eb400f0ebf3ec76f2ed251b0bff80e5fed35b0d6
[nivanova/samba-autobuild/.git] / source3 / winbindd / winbindd_msrpc.c
1 /* 
2    Unix SMB/CIFS implementation.
3
4    Winbind rpc backend functions
5
6    Copyright (C) Tim Potter 2000-2001,2003
7    Copyright (C) Andrew Tridgell 2001
8    Copyright (C) Volker Lendecke 2005
9    Copyright (C) Guenther Deschner 2008 (pidl conversion)
10
11    This program is free software; you can redistribute it and/or modify
12    it under the terms of the GNU General Public License as published by
13    the Free Software Foundation; either version 3 of the License, or
14    (at your option) any later version.
15
16    This program is distributed in the hope that it will be useful,
17    but WITHOUT ANY WARRANTY; without even the implied warranty of
18    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
19    GNU General Public License for more details.
20
21    You should have received a copy of the GNU General Public License
22    along with this program.  If not, see <http://www.gnu.org/licenses/>.
23 */
24
25 #include "includes.h"
26 #include "winbindd.h"
27 #include "winbindd_rpc.h"
28
29 #include "../librpc/gen_ndr/ndr_samr_c.h"
30 #include "rpc_client/cli_pipe.h"
31 #include "rpc_client/cli_samr.h"
32 #include "rpc_client/cli_lsarpc.h"
33 #include "../libcli/security/security.h"
34 #include "libsmb/samlogon_cache.h"
35
36 #undef DBGC_CLASS
37 #define DBGC_CLASS DBGC_WINBIND
38
39 static NTSTATUS winbindd_lookup_names(TALLOC_CTX *mem_ctx,
40                                       struct winbindd_domain *domain,
41                                       uint32_t num_names,
42                                       const char **names,
43                                       const char ***domains,
44                                       struct dom_sid **sids,
45                                       enum lsa_SidType **types);
46
47 /* Query display info for a domain.  This returns enough information plus a
48    bit extra to give an overview of domain users for the User Manager
49    application. */
50 static NTSTATUS msrpc_query_user_list(struct winbindd_domain *domain,
51                                       TALLOC_CTX *mem_ctx,
52                                       uint32_t **prids)
53 {
54         struct rpc_pipe_client *samr_pipe = NULL;
55         struct policy_handle dom_pol;
56         uint32_t *rids = NULL;
57         TALLOC_CTX *tmp_ctx;
58         NTSTATUS status;
59
60         DEBUG(3, ("msrpc_query_user_list\n"));
61
62         tmp_ctx = talloc_stackframe();
63         if (tmp_ctx == NULL) {
64                 return NT_STATUS_NO_MEMORY;
65         }
66
67         if ( !winbindd_can_contact_domain( domain ) ) {
68                 DEBUG(10,("query_user_list: No incoming trust for domain %s\n",
69                           domain->name));
70                 status = NT_STATUS_OK;
71                 goto done;
72         }
73
74         status = cm_connect_sam(domain, tmp_ctx, false, &samr_pipe, &dom_pol);
75         if (!NT_STATUS_IS_OK(status)) {
76                 goto done;
77         }
78
79         status = rpc_query_user_list(tmp_ctx,
80                                      samr_pipe,
81                                      &dom_pol,
82                                      &domain->sid,
83                                      &rids);
84         if (!NT_STATUS_IS_OK(status)) {
85                 goto done;
86         }
87
88         if (prids) {
89                 *prids = talloc_move(mem_ctx, &rids);
90         }
91
92 done:
93         TALLOC_FREE(rids);
94         TALLOC_FREE(tmp_ctx);
95         return status;
96 }
97
98 /* list all domain groups */
99 static NTSTATUS msrpc_enum_dom_groups(struct winbindd_domain *domain,
100                                       TALLOC_CTX *mem_ctx,
101                                       uint32_t *pnum_info,
102                                       struct wb_acct_info **pinfo)
103 {
104         struct rpc_pipe_client *samr_pipe;
105         struct policy_handle dom_pol;
106         struct wb_acct_info *info = NULL;
107         uint32_t num_info = 0;
108         TALLOC_CTX *tmp_ctx;
109         NTSTATUS status;
110
111         DEBUG(3,("msrpc_enum_dom_groups\n"));
112
113         if (pnum_info) {
114                 *pnum_info = 0;
115         }
116
117         tmp_ctx = talloc_stackframe();
118         if (tmp_ctx == NULL) {
119                 return NT_STATUS_NO_MEMORY;
120         }
121
122         if ( !winbindd_can_contact_domain( domain ) ) {
123                 DEBUG(10,("enum_domain_groups: No incoming trust for domain %s\n",
124                           domain->name));
125                 status = NT_STATUS_OK;
126                 goto done;
127         }
128
129         status = cm_connect_sam(domain, tmp_ctx, false, &samr_pipe, &dom_pol);
130         if (!NT_STATUS_IS_OK(status)) {
131                 goto done;
132         }
133
134         status = rpc_enum_dom_groups(tmp_ctx,
135                                      samr_pipe,
136                                      &dom_pol,
137                                      &num_info,
138                                      &info);
139         if (!NT_STATUS_IS_OK(status)) {
140                 goto done;
141         }
142
143         if (pnum_info) {
144                 *pnum_info = num_info;
145         }
146
147         if (pinfo) {
148                 *pinfo = talloc_move(mem_ctx, &info);
149         }
150
151 done:
152         TALLOC_FREE(tmp_ctx);
