2 Unix SMB/CIFS implementation.
4 Winbind rpc backend functions
6 Copyright (C) Tim Potter 2000-2001,2003
7 Copyright (C) Andrew Tridgell 2001
8 Copyright (C) Volker Lendecke 2005
9 Copyright (C) Guenther Deschner 2008 (pidl conversion)
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 3 of the License, or
14 (at your option) any later version.
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
21 You should have received a copy of the GNU General Public License
22 along with this program. If not, see <http://www.gnu.org/licenses/>.
27 #include "winbindd_rpc.h"
29 #include "../librpc/gen_ndr/ndr_samr_c.h"
30 #include "rpc_client/cli_pipe.h"
31 #include "rpc_client/cli_samr.h"
32 #include "rpc_client/cli_lsarpc.h"
33 #include "../libcli/security/security.h"
36 #define DBGC_CLASS DBGC_WINBIND
38 static NTSTATUS winbindd_lookup_names(TALLOC_CTX *mem_ctx,
39 struct winbindd_domain *domain,
42 const char ***domains,
43 struct dom_sid **sids,
44 enum lsa_SidType **types);
46 /* Query display info for a domain. This returns enough information plus a
47 bit extra to give an overview of domain users for the User Manager
49 static NTSTATUS msrpc_query_user_list(struct winbindd_domain *domain,
52 struct wbint_userinfo **pinfo)
54 struct rpc_pipe_client *samr_pipe = NULL;
55 struct policy_handle dom_pol;
56 struct wbint_userinfo *info = NULL;
57 uint32_t num_info = 0;
61 DEBUG(3, ("msrpc_query_user_list\n"));
67 tmp_ctx = talloc_stackframe();
68 if (tmp_ctx == NULL) {
69 return NT_STATUS_NO_MEMORY;
72 if ( !winbindd_can_contact_domain( domain ) ) {
73 DEBUG(10,("query_user_list: No incoming trust for domain %s\n",
75 status = NT_STATUS_OK;
79 status = cm_connect_sam(domain, tmp_ctx, &samr_pipe, &dom_pol);
80 if (!NT_STATUS_IS_OK(status)) {
84 status = rpc_query_user_list(tmp_ctx,
90 if (!NT_STATUS_IS_OK(status)) {
95 *pnum_info = num_info;
99 *pinfo = talloc_move(mem_ctx, &info);
103 TALLOC_FREE(tmp_ctx);
107 /* list all domain groups */
108 static NTSTATUS msrpc_enum_dom_groups(struct winbindd_domain *domain,
111 struct wb_acct_info **pinfo)
113 struct rpc_pipe_client *samr_pipe;
114 struct policy_handle dom_pol;
115 struct wb_acct_info *info = NULL;
116 uint32_t num_info = 0;
120 DEBUG(3,("msrpc_enum_dom_groups\n"));
126 tmp_ctx = talloc_stackframe();
127 if (tmp_ctx == NULL) {
128 return NT_STATUS_NO_MEMORY;
131 if ( !winbindd_can_contact_domain( domain ) ) {
132 DEBUG(10,("enum_domain_groups: No incoming trust for domain %s\n",
134 status = NT_STATUS_OK;
138 status = cm_connect_sam(domain, tmp_ctx, &samr_pipe, &dom_pol);
139 if (!NT_STATUS_IS_OK(status)) {
143 status = rpc_enum_dom_groups(tmp_ctx,
148 if (!NT_STATUS_IS_OK(status)) {
153 *pnum_info = num_info;
157 *pinfo = talloc_move(mem_ctx, &info);
161 TALLOC_FREE(tmp_ctx);
165 /* List all domain groups */
167 static NTSTATUS msrpc_enum_local_groups(struct winbindd_domain *domain,
170 struct wb_acct_info **pinfo)
172 struct rpc_pipe_client *samr_pipe;
173 struct policy_handle dom_pol;
174 struct wb_acct_info *info = NULL;
175 uint32_t num_info = 0;
179 DEBUG(3,("msrpc_enum_local_groups\n"));
185 tmp_ctx = talloc_stackframe();
186 if (tmp_ctx == NULL) {
187 return NT_STATUS_NO_MEMORY;
190 if ( !winbindd_can_contact_domain( domain ) ) {
191 DEBUG(10,("enum_local_groups: No incoming trust for domain %s\n",
193 status = NT_STATUS_OK;
197 status = cm_connect_sam(domain, tmp_ctx, &samr_pipe, &dom_pol);
