2 * Unix SMB/CIFS implementation.
4 * Winbind rpc backend functions
6 * Copyright (c) 2000-2003 Tim Potter
7 * Copyright (c) 2001 Andrew Tridgell
8 * Copyright (c) 2005 Volker Lendecke
9 * Copyright (c) 2008 Guenther Deschner (pidl conversion)
10 * Copyright (c) 2010 Andreas Schneider <asn@samba.org>
12 * This program is free software; you can redistribute it and/or modify
13 * it under the terms of the GNU General Public License as published by
14 * the Free Software Foundation; either version 3 of the License, or
15 * (at your option) any later version.
17 * This program is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
22 * You should have received a copy of the GNU General Public License
23 * along with this program. If not, see <http://www.gnu.org/licenses/>.
28 #include "winbindd_rpc.h"
30 #include "../librpc/gen_ndr/cli_samr.h"
31 #include "rpc_client/cli_samr.h"
32 #include "../librpc/gen_ndr/srv_samr.h"
33 #include "../librpc/gen_ndr/cli_lsa.h"
34 #include "rpc_client/cli_lsarpc.h"
35 #include "../librpc/gen_ndr/srv_lsa.h"
38 #define DBGC_CLASS DBGC_WINBIND
40 static NTSTATUS open_internal_samr_pipe(TALLOC_CTX *mem_ctx,
41 struct rpc_pipe_client **samr_pipe)
43 static struct rpc_pipe_client *cli = NULL;
44 struct auth_serversupplied_info *server_info = NULL;
51 if (server_info == NULL) {
52 status = make_server_info_system(mem_ctx, &server_info);
53 if (!NT_STATUS_IS_OK(status)) {
54 DEBUG(0, ("open_samr_pipe: Could not create auth_serversupplied_info: %s\n",
60 /* create a samr connection */
61 status = rpc_pipe_open_internal(talloc_autofree_context(),
62 &ndr_table_samr.syntax_id,
66 if (!NT_STATUS_IS_OK(status)) {
67 DEBUG(0, ("open_samr_pipe: Could not connect to samr_pipe: %s\n",
80 static NTSTATUS open_internal_samr_conn(TALLOC_CTX *mem_ctx,
81 struct winbindd_domain *domain,
82 struct rpc_pipe_client **samr_pipe,
83 struct policy_handle *samr_domain_hnd)
86 struct policy_handle samr_connect_hnd;
88 status = open_internal_samr_pipe(mem_ctx, samr_pipe);
89 if (!NT_STATUS_IS_OK(status)) {
93 status = rpccli_samr_Connect2((*samr_pipe),
95 (*samr_pipe)->desthost,
96 SEC_FLAG_MAXIMUM_ALLOWED,
98 if (!NT_STATUS_IS_OK(status)) {
102 status = rpccli_samr_OpenDomain((*samr_pipe),
105 SEC_FLAG_MAXIMUM_ALLOWED,
112 static NTSTATUS open_internal_lsa_pipe(TALLOC_CTX *mem_ctx,
113 struct rpc_pipe_client **lsa_pipe)
115 static struct rpc_pipe_client *cli = NULL;
116 struct auth_serversupplied_info *server_info = NULL;
123 if (server_info == NULL) {
124 status = make_server_info_system(mem_ctx, &server_info);
125 if (!NT_STATUS_IS_OK(status)) {
126 DEBUG(0, ("open_samr_pipe: Could not create auth_serversupplied_info: %s\n",
132 /* create a samr connection */
133 status = rpc_pipe_open_internal(talloc_autofree_context(),
134 &ndr_table_lsarpc.syntax_id,
138 if (!NT_STATUS_IS_OK(status)) {
139 DEBUG(0, ("open_samr_pipe: Could not connect to samr_pipe: %s\n",
152 static NTSTATUS open_internal_lsa_conn(TALLOC_CTX *mem_ctx,
153 struct rpc_pipe_client **lsa_pipe,
154 struct policy_handle *lsa_hnd)
158 status = open_internal_lsa_pipe(mem_ctx, lsa_pipe);
