2 Unix SMB/CIFS implementation.
4 Winbind ADS backend functions
6 Copyright (C) Andrew Tridgell 2001
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003
8 Copyright (C) Gerald (Jerry) Carter 2004
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 2 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program; if not, write to the Free Software
22 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
31 #define DBGC_CLASS DBGC_WINBIND
34 return our ads connections structure for a domain. We keep the connection
35 open to make things faster
37 static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain)
42 if (domain->private_data) {
43 ads = (ADS_STRUCT *)domain->private_data;
45 /* check for a valid structure */
47 DEBUG(7, ("Current tickets expire at %d, time is now %d\n",
48 (uint32) ads->auth.expire, (uint32) time(NULL)));
49 if ( ads->config.realm && (ads->auth.expire > time(NULL))) {
53 /* we own this ADS_STRUCT so make sure it goes away */
56 ads_kdestroy("MEMORY:winbind_ccache");
57 domain->private_data = NULL;
61 /* we don't want this to affect the users ccache */
62 setenv("KRB5CCNAME", "MEMORY:winbind_ccache", 1);
64 ads = ads_init(domain->alt_name, domain->name, NULL);
66 DEBUG(1,("ads_init for domain %s failed\n", domain->name));
70 /* the machine acct password might have change - fetch it every time */
71 SAFE_FREE(ads->auth.password);
72 ads->auth.password = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
74 SAFE_FREE(ads->auth.realm);
75 ads->auth.realm = SMB_STRDUP(lp_realm());
77 status = ads_connect(ads);
78 if (!ADS_ERR_OK(status) || !ads->config.realm) {
79 extern struct winbindd_methods msrpc_methods, cache_methods;
80 DEBUG(1,("ads_connect for domain %s failed: %s\n",
81 domain->name, ads_errstr(status)));
84 /* if we get ECONNREFUSED then it might be a NT4
85 server, fall back to MSRPC */
86 if (status.error_type == ENUM_ADS_ERROR_SYSTEM &&
87 status.err.rc == ECONNREFUSED) {
88 DEBUG(1,("Trying MSRPC methods\n"));
89 if (domain->methods == &cache_methods) {
90 domain->backend = &msrpc_methods;
92 domain->methods = &msrpc_methods;
98 /* set the flag that says we don't own the memory even
99 though we do so that ads_destroy() won't destroy the
100 structure we pass back by reference */
102 ads->is_mine = False;
104 domain->private_data = (void *)ads;
109 /* Query display info for a realm. This is the basic user list fn */
110 static NTSTATUS query_user_list(struct winbindd_domain *domain,
113 WINBIND_USERINFO **info)
115 ADS_STRUCT *ads = NULL;
116 const char *attrs[] = {"userPrincipalName",
118 "name", "objectSid", "primaryGroupID",
119 "sAMAccountType", NULL};
124 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
128 DEBUG(3,("ads: query_user_list\n"));
130 ads = ads_cached_connection(domain);
133 domain->last_status = NT_STATUS_SERVER_DISABLED;
137 rc = ads_search_retry(ads, &res, "(objectClass=user)", attrs);
138 if (!ADS_ERR_OK(rc) || !res) {
139 DEBUG(1,("query_user_list ads_search: %s\n", ads_errstr(rc)));
143 count = ads_count_replies(ads, res);
145 DEBUG(1,("query_user_list: No users found\n"));
149 (*info) = TALLOC_ZERO_ARRAY(mem_ctx, WINBIND_USERINFO, count);
151 status = NT_STATUS_NO_MEMORY;
157 for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
162 if (!ads_pull_uint32(ads, msg, "sAMAccountType", &atype) ||
163 ads_atype_map(atype) != SID_NAME_USER) {
164 DEBUG(1,("Not a user account? atype=0x%x\n", atype));
168 name = ads_pull_username(ads, mem_ctx, msg);
169 gecos = ads_pull_string(ads, mem_ctx, msg, "name");
170 if (!ads_pull_sid(ads, msg, "objectSid",