198 if (!NT_STATUS_IS_OK(status)) {
202 status = rpc_enum_local_groups(mem_ctx,
207 if (!NT_STATUS_IS_OK(status)) {
212 *pnum_info = num_info;
216 *pinfo = talloc_move(mem_ctx, &info);
220 TALLOC_FREE(tmp_ctx);
224 /* convert a single name to a sid in a domain */
225 static NTSTATUS msrpc_name_to_sid(struct winbindd_domain *domain,
227 const char *domain_name,
231 enum lsa_SidType *type)
234 struct dom_sid *sids = NULL;
235 enum lsa_SidType *types = NULL;
236 char *full_name = NULL;
237 NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL;
238 char *mapped_name = NULL;
240 if (name == NULL || *name=='\0') {
241 full_name = talloc_asprintf(mem_ctx, "%s", domain_name);
242 } else if (domain_name == NULL || *domain_name == '\0') {
243 full_name = talloc_asprintf(mem_ctx, "%s", name);
245 full_name = talloc_asprintf(mem_ctx, "%s\\%s", domain_name, name);
248 DEBUG(0, ("talloc_asprintf failed!\n"));
249 return NT_STATUS_NO_MEMORY;
252 DEBUG(3, ("msrpc_name_to_sid: name=%s\n", full_name));
254 name_map_status = normalize_name_unmap(mem_ctx, full_name,
257 /* Reset the full_name pointer if we mapped anytthing */
259 if (NT_STATUS_IS_OK(name_map_status) ||
260 NT_STATUS_EQUAL(name_map_status, NT_STATUS_FILE_RENAMED))
262 full_name = mapped_name;
265 DEBUG(3,("name_to_sid [rpc] %s for domain %s\n",
266 full_name?full_name:"", domain_name ));
268 result = winbindd_lookup_names(mem_ctx, domain, 1,
269 (const char **)&full_name, NULL,
271 if (!NT_STATUS_IS_OK(result))
274 /* Return rid and type if lookup successful */
276 sid_copy(sid, &sids[0]);
283 convert a domain SID to a user or group name
285 static NTSTATUS msrpc_sid_to_name(struct winbindd_domain *domain,
287 const struct dom_sid *sid,
290 enum lsa_SidType *type)
294 enum lsa_SidType *types = NULL;
296 NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL;
297 char *mapped_name = NULL;
299 DEBUG(3, ("msrpc_sid_to_name: %s for domain %s\n", sid_string_dbg(sid),
302 result = winbindd_lookup_sids(mem_ctx,
309 if (!NT_STATUS_IS_OK(result)) {
310 DEBUG(2,("msrpc_sid_to_name: failed to lookup sids: %s\n",
316 *type = (enum lsa_SidType)types[0];
317 *domain_name = domains[0];
320 DEBUG(5,("Mapped sid to [%s]\\[%s]\n", domains[0], *name));
322 name_map_status = normalize_name_map(mem_ctx, domain, *name,
324 if (NT_STATUS_IS_OK(name_map_status) ||
325 NT_STATUS_EQUAL(name_map_status, NT_STATUS_FILE_RENAMED))
328 DEBUG(5,("returning mapped name -- %s\n", *name));
334 static NTSTATUS msrpc_rids_to_names(struct winbindd_domain *domain,
336 const struct dom_sid *sid,
341 enum lsa_SidType **types)
345 struct dom_sid *sids;
349 DEBUG(3, ("msrpc_rids_to_names: domain %s\n", domain->name ));
352 sids = talloc_array(mem_ctx, struct dom_sid, num_rids);
354 return NT_STATUS_NO_MEMORY;
360 for (i=0; i<num_rids; i++) {
361 if (!sid_compose(&sids[i], sid, rids[i])) {
362 return NT_STATUS_INTERNAL_ERROR;
366 result = winbindd_lookup_sids(mem_ctx,
374 if (!NT_STATUS_IS_OK(result) &&
375 !NT_STATUS_EQUAL(result, STATUS_SOME_UNMAPPED)) {
380 for (i=0; i<num_rids; i++) {
381 NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL;
382 char *mapped_name = NULL;
384 if ((*types)[i] != SID_NAME_UNKNOWN) {
385 name_map_status = normalize_name_map(mem_ctx,
389 if (NT_STATUS_IS_OK(name_map_status) ||
390 NT_STATUS_EQUAL(name_map_status, NT_STATUS_FILE_RENAMED))
392 ret_names[i] = mapped_name;