159 if (!NT_STATUS_IS_OK(status)) {
163 status = rpccli_lsa_open_policy((*lsa_pipe),
166 SEC_FLAG_MAXIMUM_ALLOWED,
172 /*********************************************************************
173 SAM specific functions.
174 *********************************************************************/
176 /* List all domain groups */
177 static NTSTATUS sam_enum_dom_groups(struct winbindd_domain *domain,
180 struct acct_info **pinfo)
182 struct rpc_pipe_client *samr_pipe;
183 struct policy_handle dom_pol;
184 struct acct_info *info = NULL;
185 uint32_t num_info = 0;
189 DEBUG(3,("sam_enum_dom_groups\n"));
195 tmp_ctx = talloc_stackframe();
196 if (tmp_ctx == NULL) {
197 return NT_STATUS_NO_MEMORY;
200 status = open_internal_samr_conn(tmp_ctx, domain, &samr_pipe, &dom_pol);
201 if (!NT_STATUS_IS_OK(status)) {
205 status = rpc_enum_dom_groups(tmp_ctx,
210 if (!NT_STATUS_IS_OK(status)) {
215 *pnum_info = num_info;
219 *pinfo = talloc_move(mem_ctx, &info);
223 TALLOC_FREE(tmp_ctx);
227 /* Query display info for a domain */
228 static NTSTATUS sam_query_user_list(struct winbindd_domain *domain,
231 struct wbint_userinfo **pinfo)
233 struct rpc_pipe_client *samr_pipe = NULL;
234 struct policy_handle dom_pol;
235 struct wbint_userinfo *info = NULL;
236 uint32_t num_info = 0;
240 DEBUG(3,("samr_query_user_list\n"));
246 tmp_ctx = talloc_stackframe();
247 if (tmp_ctx == NULL) {
248 return NT_STATUS_NO_MEMORY;
251 status = open_internal_samr_conn(tmp_ctx, domain, &samr_pipe, &dom_pol);
252 if (!NT_STATUS_IS_OK(status)) {
256 status = rpc_query_user_list(tmp_ctx,
262 if (!NT_STATUS_IS_OK(status)) {
267 *pnum_info = num_info;
271 *pinfo = talloc_move(mem_ctx, &info);
275 TALLOC_FREE(tmp_ctx);
279 /* Lookup user information from a rid or username. */
280 static NTSTATUS sam_query_user(struct winbindd_domain *domain,
282 const struct dom_sid *user_sid,
283 struct wbint_userinfo *user_info)
285 struct rpc_pipe_client *samr_pipe;
286 struct policy_handle dom_pol;
290 DEBUG(3,("sam_query_user\n"));
293 if (!sid_check_is_in_our_domain(user_sid)) {
294 return NT_STATUS_NO_SUCH_USER;
298 user_info->homedir = NULL;
299 user_info->shell = NULL;
300 user_info->primary_gid = (gid_t) -1;
303 tmp_ctx = talloc_stackframe();
304 if (tmp_ctx == NULL) {
305 return NT_STATUS_NO_MEMORY;
308 status = open_internal_samr_conn(tmp_ctx, domain, &samr_pipe, &dom_pol);
309 if (!NT_STATUS_IS_OK(status)) {
313 status = rpc_query_user(tmp_ctx,
321 TALLOC_FREE(tmp_ctx);
325 /* get a list of trusted domains - builtin domain */
326 static NTSTATUS sam_trusted_domains(struct winbindd_domain *domain,
328 struct netr_DomainTrustList *trusts)
330 struct rpc_pipe_client *lsa_pipe;
331 struct netr_DomainTrust *array = NULL;
332 struct policy_handle lsa_policy;
333 uint32_t enum_ctx = 0;
338 DEBUG(3,("samr: trusted domains\n"));
340 tmp_ctx = talloc_stackframe();
341 if (tmp_ctx == NULL) {
342 return NT_STATUS_NO_MEMORY;
345 status = open_internal_lsa_conn(tmp_ctx, &lsa_pipe, &lsa_policy);
346 if (!NT_STATUS_IS_OK(status)) {
351 struct lsa_DomainList dom_list;
356 * We don't run into deadlocks here, cause winbind_off() is
357 * called in the main function.
