2 * idmap_ad: map between Active Directory and RFC 2307 or "Services for Unix" (SFU) Accounts
4 * Unix SMB/CIFS implementation.
6 * Winbind ADS backend functions
8 * Copyright (C) Andrew Tridgell 2001
9 * Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003
10 * Copyright (C) Gerald (Jerry) Carter 2004-2007
11 * Copyright (C) Luke Howard 2001-2004
12 * Copyright (C) Michael Adam 2008
14 * This program is free software; you can redistribute it and/or modify
15 * it under the terms of the GNU General Public License as published by
16 * the Free Software Foundation; either version 3 of the License, or
17 * (at your option) any later version.
19 * This program is distributed in the hope that it will be useful,
20 * but WITHOUT ANY WARRANTY; without even the implied warranty of
21 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 * GNU General Public License for more details.
24 * You should have received a copy of the GNU General Public License
25 * along with this program; if not, see <http://www.gnu.org/licenses/>.
32 #define DBGC_CLASS DBGC_IDMAP
34 #define WINBIND_CCACHE_NAME "MEMORY:winbind_ccache"
36 #define IDMAP_AD_MAX_IDS 30
37 #define CHECK_ALLOC_DONE(mem) do { \
39 DEBUG(0, ("Out of memory!\n")); \
40 ret = NT_STATUS_NO_MEMORY; \
45 struct idmap_ad_context {
46 uint32_t filter_low_id;
47 uint32_t filter_high_id;
49 struct posix_schema *ad_schema;
50 enum wb_posix_mapping ad_map_type; /* WB_POSIX_MAP_UNKNOWN */
53 NTSTATUS init_module(void);
55 /************************************************************************
56 ***********************************************************************/
58 static ADS_STATUS ad_idmap_cached_connection_internal(struct idmap_domain *dom)
64 struct sockaddr_storage dc_ip;
65 struct idmap_ad_context *ctx;
66 char *ldap_server = NULL;
68 struct winbindd_domain *wb_dom;
70 DEBUG(10, ("ad_idmap_cached_connection: called for domain '%s'\n",
73 ctx = talloc_get_type(dom->private_data, struct idmap_ad_context);
75 if (ctx->ads != NULL) {
78 time_t now = time(NULL);
82 expire = MIN(ads->auth.tgt_expire, ads->auth.tgs_expire);
84 /* check for a valid structure */
85 DEBUG(7, ("Current tickets expire in %d seconds (at %d, time is now %d)\n",
86 (uint32)expire-(uint32)now, (uint32) expire, (uint32) now));
88 if ( ads->config.realm && (expire > time(NULL))) {
91 /* we own this ADS_STRUCT so make sure it goes away */
92 DEBUG(7,("Deleting expired krb5 credential cache\n"));
95 ads_kdestroy(WINBIND_CCACHE_NAME);
97 TALLOC_FREE( ctx->ad_schema );
102 /* we don't want this to affect the users ccache */
103 setenv("KRB5CCNAME", WINBIND_CCACHE_NAME, 1);
107 * At this point we only have the NetBIOS domain name.
108 * Check if we can get server nam and realm from SAF cache
109 * and the domain list.
111 ldap_server = saf_fetch(dom->name);
112 DEBUG(10, ("ldap_server from saf cache: '%s'\n", ldap_server?ldap_server:""));
114 wb_dom = find_domain_from_name_noinit(dom->name);
115 if (wb_dom == NULL) {
116 DEBUG(10, ("find_domain_from_name_noinit did not find domain '%s'\n",
120 DEBUG(10, ("find_domain_from_name_noinit found realm '%s' for "
121 " domain '%s'\n", wb_dom->alt_name, dom->name));
122 realm = wb_dom->alt_name;