395 *domain_name = domains[i];
402 /* Lookup user information from a rid or username. */
403 static NTSTATUS msrpc_query_user(struct winbindd_domain *domain,
405 const struct dom_sid *user_sid,
406 struct wbint_userinfo *user_info)
408 struct rpc_pipe_client *samr_pipe;
409 struct policy_handle dom_pol;
410 struct netr_SamInfo3 *user = NULL;
414 DEBUG(3,("msrpc_query_user sid=%s\n", sid_string_dbg(user_sid)));
416 tmp_ctx = talloc_stackframe();
417 if (tmp_ctx == NULL) {
418 return NT_STATUS_NO_MEMORY;
422 user_info->homedir = NULL;
423 user_info->shell = NULL;
424 user_info->primary_gid = (gid_t)-1;
427 /* try netsamlogon cache first */
428 if (winbindd_use_cache()) {
429 user = netsamlogon_cache_get(tmp_ctx, user_sid);
432 DEBUG(5,("msrpc_query_user: Cache lookup succeeded for %s\n",
433 sid_string_dbg(user_sid)));
435 sid_compose(&user_info->user_sid, &domain->sid, user->base.rid);
436 sid_compose(&user_info->group_sid, &domain->sid,
437 user->base.primary_gid);
439 user_info->acct_name = talloc_strdup(user_info,
440 user->base.account_name.string);
441 user_info->full_name = talloc_strdup(user_info,
442 user->base.full_name.string);
444 status = NT_STATUS_OK;
448 if ( !winbindd_can_contact_domain( domain ) ) {
449 DEBUG(10,("query_user: No incoming trust for domain %s\n",
451 /* Tell the cache manager not to remember this one */
452 status = NT_STATUS_SYNCHRONIZATION_REQUIRED;
456 /* no cache; hit the wire */
457 status = cm_connect_sam(domain, tmp_ctx, &samr_pipe, &dom_pol);
458 if (!NT_STATUS_IS_OK(status)) {
462 status = rpc_query_user(tmp_ctx,
470 TALLOC_FREE(tmp_ctx);
474 /* Lookup groups a user is a member of. I wish Unix had a call like this! */
475 static NTSTATUS msrpc_lookup_usergroups(struct winbindd_domain *domain,
477 const struct dom_sid *user_sid,
478 uint32_t *pnum_groups,
479 struct dom_sid **puser_grpsids)
481 struct rpc_pipe_client *samr_pipe;
482 struct policy_handle dom_pol;
483 struct dom_sid *user_grpsids = NULL;
484 uint32_t num_groups = 0;
488 DEBUG(3,("msrpc_lookup_usergroups sid=%s\n", sid_string_dbg(user_sid)));
492 tmp_ctx = talloc_stackframe();
493 if (tmp_ctx == NULL) {
494 return NT_STATUS_NO_MEMORY;
497 /* Check if we have a cached user_info_3 */
498 status = lookup_usergroups_cached(domain,
503 if (NT_STATUS_IS_OK(status)) {
507 if ( !winbindd_can_contact_domain( domain ) ) {
508 DEBUG(10,("lookup_usergroups: No incoming trust for domain %s\n",
511 /* Tell the cache manager not to remember this one */
512 status = NT_STATUS_SYNCHRONIZATION_REQUIRED;
516 /* no cache; hit the wire */
517 status = cm_connect_sam(domain, tmp_ctx, &samr_pipe, &dom_pol);
518 if (!NT_STATUS_IS_OK(status)) {
522 status = rpc_lookup_usergroups(tmp_ctx,
529 if (!NT_STATUS_IS_OK(status)) {
534 *pnum_groups = num_groups;
537 *puser_grpsids = talloc_move(mem_ctx, &user_grpsids);
541 TALLOC_FREE(tmp_ctx);
546 #define MAX_SAM_ENTRIES_W2K 0x400 /* 1024 */
548 static NTSTATUS msrpc_lookup_useraliases(struct winbindd_domain *domain,
550 uint32 num_sids, const struct dom_sid *sids,
551 uint32 *pnum_aliases,
552 uint32 **palias_rids)
554 struct rpc_pipe_client *samr_pipe;
555 struct policy_handle dom_pol;
556 uint32_t num_aliases = 0;
557 uint32_t *alias_rids = NULL;
561 DEBUG(3,("msrpc_lookup_useraliases\n"));
567 tmp_ctx = talloc_stackframe();
568 if (tmp_ctx == NULL) {
569 return NT_STATUS_NO_MEMORY;
572 if (!winbindd_can_contact_domain(domain)) {
