2 Unix SMB/Netbios implementation.
4 Winbind ADS backend functions
6 Copyright (C) Andrew Tridgell 2001
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program; if not, write to the Free Software
20 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
27 /* the realm of our primary LDAP server */
28 static char *primary_realm;
32 a wrapper around ldap_search_s that retries depending on the error code
33 this is supposed to catch dropped connections and auto-reconnect
35 int ads_do_search_retry(ADS_STRUCT *ads, const char *bind_path, int scope,
37 const char **attrs, void **res)
44 time(NULL) - ads->last_attempt < ADS_RECONNECT_TIME) {
45 return LDAP_SERVER_DOWN;
49 rc = ads_do_search(ads, bind_path, scope, exp, attrs, res);
51 DEBUG(5,("Search for %s gave %d replies\n",
52 exp, ads_count_replies(ads, *res)));
56 if (*res) ads_msgfree(ads, *res);
58 DEBUG(1,("Reopening ads connection after error %s\n", ads_errstr(rc)));
60 /* we should unbind here, but that seems to trigger openldap bugs :(
65 rc2 = ads_connect(ads);
67 DEBUG(1,("ads_search_retry: failed to reconnect:\n"));
69 ads_display_status("", rc2.rc, rc2.minor_status);
71 DEBUG(1,("LDAP error: %s\n", ads_errstr(rc2.rc)));
77 DEBUG(1,("ads reopen failed after error %s\n", ads_errstr(rc)));
82 int ads_search_retry(ADS_STRUCT *ads, void **res,
86 return ads_do_search_retry(ads, ads->bind_path, LDAP_SCOPE_SUBTREE,
90 int ads_search_retry_dn(ADS_STRUCT *ads, void **res,
94 return ads_do_search_retry(ads, dn, LDAP_SCOPE_BASE,
95 "(objectclass=*)", attrs, res);
99 return our ads connections structure for a domain. We keep the connection
100 open to make things faster
102 static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain)
107 struct in_addr server_ip;
109 if (domain->private) {
110 return (ADS_STRUCT *)domain->private;
113 /* we don't want this to affect the users ccache */
114 ccache = lock_path("winbindd_ccache");
115 SETENV("KRB5CCNAME", ccache, 1);
118 if (!resolve_name(domain->name, &server_ip, 0x1b)) {
119 DEBUG(1,("Can't find PDC for domain %s\n", domain->name));
123 ads = ads_init(primary_realm, inet_ntoa(server_ip), NULL, NULL);
125 DEBUG(1,("ads_init for domain %s failed\n", domain->name));
129 /* the machine acct password might have change - fetch it every time */
130 SAFE_FREE(ads->password);
131 ads->password = secrets_fetch_machine_password();
133 rc = ads_connect(ads);
135 DEBUG(1,("ads_connect for domain %s failed:\n", domain->name));
137 ads_display_status("", rc.rc, rc.minor_status);
139 DEBUG(1,("LDAP error: %s\n", ads_errstr(rc.rc)));
145 /* remember our primary realm for trusted domain support */
146 if (!primary_realm) {
147 primary_realm = strdup(ads->realm);
150 fstrcpy(domain->full_name, ads->server_realm);
152 domain->private = (void *)ads;
157 static void sid_from_rid(struct winbindd_domain *domain, uint32 rid, DOM_SID *sid)
159 sid_copy(sid, &domain->sid);
160 sid_append_rid(sid, rid);
163 /* turn a sAMAccountType into a SID_NAME_USE */
164 static enum SID_NAME_USE ads_atype_map(uint32 atype)
166 switch (atype & 0xF0000000) {
168 return SID_NAME_DOM_GRP;
170 return SID_NAME_USER;
172 DEBUG(1,("hmm, need to map account type 0x%x\n", atype));
174 return SID_NAME_UNKNOWN;
177 /* Query display info for a realm. This is the basic user list fn */
178 static NTSTATUS query_user_list(struct winbindd_domain *domain,
181 WINBIND_USERINFO **info)
183 ADS_STRUCT *ads = NULL;
184 const char *attrs[] = {"sAMAccountName", "name", "objectSid", "primaryGroupID",
185 "sAMAccountType", NULL};
189 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