171 &(*info)[i].user_sid)) {
172 DEBUG(1,("No sid for %s !?\n", name));
175 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &group)) {
176 DEBUG(1,("No primary group for %s !?\n", name));
180 (*info)[i].acct_name = name;
181 (*info)[i].full_name = gecos;
182 sid_compose(&(*info)[i].group_sid, &domain->sid, group);
187 status = NT_STATUS_OK;
189 DEBUG(3,("ads query_user_list gave %d entries\n", (*num_entries)));
193 ads_msgfree(ads, res);
198 /* list all domain groups */
199 static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
202 struct acct_info **info)
204 ADS_STRUCT *ads = NULL;
205 const char *attrs[] = {"userPrincipalName", "sAMAccountName",
207 "sAMAccountType", NULL};
212 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
217 DEBUG(3,("ads: enum_dom_groups\n"));
219 ads = ads_cached_connection(domain);
222 domain->last_status = NT_STATUS_SERVER_DISABLED;
226 rc = ads_search_retry(ads, &res, "(objectCategory=group)", attrs);
227 if (!ADS_ERR_OK(rc) || !res) {
228 DEBUG(1,("enum_dom_groups ads_search: %s\n", ads_errstr(rc)));
232 count = ads_count_replies(ads, res);
234 DEBUG(1,("enum_dom_groups: No groups found\n"));
238 (*info) = TALLOC_ZERO_ARRAY(mem_ctx, struct acct_info, count);
240 status = NT_STATUS_NO_MEMORY;
246 group_flags = ATYPE_GLOBAL_GROUP;
248 /* only grab domain local groups for our domain */
249 if ( domain->native_mode && strequal(lp_realm(), domain->alt_name) )
250 group_flags |= ATYPE_LOCAL_GROUP;
252 for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
258 if (!ads_pull_uint32(ads, msg, "sAMAccountType", &account_type) || !(account_type & group_flags) )
261 name = ads_pull_username(ads, mem_ctx, msg);
262 gecos = ads_pull_string(ads, mem_ctx, msg, "name");
263 if (!ads_pull_sid(ads, msg, "objectSid", &sid)) {
264 DEBUG(1,("No sid for %s !?\n", name));
268 if (!sid_peek_check_rid(&domain->sid, &sid, &rid)) {
269 DEBUG(1,("No rid for %s !?\n", name));
273 fstrcpy((*info)[i].acct_name, name);
274 fstrcpy((*info)[i].acct_desc, gecos);
275 (*info)[i].rid = rid;
281 status = NT_STATUS_OK;
283 DEBUG(3,("ads enum_dom_groups gave %d entries\n", (*num_entries)));
287 ads_msgfree(ads, res);
292 /* list all domain local groups */
293 static NTSTATUS enum_local_groups(struct winbindd_domain *domain,
296 struct acct_info **info)
299 * This is a stub function only as we returned the domain
300 * local groups in enum_dom_groups() if the domain->native field
301 * was true. This is a simple performance optimization when
304 * if we ever need to enumerate domain local groups separately,
305 * then this the optimization in enum_dom_groups() will need
313 /* convert a DN to a name, SID and name type
314 this might become a major speed bottleneck if groups have
315 lots of users, in which case we could cache the results
317 static BOOL dn_lookup(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx,
319 char **name, uint32 *name_type, DOM_SID *sid)
322 const char *attrs[] = {"userPrincipalName", "sAMAccountName",
323 "objectSid", "sAMAccountType", NULL};
326 DEBUG(3,("ads: dn_lookup\n"));
328 rc = ads_search_retry_dn(ads, &res, dn, attrs);
330 if (!ADS_ERR_OK(rc) || !res) {
334 (*name) = ads_pull_username(ads, mem_ctx, res);
336 if (!ads_pull_uint32(ads, res, "sAMAccountType", &atype)) {
339 (*name_type) = ads_atype_map(atype);
341 if (!ads_pull_sid(ads, res, "objectSid", sid)) {
346 ads_msgfree(ads, res);
352 ads_msgfree(ads, res);
357 /* Lookup user information from a rid */
358 static NTSTATUS query_user(struct winbindd_domain *domain,
361 WINBIND_USERINFO *info)
363 ADS_STRUCT *ads = NULL;
