s3-winbindd: add and use winbindd_lookup_sids().
[ira/wip.git] / source3 / winbindd / winbindd_ads.c
1 /*
2    Unix SMB/CIFS implementation.
3
4    Winbind ADS backend functions
5
6    Copyright (C) Andrew Tridgell 2001
7    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003
8    Copyright (C) Gerald (Jerry) Carter 2004
9
10    This program is free software; you can redistribute it and/or modify
11    it under the terms of the GNU General Public License as published by
12    the Free Software Foundation; either version 3 of the License, or
13    (at your option) any later version.
14
15    This program is distributed in the hope that it will be useful,
16    but WITHOUT ANY WARRANTY; without even the implied warranty of
17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
18    GNU General Public License for more details.
19
20    You should have received a copy of the GNU General Public License
21    along with this program.  If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "winbindd.h"
26
27 #ifdef HAVE_ADS
28
29 #undef DBGC_CLASS
30 #define DBGC_CLASS DBGC_WINBIND
31
32 extern struct winbindd_methods reconnect_methods;
33
34 /*
35   return our ads connections structure for a domain. We keep the connection
36   open to make things faster
37 */
38 static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain)
39 {
40         ADS_STRUCT *ads;
41         ADS_STATUS status;
42         fstring dc_name;
43         struct sockaddr_storage dc_ss;
44
45         DEBUG(10,("ads_cached_connection\n"));
46
47         if (domain->private_data) {
48
49                 time_t expire;
50                 time_t now = time(NULL);
51
52                 /* check for a valid structure */
53                 ads = (ADS_STRUCT *)domain->private_data;
54
55                 expire = MIN(ads->auth.tgt_expire, ads->auth.tgs_expire);
56
57                 DEBUG(7, ("Current tickets expire in %d seconds (at %d, time is now %d)\n",
58                           (uint32)expire-(uint32)now, (uint32) expire, (uint32) now));
59
60                 if ( ads->config.realm && (expire > now)) {
61                         return ads;
62                 } else {
63                         /* we own this ADS_STRUCT so make sure it goes away */
64                         DEBUG(7,("Deleting expired krb5 credential cache\n"));
65                         ads->is_mine = True;
66                         ads_destroy( &ads );
67                         ads_kdestroy("MEMORY:winbind_ccache");
68                         domain->private_data = NULL;
69                 }
70         }
71
72         /* we don't want this to affect the users ccache */
73         setenv("KRB5CCNAME", "MEMORY:winbind_ccache", 1);
74
75         ads = ads_init(domain->alt_name, domain->name, NULL);
76         if (!ads) {
77                 DEBUG(1,("ads_init for domain %s failed\n", domain->name));
78                 return NULL;
79         }
80
81         /* the machine acct password might have change - fetch it every time */
82
83         SAFE_FREE(ads->auth.password);
84         SAFE_FREE(ads->auth.realm);
85
86         if ( IS_DC ) {
87                 DOM_SID sid;
88                 time_t last_set_time;
89
90                 if ( !pdb_get_trusteddom_pw( domain->name, &ads->auth.password, &sid, &last_set_time ) ) {
91                         ads_destroy( &ads );
92                         return NULL;
93                 }
94                 ads->auth.realm = SMB_STRDUP( ads->server.realm );
95                 strupper_m( ads->auth.realm );
96         }
97         else {
98                 struct winbindd_domain *our_domain = domain;
99
100                 ads->auth.password = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
101
102                 /* always give preference to the alt_name in our
103                    primary domain if possible */
104
105                 if ( !domain->primary )
106                         our_domain = find_our_domain();
107
108                 if ( our_domain->alt_name[0] != '\0' ) {
109                         ads->auth.realm = SMB_STRDUP( our_domain->alt_name );
110                         strupper_m( ads->auth.realm );
111                 }
112                 else
113                         ads->auth.realm = SMB_STRDUP( lp_realm() );
114         }
115
116         ads->auth.renewable = WINBINDD_PAM_AUTH_KRB5_RENEW_TIME;
117
118         /* Setup the server affinity cache.  We don't reaally care
119            about the name.  Just setup affinity and the KRB5_CONFIG
120            file. */
121
122         get_dc_name( ads->server.workgroup, ads->server.realm, dc_name, &dc_ss );
123
124         status = ads_connect(ads);
125         if (!ADS_ERR_OK(status) || !ads->config.realm) {
126                 DEBUG(1,("ads_connect for domain %s failed: %s\n",
127                          domain->name, ads_errstr(status)));
128                 ads_destroy(&ads);
129
130                 /* if we get ECONNREFUSED then it might be a NT4
131                    server, fall back to MSRPC */
132                 if (status.error_type == ENUM_ADS_ERROR_SYSTEM &&
133                     status.err.rc == ECONNREFUSED) {
134                         /* 'reconnect_methods' is the MS-RPC backend. */
135                         DEBUG(1,("Trying MSRPC methods\n"));
136                         domain->backend = &reconnect_methods;
137                 }
138                 return NULL;
139         }
140
141         /* set the flag that says we don't own the memory even
142            though we do so that ads_destroy() won't destroy the
143            structure we pass back by reference */
144
145         ads->is_mine = False;
146
147         domain->private_data = (void *)ads;
148         return ads;
149 }
150
151
152 /* Query display info for a realm. This is the basic user list fn */
153 static NTSTATUS query_user_list(struct winbindd_domain *domain,
154                                TALLOC_CTX *mem_ctx,
155                                uint32 *num_entries, 
156                                struct wbint_userinfo **info)
157 {
158         ADS_STRUCT *ads = NULL;
159         const char *attrs[] = { "*", NULL };
160         int i, count;
161         ADS_STATUS rc;
162         LDAPMessage *res = NULL;
163         LDAPMessage *msg = NULL;
164         NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
165
166         *num_entries = 0;
167
168         DEBUG(3,("ads: query_user_list\n"));
169
170         if ( !winbindd_can_contact_domain( domain ) ) {
171                 DEBUG(10,("query_user_list: No incoming trust for domain %s\n",
172                           domain->name));               
173                 return NT_STATUS_OK;
174         }
175
176         ads = ads_cached_connection(domain);
177
178         if (!ads) {
179                 domain->last_status = NT_STATUS_SERVER_DISABLED;
180                 goto done;
181         }
182
183         rc = ads_search_retry(ads, &res, "(objectCategory=user)", attrs);
184         if (!ADS_ERR_OK(rc) || !res) {
185                 DEBUG(1,("query_user_list ads_search: %s\n", ads_errstr(rc)));
186                 goto done;
187         }
188
189         count = ads_count_replies(ads, res);
190         if (count == 0) {
191                 DEBUG(1,("query_user_list: No users found\n"));
192                 goto done;
193         }
194
195         (*info) = TALLOC_ZERO_ARRAY(mem_ctx, struct wbint_userinfo, count);
196         if (!*info) {
197                 status = NT_STATUS_NO_MEMORY;
198                 goto done;
199         }
200
201         i = 0;
202
203         for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
204                 const char *name;
