s3-libads: allow ads_try_connect() to re-use a resolved ip address.
[nivanova/samba-autobuild/.git] / source3 / auth / server_info.c
1 /*
2    Unix SMB/CIFS implementation.
3    Authentication utility functions
4    Copyright (C) Volker Lendecke 2010
5
6    This program is free software; you can redistribute it and/or modify
7    it under the terms of the GNU General Public License as published by
8    the Free Software Foundation; either version 3 of the License, or
9    (at your option) any later version.
10
11    This program is distributed in the hope that it will be useful,
12    but WITHOUT ANY WARRANTY; without even the implied warranty of
13    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14    GNU General Public License for more details.
15
16    You should have received a copy of the GNU General Public License
17    along with this program.  If not, see <http://www.gnu.org/licenses/>.
18 */
19
20 #include "includes.h"
21 #include "auth.h"
22 #include "../lib/crypto/arcfour.h"
23 #include "../librpc/gen_ndr/netlogon.h"
24 #include "../libcli/security/security.h"
25 #include "rpc_client/util_netlogon.h"
26 #include "nsswitch/libwbclient/wbclient.h"
27 #include "lib/winbind_util.h"
28 #include "passdb.h"
29
30 #undef DBGC_CLASS
31 #define DBGC_CLASS DBGC_AUTH
32
33 /***************************************************************************
34  Make a server_info struct. Free with TALLOC_FREE().
35 ***************************************************************************/
36
37 struct auth_serversupplied_info *make_server_info(TALLOC_CTX *mem_ctx)
38 {
39         struct auth_serversupplied_info *result;
40
41         result = talloc_zero(mem_ctx, struct auth_serversupplied_info);
42         if (result == NULL) {
43                 DEBUG(0, ("talloc failed\n"));
44                 return NULL;
45         }
46
47         /* Initialise the uid and gid values to something non-zero
48            which may save us from giving away root access if there
49            is a bug in allocating these fields. */
50
51         result->utok.uid = -1;
52         result->utok.gid = -1;
53
54         return result;
55 }
56
57 /****************************************************************************
58  inits a netr_SamInfo2 structure from an auth_serversupplied_info. sam2 must
59  already be initialized and is used as the talloc parent for its members.
60 *****************************************************************************/
61
62 NTSTATUS serverinfo_to_SamInfo2(struct auth_serversupplied_info *server_info,
63                                 struct netr_SamInfo2 *sam2)
64 {
65         struct netr_SamInfo3 *info3;
66
67         info3 = copy_netr_SamInfo3(sam2, server_info->info3);
68         if (!info3) {
69                 return NT_STATUS_NO_MEMORY;
70         }
71
72         if (server_info->session_key.length) {
73                 memcpy(info3->base.key.key,
74                        server_info->session_key.data,
75                        MIN(sizeof(info3->base.key.key),
76                            server_info->session_key.length));
77         }
78         if (server_info->lm_session_key.length) {
79                 memcpy(info3->base.LMSessKey.key,
80                        server_info->lm_session_key.data,
81                        MIN(sizeof(info3->base.LMSessKey.key),
82                            server_info->lm_session_key.length));
83         }
84
85         sam2->base = info3->base;
86
87         return NT_STATUS_OK;
88 }
89
90 /****************************************************************************
91  inits a netr_SamInfo3 structure from an auth_serversupplied_info. sam3 must
92  already be initialized and is used as the talloc parent for its members.
93 *****************************************************************************/
94
95 NTSTATUS serverinfo_to_SamInfo3(const struct auth_serversupplied_info *server_info,
96                                 struct netr_SamInfo3 *sam3)
97 {
98         struct netr_SamInfo3 *info3;
99
100         info3 = copy_netr_SamInfo3(sam3, server_info->info3);
101         if (!info3) {
102                 return NT_STATUS_NO_MEMORY;
103         }
104
105         if (server_info->session_key.length) {
106                 memcpy(info3->base.key.key,
107                        server_info->session_key.data,
108                        MIN(sizeof(info3->base.key.key),
109                            server_info->session_key.length));
110         }
111         if (server_info->lm_session_key.length) {
112                 memcpy(info3->base.LMSessKey.key,
113                        server_info->lm_session_key.data,
114                        MIN(sizeof(info3->base.LMSessKey.key),
115                            server_info->lm_session_key.length));
116         }
117
118         sam3->base = info3->base;
119
120         sam3->sidcount          = 0;
121         sam3->sids              = NULL;
122
123         return NT_STATUS_OK;
124 }
125
126 /****************************************************************************
127  inits a netr_SamInfo6 structure from an auth_serversupplied_info. sam6 must
128  already be initialized and is used as the talloc parent for its members.