153         return status;
154 }
155
156 /* List all domain groups */
157
158 static NTSTATUS msrpc_enum_local_groups(struct winbindd_domain *domain,
159                                         TALLOC_CTX *mem_ctx,
160                                         uint32_t *pnum_info,
161                                         struct wb_acct_info **pinfo)
162 {
163         struct rpc_pipe_client *samr_pipe;
164         struct policy_handle dom_pol;
165         struct wb_acct_info *info = NULL;
166         uint32_t num_info = 0;
167         TALLOC_CTX *tmp_ctx;
168         NTSTATUS status;
169
170         DEBUG(3,("msrpc_enum_local_groups\n"));
171
172         if (pnum_info) {
173                 *pnum_info = 0;
174         }
175
176         tmp_ctx = talloc_stackframe();
177         if (tmp_ctx == NULL) {
178                 return NT_STATUS_NO_MEMORY;
179         }
180
181         if ( !winbindd_can_contact_domain( domain ) ) {
182                 DEBUG(10,("enum_local_groups: No incoming trust for domain %s\n",
183                           domain->name));
184                 status = NT_STATUS_OK;
185                 goto done;
186         }
187
188         status = cm_connect_sam(domain, tmp_ctx, false, &samr_pipe, &dom_pol);
189         if (!NT_STATUS_IS_OK(status)) {
190                 goto done;
191         }
192
193         status = rpc_enum_local_groups(mem_ctx,
194                                        samr_pipe,
195                                        &dom_pol,
196                                        &num_info,
197                                        &info);
198         if (!NT_STATUS_IS_OK(status)) {
199                 goto done;
200         }
201
202         if (pnum_info) {
203                 *pnum_info = num_info;
204         }
205
206         if (pinfo) {
207                 *pinfo = talloc_move(mem_ctx, &info);
208         }
209
210 done:
211         TALLOC_FREE(tmp_ctx);
212         return status;
213 }
214
215 /* convert a single name to a sid in a domain */
216 static NTSTATUS msrpc_name_to_sid(struct winbindd_domain *domain,
217                                   TALLOC_CTX *mem_ctx,
218                                   const char *domain_name,
219                                   const char *name,
220                                   uint32_t flags,
221                                   struct dom_sid *sid,
222                                   enum lsa_SidType *type)
223 {
224         NTSTATUS result;
225         struct dom_sid *sids = NULL;
226         enum lsa_SidType *types = NULL;
227         char *full_name = NULL;
228         const char *names[1];
229         NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL;
230         char *mapped_name = NULL;
231
232         if (name == NULL || *name=='\0') {
233                 full_name = talloc_asprintf(mem_ctx, "%s", domain_name);
234         } else if (domain_name == NULL || *domain_name == '\0') {
235                 full_name = talloc_asprintf(mem_ctx, "%s", name);
236         } else {
237                 full_name = talloc_asprintf(mem_ctx, "%s\\%s", domain_name, name);
238         }
239         if (!full_name) {
240                 DEBUG(0, ("talloc_asprintf failed!\n"));
241                 return NT_STATUS_NO_MEMORY;
242         }
243
244         DEBUG(3, ("msrpc_name_to_sid: name=%s\n", full_name));
245
246         name_map_status = normalize_name_unmap(mem_ctx, full_name,
247                                                &mapped_name);
248
249         /* Reset the full_name pointer if we mapped anything */
250
251         if (NT_STATUS_IS_OK(name_map_status) ||
252             NT_STATUS_EQUAL(name_map_status, NT_STATUS_FILE_RENAMED))
253         {
254                 full_name = mapped_name;
255         }
256
257         DEBUG(3,("name_to_sid [rpc] %s for domain %s\n",
258                  full_name?full_name:"", domain_name ));
259
260         names[0] = full_name;
261
262         result = winbindd_lookup_names(mem_ctx, domain, 1,
263                                        names, NULL,
264                                        &sids, &types);
265         if (!NT_STATUS_IS_OK(result))
266                 return result;
267
268         /* Return rid and type if lookup successful */
269
270         sid_copy(sid, &sids[0]);
271         *type = types[0];
272
273         return NT_STATUS_OK;
274 }
275
276 /*
277   convert a domain SID to a user or group name
278 */
279 static NTSTATUS msrpc_sid_to_name(struct winbindd_domain *domain,
280                                   TALLOC_CTX *mem_ctx,
281                                   const struct dom_sid *sid,
282                                   char **domain_name,
283                                   char **name,
284                                   enum lsa_SidType *type)
285 {
286         char **domains;
287         char **names;
288         enum lsa_SidType *types = NULL;
289         NTSTATUS result;
290         NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL;
291         char *mapped_name = NULL;
292
293         DEBUG(3, ("msrpc_sid_to_name: %s for domain %s\n", sid_string_dbg(sid),
294                  domain->name ));
295
296         result = winbindd_lookup_sids(mem_ctx,
297                                       domain,
298                                       1,
299                                       sid,
300                                       &domains,
301                                       &names,
302                                       &types);
