2 Unix SMB/CIFS implementation.
4 Winbind ADS backend functions
6 Copyright (C) Andrew Tridgell 2001
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003
8 Copyright (C) Gerald (Jerry) Carter 2004
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
26 #include "../librpc/gen_ndr/cli_netlogon.h"
31 #define DBGC_CLASS DBGC_WINBIND
33 extern struct winbindd_methods reconnect_methods;
36 return our ads connections structure for a domain. We keep the connection
37 open to make things faster
39 static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain)
44 struct sockaddr_storage dc_ss;
46 DEBUG(10,("ads_cached_connection\n"));
48 if (domain->private_data) {
51 time_t now = time(NULL);
53 /* check for a valid structure */
54 ads = (ADS_STRUCT *)domain->private_data;
56 expire = MIN(ads->auth.tgt_expire, ads->auth.tgs_expire);
58 DEBUG(7, ("Current tickets expire in %d seconds (at %d, time is now %d)\n",
59 (uint32)expire-(uint32)now, (uint32) expire, (uint32) now));
61 if ( ads->config.realm && (expire > now)) {
64 /* we own this ADS_STRUCT so make sure it goes away */
65 DEBUG(7,("Deleting expired krb5 credential cache\n"));
68 ads_kdestroy("MEMORY:winbind_ccache");
69 domain->private_data = NULL;
73 /* we don't want this to affect the users ccache */
74 setenv("KRB5CCNAME", "MEMORY:winbind_ccache", 1);
76 ads = ads_init(domain->alt_name, domain->name, NULL);
78 DEBUG(1,("ads_init for domain %s failed\n", domain->name));
82 /* the machine acct password might have change - fetch it every time */
84 SAFE_FREE(ads->auth.password);
85 SAFE_FREE(ads->auth.realm);
89 if ( !pdb_get_trusteddom_pw( domain->name, &ads->auth.password, NULL, NULL ) ) {
93 ads->auth.realm = SMB_STRDUP( ads->server.realm );
94 strupper_m( ads->auth.realm );
97 struct winbindd_domain *our_domain = domain;
99 ads->auth.password = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
101 /* always give preference to the alt_name in our
102 primary domain if possible */
104 if ( !domain->primary )
105 our_domain = find_our_domain();
107 if ( our_domain->alt_name[0] != '\0' ) {
108 ads->auth.realm = SMB_STRDUP( our_domain->alt_name );
109 strupper_m( ads->auth.realm );
112 ads->auth.realm = SMB_STRDUP( lp_realm() );
115 ads->auth.renewable = WINBINDD_PAM_AUTH_KRB5_RENEW_TIME;
117 /* Setup the server affinity cache. We don't reaally care
118 about the name. Just setup affinity and the KRB5_CONFIG
121 get_dc_name( ads->server.workgroup, ads->server.realm, dc_name, &dc_ss );
123 status = ads_connect(ads);
124 if (!ADS_ERR_OK(status) || !ads->config.realm) {
125 DEBUG(1,("ads_connect for domain %s failed: %s\n",
126 domain->name, ads_errstr(status)));
129 /* if we get ECONNREFUSED then it might be a NT4
130 server, fall back to MSRPC */
131 if (status.error_type == ENUM_ADS_ERROR_SYSTEM &&
132 status.err.rc == ECONNREFUSED) {
133 /* 'reconnect_methods' is the MS-RPC backend. */
134 DEBUG(1,("Trying MSRPC methods\n"));
135 domain->backend = &reconnect_methods;
140 /* set the flag that says we don't own the memory even
141 though we do so that ads_destroy() won't destroy the
142 structure we pass back by reference */
144 ads->is_mine = False;
146 domain->private_data = (void *)ads;
151 /* Query display info for a realm. This is the basic user list fn */
152 static NTSTATUS query_user_list(struct winbindd_domain *domain,
155 struct wbint_userinfo **info)
157 ADS_STRUCT *ads = NULL;
158 const char *attrs[] = { "*", NULL };
161 LDAPMessage *res = NULL;
162 LDAPMessage *msg = NULL;
163 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
167 DEBUG(3,("ads: query_user_list\n"));
169 if ( !winbindd_can_contact_domain( domain ) ) {
170 DEBUG(10,("query_user_list: No incoming trust for domain %s\n",
175 ads = ads_cached_connection(domain);
178 domain->last_status = NT_STATUS_SERVER_DISABLED;
182 rc = ads_search_retry(ads, &res, "(objectCategory=user)", attrs);
183 if (!ADS_ERR_OK(rc) || !res) {