125 if ( (ads = ads_init(realm, dom->name, ldap_server)) == NULL ) {
126 DEBUG(1,("ads_init failed\n"));
127 return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
130 /* the machine acct password might have change - fetch it every time */
131 SAFE_FREE(ads->auth.password);
132 ads->auth.password = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
134 SAFE_FREE(ads->auth.realm);
135 ads->auth.realm = SMB_STRDUP(lp_realm());
137 /* setup server affinity */
139 get_dc_name(dom->name, realm, dc_name, &dc_ip );
141 status = ads_connect(ads);
142 if (!ADS_ERR_OK(status)) {
143 DEBUG(1, ("ad_idmap_init: failed to connect to AD\n"));
148 ads->is_mine = False;
155 /************************************************************************
156 ***********************************************************************/
158 static ADS_STATUS ad_idmap_cached_connection(struct idmap_domain *dom)
161 struct idmap_ad_context * ctx;
163 status = ad_idmap_cached_connection_internal(dom);
164 if (!ADS_ERR_OK(status)) {
168 ctx = talloc_get_type(dom->private_data, struct idmap_ad_context);
170 /* if we have a valid ADS_STRUCT and the schema model is
171 defined, then we can return here. */
173 if ( ctx->ad_schema ) {
177 /* Otherwise, set the schema model */
179 if ( (ctx->ad_map_type == WB_POSIX_MAP_SFU) ||
180 (ctx->ad_map_type == WB_POSIX_MAP_SFU20) ||
181 (ctx->ad_map_type == WB_POSIX_MAP_RFC2307) )
183 status = ads_check_posix_schema_mapping(NULL, ctx->ads, ctx->ad_map_type, &ctx->ad_schema);
184 if ( !ADS_ERR_OK(status) ) {
185 DEBUG(2,("ad_idmap_cached_connection: Failed to obtain schema details!\n"));
192 /************************************************************************
193 ***********************************************************************/
195 static NTSTATUS idmap_ad_initialize(struct idmap_domain *dom,
198 struct idmap_ad_context *ctx;
200 const char *range = NULL;
201 const char *schema_mode = NULL;
203 if ( (ctx = TALLOC_ZERO_P(dom, struct idmap_ad_context)) == NULL ) {
204 DEBUG(0, ("Out of memory!\n"));
205 return NT_STATUS_NO_MEMORY;
208 if ( (config_option = talloc_asprintf(ctx, "idmap config %s", dom->name)) == NULL ) {
209 DEBUG(0, ("Out of memory!\n"));
211 return NT_STATUS_NO_MEMORY;
215 range = lp_parm_const_string(-1, config_option, "range", NULL);
216 if (range && range[0]) {
217 if ((sscanf(range, "%u - %u", &ctx->filter_low_id, &ctx->filter_high_id) != 2) ||
218 (ctx->filter_low_id > ctx->filter_high_id)) {
219 DEBUG(1, ("ERROR: invalid filter range [%s]", range));
220 ctx->filter_low_id = 0;
221 ctx->filter_high_id = 0;
225 /* default map type */
226 ctx->ad_map_type = WB_POSIX_MAP_RFC2307;
229 schema_mode = lp_parm_const_string(-1, config_option, "schema_mode", NULL);
230 if ( schema_mode && schema_mode[0] ) {
231 if ( strequal(schema_mode, "sfu") )
232 ctx->ad_map_type = WB_POSIX_MAP_SFU;
233 else if ( strequal(schema_mode, "sfu20" ) )
234 ctx->ad_map_type = WB_POSIX_MAP_SFU20;
235 else if ( strequal(schema_mode, "rfc2307" ) )
236 ctx->ad_map_type = WB_POSIX_MAP_RFC2307;
238 DEBUG(0,("idmap_ad_initialize: Unknown schema_mode (%s)\n",
242 dom->private_data = ctx;
244 talloc_free(config_option);