129 *****************************************************************************/
130
131 NTSTATUS serverinfo_to_SamInfo6(struct auth_serversupplied_info *server_info,
132                                 struct netr_SamInfo6 *sam6)
133 {
134         struct pdb_domain_info *dominfo;
135         struct netr_SamInfo3 *info3;
136
137         if ((pdb_capabilities() & PDB_CAP_ADS) == 0) {
138                 DEBUG(10,("Not adding validation info level 6 "
139                            "without ADS passdb backend\n"));
140                 return NT_STATUS_INVALID_INFO_CLASS;
141         }
142
143         dominfo = pdb_get_domain_info(sam6);
144         if (dominfo == NULL) {
145                 return NT_STATUS_NO_MEMORY;
146         }
147
148         info3 = copy_netr_SamInfo3(sam6, server_info->info3);
149         if (!info3) {
150                 return NT_STATUS_NO_MEMORY;
151         }
152
153         if (server_info->session_key.length) {
154                 memcpy(info3->base.key.key,
155                        server_info->session_key.data,
156                        MIN(sizeof(info3->base.key.key),
157                            server_info->session_key.length));
158         }
159         if (server_info->lm_session_key.length) {
160                 memcpy(info3->base.LMSessKey.key,
161                        server_info->lm_session_key.data,
162                        MIN(sizeof(info3->base.LMSessKey.key),
163                            server_info->lm_session_key.length));
164         }
165
166         sam6->base = info3->base;
167
168         sam6->sidcount          = 0;
169         sam6->sids              = NULL;
170
171         sam6->dns_domainname.string = talloc_strdup(sam6, dominfo->dns_domain);
172         if (sam6->dns_domainname.string == NULL) {
173                 return NT_STATUS_NO_MEMORY;
174         }
175
176         sam6->principle.string  = talloc_asprintf(sam6, "%s@%s",
177                                                   sam6->base.account_name.string,
178                                                   sam6->dns_domainname.string);
179         if (sam6->principle.string == NULL) {
180                 return NT_STATUS_NO_MEMORY;
181         }
182
183         return NT_STATUS_OK;
184 }
185
186 static NTSTATUS append_netr_SidAttr(TALLOC_CTX *mem_ctx,
187                                     struct netr_SidAttr **sids,
188                                     uint32_t *count,
189                                     const struct dom_sid2 *asid,
190                                     uint32_t attributes)
191 {
192         uint32_t t = *count;
193
194         *sids = talloc_realloc(mem_ctx, *sids, struct netr_SidAttr, t + 1);
195         if (*sids == NULL) {
196                 return NT_STATUS_NO_MEMORY;
197         }
198         (*sids)[t].sid = dom_sid_dup(*sids, asid);
199         if ((*sids)[t].sid == NULL) {
200                 return NT_STATUS_NO_MEMORY;
201         }
202         (*sids)[t].attributes = attributes;
203         *count = t + 1;
204
205         return NT_STATUS_OK;
206 }
207
208 /* Fills the samr_RidWithAttributeArray with the provided sids.