193 DEBUG(3,("ads: query_user_list\n"));
195 ads = ads_cached_connection(domain);
198 rc = ads_search_retry(ads, &res, "(objectCategory=user)", attrs);
200 DEBUG(1,("query_user_list ads_search: %s\n", ads_errstr(rc)));
204 count = ads_count_replies(ads, res);
206 DEBUG(1,("query_user_list: No users found\n"));
210 (*info) = talloc(mem_ctx, count * sizeof(**info));
212 status = NT_STATUS_NO_MEMORY;
218 for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
224 if (!ads_pull_uint32(ads, msg, "sAMAccountType", &atype) ||
225 ads_atype_map(atype) != SID_NAME_USER) {
226 DEBUG(1,("Not a user account? atype=0x%x\n", atype));
230 name = ads_pull_string(ads, mem_ctx, msg, "sAMAccountName");
231 gecos = ads_pull_string(ads, mem_ctx, msg, "name");
232 if (!ads_pull_sid(ads, msg, "objectSid", &sid)) {
233 DEBUG(1,("No sid for %s !?\n", name));
236 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &group)) {
237 DEBUG(1,("No primary group for %s !?\n", name));
241 if (!sid_peek_rid(&sid, &rid)) {
242 DEBUG(1,("No rid for %s !?\n", name));
246 (*info)[i].acct_name = name;
247 (*info)[i].full_name = gecos;
248 (*info)[i].user_rid = rid;
249 (*info)[i].group_rid = group;
254 status = NT_STATUS_OK;
256 DEBUG(3,("ads query_user_list gave %d entries\n", (*num_entries)));
259 if (res) ads_msgfree(ads, res);
264 /* list all domain groups */
265 static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
268 struct acct_info **info)
270 ADS_STRUCT *ads = NULL;
271 const char *attrs[] = {"sAMAccountName", "name", "objectSid",
272 "sAMAccountType", NULL};
276 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
280 DEBUG(3,("ads: enum_dom_groups\n"));
282 ads = ads_cached_connection(domain);
285 rc = ads_search_retry(ads, &res, "(objectCategory=group)", attrs);
287 DEBUG(1,("query_user_list ads_search: %s\n", ads_errstr(rc)));
291 count = ads_count_replies(ads, res);
293 DEBUG(1,("query_user_list: No users found\n"));
297 (*info) = talloc(mem_ctx, count * sizeof(**info));
299 status = NT_STATUS_NO_MEMORY;
305 for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
311 if (!ads_pull_uint32(ads, msg, "sAMAccountType",
313 !(account_type & ATYPE_GROUP)) continue;
315 name = ads_pull_string(ads, mem_ctx, msg, "sAMAccountName");
316 gecos = ads_pull_string(ads, mem_ctx, msg, "name");
317 if (!ads_pull_sid(ads, msg, "objectSid", &sid)) {
318 DEBUG(1,("No sid for %s !?\n", name));
322 if (!sid_peek_rid(&sid, &rid)) {
323 DEBUG(1,("No rid for %s !?\n", name));
327 fstrcpy((*info)[i].acct_name, name);
328 fstrcpy((*info)[i].acct_desc, gecos);
329 (*info)[i].rid = rid;
335 status = NT_STATUS_OK;
337 DEBUG(3,("ads enum_dom_groups gave %d entries\n", (*num_entries)));
340 if (res) ads_msgfree(ads, res);
346 /* convert a single name to a sid in a domain */
347 static NTSTATUS name_to_sid(struct winbindd_domain *domain,
350 enum SID_NAME_USE *type)
352 ADS_STRUCT *ads = NULL;
353 const char *attrs[] = {"objectSid", "sAMAccountType", NULL};
358 fstring name2, dom2, fullname2;
359 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
361 /* sigh. Need to fix interface to give us a raw name */
362 fstrcpy(fullname2, name);
363 fstring_sub(fullname2, "\\", lp_winbind_separator());
364 if (!parse_domain_user(fullname2, dom2, name2)) {
368 DEBUG(3,("ads: name_to_sid\n"));
370 ads = ads_cached_connection(domain);
373 asprintf(&exp, "(sAMAccountName=%s)", name2);
374 rc = ads_search_retry(ads, &res, exp, attrs);
377 DEBUG(1,("name_to_sid ads_search: %s\n", ads_errstr(rc)));
381 count = ads_count_replies(ads, res);
