2 Unix SMB/CIFS implementation.
4 Winbind rpc backend functions
6 Copyright (C) Tim Potter 2000-2001,2003
7 Copyright (C) Andrew Tridgell 2001
8 Copyright (C) Volker Lendecke 2005
9 Copyright (C) Guenther Deschner 2008 (pidl conversion)
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 3 of the License, or
14 (at your option) any later version.
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
21 You should have received a copy of the GNU General Public License
22 along with this program. If not, see <http://www.gnu.org/licenses/>.
29 #define DBGC_CLASS DBGC_WINBIND
32 /* Query display info for a domain. This returns enough information plus a
33 bit extra to give an overview of domain users for the User Manager
35 static NTSTATUS query_user_list(struct winbindd_domain *domain,
38 WINBIND_USERINFO **info)
42 unsigned int i, start_idx;
44 struct rpc_pipe_client *cli;
46 DEBUG(3,("rpc: query_user_list\n"));
51 if ( !winbindd_can_contact_domain( domain ) ) {
52 DEBUG(10,("query_user_list: No incoming trust for domain %s\n",
57 result = cm_connect_sam(domain, mem_ctx, &cli, &dom_pol);
58 if (!NT_STATUS_IS_OK(result))
65 uint32 num_dom_users, j;
66 uint32 max_entries, max_size;
67 uint32_t total_size, returned_size;
69 union samr_DispInfo disp_info;
71 /* this next bit is copied from net_user_list_internal() */
73 get_query_dispinfo_params(loop_count, &max_entries,
76 result = rpccli_samr_QueryDisplayInfo(cli, mem_ctx,
85 num_dom_users = disp_info.info1.count;
86 start_idx += disp_info.info1.count;
89 *num_entries += num_dom_users;
91 *info = TALLOC_REALLOC_ARRAY(mem_ctx, *info, WINBIND_USERINFO,
95 return NT_STATUS_NO_MEMORY;
98 for (j = 0; j < num_dom_users; i++, j++) {
100 uint32_t rid = disp_info.info1.entries[j].rid;
102 (*info)[i].acct_name = talloc_strdup(mem_ctx,
103 disp_info.info1.entries[j].account_name.string);
104 (*info)[i].full_name = talloc_strdup(mem_ctx,
105 disp_info.info1.entries[j].full_name.string);
106 (*info)[i].homedir = NULL;
107 (*info)[i].shell = NULL;
108 sid_compose(&(*info)[i].user_sid, &domain->sid, rid);
110 /* For the moment we set the primary group for
111 every user to be the Domain Users group.
112 There are serious problems with determining
113 the actual primary group for large domains.
114 This should really be made into a 'winbind
115 force group' smb.conf parameter or
116 something like that. */
118 sid_compose(&(*info)[i].group_sid, &domain->sid,
119 DOMAIN_GROUP_RID_USERS);
122 } while (NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES));
127 /* list all domain groups */
128 static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
131 struct acct_info **info)
136 struct rpc_pipe_client *cli;
141 DEBUG(3,("rpc: enum_dom_groups\n"));
143 if ( !winbindd_can_contact_domain( domain ) ) {
144 DEBUG(10,("enum_domain_groups: No incoming trust for domain %s\n",
149 status = cm_connect_sam(domain, mem_ctx, &cli, &dom_pol);
150 if (!NT_STATUS_IS_OK(status))
154 struct samr_SamArray *sam_array = NULL;
156 TALLOC_CTX *mem_ctx2;
159 mem_ctx2 = talloc_init("enum_dom_groups[rpc]");
161 /* start is updated by this call. */
162 status = rpccli_samr_EnumDomainGroups(cli, mem_ctx2,
166 0xFFFF, /* buffer size? */
