2 * idmap_ad: map between Active Directory and RFC 2307 or "Services for Unix" (SFU) Accounts
4 * Unix SMB/CIFS implementation.
6 * Winbind ADS backend functions
8 * Copyright (C) Andrew Tridgell 2001
9 * Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003
10 * Copyright (C) Gerald (Jerry) Carter 2004-2007
11 * Copyright (C) Luke Howard 2001-2004
12 * Copyright (C) Michael Adam 2008,2010
14 * This program is free software; you can redistribute it and/or modify
15 * it under the terms of the GNU General Public License as published by
16 * the Free Software Foundation; either version 3 of the License, or
17 * (at your option) any later version.
19 * This program is distributed in the hope that it will be useful,
20 * but WITHOUT ANY WARRANTY; without even the implied warranty of
21 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 * GNU General Public License for more details.
24 * You should have received a copy of the GNU General Public License
25 * along with this program; if not, see <http://www.gnu.org/licenses/>.
30 #include "../libds/common/flags.h"
32 #include "libads/ldap_schema.h"
36 #include "../libcli/ldap/ldap_ndr.h"
37 #include "../libcli/security/security.h"
40 #define DBGC_CLASS DBGC_IDMAP
42 #define WINBIND_CCACHE_NAME "MEMORY:winbind_ccache"
44 #define IDMAP_AD_MAX_IDS 30
45 #define CHECK_ALLOC_DONE(mem) do { \
47 DEBUG(0, ("Out of memory!\n")); \
48 ret = NT_STATUS_NO_MEMORY; \
53 struct idmap_ad_context {
55 struct posix_schema *ad_schema;
56 enum wb_posix_mapping ad_map_type; /* WB_POSIX_MAP_UNKNOWN */
59 /************************************************************************
60 ***********************************************************************/
62 static ADS_STATUS ad_idmap_cached_connection_internal(struct idmap_domain *dom)
68 struct sockaddr_storage dc_ip;
69 struct idmap_ad_context *ctx;
70 char *ldap_server = NULL;
72 struct winbindd_domain *wb_dom;
74 DEBUG(10, ("ad_idmap_cached_connection: called for domain '%s'\n",
77 ctx = talloc_get_type(dom->private_data, struct idmap_ad_context);
79 if (ctx->ads != NULL) {
82 time_t now = time(NULL);
86 expire = MIN(ads->auth.tgt_expire, ads->auth.tgs_expire);
88 /* check for a valid structure */
89 DEBUG(7, ("Current tickets expire in %d seconds (at %d, time is now %d)\n",
90 (uint32)expire-(uint32)now, (uint32) expire, (uint32) now));
92 if ( ads->config.realm && (expire > time(NULL))) {
95 /* we own this ADS_STRUCT so make sure it goes away */
96 DEBUG(7,("Deleting expired krb5 credential cache\n"));
99 ads_kdestroy(WINBIND_CCACHE_NAME);
105 /* we don't want this to affect the users ccache */
106 setenv("KRB5CCNAME", WINBIND_CCACHE_NAME, 1);
110 * At this point we only have the NetBIOS domain name.
111 * Check if we can get server nam and realm from SAF cache
112 * and the domain list.