184 DEBUG(1,("query_user_list ads_search: %s\n", ads_errstr(rc)));
188 count = ads_count_replies(ads, res);
190 DEBUG(1,("query_user_list: No users found\n"));
194 (*info) = TALLOC_ZERO_ARRAY(mem_ctx, struct wbint_userinfo, count);
196 status = NT_STATUS_NO_MEMORY;
202 for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
204 const char *gecos = NULL;
205 const char *homedir = NULL;
206 const char *shell = NULL;
209 struct dom_sid user_sid;
210 gid_t primary_gid = (gid_t)-1;
212 if (!ads_pull_uint32(ads, msg, "sAMAccountType", &atype) ||
213 ds_atype_map(atype) != SID_NAME_USER) {
214 DEBUG(1,("Not a user account? atype=0x%x\n", atype));
218 name = ads_pull_username(ads, mem_ctx, msg);
220 if ( ads_pull_sid( ads, msg, "objectSid", &user_sid ) ) {
221 status = nss_get_info_cached( domain, &user_sid, mem_ctx,
222 ads, msg, &homedir, &shell, &gecos,
227 gecos = ads_pull_string(ads, mem_ctx, msg, "name");
230 if (!ads_pull_sid(ads, msg, "objectSid",
231 &(*info)[i].user_sid)) {
232 DEBUG(1,("No sid for %s !?\n", name));
235 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &group)) {
236 DEBUG(1,("No primary group for %s !?\n", name));
240 (*info)[i].acct_name = name;
241 (*info)[i].full_name = gecos;
242 (*info)[i].homedir = homedir;
243 (*info)[i].shell = shell;
244 (*info)[i].primary_gid = primary_gid;
245 sid_compose(&(*info)[i].group_sid, &domain->sid, group);
250 status = NT_STATUS_OK;
252 DEBUG(3,("ads query_user_list gave %d entries\n", (*num_entries)));
256 ads_msgfree(ads, res);
261 /* list all domain groups */
262 static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
265 struct acct_info **info)
267 ADS_STRUCT *ads = NULL;
268 const char *attrs[] = {"userPrincipalName", "sAMAccountName",
269 "name", "objectSid", NULL};
272 LDAPMessage *res = NULL;
273 LDAPMessage *msg = NULL;
274 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
276 bool enum_dom_local_groups = False;
280 DEBUG(3,("ads: enum_dom_groups\n"));
282 if ( !winbindd_can_contact_domain( domain ) ) {
283 DEBUG(10,("enum_dom_groups: No incoming trust for domain %s\n",
288 /* only grab domain local groups for our domain */
289 if ( domain->active_directory && strequal(lp_realm(), domain->alt_name) ) {
290 enum_dom_local_groups = True;
293 /* Workaround ADS LDAP bug present in MS W2K3 SP0 and W2K SP4 w/o
296 * According to Section 5.1(4) of RFC 2251 if a value of a type is it's
297 * default value, it MUST be absent. In case of extensible matching the
298 * "dnattr" boolean defaults to FALSE and so it must be only be present
301 * When it is set to FALSE and the OpenLDAP lib (correctly) encodes a
302 * filter using bitwise matching rule then the buggy AD fails to decode
303 * the extensible match. As a workaround set it to TRUE and thereby add
304 * the dnAttributes "dn" field to cope with those older AD versions.
305 * It should not harm and won't put any additional load on the AD since
306 * none of the dn components have a bitmask-attribute.
308 * Thanks to Ralf Haferkamp for input and testing - Guenther */
310 filter = talloc_asprintf(mem_ctx, "(&(objectCategory=group)(&(groupType:dn:%s:=%d)(!(groupType:dn:%s:=%d))))",
311 ADS_LDAP_MATCHING_RULE_BIT_AND, GROUP_TYPE_SECURITY_ENABLED,
312 ADS_LDAP_MATCHING_RULE_BIT_AND,
313 enum_dom_local_groups ? GROUP_TYPE_BUILTIN_LOCAL_GROUP : GROUP_TYPE_RESOURCE_GROUP);
315 if (filter == NULL) {
316 status = NT_STATUS_NO_MEMORY;
320 ads = ads_cached_connection(domain);
323 domain->last_status = NT_STATUS_SERVER_DISABLED;
327 rc = ads_search_retry(ads, &res, filter, attrs);
328 if (!ADS_ERR_OK(rc) || !res) {
329 DEBUG(1,("enum_dom_groups ads_search: %s\n", ads_errstr(rc)));
333 count = ads_count_replies(ads, res);
335 DEBUG(1,("enum_dom_groups: No groups found\n"));
339 (*info) = TALLOC_ZERO_ARRAY(mem_ctx, struct acct_info, count);
341 status = NT_STATUS_NO_MEMORY;
347 for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