364 const char *attrs[] = {"userPrincipalName",
367 "primaryGroupID", NULL};
374 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
376 DEBUG(3,("ads: query_user\n"));
378 ads = ads_cached_connection(domain);
381 domain->last_status = NT_STATUS_SERVER_DISABLED;
385 sidstr = sid_binstring(sid);
386 asprintf(&ldap_exp, "(objectSid=%s)", sidstr);
387 rc = ads_search_retry(ads, &msg, ldap_exp, attrs);
390 if (!ADS_ERR_OK(rc) || !msg) {
391 DEBUG(1,("query_user(sid=%s) ads_search: %s\n",
392 sid_string_static(sid), ads_errstr(rc)));
396 count = ads_count_replies(ads, msg);
398 DEBUG(1,("query_user(sid=%s): Not found\n",
399 sid_string_static(sid)));
403 info->acct_name = ads_pull_username(ads, mem_ctx, msg);
404 info->full_name = ads_pull_string(ads, mem_ctx, msg, "name");
406 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &group_rid)) {
407 DEBUG(1,("No primary group for %s !?\n",
408 sid_string_static(sid)));
412 sid_copy(&info->user_sid, sid);
413 sid_compose(&info->group_sid, &domain->sid, group_rid);
415 status = NT_STATUS_OK;
417 DEBUG(3,("ads query_user gave %s\n", info->acct_name));
420 ads_msgfree(ads, msg);
425 /* Lookup groups a user is a member of - alternate method, for when
426 tokenGroups are not available. */
427 static NTSTATUS lookup_usergroups_alt(struct winbindd_domain *domain,
430 DOM_SID *primary_group,
431 uint32 *num_groups, DOM_SID **user_sids)
434 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
440 const char *group_attrs[] = {"objectSid", NULL};
443 DEBUG(3,("ads: lookup_usergroups_alt\n"));
445 ads = ads_cached_connection(domain);
448 domain->last_status = NT_STATUS_SERVER_DISABLED;
452 if (!(escaped_dn = escape_ldap_string_alloc(user_dn))) {
453 status = NT_STATUS_NO_MEMORY;
457 /* buggy server, no tokenGroups. Instead lookup what groups this user
458 is a member of by DN search on member*/
460 if (!(ldap_exp = talloc_asprintf(mem_ctx, "(&(member=%s)(objectClass=group))", escaped_dn))) {
461 DEBUG(1,("lookup_usergroups(dn=%s) asprintf failed!\n", user_dn));
462 SAFE_FREE(escaped_dn);
463 status = NT_STATUS_NO_MEMORY;
467 SAFE_FREE(escaped_dn);
469 rc = ads_search_retry(ads, &res, ldap_exp, group_attrs);
471 if (!ADS_ERR_OK(rc) || !res) {
472 DEBUG(1,("lookup_usergroups ads_search member=%s: %s\n", user_dn, ads_errstr(rc)));
473 return ads_ntstatus(rc);
476 count = ads_count_replies(ads, res);
478 DEBUG(5,("lookup_usergroups: No supp groups found\n"));
480 status = ads_ntstatus(rc);
487 add_sid_to_array(mem_ctx, primary_group, user_sids, num_groups);
489 for (msg = ads_first_entry(ads, res); msg;
490 msg = ads_next_entry(ads, msg)) {
493 if (!ads_pull_sid(ads, msg, "objectSid", &group_sid)) {
494 DEBUG(1,("No sid for this group ?!?\n"));
498 add_sid_to_array(mem_ctx, &group_sid, user_sids, num_groups);
501 status = (user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
503 DEBUG(3,("ads lookup_usergroups (alt) for dn=%s\n", user_dn));
506 ads_msgfree(ads, res);
511 /* Lookup groups a user is a member of. */
512 static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
515 uint32 *num_groups, DOM_SID **user_sids)
517 ADS_STRUCT *ads = NULL;
518 const char *attrs[] = {"tokenGroups", "primaryGroupID", NULL};
521 LDAPMessage *msg = NULL;
525 DOM_SID primary_group;
526 uint32 primary_group_rid;
528 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
530 DEBUG(3,("ads: lookup_usergroups\n"));
533 ads = ads_cached_connection(domain);
536 domain->last_status = NT_STATUS_SERVER_DISABLED;
537 status = NT_STATUS_SERVER_DISABLED;
541 rc = ads_sid_to_dn(ads, mem_ctx, sid, &user_dn);