303         if (!NT_STATUS_IS_OK(result)) {
304                 DEBUG(2,("msrpc_sid_to_name: failed to lookup sids: %s\n",
305                         nt_errstr(result)));
306                 return result;
307         }
308
309
310         *type = (enum lsa_SidType)types[0];
311         *domain_name = domains[0];
312         *name = names[0];
313
314         DEBUG(5,("Mapped sid to [%s]\\[%s]\n", domains[0], *name));
315
316         name_map_status = normalize_name_map(mem_ctx, domain->name, *name,
317                                              &mapped_name);
318         if (NT_STATUS_IS_OK(name_map_status) ||
319             NT_STATUS_EQUAL(name_map_status, NT_STATUS_FILE_RENAMED))
320         {
321                 *name = mapped_name;
322                 DEBUG(5,("returning mapped name -- %s\n", *name));
323         }
324
325         return NT_STATUS_OK;
326 }
327
328 static NTSTATUS msrpc_rids_to_names(struct winbindd_domain *domain,
329                                     TALLOC_CTX *mem_ctx,
330                                     const struct dom_sid *sid,
331                                     uint32_t *rids,
332                                     size_t num_rids,
333                                     char **domain_name,
334                                     char ***names,
335                                     enum lsa_SidType **types)
336 {
337         char **domains;
338         NTSTATUS result;
339         struct dom_sid *sids;
340         size_t i;
341         char **ret_names;
342
343         DEBUG(3, ("msrpc_rids_to_names: domain %s\n", domain->name ));
344
345         if (num_rids) {
346                 sids = talloc_array(mem_ctx, struct dom_sid, num_rids);
347                 if (sids == NULL) {
348                         return NT_STATUS_NO_MEMORY;
349                 }
350         } else {
351                 sids = NULL;
352         }
353
354         for (i=0; i<num_rids; i++) {
355                 if (!sid_compose(&sids[i], sid, rids[i])) {
356                         return NT_STATUS_INTERNAL_ERROR;
357                 }
358         }
359
360         result = winbindd_lookup_sids(mem_ctx,
361                                       domain,
362                                       num_rids,
363                                       sids,
364                                       &domains,
365                                       names,
366                                       types);
367
368         if (!NT_STATUS_IS_OK(result) &&
369             !NT_STATUS_EQUAL(result, STATUS_SOME_UNMAPPED)) {
370                 return result;
371         }
372
373         ret_names = *names;
374         for (i=0; i<num_rids; i++) {
375                 NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL;
376                 char *mapped_name = NULL;
377
378                 if ((*types)[i] != SID_NAME_UNKNOWN) {
379                         name_map_status = normalize_name_map(mem_ctx,
380                                                              domain->name,
381                                                              ret_names[i],
382                                                              &mapped_name);
383                         if (NT_STATUS_IS_OK(name_map_status) ||
384                             NT_STATUS_EQUAL(name_map_status, NT_STATUS_FILE_RENAMED))
385                         {
386                                 ret_names[i] = mapped_name;
387                         }
388
389                         *domain_name = domains[i];
390                 }
391         }
392
393         return result;
394 }
395
396 /* Lookup groups a user is a member of.  I wish Unix had a call like this! */
397 static NTSTATUS msrpc_lookup_usergroups(struct winbindd_domain *domain,
398                                         TALLOC_CTX *mem_ctx,
399                                         const struct dom_sid *user_sid,
400                                         uint32_t *pnum_groups,
401                                         struct dom_sid **puser_grpsids)
402 {
403         struct rpc_pipe_client *samr_pipe;
404         struct policy_handle dom_pol;
405         struct dom_sid *user_grpsids = NULL;
406         uint32_t num_groups = 0;
407         TALLOC_CTX *tmp_ctx;
408         NTSTATUS status;
409
410         DEBUG(3,("msrpc_lookup_usergroups sid=%s\n", sid_string_dbg(user_sid)));
411
412         *pnum_groups = 0;
413
414         tmp_ctx = talloc_stackframe();
415         if (tmp_ctx == NULL) {
416                 return NT_STATUS_NO_MEMORY;
417         }
418
419         /* Check if we have a cached user_info_3 */
420         status = lookup_usergroups_cached(tmp_ctx,
421                                           user_sid,
422                                           &num_groups,
423                                           &user_grpsids);
424         if (NT_STATUS_IS_OK(status)) {
425                 goto cached;
426         }
427
428         if ( !winbindd_can_contact_domain( domain ) ) {
429                 DEBUG(10,("lookup_usergroups: No incoming trust for domain %s\n",
430                           domain->name));
431
432                 /* Tell the cache manager not to remember this one */
433                 status = NT_STATUS_SYNCHRONIZATION_REQUIRED;
434                 goto done;
435         }
436
437         /* no cache; hit the wire */
438         status = cm_connect_sam(domain, tmp_ctx, false, &samr_pipe, &dom_pol);
439         if (!NT_STATUS_IS_OK(status)) {
440                 goto done;