169 if (!NT_STATUS_IS_OK(status) &&
170 !NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES)) {
171 talloc_destroy(mem_ctx2);
175 (*info) = TALLOC_REALLOC_ARRAY(mem_ctx, *info,
177 (*num_entries) + count);
179 talloc_destroy(mem_ctx2);
180 return NT_STATUS_NO_MEMORY;
183 for (g=0; g < count; g++) {
185 fstrcpy((*info)[*num_entries + g].acct_name,
186 sam_array->entries[g].name.string);
187 (*info)[*num_entries + g].rid = sam_array->entries[g].idx;
190 (*num_entries) += count;
191 talloc_destroy(mem_ctx2);
192 } while (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES));
197 /* List all domain groups */
199 static NTSTATUS enum_local_groups(struct winbindd_domain *domain,
202 struct acct_info **info)
206 struct rpc_pipe_client *cli;
211 DEBUG(3,("rpc: enum_local_groups\n"));
213 if ( !winbindd_can_contact_domain( domain ) ) {
214 DEBUG(10,("enum_local_groups: No incoming trust for domain %s\n",
219 result = cm_connect_sam(domain, mem_ctx, &cli, &dom_pol);
220 if (!NT_STATUS_IS_OK(result))
224 struct samr_SamArray *sam_array = NULL;
225 uint32 count = 0, start = *num_entries;
226 TALLOC_CTX *mem_ctx2;
229 mem_ctx2 = talloc_init("enum_dom_local_groups[rpc]");
231 result = rpccli_samr_EnumDomainAliases(cli, mem_ctx2,
235 0xFFFF, /* buffer size? */
237 if (!NT_STATUS_IS_OK(result) &&
238 !NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES) )
240 talloc_destroy(mem_ctx2);
244 (*info) = TALLOC_REALLOC_ARRAY(mem_ctx, *info,
246 (*num_entries) + count);
248 talloc_destroy(mem_ctx2);
249 return NT_STATUS_NO_MEMORY;
252 for (g=0; g < count; g++) {
254 fstrcpy((*info)[*num_entries + g].acct_name,
255 sam_array->entries[g].name.string);
256 (*info)[*num_entries + g].rid = sam_array->entries[g].idx;
259 (*num_entries) += count;
260 talloc_destroy(mem_ctx2);
262 } while (NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES));
267 /* convert a single name to a sid in a domain */
268 NTSTATUS msrpc_name_to_sid(struct winbindd_domain *domain,
270 enum winbindd_cmd original_cmd,
271 const char *domain_name,
274 enum lsa_SidType *type)
277 DOM_SID *sids = NULL;
278 enum lsa_SidType *types = NULL;
279 char *full_name = NULL;
280 struct rpc_pipe_client *cli;
281 POLICY_HND lsa_policy;
282 NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL;
283 char *mapped_name = NULL;
285 if (name == NULL || *name=='\0') {
286 full_name = talloc_asprintf(mem_ctx, "%s", domain_name);
287 } else if (domain_name == NULL || *domain_name == '\0') {
288 full_name = talloc_asprintf(mem_ctx, "%s", name);
290 full_name = talloc_asprintf(mem_ctx, "%s\\%s", domain_name, name);
293 DEBUG(0, ("talloc_asprintf failed!\n"));
294 return NT_STATUS_NO_MEMORY;
297 DEBUG(3,("rpc: name_to_sid name=%s\n", full_name));
299 name_map_status = normalize_name_unmap(mem_ctx, full_name,
302 /* Reset the full_name pointer if we mapped anytthing */
304 if (NT_STATUS_IS_OK(name_map_status) ||
305 NT_STATUS_EQUAL(name_map_status, NT_STATUS_FILE_RENAMED))
307 full_name = mapped_name;
310 DEBUG(3,("name_to_sid [rpc] %s for domain %s\n",
311 full_name?full_name:"", domain_name ));
313 result = cm_connect_lsa(domain, mem_ctx, &cli, &lsa_policy);
314 if (!NT_STATUS_IS_OK(result))