249 /************************************************************************
250 Search up to IDMAP_AD_MAX_IDS entries in maps for a match.
251 ***********************************************************************/
253 static struct id_map *find_map_by_id(struct id_map **maps, enum id_type type, uint32_t id)
257 for (i = 0; maps[i] && i<IDMAP_AD_MAX_IDS; i++) {
258 if ((maps[i]->xid.type == type) && (maps[i]->xid.id == id)) {
266 /************************************************************************
267 Search up to IDMAP_AD_MAX_IDS entries in maps for a match
268 ***********************************************************************/
270 static struct id_map *find_map_by_sid(struct id_map **maps, DOM_SID *sid)
274 for (i = 0; maps[i] && i<IDMAP_AD_MAX_IDS; i++) {
275 if (sid_equal(maps[i]->sid, sid)) {
283 /************************************************************************
284 ***********************************************************************/
286 static NTSTATUS idmap_ad_unixids_to_sids(struct idmap_domain *dom, struct id_map **ids)
290 struct idmap_ad_context *ctx;
292 const char *attrs[] = { "sAMAccountType",
294 NULL, /* uidnumber */
295 NULL, /* gidnumber */
297 LDAPMessage *res = NULL;
298 LDAPMessage *entry = NULL;
304 char *u_filter = NULL;
305 char *g_filter = NULL;
307 /* initialize the status to avoid suprise */
308 for (i = 0; ids[i]; i++) {
309 ids[i]->status = ID_UNKNOWN;
312 /* Only do query if we are online */
313 if (idmap_is_offline()) {
314 return NT_STATUS_FILE_IS_OFFLINE;
317 ctx = talloc_get_type(dom->private_data, struct idmap_ad_context);
319 if ( (memctx = talloc_new(ctx)) == NULL ) {
320 DEBUG(0, ("Out of memory!\n"));
321 return NT_STATUS_NO_MEMORY;
324 rc = ad_idmap_cached_connection(dom);
325 if (!ADS_ERR_OK(rc)) {
326 DEBUG(1, ("ADS uninitialized: %s\n", ads_errstr(rc)));
327 ret = NT_STATUS_UNSUCCESSFUL;
328 /* ret = ads_ntstatus(rc); */
332 attrs[2] = ctx->ad_schema->posix_uidnumber_attr;
333 attrs[3] = ctx->ad_schema->posix_gidnumber_attr;
337 for (i = 0; (i < IDMAP_AD_MAX_IDS) && ids[idx]; i++, idx++) {
338 switch (ids[idx]->xid.type) {
341 u_filter = talloc_asprintf(memctx, "(&(|"
342 "(sAMAccountType=%d)"
343 "(sAMAccountType=%d)"
344 "(sAMAccountType=%d))(|",
345 ATYPE_NORMAL_ACCOUNT,
346 ATYPE_WORKSTATION_TRUST,
347 ATYPE_INTERDOMAIN_TRUST);
349 u_filter = talloc_asprintf_append_buffer(u_filter, "(%s=%lu)",
350 ctx->ad_schema->posix_uidnumber_attr,
351 (unsigned long)ids[idx]->xid.id);
352 CHECK_ALLOC_DONE(u_filter);
357 g_filter = talloc_asprintf(memctx, "(&(|"
358 "(sAMAccountType=%d)"
359 "(sAMAccountType=%d))(|",
360 ATYPE_SECURITY_GLOBAL_GROUP,
361 ATYPE_SECURITY_LOCAL_GROUP);
363 g_filter = talloc_asprintf_append_buffer(g_filter, "(%s=%lu)",
364 ctx->ad_schema->posix_gidnumber_attr,
365 (unsigned long)ids[idx]->xid.id);
366 CHECK_ALLOC_DONE(g_filter);
370 DEBUG(3, ("Error: mapping requested but Unknown ID type\n"));
371 ids[idx]->status = ID_UNKNOWN;
375 filter = talloc_asprintf(memctx, "(|");
376 CHECK_ALLOC_DONE(filter);
378 filter = talloc_asprintf_append_buffer(filter, "%s))", u_filter);
379 CHECK_ALLOC_DONE(filter);
380 TALLOC_FREE(u_filter);
383 filter = talloc_asprintf_append_buffer(filter, "%s))", g_filter);
384 CHECK_ALLOC_DONE(filter);
385 TALLOC_FREE(g_filter);
387 filter = talloc_asprintf_append_buffer(filter, ")");
388 CHECK_ALLOC_DONE(filter);
390 rc = ads_search_retry(ctx->ads, &res, filter, attrs);
391 if (!ADS_ERR_OK(rc)) {
392 DEBUG(1, ("ERROR: ads search returned: %s\n", ads_errstr(rc)));
393 ret = NT_STATUS_UNSUCCESSFUL;
397 if ( (count = ads_count_replies(ctx->ads, res)) == 0 ) {
398 DEBUG(10, ("No IDs found\n"));
402 for (i = 0; (i < count) && entry; i++) {
409 if (i == 0) { /* first entry */
410 entry = ads_first_entry(ctx->ads, entry);
411 } else { /* following ones */
412 entry = ads_next_entry(ctx->ads, entry);
416 DEBUG(2, ("ERROR: Unable to fetch ldap entries from results\n"));
420 /* first check if the SID is present */
421 if (!ads_pull_sid(ctx->ads, entry, "objectSid", &sid)) {
422 DEBUG(2, ("Could not retrieve SID from entry\n"));
427 if (!ads_pull_uint32(ctx->ads, entry, "sAMAccountType", &atype)) {
428 DEBUG(1, ("could not get SAM account type\n"));
432 switch (atype & 0xF0000000) {
433 case ATYPE_SECURITY_GLOBAL_GROUP:
434 case ATYPE_SECURITY_LOCAL_GROUP:
437 case ATYPE_NORMAL_ACCOUNT:
438 case ATYPE_WORKSTATION_TRUST:
439 case ATYPE_INTERDOMAIN_TRUST:
443 DEBUG(1, ("unrecognized SAM account type %08x\n", atype));
447 if (!ads_pull_uint32(ctx->ads, entry, (type==ID_TYPE_UID) ?
