2 Unix SMB/CIFS implementation.
4 Winbind ADS backend functions
6 Copyright (C) Andrew Tridgell 2001
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program; if not, write to the Free Software
20 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
27 /* the realm of our primary LDAP server */
28 static char *primary_realm;
32 a wrapper around ldap_search_s that retries depending on the error code
33 this is supposed to catch dropped connections and auto-reconnect
35 ADS_STATUS ads_do_search_retry(ADS_STRUCT *ads, const char *bind_path, int scope,
37 const char **attrs, void **res)
44 time(NULL) - ads->last_attempt < ADS_RECONNECT_TIME) {
45 return ADS_ERROR(LDAP_SERVER_DOWN);
48 bp = strdup(bind_path);
51 status = ads_do_search_all(ads, bp, scope, exp, attrs, res);
52 if (ADS_ERR_OK(status)) {
53 DEBUG(5,("Search for %s gave %d replies\n",
54 exp, ads_count_replies(ads, *res)));
59 if (*res) ads_msgfree(ads, *res);
61 DEBUG(1,("Reopening ads connection to %s after error %s\n",
62 ads->ldap_server, ads_errstr(status)));
67 status = ads_connect(ads);
68 if (!ADS_ERR_OK(status)) {
69 DEBUG(1,("ads_search_retry: failed to reconnect (%s)\n",
78 DEBUG(1,("ads reopen failed after error %s\n", ads_errstr(status)));
83 ADS_STATUS ads_search_retry(ADS_STRUCT *ads, void **res,
87 return ads_do_search_retry(ads, ads->bind_path, LDAP_SCOPE_SUBTREE,
91 ADS_STATUS ads_search_retry_dn(ADS_STRUCT *ads, void **res,
95 return ads_do_search_retry(ads, dn, LDAP_SCOPE_BASE,
96 "(objectclass=*)", attrs, res);
100 return our ads connections structure for a domain. We keep the connection
101 open to make things faster
103 static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain)
108 struct in_addr server_ip;
111 if (domain->private) {
112 return (ADS_STRUCT *)domain->private;
115 /* we don't want this to affect the users ccache */
116 ccache = lock_path("winbindd_ccache");
117 SETENV("KRB5CCNAME", ccache, 1);
120 if (resolve_name(domain->name, &server_ip, 0x1b)) {
121 sname = inet_ntoa(server_ip);
123 if (strcasecmp(domain->name, lp_workgroup()) != 0) {
124 DEBUG(1,("can't find domain controller for %s\n", domain->name));
130 ads = ads_init(primary_realm, sname, NULL, NULL);
132 DEBUG(1,("ads_init for domain %s failed\n", domain->name));
136 /* the machine acct password might have change - fetch it every time */
137 SAFE_FREE(ads->password);
138 ads->password = secrets_fetch_machine_password();
140 status = ads_connect(ads);
141 if (!ADS_ERR_OK(status)) {
142 extern struct winbindd_methods msrpc_methods;
143 DEBUG(1,("ads_connect for domain %s failed: %s\n",
144 domain->name, ads_errstr(status)));
147 /* if we get ECONNREFUSED then it might be a NT4
148 server, fall back to MSRPC */
149 if (status.error_type == ADS_ERROR_SYSTEM &&
150 status.rc == ECONNREFUSED) {
151 DEBUG(1,("Trying MSRPC methods\n"));
152 domain->methods = &msrpc_methods;
157 /* remember our primary realm for trusted domain support */
158 if (!primary_realm) {
159 primary_realm = strdup(ads->realm);
162 fstrcpy(domain->full_name, ads->server_realm);
164 domain->private = (void *)ads;