205                 const char *gecos = NULL;
206                 const char *homedir = NULL;
207                 const char *shell = NULL;
208                 uint32 group;
209                 uint32 atype;
210                 DOM_SID user_sid;
211                 gid_t primary_gid = (gid_t)-1;
212
213                 if (!ads_pull_uint32(ads, msg, "sAMAccountType", &atype) ||
214                     ds_atype_map(atype) != SID_NAME_USER) {
215                         DEBUG(1,("Not a user account? atype=0x%x\n", atype));
216                         continue;
217                 }
218
219                 name = ads_pull_username(ads, mem_ctx, msg);
220
221                 if ( ads_pull_sid( ads, msg, "objectSid", &user_sid ) ) {
222                         status = nss_get_info_cached( domain, &user_sid, mem_ctx, 
223                                                ads, msg, &homedir, &shell, &gecos,
224                                                &primary_gid );
225                 }
226
227                 if (gecos == NULL) {
228                         gecos = ads_pull_string(ads, mem_ctx, msg, "name");
229                 }
230
231                 if (!ads_pull_sid(ads, msg, "objectSid",
232                                   &(*info)[i].user_sid)) {
233                         DEBUG(1,("No sid for %s !?\n", name));
234                         continue;
235                 }
236                 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &group)) {
237                         DEBUG(1,("No primary group for %s !?\n", name));
238                         continue;
239                 }
240
241                 (*info)[i].acct_name = name;
242                 (*info)[i].full_name = gecos;
243                 (*info)[i].homedir = homedir;
244                 (*info)[i].shell = shell;
245                 (*info)[i].primary_gid = primary_gid;
246                 sid_compose(&(*info)[i].group_sid, &domain->sid, group);
247                 i++;
248         }
249
250         (*num_entries) = i;
251         status = NT_STATUS_OK;
252
253         DEBUG(3,("ads query_user_list gave %d entries\n", (*num_entries)));
254
255 done:
256         if (res) 
257                 ads_msgfree(ads, res);
258
259         return status;
260 }
261
262 /* list all domain groups */
263 static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
264                                 TALLOC_CTX *mem_ctx,
265                                 uint32 *num_entries, 
266                                 struct acct_info **info)
267 {
268         ADS_STRUCT *ads = NULL;
269         const char *attrs[] = {"userPrincipalName", "sAMAccountName",
270                                "name", "objectSid", NULL};
271         int i, count;
272         ADS_STATUS rc;
273         LDAPMessage *res = NULL;
274         LDAPMessage *msg = NULL;
275         NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
276         const char *filter;
277         bool enum_dom_local_groups = False;
278
279         *num_entries = 0;
280
281         DEBUG(3,("ads: enum_dom_groups\n"));
282
283         if ( !winbindd_can_contact_domain( domain ) ) {
284                 DEBUG(10,("enum_dom_groups: No incoming trust for domain %s\n",
285                           domain->name));               
286                 return NT_STATUS_OK;
287         }
288
289         /* only grab domain local groups for our domain */
290         if ( domain->active_directory && strequal(lp_realm(), domain->alt_name)  ) {
291                 enum_dom_local_groups = True;
292         }
293
294         /* Workaround ADS LDAP bug present in MS W2K3 SP0 and W2K SP4 w/o
295          * rollup-fixes:
296          *
297          * According to Section 5.1(4) of RFC 2251 if a value of a type is it's
298          * default value, it MUST be absent. In case of extensible matching the
299          * "dnattr" boolean defaults to FALSE and so it must be only be present
300          * when set to TRUE. 
301          *
302          * When it is set to FALSE and the OpenLDAP lib (correctly) encodes a
303          * filter using bitwise matching rule then the buggy AD fails to decode
304          * the extensible match. As a workaround set it to TRUE and thereby add
305          * the dnAttributes "dn" field to cope with those older AD versions.
306          * It should not harm and won't put any additional load on the AD since
307          * none of the dn components have a bitmask-attribute.
308          *
309          * Thanks to Ralf Haferkamp for input and testing - Guenther */
310
311         filter = talloc_asprintf(mem_ctx, "(&(objectCategory=group)(&(groupType:dn:%s:=%d)(!(groupType:dn:%s:=%d))))", 
312                                  ADS_LDAP_MATCHING_RULE_BIT_AND, GROUP_TYPE_SECURITY_ENABLED,
313                                  ADS_LDAP_MATCHING_RULE_BIT_AND, 
314                                  enum_dom_local_groups ? GROUP_TYPE_BUILTIN_LOCAL_GROUP : GROUP_TYPE_RESOURCE_GROUP);
315
316         if (filter == NULL) {
317                 status = NT_STATUS_NO_MEMORY;
318                 goto done;
319         }
320
321         ads = ads_cached_connection(domain);
322
323         if (!ads) {
324                 domain->last_status = NT_STATUS_SERVER_DISABLED;
325                 goto done;
326         }
327
328         rc = ads_search_retry(ads, &res, filter, attrs);
329         if (!ADS_ERR_OK(rc) || !res) {
330                 DEBUG(1,("enum_dom_groups ads_search: %s\n", ads_errstr(rc)));
331                 goto done;
332         }
333
334         count = ads_count_replies(ads, res);
335         if (count == 0) {
336                 DEBUG(1,("enum_dom_groups: No groups found\n"));
337                 goto done;
338         }
339
340         (*info) = TALLOC_ZERO_ARRAY(mem_ctx, struct acct_info, count);
341         if (!*info) {
342                 status = NT_STATUS_NO_MEMORY;
343                 goto done;
344         }
345
346         i = 0;
347
348         for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
349                 char *name, *gecos;
350                 DOM_SID sid;
351                 uint32 rid;
352
353                 name = ads_pull_username(ads, mem_ctx, msg);
354                 gecos = ads_pull_string(ads, mem_ctx, msg, "name");
355                 if (!ads_pull_sid(ads, msg, "objectSid", &sid)) {
356                         DEBUG(1,("No sid for %s !?\n", name));
357                         continue;
358                 }
359
360                 if (!sid_peek_check_rid(&domain->sid, &sid, &rid)) {
361                         DEBUG(1,("No rid for %s !?\n", name));
362                         continue;
363                 }
364
365                 fstrcpy((*info)[i].acct_name, name);
366                 fstrcpy((*info)[i].acct_desc, gecos);
367                 (*info)[i].rid = rid;
368                 i++;
369         }
370
371         (*num_entries) = i;
372
373         status = NT_STATUS_OK;
374
375         DEBUG(3,("ads enum_dom_groups gave %d entries\n", (*num_entries)));
376
377 done:
378         if (res) 
379                 ads_msgfree(ads, res);
380
381         return status;
382 }
383
384 /* list all domain local groups */
385 static NTSTATUS enum_local_groups(struct winbindd_domain *domain,
386                                 TALLOC_CTX *mem_ctx,
387                                 uint32 *num_entries, 
388                                 struct acct_info **info)
389 {
390         /*
391          * This is a stub function only as we returned the domain 
392          * local groups in enum_dom_groups() if the domain->native field
393          * was true.  This is a simple performance optimization when
394          * using LDAP.
