2 Unix SMB/CIFS implementation.
4 Winbind ADS backend functions
6 Copyright (C) Andrew Tridgell 2001
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003
8 Copyright (C) Gerald (Jerry) Carter 2004
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
30 #define DBGC_CLASS DBGC_WINBIND
32 extern struct winbindd_methods reconnect_methods;
35 return our ads connections structure for a domain. We keep the connection
36 open to make things faster
38 static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain)
43 struct sockaddr_storage dc_ss;
45 DEBUG(10,("ads_cached_connection\n"));
47 if (domain->private_data) {
50 time_t now = time(NULL);
52 /* check for a valid structure */
53 ads = (ADS_STRUCT *)domain->private_data;
55 expire = MIN(ads->auth.tgt_expire, ads->auth.tgs_expire);
57 DEBUG(7, ("Current tickets expire in %d seconds (at %d, time is now %d)\n",
58 (uint32)expire-(uint32)now, (uint32) expire, (uint32) now));
60 if ( ads->config.realm && (expire > now)) {
63 /* we own this ADS_STRUCT so make sure it goes away */
64 DEBUG(7,("Deleting expired krb5 credential cache\n"));
67 ads_kdestroy("MEMORY:winbind_ccache");
68 domain->private_data = NULL;
72 /* we don't want this to affect the users ccache */
73 setenv("KRB5CCNAME", "MEMORY:winbind_ccache", 1);
75 ads = ads_init(domain->alt_name, domain->name, NULL);
77 DEBUG(1,("ads_init for domain %s failed\n", domain->name));
81 /* the machine acct password might have change - fetch it every time */
83 SAFE_FREE(ads->auth.password);
84 SAFE_FREE(ads->auth.realm);
90 if ( !pdb_get_trusteddom_pw( domain->name, &ads->auth.password, &sid, &last_set_time ) ) {
94 ads->auth.realm = SMB_STRDUP( ads->server.realm );
95 strupper_m( ads->auth.realm );
98 struct winbindd_domain *our_domain = domain;
100 ads->auth.password = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
102 /* always give preference to the alt_name in our
103 primary domain if possible */
105 if ( !domain->primary )
106 our_domain = find_our_domain();
108 if ( our_domain->alt_name[0] != '\0' ) {
109 ads->auth.realm = SMB_STRDUP( our_domain->alt_name );
110 strupper_m( ads->auth.realm );
113 ads->auth.realm = SMB_STRDUP( lp_realm() );
116 ads->auth.renewable = WINBINDD_PAM_AUTH_KRB5_RENEW_TIME;
118 /* Setup the server affinity cache. We don't reaally care
119 about the name. Just setup affinity and the KRB5_CONFIG
122 get_dc_name( ads->server.workgroup, ads->server.realm, dc_name, &dc_ss );
124 status = ads_connect(ads);
125 if (!ADS_ERR_OK(status) || !ads->config.realm) {
126 DEBUG(1,("ads_connect for domain %s failed: %s\n",
127 domain->name, ads_errstr(status)));
130 /* if we get ECONNREFUSED then it might be a NT4
131 server, fall back to MSRPC */
132 if (status.error_type == ENUM_ADS_ERROR_SYSTEM &&
133 status.err.rc == ECONNREFUSED) {
134 /* 'reconnect_methods' is the MS-RPC backend. */
135 DEBUG(1,("Trying MSRPC methods\n"));
136 domain->backend = &reconnect_methods;
141 /* set the flag that says we don't own the memory even
142 though we do so that ads_destroy() won't destroy the
143 structure we pass back by reference */
145 ads->is_mine = False;
147 domain->private_data = (void *)ads;
152 /* Query display info for a realm. This is the basic user list fn */
153 static NTSTATUS query_user_list(struct winbindd_domain *domain,
156 WINBIND_USERINFO **info)
158 ADS_STRUCT *ads = NULL;
159 const char *attrs[] = { "*", NULL };