209  * If it happens that we have additional groups that do not belong
210  * to the domain, add their sids as extra sids */
211 static NTSTATUS group_sids_to_info3(struct netr_SamInfo3 *info3,
212                                     const struct dom_sid *sids,
213                                     size_t num_sids)
214 {
215         uint32_t attributes = SE_GROUP_MANDATORY |
216                                 SE_GROUP_ENABLED_BY_DEFAULT |
217                                 SE_GROUP_ENABLED;
218         struct samr_RidWithAttributeArray *groups;
219         struct dom_sid *domain_sid;
220         unsigned int i;
221         NTSTATUS status;
222         uint32_t rid;
223         bool ok;
224
225         domain_sid = info3->base.domain_sid;
226         groups = &info3->base.groups;
227
228         groups->rids = talloc_array(info3,
229                                     struct samr_RidWithAttribute, num_sids);
230         if (!groups->rids) {
231                 return NT_STATUS_NO_MEMORY;
232         }
233
234         for (i = 0; i < num_sids; i++) {
235                 ok = sid_peek_check_rid(domain_sid, &sids[i], &rid);
236                 if (ok) {
237                         /* store domain group rid */
238                         groups->rids[groups->count].rid = rid;
239                         groups->rids[groups->count].attributes = attributes;
240                         groups->count++;
241                         continue;
242                 }
243
244                 /* if this wasn't a domain sid, add it as extra sid */
245                 status = append_netr_SidAttr(info3, &info3->sids,
246                                              &info3->sidcount,
247                                              &sids[i], attributes);
248                 if (!NT_STATUS_IS_OK(status)) {
249                         return status;
250                 }
251         }
252
253         return NT_STATUS_OK;
254 }
255
256 #define RET_NOMEM(ptr) do { \
257         if (!ptr) { \
258                 TALLOC_FREE(info3); \
259                 return NT_STATUS_NO_MEMORY; \
260         } } while(0)
261
262 NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx,
263                           struct samu *samu,
264                           const char *login_server,
265                           struct netr_SamInfo3 **_info3,
266                           struct extra_auth_info *extra)
267 {
268         struct netr_SamInfo3 *info3;
269         const struct dom_sid *user_sid;
270         const struct dom_sid *group_sid;
271         struct dom_sid domain_sid;
272         struct dom_sid *group_sids;
273         uint32_t num_group_sids = 0;
274         const char *tmp;
275         gid_t *gids;
276         NTSTATUS status;
277         bool ok;
278
279         user_sid = pdb_get_user_sid(samu);
280         group_sid = pdb_get_group_sid(samu);
281
282         if (!user_sid || !group_sid) {
283                 DEBUG(1, ("Sam account is missing sids!\n"));
284                 return NT_STATUS_UNSUCCESSFUL;
285         }
286
287         info3 = talloc_zero(mem_ctx, struct netr_SamInfo3);
288         if (!info3) {
289                 return NT_STATUS_NO_MEMORY;
290         }
291
292         ZERO_STRUCT(domain_sid);
293
294         /* check if this is a "Unix Users" domain user,
295          * we need to handle it in a special way if that's the case */
296         if (sid_check_is_in_unix_users(user_sid)) {
297                 /* in info3 you can only set rids for the user and the
298                  * primary group, and the domain sid must be that of
299                  * the sam domain.
300                  *
301                  * Store a completely bogus value here.
302                  * The real SID is stored in the extra sids.
303                  * Other code will know to look there if (-1) is found
304                  */
305                 info3->base.rid = (uint32_t)(-1);
306                 sid_copy(&extra->user_sid, user_sid);
307
308                 DEBUG(10, ("Unix User found in struct samu. Rid marked as "
309                            "special and sid (%s) saved as extra sid\n",
310                            sid_string_dbg(user_sid)));
311         } else {
312                 sid_copy(&domain_sid, user_sid);
313                 sid_split_rid(&domain_sid, &info3->base.rid);
314         }
315
316         if (is_null_sid(&domain_sid)) {
317                 sid_copy(&domain_sid, get_global_sam_sid());
318         }
319
320         /* check if this is a "Unix Groups" domain group,
321          * if so we need special handling */
322         if (sid_check_is_in_unix_groups(group_sid)) {
323                 /* in info3 you can only set rids for the user and the
324                  * primary group, and the domain sid must be that of
325                  * the sam domain.
326                  *
327                  * Store a completely bogus value here.
328                  * The real SID is stored in the extra sids.