359 status = rpccli_lsa_EnumTrustDom(lsa_pipe,
365 if (!NT_STATUS_IS_OK(status)) {
366 if (!NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES)) {
371 start_idx = trusts->count;
372 count += dom_list.count;
374 array = talloc_realloc(tmp_ctx,
376 struct netr_DomainTrust,
379 status = NT_STATUS_NO_MEMORY;
383 for (i = 0; i < dom_list.count; i++) {
384 struct netr_DomainTrust *trust = &array[i];
389 trust->netbios_name = talloc_move(array,
390 &dom_list.domains[i].name.string);
391 trust->dns_name = NULL;
393 sid = talloc(array, struct dom_sid);
395 status = NT_STATUS_NO_MEMORY;
398 sid_copy(sid, dom_list.domains[i].sid);
401 } while (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES));
404 trusts->count = count;
405 trusts->array = talloc_move(mem_ctx, &array);
409 TALLOC_FREE(tmp_ctx);
413 /* Lookup group membership given a rid. */
414 static NTSTATUS sam_lookup_groupmem(struct winbindd_domain *domain,
416 const struct dom_sid *group_sid,
417 enum lsa_SidType type,
418 uint32_t *pnum_names,
419 struct dom_sid **psid_mem,
421 uint32_t **pname_types)
423 struct rpc_pipe_client *samr_pipe;
424 struct policy_handle dom_pol;
426 uint32_t num_names = 0;
427 struct dom_sid *sid_mem = NULL;
429 uint32_t *name_types = NULL;
434 DEBUG(3,("sam_lookup_groupmem\n"));
437 if (sid_check_is_in_builtin(group_sid) && (type != SID_NAME_ALIAS)) {
438 /* There's no groups, only aliases in BUILTIN */
439 return NT_STATUS_NO_SUCH_GROUP;
446 tmp_ctx = talloc_stackframe();
447 if (tmp_ctx == NULL) {
448 return NT_STATUS_NO_MEMORY;
451 status = open_internal_samr_conn(tmp_ctx, domain, &samr_pipe, &dom_pol);
452 if (!NT_STATUS_IS_OK(status)) {
456 status = rpc_lookup_groupmem(tmp_ctx,
469 *pnum_names = num_names;
473 *pnames = talloc_move(mem_ctx, &names);
477 *pname_types = talloc_move(mem_ctx, &name_types);
481 *psid_mem = talloc_move(mem_ctx, &sid_mem);