114 ldap_server = saf_fetch(dom->name);
115 DEBUG(10, ("ldap_server from saf cache: '%s'\n", ldap_server?ldap_server:""));
117 wb_dom = find_domain_from_name_noinit(dom->name);
118 if (wb_dom == NULL) {
119 DEBUG(10, ("find_domain_from_name_noinit did not find domain '%s'\n",
123 DEBUG(10, ("find_domain_from_name_noinit found realm '%s' for "
124 " domain '%s'\n", wb_dom->alt_name, dom->name));
125 realm = wb_dom->alt_name;
128 if ( (ads = ads_init(realm, dom->name, ldap_server)) == NULL ) {
129 DEBUG(1,("ads_init failed\n"));
130 return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
133 /* the machine acct password might have change - fetch it every time */
134 SAFE_FREE(ads->auth.password);
135 ads->auth.password = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
137 SAFE_FREE(ads->auth.realm);
138 ads->auth.realm = SMB_STRDUP(lp_realm());
140 /* setup server affinity */
142 get_dc_name(dom->name, realm, dc_name, &dc_ip );
144 status = ads_connect(ads);
145 if (!ADS_ERR_OK(status)) {
146 DEBUG(1, ("ad_idmap_cached_connection_internal: failed to "
152 ads->is_mine = False;
159 /************************************************************************
160 ***********************************************************************/
162 static ADS_STATUS ad_idmap_cached_connection(struct idmap_domain *dom)
165 struct idmap_ad_context * ctx;
167 status = ad_idmap_cached_connection_internal(dom);
168 if (!ADS_ERR_OK(status)) {
172 ctx = talloc_get_type(dom->private_data, struct idmap_ad_context);
174 /* if we have a valid ADS_STRUCT and the schema model is
175 defined, then we can return here. */
177 if ( ctx->ad_schema ) {
181 /* Otherwise, set the schema model */
183 if ( (ctx->ad_map_type == WB_POSIX_MAP_SFU) ||
184 (ctx->ad_map_type == WB_POSIX_MAP_SFU20) ||
185 (ctx->ad_map_type == WB_POSIX_MAP_RFC2307) )
187 status = ads_check_posix_schema_mapping(
188 ctx, ctx->ads, ctx->ad_map_type, &ctx->ad_schema);
189 if ( !ADS_ERR_OK(status) ) {
190 DEBUG(2,("ad_idmap_cached_connection: Failed to obtain schema details!\n"));
197 static int idmap_ad_context_destructor(struct idmap_ad_context *ctx)
199 if (ctx->ads != NULL) {
200 /* we own this ADS_STRUCT so make sure it goes away */
201 ctx->ads->is_mine = True;
202 ads_destroy( &ctx->ads );
208 /************************************************************************
209 ***********************************************************************/
211 static NTSTATUS idmap_ad_initialize(struct idmap_domain *dom)
213 struct idmap_ad_context *ctx;
215 const char *schema_mode = NULL;
217 ctx = talloc_zero(dom, struct idmap_ad_context);
219 DEBUG(0, ("Out of memory!\n"));
220 return NT_STATUS_NO_MEMORY;
222 talloc_set_destructor(ctx, idmap_ad_context_destructor);
224 config_option = talloc_asprintf(ctx, "idmap config %s", dom->name);
225 if (config_option == NULL) {
226 DEBUG(0, ("Out of memory!\n"));
228 return NT_STATUS_NO_MEMORY;
231 /* default map type */
232 ctx->ad_map_type = WB_POSIX_MAP_RFC2307;
235 schema_mode = lp_parm_const_string(-1, config_option, "schema_mode", NULL);
236 if ( schema_mode && schema_mode[0] ) {
237 if ( strequal(schema_mode, "sfu") )
238 ctx->ad_map_type = WB_POSIX_MAP_SFU;
239 else if ( strequal(schema_mode, "sfu20" ) )
240 ctx->ad_map_type = WB_POSIX_MAP_SFU20;
241 else if ( strequal(schema_mode, "rfc2307" ) )
242 ctx->ad_map_type = WB_POSIX_MAP_RFC2307;
244 DEBUG(0,("idmap_ad_initialize: Unknown schema_mode (%s)\n",
248 dom->private_data = ctx;
250 talloc_free(config_option);