162 LDAPMessage *res = NULL;
163 LDAPMessage *msg = NULL;
164 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
168 DEBUG(3,("ads: query_user_list\n"));
170 if ( !winbindd_can_contact_domain( domain ) ) {
171 DEBUG(10,("query_user_list: No incoming trust for domain %s\n",
176 ads = ads_cached_connection(domain);
179 domain->last_status = NT_STATUS_SERVER_DISABLED;
183 rc = ads_search_retry(ads, &res, "(objectCategory=user)", attrs);
184 if (!ADS_ERR_OK(rc) || !res) {
185 DEBUG(1,("query_user_list ads_search: %s\n", ads_errstr(rc)));
189 count = ads_count_replies(ads, res);
191 DEBUG(1,("query_user_list: No users found\n"));
195 (*info) = TALLOC_ZERO_ARRAY(mem_ctx, WINBIND_USERINFO, count);
197 status = NT_STATUS_NO_MEMORY;
203 for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
204 char *name, *gecos = NULL;
205 char *homedir = NULL;
210 gid_t primary_gid = (gid_t)-1;
212 if (!ads_pull_uint32(ads, msg, "sAMAccountType", &atype) ||
213 ads_atype_map(atype) != SID_NAME_USER) {
214 DEBUG(1,("Not a user account? atype=0x%x\n", atype));
218 name = ads_pull_username(ads, mem_ctx, msg);
220 if ( ads_pull_sid( ads, msg, "objectSid", &user_sid ) ) {
221 status = nss_get_info_cached( domain, &user_sid, mem_ctx,
222 ads, msg, &homedir, &shell, &gecos,
227 gecos = ads_pull_string(ads, mem_ctx, msg, "name");
230 if (!ads_pull_sid(ads, msg, "objectSid",
231 &(*info)[i].user_sid)) {
232 DEBUG(1,("No sid for %s !?\n", name));
235 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &group)) {
236 DEBUG(1,("No primary group for %s !?\n", name));
240 (*info)[i].acct_name = name;
241 (*info)[i].full_name = gecos;
242 (*info)[i].homedir = homedir;
243 (*info)[i].shell = shell;
244 (*info)[i].primary_gid = primary_gid;
245 sid_compose(&(*info)[i].group_sid, &domain->sid, group);
250 status = NT_STATUS_OK;
252 DEBUG(3,("ads query_user_list gave %d entries\n", (*num_entries)));
256 ads_msgfree(ads, res);
261 /* list all domain groups */
262 static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
265 struct acct_info **info)
267 ADS_STRUCT *ads = NULL;
268 const char *attrs[] = {"userPrincipalName", "sAMAccountName",
269 "name", "objectSid", NULL};
272 LDAPMessage *res = NULL;
273 LDAPMessage *msg = NULL;
274 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
276 bool enum_dom_local_groups = False;
280 DEBUG(3,("ads: enum_dom_groups\n"));
282 if ( !winbindd_can_contact_domain( domain ) ) {
283 DEBUG(10,("enum_dom_groups: No incoming trust for domain %s\n",
288 /* only grab domain local groups for our domain */
289 if ( domain->active_directory && strequal(lp_realm(), domain->alt_name) ) {
290 enum_dom_local_groups = True;
293 /* Workaround ADS LDAP bug present in MS W2K3 SP0 and W2K SP4 w/o
296 * According to Section 5.1(4) of RFC 2251 if a value of a type is it's
297 * default value, it MUST be absent. In case of extensible matching the
298 * "dnattr" boolean defaults to FALSE and so it must be only be present
301 * When it is set to FALSE and the OpenLDAP lib (correctly) encodes a
302 * filter using bitwise matching rule then the buggy AD fails to decode
303 * the extensible match. As a workaround set it to TRUE and thereby add
304 * the dnAttributes "dn" field to cope with those older AD versions.
305 * It should not harm and won't put any additional load on the AD since
306 * none of the dn components have a bitmask-attribute.