169 static void sid_from_rid(struct winbindd_domain *domain, uint32 rid, DOM_SID *sid)
171 sid_copy(sid, &domain->sid);
172 sid_append_rid(sid, rid);
175 /* turn a sAMAccountType into a SID_NAME_USE */
176 static enum SID_NAME_USE ads_atype_map(uint32 atype)
178 switch (atype & 0xF0000000) {
180 return SID_NAME_DOM_GRP;
182 return SID_NAME_USER;
184 DEBUG(1,("hmm, need to map account type 0x%x\n", atype));
186 return SID_NAME_UNKNOWN;
189 /* Query display info for a realm. This is the basic user list fn */
190 static NTSTATUS query_user_list(struct winbindd_domain *domain,
193 WINBIND_USERINFO **info)
195 ADS_STRUCT *ads = NULL;
196 const char *attrs[] = {"sAMAccountName", "name", "objectSid", "primaryGroupID",
197 "sAMAccountType", NULL};
202 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
206 DEBUG(3,("ads: query_user_list\n"));
208 ads = ads_cached_connection(domain);
211 rc = ads_search_retry(ads, &res, "(objectCategory=user)", attrs);
212 if (!ADS_ERR_OK(rc)) {
213 DEBUG(1,("query_user_list ads_search: %s\n", ads_errstr(rc)));
217 count = ads_count_replies(ads, res);
219 DEBUG(1,("query_user_list: No users found\n"));
223 (*info) = talloc(mem_ctx, count * sizeof(**info));
225 status = NT_STATUS_NO_MEMORY;
231 for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
237 if (!ads_pull_uint32(ads, msg, "sAMAccountType", &atype) ||
238 ads_atype_map(atype) != SID_NAME_USER) {
239 DEBUG(1,("Not a user account? atype=0x%x\n", atype));
243 name = ads_pull_string(ads, mem_ctx, msg, "sAMAccountName");
244 gecos = ads_pull_string(ads, mem_ctx, msg, "name");
245 if (!ads_pull_sid(ads, msg, "objectSid", &sid)) {
246 DEBUG(1,("No sid for %s !?\n", name));
249 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &group)) {
250 DEBUG(1,("No primary group for %s !?\n", name));
254 if (!sid_peek_rid(&sid, &rid)) {
255 DEBUG(1,("No rid for %s !?\n", name));
259 (*info)[i].acct_name = name;
260 (*info)[i].full_name = gecos;
261 (*info)[i].user_rid = rid;
262 (*info)[i].group_rid = group;
267 status = NT_STATUS_OK;
269 DEBUG(3,("ads query_user_list gave %d entries\n", (*num_entries)));
272 if (res) ads_msgfree(ads, res);
277 /* list all domain groups */
278 static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
281 struct acct_info **info)
283 ADS_STRUCT *ads = NULL;
284 const char *attrs[] = {"sAMAccountName", "name", "objectSid",
285 "sAMAccountType", NULL};
290 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
294 DEBUG(3,("ads: enum_dom_groups\n"));
296 ads = ads_cached_connection(domain);
299 rc = ads_search_retry(ads, &res, "(objectCategory=group)", attrs);
300 if (!ADS_ERR_OK(rc)) {
301 DEBUG(1,("query_user_list ads_search: %s\n", ads_errstr(rc)));
305 count = ads_count_replies(ads, res);
307 DEBUG(1,("query_user_list: No users found\n"));
311 (*info) = talloc(mem_ctx, count * sizeof(**info));
313 status = NT_STATUS_NO_MEMORY;
319 for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
325 if (!ads_pull_uint32(ads, msg, "sAMAccountType",
327 !(account_type & ATYPE_GROUP)) continue;
329 name = ads_pull_string(ads, mem_ctx, msg, "sAMAccountName");
