2 Unix SMB/Netbios implementation.
4 Winbind ADS backend functions
6 Copyright (C) Andrew Tridgell 2001
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program; if not, write to the Free Software
20 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
27 /* the realm of our primary LDAP server */
28 static char *primary_realm;
32 a wrapper around ldap_search_s that retries depending on the error code
33 this is supposed to catch dropped connections and auto-reconnect
35 int ads_do_search_retry(ADS_STRUCT *ads, const char *bind_path, int scope,
37 const char **attrs, void **res)
44 time(NULL) - ads->last_attempt < ADS_RECONNECT_TIME) {
45 return LDAP_SERVER_DOWN;
49 rc = ads_do_search(ads, bind_path, scope, exp, attrs, res);
51 DEBUG(5,("Search for %s gave %d replies\n",
52 exp, ads_count_replies(ads, *res)));
56 if (*res) ads_msgfree(ads, *res);
58 DEBUG(1,("Reopening ads connection after error %s\n", ads_errstr(rc)));
60 /* we should unbind here, but that seems to trigger openldap bugs :(
65 rc2 = ads_connect(ads);
67 DEBUG(1,("ads_search_retry: failed to reconnect:\n"));
69 ads_display_status("", rc2.rc, rc2.minor_status);
71 DEBUG(1,("LDAP error: %s\n", ads_errstr(rc2.rc)));
77 DEBUG(1,("ads reopen failed after error %s\n", ads_errstr(rc)));
82 int ads_search_retry(ADS_STRUCT *ads, void **res,
86 return ads_do_search_retry(ads, ads->bind_path, LDAP_SCOPE_SUBTREE,
90 int ads_search_retry_dn(ADS_STRUCT *ads, void **res,
94 return ads_do_search_retry(ads, dn, LDAP_SCOPE_BASE,
95 "(objectclass=*)", attrs, res);
99 return our ads connections structure for a domain. We keep the connection
100 open to make things faster
102 static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain)
107 struct in_addr server_ip;
109 if (domain->private) {
110 return (ADS_STRUCT *)domain->private;
113 /* we don't want this to affect the users ccache */
114 ccache = lock_path("winbindd_ccache");
115 SETENV("KRB5CCNAME", ccache, 1);
118 if (!resolve_name(domain->name, &server_ip, 0x1b)) {
119 DEBUG(1,("Can't find PDC for domain %s\n", domain->name));
123 ads = ads_init(primary_realm, inet_ntoa(server_ip), NULL, NULL);
125 DEBUG(1,("ads_init for domain %s failed\n", domain->name));
129 /* the machine acct password might have change - fetch it every time */
130 SAFE_FREE(ads->password);
131 ads->password = secrets_fetch_machine_password();
133 rc = ads_connect(ads);
135 DEBUG(1,("ads_connect for domain %s failed:\n", domain->name));
137 ads_display_status("", rc.rc, rc.minor_status);
139 DEBUG(1,("LDAP error: %s\n", ads_errstr(rc.rc)));
145 /* remember our primary realm for trusted domain support */
146 if (!primary_realm) {
147 primary_realm = strdup(ads->realm);
150 domain->private = (void *)ads;
155 static void sid_from_rid(struct winbindd_domain *domain, uint32 rid, DOM_SID *sid)
157 sid_copy(sid, &domain->sid);
158 sid_append_rid(sid, rid);
161 /* turn a sAMAccountType into a SID_NAME_USE */
162 static enum SID_NAME_USE ads_atype_map(uint32 atype)
164 switch (atype & 0xF0000000) {
166 return SID_NAME_DOM_GRP;
168 return SID_NAME_USER;
170 DEBUG(1,("hmm, need to map account type 0x%x\n", atype));
172 return SID_NAME_UNKNOWN;
175 /* Query display info for a realm. This is the basic user list fn */
176 static NTSTATUS query_user_list(struct winbindd_domain *domain,
179 WINBIND_USERINFO **info)
181 ADS_STRUCT *ads = NULL;
182 const char *attrs[] = {"sAMAccountName", "name", "objectSid", "primaryGroupID",
183 "sAMAccountType", NULL};
187 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