395          *
396          * if we ever need to enumerate domain local groups separately, 
397          * then this optimization in enum_dom_groups() will need
398          * to be split out
399          */
400         *num_entries = 0;
401
402         return NT_STATUS_OK;
403 }
404
405 /* convert a single name to a sid in a domain - use rpc methods */
406 static NTSTATUS name_to_sid(struct winbindd_domain *domain,
407                             TALLOC_CTX *mem_ctx,
408                             const char *domain_name,
409                             const char *name,
410                             uint32_t flags,
411                             DOM_SID *sid,
412                             enum lsa_SidType *type)
413 {
414         return reconnect_methods.name_to_sid(domain, mem_ctx,
415                                              domain_name, name, flags,
416                                              sid, type);
417 }
418
419 /* convert a domain SID to a user or group name - use rpc methods */
420 static NTSTATUS sid_to_name(struct winbindd_domain *domain,
421                             TALLOC_CTX *mem_ctx,
422                             const DOM_SID *sid,
423                             char **domain_name,
424                             char **name,
425                             enum lsa_SidType *type)
426 {
427         return reconnect_methods.sid_to_name(domain, mem_ctx, sid,
428                                              domain_name, name, type);
429 }
430
431 /* convert a list of rids to names - use rpc methods */
432 static NTSTATUS rids_to_names(struct winbindd_domain *domain,
433                               TALLOC_CTX *mem_ctx,
434                               const DOM_SID *sid,
435                               uint32 *rids,
436                               size_t num_rids,
437                               char **domain_name,
438                               char ***names,
439                               enum lsa_SidType **types)
440 {
441         return reconnect_methods.rids_to_names(domain, mem_ctx, sid,
442                                                rids, num_rids,
443                                                domain_name, names, types);
444 }
445
446 /* If you are looking for "dn_lookup": Yes, it used to be here!
447  * It has gone now since it was a major speed bottleneck in
448  * lookup_groupmem (its only use). It has been replaced by
449  * an rpc lookup sids call... R.I.P. */
450
451 /* Lookup user information from a rid */
452 static NTSTATUS query_user(struct winbindd_domain *domain, 
453                            TALLOC_CTX *mem_ctx, 
454                            const DOM_SID *sid, 
455                            struct wbint_userinfo *info)
456 {
457         ADS_STRUCT *ads = NULL;
458         const char *attrs[] = { "*", NULL };
459         ADS_STATUS rc;
460         int count;
461         LDAPMessage *msg = NULL;
462         char *ldap_exp;
463         char *sidstr;
464         uint32 group_rid;
465         NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
466         struct netr_SamInfo3 *user = NULL;
467         gid_t gid;
468
469         DEBUG(3,("ads: query_user\n"));
470
471         info->homedir = NULL;
472         info->shell = NULL;
473         info->primary_gid = (gid_t)-1;
474
475         /* try netsamlogon cache first */
476
477         if ( (user = netsamlogon_cache_get( mem_ctx, sid )) != NULL ) 
478         {
479                 DEBUG(5,("query_user: Cache lookup succeeded for %s\n", 
480                          sid_string_dbg(sid)));
481
482                 sid_compose(&info->user_sid, &domain->sid, user->base.rid);
483                 sid_compose(&info->group_sid, &domain->sid, user->base.primary_gid);
484
485                 info->acct_name = talloc_strdup(mem_ctx, user->base.account_name.string);
486                 info->full_name = talloc_strdup(mem_ctx, user->base.full_name.string);
487
488                 nss_get_info_cached( domain, sid, mem_ctx, NULL, NULL, 
489                               &info->homedir, &info->shell, &info->full_name, 
490                               &gid );
491                 info->primary_gid = gid;
492
493                 TALLOC_FREE(user);
494
495                 return NT_STATUS_OK;
496         }
497
498         if ( !winbindd_can_contact_domain(domain)) {
499                 DEBUG(8,("query_user: No incoming trust from domain %s\n",
500                          domain->name));
501
502                 /* We still need to generate some basic information
503                    about the user even if we cannot contact the 
504                    domain.  Most of this stuff we can deduce. */
505
506                 sid_copy( &info->user_sid, sid );
507
508                 /* Assume "Domain Users" for the primary group */
509
510                 sid_compose(&info->group_sid, &domain->sid, DOMAIN_GROUP_RID_USERS );
511
512                 /* Try to fill in what the nss_info backend can do */
513
514                 nss_get_info_cached( domain, sid, mem_ctx, NULL, NULL, 
515                               &info->homedir, &info->shell, &info->full_name, 
516                               &gid);
517                 info->primary_gid = gid;
518
519                 status = NT_STATUS_OK;
520                 goto done;
521         }
522
523         /* no cache...do the query */
524
525         if ( (ads = ads_cached_connection(domain)) == NULL ) {
526                 domain->last_status = NT_STATUS_SERVER_DISABLED;
527                 goto done;
528         }
529
530         sidstr = sid_binstring(talloc_tos(), sid);
531         if (asprintf(&ldap_exp, "(objectSid=%s)", sidstr) == -1) {
532                 status = NT_STATUS_NO_MEMORY;
533                 goto done;
534         }
535         rc = ads_search_retry(ads, &msg, ldap_exp, attrs);
536         free(ldap_exp);
537         TALLOC_FREE(sidstr);
538         if (!ADS_ERR_OK(rc) || !msg) {
539                 DEBUG(1,("query_user(sid=%s) ads_search: %s\n",
540                          sid_string_dbg(sid), ads_errstr(rc)));
541                 goto done;
542         }
543
544         count = ads_count_replies(ads, msg);
545         if (count != 1) {
546                 DEBUG(1,("query_user(sid=%s): Not found\n",
547                          sid_string_dbg(sid)));
548                 goto done;
549         }
550
551         info->acct_name = ads_pull_username(ads, mem_ctx, msg);
552
553         nss_get_info_cached( domain, sid, mem_ctx, ads, msg, 
554                       &info->homedir, &info->shell, &info->full_name, 
555                       &gid);
556         info->primary_gid = gid;
557
558         if (info->full_name == NULL) {
559                 info->full_name = ads_pull_string(ads, mem_ctx, msg, "name");
560         }
561
562         if (!ads_pull_uint32(ads, msg, "primaryGroupID", &group_rid)) {
563                 DEBUG(1,("No primary group for %s !?\n",
564                          sid_string_dbg(sid)));
565                 goto done;
566         }
567
568         sid_copy(&info->user_sid, sid);
569         sid_compose(&info->group_sid, &domain->sid, group_rid);
570
571         status = NT_STATUS_OK;
572
573         DEBUG(3,("ads query_user gave %s\n", info->acct_name));
574 done:
575         if (msg) 
576                 ads_msgfree(ads, msg);
577
578         return status;
579 }
580
581 /* Lookup groups a user is a member of - alternate method, for when
582    tokenGroups are not available. */
583 static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain,
584                                          TALLOC_CTX *mem_ctx,
585                                          const char *user_dn, 
586                                          DOM_SID *primary_group,