352 name = ads_pull_username(ads, mem_ctx, msg);
353 gecos = ads_pull_string(ads, mem_ctx, msg, "name");
354 if (!ads_pull_sid(ads, msg, "objectSid", &sid)) {
355 DEBUG(1,("No sid for %s !?\n", name));
359 if (!sid_peek_check_rid(&domain->sid, &sid, &rid)) {
360 DEBUG(1,("No rid for %s !?\n", name));
364 fstrcpy((*info)[i].acct_name, name);
365 fstrcpy((*info)[i].acct_desc, gecos);
366 (*info)[i].rid = rid;
372 status = NT_STATUS_OK;
374 DEBUG(3,("ads enum_dom_groups gave %d entries\n", (*num_entries)));
378 ads_msgfree(ads, res);
383 /* list all domain local groups */
384 static NTSTATUS enum_local_groups(struct winbindd_domain *domain,
387 struct acct_info **info)
390 * This is a stub function only as we returned the domain
391 * local groups in enum_dom_groups() if the domain->native field
392 * was true. This is a simple performance optimization when
395 * if we ever need to enumerate domain local groups separately,
396 * then this optimization in enum_dom_groups() will need
404 /* convert a single name to a sid in a domain - use rpc methods */
405 static NTSTATUS name_to_sid(struct winbindd_domain *domain,
407 const char *domain_name,
411 enum lsa_SidType *type)
413 return reconnect_methods.name_to_sid(domain, mem_ctx,
414 domain_name, name, flags,
418 /* convert a domain SID to a user or group name - use rpc methods */
419 static NTSTATUS sid_to_name(struct winbindd_domain *domain,
421 const struct dom_sid *sid,
424 enum lsa_SidType *type)
426 return reconnect_methods.sid_to_name(domain, mem_ctx, sid,
427 domain_name, name, type);
430 /* convert a list of rids to names - use rpc methods */
431 static NTSTATUS rids_to_names(struct winbindd_domain *domain,
433 const struct dom_sid *sid,
438 enum lsa_SidType **types)
440 return reconnect_methods.rids_to_names(domain, mem_ctx, sid,
442 domain_name, names, types);
445 /* If you are looking for "dn_lookup": Yes, it used to be here!
446 * It has gone now since it was a major speed bottleneck in
447 * lookup_groupmem (its only use). It has been replaced by
448 * an rpc lookup sids call... R.I.P. */
450 /* Lookup user information from a rid */
451 static NTSTATUS query_user(struct winbindd_domain *domain,
453 const struct dom_sid *sid,
454 struct wbint_userinfo *info)
456 ADS_STRUCT *ads = NULL;
457 const char *attrs[] = { "*", NULL };
460 LDAPMessage *msg = NULL;
464 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
465 struct netr_SamInfo3 *user = NULL;
468 DEBUG(3,("ads: query_user\n"));
470 info->homedir = NULL;
472 info->primary_gid = (gid_t)-1;
474 /* try netsamlogon cache first */
476 if ( (user = netsamlogon_cache_get( mem_ctx, sid )) != NULL )
478 DEBUG(5,("query_user: Cache lookup succeeded for %s\n",
479 sid_string_dbg(sid)));
481 sid_compose(&info->user_sid, &domain->sid, user->base.rid);
482 sid_compose(&info->group_sid, &domain->sid, user->base.primary_gid);
484 info->acct_name = talloc_strdup(mem_ctx, user->base.account_name.string);
485 info->full_name = talloc_strdup(mem_ctx, user->base.full_name.string);
487 nss_get_info_cached( domain, sid, mem_ctx, NULL, NULL,
488 &info->homedir, &info->shell, &info->full_name,
490 info->primary_gid = gid;
497 if ( !winbindd_can_contact_domain(domain)) {
498 DEBUG(8,("query_user: No incoming trust from domain %s\n",
501 /* We still need to generate some basic information
502 about the user even if we cannot contact the
503 domain. Most of this stuff we can deduce. */
505 sid_copy( &info->user_sid, sid );
507 /* Assume "Domain Users" for the primary group */
509 sid_compose(&info->group_sid, &domain->sid, DOMAIN_RID_USERS );
511 /* Try to fill in what the nss_info backend can do */
513 nss_get_info_cached( domain, sid, mem_ctx, NULL, NULL,
514 &info->homedir, &info->shell, &info->full_name,
516 info->primary_gid = gid;
518 status = NT_STATUS_OK;
522 /* no cache...do the query */
524 if ( (ads = ads_cached_connection(domain)) == NULL ) {