191 DEBUG(3,("ads: query_user_list\n"));
193 ads = ads_cached_connection(domain);
196 rc = ads_search_retry(ads, &res, "(objectCategory=user)", attrs);
198 DEBUG(1,("query_user_list ads_search: %s\n", ads_errstr(rc)));
202 count = ads_count_replies(ads, res);
204 DEBUG(1,("query_user_list: No users found\n"));
208 (*info) = talloc(mem_ctx, count * sizeof(**info));
210 status = NT_STATUS_NO_MEMORY;
216 for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
222 if (!ads_pull_uint32(ads, msg, "sAMAccountType", &atype) ||
223 ads_atype_map(atype) != SID_NAME_USER) {
224 DEBUG(1,("Not a user account? atype=0x%x\n", atype));
228 name = ads_pull_string(ads, mem_ctx, msg, "sAMAccountName");
229 gecos = ads_pull_string(ads, mem_ctx, msg, "name");
230 if (!ads_pull_sid(ads, msg, "objectSid", &sid)) {
231 DEBUG(1,("No sid for %s !?\n", name));
234 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &group)) {
235 DEBUG(1,("No primary group for %s !?\n", name));
239 if (!sid_peek_rid(&sid, &rid)) {
240 DEBUG(1,("No rid for %s !?\n", name));
244 (*info)[i].acct_name = name;
245 (*info)[i].full_name = gecos;
246 (*info)[i].user_rid = rid;
247 (*info)[i].group_rid = group;
252 status = NT_STATUS_OK;
254 DEBUG(3,("ads query_user_list gave %d entries\n", (*num_entries)));
257 if (res) ads_msgfree(ads, res);
262 /* list all domain groups */
263 static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
266 struct acct_info **info)
268 ADS_STRUCT *ads = NULL;
269 const char *attrs[] = {"sAMAccountName", "name", "objectSid",
270 "sAMAccountType", NULL};
274 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
278 DEBUG(3,("ads: enum_dom_groups\n"));
280 ads = ads_cached_connection(domain);
283 rc = ads_search_retry(ads, &res, "(objectCategory=group)", attrs);
285 DEBUG(1,("query_user_list ads_search: %s\n", ads_errstr(rc)));
289 count = ads_count_replies(ads, res);
291 DEBUG(1,("query_user_list: No users found\n"));
295 (*info) = talloc(mem_ctx, count * sizeof(**info));
297 status = NT_STATUS_NO_MEMORY;
303 for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
309 if (!ads_pull_uint32(ads, msg, "sAMAccountType",
311 !(account_type & ATYPE_GROUP)) continue;
313 name = ads_pull_string(ads, mem_ctx, msg, "sAMAccountName");
314 gecos = ads_pull_string(ads, mem_ctx, msg, "name");
315 if (!ads_pull_sid(ads, msg, "objectSid", &sid)) {
316 DEBUG(1,("No sid for %s !?\n", name));
320 if (!sid_peek_rid(&sid, &rid)) {
321 DEBUG(1,("No rid for %s !?\n", name));
325 fstrcpy((*info)[i].acct_name, name);
326 fstrcpy((*info)[i].acct_desc, gecos);
327 (*info)[i].rid = rid;
333 status = NT_STATUS_OK;
335 DEBUG(3,("ads enum_dom_groups gave %d entries\n", (*num_entries)));
338 if (res) ads_msgfree(ads, res);
344 /* convert a single name to a sid in a domain */
345 static NTSTATUS name_to_sid(struct winbindd_domain *domain,
348 enum SID_NAME_USE *type)
350 ADS_STRUCT *ads = NULL;
351 const char *attrs[] = {"objectSid", "sAMAccountType", NULL};
356 fstring name2, dom2, fullname2;
357 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
359 /* sigh. Need to fix interface to give us a raw name */
360 fstrcpy(fullname2, name);
361 fstring_sub(fullname2, "\\", lp_winbind_separator());
362 if (!parse_domain_user(fullname2, dom2, name2)) {
366 DEBUG(3,("ads: name_to_sid\n"));
368 ads = ads_cached_connection(domain);
371 asprintf(&exp, "(sAMAccountName=%s)", name2);
372 rc = ads_search_retry(ads, &res, exp, attrs);
375 DEBUG(1,("name_to_sid ads_search: %s\n", ads_errstr(rc)));
379 count = ads_count_replies(ads, res);
381 DEBUG(1,("name_to_sid: %s not found\n", name));