587                                          size_t *p_num_groups, DOM_SID **user_sids)
588 {
589         ADS_STATUS rc;
590         NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
591         int count;
592         LDAPMessage *res = NULL;
593         LDAPMessage *msg = NULL;
594         char *ldap_exp;
595         ADS_STRUCT *ads;
596         const char *group_attrs[] = {"objectSid", NULL};
597         char *escaped_dn;
598         size_t num_groups = 0;
599
600         DEBUG(3,("ads: lookup_usergroups_member\n"));
601
602         if ( !winbindd_can_contact_domain( domain ) ) {
603                 DEBUG(10,("lookup_usergroups_members: No incoming trust for domain %s\n",
604                           domain->name));               
605                 return NT_STATUS_OK;
606         }
607
608         ads = ads_cached_connection(domain);
609
610         if (!ads) {
611                 domain->last_status = NT_STATUS_SERVER_DISABLED;
612                 goto done;
613         }
614
615         if (!(escaped_dn = escape_ldap_string(talloc_tos(), user_dn))) {
616                 status = NT_STATUS_NO_MEMORY;
617                 goto done;
618         }
619
620         ldap_exp = talloc_asprintf(mem_ctx,
621                 "(&(member=%s)(objectCategory=group)(groupType:dn:%s:=%d))",
622                 escaped_dn,
623                 ADS_LDAP_MATCHING_RULE_BIT_AND,
624                 GROUP_TYPE_SECURITY_ENABLED);
625         if (!ldap_exp) {
626                 DEBUG(1,("lookup_usergroups(dn=%s) asprintf failed!\n", user_dn));
627                 TALLOC_FREE(escaped_dn);
628                 status = NT_STATUS_NO_MEMORY;
629                 goto done;
630         }
631
632         TALLOC_FREE(escaped_dn);
633
634         rc = ads_search_retry(ads, &res, ldap_exp, group_attrs);
635
636         if (!ADS_ERR_OK(rc) || !res) {
637                 DEBUG(1,("lookup_usergroups ads_search member=%s: %s\n", user_dn, ads_errstr(rc)));
638                 return ads_ntstatus(rc);
639         }
640
641         count = ads_count_replies(ads, res);
642
643         *user_sids = NULL;
644         num_groups = 0;
645
646         /* always add the primary group to the sid array */
647         status = add_sid_to_array(mem_ctx, primary_group, user_sids,
648                                   &num_groups);
649         if (!NT_STATUS_IS_OK(status)) {
650                 goto done;
651         }
652
653         if (count > 0) {
654                 for (msg = ads_first_entry(ads, res); msg;
655                      msg = ads_next_entry(ads, msg)) {
656                         DOM_SID group_sid;
657
658                         if (!ads_pull_sid(ads, msg, "objectSid", &group_sid)) {
659                                 DEBUG(1,("No sid for this group ?!?\n"));
660                                 continue;
661                         }
662
663                         /* ignore Builtin groups from ADS - Guenther */
664                         if (sid_check_is_in_builtin(&group_sid)) {
665                                 continue;
666                         }
667
668                         status = add_sid_to_array(mem_ctx, &group_sid,
669                                                   user_sids, &num_groups);
670                         if (!NT_STATUS_IS_OK(status)) {
671                                 goto done;
672                         }
673                 }
674
675         }
676
677         *p_num_groups = num_groups;
678         status = (user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
679
680         DEBUG(3,("ads lookup_usergroups (member) succeeded for dn=%s\n", user_dn));
681 done:
682         if (res) 
683                 ads_msgfree(ads, res);
684
685         return status;
686 }
687
688 /* Lookup groups a user is a member of - alternate method, for when
689    tokenGroups are not available. */
690 static NTSTATUS lookup_usergroups_memberof(struct winbindd_domain *domain,
691                                            TALLOC_CTX *mem_ctx,
692                                            const char *user_dn,
693                                            DOM_SID *primary_group,
694                                            size_t *p_num_groups,
695                                            DOM_SID **user_sids)
696 {
697         ADS_STATUS rc;
698         NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
699         ADS_STRUCT *ads;
700         const char *attrs[] = {"memberOf", NULL};
701         size_t num_groups = 0;
702         DOM_SID *group_sids = NULL;
703         int i;
704         char **strings = NULL;
705         size_t num_strings = 0, num_sids = 0;
706
707
708         DEBUG(3,("ads: lookup_usergroups_memberof\n"));
709
710         if ( !winbindd_can_contact_domain( domain ) ) {
711                 DEBUG(10,("lookup_usergroups_memberof: No incoming trust for "
712                           "domain %s\n", domain->name));
713                 return NT_STATUS_OK;
714         }
715
716         ads = ads_cached_connection(domain);
717
718         if (!ads) {
719                 domain->last_status = NT_STATUS_SERVER_DISABLED;
720                 return NT_STATUS_UNSUCCESSFUL;
721         }
722
723         rc = ads_search_retry_extended_dn_ranged(ads, mem_ctx, user_dn, attrs,
724                                                  ADS_EXTENDED_DN_HEX_STRING,
725                                                  &strings, &num_strings);
726
727         if (!ADS_ERR_OK(rc)) {
728                 DEBUG(1,("lookup_usergroups_memberof ads_search "
729                         "member=%s: %s\n", user_dn, ads_errstr(rc)));
730                 return ads_ntstatus(rc);
731         }
732
733         *user_sids = NULL;
734         num_groups = 0;
735
736         /* always add the primary group to the sid array */
737         status = add_sid_to_array(mem_ctx, primary_group, user_sids,
738                                   &num_groups);
739         if (!NT_STATUS_IS_OK(status)) {
740                 goto done;
741         }
742
743         group_sids = TALLOC_ZERO_ARRAY(mem_ctx, DOM_SID, num_strings + 1);
744         if (!group_sids) {
745                 status = NT_STATUS_NO_MEMORY;
746                 goto done;
747         }
748
749         for (i=0; i<num_strings; i++) {
750                 rc = ads_get_sid_from_extended_dn(mem_ctx, strings[i],
751                                                   ADS_EXTENDED_DN_HEX_STRING,
752                                                   &(group_sids)[i]);
753                 if (!ADS_ERR_OK(rc)) {
754                         /* ignore members without SIDs */
755                         if (NT_STATUS_EQUAL(ads_ntstatus(rc),
756                             NT_STATUS_NOT_FOUND)) {
757                                 continue;
758                         }
759                         else {
760                                 status = ads_ntstatus(rc);
761                                 goto done;
762                         }
763                 }
764                 num_sids++;
765         }
766
767         if (i == 0) {
768                 DEBUG(1,("No memberOf for this user?!?\n"));
769                 status = NT_STATUS_NO_MEMORY;
770                 goto done;
771         }
772
773         for (i=0; i<num_sids; i++) {
774
775                 /* ignore Builtin groups from ADS - Guenther */
776                 if (sid_check_is_in_builtin(&group_sids[i])) {
777                         continue;
778                 }
779
780                 status = add_sid_to_array(mem_ctx, &group_sids[i], user_sids,
781                                           &num_groups);
782                 if (!NT_STATUS_IS_OK(status)) {
783                         goto done;
784                 }
785
786         }
787
788         *p_num_groups = num_groups;