573 DEBUG(10,("msrpc_lookup_useraliases: No incoming trust for domain %s\n",
575 /* Tell the cache manager not to remember this one */
576 status = NT_STATUS_SYNCHRONIZATION_REQUIRED;
580 status = cm_connect_sam(domain, tmp_ctx, &samr_pipe, &dom_pol);
581 if (!NT_STATUS_IS_OK(status)) {
585 status = rpc_lookup_useraliases(tmp_ctx,
592 if (!NT_STATUS_IS_OK(status)) {
597 *pnum_aliases = num_aliases;
601 *palias_rids = talloc_move(mem_ctx, &alias_rids);
605 TALLOC_FREE(tmp_ctx);
610 /* Lookup group membership given a rid. */
611 static NTSTATUS msrpc_lookup_groupmem(struct winbindd_domain *domain,
613 const struct dom_sid *group_sid,
614 enum lsa_SidType type,
616 struct dom_sid **sid_mem,
618 uint32_t **name_types)
620 NTSTATUS status, result;
621 uint32 i, total_names = 0;
622 struct policy_handle dom_pol, group_pol;
623 uint32 des_access = SEC_FLAG_MAXIMUM_ALLOWED;
624 uint32 *rid_mem = NULL;
627 struct rpc_pipe_client *cli;
628 unsigned int orig_timeout;
629 struct samr_RidAttrArray *rids = NULL;
630 struct dcerpc_binding_handle *b;
632 DEBUG(3,("msrpc_lookup_groupmem: %s sid=%s\n", domain->name,
633 sid_string_dbg(group_sid)));
635 if ( !winbindd_can_contact_domain( domain ) ) {
636 DEBUG(10,("lookup_groupmem: No incoming trust for domain %s\n",
641 if (!sid_peek_check_rid(&domain->sid, group_sid, &group_rid))
642 return NT_STATUS_UNSUCCESSFUL;
646 result = cm_connect_sam(domain, mem_ctx, &cli, &dom_pol);
647 if (!NT_STATUS_IS_OK(result))
650 b = cli->binding_handle;
652 status = dcerpc_samr_OpenGroup(b, mem_ctx,
658 if (!NT_STATUS_IS_OK(status)) {
661 if (!NT_STATUS_IS_OK(result)) {
665 /* Step #1: Get a list of user rids that are the members of the
668 /* This call can take a long time - allow the server to time out.
669 35 seconds should do it. */
671 orig_timeout = rpccli_set_timeout(cli, 35000);
673 status = dcerpc_samr_QueryGroupMember(b, mem_ctx,
678 /* And restore our original timeout. */
679 rpccli_set_timeout(cli, orig_timeout);
683 dcerpc_samr_Close(b, mem_ctx, &group_pol, &_result);
686 if (!NT_STATUS_IS_OK(status)) {
690 if (!NT_STATUS_IS_OK(result)) {
694 if (!rids || !rids->count) {
701 *num_names = rids->count;
702 rid_mem = rids->rids;
704 /* Step #2: Convert list of rids into list of usernames. Do this
705 in bunches of ~1000 to avoid crashing NT4. It looks like there
706 is a buffer overflow or something like that lurking around
709 #define MAX_LOOKUP_RIDS 900
711 *names = talloc_zero_array(mem_ctx, char *, *num_names);
712 *name_types = talloc_zero_array(mem_ctx, uint32, *num_names);
713 *sid_mem = talloc_zero_array(mem_ctx, struct dom_sid, *num_names);
715 for (j=0;j<(*num_names);j++)
716 sid_compose(&(*sid_mem)[j], &domain->sid, rid_mem[j]);
718 if (*num_names>0 && (!*names || !*name_types))
719 return NT_STATUS_NO_MEMORY;
721 for (i = 0; i < *num_names; i += MAX_LOOKUP_RIDS) {
722 int num_lookup_rids = MIN(*num_names - i, MAX_LOOKUP_RIDS);
723 struct lsa_Strings tmp_names;
724 struct samr_Ids tmp_types;
726 /* Lookup a chunk of rids */
728 status = dcerpc_samr_LookupRids(b, mem_ctx,
735 if (!NT_STATUS_IS_OK(status)) {
739 /* see if we have a real error (and yes the
740 STATUS_SOME_UNMAPPED is the one returned from 2k) */
742 if (!NT_STATUS_IS_OK(result) &&
743 !NT_STATUS_EQUAL(result, STATUS_SOME_UNMAPPED))
746 /* Copy result into array. The talloc system will take
747 care of freeing the temporary arrays later on. */