255 /************************************************************************
256 Search up to IDMAP_AD_MAX_IDS entries in maps for a match.
257 ***********************************************************************/
259 static struct id_map *find_map_by_id(struct id_map **maps, enum id_type type, uint32_t id)
263 for (i = 0; maps[i] && i<IDMAP_AD_MAX_IDS; i++) {
264 if ((maps[i]->xid.type == type) && (maps[i]->xid.id == id)) {
272 /************************************************************************
273 Search up to IDMAP_AD_MAX_IDS entries in maps for a match
274 ***********************************************************************/
276 static struct id_map *find_map_by_sid(struct id_map **maps, struct dom_sid *sid)
280 for (i = 0; maps[i] && i<IDMAP_AD_MAX_IDS; i++) {
281 if (dom_sid_equal(maps[i]->sid, sid)) {
289 /************************************************************************
290 ***********************************************************************/
292 static NTSTATUS idmap_ad_unixids_to_sids(struct idmap_domain *dom, struct id_map **ids)
296 struct idmap_ad_context *ctx;
298 const char *attrs[] = { "sAMAccountType",
300 NULL, /* uidnumber */
301 NULL, /* gidnumber */
303 LDAPMessage *res = NULL;
304 LDAPMessage *entry = NULL;
310 char *u_filter = NULL;
311 char *g_filter = NULL;
313 /* initialize the status to avoid suprise */
314 for (i = 0; ids[i]; i++) {
315 ids[i]->status = ID_UNKNOWN;
318 /* Only do query if we are online */
319 if (idmap_is_offline()) {
320 return NT_STATUS_FILE_IS_OFFLINE;
323 ctx = talloc_get_type(dom->private_data, struct idmap_ad_context);
325 if ( (memctx = talloc_new(ctx)) == NULL ) {
326 DEBUG(0, ("Out of memory!\n"));
327 return NT_STATUS_NO_MEMORY;
330 rc = ad_idmap_cached_connection(dom);
331 if (!ADS_ERR_OK(rc)) {
332 DEBUG(1, ("ADS uninitialized: %s\n", ads_errstr(rc)));
333 ret = NT_STATUS_UNSUCCESSFUL;
334 /* ret = ads_ntstatus(rc); */
338 attrs[2] = ctx->ad_schema->posix_uidnumber_attr;
339 attrs[3] = ctx->ad_schema->posix_gidnumber_attr;
343 for (i = 0; (i < IDMAP_AD_MAX_IDS) && ids[idx]; i++, idx++) {
344 switch (ids[idx]->xid.type) {
347 u_filter = talloc_asprintf(memctx, "(&(|"
348 "(sAMAccountType=%d)"
349 "(sAMAccountType=%d)"
350 "(sAMAccountType=%d))(|",
351 ATYPE_NORMAL_ACCOUNT,
352 ATYPE_WORKSTATION_TRUST,
353 ATYPE_INTERDOMAIN_TRUST);
355 u_filter = talloc_asprintf_append_buffer(u_filter, "(%s=%lu)",
356 ctx->ad_schema->posix_uidnumber_attr,
357 (unsigned long)ids[idx]->xid.id);
358 CHECK_ALLOC_DONE(u_filter);
363 g_filter = talloc_asprintf(memctx, "(&(|"
364 "(sAMAccountType=%d)"
365 "(sAMAccountType=%d))(|",
366 ATYPE_SECURITY_GLOBAL_GROUP,
367 ATYPE_SECURITY_LOCAL_GROUP);
369 g_filter = talloc_asprintf_append_buffer(g_filter, "(%s=%lu)",
370 ctx->ad_schema->posix_gidnumber_attr,
371 (unsigned long)ids[idx]->xid.id);
372 CHECK_ALLOC_DONE(g_filter);
376 DEBUG(3, ("Error: mapping requested but Unknown ID type\n"));
377 ids[idx]->status = ID_UNKNOWN;
381 filter = talloc_asprintf(memctx, "(|");
382 CHECK_ALLOC_DONE(filter);
384 filter = talloc_asprintf_append_buffer(filter, "%s))", u_filter);
385 CHECK_ALLOC_DONE(filter);
386 TALLOC_FREE(u_filter);
389 filter = talloc_asprintf_append_buffer(filter, "%s))", g_filter);
390 CHECK_ALLOC_DONE(filter);
391 TALLOC_FREE(g_filter);
393 filter = talloc_asprintf_append_buffer(filter, ")");
394 CHECK_ALLOC_DONE(filter);
396 rc = ads_search_retry(ctx->ads, &res, filter, attrs);
397 if (!ADS_ERR_OK(rc)) {
398 DEBUG(1, ("ERROR: ads search returned: %s\n", ads_errstr(rc)));
399 ret = NT_STATUS_UNSUCCESSFUL;
403 if ( (count = ads_count_replies(ctx->ads, res)) == 0 ) {
404 DEBUG(10, ("No IDs found\n"));
408 for (i = 0; (i < count) && entry; i++) {
415 if (i == 0) { /* first entry */
416 entry = ads_first_entry(ctx->ads, entry);
417 } else { /* following ones */
418 entry = ads_next_entry(ctx->ads, entry);
422 DEBUG(2, ("ERROR: Unable to fetch ldap entries from results\n"));
426 /* first check if the SID is present */
427 if (!ads_pull_sid(ctx->ads, entry, "objectSid", &sid)) {
428 DEBUG(2, ("Could not retrieve SID from entry\n"));
433 if (!ads_pull_uint32(ctx->ads, entry, "sAMAccountType", &atype)) {
434 DEBUG(1, ("could not get SAM account type\n"));
438 switch (atype & 0xF0000000) {
439 case ATYPE_SECURITY_GLOBAL_GROUP:
440 case ATYPE_SECURITY_LOCAL_GROUP:
443 case ATYPE_NORMAL_ACCOUNT:
444 case ATYPE_WORKSTATION_TRUST:
445 case ATYPE_INTERDOMAIN_TRUST:
449 DEBUG(1, ("unrecognized SAM account type %08x\n", atype));
453 if (!ads_pull_uint32(ctx->ads, entry, (type==ID_TYPE_UID) ?