329                  * Other code will know to look there if (-1) is found
330                  */
331                 info3->base.primary_gid = (uint32_t)(-1);
332                 sid_copy(&extra->pgid_sid, group_sid);
333
334                 DEBUG(10, ("Unix Group found in struct samu. Rid marked as "
335                            "special and sid (%s) saved as extra sid\n",
336                            sid_string_dbg(group_sid)));
337
338         } else {
339                 ok = sid_peek_check_rid(&domain_sid, group_sid,
340                                         &info3->base.primary_gid);
341                 if (!ok) {
342                         DEBUG(1, ("The primary group domain sid(%s) does not "
343                                   "match the domain sid(%s) for %s(%s)\n",
344                                   sid_string_dbg(group_sid),
345                                   sid_string_dbg(&domain_sid),
346                                   pdb_get_username(samu),
347                                   sid_string_dbg(user_sid)));
348                         TALLOC_FREE(info3);
349                         return NT_STATUS_UNSUCCESSFUL;
350                 }
351         }
352
353         unix_to_nt_time(&info3->base.logon_time, pdb_get_logon_time(samu));
354         unix_to_nt_time(&info3->base.logoff_time, get_time_t_max());
355         unix_to_nt_time(&info3->base.kickoff_time, get_time_t_max());
356         unix_to_nt_time(&info3->base.last_password_change,
357                         pdb_get_pass_last_set_time(samu));
358         unix_to_nt_time(&info3->base.allow_password_change,
359                         pdb_get_pass_can_change_time(samu));
360         unix_to_nt_time(&info3->base.force_password_change,
361                         pdb_get_pass_must_change_time(samu));
362
363         tmp = pdb_get_username(samu);
364         if (tmp) {
365                 info3->base.account_name.string = talloc_strdup(info3, tmp);
366                 RET_NOMEM(info3->base.account_name.string);
367         }
368         tmp = pdb_get_fullname(samu);
369         if (tmp) {
370                 info3->base.full_name.string = talloc_strdup(info3, tmp);
371                 RET_NOMEM(info3->base.full_name.string);
372         }
373         tmp = pdb_get_logon_script(samu);
374         if (tmp) {
375                 info3->base.logon_script.string = talloc_strdup(info3, tmp);
376                 RET_NOMEM(info3->base.logon_script.string);
377         }
378         tmp = pdb_get_profile_path(samu);
379         if (tmp) {
380                 info3->base.profile_path.string = talloc_strdup(info3, tmp);
381                 RET_NOMEM(info3->base.profile_path.string);
382         }
383         tmp = pdb_get_homedir(samu);
384         if (tmp) {
385                 info3->base.home_directory.string = talloc_strdup(info3, tmp);
386                 RET_NOMEM(info3->base.home_directory.string);
387         }
388         tmp = pdb_get_dir_drive(samu);
389         if (tmp) {
390                 info3->base.home_drive.string = talloc_strdup(info3, tmp);
391                 RET_NOMEM(info3->base.home_drive.string);
392         }
393
394         info3->base.logon_count = pdb_get_logon_count(samu);
395         info3->base.bad_password_count = pdb_get_bad_password_count(samu);
396
397         info3->base.logon_domain.string = talloc_strdup(info3,
398                                                   pdb_get_domain(samu));
399         RET_NOMEM(info3->base.logon_domain.string);
400
401         info3->base.domain_sid = dom_sid_dup(info3, &domain_sid);
402         RET_NOMEM(info3->base.domain_sid);
403
404         status = pdb_enum_group_memberships(mem_ctx, samu,
405                                             &group_sids, &gids,
406                                             &num_group_sids);
407         if (!NT_STATUS_IS_OK(status)) {
408                 DEBUG(1, ("Failed to get groups from sam account.\n"));
409                 TALLOC_FREE(info3);
410                 return status;
411         }
412
413         if (num_group_sids) {
414                 status = group_sids_to_info3(info3, group_sids, num_group_sids);
415                 if (!NT_STATUS_IS_OK(status)) {
416                         TALLOC_FREE(info3);
417                         return status;
418                 }
419         }
420
421         /* We don't need sids and gids after the conversion */
422         TALLOC_FREE(group_sids);
423         TALLOC_FREE(gids);
424         num_group_sids = 0;
425
426         /* FIXME: should we add other flags ? */
427         info3->base.user_flags = NETLOGON_EXTRA_SIDS;
428
429         if (login_server) {
430                 info3->base.logon_server.string = talloc_strdup(info3, login_server);
431                 RET_NOMEM(info3->base.logon_server.string);
432         }
433
434         info3->base.acct_flags = pdb_get_acct_ctrl(samu);
435
436         *_info3 = info3;
437         return NT_STATUS_OK;
438 }
439
440 NTSTATUS passwd_to_SamInfo3(TALLOC_CTX *mem_ctx,
441                             const char *unix_username,
442                             const struct passwd *pwd,
443                             struct netr_SamInfo3 **pinfo3)
444 {
445         struct netr_SamInfo3 *info3;
446         NTSTATUS status;
447         TALLOC_CTX *tmp_ctx;
448         const char *domain_name = NULL;
449         const char *user_name = NULL;
450         struct dom_sid domain_sid;
451         struct dom_sid user_sid;
452         struct dom_sid group_sid;
453         enum lsa_SidType type;
454         uint32_t num_sids = 0;
455         struct dom_sid *user_sids = NULL;
456         bool is_null;
457         bool ok;
458
459         tmp_ctx = talloc_stackframe();
460
461         ok = lookup_name_smbconf(tmp_ctx,
462                                  unix_username,
463                                  LOOKUP_NAME_ALL,
464                                  &domain_name,
465                                  &user_name,
466                                  &user_sid,
467                                  &type);
468         if (!ok) {
469                 status = NT_STATUS_NO_SUCH_USER;
470                 goto done;
471         }
472
473         if (type != SID_NAME_USER) {
474                 status = NT_STATUS_NO_SUCH_USER;
475                 goto done;
476         }
477
478         ok = winbind_lookup_usersids(tmp_ctx,
479                                      &user_sid,
480                                      &num_sids,
481                                      &user_sids);
482         /* Check if winbind is running */
483         if (ok) {
484                 /*
485                  * Winbind is running and the first element of the user_sids
486                  * is the primary group.