330 gecos = ads_pull_string(ads, mem_ctx, msg, "name");
331 if (!ads_pull_sid(ads, msg, "objectSid", &sid)) {
332 DEBUG(1,("No sid for %s !?\n", name));
336 if (!sid_peek_rid(&sid, &rid)) {
337 DEBUG(1,("No rid for %s !?\n", name));
341 fstrcpy((*info)[i].acct_name, name);
342 fstrcpy((*info)[i].acct_desc, gecos);
343 (*info)[i].rid = rid;
349 status = NT_STATUS_OK;
351 DEBUG(3,("ads enum_dom_groups gave %d entries\n", (*num_entries)));
354 if (res) ads_msgfree(ads, res);
360 /* convert a single name to a sid in a domain */
361 static NTSTATUS name_to_sid(struct winbindd_domain *domain,
364 enum SID_NAME_USE *type)
366 ADS_STRUCT *ads = NULL;
367 const char *attrs[] = {"objectSid", "sAMAccountType", NULL};
373 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
375 DEBUG(3,("ads: name_to_sid\n"));
377 ads = ads_cached_connection(domain);
380 asprintf(&exp, "(sAMAccountName=%s)", name);
381 rc = ads_search_retry(ads, &res, exp, attrs);
383 if (!ADS_ERR_OK(rc)) {
384 DEBUG(1,("name_to_sid ads_search: %s\n", ads_errstr(rc)));
388 count = ads_count_replies(ads, res);
390 DEBUG(1,("name_to_sid: %s not found\n", name));
394 if (!ads_pull_sid(ads, res, "objectSid", sid)) {
395 DEBUG(1,("No sid for %s !?\n", name));
399 if (!ads_pull_uint32(ads, res, "sAMAccountType", &t)) {
400 DEBUG(1,("No sAMAccountType for %s !?\n", name));
404 *type = ads_atype_map(t);
406 status = NT_STATUS_OK;
408 DEBUG(3,("ads name_to_sid mapped %s\n", name));
411 if (res) ads_msgfree(ads, res);
416 /* convert a sid to a user or group name */
417 static NTSTATUS sid_to_name(struct winbindd_domain *domain,
421 enum SID_NAME_USE *type)
423 ADS_STRUCT *ads = NULL;
424 const char *attrs[] = {"sAMAccountName", "sAMAccountType", NULL};
430 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
432 DEBUG(3,("ads: sid_to_name\n"));
434 ads = ads_cached_connection(domain);
437 sidstr = sid_binstring(sid);
438 asprintf(&exp, "(objectSid=%s)", sidstr);
439 rc = ads_search_retry(ads, &msg, exp, attrs);
442 if (!ADS_ERR_OK(rc)) {
443 DEBUG(1,("sid_to_name ads_search: %s\n", ads_errstr(rc)));
447 if (!ads_pull_uint32(ads, msg, "sAMAccountType", &atype)) {
451 *name = ads_pull_string(ads, mem_ctx, msg, "sAMAccountName");
452 *type = ads_atype_map(atype);
454 status = NT_STATUS_OK;
456 DEBUG(3,("ads sid_to_name mapped %s\n", *name));
459 if (msg) ads_msgfree(ads, msg);
465 /* convert a sid to a distnguished name */
466 static NTSTATUS sid_to_distinguished_name(struct winbindd_domain *domain,
471 ADS_STRUCT *ads = NULL;
472 const char *attrs[] = {"distinguishedName", NULL};
477 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
479 DEBUG(3,("ads: sid_to_distinguished_name\n"));
481 ads = ads_cached_connection(domain);
484 sidstr = sid_binstring(sid);
485 asprintf(&exp, "(objectSid=%s)", sidstr);
486 rc = ads_search_retry(ads, &msg, exp, attrs);
489 if (!ADS_ERR_OK(rc)) {
490 DEBUG(1,("sid_to_distinguished_name ads_search: %s\n", ads_errstr(rc)));
494 *dn = ads_pull_string(ads, mem_ctx, msg, "distinguishedName");
496 status = NT_STATUS_OK;