308 * Thanks to Ralf Haferkamp for input and testing - Guenther */
310 filter = talloc_asprintf(mem_ctx, "(&(objectCategory=group)(&(groupType:dn:%s:=%d)(!(groupType:dn:%s:=%d))))",
311 ADS_LDAP_MATCHING_RULE_BIT_AND, GROUP_TYPE_SECURITY_ENABLED,
312 ADS_LDAP_MATCHING_RULE_BIT_AND,
313 enum_dom_local_groups ? GROUP_TYPE_BUILTIN_LOCAL_GROUP : GROUP_TYPE_RESOURCE_GROUP);
315 if (filter == NULL) {
316 status = NT_STATUS_NO_MEMORY;
320 ads = ads_cached_connection(domain);
323 domain->last_status = NT_STATUS_SERVER_DISABLED;
327 rc = ads_search_retry(ads, &res, filter, attrs);
328 if (!ADS_ERR_OK(rc) || !res) {
329 DEBUG(1,("enum_dom_groups ads_search: %s\n", ads_errstr(rc)));
333 count = ads_count_replies(ads, res);
335 DEBUG(1,("enum_dom_groups: No groups found\n"));
339 (*info) = TALLOC_ZERO_ARRAY(mem_ctx, struct acct_info, count);
341 status = NT_STATUS_NO_MEMORY;
347 for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
352 name = ads_pull_username(ads, mem_ctx, msg);
353 gecos = ads_pull_string(ads, mem_ctx, msg, "name");
354 if (!ads_pull_sid(ads, msg, "objectSid", &sid)) {
355 DEBUG(1,("No sid for %s !?\n", name));
359 if (!sid_peek_check_rid(&domain->sid, &sid, &rid)) {
360 DEBUG(1,("No rid for %s !?\n", name));
364 fstrcpy((*info)[i].acct_name, name);
365 fstrcpy((*info)[i].acct_desc, gecos);
366 (*info)[i].rid = rid;
372 status = NT_STATUS_OK;
374 DEBUG(3,("ads enum_dom_groups gave %d entries\n", (*num_entries)));
378 ads_msgfree(ads, res);
383 /* list all domain local groups */
384 static NTSTATUS enum_local_groups(struct winbindd_domain *domain,
387 struct acct_info **info)
390 * This is a stub function only as we returned the domain
391 * local groups in enum_dom_groups() if the domain->native field
392 * was true. This is a simple performance optimization when
395 * if we ever need to enumerate domain local groups separately,
396 * then this optimization in enum_dom_groups() will need
404 /* convert a single name to a sid in a domain - use rpc methods */
405 static NTSTATUS name_to_sid(struct winbindd_domain *domain,
407 enum winbindd_cmd orig_cmd,
408 const char *domain_name,
411 enum lsa_SidType *type)
413 return reconnect_methods.name_to_sid(domain, mem_ctx, orig_cmd,
418 /* convert a domain SID to a user or group name - use rpc methods */
419 static NTSTATUS sid_to_name(struct winbindd_domain *domain,
424 enum lsa_SidType *type)
426 return reconnect_methods.sid_to_name(domain, mem_ctx, sid,
427 domain_name, name, type);
430 /* convert a list of rids to names - use rpc methods */
431 static NTSTATUS rids_to_names(struct winbindd_domain *domain,
438 enum lsa_SidType **types)
440 return reconnect_methods.rids_to_names(domain, mem_ctx, sid,
442 domain_name, names, types);
445 /* If you are looking for "dn_lookup": Yes, it used to be here!
446 * It has gone now since it was a major speed bottleneck in
447 * lookup_groupmem (its only use). It has been replaced by
448 * an rpc lookup sids call... R.I.P. */
450 /* Lookup user information from a rid */
451 static NTSTATUS query_user(struct winbindd_domain *domain,
454 WINBIND_USERINFO *info)
456 ADS_STRUCT *ads = NULL;
457 const char *attrs[] = { "*", NULL };
460 LDAPMessage *msg = NULL;
464 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
465 struct netr_SamInfo3 *user = NULL;
467 DEBUG(3,("ads: query_user\n"));
469 info->homedir = NULL;
471 info->primary_gid = (gid_t)-1;
473 /* try netsamlogon cache first */