487                  */
488                 if (num_sids > 0) {
489                         group_sid = user_sids[0];
490                 }
491         } else {
492                 /*
493                  * Winbind is not running, try to create the group_sid from the
494                  * passwd group id.
495                  */
496
497                 /*
498                  * This can lead to a primary group of S-1-22-2-XX which
499                  * will be rejected by other Samba code.
500                  */
501                 gid_to_sid(&group_sid, pwd->pw_gid);
502
503                 ZERO_STRUCT(domain_sid);
504
505                 /*
506                  * If we are a unix group, set the group_sid to the
507                  * 'Domain Users' RID of 513 which will always resolve to a
508                  * name.
509                  */
510                 if (sid_check_is_in_unix_groups(&group_sid)) {
511                         sid_compose(&group_sid,
512                                     get_global_sam_sid(),
513                                     DOMAIN_RID_USERS);
514                 }
515         }
516
517         /* Make sure we have a valid group sid */
518         is_null = is_null_sid(&group_sid);
519         if (is_null) {
520                 status = NT_STATUS_NO_SUCH_USER;
521                 goto done;
522         }
523
524         /* Construct a netr_SamInfo3 from the information we have */
525         info3 = talloc_zero(tmp_ctx, struct netr_SamInfo3);
526         if (!info3) {
527                 status = NT_STATUS_NO_MEMORY;
528                 goto done;
529         }
530
531         info3->base.account_name.string = talloc_strdup(info3, unix_username);
532         if (info3->base.account_name.string == NULL) {
533                 status = NT_STATUS_NO_MEMORY;
534                 goto done;
535         }
536
537         ZERO_STRUCT(domain_sid);
538
539         sid_copy(&domain_sid, &user_sid);
540         sid_split_rid(&domain_sid, &info3->base.rid);
541         info3->base.domain_sid = dom_sid_dup(info3, &domain_sid);
542
543         ok = sid_peek_check_rid(&domain_sid, &group_sid,
544                                 &info3->base.primary_gid);
545         if (!ok) {
546                 DEBUG(1, ("The primary group domain sid(%s) does not "
547                           "match the domain sid(%s) for %s(%s)\n",
548                           sid_string_dbg(&group_sid),
549                           sid_string_dbg(&domain_sid),
550                           unix_username,
551                           sid_string_dbg(&user_sid)));
552                 status = NT_STATUS_INVALID_SID;
553                 goto done;
554         }
555
556         info3->base.acct_flags = ACB_NORMAL;
557
558         if (num_sids) {
559                 status = group_sids_to_info3(info3, user_sids, num_sids);
560                 if (!NT_STATUS_IS_OK(status)) {
561                         goto done;
562                 }
563         }
564
565         *pinfo3 = talloc_steal(mem_ctx, info3);
566
567         status = NT_STATUS_OK;
568 done:
569         talloc_free(tmp_ctx);
570
571         return status;
572 }
573
574 #undef RET_NOMEM
575
576 #define RET_NOMEM(ptr) do { \
577         if (!ptr) { \
578                 TALLOC_FREE(info3); \
579                 return NULL; \
580         } } while(0)
581
582 struct netr_SamInfo3 *copy_netr_SamInfo3(TALLOC_CTX *mem_ctx,
583                                          struct netr_SamInfo3 *orig)
584 {
585         struct netr_SamInfo3 *info3;
586         unsigned int i;
587         NTSTATUS status;
588
589         info3 = talloc_zero(mem_ctx, struct netr_SamInfo3);
590         if (!info3) return NULL;
591
592         status = copy_netr_SamBaseInfo(info3, &orig->base, &info3->base);
593         if (!NT_STATUS_IS_OK(status)) {
594                 TALLOC_FREE(info3);
595                 return NULL;
596         }
597
598         if (orig->sidcount) {
599                 info3->sidcount = orig->sidcount;
600                 info3->sids = talloc_array(info3, struct netr_SidAttr,
601                                            orig->sidcount);
602                 RET_NOMEM(info3->sids);
603                 for (i = 0; i < orig->sidcount; i++) {
604                         info3->sids[i].sid = dom_sid_dup(info3->sids,