317 result = rpccli_lsa_lookup_names(cli, mem_ctx, &lsa_policy, 1,
318 (const char**) &full_name, NULL, 1, &sids, &types);
320 if (!NT_STATUS_IS_OK(result))
323 /* Return rid and type if lookup successful */
325 sid_copy(sid, &sids[0]);
332 convert a domain SID to a user or group name
334 NTSTATUS msrpc_sid_to_name(struct winbindd_domain *domain,
339 enum lsa_SidType *type)
343 enum lsa_SidType *types = NULL;
345 struct rpc_pipe_client *cli;
346 POLICY_HND lsa_policy;
347 NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL;
348 char *mapped_name = NULL;
350 DEBUG(3,("sid_to_name [rpc] %s for domain %s\n", sid_string_dbg(sid),
353 result = cm_connect_lsa(domain, mem_ctx, &cli, &lsa_policy);
354 if (!NT_STATUS_IS_OK(result)) {
355 DEBUG(2,("msrpc_sid_to_name: cm_connect_lsa() failed (%s)\n",
361 result = rpccli_lsa_lookup_sids(cli, mem_ctx, &lsa_policy,
362 1, sid, &domains, &names, &types);
363 if (!NT_STATUS_IS_OK(result)) {
364 DEBUG(2,("msrpc_sid_to_name: rpccli_lsa_lookup_sids() failed (%s)\n",
369 *type = (enum lsa_SidType)types[0];
370 *domain_name = domains[0];
373 DEBUG(5,("Mapped sid to [%s]\\[%s]\n", domains[0], *name));
375 name_map_status = normalize_name_map(mem_ctx, domain, *name,
377 if (NT_STATUS_IS_OK(name_map_status) ||
378 NT_STATUS_EQUAL(name_map_status, NT_STATUS_FILE_RENAMED))
381 DEBUG(5,("returning mapped name -- %s\n", *name));
387 NTSTATUS msrpc_rids_to_names(struct winbindd_domain *domain,
394 enum lsa_SidType **types)
398 struct rpc_pipe_client *cli;
399 POLICY_HND lsa_policy;
404 DEBUG(3, ("rids_to_names [rpc] for domain %s\n", domain->name ));
407 sids = TALLOC_ARRAY(mem_ctx, DOM_SID, num_rids);
409 return NT_STATUS_NO_MEMORY;
415 for (i=0; i<num_rids; i++) {
416 if (!sid_compose(&sids[i], sid, rids[i])) {
417 return NT_STATUS_INTERNAL_ERROR;
421 result = cm_connect_lsa(domain, mem_ctx, &cli, &lsa_policy);
422 if (!NT_STATUS_IS_OK(result)) {
426 result = rpccli_lsa_lookup_sids(cli, mem_ctx, &lsa_policy,
427 num_rids, sids, &domains,
429 if (!NT_STATUS_IS_OK(result) &&
430 !NT_STATUS_EQUAL(result, STATUS_SOME_UNMAPPED)) {
435 for (i=0; i<num_rids; i++) {
436 NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL;
437 char *mapped_name = NULL;
439 if ((*types)[i] != SID_NAME_UNKNOWN) {
440 name_map_status = normalize_name_map(mem_ctx,
444 if (NT_STATUS_IS_OK(name_map_status) ||
445 NT_STATUS_EQUAL(name_map_status, NT_STATUS_FILE_RENAMED))
447 ret_names[i] = mapped_name;
450 *domain_name = domains[i];
457 /* Lookup user information from a rid or username. */
458 static NTSTATUS query_user(struct winbindd_domain *domain,
460 const DOM_SID *user_sid,
461 WINBIND_USERINFO *user_info)
463 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
464 POLICY_HND dom_pol, user_pol;
465 union samr_UserInfo *info = NULL;
467 struct netr_SamInfo3 *user;
468 struct rpc_pipe_client *cli;
470 DEBUG(3,("rpc: query_user sid=%s\n", sid_string_dbg(user_sid)));
472 if (!sid_peek_check_rid(&domain->sid, user_sid, &user_rid))
473 return NT_STATUS_UNSUCCESSFUL;
475 user_info->homedir = NULL;
476 user_info->shell = NULL;
477 user_info->primary_gid = (gid_t)-1;
479 /* try netsamlogon cache first */
481 if ( (user = netsamlogon_cache_get( mem_ctx, user_sid )) != NULL )