485 TALLOC_FREE(tmp_ctx);
489 /*********************************************************************
490 BUILTIN specific functions.
491 *********************************************************************/
493 /* List all domain groups */
494 static NTSTATUS builtin_enum_dom_groups(struct winbindd_domain *domain,
497 struct acct_info **info)
499 /* BUILTIN doesn't have domain groups */
505 /* Query display info for a domain */
506 static NTSTATUS builtin_query_user_list(struct winbindd_domain *domain,
509 struct wbint_userinfo **info)
511 /* We don't have users */
517 /* Lookup user information from a rid or username. */
518 static NTSTATUS builtin_query_user(struct winbindd_domain *domain,
520 const struct dom_sid *user_sid,
521 struct wbint_userinfo *user_info)
523 return NT_STATUS_NO_SUCH_USER;
526 /* get a list of trusted domains - builtin domain */
527 static NTSTATUS builtin_trusted_domains(struct winbindd_domain *domain,
529 struct netr_DomainTrustList *trusts)
531 ZERO_STRUCTP(trusts);
535 /*********************************************************************
537 *********************************************************************/
539 /* List all local groups (aliases) */
540 static NTSTATUS sam_enum_local_groups(struct winbindd_domain *domain,
543 struct acct_info **pinfo)
545 struct rpc_pipe_client *samr_pipe;
546 struct policy_handle dom_pol;
547 struct acct_info *info = NULL;
548 uint32_t num_info = 0;
552 DEBUG(3,("samr: enum local groups\n"));
558 tmp_ctx = talloc_stackframe();
559 if (tmp_ctx == NULL) {
560 return NT_STATUS_NO_MEMORY;
563 status = open_internal_samr_conn(tmp_ctx, domain, &samr_pipe, &dom_pol);
564 if (!NT_STATUS_IS_OK(status)) {
568 status = rpc_enum_local_groups(mem_ctx,
573 if (!NT_STATUS_IS_OK(status)) {
578 *pnum_info = num_info;
582 *pinfo = talloc_move(mem_ctx, &info);
586 TALLOC_FREE(tmp_ctx);
590 /* convert a single name to a sid in a domain */
591 static NTSTATUS sam_name_to_sid(struct winbindd_domain *domain,
593 const char *domain_name,
596 struct dom_sid *psid,
597 enum lsa_SidType *ptype)
599 struct rpc_pipe_client *lsa_pipe;
600 struct policy_handle lsa_policy;
602 enum lsa_SidType type;
606 DEBUG(3,("sam_name_to_sid\n"));
608 tmp_ctx = talloc_stackframe();
609 if (tmp_ctx == NULL) {
610 return NT_STATUS_NO_MEMORY;
613 status = open_internal_lsa_conn(tmp_ctx, &lsa_pipe, &lsa_policy);
614 if (!NT_STATUS_IS_OK(status)) {
618 status = rpc_name_to_sid(tmp_ctx,
626 if (!NT_STATUS_IS_OK(status)) {
631 sid_copy(psid, &sid);
638 TALLOC_FREE(tmp_ctx);
642 /* convert a domain SID to a user or group name */
643 static NTSTATUS sam_sid_to_name(struct winbindd_domain *domain,
645 const struct dom_sid *sid,
648 enum lsa_SidType *ptype)
650 struct rpc_pipe_client *lsa_pipe;
651 struct policy_handle lsa_policy;
652 char *domain_name = NULL;
654 enum lsa_SidType type;
658 DEBUG(3,("sam_sid_to_name\n"));
661 if (!sid_check_is_in_builtin(sid) &&
662 !sid_check_is_in_our_domain(sid) &&
663 !sid_check_is_in_unix_users(sid) &&
664 !sid_check_is_unix_users(sid) &&
665 !sid_check_is_in_unix_groups(sid) &&
666 !sid_check_is_unix_groups(sid) &&
667 !sid_check_is_in_wellknown_domain(sid)) {
668 DEBUG(0, ("sam_sid_to_name: possible deadlock - trying to "
669 "lookup SID %s\n", sid_string_dbg(sid)));
