 DEBUG(0, ("trusted_domains: out of memory\n"));
1111 return NT_STATUS_NO_MEMORY;
1114 /* Copy across names and sids */
1116 for (i = 0; i < count; i++) {
1117 (*names)[i] = domains[i].netbios_domain;
1118 (*alt_names)[i] = domains[i].dns_domain;
1120 sid_copy(&(*dom_sids)[i], &domains[i].sid);
1123 *num_domains = count;
1129 /* the ADS backend methods are exposed via this structure */
1130 struct winbindd_methods ads_methods = {
1137 msrpc_rids_to_names,
1140 msrpc_lookup_useraliases,
1143 msrpc_lockout_policy,
1144 msrpc_password_policy,