525 domain->last_status = NT_STATUS_SERVER_DISABLED;
529 sidstr = sid_binstring(talloc_tos(), sid);
530 if (asprintf(&ldap_exp, "(objectSid=%s)", sidstr) == -1) {
531 status = NT_STATUS_NO_MEMORY;
534 rc = ads_search_retry(ads, &msg, ldap_exp, attrs);
537 if (!ADS_ERR_OK(rc) || !msg) {
538 DEBUG(1,("query_user(sid=%s) ads_search: %s\n",
539 sid_string_dbg(sid), ads_errstr(rc)));
543 count = ads_count_replies(ads, msg);
545 DEBUG(1,("query_user(sid=%s): Not found\n",
546 sid_string_dbg(sid)));
550 info->acct_name = ads_pull_username(ads, mem_ctx, msg);
552 status = nss_get_info_cached( domain, sid, mem_ctx, ads, msg,
553 &info->homedir, &info->shell, &info->full_name,
555 info->primary_gid = gid;
556 if (!NT_STATUS_IS_OK(status)) {
557 DEBUG(1, ("nss_get_info_cached failed: %s\n",
562 if (info->full_name == NULL) {
563 info->full_name = ads_pull_string(ads, mem_ctx, msg, "name");
566 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &group_rid)) {
567 DEBUG(1,("No primary group for %s !?\n",
568 sid_string_dbg(sid)));
572 sid_copy(&info->user_sid, sid);
573 sid_compose(&info->group_sid, &domain->sid, group_rid);
575 status = NT_STATUS_OK;
577 DEBUG(3,("ads query_user gave %s\n", info->acct_name));
580 ads_msgfree(ads, msg);
585 /* Lookup groups a user is a member of - alternate method, for when
586 tokenGroups are not available. */
587 static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain,
590 struct dom_sid *primary_group,
591 size_t *p_num_groups, struct dom_sid **user_sids)
594 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
596 LDAPMessage *res = NULL;
597 LDAPMessage *msg = NULL;
600 const char *group_attrs[] = {"objectSid", NULL};
602 size_t num_groups = 0;
604 DEBUG(3,("ads: lookup_usergroups_member\n"));
606 if ( !winbindd_can_contact_domain( domain ) ) {
607 DEBUG(10,("lookup_usergroups_members: No incoming trust for domain %s\n",
612 ads = ads_cached_connection(domain);
615 domain->last_status = NT_STATUS_SERVER_DISABLED;
619 if (!(escaped_dn = escape_ldap_string(talloc_tos(), user_dn))) {
620 status = NT_STATUS_NO_MEMORY;
624 ldap_exp = talloc_asprintf(mem_ctx,
625 "(&(member=%s)(objectCategory=group)(groupType:dn:%s:=%d))",
627 ADS_LDAP_MATCHING_RULE_BIT_AND,
628 GROUP_TYPE_SECURITY_ENABLED);
630 DEBUG(1,("lookup_usergroups(dn=%s) asprintf failed!\n", user_dn));
631 TALLOC_FREE(escaped_dn);
632 status = NT_STATUS_NO_MEMORY;
636 TALLOC_FREE(escaped_dn);
638 rc = ads_search_retry(ads, &res, ldap_exp, group_attrs);
640 if (!ADS_ERR_OK(rc) || !res) {
641 DEBUG(1,("lookup_usergroups ads_search member=%s: %s\n", user_dn, ads_errstr(rc)));
642 return ads_ntstatus(rc);
645 count = ads_count_replies(ads, res);
650 /* always add the primary group to the sid array */
651 status = add_sid_to_array(mem_ctx, primary_group, user_sids,
653 if (!NT_STATUS_IS_OK(status)) {
658 for (msg = ads_first_entry(ads, res); msg;
659 msg = ads_next_entry(ads, msg)) {
660 struct dom_sid group_sid;
662 if (!ads_pull_sid(ads, msg, "objectSid", &group_sid)) {
663 DEBUG(1,("No sid for this group ?!?\n"));
667 /* ignore Builtin groups from ADS - Guenther */
668 if (sid_check_is_in_builtin(&group_sid)) {
672 status = add_sid_to_array(mem_ctx, &group_sid,
673 user_sids, &num_groups);
674 if (!NT_STATUS_IS_OK(status)) {
681 *p_num_groups = num_groups;
682 status = (user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
684 DEBUG(3,("ads lookup_usergroups (member) succeeded for dn=%s\n", user_dn));
687 ads_msgfree(ads, res);
692 /* Lookup groups a user is a member of - alternate method, for when
693 tokenGroups are not available. */
694 static NTSTATUS lookup_usergroups_memberof(struct winbindd_domain *domain,
697 struct dom_sid *primary_group,
698 size_t *p_num_groups,
699 struct dom_sid **user_sids)
702 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
704 const char *attrs[] = {"memberOf", NULL};