454 ctx->ad_schema->posix_uidnumber_attr :
455 ctx->ad_schema->posix_gidnumber_attr,
458 DEBUG(1, ("Could not get unix ID\n"));
462 if (!idmap_unix_id_is_in_range(id, dom)) {
463 DEBUG(5, ("Requested id (%u) out of range (%u - %u). Filtered!\n",
464 id, dom->low_id, dom->high_id));
468 map = find_map_by_id(&ids[bidx], type, id);
470 DEBUG(2, ("WARNING: couldn't match result with requested ID\n"));
474 sid_copy(map->sid, &sid);
477 map->status = ID_MAPPED;
479 DEBUG(10, ("Mapped %s -> %lu (%d)\n", sid_string_dbg(map->sid),
480 (unsigned long)map->xid.id,
485 ads_msgfree(ctx->ads, res);
488 if (ids[idx]) { /* still some values to map */
494 /* mark all unknown/expired ones as unmapped */
495 for (i = 0; ids[i]; i++) {
496 if (ids[i]->status != ID_MAPPED)
497 ids[i]->status = ID_UNMAPPED;
505 /************************************************************************
506 ***********************************************************************/
508 static NTSTATUS idmap_ad_sids_to_unixids(struct idmap_domain *dom, struct id_map **ids)
512 struct idmap_ad_context *ctx;
514 const char *attrs[] = { "sAMAccountType",
516 NULL, /* attr_uidnumber */
517 NULL, /* attr_gidnumber */
519 LDAPMessage *res = NULL;
520 LDAPMessage *entry = NULL;
528 /* initialize the status to avoid suprise */
529 for (i = 0; ids[i]; i++) {
530 ids[i]->status = ID_UNKNOWN;
533 /* Only do query if we are online */
534 if (idmap_is_offline()) {
535 return NT_STATUS_FILE_IS_OFFLINE;
538 ctx = talloc_get_type(dom->private_data, struct idmap_ad_context);
540 if ( (memctx = talloc_new(ctx)) == NULL ) {
541 DEBUG(0, ("Out of memory!\n"));
542 return NT_STATUS_NO_MEMORY;
545 rc = ad_idmap_cached_connection(dom);
546 if (!ADS_ERR_OK(rc)) {
547 DEBUG(1, ("ADS uninitialized: %s\n", ads_errstr(rc)));
548 ret = NT_STATUS_UNSUCCESSFUL;
549 /* ret = ads_ntstatus(rc); */
553 if (ctx->ad_schema == NULL) {
554 DEBUG(0, ("haven't got ctx->ad_schema ! \n"));
555 ret = NT_STATUS_UNSUCCESSFUL;
559 attrs[2] = ctx->ad_schema->posix_uidnumber_attr;
560 attrs[3] = ctx->ad_schema->posix_gidnumber_attr;
563 filter = talloc_asprintf(memctx, "(&(|"
564 "(sAMAccountType=%d)(sAMAccountType=%d)(sAMAccountType=%d)" /* user account types */
565 "(sAMAccountType=%d)(sAMAccountType=%d)" /* group account types */
567 ATYPE_NORMAL_ACCOUNT, ATYPE_WORKSTATION_TRUST, ATYPE_INTERDOMAIN_TRUST,
568 ATYPE_SECURITY_GLOBAL_GROUP, ATYPE_SECURITY_LOCAL_GROUP);
570 CHECK_ALLOC_DONE(filter);
573 for (i = 0; (i < IDMAP_AD_MAX_IDS) && ids[idx]; i++, idx++) {
575 ids[idx]->status = ID_UNKNOWN;
577 sidstr = ldap_encode_ndr_dom_sid(talloc_tos(), ids[idx]->sid);
578 filter = talloc_asprintf_append_buffer(filter, "(objectSid=%s)", sidstr);
581 CHECK_ALLOC_DONE(filter);
583 filter = talloc_asprintf_append_buffer(filter, "))");
584 CHECK_ALLOC_DONE(filter);
585 DEBUG(10, ("Filter: [%s]\n", filter));
587 rc = ads_search_retry(ctx->ads, &res, filter, attrs);
588 if (!ADS_ERR_OK(rc)) {
589 DEBUG(1, ("ERROR: ads search returned: %s\n", ads_errstr(rc)));
590 ret = NT_STATUS_UNSUCCESSFUL;
594 if ( (count = ads_count_replies(ctx->ads, res)) == 0 ) {
595 DEBUG(10, ("No IDs found\n"));
599 for (i = 0; (i < count) && entry; i++) {
606 if (i == 0) { /* first entry */