749 if (tmp_names.count != tmp_types.count) {
750 return NT_STATUS_UNSUCCESSFUL;
753 for (r=0; r<tmp_names.count; r++) {
754 if (tmp_types.ids[r] == SID_NAME_UNKNOWN) {
757 (*names)[total_names] = fill_domain_username_talloc(
758 mem_ctx, domain->name,
759 tmp_names.names[r].string, true);
760 (*name_types)[total_names] = tmp_types.ids[r];
765 *num_names = total_names;
774 static int get_ldap_seq(const char *server, struct sockaddr_storage *ss, int port, uint32 *seq)
778 const char *attrs[] = {"highestCommittedUSN", NULL};
779 LDAPMessage *res = NULL;
780 char **values = NULL;
783 *seq = DOM_SEQUENCE_NONE;
786 * Parameterised (5) second timeout on open. This is needed as the
787 * search timeout doesn't seem to apply to doing an open as well. JRA.
790 ldp = ldap_open_with_timeout(server, ss, port, lp_ldap_timeout());
794 /* Timeout if no response within 20 seconds. */
798 if (ldap_search_st(ldp, "", LDAP_SCOPE_BASE, "(objectclass=*)",
799 discard_const_p(char *, attrs), 0, &to, &res))
802 if (ldap_count_entries(ldp, res) != 1)
805 values = ldap_get_values(ldp, res, "highestCommittedUSN");
806 if (!values || !values[0])
809 *seq = atoi(values[0]);
815 ldap_value_free(values);
823 /**********************************************************************
824 Get the sequence number for a Windows AD native mode domain using
826 **********************************************************************/
828 static int get_ldap_sequence_number(struct winbindd_domain *domain, uint32 *seq)
831 char addr[INET6_ADDRSTRLEN];
833 print_sockaddr(addr, sizeof(addr), &domain->dcaddr);
834 if ((ret = get_ldap_seq(addr, &domain->dcaddr, LDAP_PORT, seq)) == 0) {
835 DEBUG(3, ("get_ldap_sequence_number: Retrieved sequence "
836 "number for Domain (%s) from DC (%s)\n",
837 domain->name, addr));
842 #endif /* HAVE_LDAP */
844 /* find the sequence number for a domain */
845 static NTSTATUS msrpc_sequence_number(struct winbindd_domain *domain,
848 struct rpc_pipe_client *samr_pipe;
849 struct policy_handle dom_pol;
854 DEBUG(3, ("msrpc_sequence_number: fetch sequence_number for %s\n", domain->name));
857 *pseq = DOM_SEQUENCE_NONE;
860 tmp_ctx = talloc_stackframe();
861 if (tmp_ctx == NULL) {
862 return NT_STATUS_NO_MEMORY;
865 if ( !winbindd_can_contact_domain( domain ) ) {
866 DEBUG(10,("sequence_number: No incoming trust for domain %s\n",
871 status = NT_STATUS_OK;
876 if (domain->active_directory) {
879 DEBUG(8,("using get_ldap_seq() to retrieve the "
880 "sequence number\n"));
882 rc = get_ldap_sequence_number(domain, &seq);
884 DEBUG(10,("domain_sequence_number: LDAP for "
892 status = NT_STATUS_OK;
896 DEBUG(10,("domain_sequence_number: failed to get LDAP "
897 "sequence number for domain %s\n",
900 #endif /* HAVE_LDAP */
902 status = cm_connect_sam(domain, tmp_ctx, &samr_pipe, &dom_pol);
903 if (!NT_STATUS_IS_OK(status)) {
907 status = rpc_sequence_number(tmp_ctx,
912 if (!NT_STATUS_IS_OK(status)) {
921 TALLOC_FREE(tmp_ctx);
925 /* get a list of trusted domains */
926 static NTSTATUS msrpc_trusted_domains(struct winbindd_domain *domain,
928 struct netr_DomainTrustList *ptrust_list)
930 struct rpc_pipe_client *lsa_pipe;
931 struct policy_handle lsa_policy;
932 struct netr_DomainTrust *trusts = NULL;
933 uint32_t num_trusts = 0;
937 DEBUG(3,("msrpc_trusted_domains\n"));
940 ZERO_STRUCTP(ptrust_list);
943 tmp_ctx = talloc_stackframe();