484 DEBUG(5,("query_user: Cache lookup succeeded for %s\n",
485 sid_string_dbg(user_sid)));
487 sid_compose(&user_info->user_sid, &domain->sid, user->base.rid);
488 sid_compose(&user_info->group_sid, &domain->sid,
489 user->base.primary_gid);
491 user_info->acct_name = talloc_strdup(mem_ctx,
492 user->base.account_name.string);
493 user_info->full_name = talloc_strdup(mem_ctx,
494 user->base.full_name.string);
501 if ( !winbindd_can_contact_domain( domain ) ) {
502 DEBUG(10,("query_user: No incoming trust for domain %s\n",
507 if ( !winbindd_can_contact_domain( domain ) ) {
508 DEBUG(10,("query_user: No incoming trust for domain %s\n",
513 if ( !winbindd_can_contact_domain( domain ) ) {
514 DEBUG(10,("query_user: No incoming trust for domain %s\n",
519 /* no cache; hit the wire */
521 result = cm_connect_sam(domain, mem_ctx, &cli, &dom_pol);
522 if (!NT_STATUS_IS_OK(result))
525 /* Get user handle */
526 result = rpccli_samr_OpenUser(cli, mem_ctx,
528 SEC_RIGHTS_MAXIMUM_ALLOWED,
532 if (!NT_STATUS_IS_OK(result))
536 result = rpccli_samr_QueryUserInfo(cli, mem_ctx,
541 rpccli_samr_Close(cli, mem_ctx, &user_pol);
543 if (!NT_STATUS_IS_OK(result))
546 sid_compose(&user_info->user_sid, &domain->sid, user_rid);
547 sid_compose(&user_info->group_sid, &domain->sid,
548 info->info21.primary_gid);
549 user_info->acct_name = talloc_strdup(mem_ctx,
550 info->info21.account_name.string);
551 user_info->full_name = talloc_strdup(mem_ctx,
552 info->info21.full_name.string);
553 user_info->homedir = NULL;
554 user_info->shell = NULL;
555 user_info->primary_gid = (gid_t)-1;
560 /* Lookup groups a user is a member of. I wish Unix had a call like this! */
561 static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
563 const DOM_SID *user_sid,
564 uint32 *num_groups, DOM_SID **user_grpsids)
566 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
567 POLICY_HND dom_pol, user_pol;
568 uint32 des_access = SEC_RIGHTS_MAXIMUM_ALLOWED;
569 struct samr_RidWithAttributeArray *rid_array = NULL;
572 struct rpc_pipe_client *cli;
574 DEBUG(3,("rpc: lookup_usergroups sid=%s\n", sid_string_dbg(user_sid)));
576 if (!sid_peek_check_rid(&domain->sid, user_sid, &user_rid))
577 return NT_STATUS_UNSUCCESSFUL;
580 *user_grpsids = NULL;
582 /* so lets see if we have a cached user_info_3 */
583 result = lookup_usergroups_cached(domain, mem_ctx, user_sid,
584 num_groups, user_grpsids);
586 if (NT_STATUS_IS_OK(result)) {
590 if ( !winbindd_can_contact_domain( domain ) ) {
591 DEBUG(10,("lookup_usergroups: No incoming trust for domain %s\n",
594 /* Tell the cache manager not to remember this one */
596 return NT_STATUS_SYNCHRONIZATION_REQUIRED;
599 /* no cache; hit the wire */
601 result = cm_connect_sam(domain, mem_ctx, &cli, &dom_pol);
602 if (!NT_STATUS_IS_OK(result))
605 /* Get user handle */
606 result = rpccli_samr_OpenUser(cli, mem_ctx,
612 if (!NT_STATUS_IS_OK(result))
615 /* Query user rids */
616 result = rpccli_samr_GetGroupsForUser(cli, mem_ctx,
619 *num_groups = rid_array->count;
621 rpccli_samr_Close(cli, mem_ctx, &user_pol);
623 if (!NT_STATUS_IS_OK(result) || (*num_groups) == 0)
626 (*user_grpsids) = TALLOC_ARRAY(mem_ctx, DOM_SID, *num_groups);