789         status = (*user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
790
791         DEBUG(3,("ads lookup_usergroups (memberof) succeeded for dn=%s\n",
792                 user_dn));
793
794 done:
795         TALLOC_FREE(strings);
796         TALLOC_FREE(group_sids);
797
798         return status;
799 }
800
801
802 /* Lookup groups a user is a member of. */
803 static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
804                                   TALLOC_CTX *mem_ctx,
805                                   const DOM_SID *sid, 
806                                   uint32 *p_num_groups, DOM_SID **user_sids)
807 {
808         ADS_STRUCT *ads = NULL;
809         const char *attrs[] = {"tokenGroups", "primaryGroupID", NULL};
810         ADS_STATUS rc;
811         int count;
812         LDAPMessage *msg = NULL;
813         char *user_dn = NULL;
814         DOM_SID *sids;
815         int i;
816         DOM_SID primary_group;
817         uint32 primary_group_rid;
818         NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
819         size_t num_groups = 0;
820
821         DEBUG(3,("ads: lookup_usergroups\n"));
822         *p_num_groups = 0;
823
824         status = lookup_usergroups_cached(domain, mem_ctx, sid, 
825                                           p_num_groups, user_sids);
826         if (NT_STATUS_IS_OK(status)) {
827                 return NT_STATUS_OK;
828         }
829
830         if ( !winbindd_can_contact_domain( domain ) ) {
831                 DEBUG(10,("lookup_usergroups: No incoming trust for domain %s\n",
832                           domain->name));
833
834                 /* Tell the cache manager not to remember this one */
835
836                 return NT_STATUS_SYNCHRONIZATION_REQUIRED;
837         }
838
839         ads = ads_cached_connection(domain);
840
841         if (!ads) {
842                 domain->last_status = NT_STATUS_SERVER_DISABLED;
843                 status = NT_STATUS_SERVER_DISABLED;
844                 goto done;
845         }
846
847         rc = ads_search_retry_sid(ads, &msg, sid, attrs);
848
849         if (!ADS_ERR_OK(rc)) {
850                 status = ads_ntstatus(rc);
851                 DEBUG(1, ("lookup_usergroups(sid=%s) ads_search tokenGroups: "
852                           "%s\n", sid_string_dbg(sid), ads_errstr(rc)));
853                 goto done;
854         }
855
856         count = ads_count_replies(ads, msg);
857         if (count != 1) {
858                 status = NT_STATUS_UNSUCCESSFUL;
859                 DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: "
860                          "invalid number of results (count=%d)\n", 
861                          sid_string_dbg(sid), count));
862                 goto done;
863         }
864
865         if (!msg) {
866                 DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: NULL msg\n", 
867                          sid_string_dbg(sid)));
868                 status = NT_STATUS_UNSUCCESSFUL;
869                 goto done;
870         }
871
872         user_dn = ads_get_dn(ads, mem_ctx, msg);
873         if (user_dn == NULL) {
874                 status = NT_STATUS_NO_MEMORY;
875                 goto done;
876         }
877
878         if (!ads_pull_uint32(ads, msg, "primaryGroupID", &primary_group_rid)) {
879                 DEBUG(1,("%s: No primary group for sid=%s !?\n", 
880                          domain->name, sid_string_dbg(sid)));
881                 goto done;
882         }
883
884         sid_copy(&primary_group, &domain->sid);
885         sid_append_rid(&primary_group, primary_group_rid);
886
887         count = ads_pull_sids(ads, mem_ctx, msg, "tokenGroups", &sids);
888
889         /* there must always be at least one group in the token, 
890            unless we are talking to a buggy Win2k server */
891
892         /* actually this only happens when the machine account has no read
893          * permissions on the tokenGroup attribute - gd */
894
895         if (count == 0) {
896
897                 /* no tokenGroups */
898
899                 /* lookup what groups this user is a member of by DN search on
900                  * "memberOf" */
901
902                 status = lookup_usergroups_memberof(domain, mem_ctx, user_dn,
903                                                     &primary_group,
904                                                     &num_groups, user_sids);
905                 *p_num_groups = (uint32)num_groups;
906                 if (NT_STATUS_IS_OK(status)) {
907                         goto done;
908                 }
909
910                 /* lookup what groups this user is a member of by DN search on
911                  * "member" */
912
913                 status = lookup_usergroups_member(domain, mem_ctx, user_dn, 
914                                                   &primary_group,
915                                                   &num_groups, user_sids);
916                 *p_num_groups = (uint32)num_groups;
917                 goto done;
918         }
919
920         *user_sids = NULL;
921         num_groups = 0;
922
923         status = add_sid_to_array(mem_ctx, &primary_group, user_sids,
924                                   &num_groups);
925         if (!NT_STATUS_IS_OK(status)) {
926                 goto done;
927         }
928
929         for (i=0;i<count;i++) {
930
931                 /* ignore Builtin groups from ADS - Guenther */
932                 if (sid_check_is_in_builtin(&sids[i])) {
933                         continue;
934                 }
935
936                 status = add_sid_to_array_unique(mem_ctx, &sids[i],
937                                                  user_sids, &num_groups);
938                 if (!NT_STATUS_IS_OK(status)) {
939                         goto done;
940                 }
941         }
942
943         *p_num_groups = (uint32)num_groups;
944         status = (*user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
945
946         DEBUG(3,("ads lookup_usergroups (tokenGroups) succeeded for sid=%s\n",
947                  sid_string_dbg(sid)));
948 done:
949         TALLOC_FREE(user_dn);
950         ads_msgfree(ads, msg);
951         return status;
952 }
953
954 /* Lookup aliases a user is member of - use rpc methods */
955 static NTSTATUS lookup_useraliases(struct winbindd_domain *domain,
956                                    TALLOC_CTX *mem_ctx,
957                                    uint32 num_sids, const DOM_SID *sids,
958                                    uint32 *num_aliases, uint32 **alias_rids)
959 {
960         return reconnect_methods.lookup_useraliases(domain, mem_ctx,
961                                                     num_sids, sids,
962                                                     num_aliases,
963                                                     alias_rids);
964 }
965
966 /*
967   find the members of a group, given a group rid and domain
968  */
969 static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
970                                 TALLOC_CTX *mem_ctx,
971                                 const DOM_SID *group_sid,
972                                 enum lsa_SidType type,
973                                 uint32 *num_names,
974                                 DOM_SID **sid_mem, char ***names,
975                                 uint32 **name_types)
976 {
977         ADS_STATUS rc;
978         ADS_STRUCT *ads = NULL;
979         char *ldap_exp;
980         NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
981         char *sidbinstr;
982         char **members = NULL;
983         int i;
984         size_t num_members = 0;
985         ads_control args;
986         DOM_SID *sid_mem_nocache = NULL;
987         char **names_nocache = NULL;