475 if ( (user = netsamlogon_cache_get( mem_ctx, sid )) != NULL )
478 DEBUG(5,("query_user: Cache lookup succeeded for %s\n",
479 sid_string_dbg(sid)));
481 sid_compose(&info->user_sid, &domain->sid, user->base.rid);
482 sid_compose(&info->group_sid, &domain->sid, user->base.primary_gid);
484 info->acct_name = talloc_strdup(mem_ctx, user->base.account_name.string);
485 info->full_name = talloc_strdup(mem_ctx, user->base.full_name.string);
487 nss_get_info_cached( domain, sid, mem_ctx, NULL, NULL,
488 &info->homedir, &info->shell, &info->full_name,
489 &info->primary_gid );
496 if ( !winbindd_can_contact_domain(domain)) {
497 DEBUG(8,("query_user: No incoming trust from domain %s\n",
500 /* We still need to generate some basic information
501 about the user even if we cannot contact the
502 domain. Most of this stuff we can deduce. */
504 sid_copy( &info->user_sid, sid );
506 /* Assume "Domain Users" for the primary group */
508 sid_compose(&info->group_sid, &domain->sid, DOMAIN_GROUP_RID_USERS );
510 /* Try to fill in what the nss_info backend can do */
512 nss_get_info_cached( domain, sid, mem_ctx, NULL, NULL,
513 &info->homedir, &info->shell, &info->full_name,
514 &info->primary_gid );
516 status = NT_STATUS_OK;
520 /* no cache...do the query */
522 if ( (ads = ads_cached_connection(domain)) == NULL ) {
523 domain->last_status = NT_STATUS_SERVER_DISABLED;
527 sidstr = sid_binstring(sid);
528 if (asprintf(&ldap_exp, "(objectSid=%s)", sidstr) == -1) {
529 status = NT_STATUS_NO_MEMORY;
532 rc = ads_search_retry(ads, &msg, ldap_exp, attrs);
535 if (!ADS_ERR_OK(rc) || !msg) {
536 DEBUG(1,("query_user(sid=%s) ads_search: %s\n",
537 sid_string_dbg(sid), ads_errstr(rc)));
541 count = ads_count_replies(ads, msg);
543 DEBUG(1,("query_user(sid=%s): Not found\n",
544 sid_string_dbg(sid)));
548 info->acct_name = ads_pull_username(ads, mem_ctx, msg);
550 nss_get_info_cached( domain, sid, mem_ctx, ads, msg,
551 &info->homedir, &info->shell, &info->full_name,
552 &info->primary_gid );
554 if (info->full_name == NULL) {
555 info->full_name = ads_pull_string(ads, mem_ctx, msg, "name");
558 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &group_rid)) {
559 DEBUG(1,("No primary group for %s !?\n",
560 sid_string_dbg(sid)));
564 sid_copy(&info->user_sid, sid);
565 sid_compose(&info->group_sid, &domain->sid, group_rid);
567 status = NT_STATUS_OK;
569 DEBUG(3,("ads query_user gave %s\n", info->acct_name));
572 ads_msgfree(ads, msg);
577 /* Lookup groups a user is a member of - alternate method, for when
578 tokenGroups are not available. */
579 static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain,
582 DOM_SID *primary_group,
583 size_t *p_num_groups, DOM_SID **user_sids)
586 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
588 LDAPMessage *res = NULL;
589 LDAPMessage *msg = NULL;
592 const char *group_attrs[] = {"objectSid", NULL};
594 size_t num_groups = 0;
596 DEBUG(3,("ads: lookup_usergroups_member\n"));
598 if ( !winbindd_can_contact_domain( domain ) ) {
599 DEBUG(10,("lookup_usergroups_members: No incoming trust for domain %s\n",
604 ads = ads_cached_connection(domain);
607 domain->last_status = NT_STATUS_SERVER_DISABLED;
611 if (!(escaped_dn = escape_ldap_string_alloc(user_dn))) {
612 status = NT_STATUS_NO_MEMORY;
616 ldap_exp = talloc_asprintf(mem_ctx,
617 "(&(member=%s)(objectCategory=group)(groupType:dn:%s:=%d))",
619 ADS_LDAP_MATCHING_RULE_BIT_AND,
620 GROUP_TYPE_SECURITY_ENABLED);