627 if (!(*user_grpsids))
628 return NT_STATUS_NO_MEMORY;
630 for (i=0;i<(*num_groups);i++) {
631 sid_copy(&((*user_grpsids)[i]), &domain->sid);
632 sid_append_rid(&((*user_grpsids)[i]),
633 rid_array->rids[i].rid);
639 NTSTATUS msrpc_lookup_useraliases(struct winbindd_domain *domain,
641 uint32 num_sids, const DOM_SID *sids,
642 uint32 *num_aliases, uint32 **alias_rids)
644 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
646 uint32 num_query_sids = 0;
648 struct rpc_pipe_client *cli;
649 struct samr_Ids alias_rids_query;
650 int rangesize = MAX_SAM_ENTRIES_W2K;
651 uint32 total_sids = 0;
657 DEBUG(3,("rpc: lookup_useraliases\n"));
659 if ( !winbindd_can_contact_domain( domain ) ) {
660 DEBUG(10,("msrpc_lookup_useraliases: No incoming trust for domain %s\n",
665 result = cm_connect_sam(domain, mem_ctx, &cli, &dom_pol);
666 if (!NT_STATUS_IS_OK(result))
671 struct lsa_SidArray sid_array;
673 ZERO_STRUCT(sid_array);
675 num_query_sids = MIN(num_sids - total_sids, rangesize);
677 DEBUG(10,("rpc: lookup_useraliases: entering query %d for %d sids\n",
678 num_queries, num_query_sids));
680 if (num_query_sids) {
681 sid_array.sids = TALLOC_ZERO_ARRAY(mem_ctx, struct lsa_SidPtr, num_query_sids);
682 if (sid_array.sids == NULL) {
683 return NT_STATUS_NO_MEMORY;
686 sid_array.sids = NULL;
689 for (i=0; i<num_query_sids; i++) {
690 sid_array.sids[i].sid = sid_dup_talloc(mem_ctx, &sids[total_sids++]);
691 if (!sid_array.sids[i].sid) {
692 TALLOC_FREE(sid_array.sids);
693 return NT_STATUS_NO_MEMORY;
696 sid_array.num_sids = num_query_sids;
699 result = rpccli_samr_GetAliasMembership(cli, mem_ctx,
704 if (!NT_STATUS_IS_OK(result)) {
707 TALLOC_FREE(sid_array.sids);
713 for (i=0; i<alias_rids_query.count; i++) {
714 size_t na = *num_aliases;
715 if (!add_rid_to_array_unique(mem_ctx, alias_rids_query.ids[i],
717 return NT_STATUS_NO_MEMORY;
722 TALLOC_FREE(sid_array.sids);
726 } while (total_sids < num_sids);
729 DEBUG(10,("rpc: lookup_useraliases: got %d aliases in %d queries "
730 "(rangesize: %d)\n", *num_aliases, num_queries, rangesize));
736 /* Lookup group membership given a rid. */
737 static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
739 const DOM_SID *group_sid, uint32 *num_names,
740 DOM_SID **sid_mem, char ***names,
743 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
744 uint32 i, total_names = 0;
745 POLICY_HND dom_pol, group_pol;
746 uint32 des_access = SEC_RIGHTS_MAXIMUM_ALLOWED;
747 uint32 *rid_mem = NULL;
750 struct rpc_pipe_client *cli;
751 unsigned int orig_timeout;
752 struct samr_RidTypeArray *rids = NULL;
754 DEBUG(10,("rpc: lookup_groupmem %s sid=%s\n", domain->name,
755 sid_string_dbg(group_sid)));
757 if ( !winbindd_can_contact_domain( domain ) ) {
758 DEBUG(10,("lookup_groupmem: No incoming trust for domain %s\n",
763 if (!sid_peek_check_rid(&domain->sid, group_sid, &group_rid))
764 return NT_STATUS_UNSUCCESSFUL;
768 result = cm_connect_sam(domain, mem_ctx, &cli, &dom_pol);
769 if (!NT_STATUS_IS_OK(result))
772 result = rpccli_samr_OpenGroup(cli, mem_ctx,
778 if (!NT_STATUS_IS_OK(result))
781 /* Step #1: Get a list of user rids that are the members of the
784 /* This call can take a long time - allow the server to time out.
