2 Unix SMB/Netbios implementation.
4 Winbind ADS backend functions
6 Copyright (C) Andrew Tridgell 2001
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program; if not, write to the Free Software
20 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
29 a wrapper around ldap_search_s that retries depending on the error code
30 this is supposed to catch dropped connections and auto-reconnect
32 int ads_do_search_retry(ADS_STRUCT *ads, const char *bind_path, int scope,
34 const char **attrs, void **res)
40 time(NULL) - ads->last_attempt < ADS_RECONNECT_TIME) {
41 return LDAP_SERVER_DOWN;
45 rc = ads_do_search(ads, bind_path, scope, exp, attrs, res);
47 DEBUG(5,("Search for %s gave %d replies\n",
48 exp, ads_count_replies(ads, *res)));
52 if (*res) ads_msgfree(ads, *res);
54 DEBUG(1,("Reopening ads connection after error %s\n", ads_errstr(rc)));
56 /* we should unbind here, but that seems to trigger openldap bugs :(
61 rc2 = ads_connect(ads);
63 DEBUG(1,("ads_search_retry: failed to reconnect (%s)\n", ads_errstr(rc)));
67 DEBUG(1,("ads reopen failed after error %s\n", ads_errstr(rc)));
72 int ads_search_retry(ADS_STRUCT *ads, void **res,
76 return ads_do_search_retry(ads, ads->bind_path, LDAP_SCOPE_SUBTREE,
80 int ads_search_retry_dn(ADS_STRUCT *ads, void **res,
84 return ads_do_search_retry(ads, dn, LDAP_SCOPE_BASE,
85 "(objectclass=*)", attrs, res);
89 return our ads connections structure for a domain. We keep the connection
90 open to make things faster
92 static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain)
98 if (domain->private) {
99 return (ADS_STRUCT *)domain->private;
102 /* we don't want this to affect the users ccache */
103 ccache = lock_path("winbindd_ccache");
104 setenv("KRB5CCNAME", ccache, 1);
107 ads = ads_init(NULL, NULL, NULL, NULL);
109 DEBUG(1,("ads_init for domain %s failed\n", domain->name));
113 /* the machine acct password might have change - fetch it every time */
114 SAFE_FREE(ads->password);
115 ads->password = secrets_fetch_machine_password();
117 rc = ads_connect(ads);
119 DEBUG(1,("ads_connect for domain %s failed: %s\n", domain->name, ads_errstr(rc)));
124 domain->private = (void *)ads;
129 static void sid_from_rid(struct winbindd_domain *domain, uint32 rid, DOM_SID *sid)
131 sid_copy(sid, &domain->sid);
132 sid_append_rid(sid, rid);
135 /* turn a sAMAccountType into a SID_NAME_USE */
136 static enum SID_NAME_USE ads_atype_map(uint32 atype)
138 switch (atype & 0xF0000000) {
140 return SID_NAME_DOM_GRP;
142 return SID_NAME_USER;
144 DEBUG(1,("hmm, need to map account type 0x%x\n", atype));
146 return SID_NAME_UNKNOWN;
149 /* Query display info for a realm. This is the basic user list fn */
150 static NTSTATUS query_user_list(struct winbindd_domain *domain,
153 WINBIND_USERINFO **info)
155 ADS_STRUCT *ads = NULL;
156 const char *attrs[] = {"sAMAccountName", "name", "objectSid", "primaryGroupID",
157 "sAMAccountType", NULL};
161 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
165 DEBUG(3,("ads: query_user_list\n"));
167 ads = ads_cached_connection(domain);
170 rc = ads_search_retry(ads, &res, "(objectCategory=user)", attrs);
172 DEBUG(1,("query_user_list ads_search: %s\n", ads_errstr(rc)));
176 count = ads_count_replies(ads, res);
178 DEBUG(1,("query_user_list: No users found\n"));
182 (*info) = talloc(mem_ctx, count * sizeof(**info));