607 entry = ads_first_entry(ctx->ads, entry);
608 } else { /* following ones */
609 entry = ads_next_entry(ctx->ads, entry);
613 DEBUG(2, ("ERROR: Unable to fetch ldap entries from results\n"));
617 /* first check if the SID is present */
618 if (!ads_pull_sid(ctx->ads, entry, "objectSid", &sid)) {
619 DEBUG(2, ("Could not retrieve SID from entry\n"));
623 map = find_map_by_sid(&ids[bidx], &sid);
625 DEBUG(2, ("WARNING: couldn't match result with requested SID\n"));
630 if (!ads_pull_uint32(ctx->ads, entry, "sAMAccountType", &atype)) {
631 DEBUG(1, ("could not get SAM account type\n"));
635 switch (atype & 0xF0000000) {
636 case ATYPE_SECURITY_GLOBAL_GROUP:
637 case ATYPE_SECURITY_LOCAL_GROUP:
640 case ATYPE_NORMAL_ACCOUNT:
641 case ATYPE_WORKSTATION_TRUST:
642 case ATYPE_INTERDOMAIN_TRUST:
646 DEBUG(1, ("unrecognized SAM account type %08x\n", atype));
650 if (!ads_pull_uint32(ctx->ads, entry, (type==ID_TYPE_UID) ?
651 ctx->ad_schema->posix_uidnumber_attr :
652 ctx->ad_schema->posix_gidnumber_attr,
655 DEBUG(1, ("Could not get unix ID\n"));
658 if (!idmap_unix_id_is_in_range(id, dom)) {
659 DEBUG(5, ("Requested id (%u) out of range (%u - %u). Filtered!\n",
660 id, dom->low_id, dom->high_id));
665 map->xid.type = type;
667 map->status = ID_MAPPED;
669 DEBUG(10, ("Mapped %s -> %lu (%d)\n", sid_string_dbg(map->sid),
670 (unsigned long)map->xid.id,
675 ads_msgfree(ctx->ads, res);
678 if (ids[idx]) { /* still some values to map */
684 /* mark all unknown/expired ones as unmapped */
685 for (i = 0; ids[i]; i++) {
686 if (ids[i]->status != ID_MAPPED)
687 ids[i]->status = ID_UNMAPPED;
696 * nss_info_{sfu,sfu20,rfc2307}
699 /************************************************************************
700 Initialize the {sfu,sfu20,rfc2307} state
701 ***********************************************************************/
703 static const char *wb_posix_map_unknown_string = "WB_POSIX_MAP_UNKNOWN";
704 static const char *wb_posix_map_template_string = "WB_POSIX_MAP_TEMPLATE";
705 static const char *wb_posix_map_sfu_string = "WB_POSIX_MAP_SFU";
706 static const char *wb_posix_map_sfu20_string = "WB_POSIX_MAP_SFU20";
707 static const char *wb_posix_map_rfc2307_string = "WB_POSIX_MAP_RFC2307";
708 static const char *wb_posix_map_unixinfo_string = "WB_POSIX_MAP_UNIXINFO";
710 static const char *ad_map_type_string(enum wb_posix_mapping map_type)
713 case WB_POSIX_MAP_TEMPLATE:
714 return wb_posix_map_template_string;
715 case WB_POSIX_MAP_SFU:
716 return wb_posix_map_sfu_string;
717 case WB_POSIX_MAP_SFU20:
718 return wb_posix_map_sfu20_string;
719 case WB_POSIX_MAP_RFC2307:
720 return wb_posix_map_rfc2307_string;
721 case WB_POSIX_MAP_UNIXINFO:
722 return wb_posix_map_unixinfo_string;
724 return wb_posix_map_unknown_string;
728 static NTSTATUS nss_ad_generic_init(struct nss_domain_entry *e,
729 enum wb_posix_mapping new_ad_map_type)
731 struct idmap_domain *dom;
732 struct idmap_ad_context *ctx;
734 if (e->state != NULL) {
735 dom = talloc_get_type(e->state, struct idmap_domain);
737 dom = talloc_zero(e, struct idmap_domain);
739 DEBUG(0, ("Out of memory!\n"));
740 return NT_STATUS_NO_MEMORY;
745 if (e->domain != NULL) {
746 dom->name = talloc_strdup(dom, e->domain);