448 ctx->ad_schema->posix_uidnumber_attr :
449 ctx->ad_schema->posix_gidnumber_attr,
452 DEBUG(1, ("Could not get unix ID\n"));
456 if (!idmap_unix_id_is_in_range(id, dom)) {
457 DEBUG(5, ("Requested id (%u) out of range (%u - %u). Filtered!\n",
458 id, dom->low_id, dom->high_id));
462 map = find_map_by_id(&ids[bidx], type, id);
464 DEBUG(2, ("WARNING: couldn't match result with requested ID\n"));
468 sid_copy(map->sid, &sid);
471 map->status = ID_MAPPED;
473 DEBUG(10, ("Mapped %s -> %lu (%d)\n", sid_string_dbg(map->sid),
474 (unsigned long)map->xid.id,
479 ads_msgfree(ctx->ads, res);
482 if (ids[idx]) { /* still some values to map */
488 /* mark all unknown/expired ones as unmapped */
489 for (i = 0; ids[i]; i++) {
490 if (ids[i]->status != ID_MAPPED)
491 ids[i]->status = ID_UNMAPPED;
499 /************************************************************************
500 ***********************************************************************/
502 static NTSTATUS idmap_ad_sids_to_unixids(struct idmap_domain *dom, struct id_map **ids)
506 struct idmap_ad_context *ctx;
508 const char *attrs[] = { "sAMAccountType",
510 NULL, /* attr_uidnumber */
511 NULL, /* attr_gidnumber */
513 LDAPMessage *res = NULL;
514 LDAPMessage *entry = NULL;
522 /* initialize the status to avoid suprise */
523 for (i = 0; ids[i]; i++) {
524 ids[i]->status = ID_UNKNOWN;
527 /* Only do query if we are online */
528 if (idmap_is_offline()) {
529 return NT_STATUS_FILE_IS_OFFLINE;
532 ctx = talloc_get_type(dom->private_data, struct idmap_ad_context);
534 if ( (memctx = talloc_new(ctx)) == NULL ) {
535 DEBUG(0, ("Out of memory!\n"));
536 return NT_STATUS_NO_MEMORY;
539 rc = ad_idmap_cached_connection(dom);
540 if (!ADS_ERR_OK(rc)) {
541 DEBUG(1, ("ADS uninitialized: %s\n", ads_errstr(rc)));
542 ret = NT_STATUS_UNSUCCESSFUL;
543 /* ret = ads_ntstatus(rc); */
547 if (ctx->ad_schema == NULL) {
548 DEBUG(0, ("haven't got ctx->ad_schema ! \n"));
549 ret = NT_STATUS_UNSUCCESSFUL;
553 attrs[2] = ctx->ad_schema->posix_uidnumber_attr;
554 attrs[3] = ctx->ad_schema->posix_gidnumber_attr;
557 filter = talloc_asprintf(memctx, "(&(|"
558 "(sAMAccountType=%d)(sAMAccountType=%d)(sAMAccountType=%d)" /* user account types */
559 "(sAMAccountType=%d)(sAMAccountType=%d)" /* group account types */
561 ATYPE_NORMAL_ACCOUNT, ATYPE_WORKSTATION_TRUST, ATYPE_INTERDOMAIN_TRUST,
562 ATYPE_SECURITY_GLOBAL_GROUP, ATYPE_SECURITY_LOCAL_GROUP);
564 CHECK_ALLOC_DONE(filter);
567 for (i = 0; (i < IDMAP_AD_MAX_IDS) && ids[idx]; i++, idx++) {
569 ids[idx]->status = ID_UNKNOWN;
571 sidstr = sid_binstring(ids[idx]->sid);
572 filter = talloc_asprintf_append_buffer(filter, "(objectSid=%s)", sidstr);
575 CHECK_ALLOC_DONE(filter);
577 filter = talloc_asprintf_append_buffer(filter, "))");
578 CHECK_ALLOC_DONE(filter);
579 DEBUG(10, ("Filter: [%s]\n", filter));
581 rc = ads_search_retry(ctx->ads, &res, filter, attrs);
582 if (!ADS_ERR_OK(rc)) {
583 DEBUG(1, ("ERROR: ads search returned: %s\n", ads_errstr(rc)));
584 ret = NT_STATUS_UNSUCCESSFUL;
588 if ( (count = ads_count_replies(ctx->ads, res)) == 0 ) {
589 DEBUG(10, ("No IDs found\n"));
593 for (i = 0; (i < count) && entry; i++) {
600 if (i == 0) { /* first entry */
601 entry = ads_first_entry(ctx->ads, entry);
602 } else { /* following ones */
603 entry = ads_next_entry(ctx->ads, entry);
607 DEBUG(2, ("ERROR: Unable to fetch ldap entries from results\n"));
611 /* first check if the SID is present */
612 if (!ads_pull_sid(ctx->ads, entry, "objectSid", &sid)) {