184 status = NT_STATUS_NO_MEMORY;
190 for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
196 if (!ads_pull_uint32(ads, msg, "sAMAccountType", &atype) ||
197 ads_atype_map(atype) != SID_NAME_USER) {
198 DEBUG(1,("Not a user account? atype=0x%x\n", atype));
202 name = ads_pull_string(ads, mem_ctx, msg, "sAMAccountName");
203 gecos = ads_pull_string(ads, mem_ctx, msg, "name");
204 if (!ads_pull_sid(ads, msg, "objectSid", &sid)) {
205 DEBUG(1,("No sid for %s !?\n", name));
208 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &group)) {
209 DEBUG(1,("No primary group for %s !?\n", name));
213 if (!sid_peek_rid(&sid, &rid)) {
214 DEBUG(1,("No rid for %s !?\n", name));
218 (*info)[i].acct_name = name;
219 (*info)[i].full_name = gecos;
220 (*info)[i].user_rid = rid;
221 (*info)[i].group_rid = group;
226 status = NT_STATUS_OK;
228 DEBUG(3,("ads query_user_list gave %d entries\n", (*num_entries)));
231 if (res) ads_msgfree(ads, res);
236 /* list all domain groups */
237 static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
240 struct acct_info **info)
242 ADS_STRUCT *ads = NULL;
243 const char *attrs[] = {"sAMAccountName", "name", "objectSid",
244 "sAMAccountType", NULL};
248 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
252 DEBUG(3,("ads: enum_dom_groups\n"));
254 ads = ads_cached_connection(domain);
257 rc = ads_search_retry(ads, &res, "(objectCategory=group)", attrs);
259 DEBUG(1,("query_user_list ads_search: %s\n", ads_errstr(rc)));
263 count = ads_count_replies(ads, res);
265 DEBUG(1,("query_user_list: No users found\n"));
269 (*info) = talloc(mem_ctx, count * sizeof(**info));
271 status = NT_STATUS_NO_MEMORY;
277 for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
283 if (!ads_pull_uint32(ads, msg, "sAMAccountType",
285 !(account_type & ATYPE_GROUP)) continue;
287 name = ads_pull_string(ads, mem_ctx, msg, "sAMAccountName");
288 gecos = ads_pull_string(ads, mem_ctx, msg, "name");
289 if (!ads_pull_sid(ads, msg, "objectSid", &sid)) {
290 DEBUG(1,("No sid for %s !?\n", name));
294 if (!sid_peek_rid(&sid, &rid)) {
295 DEBUG(1,("No rid for %s !?\n", name));
299 fstrcpy((*info)[i].acct_name, name);
300 fstrcpy((*info)[i].acct_desc, gecos);
301 (*info)[i].rid = rid;
307 status = NT_STATUS_OK;
309 DEBUG(3,("ads enum_dom_groups gave %d entries\n", (*num_entries)));
312 if (res) ads_msgfree(ads, res);
318 /* convert a single name to a sid in a domain */
319 static NTSTATUS name_to_sid(struct winbindd_domain *domain,
322 enum SID_NAME_USE *type)
324 ADS_STRUCT *ads = NULL;
325 const char *attrs[] = {"objectSid", "sAMAccountType", NULL};
331 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
333 /* sigh. Need to fix interface to give us a raw name */
334 if (!parse_domain_user(name, dom2, name2)) {
338 DEBUG(3,("ads: name_to_sid\n"));
340 ads = ads_cached_connection(domain);
343 asprintf(&exp, "(sAMAccountName=%s)", name2);
344 rc = ads_search_retry(ads, &res, exp, attrs);
347 DEBUG(1,("name_to_sid ads_search: %s\n", ads_errstr(rc)));
351 count = ads_count_replies(ads, res);
353 DEBUG(1,("name_to_sid: %s not found\n", name));
357 if (!ads_pull_sid(ads, res, "objectSid", sid)) {
358 DEBUG(1,("No sid for %s !?\n", name));
362 if (!ads_pull_uint32(ads, res, "sAMAccountType", &t)) {
363 DEBUG(1,("No sAMAccountType for %s !?\n", name));
367 *type = ads_atype_map(t);