383 DEBUG(1,("name_to_sid: %s not found\n", name));
387 if (!ads_pull_sid(ads, res, "objectSid", sid)) {
388 DEBUG(1,("No sid for %s !?\n", name));
392 if (!ads_pull_uint32(ads, res, "sAMAccountType", &t)) {
393 DEBUG(1,("No sAMAccountType for %s !?\n", name));
397 *type = ads_atype_map(t);
399 status = NT_STATUS_OK;
401 DEBUG(3,("ads name_to_sid mapped %s\n", name));
404 if (res) ads_msgfree(ads, res);
409 /* convert a sid to a user or group name */
410 static NTSTATUS sid_to_name(struct winbindd_domain *domain,
414 enum SID_NAME_USE *type)
416 ADS_STRUCT *ads = NULL;
417 const char *attrs[] = {"sAMAccountName", "sAMAccountType", NULL};
424 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
426 DEBUG(3,("ads: sid_to_name\n"));
428 ads = ads_cached_connection(domain);
431 sidstr = sid_binstring(sid);
432 asprintf(&exp, "(objectSid=%s)", sidstr);
433 rc = ads_search_retry(ads, &msg, exp, attrs);
437 DEBUG(1,("sid_to_name ads_search: %s\n", ads_errstr(rc)));
441 if (!ads_pull_uint32(ads, msg, "sAMAccountType", &atype)) {
445 s = ads_pull_string(ads, mem_ctx, msg, "sAMAccountName");
446 *name = talloc_asprintf(mem_ctx, "%s%s%s", domain->name, lp_winbind_separator(), s);
447 *type = ads_atype_map(atype);
449 status = NT_STATUS_OK;
451 DEBUG(3,("ads sid_to_name mapped %s\n", *name));
454 if (msg) ads_msgfree(ads, msg);
460 /* Lookup user information from a rid */
461 static NTSTATUS query_user(struct winbindd_domain *domain,
464 WINBIND_USERINFO *info)
466 ADS_STRUCT *ads = NULL;
467 const char *attrs[] = {"sAMAccountName", "name", "objectSid",
468 "primaryGroupID", NULL};
474 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
476 DEBUG(3,("ads: query_user\n"));
478 sid_from_rid(domain, user_rid, &sid);
480 ads = ads_cached_connection(domain);
483 sidstr = sid_binstring(&sid);
484 asprintf(&exp, "(objectSid=%s)", sidstr);
485 rc = ads_search_retry(ads, &msg, exp, attrs);
489 DEBUG(1,("query_user(rid=%d) ads_search: %s\n", user_rid, ads_errstr(rc)));
493 count = ads_count_replies(ads, msg);
495 DEBUG(1,("query_user(rid=%d): Not found\n", user_rid));
499 info->acct_name = ads_pull_string(ads, mem_ctx, msg, "sAMAccountName");
500 info->full_name = ads_pull_string(ads, mem_ctx, msg, "name");
501 if (!ads_pull_sid(ads, msg, "objectSid", &sid)) {
502 DEBUG(1,("No sid for %d !?\n", user_rid));
505 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &info->group_rid)) {
506 DEBUG(1,("No primary group for %d !?\n", user_rid));
510 if (!sid_peek_rid(&sid, &info->user_rid)) {
511 DEBUG(1,("No rid for %d !?\n", user_rid));
515 status = NT_STATUS_OK;
517 DEBUG(3,("ads query_user gave %s\n", info->acct_name));
519 if (msg) ads_msgfree(ads, msg);
525 /* Lookup groups a user is a member of. */
526 static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
529 uint32 *num_groups, uint32 **user_gids)
531 ADS_STRUCT *ads = NULL;
532 const char *attrs[] = {"distinguishedName", NULL};
533 const char *attrs2[] = {"tokenGroups", "primaryGroupID", NULL};
540 uint32 primary_group;
543 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
547 DEBUG(3,("ads: lookup_usergroups\n"));
551 sid_from_rid(domain, user_rid, &sid);
553 ads = ads_cached_connection(domain);
556 sidstr = sid_binstring(&sid);
557 asprintf(&exp, "(objectSid=%s)", sidstr);
558 rc = ads_search_retry(ads, &msg, exp, attrs);
562 DEBUG(1,("lookup_usergroups(rid=%d) ads_search: %s\n", user_rid, ads_errstr(rc)));
566 user_dn = ads_pull_string(ads, mem_ctx, msg, "distinguishedName");
568 if (msg) ads_msgfree(ads, msg);
570 rc = ads_search_retry_dn(ads, &msg, user_dn, attrs2);