542 if (!ADS_ERR_OK(rc)) {
543 status = ads_ntstatus(rc);
547 rc = ads_search_retry_dn(ads, (void**)&msg, user_dn, attrs);
548 if (!ADS_ERR_OK(rc)) {
549 status = ads_ntstatus(rc);
550 DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: %s\n",
551 sid_to_string(sid_string, sid), ads_errstr(rc)));
556 DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: NULL msg\n",
557 sid_to_string(sid_string, sid)));
558 status = NT_STATUS_UNSUCCESSFUL;
562 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &primary_group_rid)) {
563 DEBUG(1,("%s: No primary group for sid=%s !?\n",
564 domain->name, sid_to_string(sid_string, sid)));
568 sid_copy(&primary_group, &domain->sid);
569 sid_append_rid(&primary_group, primary_group_rid);
571 count = ads_pull_sids(ads, mem_ctx, msg, "tokenGroups", &sids);
574 ads_msgfree(ads, msg);
576 /* there must always be at least one group in the token,
577 unless we are talking to a buggy Win2k server */
579 return lookup_usergroups_alt(domain, mem_ctx, user_dn,
581 num_groups, user_sids);
587 add_sid_to_array(mem_ctx, &primary_group, user_sids, num_groups);
589 for (i=0;i<count;i++)
590 add_sid_to_array_unique(mem_ctx, &sids[i],
591 user_sids, num_groups);
593 status = (user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
595 DEBUG(3,("ads lookup_usergroups for sid=%s\n",
596 sid_to_string(sid_string, sid)));
602 find the members of a group, given a group rid and domain
604 static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
606 const DOM_SID *group_sid, uint32 *num_names,
607 DOM_SID **sid_mem, char ***names,
613 ADS_STRUCT *ads = NULL;
615 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
626 DEBUG(10,("ads: lookup_groupmem %s sid=%s\n", domain->name,
627 sid_string_static(group_sid)));
631 ads = ads_cached_connection(domain);
634 domain->last_status = NT_STATUS_SERVER_DISABLED;
638 sidstr = sid_binstring(group_sid);
640 /* search for all members of the group */
641 if (!(ldap_exp = talloc_asprintf(mem_ctx, "(objectSid=%s)",sidstr))) {
643 DEBUG(1, ("ads: lookup_groupmem: tallloc_asprintf for ldap_exp failed!\n"));
644 status = NT_STATUS_NO_MEMORY;
652 attrs = TALLOC_ARRAY(mem_ctx, const char *, 3);
653 attrs[1] = talloc_strdup(mem_ctx, "usnChanged");
657 if (num_members == 0)
658 attrs[0] = talloc_strdup(mem_ctx, "member");
660 DEBUG(10, ("Searching for attrs[0] = %s, attrs[1] = %s\n", attrs[0], attrs[1]));
662 rc = ads_search_retry(ads, &res, ldap_exp, attrs);
664 if (!ADS_ERR_OK(rc) || !res) {
665 DEBUG(1,("ads: lookup_groupmem ads_search: %s\n",
667 status = ads_ntstatus(rc);
671 count = ads_count_replies(ads, res);
675 if (num_members == 0) {
676 if (!ads_pull_uint32(ads, res, "usnChanged", &first_usn)) {
677 DEBUG(1, ("ads: lookup_groupmem could not pull usnChanged!\n"));
682 if (!ads_pull_uint32(ads, res, "usnChanged", ¤t_usn)) {
683 DEBUG(1, ("ads: lookup_groupmem could not pull usnChanged!\n"));
687 if (first_usn != current_usn) {
688 DEBUG(5, ("ads: lookup_groupmem USN on this record changed"
689 " - restarting search\n"));
690 if (num_retries < 5) {
695 DEBUG(5, ("ads: lookup_groupmem USN on this record changed"
696 " - restarted search too many times, aborting!\n"));
697 status = NT_STATUS_UNSUCCESSFUL;
702 members = ads_pull_strings_range(ads, mem_ctx, res,
709 if ((members == NULL) || (num_members == 0))
712 } while (more_values);
714 /* now we need to turn a list of members into rids, names and name types
715 the problem is that the members are in the form of distinguised names
718 (*sid_mem) = TALLOC_ZERO_ARRAY(mem_ctx, DOM_SID, num_members);