988         enum lsa_SidType *name_types_nocache = NULL;
989         char **domains_nocache = NULL;     /* only needed for rpccli_lsa_lookup_sids */
990         uint32 num_nocache = 0;
991         TALLOC_CTX *tmp_ctx = NULL;
992
993         DEBUG(10,("ads: lookup_groupmem %s sid=%s\n", domain->name,
994                   sid_string_dbg(group_sid)));
995
996         *num_names = 0;
997
998         tmp_ctx = talloc_new(mem_ctx);
999         if (!tmp_ctx) {
1000                 DEBUG(1, ("ads: lookup_groupmem: talloc failed\n"));
1001                 status = NT_STATUS_NO_MEMORY;
1002                 goto done;
1003         }
1004
1005         if ( !winbindd_can_contact_domain( domain ) ) {
1006                 DEBUG(10,("lookup_groupmem: No incoming trust for domain %s\n",
1007                           domain->name));
1008                 return NT_STATUS_OK;
1009         }
1010
1011         ads = ads_cached_connection(domain);
1012
1013         if (!ads) {
1014                 domain->last_status = NT_STATUS_SERVER_DISABLED;
1015                 goto done;
1016         }
1017
1018         if ((sidbinstr = sid_binstring(talloc_tos(), group_sid)) == NULL) {
1019                 status = NT_STATUS_NO_MEMORY;
1020                 goto done;
1021         }
1022
1023         /* search for all members of the group */
1024         ldap_exp = talloc_asprintf(tmp_ctx, "(objectSid=%s)", sidbinstr);
1025         TALLOC_FREE(sidbinstr);
1026         if (ldap_exp == NULL) {
1027                 DEBUG(1, ("ads: lookup_groupmem: talloc_asprintf for ldap_exp failed!\n"));
1028                 status = NT_STATUS_NO_MEMORY;
1029                 goto done;
1030         }
1031
1032         args.control = ADS_EXTENDED_DN_OID;
1033         args.val = ADS_EXTENDED_DN_HEX_STRING;
1034         args.critical = True;
1035
1036         rc = ads_ranged_search(ads, tmp_ctx, LDAP_SCOPE_SUBTREE, ads->config.bind_path,
1037                                ldap_exp, &args, "member", &members, &num_members);
1038
1039         if (!ADS_ERR_OK(rc)) {
1040                 DEBUG(0,("ads_ranged_search failed with: %s\n", ads_errstr(rc)));
1041                 status = NT_STATUS_UNSUCCESSFUL;
1042                 goto done;
1043         }
1044
1045         DEBUG(10, ("ads lookup_groupmem: got %d sids via extended dn call\n", (int)num_members));
1046
1047         /* Now that we have a list of sids, we need to get the
1048          * lists of names and name_types belonging to these sids.
1049          * even though conceptually not quite clean,  we use the
1050          * RPC call lsa_lookup_sids for this since it can handle a
1051          * list of sids. ldap calls can just resolve one sid at a time.
1052          *
1053          * At this stage, the sids are still hidden in the exetended dn
1054          * member output format. We actually do a little better than
1055          * stated above: In extracting the sids from the member strings,
1056          * we try to resolve as many sids as possible from the
1057          * cache. Only the rest is passed to the lsa_lookup_sids call. */
1058
1059         if (num_members) {
1060                 (*sid_mem) = TALLOC_ZERO_ARRAY(mem_ctx, DOM_SID, num_members);
1061                 (*names) = TALLOC_ZERO_ARRAY(mem_ctx, char *, num_members);
1062                 (*name_types) = TALLOC_ZERO_ARRAY(mem_ctx, uint32, num_members);
1063                 (sid_mem_nocache) = TALLOC_ZERO_ARRAY(tmp_ctx, DOM_SID, num_members);
1064
1065                 if ((members == NULL) || (*sid_mem == NULL) ||
1066                     (*names == NULL) || (*name_types == NULL) ||
1067                     (sid_mem_nocache == NULL))
1068                 {
1069                         DEBUG(1, ("ads: lookup_groupmem: talloc failed\n"));
1070                         status = NT_STATUS_NO_MEMORY;
1071                         goto done;
1072                 }
1073         }
1074         else {
1075                 (*sid_mem) = NULL;
1076                 (*names) = NULL;
1077                 (*name_types) = NULL;
1078         }
1079
1080         for (i=0; i<num_members; i++) {
1081                 enum lsa_SidType name_type;
1082                 char *name, *domain_name;
1083                 DOM_SID sid;
1084
1085                 rc = ads_get_sid_from_extended_dn(tmp_ctx, members[i], args.val,
1086                     &sid);
1087                 if (!ADS_ERR_OK(rc)) {
1088                         if (NT_STATUS_EQUAL(ads_ntstatus(rc),
1089                             NT_STATUS_NOT_FOUND)) {
1090                                 /* Group members can be objects, like Exchange
1091                                  * Public Folders, that don't have a SID.  Skip
1092                                  * them. */
1093                                 continue;
1094                         }
1095                         else {
1096                                 status = ads_ntstatus(rc);
1097                                 goto done;
1098                         }
1099                 }
1100                 if (lookup_cached_sid(mem_ctx, &sid, &domain_name, &name,
1101                     &name_type)) {
1102                         DEBUG(10,("ads: lookup_groupmem: got sid %s from "
1103                                   "cache\n", sid_string_dbg(&sid)));
1104                         sid_copy(&(*sid_mem)[*num_names], &sid);
1105                         (*names)[*num_names] = fill_domain_username_talloc(
1106                                                         *names,
1107                                                         domain_name,
1108                                                         name,
1109                                                         true);
1110
1111                         (*name_types)[*num_names] = name_type;
1112                         (*num_names)++;
1113                 }
1114                 else {
1115                         DEBUG(10, ("ads: lookup_groupmem: sid %s not found in "
1116                                    "cache\n", sid_string_dbg(&sid)));
1117                         sid_copy(&(sid_mem_nocache)[num_nocache], &sid);
1118                         num_nocache++;
1119                 }
1120         }
1121
1122         DEBUG(10, ("ads: lookup_groupmem: %d sids found in cache, "
1123                   "%d left for lsa_lookupsids\n", *num_names, num_nocache));
1124
1125         /* handle sids not resolved from cache by lsa_lookup_sids */
1126         if (num_nocache > 0) {
1127
1128                 status = winbindd_lookup_sids(tmp_ctx,
1129                                               domain,
1130                                               num_nocache,
1131                                               sid_mem_nocache,
1132                                               &domains_nocache,
1133                                               &names_nocache,
1134                                               &name_types_nocache);
1135
1136                 if (!(NT_STATUS_IS_OK(status) ||
1137                       NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED) ||
1138                       NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)))
1139                 {
1140                         DEBUG(1, ("lsa_lookupsids call failed with %s "
1141                                   "- retrying...\n", nt_errstr(status)));
1142
1143                         status = winbindd_lookup_sids(tmp_ctx,
1144                                                       domain,
1145                                                       num_nocache,
1146                                                       sid_mem_nocache,
1147                                                       &domains_nocache,
1148                                                       &names_nocache,