670 return NT_STATUS_NONE_MAPPED;
673 tmp_ctx = talloc_stackframe();
674 if (tmp_ctx == NULL) {
675 return NT_STATUS_NO_MEMORY;
678 status = open_internal_lsa_conn(tmp_ctx, &lsa_pipe, &lsa_policy);
679 if (!NT_STATUS_IS_OK(status)) {
683 status = rpc_sid_to_name(tmp_ctx,
697 *pname = talloc_move(mem_ctx, &name);
701 *pdomain_name = talloc_move(mem_ctx, &domain_name);
705 TALLOC_FREE(tmp_ctx);
709 static NTSTATUS sam_rids_to_names(struct winbindd_domain *domain,
711 const struct dom_sid *sid,
716 enum lsa_SidType **ptypes)
718 struct rpc_pipe_client *lsa_pipe;
719 struct policy_handle lsa_policy;
720 enum lsa_SidType *types = NULL;
721 char *domain_name = NULL;
726 DEBUG(3,("sam_rids_to_names for %s\n", domain->name));
729 if (!sid_check_is_in_builtin(sid) &&
730 !sid_check_is_in_our_domain(sid) &&
731 !sid_check_is_in_unix_users(sid) &&
732 !sid_check_is_unix_users(sid) &&
733 !sid_check_is_in_unix_groups(sid) &&
734 !sid_check_is_unix_groups(sid) &&
735 !sid_check_is_in_wellknown_domain(sid)) {
736 DEBUG(0, ("sam_rids_to_names: possible deadlock - trying to "
737 "lookup SID %s\n", sid_string_dbg(sid)));
738 return NT_STATUS_NONE_MAPPED;
741 tmp_ctx = talloc_stackframe();
742 if (tmp_ctx == NULL) {
743 return NT_STATUS_NO_MEMORY;
746 status = open_internal_lsa_conn(tmp_ctx, &lsa_pipe, &lsa_policy);
747 if (!NT_STATUS_IS_OK(status)) {
751 status = rpc_rids_to_names(tmp_ctx,
761 if (!NT_STATUS_IS_OK(status)) {
766 *pdomain_name = talloc_move(mem_ctx, &domain_name);
770 *ptypes = talloc_move(mem_ctx, &types);
774 *pnames = talloc_move(mem_ctx, &names);
778 TALLOC_FREE(tmp_ctx);
782 static NTSTATUS sam_lockout_policy(struct winbindd_domain *domain,
784 struct samr_DomInfo12 *lockout_policy)
786 struct rpc_pipe_client *samr_pipe;
787 struct policy_handle dom_pol;
788 union samr_DomainInfo *info = NULL;
792 DEBUG(3,("sam_lockout_policy\n"));
794 tmp_ctx = talloc_stackframe();
795 if (tmp_ctx == NULL) {
796 return NT_STATUS_NO_MEMORY;
799 status = open_internal_samr_conn(tmp_ctx, domain, &samr_pipe, &dom_pol);
800 if (!NT_STATUS_IS_OK(status)) {
804 status = rpccli_samr_QueryDomainInfo(samr_pipe,
809 if (!NT_STATUS_IS_OK(status)) {
813 *lockout_policy = info->info12;
816 TALLOC_FREE(tmp_ctx);
820 static NTSTATUS common_password_policy(struct winbindd_domain *domain,
822 struct samr_DomInfo1 *passwd_policy)
824 struct rpc_pipe_client *samr_pipe;
825 struct policy_handle dom_pol;
826 union samr_DomainInfo *info = NULL;
830 DEBUG(3,("samr: password policy\n"));
832 tmp_ctx = talloc_stackframe();
833 if (tmp_ctx == NULL) {
834 return NT_STATUS_NO_MEMORY;
837 status = open_internal_samr_conn(tmp_ctx, domain, &samr_pipe, &dom_pol);
838 if (!NT_STATUS_IS_OK(status)) {
842 status = rpccli_samr_QueryDomainInfo(samr_pipe,
847 if (!NT_STATUS_IS_OK(status)) {
851 *passwd_policy = info->info1;
854 TALLOC_FREE(tmp_ctx);
858 /* Lookup groups a user is a member of. */
859 static NTSTATUS sam_lookup_usergroups(struct winbindd_domain *domain,
861 const struct dom_sid *user_sid,
862 uint32_t *pnum_groups,
863 struct dom_sid **puser_grpsids)
865 struct rpc_pipe_client *samr_pipe;
866 struct policy_handle dom_pol;
867 struct dom_sid *user_grpsids = NULL;
868 uint32_t num_groups = 0;
872 DEBUG(3,("sam_lookup_usergroups\n"));