441         }
442
443         status = rpc_lookup_usergroups(tmp_ctx,
444                                        samr_pipe,
445                                        &dom_pol,
446                                        &domain->sid,
447                                        user_sid,
448                                        &num_groups,
449                                        &user_grpsids);
450         if (!NT_STATUS_IS_OK(status)) {
451                 goto done;
452         }
453
454 cached:
455         *pnum_groups = num_groups;
456
457         if (puser_grpsids) {
458                 *puser_grpsids = talloc_move(mem_ctx, &user_grpsids);
459         }
460
461 done:
462         TALLOC_FREE(tmp_ctx);
463         return status;
464         return NT_STATUS_OK;
465 }
466
467 #define MAX_SAM_ENTRIES_W2K 0x400 /* 1024 */
468
469 static NTSTATUS msrpc_lookup_useraliases(struct winbindd_domain *domain,
470                                          TALLOC_CTX *mem_ctx,
471                                          uint32_t num_sids, const struct dom_sid *sids,
472                                          uint32_t *pnum_aliases,
473                                          uint32_t **palias_rids)
474 {
475         struct rpc_pipe_client *samr_pipe;
476         struct policy_handle dom_pol;
477         uint32_t num_aliases = 0;
478         uint32_t *alias_rids = NULL;
479         TALLOC_CTX *tmp_ctx;
480         NTSTATUS status;
481
482         DEBUG(3,("msrpc_lookup_useraliases\n"));
483
484         if (pnum_aliases) {
485                 *pnum_aliases = 0;
486         }
487
488         tmp_ctx = talloc_stackframe();
489         if (tmp_ctx == NULL) {
490                 return NT_STATUS_NO_MEMORY;
491         }
492
493         if (!winbindd_can_contact_domain(domain)) {
494                 DEBUG(10,("msrpc_lookup_useraliases: No incoming trust for domain %s\n",
495                           domain->name));
496                 /* Tell the cache manager not to remember this one */
497                 status = NT_STATUS_SYNCHRONIZATION_REQUIRED;
498                 goto done;
499         }
500
501         status = cm_connect_sam(domain, tmp_ctx, false, &samr_pipe, &dom_pol);
502         if (!NT_STATUS_IS_OK(status)) {
503                 goto done;
504         }
505
506         status = rpc_lookup_useraliases(tmp_ctx,
507                                         samr_pipe,
508                                         &dom_pol,
509                                         num_sids,
510                                         sids,
511                                         &num_aliases,
512                                         &alias_rids);
513         if (!NT_STATUS_IS_OK(status)) {
514                 goto done;
515         }
516
517         if (pnum_aliases) {
518                 *pnum_aliases = num_aliases;
519         }
520
521         if (palias_rids) {
522                 *palias_rids = talloc_move(mem_ctx, &alias_rids);
523         }
524
525 done:
526         TALLOC_FREE(tmp_ctx);
527         return status;
528 }
529
530
531 /* Lookup group membership given a rid.   */
532 static NTSTATUS msrpc_lookup_groupmem(struct winbindd_domain *domain,
533                                       TALLOC_CTX *mem_ctx,
534                                       const struct dom_sid *group_sid,
535                                       enum lsa_SidType type,
536                                       uint32_t *num_names,
537                                       struct dom_sid **sid_mem,
538                                       char ***names,
539                                       uint32_t **name_types)
540 {
541         NTSTATUS status, result;
542         uint32_t i, total_names = 0;
543         struct policy_handle dom_pol, group_pol;
544         uint32_t des_access = SEC_FLAG_MAXIMUM_ALLOWED;
545         uint32_t *rid_mem = NULL;
546         uint32_t group_rid;
547         unsigned int j, r;
548         struct rpc_pipe_client *cli;
549         unsigned int orig_timeout;
550         struct samr_RidAttrArray *rids = NULL;
551         struct dcerpc_binding_handle *b;
552
553         DEBUG(3,("msrpc_lookup_groupmem: %s sid=%s\n", domain->name,
554                   sid_string_dbg(group_sid)));
555
556         if ( !winbindd_can_contact_domain( domain ) ) {
557                 DEBUG(10,("lookup_groupmem: No incoming trust for domain %s\n",
558                           domain->name));
559                 return NT_STATUS_OK;
560         }
561
562         if (!sid_peek_check_rid(&domain->sid, group_sid, &group_rid))
563                 return NT_STATUS_UNSUCCESSFUL;
564
565         *num_names = 0;
566
567         result = cm_connect_sam(domain, mem_ctx, false, &cli, &dom_pol);
568         if (!NT_STATUS_IS_OK(result))
569                 return result;
570
571         b = cli->binding_handle;
572
573         status = dcerpc_samr_OpenGroup(b, mem_ctx,
574                                        &dom_pol,
575                                        des_access,
576                                        group_rid,
577                                        &group_pol,
578                                        &result);
579         if (any_nt_status_not_ok(status, result, &status)) {
580                 return status;
581         }
582
583         /* Step #1: Get a list of user rids that are the members of the
584            group. */
585
586         /* This call can take a long time - allow the server to time out.