622 DEBUG(1,("lookup_usergroups(dn=%s) asprintf failed!\n", user_dn));
623 SAFE_FREE(escaped_dn);
624 status = NT_STATUS_NO_MEMORY;
628 SAFE_FREE(escaped_dn);
630 rc = ads_search_retry(ads, &res, ldap_exp, group_attrs);
632 if (!ADS_ERR_OK(rc) || !res) {
633 DEBUG(1,("lookup_usergroups ads_search member=%s: %s\n", user_dn, ads_errstr(rc)));
634 return ads_ntstatus(rc);
637 count = ads_count_replies(ads, res);
642 /* always add the primary group to the sid array */
643 status = add_sid_to_array(mem_ctx, primary_group, user_sids,
645 if (!NT_STATUS_IS_OK(status)) {
650 for (msg = ads_first_entry(ads, res); msg;
651 msg = ads_next_entry(ads, msg)) {
654 if (!ads_pull_sid(ads, msg, "objectSid", &group_sid)) {
655 DEBUG(1,("No sid for this group ?!?\n"));
659 /* ignore Builtin groups from ADS - Guenther */
660 if (sid_check_is_in_builtin(&group_sid)) {
664 status = add_sid_to_array(mem_ctx, &group_sid,
665 user_sids, &num_groups);
666 if (!NT_STATUS_IS_OK(status)) {
673 *p_num_groups = num_groups;
674 status = (user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
676 DEBUG(3,("ads lookup_usergroups (member) succeeded for dn=%s\n", user_dn));
679 ads_msgfree(ads, res);
684 /* Lookup groups a user is a member of - alternate method, for when
685 tokenGroups are not available. */
686 static NTSTATUS lookup_usergroups_memberof(struct winbindd_domain *domain,
689 DOM_SID *primary_group,
690 size_t *p_num_groups,
694 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
696 const char *attrs[] = {"memberOf", NULL};
697 size_t num_groups = 0;
698 DOM_SID *group_sids = NULL;
700 char **strings = NULL;
701 size_t num_strings = 0, num_sids = 0;
704 DEBUG(3,("ads: lookup_usergroups_memberof\n"));
706 if ( !winbindd_can_contact_domain( domain ) ) {
707 DEBUG(10,("lookup_usergroups_memberof: No incoming trust for "
708 "domain %s\n", domain->name));
712 ads = ads_cached_connection(domain);
715 domain->last_status = NT_STATUS_SERVER_DISABLED;
716 return NT_STATUS_UNSUCCESSFUL;
719 rc = ads_search_retry_extended_dn_ranged(ads, mem_ctx, user_dn, attrs,
720 ADS_EXTENDED_DN_HEX_STRING,
721 &strings, &num_strings);
723 if (!ADS_ERR_OK(rc)) {
724 DEBUG(1,("lookup_usergroups_memberof ads_search "
725 "member=%s: %s\n", user_dn, ads_errstr(rc)));
726 return ads_ntstatus(rc);
732 /* always add the primary group to the sid array */
733 status = add_sid_to_array(mem_ctx, primary_group, user_sids,
735 if (!NT_STATUS_IS_OK(status)) {
739 group_sids = TALLOC_ZERO_ARRAY(mem_ctx, DOM_SID, num_strings + 1);
741 status = NT_STATUS_NO_MEMORY;
745 for (i=0; i<num_strings; i++) {
746 rc = ads_get_sid_from_extended_dn(mem_ctx, strings[i],
747 ADS_EXTENDED_DN_HEX_STRING,
749 if (!ADS_ERR_OK(rc)) {
750 /* ignore members without SIDs */
751 if (NT_STATUS_EQUAL(ads_ntstatus(rc),
752 NT_STATUS_NOT_FOUND)) {
756 status = ads_ntstatus(rc);
764 DEBUG(1,("No memberOf for this user?!?\n"));
765 status = NT_STATUS_NO_MEMORY;
769 for (i=0; i<num_sids; i++) {
771 /* ignore Builtin groups from ADS - Guenther */
772 if (sid_check_is_in_builtin(&group_sids[i])) {
776 status = add_sid_to_array(mem_ctx, &group_sids[i], user_sids,
778 if (!NT_STATUS_IS_OK(status)) {
784 *p_num_groups = num_groups;
785 status = (*user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
787 DEBUG(3,("ads lookup_usergroups (memberof) succeeded for dn=%s\n",
791 TALLOC_FREE(strings);
792 TALLOC_FREE(group_sids);
798 /* Lookup groups a user is a member of. */