1149                                                       &name_types_nocache);
1150                 }
1151
1152                 if (NT_STATUS_IS_OK(status) ||
1153                     NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED))
1154                 {
1155                         /* Copy the entries over from the "_nocache" arrays
1156                          * to the result arrays, skipping the gaps the
1157                          * lookup_sids call left. */
1158                         for (i=0; i < num_nocache; i++) {
1159                                 if (((names_nocache)[i] != NULL) &&
1160                                     ((name_types_nocache)[i] != SID_NAME_UNKNOWN))
1161                                 {
1162                                         sid_copy(&(*sid_mem)[*num_names],
1163                                                  &sid_mem_nocache[i]);
1164                                         (*names)[*num_names] =
1165                                                 fill_domain_username_talloc(
1166                                                         *names,
1167                                                         domains_nocache[i],
1168                                                         names_nocache[i],
1169                                                         true);
1170                                         (*name_types)[*num_names] = name_types_nocache[i];
1171                                         (*num_names)++;
1172                                 }
1173                         }
1174                 }
1175                 else if (NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)) {
1176                         DEBUG(10, ("lookup_groupmem: lsa_lookup_sids could "
1177                                    "not map any SIDs at all.\n"));
1178                         /* Don't handle this as an error here.
1179                          * There is nothing left to do with respect to the 
1180                          * overall result... */
1181                 }
1182                 else if (!NT_STATUS_IS_OK(status)) {
1183                         DEBUG(10, ("lookup_groupmem: Error looking up %d "
1184                                    "sids via rpc_lsa_lookup_sids: %s\n",
1185                                    (int)num_members, nt_errstr(status)));
1186                         goto done;
1187                 }
1188         }
1189
1190         status = NT_STATUS_OK;
1191         DEBUG(3,("ads lookup_groupmem for sid=%s succeeded\n",
1192                  sid_string_dbg(group_sid)));
1193
1194 done:
1195
1196         TALLOC_FREE(tmp_ctx);
1197
1198         return status;
1199 }
1200
1201 /* find the sequence number for a domain */
1202 static NTSTATUS sequence_number(struct winbindd_domain *domain, uint32 *seq)
1203 {
1204         ADS_STRUCT *ads = NULL;
1205         ADS_STATUS rc;
1206
1207         DEBUG(3,("ads: fetch sequence_number for %s\n", domain->name));
1208
1209         if ( !winbindd_can_contact_domain( domain ) ) {
1210                 DEBUG(10,("sequence: No incoming trust for domain %s\n",
1211                           domain->name));
1212                 *seq = time(NULL);              
1213                 return NT_STATUS_OK;
1214         }
1215
1216         *seq = DOM_SEQUENCE_NONE;
1217
1218         ads = ads_cached_connection(domain);
1219
1220         if (!ads) {
1221                 domain->last_status = NT_STATUS_SERVER_DISABLED;
1222                 return NT_STATUS_UNSUCCESSFUL;
1223         }
1224
1225         rc = ads_USN(ads, seq);
1226
1227         if (!ADS_ERR_OK(rc)) {
1228
1229                 /* its a dead connection, destroy it */
1230
1231                 if (domain->private_data) {
1232                         ads = (ADS_STRUCT *)domain->private_data;
1233                         ads->is_mine = True;
1234                         ads_destroy(&ads);
1235                         ads_kdestroy("MEMORY:winbind_ccache");
1236                         domain->private_data = NULL;
1237                 }
1238         }
1239         return ads_ntstatus(rc);
1240 }
1241
1242 /* find the lockout policy of a domain - use rpc methods */
1243 static NTSTATUS lockout_policy(struct winbindd_domain *domain,
1244                                TALLOC_CTX *mem_ctx,
1245                                struct samr_DomInfo12 *policy)
1246 {
1247         return reconnect_methods.lockout_policy(domain, mem_ctx, policy);
1248 }
1249
1250 /* find the password policy of a domain - use rpc methods */
1251 static NTSTATUS password_policy(struct winbindd_domain *domain,
1252                                 TALLOC_CTX *mem_ctx,
1253                                 struct samr_DomInfo1 *policy)
1254 {
1255         return reconnect_methods.password_policy(domain, mem_ctx, policy);
1256 }
1257
1258 /* get a list of trusted domains */
1259 static NTSTATUS trusted_domains(struct winbindd_domain *domain,
1260                                 TALLOC_CTX *mem_ctx,
1261                                 uint32 *num_domains,
1262                                 char ***names,
1263                                 char ***alt_names,
1264                                 DOM_SID **dom_sids)
1265 {
1266         NTSTATUS                result = NT_STATUS_UNSUCCESSFUL;
1267         struct netr_DomainTrustList trusts;
1268         int                     i;
1269         uint32                  flags;  
1270         struct rpc_pipe_client *cli;
1271         uint32                 fr_flags = (NETR_TRUST_FLAG_IN_FOREST | NETR_TRUST_FLAG_TREEROOT);
1272         int ret_count;
1273
1274         DEBUG(3,("ads: trusted_domains\n"));
1275
1276         *num_domains = 0;
1277         *alt_names   = NULL;
1278         *names       = NULL;
1279         *dom_sids    = NULL;
1280
1281         /* If this is our primary domain or a root in our forest,
1282            query for all trusts.  If not, then just look for domain
1283            trusts in the target forest */
1284
1285         if ( domain->primary ||
1286                 ((domain->domain_flags&fr_flags) == fr_flags) ) 
1287         {
1288                 flags = NETR_TRUST_FLAG_OUTBOUND |
1289                         NETR_TRUST_FLAG_INBOUND |
1290                         NETR_TRUST_FLAG_IN_FOREST;
1291         } else {
1292                 flags = NETR_TRUST_FLAG_IN_FOREST;
1293         }       
1294
1295         result = cm_connect_netlogon(domain, &cli);
1296
1297         if (!NT_STATUS_IS_OK(result)) {
1298                 DEBUG(5, ("trusted_domains: Could not open a connection to %s "
1299                           "for PIPE_NETLOGON (%s)\n", 
1300                           domain->name, nt_errstr(result)));
1301                 return NT_STATUS_UNSUCCESSFUL;
1302         }
1303
1304         result = rpccli_netr_DsrEnumerateDomainTrusts(cli, mem_ctx,
1305                                                       cli->desthost,
1306                                                       flags,
1307                                                       &trusts,
1308                                                       NULL);
1309         if ( NT_STATUS_IS_OK(result) && trusts.count) {
1310
1311                 /* Allocate memory for trusted domain names and sids */
1312
1313                 if ( !(*names = TALLOC_ARRAY(mem_ctx, char *, trusts.count)) ) {
1314                         DEBUG(0, ("trusted_domains: out of memory\n"));
1315                         return NT_STATUS_NO_MEMORY;
1316                 }
1317
1318                 if ( !(*alt_names = TALLOC_ARRAY(mem_ctx, char *, trusts.count)) ) {
1319                         DEBUG(0, ("trusted_domains: out of memory\n"));
1320                         return NT_STATUS_NO_MEMORY;