705 size_t num_groups = 0;
706 struct dom_sid *group_sids = NULL;
708 char **strings = NULL;
709 size_t num_strings = 0, num_sids = 0;
712 DEBUG(3,("ads: lookup_usergroups_memberof\n"));
714 if ( !winbindd_can_contact_domain( domain ) ) {
715 DEBUG(10,("lookup_usergroups_memberof: No incoming trust for "
716 "domain %s\n", domain->name));
720 ads = ads_cached_connection(domain);
723 domain->last_status = NT_STATUS_SERVER_DISABLED;
724 return NT_STATUS_UNSUCCESSFUL;
727 rc = ads_search_retry_extended_dn_ranged(ads, mem_ctx, user_dn, attrs,
728 ADS_EXTENDED_DN_HEX_STRING,
729 &strings, &num_strings);
731 if (!ADS_ERR_OK(rc)) {
732 DEBUG(1,("lookup_usergroups_memberof ads_search "
733 "member=%s: %s\n", user_dn, ads_errstr(rc)));
734 return ads_ntstatus(rc);
740 /* always add the primary group to the sid array */
741 status = add_sid_to_array(mem_ctx, primary_group, user_sids,
743 if (!NT_STATUS_IS_OK(status)) {
747 group_sids = TALLOC_ZERO_ARRAY(mem_ctx, struct dom_sid, num_strings + 1);
749 status = NT_STATUS_NO_MEMORY;
753 for (i=0; i<num_strings; i++) {
754 rc = ads_get_sid_from_extended_dn(mem_ctx, strings[i],
755 ADS_EXTENDED_DN_HEX_STRING,
757 if (!ADS_ERR_OK(rc)) {
758 /* ignore members without SIDs */
759 if (NT_STATUS_EQUAL(ads_ntstatus(rc),
760 NT_STATUS_NOT_FOUND)) {
764 status = ads_ntstatus(rc);
772 DEBUG(1,("No memberOf for this user?!?\n"));
773 status = NT_STATUS_NO_MEMORY;
777 for (i=0; i<num_sids; i++) {
779 /* ignore Builtin groups from ADS - Guenther */
780 if (sid_check_is_in_builtin(&group_sids[i])) {
784 status = add_sid_to_array(mem_ctx, &group_sids[i], user_sids,
786 if (!NT_STATUS_IS_OK(status)) {
792 *p_num_groups = num_groups;
793 status = (*user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
795 DEBUG(3,("ads lookup_usergroups (memberof) succeeded for dn=%s\n",
799 TALLOC_FREE(strings);
800 TALLOC_FREE(group_sids);
806 /* Lookup groups a user is a member of. */
807 static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
809 const struct dom_sid *sid,
810 uint32 *p_num_groups, struct dom_sid **user_sids)
812 ADS_STRUCT *ads = NULL;
813 const char *attrs[] = {"tokenGroups", "primaryGroupID", NULL};
816 LDAPMessage *msg = NULL;
817 char *user_dn = NULL;
818 struct dom_sid *sids;
820 struct dom_sid primary_group;
821 uint32 primary_group_rid;
822 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
823 size_t num_groups = 0;
825 DEBUG(3,("ads: lookup_usergroups\n"));
828 status = lookup_usergroups_cached(domain, mem_ctx, sid,
829 p_num_groups, user_sids);
830 if (NT_STATUS_IS_OK(status)) {
834 if ( !winbindd_can_contact_domain( domain ) ) {
835 DEBUG(10,("lookup_usergroups: No incoming trust for domain %s\n",
838 /* Tell the cache manager not to remember this one */
840 return NT_STATUS_SYNCHRONIZATION_REQUIRED;
843 ads = ads_cached_connection(domain);
846 domain->last_status = NT_STATUS_SERVER_DISABLED;
847 status = NT_STATUS_SERVER_DISABLED;
851 rc = ads_search_retry_sid(ads, &msg, sid, attrs);
853 if (!ADS_ERR_OK(rc)) {
854 status = ads_ntstatus(rc);
855 DEBUG(1, ("lookup_usergroups(sid=%s) ads_search tokenGroups: "
856 "%s\n", sid_string_dbg(sid), ads_errstr(rc)));
860 count = ads_count_replies(ads, msg);
862 status = NT_STATUS_UNSUCCESSFUL;
863 DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: "
864 "invalid number of results (count=%d)\n",
865 sid_string_dbg(sid), count));
870 DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: NULL msg\n",
871 sid_string_dbg(sid)));
872 status = NT_STATUS_UNSUCCESSFUL;
876 user_dn = ads_get_dn(ads, mem_ctx, msg);
877 if (user_dn == NULL) {
878 status = NT_STATUS_NO_MEMORY;
882 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &primary_group_rid)) {
883 DEBUG(1,("%s: No primary group for sid=%s !?\n",
884 domain->name, sid_string_dbg(sid)));
888 sid_compose(&primary_group, &domain->sid, primary_group_rid);
890 count = ads_pull_sids(ads, mem_ctx, msg, "tokenGroups", &sids);