747 if (dom->name == NULL) {
748 DEBUG(0, ("Out of memory!\n"));
749 return NT_STATUS_NO_MEMORY;
753 if (dom->private_data != NULL) {
754 ctx = talloc_get_type(dom->private_data,
755 struct idmap_ad_context);
757 ctx = talloc_zero(dom, struct idmap_ad_context);
759 DEBUG(0, ("Out of memory!\n"));
760 return NT_STATUS_NO_MEMORY;
762 ctx->ad_map_type = WB_POSIX_MAP_RFC2307;
763 dom->private_data = ctx;
766 if ((ctx->ad_map_type != WB_POSIX_MAP_UNKNOWN) &&
767 (ctx->ad_map_type != new_ad_map_type))
769 DEBUG(2, ("nss_ad_generic_init: "
770 "Warning: overriding previously set posix map type "
771 "%s for domain %s with map type %s.\n",
772 ad_map_type_string(ctx->ad_map_type),
774 ad_map_type_string(new_ad_map_type)));
777 ctx->ad_map_type = new_ad_map_type;
782 static NTSTATUS nss_sfu_init( struct nss_domain_entry *e )
784 return nss_ad_generic_init(e, WB_POSIX_MAP_SFU);
787 static NTSTATUS nss_sfu20_init( struct nss_domain_entry *e )
789 return nss_ad_generic_init(e, WB_POSIX_MAP_SFU20);
792 static NTSTATUS nss_rfc2307_init( struct nss_domain_entry *e )
794 return nss_ad_generic_init(e, WB_POSIX_MAP_RFC2307);
798 /************************************************************************
799 ***********************************************************************/
801 static NTSTATUS nss_ad_get_info( struct nss_domain_entry *e,
802 const struct dom_sid *sid,
804 const char **homedir,
809 const char *attrs[] = {NULL, /* attr_homedir */
810 NULL, /* attr_shell */
811 NULL, /* attr_gecos */
812 NULL, /* attr_gidnumber */
815 LDAPMessage *msg_internal = NULL;
816 ADS_STATUS ads_status = ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
817 NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
819 struct idmap_domain *dom;
820 struct idmap_ad_context *ctx;
822 DEBUG(10, ("nss_ad_get_info called for sid [%s] in domain '%s'\n",
823 sid_string_dbg(sid), e->domain?e->domain:"NULL"));
825 /* Only do query if we are online */
826 if (idmap_is_offline()) {
827 return NT_STATUS_FILE_IS_OFFLINE;
830 dom = talloc_get_type(e->state, struct idmap_domain);
831 ctx = talloc_get_type(dom->private_data, struct idmap_ad_context);
833 ads_status = ad_idmap_cached_connection(dom);
834 if (!ADS_ERR_OK(ads_status)) {
835 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
838 if (!ctx->ad_schema) {
839 DEBUG(10, ("nss_ad_get_info: no ad_schema configured!\n"));
840 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
843 if (!sid || !homedir || !shell || !gecos) {
844 return NT_STATUS_INVALID_PARAMETER;
847 /* Have to do our own query */
849 DEBUG(10, ("nss_ad_get_info: no ads connection given, doing our "
852 attrs[0] = ctx->ad_schema->posix_homedir_attr;
853 attrs[1] = ctx->ad_schema->posix_shell_attr;
854 attrs[2] = ctx->ad_schema->posix_gecos_attr;
855 attrs[3] = ctx->ad_schema->posix_gidnumber_attr;
857 sidstr = ldap_encode_ndr_dom_sid(mem_ctx, sid);
858 filter = talloc_asprintf(mem_ctx, "(objectSid=%s)", sidstr);
862 nt_status = NT_STATUS_NO_MEMORY;
866 ads_status = ads_search_retry(ctx->ads, &msg_internal, filter, attrs);
867 if (!ADS_ERR_OK(ads_status)) {
868 nt_status = ads_ntstatus(ads_status);
872 *homedir = ads_pull_string(ctx->ads, mem_ctx, msg_internal, ctx->ad_schema->posix_homedir_attr);