498 DEBUG(3,("ads sid_to_distinguished_name mapped %s\n", *dn));
501 if (msg) ads_msgfree(ads, msg);
507 /* Lookup user information from a rid */
508 static NTSTATUS query_user(struct winbindd_domain *domain,
511 WINBIND_USERINFO *info)
513 ADS_STRUCT *ads = NULL;
514 const char *attrs[] = {"sAMAccountName", "name", "objectSid",
515 "primaryGroupID", NULL};
522 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
524 DEBUG(3,("ads: query_user\n"));
526 sid_from_rid(domain, user_rid, &sid);
528 ads = ads_cached_connection(domain);
531 sidstr = sid_binstring(&sid);
532 asprintf(&exp, "(objectSid=%s)", sidstr);
533 rc = ads_search_retry(ads, &msg, exp, attrs);
536 if (!ADS_ERR_OK(rc)) {
537 DEBUG(1,("query_user(rid=%d) ads_search: %s\n", user_rid, ads_errstr(rc)));
541 count = ads_count_replies(ads, msg);
543 DEBUG(1,("query_user(rid=%d): Not found\n", user_rid));
547 info->acct_name = ads_pull_string(ads, mem_ctx, msg, "sAMAccountName");
548 info->full_name = ads_pull_string(ads, mem_ctx, msg, "name");
549 if (!ads_pull_sid(ads, msg, "objectSid", &sid)) {
550 DEBUG(1,("No sid for %d !?\n", user_rid));
553 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &info->group_rid)) {
554 DEBUG(1,("No primary group for %d !?\n", user_rid));
558 if (!sid_peek_rid(&sid, &info->user_rid)) {
559 DEBUG(1,("No rid for %d !?\n", user_rid));
563 status = NT_STATUS_OK;
565 DEBUG(3,("ads query_user gave %s\n", info->acct_name));
567 if (msg) ads_msgfree(ads, msg);
573 /* Lookup groups a user is a member of. */
574 static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
577 uint32 *num_groups, uint32 **user_gids)
579 ADS_STRUCT *ads = NULL;
580 const char *attrs[] = {"distinguishedName", NULL};
581 const char *attrs2[] = {"tokenGroups", "primaryGroupID", NULL};
589 uint32 primary_group;
592 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
596 DEBUG(3,("ads: lookup_usergroups\n"));
600 sid_from_rid(domain, user_rid, &sid);
602 ads = ads_cached_connection(domain);
605 sidstr = sid_binstring(&sid);
606 asprintf(&exp, "(objectSid=%s)", sidstr);
607 rc = ads_search_retry(ads, &msg, exp, attrs);
610 if (!ADS_ERR_OK(rc)) {
611 DEBUG(1,("lookup_usergroups(rid=%d) ads_search: %s\n", user_rid, ads_errstr(rc)));
615 user_dn = ads_pull_string(ads, mem_ctx, msg, "distinguishedName");
617 if (msg) ads_msgfree(ads, msg);
619 rc = ads_search_retry_dn(ads, &msg, user_dn, attrs2);
620 if (!ADS_ERR_OK(rc)) {
621 DEBUG(1,("lookup_usergroups(rid=%d) ads_search tokenGroups: %s\n", user_rid, ads_errstr(rc)));
625 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &primary_group)) {
626 DEBUG(1,("%s: No primary group for rid=%d !?\n", domain->name, user_rid));
630 count = ads_pull_sids(ads, mem_ctx, msg, "tokenGroups", &sids) + 1;
631 (*user_gids) = (uint32 *)talloc(mem_ctx, sizeof(uint32) * count);
632 (*user_gids)[(*num_groups)++] = primary_group;
634 for (i=1;i<count;i++) {
636 if (!sid_peek_rid(&sids[i-1], &rid)) continue;
637 (*user_gids)[*num_groups] = rid;
641 status = NT_STATUS_OK;
642 DEBUG(3,("ads lookup_usergroups for rid=%d\n", user_rid));
644 if (msg) ads_msgfree(ads, msg);