892 /* there must always be at least one group in the token,
893 unless we are talking to a buggy Win2k server */
895 /* actually this only happens when the machine account has no read
896 * permissions on the tokenGroup attribute - gd */
902 /* lookup what groups this user is a member of by DN search on
905 status = lookup_usergroups_memberof(domain, mem_ctx, user_dn,
907 &num_groups, user_sids);
908 *p_num_groups = (uint32)num_groups;
909 if (NT_STATUS_IS_OK(status)) {
913 /* lookup what groups this user is a member of by DN search on
916 status = lookup_usergroups_member(domain, mem_ctx, user_dn,
918 &num_groups, user_sids);
919 *p_num_groups = (uint32)num_groups;
926 status = add_sid_to_array(mem_ctx, &primary_group, user_sids,
928 if (!NT_STATUS_IS_OK(status)) {
932 for (i=0;i<count;i++) {
934 /* ignore Builtin groups from ADS - Guenther */
935 if (sid_check_is_in_builtin(&sids[i])) {
939 status = add_sid_to_array_unique(mem_ctx, &sids[i],
940 user_sids, &num_groups);
941 if (!NT_STATUS_IS_OK(status)) {
946 *p_num_groups = (uint32)num_groups;
947 status = (*user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
949 DEBUG(3,("ads lookup_usergroups (tokenGroups) succeeded for sid=%s\n",
950 sid_string_dbg(sid)));
952 TALLOC_FREE(user_dn);
953 ads_msgfree(ads, msg);
957 /* Lookup aliases a user is member of - use rpc methods */
958 static NTSTATUS lookup_useraliases(struct winbindd_domain *domain,
960 uint32 num_sids, const struct dom_sid *sids,
961 uint32 *num_aliases, uint32 **alias_rids)
963 return reconnect_methods.lookup_useraliases(domain, mem_ctx,
970 find the members of a group, given a group rid and domain
972 static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
974 const struct dom_sid *group_sid,
975 enum lsa_SidType type,
977 struct dom_sid **sid_mem, char ***names,
981 ADS_STRUCT *ads = NULL;
983 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
985 char **members = NULL;
987 size_t num_members = 0;
989 struct dom_sid *sid_mem_nocache = NULL;
990 char **names_nocache = NULL;
991 enum lsa_SidType *name_types_nocache = NULL;
992 char **domains_nocache = NULL; /* only needed for rpccli_lsa_lookup_sids */
993 uint32 num_nocache = 0;
994 TALLOC_CTX *tmp_ctx = NULL;
996 DEBUG(10,("ads: lookup_groupmem %s sid=%s\n", domain->name,
997 sid_string_dbg(group_sid)));
1001 tmp_ctx = talloc_new(mem_ctx);
1003 DEBUG(1, ("ads: lookup_groupmem: talloc failed\n"));
1004 status = NT_STATUS_NO_MEMORY;
1008 if ( !winbindd_can_contact_domain( domain ) ) {
1009 DEBUG(10,("lookup_groupmem: No incoming trust for domain %s\n",
1011 return NT_STATUS_OK;
1014 ads = ads_cached_connection(domain);
1017 domain->last_status = NT_STATUS_SERVER_DISABLED;
1021 if ((sidbinstr = sid_binstring(talloc_tos(), group_sid)) == NULL) {
1022 status = NT_STATUS_NO_MEMORY;
1026 /* search for all members of the group */
1027 ldap_exp = talloc_asprintf(tmp_ctx, "(objectSid=%s)", sidbinstr);
1028 TALLOC_FREE(sidbinstr);
1029 if (ldap_exp == NULL) {
1030 DEBUG(1, ("ads: lookup_groupmem: talloc_asprintf for ldap_exp failed!\n"));
1031 status = NT_STATUS_NO_MEMORY;
1035 args.control = ADS_EXTENDED_DN_OID;
1036 args.val = ADS_EXTENDED_DN_HEX_STRING;
1037 args.critical = True;
1039 rc = ads_ranged_search(ads, tmp_ctx, LDAP_SCOPE_SUBTREE, ads->config.bind_path,
1040 ldap_exp, &args, "member", &members, &num_members);
1042 if (!ADS_ERR_OK(rc)) {
1043 DEBUG(0,("ads_ranged_search failed with: %s\n", ads_errstr(rc)));
1044 status = NT_STATUS_UNSUCCESSFUL;
1048 DEBUG(10, ("ads lookup_groupmem: got %d sids via extended dn call\n", (int)num_members));
1050 /* Now that we have a list of sids, we need to get the
1051 * lists of names and name_types belonging to these sids.
1052 * even though conceptually not quite clean, we use the
1053 * RPC call lsa_lookup_sids for this since it can handle a
1054 * list of sids. ldap calls can just resolve one sid at a time.