799 static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
802 uint32 *p_num_groups, DOM_SID **user_sids)
804 ADS_STRUCT *ads = NULL;
805 const char *attrs[] = {"tokenGroups", "primaryGroupID", NULL};
808 LDAPMessage *msg = NULL;
809 char *user_dn = NULL;
812 DOM_SID primary_group;
813 uint32 primary_group_rid;
814 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
815 size_t num_groups = 0;
817 DEBUG(3,("ads: lookup_usergroups\n"));
820 status = lookup_usergroups_cached(domain, mem_ctx, sid,
821 p_num_groups, user_sids);
822 if (NT_STATUS_IS_OK(status)) {
826 if ( !winbindd_can_contact_domain( domain ) ) {
827 DEBUG(10,("lookup_usergroups: No incoming trust for domain %s\n",
830 /* Tell the cache manager not to remember this one */
832 return NT_STATUS_SYNCHRONIZATION_REQUIRED;
835 ads = ads_cached_connection(domain);
838 domain->last_status = NT_STATUS_SERVER_DISABLED;
839 status = NT_STATUS_SERVER_DISABLED;
843 rc = ads_search_retry_sid(ads, &msg, sid, attrs);
845 if (!ADS_ERR_OK(rc)) {
846 status = ads_ntstatus(rc);
847 DEBUG(1, ("lookup_usergroups(sid=%s) ads_search tokenGroups: "
848 "%s\n", sid_string_dbg(sid), ads_errstr(rc)));
852 count = ads_count_replies(ads, msg);
854 status = NT_STATUS_UNSUCCESSFUL;
855 DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: "
856 "invalid number of results (count=%d)\n",
857 sid_string_dbg(sid), count));
862 DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: NULL msg\n",
863 sid_string_dbg(sid)));
864 status = NT_STATUS_UNSUCCESSFUL;
868 user_dn = ads_get_dn(ads, mem_ctx, msg);
869 if (user_dn == NULL) {
870 status = NT_STATUS_NO_MEMORY;
874 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &primary_group_rid)) {
875 DEBUG(1,("%s: No primary group for sid=%s !?\n",
876 domain->name, sid_string_dbg(sid)));
880 sid_copy(&primary_group, &domain->sid);
881 sid_append_rid(&primary_group, primary_group_rid);
883 count = ads_pull_sids(ads, mem_ctx, msg, "tokenGroups", &sids);
885 /* there must always be at least one group in the token,
886 unless we are talking to a buggy Win2k server */
888 /* actually this only happens when the machine account has no read
889 * permissions on the tokenGroup attribute - gd */
895 /* lookup what groups this user is a member of by DN search on
898 status = lookup_usergroups_memberof(domain, mem_ctx, user_dn,
900 &num_groups, user_sids);
901 *p_num_groups = (uint32)num_groups;
902 if (NT_STATUS_IS_OK(status)) {
906 /* lookup what groups this user is a member of by DN search on
909 status = lookup_usergroups_member(domain, mem_ctx, user_dn,
911 &num_groups, user_sids);
912 *p_num_groups = (uint32)num_groups;
919 status = add_sid_to_array(mem_ctx, &primary_group, user_sids,
921 if (!NT_STATUS_IS_OK(status)) {
925 for (i=0;i<count;i++) {
927 /* ignore Builtin groups from ADS - Guenther */
928 if (sid_check_is_in_builtin(&sids[i])) {
932 status = add_sid_to_array_unique(mem_ctx, &sids[i],
933 user_sids, &num_groups);
934 if (!NT_STATUS_IS_OK(status)) {
939 *p_num_groups = (uint32)num_groups;
940 status = (*user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
942 DEBUG(3,("ads lookup_usergroups (tokenGroups) succeeded for sid=%s\n",
943 sid_string_dbg(sid)));
945 TALLOC_FREE(user_dn);
946 ads_msgfree(ads, msg);
950 /* Lookup aliases a user is member of - use rpc methods */
951 static NTSTATUS lookup_useraliases(struct winbindd_domain *domain,
953 uint32 num_sids, const DOM_SID *sids,
954 uint32 *num_aliases, uint32 **alias_rids)