944 if (tmp_ctx == NULL) {
945 return NT_STATUS_NO_MEMORY;
948 status = cm_connect_lsa(domain, tmp_ctx, &lsa_pipe, &lsa_policy);
949 if (!NT_STATUS_IS_OK(status))
952 status = rpc_trusted_domains(tmp_ctx,
957 if (!NT_STATUS_IS_OK(status)) {
962 ptrust_list->count = num_trusts;
963 ptrust_list->array = talloc_move(mem_ctx, &trusts);
967 TALLOC_FREE(tmp_ctx);
971 /* find the lockout policy for a domain */
972 static NTSTATUS msrpc_lockout_policy(struct winbindd_domain *domain,
974 struct samr_DomInfo12 *lockout_policy)
976 NTSTATUS status, result;
977 struct rpc_pipe_client *cli;
978 struct policy_handle dom_pol;
979 union samr_DomainInfo *info = NULL;
980 struct dcerpc_binding_handle *b;
982 DEBUG(3, ("msrpc_lockout_policy: fetch lockout policy for %s\n", domain->name));
984 if ( !winbindd_can_contact_domain( domain ) ) {
985 DEBUG(10,("msrpc_lockout_policy: No incoming trust for domain %s\n",
987 return NT_STATUS_NOT_SUPPORTED;
990 status = cm_connect_sam(domain, mem_ctx, &cli, &dom_pol);
991 if (!NT_STATUS_IS_OK(status)) {
995 b = cli->binding_handle;
997 status = dcerpc_samr_QueryDomainInfo(b, mem_ctx,
999 DomainLockoutInformation,
1002 if (!NT_STATUS_IS_OK(status)) {
1005 if (!NT_STATUS_IS_OK(result)) {
1010 *lockout_policy = info->info12;
1012 DEBUG(10,("msrpc_lockout_policy: lockout_threshold %d\n",
1013 info->info12.lockout_threshold));
1020 /* find the password policy for a domain */
1021 static NTSTATUS msrpc_password_policy(struct winbindd_domain *domain,
1022 TALLOC_CTX *mem_ctx,
1023 struct samr_DomInfo1 *password_policy)
1025 NTSTATUS status, result;
1026 struct rpc_pipe_client *cli;
1027 struct policy_handle dom_pol;
1028 union samr_DomainInfo *info = NULL;
1029 struct dcerpc_binding_handle *b;
1031 DEBUG(3, ("msrpc_password_policy: fetch password policy for %s\n",
1034 if ( !winbindd_can_contact_domain( domain ) ) {
1035 DEBUG(10,("msrpc_password_policy: No incoming trust for domain %s\n",
1037 return NT_STATUS_NOT_SUPPORTED;
1040 status = cm_connect_sam(domain, mem_ctx, &cli, &dom_pol);
1041 if (!NT_STATUS_IS_OK(status)) {
1045 b = cli->binding_handle;
1047 status = dcerpc_samr_QueryDomainInfo(b, mem_ctx,
1049 DomainPasswordInformation,
1052 if (!NT_STATUS_IS_OK(status)) {
1055 if (!NT_STATUS_IS_OK(result)) {
1059 *password_policy = info->info1;
1061 DEBUG(10,("msrpc_password_policy: min_length_password %d\n",
1062 info->info1.min_password_length));
1069 typedef NTSTATUS (*lookup_sids_fn_t)(struct dcerpc_binding_handle *h,
1070 TALLOC_CTX *mem_ctx,
1071 struct policy_handle *pol,
1073 const struct dom_sid *sids,
1076 enum lsa_SidType **ptypes,
1079 NTSTATUS winbindd_lookup_sids(TALLOC_CTX *mem_ctx,
1080 struct winbindd_domain *domain,
1082 const struct dom_sid *sids,
1085 enum lsa_SidType **types)
1089 struct rpc_pipe_client *cli = NULL;
1090 struct dcerpc_binding_handle *b = NULL;
1091 struct policy_handle lsa_policy;
1092 unsigned int orig_timeout;
1093 lookup_sids_fn_t lookup_sids_fn = dcerpc_lsa_lookup_sids;
1095 if (domain->can_do_ncacn_ip_tcp) {
1096 status = cm_connect_lsa_tcp(domain, mem_ctx, &cli);
1097 if (NT_STATUS_IS_OK(status)) {
1098 lookup_sids_fn = dcerpc_lsa_lookup_sids3;
1101 domain->can_do_ncacn_ip_tcp = false;
1103 status = cm_connect_lsa(domain, mem_ctx, &cli, &lsa_policy);
1105 if (!NT_STATUS_IS_OK(status)) {
1110 b = cli->binding_handle;
1113 * This call can take a long time
1114 * allow the server to time out.