873 *shell = ads_pull_string(ctx->ads, mem_ctx, msg_internal, ctx->ad_schema->posix_shell_attr);
874 *gecos = ads_pull_string(ctx->ads, mem_ctx, msg_internal, ctx->ad_schema->posix_gecos_attr);
877 if (!ads_pull_uint32(ctx->ads, msg_internal, ctx->ad_schema->posix_gidnumber_attr, gid))
881 nt_status = NT_STATUS_OK;
885 ads_msgfree(ctx->ads, msg_internal);
891 /**********************************************************************
892 *********************************************************************/
894 static NTSTATUS nss_ad_map_to_alias(TALLOC_CTX *mem_ctx,
895 struct nss_domain_entry *e,
899 const char *attrs[] = {NULL, /* attr_uid */
902 LDAPMessage *msg = NULL;
903 ADS_STATUS ads_status = ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
904 NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
905 struct idmap_domain *dom;
906 struct idmap_ad_context *ctx = NULL;
908 /* Check incoming parameters */
910 if ( !e || !e->domain || !name || !*alias) {
911 nt_status = NT_STATUS_INVALID_PARAMETER;
915 /* Only do query if we are online */
917 if (idmap_is_offline()) {
918 nt_status = NT_STATUS_FILE_IS_OFFLINE;
922 dom = talloc_get_type(e->state, struct idmap_domain);
923 ctx = talloc_get_type(dom->private_data, struct idmap_ad_context);
925 ads_status = ad_idmap_cached_connection(dom);
926 if (!ADS_ERR_OK(ads_status)) {
927 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
930 if (!ctx->ad_schema) {
931 nt_status = NT_STATUS_OBJECT_PATH_NOT_FOUND;
935 attrs[0] = ctx->ad_schema->posix_uid_attr;
937 filter = talloc_asprintf(mem_ctx,
938 "(sAMAccountName=%s)",
941 nt_status = NT_STATUS_NO_MEMORY;
945 ads_status = ads_search_retry(ctx->ads, &msg, filter, attrs);
946 if (!ADS_ERR_OK(ads_status)) {
947 nt_status = ads_ntstatus(ads_status);
951 *alias = ads_pull_string(ctx->ads, mem_ctx, msg, ctx->ad_schema->posix_uid_attr);
954 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
957 nt_status = NT_STATUS_OK;
961 talloc_destroy(filter);
964 ads_msgfree(ctx->ads, msg);
970 /**********************************************************************
971 *********************************************************************/
973 static NTSTATUS nss_ad_map_from_alias( TALLOC_CTX *mem_ctx,
974 struct nss_domain_entry *e,
978 const char *attrs[] = {"sAMAccountName",
981 LDAPMessage *msg = NULL;
982 ADS_STATUS ads_status = ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
983 NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
985 struct idmap_domain *dom;
986 struct idmap_ad_context *ctx = NULL;
988 /* Check incoming parameters */
990 if ( !alias || !name) {
991 nt_status = NT_STATUS_INVALID_PARAMETER;
995 /* Only do query if we are online */
997 if (idmap_is_offline()) {
998 nt_status = NT_STATUS_FILE_IS_OFFLINE;
1002 dom = talloc_get_type(e->state, struct idmap_domain);
1003 ctx = talloc_get_type(dom->private_data, struct idmap_ad_context);
1005 ads_status = ad_idmap_cached_connection(dom);
1006 if (!ADS_ERR_OK(ads_status)) {
1007 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1010 if (!ctx->ad_schema) {
1011 nt_status = NT_STATUS_OBJECT_PATH_NOT_FOUND;
1015 filter = talloc_asprintf(mem_ctx,
1017 ctx->ad_schema->posix_uid_attr,