572 DEBUG(1,("lookup_usergroups(rid=%d) ads_search tokenGroups: %s\n", user_rid, ads_errstr(rc)));
576 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &primary_group)) {
577 DEBUG(1,("%s: No primary group for rid=%d !?\n", domain->name, user_rid));
581 count = ads_pull_sids(ads, mem_ctx, msg, "tokenGroups", &sids) + 1;
582 (*user_gids) = (uint32 *)talloc(mem_ctx, sizeof(uint32) * count);
583 (*user_gids)[(*num_groups)++] = primary_group;
585 for (i=1;i<count;i++) {
587 if (!sid_peek_rid(&sids[i-1], &rid)) continue;
588 (*user_gids)[*num_groups] = rid;
592 status = NT_STATUS_OK;
593 DEBUG(3,("ads lookup_usergroups for rid=%d\n", user_rid));
595 if (msg) ads_msgfree(ads, msg);
601 static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
603 uint32 group_rid, uint32 *num_names,
604 uint32 **rid_mem, char ***names,
609 const char *attrs[] = {"sAMAccountName", "objectSid", "sAMAccountType", NULL};
611 void *res=NULL, *msg=NULL;
612 ADS_STRUCT *ads = NULL;
614 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
618 ads = ads_cached_connection(domain);
621 sid_from_rid(domain, group_rid, &group_sid);
622 sidstr = sid_binstring(&group_sid);
623 /* search for all users who have that group sid as primary group or as member */
624 asprintf(&exp, "(&(objectCategory=user)(|(primaryGroupID=%d)(memberOf=%s)))",
626 rc = ads_search_retry(ads, &res, exp, attrs);
630 DEBUG(1,("query_user_list ads_search: %s\n", ads_errstr(rc)));
634 count = ads_count_replies(ads, res);
636 status = NT_STATUS_OK;
640 (*rid_mem) = talloc(mem_ctx, sizeof(uint32) * count);
641 (*name_types) = talloc(mem_ctx, sizeof(uint32) * count);
642 (*names) = talloc(mem_ctx, sizeof(char *) * count);
644 for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
648 (*names)[*num_names] = ads_pull_string(ads, mem_ctx, msg, "sAMAccountName");
649 if (!ads_pull_uint32(ads, msg, "sAMAccountType", &atype)) {
652 (*name_types)[*num_names] = ads_atype_map(atype);
653 if (!ads_pull_sid(ads, msg, "objectSid", &sid)) {
654 DEBUG(1,("No sid for %s !?\n", (*names)[*num_names]));
657 if (!sid_peek_rid(&sid, &rid)) {
658 DEBUG(1,("No rid for %s !?\n", (*names)[*num_names]));
661 (*rid_mem)[*num_names] = rid;
665 status = NT_STATUS_OK;
666 DEBUG(3,("ads lookup_groupmem for rid=%d\n", group_rid));
668 if (res) ads_msgfree(ads, res);
673 /* find the sequence number for a domain */
674 static NTSTATUS sequence_number(struct winbindd_domain *domain, uint32 *seq)
676 ADS_STRUCT *ads = NULL;
678 *seq = DOM_SEQUENCE_NONE;
680 ads = ads_cached_connection(domain);
681 if (!ads) return NT_STATUS_UNSUCCESSFUL;
683 if (!ads_USN(ads, seq)) {
684 return NT_STATUS_UNSUCCESSFUL;
690 /* get a list of trusted domains */
691 static NTSTATUS trusted_domains(struct winbindd_domain *domain,
697 ADS_STRUCT *ads = NULL;
702 ads = ads_cached_connection(domain);
703 if (!ads) return NT_STATUS_UNSUCCESSFUL;
705 if (!ads_trusted_domains(ads, mem_ctx, num_domains, names, dom_sids)) {
706 return NT_STATUS_UNSUCCESSFUL;
712 /* find the domain sid for a domain */
713 static NTSTATUS domain_sid(struct winbindd_domain *domain, DOM_SID *sid)
715 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
716 const char *attrs[] = {"objectSid", NULL};
717 ADS_STRUCT *ads = NULL;
721 ads = ads_cached_connection(domain);
724 rc = ads_do_search(ads, ads->bind_path, LDAP_SCOPE_BASE, "(objectclass=*)",
727 if (ads_pull_sid(ads, res, "objectSid", sid)) {
728 status = NT_STATUS_OK;
730 ads_msgfree(ads, res);
736 /* the ADS backend methods are exposed via this structure */
737 struct winbindd_methods ads_methods = {