587            35 seconds should do it. */
588
589         orig_timeout = rpccli_set_timeout(cli, 35000);
590
591         status = dcerpc_samr_QueryGroupMember(b, mem_ctx,
592                                               &group_pol,
593                                               &rids,
594                                               &result);
595
596         /* And restore our original timeout. */
597         rpccli_set_timeout(cli, orig_timeout);
598
599         {
600                 NTSTATUS _result;
601                 dcerpc_samr_Close(b, mem_ctx, &group_pol, &_result);
602         }
603
604         if (any_nt_status_not_ok(status, result, &status)) {
605                 return status;
606         }
607
608         if (!rids || !rids->count) {
609                 names = NULL;
610                 name_types = NULL;
611                 sid_mem = NULL;
612                 return NT_STATUS_OK;
613         }
614
615         *num_names = rids->count;
616         rid_mem = rids->rids;
617
618         /* Step #2: Convert list of rids into list of usernames.  Do this
619            in bunches of ~1000 to avoid crashing NT4.  It looks like there
620            is a buffer overflow or something like that lurking around
621            somewhere. */
622
623 #define MAX_LOOKUP_RIDS 900
624
625         *names = talloc_zero_array(mem_ctx, char *, *num_names);
626         *name_types = talloc_zero_array(mem_ctx, uint32_t, *num_names);
627         *sid_mem = talloc_zero_array(mem_ctx, struct dom_sid, *num_names);
628
629         for (j=0;j<(*num_names);j++)
630                 sid_compose(&(*sid_mem)[j], &domain->sid, rid_mem[j]);
631
632         if (*num_names>0 && (!*names || !*name_types))
633                 return NT_STATUS_NO_MEMORY;
634
635         for (i = 0; i < *num_names; i += MAX_LOOKUP_RIDS) {
636                 int num_lookup_rids = MIN(*num_names - i, MAX_LOOKUP_RIDS);
637                 struct lsa_Strings tmp_names;
638                 struct samr_Ids tmp_types;
639
640                 /* Lookup a chunk of rids */
641
642                 status = dcerpc_samr_LookupRids(b, mem_ctx,
643                                                 &dom_pol,
644                                                 num_lookup_rids,
645                                                 &rid_mem[i],
646                                                 &tmp_names,
647                                                 &tmp_types,
648                                                 &result);
649                 if (!NT_STATUS_IS_OK(status)) {
650                         return status;
651                 }
652
653                 /* see if we have a real error (and yes the
654                    STATUS_SOME_UNMAPPED is the one returned from 2k) */
655
656                 if (!NT_STATUS_IS_OK(result) &&
657                     !NT_STATUS_EQUAL(result, STATUS_SOME_UNMAPPED))
658                         return result;
659
660                 /* Copy result into array.  The talloc system will take
661                    care of freeing the temporary arrays later on. */
662
663                 if (tmp_names.count != num_lookup_rids) {
664                         return NT_STATUS_INVALID_NETWORK_RESPONSE;
665                 }
666                 if (tmp_types.count != num_lookup_rids) {
667                         return NT_STATUS_INVALID_NETWORK_RESPONSE;
668                 }
669
670                 for (r=0; r<tmp_names.count; r++) {
671                         if (tmp_types.ids[r] == SID_NAME_UNKNOWN) {
672                                 continue;
673                         }
674                         if (total_names >= *num_names) {
675                                 break;
676                         }
677                         (*names)[total_names] = fill_domain_username_talloc(
678                                 mem_ctx, domain->name,
679                                 tmp_names.names[r].string, true);
680                         (*name_types)[total_names] = tmp_types.ids[r];
681                         total_names += 1;
682                 }
683         }
684
685         *num_names = total_names;
686
687         return NT_STATUS_OK;
688 }
689
690 #ifdef HAVE_LDAP
691
692 #include "ads.h"
693
694 static int get_ldap_seq(const char *server, struct sockaddr_storage *ss, int port, uint32_t *seq)
695 {
696         int ret = -1;
697         struct timeval to;
698         const char *attrs[] = {"highestCommittedUSN", NULL};
699         LDAPMessage *res = NULL;
700         char **values = NULL;
701         LDAP *ldp = NULL;
702
703         *seq = DOM_SEQUENCE_NONE;
704
705         /*
706          * Parameterised (5) second timeout on open. This is needed as the
707          * search timeout doesn't seem to apply to doing an open as well. JRA.
708          */
709
710         ldp = ldap_open_with_timeout(server, ss, port, lp_ldap_timeout());
711         if (ldp == NULL)
712                 return -1;
713
714         /* Timeout if no response within 20 seconds. */
715         to.tv_sec = 10;
716         to.tv_usec = 0;
717
718         if (ldap_search_st(ldp, "", LDAP_SCOPE_BASE, "(objectclass=*)",
719                            discard_const_p(char *, attrs), 0, &to, &res))
720                 goto done;
721
722         if (ldap_count_entries(ldp, res) != 1)
723                 goto done;
724
725         values = ldap_get_values(ldp, res, "highestCommittedUSN");
726         if (!values || !values[0])
727                 goto done;
728
729         *seq = atoi(values[0]);
730         ret = 0;
731
732   done:
733
734         if (values)
735                 ldap_value_free(values);
736         if (res)
737                 ldap_msgfree(res);
738         if (ldp)
739                 ldap_unbind(ldp);
740         return ret;