1056 * At this stage, the sids are still hidden in the exetended dn
1057 * member output format. We actually do a little better than
1058 * stated above: In extracting the sids from the member strings,
1059 * we try to resolve as many sids as possible from the
1060 * cache. Only the rest is passed to the lsa_lookup_sids call. */
1063 (*sid_mem) = TALLOC_ZERO_ARRAY(mem_ctx, struct dom_sid, num_members);
1064 (*names) = TALLOC_ZERO_ARRAY(mem_ctx, char *, num_members);
1065 (*name_types) = TALLOC_ZERO_ARRAY(mem_ctx, uint32, num_members);
1066 (sid_mem_nocache) = TALLOC_ZERO_ARRAY(tmp_ctx, struct dom_sid, num_members);
1068 if ((members == NULL) || (*sid_mem == NULL) ||
1069 (*names == NULL) || (*name_types == NULL) ||
1070 (sid_mem_nocache == NULL))
1072 DEBUG(1, ("ads: lookup_groupmem: talloc failed\n"));
1073 status = NT_STATUS_NO_MEMORY;
1080 (*name_types) = NULL;
1083 for (i=0; i<num_members; i++) {
1084 enum lsa_SidType name_type;
1085 char *name, *domain_name;
1088 rc = ads_get_sid_from_extended_dn(tmp_ctx, members[i], args.val,
1090 if (!ADS_ERR_OK(rc)) {
1091 if (NT_STATUS_EQUAL(ads_ntstatus(rc),
1092 NT_STATUS_NOT_FOUND)) {
1093 /* Group members can be objects, like Exchange
1094 * Public Folders, that don't have a SID. Skip
1099 status = ads_ntstatus(rc);
1103 if (lookup_cached_sid(mem_ctx, &sid, &domain_name, &name,
1105 DEBUG(10,("ads: lookup_groupmem: got sid %s from "
1106 "cache\n", sid_string_dbg(&sid)));
1107 sid_copy(&(*sid_mem)[*num_names], &sid);
1108 (*names)[*num_names] = fill_domain_username_talloc(
1114 (*name_types)[*num_names] = name_type;
1118 DEBUG(10, ("ads: lookup_groupmem: sid %s not found in "
1119 "cache\n", sid_string_dbg(&sid)));
1120 sid_copy(&(sid_mem_nocache)[num_nocache], &sid);
1125 DEBUG(10, ("ads: lookup_groupmem: %d sids found in cache, "
1126 "%d left for lsa_lookupsids\n", *num_names, num_nocache));
1128 /* handle sids not resolved from cache by lsa_lookup_sids */
1129 if (num_nocache > 0) {
1131 status = winbindd_lookup_sids(tmp_ctx,
1137 &name_types_nocache);
1139 if (!(NT_STATUS_IS_OK(status) ||
1140 NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED) ||
1141 NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)))
1143 DEBUG(1, ("lsa_lookupsids call failed with %s "
1144 "- retrying...\n", nt_errstr(status)));
1146 status = winbindd_lookup_sids(tmp_ctx,
1152 &name_types_nocache);
1155 if (NT_STATUS_IS_OK(status) ||
1156 NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED))
1158 /* Copy the entries over from the "_nocache" arrays
1159 * to the result arrays, skipping the gaps the
1160 * lookup_sids call left. */
1161 for (i=0; i < num_nocache; i++) {
1162 if (((names_nocache)[i] != NULL) &&
1163 ((name_types_nocache)[i] != SID_NAME_UNKNOWN))
1165 sid_copy(&(*sid_mem)[*num_names],
1166 &sid_mem_nocache[i]);
1167 (*names)[*num_names] =
1168 fill_domain_username_talloc(
1173 (*name_types)[*num_names] = name_types_nocache[i];
1178 else if (NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)) {
1179 DEBUG(10, ("lookup_groupmem: lsa_lookup_sids could "
1180 "not map any SIDs at all.\n"));
1181 /* Don't handle this as an error here.
1182 * There is nothing left to do with respect to the
1183 * overall result... */
1185 else if (!NT_STATUS_IS_OK(status)) {
1186 DEBUG(10, ("lookup_groupmem: Error looking up %d "
1187 "sids via rpc_lsa_lookup_sids: %s\n",
1188 (int)num_members, nt_errstr(status)));
1193 status = NT_STATUS_OK;
1194 DEBUG(3,("ads lookup_groupmem for sid=%s succeeded\n",
1195 sid_string_dbg(group_sid)));
1199 TALLOC_FREE(tmp_ctx);
1204 /* find the sequence number for a domain */
1205 static NTSTATUS sequence_number(struct winbindd_domain *domain, uint32 *seq)
1207 ADS_STRUCT *ads = NULL;
1210 DEBUG(3,("ads: fetch sequence_number for %s\n", domain->name));
1212 if ( !winbindd_can_contact_domain( domain ) ) {
1213 DEBUG(10,("sequence: No incoming trust for domain %s\n",
1216 return NT_STATUS_OK;
1219 *seq = DOM_SEQUENCE_NONE;
1221 ads = ads_cached_connection(domain);
1224 domain->last_status = NT_STATUS_SERVER_DISABLED;
1225 return NT_STATUS_UNSUCCESSFUL;
1228 rc = ads_USN(ads, seq);
1230 if (!ADS_ERR_OK(rc)) {
1232 /* its a dead connection, destroy it */
1234 if (domain->private_data) {
1235 ads = (ADS_STRUCT *)domain->private_data;
1236 ads->is_mine = True;
1238 ads_kdestroy("MEMORY:winbind_ccache");
1239 domain->private_data = NULL;
1242 return ads_ntstatus(rc);
1245 /* find the lockout policy of a domain - use rpc methods */