369 status = NT_STATUS_OK;
371 DEBUG(3,("ads name_to_sid mapped %s\n", name));
374 if (res) ads_msgfree(ads, res);
379 /* convert a sid to a user or group name */
380 static NTSTATUS sid_to_name(struct winbindd_domain *domain,
384 enum SID_NAME_USE *type)
386 ADS_STRUCT *ads = NULL;
387 const char *attrs[] = {"sAMAccountName", "sAMAccountType", NULL};
394 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
396 DEBUG(3,("ads: sid_to_name\n"));
398 ads = ads_cached_connection(domain);
401 sidstr = sid_binstring(sid);
402 asprintf(&exp, "(objectSid=%s)", sidstr);
403 rc = ads_search_retry(ads, &msg, exp, attrs);
407 DEBUG(1,("sid_to_name ads_search: %s\n", ads_errstr(rc)));
411 if (!ads_pull_uint32(ads, msg, "sAMAccountType", &atype)) {
415 s = ads_pull_string(ads, mem_ctx, msg, "sAMAccountName");
416 *name = talloc_asprintf(mem_ctx, "%s%s%s", domain->name, lp_winbind_separator(), s);
417 *type = ads_atype_map(atype);
419 status = NT_STATUS_OK;
421 DEBUG(3,("ads sid_to_name mapped %s\n", *name));
424 if (msg) ads_msgfree(ads, msg);
430 /* Lookup user information from a rid */
431 static NTSTATUS query_user(struct winbindd_domain *domain,
434 WINBIND_USERINFO *info)
436 ADS_STRUCT *ads = NULL;
437 const char *attrs[] = {"sAMAccountName", "name", "objectSid",
438 "primaryGroupID", NULL};
444 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
446 DEBUG(3,("ads: query_user\n"));
448 sid_from_rid(domain, user_rid, &sid);
450 ads = ads_cached_connection(domain);
453 sidstr = sid_binstring(&sid);
454 asprintf(&exp, "(objectSid=%s)", sidstr);
455 rc = ads_search_retry(ads, &msg, exp, attrs);
459 DEBUG(1,("query_user(rid=%d) ads_search: %s\n", user_rid, ads_errstr(rc)));
463 count = ads_count_replies(ads, msg);
465 DEBUG(1,("query_user(rid=%d): Not found\n", user_rid));
469 info->acct_name = ads_pull_string(ads, mem_ctx, msg, "sAMAccountName");
470 info->full_name = ads_pull_string(ads, mem_ctx, msg, "name");
471 if (!ads_pull_sid(ads, msg, "objectSid", &sid)) {
472 DEBUG(1,("No sid for %d !?\n", user_rid));
475 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &info->group_rid)) {
476 DEBUG(1,("No primary group for %d !?\n", user_rid));
480 if (!sid_peek_rid(&sid, &info->user_rid)) {
481 DEBUG(1,("No rid for %d !?\n", user_rid));
485 status = NT_STATUS_OK;
487 DEBUG(3,("ads query_user gave %s\n", info->acct_name));
489 if (msg) ads_msgfree(ads, msg);
495 /* Lookup groups a user is a member of. */
496 static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
499 uint32 *num_groups, uint32 **user_gids)
501 ADS_STRUCT *ads = NULL;
502 const char *attrs[] = {"distinguishedName", NULL};
503 const char *attrs2[] = {"tokenGroups", "primaryGroupID", NULL};
510 uint32 primary_group;
513 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
517 DEBUG(3,("ads: lookup_usergroups\n"));
521 sid_from_rid(domain, user_rid, &sid);
523 ads = ads_cached_connection(domain);
526 sidstr = sid_binstring(&sid);
527 asprintf(&exp, "(objectSid=%s)", sidstr);
528 rc = ads_search_retry(ads, &msg, exp, attrs);
532 DEBUG(1,("lookup_usergroups(rid=%d) ads_search: %s\n", user_rid, ads_errstr(rc)));
536 user_dn = ads_pull_string(ads, mem_ctx, msg, "distinguishedName");
538 if (msg) ads_msgfree(ads, msg);
540 rc = ads_search_retry_dn(ads, &msg, user_dn, attrs2);