605                                                             orig->sids[i].sid);
606                         RET_NOMEM(info3->sids[i].sid);
607                         info3->sids[i].attributes =
608                                 orig->sids[i].attributes;
609                 }
610         }
611
612         return info3;
613 }
614
615 static NTSTATUS wbcsids_to_samr_RidWithAttributeArray(
616                                 TALLOC_CTX *mem_ctx,
617                                 struct samr_RidWithAttributeArray *groups,
618                                 const struct dom_sid *domain_sid,
619                                 const struct wbcSidWithAttr *sids,
620                                 size_t num_sids)
621 {
622         unsigned int i, j = 0;
623         bool ok;
624
625         groups->rids = talloc_array(mem_ctx,
626                                     struct samr_RidWithAttribute, num_sids);
627         if (!groups->rids) {
628                 return NT_STATUS_NO_MEMORY;
629         }
630
631         /* a wbcDomainSid is the same as a dom_sid */
632         for (i = 0; i < num_sids; i++) {
633                 ok = sid_peek_check_rid(domain_sid,
634                                         (const struct dom_sid *)&sids[i].sid,
635                                         &groups->rids[j].rid);
636                 if (!ok) continue;
637
638                 groups->rids[j].attributes = SE_GROUP_MANDATORY |
639                                              SE_GROUP_ENABLED_BY_DEFAULT |
640                                              SE_GROUP_ENABLED;
641                 j++;
642         }
643
644         groups->count = j;
645         return NT_STATUS_OK;
646 }
647
648 static NTSTATUS wbcsids_to_netr_SidAttrArray(
649                                 const struct dom_sid *domain_sid,
650                                 const struct wbcSidWithAttr *sids,
651                                 size_t num_sids,
652                                 TALLOC_CTX *mem_ctx,
653                                 struct netr_SidAttr **_info3_sids,
654                                 uint32_t *info3_num_sids)
655 {
656         unsigned int i, j = 0;
657         struct netr_SidAttr *info3_sids;
658
659         info3_sids = talloc_array(mem_ctx, struct netr_SidAttr, num_sids);
660         if (info3_sids == NULL) {
661                 return NT_STATUS_NO_MEMORY;
662         }
663
664         /* a wbcDomainSid is the same as a dom_sid */
665         for (i = 0; i < num_sids; i++) {
666                 const struct dom_sid *sid;
667
668                 sid = (const struct dom_sid *)&sids[i].sid;
669
670                 if (dom_sid_in_domain(domain_sid, sid)) {
671                         continue;
672                 }
673
674                 info3_sids[j].sid = dom_sid_dup(info3_sids, sid);
675                 if (info3_sids[j].sid == NULL) {
676                         talloc_free(info3_sids);
677                         return NT_STATUS_NO_MEMORY;
678                 }
679                 info3_sids[j].attributes = SE_GROUP_MANDATORY |
680                                            SE_GROUP_ENABLED_BY_DEFAULT |
681                                            SE_GROUP_ENABLED;
682                 j++;
683         }
684
685         *info3_num_sids = j;
686         *_info3_sids = info3_sids;
687         return NT_STATUS_OK;
688 }
689
690 struct netr_SamInfo3 *wbcAuthUserInfo_to_netr_SamInfo3(TALLOC_CTX *mem_ctx,
691                                         const struct wbcAuthUserInfo *info)
692 {
693         struct netr_SamInfo3 *info3;
694         struct dom_sid user_sid;
695         struct dom_sid group_sid;
696         struct dom_sid domain_sid;
697         NTSTATUS status;
698         bool ok;
699
700         memcpy(&user_sid, &info->sids[0].sid, sizeof(user_sid));
701         memcpy(&group_sid, &info->sids[1].sid, sizeof(group_sid));
702
703         info3 = talloc_zero(mem_ctx, struct netr_SamInfo3);
704         if (!info3) return NULL;
705
706         unix_to_nt_time(&info3->base.logon_time, info->logon_time);
707         unix_to_nt_time(&info3->base.logoff_time, info->logoff_time);
708         unix_to_nt_time(&info3->base.kickoff_time, info->kickoff_time);
709         unix_to_nt_time(&info3->base.last_password_change, info->pass_last_set_time);