785 35 seconds should do it. */
787 orig_timeout = rpccli_set_timeout(cli, 35000);
789 result = rpccli_samr_QueryGroupMember(cli, mem_ctx,
793 /* And restore our original timeout. */
794 rpccli_set_timeout(cli, orig_timeout);
796 rpccli_samr_Close(cli, mem_ctx, &group_pol);
798 if (!NT_STATUS_IS_OK(result))
801 *num_names = rids->count;
802 rid_mem = rids->rids;
811 /* Step #2: Convert list of rids into list of usernames. Do this
812 in bunches of ~1000 to avoid crashing NT4. It looks like there
813 is a buffer overflow or something like that lurking around
816 #define MAX_LOOKUP_RIDS 900
818 *names = TALLOC_ZERO_ARRAY(mem_ctx, char *, *num_names);
819 *name_types = TALLOC_ZERO_ARRAY(mem_ctx, uint32, *num_names);
820 *sid_mem = TALLOC_ZERO_ARRAY(mem_ctx, DOM_SID, *num_names);
822 for (j=0;j<(*num_names);j++)
823 sid_compose(&(*sid_mem)[j], &domain->sid, rid_mem[j]);
825 if (*num_names>0 && (!*names || !*name_types))
826 return NT_STATUS_NO_MEMORY;
828 for (i = 0; i < *num_names; i += MAX_LOOKUP_RIDS) {
829 int num_lookup_rids = MIN(*num_names - i, MAX_LOOKUP_RIDS);
830 struct lsa_Strings tmp_names;
831 struct samr_Ids tmp_types;
833 /* Lookup a chunk of rids */
835 result = rpccli_samr_LookupRids(cli, mem_ctx,
842 /* see if we have a real error (and yes the
843 STATUS_SOME_UNMAPPED is the one returned from 2k) */
845 if (!NT_STATUS_IS_OK(result) &&
846 !NT_STATUS_EQUAL(result, STATUS_SOME_UNMAPPED))
849 /* Copy result into array. The talloc system will take
850 care of freeing the temporary arrays later on. */
852 if (tmp_names.count != tmp_types.count) {
853 return NT_STATUS_UNSUCCESSFUL;
856 for (r=0; r<tmp_names.count; r++) {
857 (*names)[i+r] = fill_domain_username_talloc(mem_ctx,
859 tmp_names.names[r].string,
861 (*name_types)[i+r] = tmp_types.ids[r];
864 total_names += tmp_names.count;
867 *num_names = total_names;
876 static int get_ldap_seq(const char *server, int port, uint32 *seq)
880 const char *attrs[] = {"highestCommittedUSN", NULL};
881 LDAPMessage *res = NULL;
882 char **values = NULL;
885 *seq = DOM_SEQUENCE_NONE;
888 * Parameterised (5) second timeout on open. This is needed as the
889 * search timeout doesn't seem to apply to doing an open as well. JRA.