613 DEBUG(2, ("Could not retrieve SID from entry\n"));
617 map = find_map_by_sid(&ids[bidx], &sid);
619 DEBUG(2, ("WARNING: couldn't match result with requested SID\n"));
624 if (!ads_pull_uint32(ctx->ads, entry, "sAMAccountType", &atype)) {
625 DEBUG(1, ("could not get SAM account type\n"));
629 switch (atype & 0xF0000000) {
630 case ATYPE_SECURITY_GLOBAL_GROUP:
631 case ATYPE_SECURITY_LOCAL_GROUP:
634 case ATYPE_NORMAL_ACCOUNT:
635 case ATYPE_WORKSTATION_TRUST:
636 case ATYPE_INTERDOMAIN_TRUST:
640 DEBUG(1, ("unrecognized SAM account type %08x\n", atype));
644 if (!ads_pull_uint32(ctx->ads, entry, (type==ID_TYPE_UID) ?
645 ctx->ad_schema->posix_uidnumber_attr :
646 ctx->ad_schema->posix_gidnumber_attr,
649 DEBUG(1, ("Could not get unix ID\n"));
652 if (!idmap_unix_id_is_in_range(id, dom)) {
653 DEBUG(5, ("Requested id (%u) out of range (%u - %u). Filtered!\n",
654 id, dom->low_id, dom->high_id));
659 map->xid.type = type;
661 map->status = ID_MAPPED;
663 DEBUG(10, ("Mapped %s -> %lu (%d)\n", sid_string_dbg(map->sid),
664 (unsigned long)map->xid.id,
669 ads_msgfree(ctx->ads, res);
672 if (ids[idx]) { /* still some values to map */
678 /* mark all unknwoni/expired ones as unmapped */
679 for (i = 0; ids[i]; i++) {
680 if (ids[i]->status != ID_MAPPED)
681 ids[i]->status = ID_UNMAPPED;
689 /************************************************************************
690 ***********************************************************************/
692 static NTSTATUS idmap_ad_close(struct idmap_domain *dom)
694 struct idmap_ad_context * ctx;
696 ctx = talloc_get_type(dom->private_data, struct idmap_ad_context);
698 if (ctx->ads != NULL) {
699 /* we own this ADS_STRUCT so make sure it goes away */
700 ctx->ads->is_mine = True;
701 ads_destroy( &ctx->ads );
705 TALLOC_FREE( ctx->ad_schema );
711 * nss_info_{sfu,sfu20,rfc2307}
714 /************************************************************************
715 Initialize the {sfu,sfu20,rfc2307} state
716 ***********************************************************************/
718 static const char *wb_posix_map_unknown_string = "WB_POSIX_MAP_UNKNOWN";
719 static const char *wb_posix_map_template_string = "WB_POSIX_MAP_TEMPLATE";
720 static const char *wb_posix_map_sfu_string = "WB_POSIX_MAP_SFU";
721 static const char *wb_posix_map_sfu20_string = "WB_POSIX_MAP_SFU20";
722 static const char *wb_posix_map_rfc2307_string = "WB_POSIX_MAP_RFC2307";
723 static const char *wb_posix_map_unixinfo_string = "WB_POSIX_MAP_UNIXINFO";
725 static const char *ad_map_type_string(enum wb_posix_mapping map_type)
728 case WB_POSIX_MAP_TEMPLATE:
729 return wb_posix_map_template_string;
730 case WB_POSIX_MAP_SFU:
731 return wb_posix_map_sfu_string;
732 case WB_POSIX_MAP_SFU20:
733 return wb_posix_map_sfu20_string;
734 case WB_POSIX_MAP_RFC2307:
735 return wb_posix_map_rfc2307_string;
736 case WB_POSIX_MAP_UNIXINFO:
737 return wb_posix_map_unixinfo_string;
739 return wb_posix_map_unknown_string;
743 static NTSTATUS nss_ad_generic_init(struct nss_domain_entry *e,
744 enum wb_posix_mapping new_ad_map_type)
746 struct idmap_domain *dom;
747 struct idmap_ad_context *ctx;
749 if (e->state != NULL) {
750 dom = talloc_get_type(e->state, struct idmap_domain);
752 dom = TALLOC_ZERO_P(e, struct idmap_domain);
754 DEBUG(0, ("Out of memory!\n"));
755 return NT_STATUS_NO_MEMORY;
760 if (e->domain != NULL) {
761 dom->name = talloc_strdup(dom, e->domain);
762 if (dom->name == NULL) {
763 DEBUG(0, ("Out of memory!\n"));