385 if (!ads_pull_sid(ads, res, "objectSid", sid)) {
386 DEBUG(1,("No sid for %s !?\n", name));
390 if (!ads_pull_uint32(ads, res, "sAMAccountType", &t)) {
391 DEBUG(1,("No sAMAccountType for %s !?\n", name));
395 *type = ads_atype_map(t);
397 status = NT_STATUS_OK;
399 DEBUG(3,("ads name_to_sid mapped %s\n", name));
402 if (res) ads_msgfree(ads, res);
407 /* convert a sid to a user or group name */
408 static NTSTATUS sid_to_name(struct winbindd_domain *domain,
412 enum SID_NAME_USE *type)
414 ADS_STRUCT *ads = NULL;
415 const char *attrs[] = {"sAMAccountName", "sAMAccountType", NULL};
422 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
424 DEBUG(3,("ads: sid_to_name\n"));
426 ads = ads_cached_connection(domain);
429 sidstr = sid_binstring(sid);
430 asprintf(&exp, "(objectSid=%s)", sidstr);
431 rc = ads_search_retry(ads, &msg, exp, attrs);
435 DEBUG(1,("sid_to_name ads_search: %s\n", ads_errstr(rc)));
439 if (!ads_pull_uint32(ads, msg, "sAMAccountType", &atype)) {
443 s = ads_pull_string(ads, mem_ctx, msg, "sAMAccountName");
444 *name = talloc_asprintf(mem_ctx, "%s%s%s", domain->name, lp_winbind_separator(), s);
445 *type = ads_atype_map(atype);
447 status = NT_STATUS_OK;
449 DEBUG(3,("ads sid_to_name mapped %s\n", *name));
452 if (msg) ads_msgfree(ads, msg);
458 /* Lookup user information from a rid */
459 static NTSTATUS query_user(struct winbindd_domain *domain,
462 WINBIND_USERINFO *info)
464 ADS_STRUCT *ads = NULL;
465 const char *attrs[] = {"sAMAccountName", "name", "objectSid",
466 "primaryGroupID", NULL};
472 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
474 DEBUG(3,("ads: query_user\n"));
476 sid_from_rid(domain, user_rid, &sid);
478 ads = ads_cached_connection(domain);
481 sidstr = sid_binstring(&sid);
482 asprintf(&exp, "(objectSid=%s)", sidstr);
483 rc = ads_search_retry(ads, &msg, exp, attrs);
487 DEBUG(1,("query_user(rid=%d) ads_search: %s\n", user_rid, ads_errstr(rc)));
491 count = ads_count_replies(ads, msg);
493 DEBUG(1,("query_user(rid=%d): Not found\n", user_rid));
497 info->acct_name = ads_pull_string(ads, mem_ctx, msg, "sAMAccountName");
498 info->full_name = ads_pull_string(ads, mem_ctx, msg, "name");
499 if (!ads_pull_sid(ads, msg, "objectSid", &sid)) {
500 DEBUG(1,("No sid for %d !?\n", user_rid));
503 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &info->group_rid)) {
504 DEBUG(1,("No primary group for %d !?\n", user_rid));
508 if (!sid_peek_rid(&sid, &info->user_rid)) {
509 DEBUG(1,("No rid for %d !?\n", user_rid));
513 status = NT_STATUS_OK;
515 DEBUG(3,("ads query_user gave %s\n", info->acct_name));
517 if (msg) ads_msgfree(ads, msg);
523 /* Lookup groups a user is a member of. */
524 static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
527 uint32 *num_groups, uint32 **user_gids)
529 ADS_STRUCT *ads = NULL;
530 const char *attrs[] = {"distinguishedName", NULL};
531 const char *attrs2[] = {"tokenGroups", "primaryGroupID", NULL};
538 uint32 primary_group;
541 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
545 DEBUG(3,("ads: lookup_usergroups\n"));
549 sid_from_rid(domain, user_rid, &sid);
551 ads = ads_cached_connection(domain);
554 sidstr = sid_binstring(&sid);
555 asprintf(&exp, "(objectSid=%s)", sidstr);
556 rc = ads_search_retry(ads, &msg, exp, attrs);
560 DEBUG(1,("lookup_usergroups(rid=%d) ads_search: %s\n", user_rid, ads_errstr(rc)));
564 user_dn = ads_pull_string(ads, mem_ctx, msg, "distinguishedName");
566 if (msg) ads_msgfree(ads, msg);
568 rc = ads_search_retry_dn(ads, &msg, user_dn, attrs2);