1321                 }
1322
1323                 if ( !(*dom_sids = TALLOC_ARRAY(mem_ctx, DOM_SID, trusts.count)) ) {
1324                         DEBUG(0, ("trusted_domains: out of memory\n"));
1325                         return NT_STATUS_NO_MEMORY;
1326                 }
1327
1328                 /* Copy across names and sids */
1329
1330
1331                 ret_count = 0;          
1332                 for (i = 0; i < trusts.count; i++) {
1333                         struct winbindd_domain d;
1334
1335                         ZERO_STRUCT(d);
1336
1337                         /* drop external trusts if this is not our primary 
1338                            domain.  This means that the returned number of 
1339                            domains may be less that the ones actually trusted
1340                            by the DC. */
1341
1342                         if ( (trusts.array[i].trust_attributes == NETR_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) &&
1343                              !domain->primary ) 
1344                         {
1345                                 DEBUG(10,("trusted_domains: Skipping external trusted domain "
1346                                           "%s because it is outside of our primary domain\n",
1347                                           trusts.array[i].netbios_name));
1348                                 continue;
1349                         }
1350
1351                         /* We must check that the SID of each trusted domain
1352                          * was returned to work around a bug in Windows:
1353                          * http://support.microsoft.com/kb/922832 */
1354
1355                         (*names)[ret_count] = CONST_DISCARD(char *, trusts.array[i].netbios_name);
1356                         (*alt_names)[ret_count] = CONST_DISCARD(char *, trusts.array[i].dns_name);
1357                         if (trusts.array[i].sid) {
1358                                 sid_copy(&(*dom_sids)[ret_count], trusts.array[i].sid);
1359                         } else {
1360                                 sid_copy(&(*dom_sids)[ret_count], &global_sid_NULL);
1361                         }
1362
1363                         /* add to the trusted domain cache */
1364
1365                         fstrcpy( d.name,  trusts.array[i].netbios_name);
1366                         fstrcpy( d.alt_name, trusts.array[i].dns_name);
1367                         if (trusts.array[i].sid) {
1368                                 sid_copy( &d.sid, trusts.array[i].sid);
1369                         } else {
1370                                 sid_copy(&d.sid, &global_sid_NULL);
1371                         }
1372
1373                         if ( domain->primary ) {
1374                                 DEBUG(10,("trusted_domains(ads):  Searching "
1375                                           "trusted domain list of %s and storing "
1376                                           "trust flags for domain %s\n", 
1377                                           domain->name, d.alt_name));
1378
1379                                 d.domain_flags = trusts.array[i].trust_flags;
1380                                 d.domain_type = trusts.array[i].trust_type;
1381                                 d.domain_trust_attribs = trusts.array[i].trust_attributes;
1382
1383                                 wcache_tdc_add_domain( &d );
1384                                 ret_count++;
1385                         } else if ( (domain->domain_flags&fr_flags) == fr_flags ) {
1386                                 /* Check if we already have this record. If
1387                                  * we are following our forest root that is not
1388                                  * our primary domain, we want to keep trust
1389                                  * flags from the perspective of our primary
1390                                  * domain not our forest root. */
1391                                 struct winbindd_tdc_domain *exist = NULL;
1392
1393                                 exist = 
1394                                     wcache_tdc_fetch_domain(NULL, trusts.array[i].netbios_name);
1395                                 if (!exist) {
1396                                         DEBUG(10,("trusted_domains(ads):  Searching "
1397                                                   "trusted domain list of %s and storing "
1398                                                   "trust flags for domain %s\n", 
1399                                                   domain->name, d.alt_name));
1400                                         d.domain_flags = trusts.array[i].trust_flags;
1401                                         d.domain_type = trusts.array[i].trust_type;
1402                                         d.domain_trust_attribs = trusts.array[i].trust_attributes;
1403
1404                                         wcache_tdc_add_domain( &d );
1405                                         ret_count++;
1406                                 }
1407                                 TALLOC_FREE(exist);
1408                         } else {
1409                                 /* This gets a little tricky.  If we are
1410                                    following a transitive forest trust, then
1411                                    innerit the flags, type, and attribs from
1412                                    the domain we queried to make sure we don't
1413                                    record the view of the trust from the wrong
1414                                    side.  Always view it from the side of our
1415                                    primary domain.   --jerry */
1416                                 struct winbindd_tdc_domain *parent = NULL;
1417
1418                                 DEBUG(10,("trusted_domains(ads):  Searching "
1419                                           "trusted domain list of %s and inheriting "
1420                                           "trust flags for domain %s\n", 
1421                                           domain->name, d.alt_name));
1422
1423                                 parent = wcache_tdc_fetch_domain(NULL, domain->name);
1424                                 if (parent) {
1425                                         d.domain_flags = parent->trust_flags;
1426                                         d.domain_type  = parent->trust_type;
1427                                         d.domain_trust_attribs = parent->trust_attribs;
1428                                 } else {
1429                                         d.domain_flags = domain->domain_flags;
1430                                         d.domain_type  = domain->domain_type;
1431                                         d.domain_trust_attribs = domain->domain_trust_attribs;
1432                                 }
1433                                 TALLOC_FREE(parent);
1434
1435                                 wcache_tdc_add_domain( &d );
1436                                 ret_count++;
1437                         }
1438                 }
1439
1440                 *num_domains = ret_count;       
1441         }
1442
1443         return result;
1444 }
1445
1446 /* the ADS backend methods are exposed via this structure */
1447 struct winbindd_methods ads_methods = {
1448         True,
1449         query_user_list,
1450         enum_dom_groups,
1451         enum_local_groups,
1452         name_to_sid,
1453         sid_to_name,
1454         rids_to_names,
1455         query_user,
1456         lookup_usergroups,
1457         lookup_useraliases,
1458         lookup_groupmem,
1459         sequence_number,
1460         lockout_policy,
1461         password_policy,
1462         trusted_domains,
1463 };
1464
1465 #endif