710         unix_to_nt_time(&info3->base.allow_password_change,
711                         info->pass_can_change_time);
712         unix_to_nt_time(&info3->base.force_password_change,
713                         info->pass_must_change_time);
714
715         if (info->account_name) {
716                 info3->base.account_name.string =
717                                 talloc_strdup(info3, info->account_name);
718                 RET_NOMEM(info3->base.account_name.string);
719         }
720         if (info->full_name) {
721                 info3->base.full_name.string =
722                                 talloc_strdup(info3, info->full_name);
723                 RET_NOMEM(info3->base.full_name.string);
724         }
725         if (info->logon_script) {
726                 info3->base.logon_script.string =
727                                 talloc_strdup(info3, info->logon_script);
728                 RET_NOMEM(info3->base.logon_script.string);
729         }
730         if (info->profile_path) {
731                 info3->base.profile_path.string =
732                                 talloc_strdup(info3, info->profile_path);
733                 RET_NOMEM(info3->base.profile_path.string);
734         }
735         if (info->home_directory) {
736                 info3->base.home_directory.string =
737                                 talloc_strdup(info3, info->home_directory);
738                 RET_NOMEM(info3->base.home_directory.string);
739         }
740         if (info->home_drive) {
741                 info3->base.home_drive.string =
742                                 talloc_strdup(info3, info->home_drive);
743                 RET_NOMEM(info3->base.home_drive.string);
744         }
745
746         info3->base.logon_count = info->logon_count;
747         info3->base.bad_password_count = info->bad_password_count;
748
749         sid_copy(&domain_sid, &user_sid);
750         sid_split_rid(&domain_sid, &info3->base.rid);
751
752         ok = sid_peek_check_rid(&domain_sid, &group_sid,
753                                 &info3->base.primary_gid);
754         if (!ok) {
755                 DEBUG(1, ("The primary group sid domain does not"
756                           "match user sid domain for user: %s\n",
757                           info->account_name));
758                 TALLOC_FREE(info3);
759                 return NULL;
760         }
761
762         status = wbcsids_to_samr_RidWithAttributeArray(info3,
763                                                        &info3->base.groups,
764                                                        &domain_sid,
765                                                        &info->sids[1],
766                                                        info->num_sids - 1);
767         if (!NT_STATUS_IS_OK(status)) {
768                 TALLOC_FREE(info3);
769                 return NULL;
770         }
771
772         status = wbcsids_to_netr_SidAttrArray(&domain_sid,
773                                               &info->sids[1],
774                                               info->num_sids - 1,
775                                               info3,
776                                               &info3->sids,
777                                               &info3->sidcount);
778         if (!NT_STATUS_IS_OK(status)) {
779                 TALLOC_FREE(info3);
780                 return NULL;
781         }
782
783         info3->base.user_flags = info->user_flags;
784         memcpy(info3->base.key.key, info->user_session_key, 16);
785
786         if (info->logon_server) {
787                 info3->base.logon_server.string =
788                                 talloc_strdup(info3, info->logon_server);
789                 RET_NOMEM(info3->base.logon_server.string);
790         }
791         if (info->domain_name) {
792                 info3->base.logon_domain.string =
793                                 talloc_strdup(info3, info->domain_name);
794                 RET_NOMEM(info3->base.logon_domain.string);
795         }
796
797         info3->base.domain_sid = dom_sid_dup(info3, &domain_sid);
798         RET_NOMEM(info3->base.domain_sid);
799
800         memcpy(info3->base.LMSessKey.key, info->lm_session_key, 8);
801         info3->base.acct_flags = info->acct_flags;
802
803         return info3;
804 }