764 return NT_STATUS_NO_MEMORY;
768 if (dom->private_data != NULL) {
769 ctx = talloc_get_type(dom->private_data,
770 struct idmap_ad_context);
772 ctx = TALLOC_ZERO_P(dom, struct idmap_ad_context);
774 DEBUG(0, ("Out of memory!\n"));
775 return NT_STATUS_NO_MEMORY;
777 ctx->ad_map_type = WB_POSIX_MAP_RFC2307;
778 dom->private_data = ctx;
781 if ((ctx->ad_map_type != WB_POSIX_MAP_UNKNOWN) &&
782 (ctx->ad_map_type != new_ad_map_type))
784 DEBUG(2, ("nss_ad_generic_init: "
785 "Warning: overriding previously set posix map type "
786 "%s for domain %s with map type %s.\n",
787 ad_map_type_string(ctx->ad_map_type),
789 ad_map_type_string(new_ad_map_type)));
792 ctx->ad_map_type = new_ad_map_type;
797 static NTSTATUS nss_sfu_init( struct nss_domain_entry *e )
799 return nss_ad_generic_init(e, WB_POSIX_MAP_SFU);
802 static NTSTATUS nss_sfu20_init( struct nss_domain_entry *e )
804 return nss_ad_generic_init(e, WB_POSIX_MAP_SFU20);
807 static NTSTATUS nss_rfc2307_init( struct nss_domain_entry *e )
809 return nss_ad_generic_init(e, WB_POSIX_MAP_RFC2307);
813 /************************************************************************
814 ***********************************************************************/
816 static NTSTATUS nss_ad_get_info( struct nss_domain_entry *e,
826 const char *attrs[] = {NULL, /* attr_homedir */
827 NULL, /* attr_shell */
828 NULL, /* attr_gecos */
829 NULL, /* attr_gidnumber */
832 LDAPMessage *msg_internal = NULL;
833 ADS_STATUS ads_status = ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
834 NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
836 struct idmap_domain *dom;
837 struct idmap_ad_context *ctx;
839 DEBUG(10, ("nss_ad_get_info called for sid [%s] in domain '%s'\n",
840 sid_string_dbg(sid), e->domain?e->domain:"NULL"));
842 /* Only do query if we are online */
843 if (idmap_is_offline()) {
844 return NT_STATUS_FILE_IS_OFFLINE;
847 dom = talloc_get_type(e->state, struct idmap_domain);
848 ctx = talloc_get_type(dom->private_data, struct idmap_ad_context);
850 ads_status = ad_idmap_cached_connection(dom);
851 if (!ADS_ERR_OK(ads_status)) {
852 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
855 if (!ctx->ad_schema) {
856 DEBUG(10, ("nss_ad_get_info: no ad_schema configured!\n"));
857 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
860 if (!sid || !homedir || !shell || !gecos) {
861 return NT_STATUS_INVALID_PARAMETER;
864 /* See if we can use the ADS connection struct swe were given */
867 DEBUG(10, ("nss_ad_get_info: using given ads connection and "
868 "LDAP message (%p)\n", msg));
870 *homedir = ads_pull_string( ads, mem_ctx, msg, ctx->ad_schema->posix_homedir_attr );
871 *shell = ads_pull_string( ads, mem_ctx, msg, ctx->ad_schema->posix_shell_attr );
872 *gecos = ads_pull_string( ads, mem_ctx, msg, ctx->ad_schema->posix_gecos_attr );
875 if ( !ads_pull_uint32(ads, msg, ctx->ad_schema->posix_gidnumber_attr, gid ) )
879 nt_status = NT_STATUS_OK;
883 /* Have to do our own query */
885 DEBUG(10, ("nss_ad_get_info: no ads connection given, doing our "
888 attrs[0] = ctx->ad_schema->posix_homedir_attr;
889 attrs[1] = ctx->ad_schema->posix_shell_attr;
890 attrs[2] = ctx->ad_schema->posix_gecos_attr;
891 attrs[3] = ctx->ad_schema->posix_gidnumber_attr;
893 sidstr = sid_binstring(sid);
894 filter = talloc_asprintf(mem_ctx, "(objectSid=%s)", sidstr);
898 nt_status = NT_STATUS_NO_MEMORY;
902 ads_status = ads_search_retry(ctx->ads, &msg_internal, filter, attrs);
903 if (!ADS_ERR_OK(ads_status)) {