1020 nt_status = NT_STATUS_NO_MEMORY;
1024 ads_status = ads_search_retry(ctx->ads, &msg, filter, attrs);
1025 if (!ADS_ERR_OK(ads_status)) {
1026 nt_status = ads_ntstatus(ads_status);
1030 username = ads_pull_string(ctx->ads, mem_ctx, msg,
1033 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1036 *name = talloc_asprintf(mem_ctx, "%s\\%s",
1040 nt_status = NT_STATUS_NO_MEMORY;
1044 nt_status = NT_STATUS_OK;
1048 talloc_destroy(filter);
1051 ads_msgfree(ctx->ads, msg);
1057 /************************************************************************
1058 Function dispatch tables for the idmap and nss plugins
1059 ***********************************************************************/
1061 static struct idmap_methods ad_methods = {
1062 .init = idmap_ad_initialize,
1063 .unixids_to_sids = idmap_ad_unixids_to_sids,
1064 .sids_to_unixids = idmap_ad_sids_to_unixids,
1067 /* The SFU and RFC2307 NSS plugins share everything but the init
1068 function which sets the intended schema model to use */
1070 static struct nss_info_methods nss_rfc2307_methods = {
1071 .init = nss_rfc2307_init,
1072 .get_nss_info = nss_ad_get_info,
1073 .map_to_alias = nss_ad_map_to_alias,
1074 .map_from_alias = nss_ad_map_from_alias,
1077 static struct nss_info_methods nss_sfu_methods = {
1078 .init = nss_sfu_init,
1079 .get_nss_info = nss_ad_get_info,
1080 .map_to_alias = nss_ad_map_to_alias,
1081 .map_from_alias = nss_ad_map_from_alias,
1084 static struct nss_info_methods nss_sfu20_methods = {
1085 .init = nss_sfu20_init,
1086 .get_nss_info = nss_ad_get_info,
1087 .map_to_alias = nss_ad_map_to_alias,
1088 .map_from_alias = nss_ad_map_from_alias,
1093 /************************************************************************
1094 Initialize the plugins
1095 ***********************************************************************/
1097 NTSTATUS samba_module_init(void)
1099 static NTSTATUS status_idmap_ad = NT_STATUS_UNSUCCESSFUL;
1100 static NTSTATUS status_nss_rfc2307 = NT_STATUS_UNSUCCESSFUL;
1101 static NTSTATUS status_nss_sfu = NT_STATUS_UNSUCCESSFUL;
1102 static NTSTATUS status_nss_sfu20 = NT_STATUS_UNSUCCESSFUL;
1104 /* Always register the AD method first in order to get the
1105 idmap_domain interface called */
1107 if ( !NT_STATUS_IS_OK(status_idmap_ad) ) {
1108 status_idmap_ad = smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION,
1110 if ( !NT_STATUS_IS_OK(status_idmap_ad) )
1111 return status_idmap_ad;
1114 if ( !NT_STATUS_IS_OK( status_nss_rfc2307 ) ) {
1115 status_nss_rfc2307 = smb_register_idmap_nss(SMB_NSS_INFO_INTERFACE_VERSION,
1116 "rfc2307", &nss_rfc2307_methods );
1117 if ( !NT_STATUS_IS_OK(status_nss_rfc2307) )
1118 return status_nss_rfc2307;
1121 if ( !NT_STATUS_IS_OK( status_nss_sfu ) ) {
1122 status_nss_sfu = smb_register_idmap_nss(SMB_NSS_INFO_INTERFACE_VERSION,
1123 "sfu", &nss_sfu_methods );
1124 if ( !NT_STATUS_IS_OK(status_nss_sfu) )
1125 return status_nss_sfu;
1128 if ( !NT_STATUS_IS_OK( status_nss_sfu20 ) ) {
1129 status_nss_sfu20 = smb_register_idmap_nss(SMB_NSS_INFO_INTERFACE_VERSION,
1130 "sfu20", &nss_sfu20_methods );
1131 if ( !NT_STATUS_IS_OK(status_nss_sfu20) )
1132 return status_nss_sfu20;
1135 return NT_STATUS_OK;
git.samba.org / mat / samba.git / blob