878 tmp_ctx = talloc_stackframe();
879 if (tmp_ctx == NULL) {
880 return NT_STATUS_NO_MEMORY;
883 status = open_internal_samr_conn(tmp_ctx, domain, &samr_pipe, &dom_pol);
884 if (!NT_STATUS_IS_OK(status)) {
888 status = rpc_lookup_usergroups(tmp_ctx,
895 if (!NT_STATUS_IS_OK(status)) {
900 *pnum_groups = num_groups;
904 *puser_grpsids = talloc_move(mem_ctx, &user_grpsids);
908 TALLOC_FREE(tmp_ctx);
912 static NTSTATUS sam_lookup_useraliases(struct winbindd_domain *domain,
915 const struct dom_sid *sids,
916 uint32_t *pnum_aliases,
917 uint32_t **palias_rids)
919 struct rpc_pipe_client *samr_pipe;
920 struct policy_handle dom_pol;
921 uint32_t num_aliases = 0;
922 uint32_t *alias_rids = NULL;
926 DEBUG(3,("sam_lookup_useraliases\n"));
932 tmp_ctx = talloc_stackframe();
933 if (tmp_ctx == NULL) {
934 return NT_STATUS_NO_MEMORY;
937 status = open_internal_samr_conn(tmp_ctx, domain, &samr_pipe, &dom_pol);
938 if (!NT_STATUS_IS_OK(status)) {
942 status = rpc_lookup_useraliases(tmp_ctx,
949 if (!NT_STATUS_IS_OK(status)) {
954 *pnum_aliases = num_aliases;
958 *palias_rids = talloc_move(mem_ctx, &alias_rids);
962 TALLOC_FREE(tmp_ctx);
966 /* find the sequence number for a domain */
967 static NTSTATUS sam_sequence_number(struct winbindd_domain *domain,
970 struct rpc_pipe_client *samr_pipe;
971 struct policy_handle dom_pol;
976 DEBUG(3,("samr: sequence number\n"));
979 *pseq = DOM_SEQUENCE_NONE;
982 tmp_ctx = talloc_stackframe();
983 if (tmp_ctx == NULL) {
984 return NT_STATUS_NO_MEMORY;
987 status = open_internal_samr_conn(tmp_ctx, domain, &samr_pipe, &dom_pol);
988 if (!NT_STATUS_IS_OK(status)) {
992 status = rpc_sequence_number(tmp_ctx,
997 if (!NT_STATUS_IS_OK(status)) {
1005 TALLOC_FREE(tmp_ctx);
1009 /* the rpc backend methods are exposed via this structure */
1010 struct winbindd_methods builtin_passdb_methods = {
1011 .consistent = false,
1013 .query_user_list = builtin_query_user_list,
1014 .enum_dom_groups = builtin_enum_dom_groups,
1015 .enum_local_groups = sam_enum_local_groups,
1016 .name_to_sid = sam_name_to_sid,
1017 .sid_to_name = sam_sid_to_name,
1018 .rids_to_names = sam_rids_to_names,
1019 .query_user = builtin_query_user,
1020 .lookup_usergroups = sam_lookup_usergroups,
1021 .lookup_useraliases = sam_lookup_useraliases,
1022 .lookup_groupmem = sam_lookup_groupmem,
1023 .sequence_number = sam_sequence_number,
1024 .lockout_policy = sam_lockout_policy,
1025 .password_policy = common_password_policy,
1026 .trusted_domains = builtin_trusted_domains
1029 /* the rpc backend methods are exposed via this structure */
1030 struct winbindd_methods sam_passdb_methods = {
1031 .consistent = false,
1033 .query_user_list = sam_query_user_list,
1034 .enum_dom_groups = sam_enum_dom_groups,
1035 .enum_local_groups = sam_enum_local_groups,
1036 .name_to_sid = sam_name_to_sid,
1037 .sid_to_name = sam_sid_to_name,
1038 .rids_to_names = sam_rids_to_names,
1039 .query_user = sam_query_user,
1040 .lookup_usergroups = sam_lookup_usergroups,
1041 .lookup_useraliases = sam_lookup_useraliases,
1042 .lookup_groupmem = sam_lookup_groupmem,
1043 .sequence_number = sam_sequence_number,
1044 .lockout_policy = sam_lockout_policy,
1045 .password_policy = common_password_policy,
1046 .trusted_domains = sam_trusted_domains