904 nt_status = ads_ntstatus(ads_status);
908 *homedir = ads_pull_string(ctx->ads, mem_ctx, msg_internal, ctx->ad_schema->posix_homedir_attr);
909 *shell = ads_pull_string(ctx->ads, mem_ctx, msg_internal, ctx->ad_schema->posix_shell_attr);
910 *gecos = ads_pull_string(ctx->ads, mem_ctx, msg_internal, ctx->ad_schema->posix_gecos_attr);
913 if (!ads_pull_uint32(ctx->ads, msg_internal, ctx->ad_schema->posix_gidnumber_attr, gid))
917 nt_status = NT_STATUS_OK;
921 ads_msgfree(ctx->ads, msg_internal);
927 /**********************************************************************
928 *********************************************************************/
930 static NTSTATUS nss_ad_map_to_alias(TALLOC_CTX *mem_ctx,
931 struct nss_domain_entry *e,
935 const char *attrs[] = {NULL, /* attr_uid */
938 LDAPMessage *msg = NULL;
939 ADS_STATUS ads_status = ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
940 NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
941 struct idmap_domain *dom;
942 struct idmap_ad_context *ctx = NULL;
944 /* Check incoming parameters */
946 if ( !e || !e->domain || !name || !*alias) {
947 nt_status = NT_STATUS_INVALID_PARAMETER;
951 /* Only do query if we are online */
953 if (idmap_is_offline()) {
954 nt_status = NT_STATUS_FILE_IS_OFFLINE;
958 dom = talloc_get_type(e->state, struct idmap_domain);
959 ctx = talloc_get_type(dom->private_data, struct idmap_ad_context);
961 ads_status = ad_idmap_cached_connection(dom);
962 if (!ADS_ERR_OK(ads_status)) {
963 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
966 if (!ctx->ad_schema) {
967 nt_status = NT_STATUS_OBJECT_PATH_NOT_FOUND;
971 attrs[0] = ctx->ad_schema->posix_uid_attr;
973 filter = talloc_asprintf(mem_ctx,
974 "(sAMAccountName=%s)",
977 nt_status = NT_STATUS_NO_MEMORY;
981 ads_status = ads_search_retry(ctx->ads, &msg, filter, attrs);
982 if (!ADS_ERR_OK(ads_status)) {
983 nt_status = ads_ntstatus(ads_status);
987 *alias = ads_pull_string(ctx->ads, mem_ctx, msg, ctx->ad_schema->posix_uid_attr);
990 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
993 nt_status = NT_STATUS_OK;
997 talloc_destroy(filter);
1000 ads_msgfree(ctx->ads, msg);
1006 /**********************************************************************
1007 *********************************************************************/
1009 static NTSTATUS nss_ad_map_from_alias( TALLOC_CTX *mem_ctx,
1010 struct nss_domain_entry *e,
1014 const char *attrs[] = {"sAMAccountName",
1016 char *filter = NULL;
1017 LDAPMessage *msg = NULL;
1018 ADS_STATUS ads_status = ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
1019 NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
1021 struct idmap_domain *dom;
1022 struct idmap_ad_context *ctx = NULL;
1024 /* Check incoming parameters */
1026 if ( !alias || !name) {
1027 nt_status = NT_STATUS_INVALID_PARAMETER;
1031 /* Only do query if we are online */
1033 if (idmap_is_offline()) {
1034 nt_status = NT_STATUS_FILE_IS_OFFLINE;
1038 dom = talloc_get_type(e->state, struct idmap_domain);
1039 ctx = talloc_get_type(dom->private_data, struct idmap_ad_context);
1041 ads_status = ad_idmap_cached_connection(dom);
1042 if (!ADS_ERR_OK(ads_status)) {
1043 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1046 if (!ctx->ad_schema) {
1047 nt_status = NT_STATUS_OBJECT_PATH_NOT_FOUND;
1051 filter = talloc_asprintf(mem_ctx,
1053 ctx->ad_schema->posix_uid_attr,
1056 nt_status = NT_STATUS_NO_MEMORY;
1060 ads_status = ads_search_retry(ctx->ads, &msg, filter, attrs);