1246 static NTSTATUS lockout_policy(struct winbindd_domain *domain,
1247 TALLOC_CTX *mem_ctx,
1248 struct samr_DomInfo12 *policy)
1250 return reconnect_methods.lockout_policy(domain, mem_ctx, policy);
1253 /* find the password policy of a domain - use rpc methods */
1254 static NTSTATUS password_policy(struct winbindd_domain *domain,
1255 TALLOC_CTX *mem_ctx,
1256 struct samr_DomInfo1 *policy)
1258 return reconnect_methods.password_policy(domain, mem_ctx, policy);
1261 /* get a list of trusted domains */
1262 static NTSTATUS trusted_domains(struct winbindd_domain *domain,
1263 TALLOC_CTX *mem_ctx,
1264 struct netr_DomainTrustList *trusts)
1266 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1269 struct rpc_pipe_client *cli;
1272 DEBUG(3,("ads: trusted_domains\n"));
1274 ZERO_STRUCTP(trusts);
1276 /* If this is our primary domain or a root in our forest,
1277 query for all trusts. If not, then just look for domain
1278 trusts in the target forest */
1280 if (domain->primary || domain_is_forest_root(domain)) {
1281 flags = NETR_TRUST_FLAG_OUTBOUND |
1282 NETR_TRUST_FLAG_INBOUND |
1283 NETR_TRUST_FLAG_IN_FOREST;
1285 flags = NETR_TRUST_FLAG_IN_FOREST;
1288 result = cm_connect_netlogon(domain, &cli);
1290 if (!NT_STATUS_IS_OK(result)) {
1291 DEBUG(5, ("trusted_domains: Could not open a connection to %s "
1292 "for PIPE_NETLOGON (%s)\n",
1293 domain->name, nt_errstr(result)));
1294 return NT_STATUS_UNSUCCESSFUL;
1297 result = rpccli_netr_DsrEnumerateDomainTrusts(cli, mem_ctx,
1302 if (!NT_STATUS_IS_OK(result)) {
1305 if (trusts->count == 0) {
1306 return NT_STATUS_OK;
1309 /* Copy across names and sids */
1312 for (i = 0; i < trusts->count; i++) {
1313 struct netr_DomainTrust *trust = &trusts->array[i];
1314 struct winbindd_domain d;
1319 * drop external trusts if this is not our primary
1320 * domain. This means that the returned number of
1321 * domains may be less that the ones actually trusted
1325 if ((trust->trust_attributes
1326 == NETR_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) &&
1329 DEBUG(10,("trusted_domains: Skipping external trusted "
1330 "domain %s because it is outside of our "
1332 trust->netbios_name));
1336 /* add to the trusted domain cache */
1338 fstrcpy(d.name, trust->netbios_name);
1339 fstrcpy(d.alt_name, trust->dns_name);
1341 sid_copy(&d.sid, trust->sid);
1343 sid_copy(&d.sid, &global_sid_NULL);
1346 if ( domain->primary ) {
1347 DEBUG(10,("trusted_domains(ads): Searching "
1348 "trusted domain list of %s and storing "
1349 "trust flags for domain %s\n",
1350 domain->name, d.alt_name));
1352 d.domain_flags = trust->trust_flags;
1353 d.domain_type = trust->trust_type;
1354 d.domain_trust_attribs = trust->trust_attributes;
1356 wcache_tdc_add_domain( &d );
1358 } else if (domain_is_forest_root(domain)) {
1359 /* Check if we already have this record. If
1360 * we are following our forest root that is not
1361 * our primary domain, we want to keep trust
1362 * flags from the perspective of our primary
1363 * domain not our forest root. */
1364 struct winbindd_tdc_domain *exist = NULL;
1366 exist = wcache_tdc_fetch_domain(
1367 talloc_tos(), trust->netbios_name);
1369 DEBUG(10,("trusted_domains(ads): Searching "
1370 "trusted domain list of %s and "
1371 "storing trust flags for domain "
1372 "%s\n", domain->name, d.alt_name));
1373 d.domain_flags = trust->trust_flags;
1374 d.domain_type = trust->trust_type;
1375 d.domain_trust_attribs =
1376 trust->trust_attributes;
1378 wcache_tdc_add_domain( &d );
1383 /* This gets a little tricky. If we are
1384 following a transitive forest trust, then
1385 innerit the flags, type, and attribs from
1386 the domain we queried to make sure we don't
1387 record the view of the trust from the wrong
1388 side. Always view it from the side of our
1389 primary domain. --jerry */
1390 struct winbindd_tdc_domain *parent = NULL;
1392 DEBUG(10,("trusted_domains(ads): Searching "
1393 "trusted domain list of %s and inheriting "
1394 "trust flags for domain %s\n",
1395 domain->name, d.alt_name));
1397 parent = wcache_tdc_fetch_domain(talloc_tos(),
1400 d.domain_flags = parent->trust_flags;
1401 d.domain_type = parent->trust_type;
1402 d.domain_trust_attribs = parent->trust_attribs;
1404 d.domain_flags = domain->domain_flags;
1405 d.domain_type = domain->domain_type;
1406 d.domain_trust_attribs =
1407 domain->domain_trust_attribs;
1409 TALLOC_FREE(parent);
1411 wcache_tdc_add_domain( &d );
1418 /* the ADS backend methods are exposed via this structure */
1419 struct winbindd_methods ads_methods = {