741 }
742
743 /**********************************************************************
744  Get the sequence number for a Windows AD native mode domain using
745  LDAP queries.
746 **********************************************************************/
747
748 static int get_ldap_sequence_number(struct winbindd_domain *domain, uint32_t *seq)
749 {
750         int ret = -1;
751         char addr[INET6_ADDRSTRLEN];
752
753         print_sockaddr(addr, sizeof(addr), &domain->dcaddr);
754         if ((ret = get_ldap_seq(addr, &domain->dcaddr, LDAP_PORT, seq)) == 0) {
755                 DEBUG(3, ("get_ldap_sequence_number: Retrieved sequence "
756                           "number for Domain (%s) from DC (%s)\n",
757                         domain->name, addr));
758         }
759         return ret;
760 }
761
762 #endif /* HAVE_LDAP */
763
764 /* find the sequence number for a domain */
765 static NTSTATUS msrpc_sequence_number(struct winbindd_domain *domain,
766                                       uint32_t *pseq)
767 {
768         struct rpc_pipe_client *samr_pipe;
769         struct policy_handle dom_pol;
770         uint32_t seq = DOM_SEQUENCE_NONE;
771         TALLOC_CTX *tmp_ctx;
772         NTSTATUS status;
773
774         DEBUG(3, ("msrpc_sequence_number: fetch sequence_number for %s\n", domain->name));
775
776         if (pseq) {
777                 *pseq = DOM_SEQUENCE_NONE;
778         }
779
780         tmp_ctx = talloc_stackframe();
781         if (tmp_ctx == NULL) {
782                 return NT_STATUS_NO_MEMORY;
783         }
784
785         if ( !winbindd_can_contact_domain( domain ) ) {
786                 DEBUG(10,("sequence_number: No incoming trust for domain %s\n",
787                           domain->name));
788                 if (pseq) {
789                         *pseq = time(NULL);
790                 }
791                 status = NT_STATUS_OK;
792                 goto done;
793         }
794
795 #ifdef HAVE_LDAP
796         if (domain->active_directory) {
797                 int rc;
798
799                 DEBUG(8,("using get_ldap_seq() to retrieve the "
800                          "sequence number\n"));
801
802                 rc =  get_ldap_sequence_number(domain, &seq);
803                 if (rc == 0) {
804                         DEBUG(10,("domain_sequence_number: LDAP for "
805                                   "domain %s is %u\n",
806                                   domain->name, seq));
807
808                         if (pseq) {
809                                 *pseq = seq;
810                         }
811
812                         status = NT_STATUS_OK;
813                         goto done;
814                 }
815
816                 DEBUG(10,("domain_sequence_number: failed to get LDAP "
817                           "sequence number for domain %s\n",
818                           domain->name ));
819         }
820 #endif /* HAVE_LDAP */
821
822         status = cm_connect_sam(domain, tmp_ctx, false, &samr_pipe, &dom_pol);
823         if (!NT_STATUS_IS_OK(status)) {
824                 goto done;
825         }
826
827         status = rpc_sequence_number(tmp_ctx,
828                                      samr_pipe,
829                                      &dom_pol,
830                                      domain->name,
831                                      &seq);
832         if (!NT_STATUS_IS_OK(status)) {
833                 goto done;
834         }
835
836         if (pseq) {
837                 *pseq = seq;
838         }
839
840 done:
841         TALLOC_FREE(tmp_ctx);
842         return status;
843 }
844
845 /* get a list of trusted domains */
846 static NTSTATUS msrpc_trusted_domains(struct winbindd_domain *domain,
847                                       TALLOC_CTX *mem_ctx,
848                                       struct netr_DomainTrustList *ptrust_list)
849 {
850         struct rpc_pipe_client *lsa_pipe;
851         struct policy_handle lsa_policy;
852         struct netr_DomainTrust *trusts = NULL;
853         uint32_t num_trusts = 0;
854         TALLOC_CTX *tmp_ctx;
855         NTSTATUS status;
856
857         DEBUG(3,("msrpc_trusted_domains\n"));
858
859         if (ptrust_list) {
860                 ZERO_STRUCTP(ptrust_list);
861         }
862
863         tmp_ctx = talloc_stackframe();
864         if (tmp_ctx == NULL) {
865                 return NT_STATUS_NO_MEMORY;
866         }
867
868         status = cm_connect_lsa(domain, tmp_ctx, &lsa_pipe, &lsa_policy);
869         if (!NT_STATUS_IS_OK(status)) {
870                 goto done;
871         }
872
873         status = rpc_trusted_domains(tmp_ctx,
874                                      lsa_pipe,
875                                      &lsa_policy,
876                                      &num_trusts,
877                                      &trusts);
878         if (!NT_STATUS_IS_OK(status)) {
879                 goto done;
880         }
881
882         if (ptrust_list) {
883                 ptrust_list->count = num_trusts;
884                 ptrust_list->array = talloc_move(mem_ctx, &trusts);
885         }
886
887 done:
888         TALLOC_FREE(tmp_ctx);
889         return status;
890 }
891
892 /* find the lockout policy for a domain */
893 static NTSTATUS msrpc_lockout_policy(struct winbindd_domain *domain,
894                                      TALLOC_CTX *mem_ctx,
895                                      struct samr_DomInfo12 *lockout_policy)
896 {
897         NTSTATUS status, result;
898         struct rpc_pipe_client *cli;
899         struct policy_handle dom_pol;
900         union samr_DomainInfo *info = NULL;
901         struct dcerpc_binding_handle *b;
902
903         DEBUG(3, ("msrpc_lockout_policy: fetch lockout policy for %s\n", domain->name));
904
905         if ( !winbindd_can_contact_domain( domain ) ) {
906                 DEBUG(10,("msrpc_lockout_policy: No incoming trust for domain %s\n",
907                           domain->name));
908                 return NT_STATUS_NOT_SUPPORTED;
909         }
910
911         status = cm_connect_sam(domain, mem_ctx, false, &cli, &dom_pol);
912         if (!NT_STATUS_IS_OK(status)) {
913                 goto done;
914         }
915
916         b = cli->binding_handle;
917
918         status = dcerpc_samr_QueryDomainInfo(b, mem_ctx,
919                                              &dom_pol,
920                                              DomainLockoutInformation,
921                                              &info,
922                                              &result);