570 DEBUG(1,("lookup_usergroups(rid=%d) ads_search tokenGroups: %s\n", user_rid, ads_errstr(rc)));
574 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &primary_group)) {
575 DEBUG(1,("%s: No primary group for rid=%d !?\n", domain->name, user_rid));
579 count = ads_pull_sids(ads, mem_ctx, msg, "tokenGroups", &sids) + 1;
580 (*user_gids) = (uint32 *)talloc(mem_ctx, sizeof(uint32) * count);
581 (*user_gids)[(*num_groups)++] = primary_group;
583 for (i=1;i<count;i++) {
585 if (!sid_peek_rid(&sids[i-1], &rid)) continue;
586 (*user_gids)[*num_groups] = rid;
590 status = NT_STATUS_OK;
591 DEBUG(3,("ads lookup_usergroups for rid=%d\n", user_rid));
593 if (msg) ads_msgfree(ads, msg);
599 static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
601 uint32 group_rid, uint32 *num_names,
602 uint32 **rid_mem, char ***names,
607 const char *attrs[] = {"sAMAccountName", "objectSid", "sAMAccountType", NULL};
609 void *res=NULL, *msg=NULL;
610 ADS_STRUCT *ads = NULL;
612 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
616 ads = ads_cached_connection(domain);
619 sid_from_rid(domain, group_rid, &group_sid);
620 sidstr = sid_binstring(&group_sid);
621 /* search for all users who have that group sid as primary group or as member */
622 asprintf(&exp, "(&(objectCategory=user)(|(primaryGroupID=%d)(memberOf=%s)))",
624 rc = ads_search_retry(ads, &res, exp, attrs);
628 DEBUG(1,("query_user_list ads_search: %s\n", ads_errstr(rc)));
632 count = ads_count_replies(ads, res);
634 status = NT_STATUS_OK;
638 (*rid_mem) = talloc(mem_ctx, sizeof(uint32) * count);
639 (*name_types) = talloc(mem_ctx, sizeof(uint32) * count);
640 (*names) = talloc(mem_ctx, sizeof(char *) * count);
642 for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
646 (*names)[*num_names] = ads_pull_string(ads, mem_ctx, msg, "sAMAccountName");
647 if (!ads_pull_uint32(ads, msg, "sAMAccountType", &atype)) {
650 (*name_types)[*num_names] = ads_atype_map(atype);
651 if (!ads_pull_sid(ads, msg, "objectSid", &sid)) {
652 DEBUG(1,("No sid for %s !?\n", (*names)[*num_names]));
655 if (!sid_peek_rid(&sid, &rid)) {
656 DEBUG(1,("No rid for %s !?\n", (*names)[*num_names]));
659 (*rid_mem)[*num_names] = rid;
663 status = NT_STATUS_OK;
664 DEBUG(3,("ads lookup_groupmem for rid=%d\n", group_rid));
666 if (res) ads_msgfree(ads, res);
671 /* find the sequence number for a domain */
672 static NTSTATUS sequence_number(struct winbindd_domain *domain, uint32 *seq)
674 ADS_STRUCT *ads = NULL;
676 *seq = DOM_SEQUENCE_NONE;
678 ads = ads_cached_connection(domain);
679 if (!ads) return NT_STATUS_UNSUCCESSFUL;
681 if (!ads_USN(ads, seq)) {
682 return NT_STATUS_UNSUCCESSFUL;
688 /* get a list of trusted domains */
689 static NTSTATUS trusted_domains(struct winbindd_domain *domain,
695 ADS_STRUCT *ads = NULL;
700 ads = ads_cached_connection(domain);
701 if (!ads) return NT_STATUS_UNSUCCESSFUL;
703 if (!ads_trusted_domains(ads, mem_ctx, num_domains, names, dom_sids)) {
704 return NT_STATUS_UNSUCCESSFUL;
710 /* find the domain sid for a domain */
711 static NTSTATUS domain_sid(struct winbindd_domain *domain, DOM_SID *sid)
713 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
714 const char *attrs[] = {"objectSid", NULL};
715 ADS_STRUCT *ads = NULL;
719 ads = ads_cached_connection(domain);
722 rc = ads_do_search(ads, ads->bind_path, LDAP_SCOPE_BASE, "(objectclass=*)",
725 if (ads_pull_sid(ads, res, "objectSid", sid)) {
726 status = NT_STATUS_OK;
728 ads_msgfree(ads, res);
734 /* the ADS backend methods are exposed via this structure */
735 struct winbindd_methods ads_methods = {