1061 if (!ADS_ERR_OK(ads_status)) {
1062 nt_status = ads_ntstatus(ads_status);
1066 username = ads_pull_string(ctx->ads, mem_ctx, msg,
1069 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1072 *name = talloc_asprintf(mem_ctx, "%s\\%s",
1076 nt_status = NT_STATUS_NO_MEMORY;
1080 nt_status = NT_STATUS_OK;
1084 talloc_destroy(filter);
1087 ads_msgfree(ctx->ads, msg);
1094 /************************************************************************
1095 ***********************************************************************/
1097 static NTSTATUS nss_ad_close( void )
1099 /* nothing to do. All memory is free()'d by the idmap close_fn() */
1101 return NT_STATUS_OK;
1104 /************************************************************************
1105 Function dispatch tables for the idmap and nss plugins
1106 ***********************************************************************/
1108 static struct idmap_methods ad_methods = {
1109 .init = idmap_ad_initialize,
1110 .unixids_to_sids = idmap_ad_unixids_to_sids,
1111 .sids_to_unixids = idmap_ad_sids_to_unixids,
1112 .close_fn = idmap_ad_close
1115 /* The SFU and RFC2307 NSS plugins share everything but the init
1116 function which sets the intended schema model to use */
1118 static struct nss_info_methods nss_rfc2307_methods = {
1119 .init = nss_rfc2307_init,
1120 .get_nss_info = nss_ad_get_info,
1121 .map_to_alias = nss_ad_map_to_alias,
1122 .map_from_alias = nss_ad_map_from_alias,
1123 .close_fn = nss_ad_close
1126 static struct nss_info_methods nss_sfu_methods = {
1127 .init = nss_sfu_init,
1128 .get_nss_info = nss_ad_get_info,
1129 .map_to_alias = nss_ad_map_to_alias,
1130 .map_from_alias = nss_ad_map_from_alias,
1131 .close_fn = nss_ad_close
1134 static struct nss_info_methods nss_sfu20_methods = {
1135 .init = nss_sfu20_init,
1136 .get_nss_info = nss_ad_get_info,
1137 .map_to_alias = nss_ad_map_to_alias,
1138 .map_from_alias = nss_ad_map_from_alias,
1139 .close_fn = nss_ad_close
1144 /************************************************************************
1145 Initialize the plugins
1146 ***********************************************************************/
1148 NTSTATUS idmap_ad_init(void)
1150 static NTSTATUS status_idmap_ad = NT_STATUS_UNSUCCESSFUL;
1151 static NTSTATUS status_nss_rfc2307 = NT_STATUS_UNSUCCESSFUL;
1152 static NTSTATUS status_nss_sfu = NT_STATUS_UNSUCCESSFUL;
1153 static NTSTATUS status_nss_sfu20 = NT_STATUS_UNSUCCESSFUL;
1155 /* Always register the AD method first in order to get the
1156 idmap_domain interface called */
1158 if ( !NT_STATUS_IS_OK(status_idmap_ad) ) {
1159 status_idmap_ad = smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION,
1161 if ( !NT_STATUS_IS_OK(status_idmap_ad) )
1162 return status_idmap_ad;
1165 if ( !NT_STATUS_IS_OK( status_nss_rfc2307 ) ) {
1166 status_nss_rfc2307 = smb_register_idmap_nss(SMB_NSS_INFO_INTERFACE_VERSION,
1167 "rfc2307", &nss_rfc2307_methods );
1168 if ( !NT_STATUS_IS_OK(status_nss_rfc2307) )
1169 return status_nss_rfc2307;
1172 if ( !NT_STATUS_IS_OK( status_nss_sfu ) ) {
1173 status_nss_sfu = smb_register_idmap_nss(SMB_NSS_INFO_INTERFACE_VERSION,
1174 "sfu", &nss_sfu_methods );
1175 if ( !NT_STATUS_IS_OK(status_nss_sfu) )
1176 return status_nss_sfu;
1179 if ( !NT_STATUS_IS_OK( status_nss_sfu20 ) ) {
1180 status_nss_sfu20 = smb_register_idmap_nss(SMB_NSS_INFO_INTERFACE_VERSION,
1181 "sfu20", &nss_sfu20_methods );
1182 if ( !NT_STATUS_IS_OK(status_nss_sfu20) )
1183 return status_nss_sfu20;
1186 return NT_STATUS_OK;