923         if (any_nt_status_not_ok(status, result, &status)) {
924                 return status;
925         }
926
927         *lockout_policy = info->info12;
928
929         DEBUG(10,("msrpc_lockout_policy: lockout_threshold %d\n",
930                 info->info12.lockout_threshold));
931
932   done:
933
934         return status;
935 }
936
937 /* find the password policy for a domain */
938 static NTSTATUS msrpc_password_policy(struct winbindd_domain *domain,
939                                       TALLOC_CTX *mem_ctx,
940                                       struct samr_DomInfo1 *password_policy)
941 {
942         NTSTATUS status, result;
943         struct rpc_pipe_client *cli;
944         struct policy_handle dom_pol;
945         union samr_DomainInfo *info = NULL;
946         struct dcerpc_binding_handle *b;
947
948         DEBUG(3, ("msrpc_password_policy: fetch password policy for %s\n",
949                   domain->name));
950
951         if ( !winbindd_can_contact_domain( domain ) ) {
952                 DEBUG(10,("msrpc_password_policy: No incoming trust for domain %s\n",
953                           domain->name));
954                 return NT_STATUS_NOT_SUPPORTED;
955         }
956
957         status = cm_connect_sam(domain, mem_ctx, false, &cli, &dom_pol);
958         if (!NT_STATUS_IS_OK(status)) {
959                 goto done;
960         }
961
962         b = cli->binding_handle;
963
964         status = dcerpc_samr_QueryDomainInfo(b, mem_ctx,
965                                              &dom_pol,
966                                              DomainPasswordInformation,
967                                              &info,
968                                              &result);
969         if (!NT_STATUS_IS_OK(status)) {
970                 goto done;
971         }
972         if (!NT_STATUS_IS_OK(result)) {
973                 goto done;
974         }
975
976         *password_policy = info->info1;
977
978         DEBUG(10,("msrpc_password_policy: min_length_password %d\n",
979                 info->info1.min_password_length));
980
981   done:
982
983         return status;
984 }
985
986 static enum lsa_LookupNamesLevel winbindd_lookup_level(
987         struct winbindd_domain *domain)
988 {
989         enum lsa_LookupNamesLevel level = LSA_LOOKUP_NAMES_DOMAINS_ONLY;
990
991         if (domain->internal) {
992                 level = LSA_LOOKUP_NAMES_ALL;
993         } else if (domain->secure_channel_type == SEC_CHAN_DNS_DOMAIN) {
994                 if (domain->domain_flags & NETR_TRUST_FLAG_IN_FOREST) {
995                         /*
996                          * TODO:
997                          *
998                          * Depending on what we want to resolve. We need to use:
999                          * 1. LsapLookupXForestReferral(5)/LSA_LOOKUP_NAMES_FOREST_TRUSTS_ONLY
1000                          *    if we want to pass the request into the direction of the forest
1001                          *    root domain. The forest root domain uses
1002                          *    LsapLookupXForestResolve(6)/LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2
1003                          *    when passing the request to trusted forests.
1004                          * 2. LsapLookupGC(4)/LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY
1005                          *    if we're not a GC and want to resolve a name within our own forest.
1006                          *
1007                          * As we don't support more than one domain in our own forest
1008                          * and always try to be a GC for now, we just set
1009                          * LSA_LOOKUP_NAMES_FOREST_TRUSTS_ONLY.
1010                          */
1011                         level = LSA_LOOKUP_NAMES_FOREST_TRUSTS_ONLY;
1012                 } else if (domain->domain_trust_attribs & LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) {
1013                         /*
1014                          * This is LsapLookupXForestResolve(6)/LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2
1015                          */
1016                         level = LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2;
1017                 } else {
1018                         /*
1019                          * This is LsapLookupTDL(3)/LSA_LOOKUP_NAMES_PRIMARY_DOMAIN_ONLY
1020                          */
1021                         level = LSA_LOOKUP_NAMES_PRIMARY_DOMAIN_ONLY;
1022                 }
1023         } else if (domain->secure_channel_type == SEC_CHAN_DOMAIN) {
1024                 /*
1025                  * This is LsapLookupTDL(3)/LSA_LOOKUP_NAMES_PRIMARY_DOMAIN_ONLY
1026                  */
1027                 level = LSA_LOOKUP_NAMES_PRIMARY_DOMAIN_ONLY;
1028         } else if (domain->rodc) {
1029                 level = LSA_LOOKUP_NAMES_RODC_REFERRAL_TO_FULL_DC;
1030         } else {
1031                 /*
1032                  * This is LsapLookupPDC(2)/LSA_LOOKUP_NAMES_DOMAINS_ONLY
1033                  */
1034                 level = LSA_LOOKUP_NAMES_DOMAINS_ONLY;
1035         }
1036
1037         return level;
1038 }
1039
1040 NTSTATUS winbindd_lookup_sids(TALLOC_CTX *mem_ctx,
1041                               struct winbindd_domain *domain,
1042                               uint32_t num_sids,
1043                               const struct dom_sid *sids,
1044                               char ***domains,
1045                               char ***names,
1046                               enum lsa_SidType **types)
1047 {
1048         NTSTATUS status;
1049         NTSTATUS result;
1050         struct rpc_pipe_client *cli = NULL;
1051         struct dcerpc_binding_handle *b = NULL;
1052         struct policy_handle lsa_policy;
1053         unsigned int orig_timeout;
1054         bool use_lookupsids3 = false;
1055         bool retried = false;
1056         enum lsa_LookupNamesLevel level = LSA_LOOKUP_NAMES_ALL;
1057
1058  connect:
1059         status = cm_connect_lsat(domain, mem_ctx, &cli, &lsa_policy);
1060         if (!NT_STATUS_IS_OK(status)) {
1061                 return status;
1062         }
1063
1064         b = cli->binding_handle;
1065
1066         if (cli->transport->transport == NCACN_IP_TCP) {
1067                 use_lookupsids3 = true;
1068         }
1069
1070         level = winbindd_lookup_level(domain);
1071
1072         /*
1073          * This call can take a long time
1074          * allow the server to time out.