542 DEBUG(1,("lookup_usergroups(rid=%d) ads_search tokenGroups: %s\n", user_rid, ads_errstr(rc)));
546 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &primary_group)) {
547 DEBUG(1,("No primary group for rid=%d !?\n", user_rid));
551 count = ads_pull_sids(ads, mem_ctx, msg, "tokenGroups", &sids) + 1;
552 (*user_gids) = (uint32 *)talloc(mem_ctx, sizeof(uint32) * count);
553 (*user_gids)[(*num_groups)++] = primary_group;
555 for (i=1;i<count;i++) {
557 if (!sid_peek_rid(&sids[i-1], &rid)) continue;
558 (*user_gids)[*num_groups] = rid;
562 status = NT_STATUS_OK;
563 DEBUG(3,("ads lookup_usergroups for rid=%d\n", user_rid));
565 if (msg) ads_msgfree(ads, msg);
571 static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
573 uint32 group_rid, uint32 *num_names,
574 uint32 **rid_mem, char ***names,
579 const char *attrs[] = {"sAMAccountName", "objectSid", "sAMAccountType", NULL};
581 void *res=NULL, *msg=NULL;
582 ADS_STRUCT *ads = NULL;
584 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
588 ads = ads_cached_connection(domain);
591 sid_from_rid(domain, group_rid, &group_sid);
592 sidstr = sid_binstring(&group_sid);
593 /* search for all users who have that group sid as primary group or as member */
594 asprintf(&exp, "(&(objectCategory=user)(|(primaryGroupID=%d)(memberOf=%s)))",
596 rc = ads_search_retry(ads, &res, exp, attrs);
600 DEBUG(1,("query_user_list ads_search: %s\n", ads_errstr(rc)));
604 count = ads_count_replies(ads, res);
606 status = NT_STATUS_OK;
610 (*rid_mem) = talloc(mem_ctx, sizeof(uint32) * count);
611 (*name_types) = talloc(mem_ctx, sizeof(uint32) * count);
612 (*names) = talloc(mem_ctx, sizeof(char *) * count);
614 for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
618 (*names)[*num_names] = ads_pull_string(ads, mem_ctx, msg, "sAMAccountName");
619 if (!ads_pull_uint32(ads, msg, "sAMAccountType", &atype)) {
622 (*name_types)[*num_names] = ads_atype_map(atype);
623 if (!ads_pull_sid(ads, msg, "objectSid", &sid)) {
624 DEBUG(1,("No sid for %s !?\n", (*names)[*num_names]));
627 if (!sid_peek_rid(&sid, &rid)) {
628 DEBUG(1,("No rid for %s !?\n", (*names)[*num_names]));
631 (*rid_mem)[*num_names] = rid;
635 status = NT_STATUS_OK;
636 DEBUG(3,("ads lookup_groupmem for rid=%d\n", group_rid));
638 if (res) ads_msgfree(ads, res);
643 /* find the sequence number for a domain */
644 static NTSTATUS sequence_number(struct winbindd_domain *domain, uint32 *seq)
646 ADS_STRUCT *ads = NULL;
648 *seq = DOM_SEQUENCE_NONE;
650 ads = ads_cached_connection(domain);
651 if (!ads) return NT_STATUS_UNSUCCESSFUL;
653 if (!ads_USN(ads, seq)) {
654 return NT_STATUS_UNSUCCESSFUL;
660 /* get a list of trusted domains */
661 static NTSTATUS trusted_domains(struct winbindd_domain *domain,
668 return NT_STATUS_NOT_IMPLEMENTED;
671 /* find the domain sid for a domain */
672 static NTSTATUS domain_sid(struct winbindd_domain *domain, DOM_SID *sid)
674 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
675 const char *attrs[] = {"objectSid", NULL};
676 ADS_STRUCT *ads = NULL;
680 ads = ads_cached_connection(domain);
683 rc = ads_do_search(ads, ads->bind_path, LDAP_SCOPE_BASE, "(objectclass=*)",
686 if (ads_pull_sid(ads, res, "objectSid", sid)) {
687 status = NT_STATUS_OK;
689 ads_msgfree(ads, res);
695 /* the ADS backend methods are exposed via this structure */
696 struct winbindd_methods ads_methods = {