892 ldp = ldap_open_with_timeout(server, port, lp_ldap_timeout());
896 /* Timeout if no response within 20 seconds. */
900 if (ldap_search_st(ldp, "", LDAP_SCOPE_BASE, "(objectclass=*)",
901 CONST_DISCARD(char **, attrs), 0, &to, &res))
904 if (ldap_count_entries(ldp, res) != 1)
907 values = ldap_get_values(ldp, res, "highestCommittedUSN");
908 if (!values || !values[0])
911 *seq = atoi(values[0]);
917 ldap_value_free(values);
925 /**********************************************************************
926 Get the sequence number for a Windows AD native mode domain using
928 **********************************************************************/
930 static int get_ldap_sequence_number(struct winbindd_domain *domain, uint32 *seq)
933 char addr[INET6_ADDRSTRLEN];
935 print_sockaddr(addr, sizeof(addr), &domain->dcaddr);
936 if ((ret = get_ldap_seq(addr, LDAP_PORT, seq)) == 0) {
937 DEBUG(3, ("get_ldap_sequence_number: Retrieved sequence "
938 "number for Domain (%s) from DC (%s)\n",
939 domain->name, addr));
944 #endif /* HAVE_LDAP */
946 /* find the sequence number for a domain */
947 static NTSTATUS sequence_number(struct winbindd_domain *domain, uint32 *seq)
950 union samr_DomainInfo *info = NULL;
953 bool got_seq_num = False;
954 struct rpc_pipe_client *cli;
956 DEBUG(10,("rpc: fetch sequence_number for %s\n", domain->name));
958 if ( !winbindd_can_contact_domain( domain ) ) {
959 DEBUG(10,("sequence_number: No incoming trust for domain %s\n",
965 *seq = DOM_SEQUENCE_NONE;
967 if (!(mem_ctx = talloc_init("sequence_number[rpc]")))
968 return NT_STATUS_NO_MEMORY;
971 if ( domain->active_directory )
975 DEBUG(8,("using get_ldap_seq() to retrieve the "
976 "sequence number\n"));
978 res = get_ldap_sequence_number( domain, seq );
981 result = NT_STATUS_OK;
982 DEBUG(10,("domain_sequence_number: LDAP for "
984 domain->name, *seq));
988 DEBUG(10,("domain_sequence_number: failed to get LDAP "
989 "sequence number for domain %s\n",
992 #endif /* HAVE_LDAP */
994 result = cm_connect_sam(domain, mem_ctx, &cli, &dom_pol);
995 if (!NT_STATUS_IS_OK(result)) {
999 /* Query domain info */
1001 result = rpccli_samr_QueryDomainInfo(cli, mem_ctx,
1006 if (NT_STATUS_IS_OK(result)) {
1007 *seq = info->info8.sequence_num;
1012 /* retry with info-level 2 in case the dc does not support info-level 8
1013 * (like all older samba2 and samba3 dc's) - Guenther */
1015 result = rpccli_samr_QueryDomainInfo(cli, mem_ctx,
1020 if (NT_STATUS_IS_OK(result)) {
1021 *seq = info->general.sequence_num;
1027 DEBUG(10,("domain_sequence_number: for domain %s is %u\n",
1028 domain->name, (unsigned)*seq));
1030 DEBUG(10,("domain_sequence_number: failed to get sequence "
1031 "number (%u) for domain %s\n",
1032 (unsigned)*seq, domain->name ));
1037 talloc_destroy(mem_ctx);
1042 /* get a list of trusted domains */
1043 static NTSTATUS trusted_domains(struct winbindd_domain *domain,
1044 TALLOC_CTX *mem_ctx,
1045 uint32 *num_domains,
1050 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1051 uint32 enum_ctx = 0;
1052 struct rpc_pipe_client *cli;