650 static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
652 uint32 group_rid, uint32 *num_names,
653 uint32 **rid_mem, char ***names,
657 const char *attrs[] = {"sAMAccountName", "objectSid", "sAMAccountType", NULL};
660 void *res=NULL, *msg=NULL;
661 ADS_STRUCT *ads = NULL;
662 char *exp, *dn = NULL;
663 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
667 ads = ads_cached_connection(domain);
670 sid_from_rid(domain, group_rid, &group_sid);
671 status = sid_to_distinguished_name(domain, mem_ctx, &group_sid, &dn);
672 if (!NT_STATUS_IS_OK(status)) {
673 DEBUG(3,("Failed to find distinguishedName for %s\n", sid_string_static(&group_sid)));
677 /* search for all users who have that group sid as primary group or as member */
678 asprintf(&exp, "(&(objectCategory=user)(|(primaryGroupID=%d)(memberOf=%s)))",
680 rc = ads_search_retry(ads, &res, exp, attrs);
682 if (!ADS_ERR_OK(rc)) {
683 DEBUG(1,("query_user_list ads_search: %s\n", ads_errstr(rc)));
687 count = ads_count_replies(ads, res);
689 status = NT_STATUS_OK;
693 (*rid_mem) = talloc(mem_ctx, sizeof(uint32) * count);
694 (*name_types) = talloc(mem_ctx, sizeof(uint32) * count);
695 (*names) = talloc(mem_ctx, sizeof(char *) * count);
697 for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
701 (*names)[*num_names] = ads_pull_string(ads, mem_ctx, msg, "sAMAccountName");
702 if (!ads_pull_uint32(ads, msg, "sAMAccountType", &atype)) {
705 (*name_types)[*num_names] = ads_atype_map(atype);
706 if (!ads_pull_sid(ads, msg, "objectSid", &sid)) {
707 DEBUG(1,("No sid for %s !?\n", (*names)[*num_names]));
710 if (!sid_peek_rid(&sid, &rid)) {
711 DEBUG(1,("No rid for %s !?\n", (*names)[*num_names]));
714 (*rid_mem)[*num_names] = rid;
718 status = NT_STATUS_OK;
719 DEBUG(3,("ads lookup_groupmem for rid=%d\n", group_rid));
721 if (res) ads_msgfree(ads, res);
726 /* find the sequence number for a domain */
727 static NTSTATUS sequence_number(struct winbindd_domain *domain, uint32 *seq)
729 ADS_STRUCT *ads = NULL;
732 *seq = DOM_SEQUENCE_NONE;
734 ads = ads_cached_connection(domain);
735 if (!ads) return NT_STATUS_UNSUCCESSFUL;
737 rc = ads_USN(ads, seq);
738 if (!ADS_ERR_OK(rc)) {
739 /* its a dead connection */
741 domain->private = NULL;
743 return ads_ntstatus(rc);
746 /* get a list of trusted domains */
747 static NTSTATUS trusted_domains(struct winbindd_domain *domain,
759 ads = ads_cached_connection(domain);
760 if (!ads) return NT_STATUS_UNSUCCESSFUL;
762 rc = ads_trusted_domains(ads, mem_ctx, num_domains, names, dom_sids);
764 return ads_ntstatus(rc);
767 /* find the domain sid for a domain */
768 static NTSTATUS domain_sid(struct winbindd_domain *domain, DOM_SID *sid)
773 ads = ads_cached_connection(domain);
774 if (!ads) return NT_STATUS_UNSUCCESSFUL;
776 rc = ads_domain_sid(ads, sid);
778 if (!ADS_ERR_OK(rc)) {
779 /* its a dead connection */
781 domain->private = NULL;
784 return ads_ntstatus(rc);
787 /* the ADS backend methods are exposed via this structure */
788 struct winbindd_methods ads_methods = {
git.samba.org / nivanova / samba-autobuild / .git / blob