1075          * 35 seconds should do it.
1076          */
1077         orig_timeout = dcerpc_binding_handle_set_timeout(b, 35000);
1078
1079         status = dcerpc_lsa_lookup_sids_generic(b,
1080                                                 mem_ctx,
1081                                                 &lsa_policy,
1082                                                 num_sids,
1083                                                 sids,
1084                                                 level,
1085                                                 domains,
1086                                                 names,
1087                                                 types,
1088                                                 use_lookupsids3,
1089                                                 &result);
1090
1091         /* And restore our original timeout. */
1092         dcerpc_binding_handle_set_timeout(b, orig_timeout);
1093
1094         if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) ||
1095             NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR) ||
1096             NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED)) {
1097                 /*
1098                  * This can happen if the schannel key is not
1099                  * valid anymore, we need to invalidate the
1100                  * all connections to the dc and reestablish
1101                  * a netlogon connection first.
1102                  */
1103                 invalidate_cm_connection(domain);
1104                 domain->can_do_ncacn_ip_tcp = domain->active_directory;
1105                 if (!retried) {
1106                         retried = true;
1107                         goto connect;
1108                 }
1109                 status = NT_STATUS_ACCESS_DENIED;
1110         }
1111
1112         if (any_nt_status_not_ok(status, result, &status)) {
1113                 return status;
1114         }
1115
1116         return NT_STATUS_OK;
1117 }
1118
1119 static NTSTATUS winbindd_lookup_names(TALLOC_CTX *mem_ctx,
1120                                       struct winbindd_domain *domain,
1121                                       uint32_t num_names,
1122                                       const char **names,
1123                                       const char ***domains,
1124                                       struct dom_sid **sids,
1125                                       enum lsa_SidType **types)
1126 {
1127         NTSTATUS status;
1128         NTSTATUS result;
1129         struct rpc_pipe_client *cli = NULL;
1130         struct dcerpc_binding_handle *b = NULL;
1131         struct policy_handle lsa_policy;
1132         unsigned int orig_timeout = 0;
1133         bool use_lookupnames4 = false;
1134         bool retried = false;
1135         enum lsa_LookupNamesLevel level = LSA_LOOKUP_NAMES_ALL;
1136
1137  connect:
1138         status = cm_connect_lsat(domain, mem_ctx, &cli, &lsa_policy);
1139         if (!NT_STATUS_IS_OK(status)) {
1140                 return status;
1141         }
1142
1143         b = cli->binding_handle;
1144
1145         if (cli->transport->transport == NCACN_IP_TCP) {
1146                 use_lookupnames4 = true;
1147         }
1148
1149         level = winbindd_lookup_level(domain);
1150
1151         /*
1152          * This call can take a long time
1153          * allow the server to time out.
1154          * 35 seconds should do it.
1155          */
1156         orig_timeout = dcerpc_binding_handle_set_timeout(b, 35000);
1157
1158         status = dcerpc_lsa_lookup_names_generic(b,
1159                                                  mem_ctx,
1160                                                  &lsa_policy,
1161                                                  num_names,
1162                                                  (const char **) names,
1163                                                  domains,
1164                                                  level,
1165                                                  sids,
1166                                                  types,
1167                                                  use_lookupnames4,
1168                                                  &result);
1169
1170         /* And restore our original timeout. */
1171         dcerpc_binding_handle_set_timeout(b, orig_timeout);
1172
1173         if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) ||
1174             NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR) ||
1175             NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED)) {
1176                 /*
1177                  * This can happen if the schannel key is not
1178                  * valid anymore, we need to invalidate the
1179                  * all connections to the dc and reestablish
1180                  * a netlogon connection first.
1181                  */
1182                 invalidate_cm_connection(domain);
1183                 if (!retried) {
1184                         retried = true;
1185                         goto connect;
1186                 }
1187                 status = NT_STATUS_ACCESS_DENIED;
1188         }
1189
1190         if (any_nt_status_not_ok(status, result, &status)) {
1191                 return status;
1192         }
1193
1194         return NT_STATUS_OK;
1195 }
1196
1197 /* the rpc backend methods are exposed via this structure */
1198 struct winbindd_methods msrpc_methods = {
1199         False,
1200         msrpc_query_user_list,
1201         msrpc_enum_dom_groups,
1202         msrpc_enum_local_groups,
1203         msrpc_name_to_sid,
1204         msrpc_sid_to_name,
1205         msrpc_rids_to_names,
1206         msrpc_lookup_usergroups,
1207         msrpc_lookup_useraliases,
1208         msrpc_lookup_groupmem,
1209         msrpc_sequence_number,
1210         msrpc_lockout_policy,
1211         msrpc_password_policy,
1212         msrpc_trusted_domains,
1213 };