719 (*name_types) = TALLOC_ZERO_ARRAY(mem_ctx, uint32, num_members);
720 (*names) = TALLOC_ZERO_ARRAY(mem_ctx, char *, num_members);
722 for (i=0;i<num_members;i++) {
727 if (dn_lookup(ads, mem_ctx, members[i], &name, &name_type, &sid)) {
728 (*names)[*num_names] = name;
729 (*name_types)[*num_names] = name_type;
730 sid_copy(&(*sid_mem)[*num_names], &sid);
735 status = NT_STATUS_OK;
736 DEBUG(3,("ads lookup_groupmem for sid=%s\n", sid_to_string(sid_string, group_sid)));
740 ads_msgfree(ads, res);
745 /* find the sequence number for a domain */
746 static NTSTATUS sequence_number(struct winbindd_domain *domain, uint32 *seq)
748 ADS_STRUCT *ads = NULL;
751 DEBUG(3,("ads: fetch sequence_number for %s\n", domain->name));
753 *seq = DOM_SEQUENCE_NONE;
755 ads = ads_cached_connection(domain);
758 domain->last_status = NT_STATUS_SERVER_DISABLED;
759 return NT_STATUS_UNSUCCESSFUL;
762 rc = ads_USN(ads, seq);
764 if (!ADS_ERR_OK(rc)) {
766 /* its a dead connection ; don't destroy it
767 through since ads_USN() has already done
770 domain->private_data = NULL;
772 return ads_ntstatus(rc);
775 /* get a list of trusted domains */
776 static NTSTATUS trusted_domains(struct winbindd_domain *domain,
783 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
784 struct ds_domain_trust *domains = NULL;
787 /* i think we only need our forest and downlevel trusted domains */
788 uint32 flags = DS_DOMAIN_IN_FOREST | DS_DOMAIN_DIRECT_OUTBOUND;
789 struct rpc_pipe_client *cli;
791 DEBUG(3,("ads: trusted_domains\n"));
799 unsigned char *session_key;
802 result = cm_connect_netlogon(domain, mem_ctx, &cli,
803 &session_key, &creds);
806 if (!NT_STATUS_IS_OK(result)) {
807 DEBUG(5, ("trusted_domains: Could not open a connection to %s "
808 "for PIPE_NETLOGON (%s)\n",
809 domain->name, nt_errstr(result)));
810 return NT_STATUS_UNSUCCESSFUL;
813 if ( NT_STATUS_IS_OK(result) )
814 result = rpccli_ds_enum_domain_trusts(cli, mem_ctx,
817 (unsigned int *)&count);
819 if ( NT_STATUS_IS_OK(result) && count) {
821 /* Allocate memory for trusted domain names and sids */
823 if ( !(*names = TALLOC_ARRAY(mem_ctx, char *, count)) ) {
824 DEBUG(0, ("trusted_domains: out of memory\n"));
825 return NT_STATUS_NO_MEMORY;
828 if ( !(*alt_names = TALLOC_ARRAY(mem_ctx, char *, count)) ) {
829 DEBUG(0, ("trusted_domains: out of memory\n"));
830 return NT_STATUS_NO_MEMORY;
833 if ( !(*dom_sids = TALLOC_ARRAY(mem_ctx, DOM_SID, count)) ) {
834 DEBUG(0, ("trusted_domains: out of memory\n"));
835 return NT_STATUS_NO_MEMORY;
838 /* Copy across names and sids */
840 for (i = 0; i < count; i++) {
841 (*names)[i] = domains[i].netbios_domain;
842 (*alt_names)[i] = domains[i].dns_domain;
844 sid_copy(&(*dom_sids)[i], &domains[i].sid);
847 *num_domains = count;
853 /* find alternate names list for the domain - for ADS this is the
855 static NTSTATUS alternate_name(struct winbindd_domain *domain)
860 const char *workgroup;
862 DEBUG(3,("ads: alternate_name\n"));
864 ads = ads_cached_connection(domain);
867 domain->last_status = NT_STATUS_SERVER_DISABLED;
868 return NT_STATUS_UNSUCCESSFUL;
871 if (!(ctx = talloc_init("alternate_name"))) {
872 return NT_STATUS_NO_MEMORY;
875 rc = ads_workgroup_name(ads, ctx, &workgroup);
877 if (ADS_ERR_OK(rc)) {
878 fstrcpy(domain->name, workgroup);
879 fstrcpy(domain->alt_name, ads->config.realm);
880 strupper_m(domain->alt_name);
881 strupper_m(domain->name);
886 return ads_ntstatus(rc);
889 /* the ADS backend methods are exposed via this structure */
890 struct winbindd_methods ads_methods = {
899 msrpc_lookup_useraliases,
git.samba.org / tprouty / samba.git / blob