1053 POLICY_HND lsa_policy;
1055 DEBUG(3,("rpc: trusted_domains\n"));
1062 result = cm_connect_lsa(domain, mem_ctx, &cli, &lsa_policy);
1063 if (!NT_STATUS_IS_OK(result))
1066 result = STATUS_MORE_ENTRIES;
1068 while (NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES)) {
1071 struct lsa_DomainList dom_list;
1073 result = rpccli_lsa_EnumTrustDom(cli, mem_ctx,
1079 if (!NT_STATUS_IS_OK(result) &&
1080 !NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES))
1083 start_idx = *num_domains;
1084 *num_domains += dom_list.count;
1085 *names = TALLOC_REALLOC_ARRAY(mem_ctx, *names,
1086 char *, *num_domains);
1087 *dom_sids = TALLOC_REALLOC_ARRAY(mem_ctx, *dom_sids,
1088 DOM_SID, *num_domains);
1089 *alt_names = TALLOC_REALLOC_ARRAY(mem_ctx, *alt_names,
1090 char *, *num_domains);
1091 if ((*names == NULL) || (*dom_sids == NULL) ||
1092 (*alt_names == NULL))
1093 return NT_STATUS_NO_MEMORY;
1095 for (i=0; i<dom_list.count; i++) {
1096 (*names)[start_idx+i] = CONST_DISCARD(char *, dom_list.domains[i].name.string);
1097 (*dom_sids)[start_idx+i] = *dom_list.domains[i].sid;
1098 (*alt_names)[start_idx+i] = talloc_strdup(mem_ctx, "");
1104 /* find the lockout policy for a domain */
1105 NTSTATUS msrpc_lockout_policy(struct winbindd_domain *domain,
1106 TALLOC_CTX *mem_ctx,
1107 struct samr_DomInfo12 *lockout_policy)
1110 struct rpc_pipe_client *cli;
1112 union samr_DomainInfo *info = NULL;
1114 DEBUG(10,("rpc: fetch lockout policy for %s\n", domain->name));
1116 if ( !winbindd_can_contact_domain( domain ) ) {
1117 DEBUG(10,("msrpc_lockout_policy: No incoming trust for domain %s\n",
1119 return NT_STATUS_NOT_SUPPORTED;
1122 result = cm_connect_sam(domain, mem_ctx, &cli, &dom_pol);
1123 if (!NT_STATUS_IS_OK(result)) {
1127 result = rpccli_samr_QueryDomainInfo(cli, mem_ctx,
1131 if (!NT_STATUS_IS_OK(result)) {
1135 *lockout_policy = info->info12;
1137 DEBUG(10,("msrpc_lockout_policy: lockout_threshold %d\n",
1138 info->info12.lockout_threshold));
1145 /* find the password policy for a domain */
1146 NTSTATUS msrpc_password_policy(struct winbindd_domain *domain,
1147 TALLOC_CTX *mem_ctx,
1148 struct samr_DomInfo1 *password_policy)
1151 struct rpc_pipe_client *cli;
1153 union samr_DomainInfo *info = NULL;
1155 DEBUG(10,("rpc: fetch password policy for %s\n", domain->name));
1157 if ( !winbindd_can_contact_domain( domain ) ) {
1158 DEBUG(10,("msrpc_password_policy: No incoming trust for domain %s\n",
1160 return NT_STATUS_NOT_SUPPORTED;
1163 result = cm_connect_sam(domain, mem_ctx, &cli, &dom_pol);
1164 if (!NT_STATUS_IS_OK(result)) {
1168 result = rpccli_samr_QueryDomainInfo(cli, mem_ctx,
1172 if (!NT_STATUS_IS_OK(result)) {
1176 *password_policy = info->info1;
1178 DEBUG(10,("msrpc_password_policy: min_length_password %d\n",
1179 info->info1.min_password_length));
1187 /* the rpc backend methods are exposed via this structure */
1188 struct winbindd_methods msrpc_methods = {
1195 msrpc_rids_to_names,
1198 msrpc_lookup_useraliases,
1201 msrpc_lockout_policy,
1202 msrpc_password_policy,
git.samba.org / kai / samba.git / blob