1115 * 35 seconds should do it.
1117 orig_timeout = dcerpc_binding_handle_set_timeout(b, 35000);
1119 status = lookup_sids_fn(b,
1129 /* And restore our original timeout. */
1130 dcerpc_binding_handle_set_timeout(b, orig_timeout);
1132 if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) ||
1133 NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR)) {
1135 * This can happen if the schannel key is not
1136 * valid anymore, we need to invalidate the
1137 * all connections to the dc and reestablish
1138 * a netlogon connection first.
1140 invalidate_cm_connection(&domain->conn);
1141 status = NT_STATUS_ACCESS_DENIED;
1144 if (!NT_STATUS_IS_OK(status)) {
1148 if (!NT_STATUS_IS_OK(result)) {
1152 return NT_STATUS_OK;
1155 typedef NTSTATUS (*lookup_names_fn_t)(struct dcerpc_binding_handle *h,
1156 TALLOC_CTX *mem_ctx,
1157 struct policy_handle *pol,
1160 const char ***dom_names,
1161 enum lsa_LookupNamesLevel level,
1162 struct dom_sid **sids,
1163 enum lsa_SidType **types,
1166 static NTSTATUS winbindd_lookup_names(TALLOC_CTX *mem_ctx,
1167 struct winbindd_domain *domain,
1170 const char ***domains,
1171 struct dom_sid **sids,
1172 enum lsa_SidType **types)
1176 struct rpc_pipe_client *cli = NULL;
1177 struct dcerpc_binding_handle *b = NULL;
1178 struct policy_handle lsa_policy;
1179 unsigned int orig_timeout = 0;
1180 lookup_names_fn_t lookup_names_fn = dcerpc_lsa_lookup_names;
1182 if (domain->can_do_ncacn_ip_tcp) {
1183 status = cm_connect_lsa_tcp(domain, mem_ctx, &cli);
1184 if (NT_STATUS_IS_OK(status)) {
1185 lookup_names_fn = dcerpc_lsa_lookup_names4;
1188 domain->can_do_ncacn_ip_tcp = false;
1190 status = cm_connect_lsa(domain, mem_ctx, &cli, &lsa_policy);
1192 if (!NT_STATUS_IS_OK(status)) {
1197 b = cli->binding_handle;
1200 * This call can take a long time
1201 * allow the server to time out.
1202 * 35 seconds should do it.
1204 orig_timeout = dcerpc_binding_handle_set_timeout(b, 35000);
1206 status = lookup_names_fn(b,
1210 (const char **) names,
1217 /* And restore our original timeout. */
1218 dcerpc_binding_handle_set_timeout(b, orig_timeout);
1220 if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) ||
1221 NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR)) {
1223 * This can happen if the schannel key is not
1224 * valid anymore, we need to invalidate the
1225 * all connections to the dc and reestablish
1226 * a netlogon connection first.
1228 invalidate_cm_connection(&domain->conn);
1229 status = NT_STATUS_ACCESS_DENIED;
1232 if (!NT_STATUS_IS_OK(status)) {
1236 if (!NT_STATUS_IS_OK(result)) {
1240 return NT_STATUS_OK;
1243 /* the rpc backend methods are exposed via this structure */
1244 struct winbindd_methods msrpc_methods = {
1246 msrpc_query_user_list,
1247 msrpc_enum_dom_groups,
1248 msrpc_enum_local_groups,
1251 msrpc_rids_to_names,
1253 msrpc_lookup_usergroups,
1254 msrpc_lookup_useraliases,
1255 msrpc_lookup_groupmem,
1256 msrpc_sequence_number,
1257 msrpc_lockout_policy,
1258 msrpc_password_policy,
1259 msrpc_trusted_domains,
git.samba.org / kai / samba.git / blob