956 return reconnect_methods.lookup_useraliases(domain, mem_ctx,
963 find the members of a group, given a group rid and domain
965 static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
967 const DOM_SID *group_sid, uint32 *num_names,
968 DOM_SID **sid_mem, char ***names,
972 ADS_STRUCT *ads = NULL;
974 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
976 char **members = NULL;
978 size_t num_members = 0;
980 struct rpc_pipe_client *cli;
981 struct policy_handle lsa_policy;
982 DOM_SID *sid_mem_nocache = NULL;
983 char **names_nocache = NULL;
984 enum lsa_SidType *name_types_nocache = NULL;
985 char **domains_nocache = NULL; /* only needed for rpccli_lsa_lookup_sids */
986 uint32 num_nocache = 0;
987 TALLOC_CTX *tmp_ctx = NULL;
989 DEBUG(10,("ads: lookup_groupmem %s sid=%s\n", domain->name,
990 sid_string_dbg(group_sid)));
994 tmp_ctx = talloc_new(mem_ctx);
996 DEBUG(1, ("ads: lookup_groupmem: talloc failed\n"));
997 status = NT_STATUS_NO_MEMORY;
1001 if ( !winbindd_can_contact_domain( domain ) ) {
1002 DEBUG(10,("lookup_groupmem: No incoming trust for domain %s\n",
1004 return NT_STATUS_OK;
1007 ads = ads_cached_connection(domain);
1010 domain->last_status = NT_STATUS_SERVER_DISABLED;
1014 if ((sidbinstr = sid_binstring(group_sid)) == NULL) {
1015 status = NT_STATUS_NO_MEMORY;
1019 /* search for all members of the group */
1020 if (!(ldap_exp = talloc_asprintf(tmp_ctx, "(objectSid=%s)",
1023 SAFE_FREE(sidbinstr);
1024 DEBUG(1, ("ads: lookup_groupmem: talloc_asprintf for ldap_exp failed!\n"));
1025 status = NT_STATUS_NO_MEMORY;
1028 SAFE_FREE(sidbinstr);
1030 args.control = ADS_EXTENDED_DN_OID;
1031 args.val = ADS_EXTENDED_DN_HEX_STRING;
1032 args.critical = True;
1034 rc = ads_ranged_search(ads, tmp_ctx, LDAP_SCOPE_SUBTREE, ads->config.bind_path,
1035 ldap_exp, &args, "member", &members, &num_members);
1037 if (!ADS_ERR_OK(rc)) {
1038 DEBUG(0,("ads_ranged_search failed with: %s\n", ads_errstr(rc)));
1039 status = NT_STATUS_UNSUCCESSFUL;
1043 DEBUG(10, ("ads lookup_groupmem: got %d sids via extended dn call\n", (int)num_members));
1045 /* Now that we have a list of sids, we need to get the
1046 * lists of names and name_types belonging to these sids.
1047 * even though conceptually not quite clean, we use the
1048 * RPC call lsa_lookup_sids for this since it can handle a
1049 * list of sids. ldap calls can just resolve one sid at a time.
1051 * At this stage, the sids are still hidden in the exetended dn
1052 * member output format. We actually do a little better than
1053 * stated above: In extracting the sids from the member strings,
1054 * we try to resolve as many sids as possible from the
1055 * cache. Only the rest is passed to the lsa_lookup_sids call. */
1058 (*sid_mem) = TALLOC_ZERO_ARRAY(mem_ctx, DOM_SID, num_members);
1059 (*names) = TALLOC_ZERO_ARRAY(mem_ctx, char *, num_members);
1060 (*name_types) = TALLOC_ZERO_ARRAY(mem_ctx, uint32, num_members);
1061 (sid_mem_nocache) = TALLOC_ZERO_ARRAY(tmp_ctx, DOM_SID, num_members);
1063 if ((members == NULL) || (*sid_mem == NULL) ||
1064 (*names == NULL) || (*name_types == NULL) ||
1065 (sid_mem_nocache == NULL))
1067 DEBUG(1, ("ads: lookup_groupmem: talloc failed\n"));
1068 status = NT_STATUS_NO_MEMORY;
1075 (*name_types) = NULL;
1078 for (i=0; i<num_members; i++) {
1079 enum lsa_SidType name_type;
1080 char *name, *domain_name;
1083 rc = ads_get_sid_from_extended_dn(tmp_ctx, members[i], args.val,
1085 if (!ADS_ERR_OK(rc)) {
1086 if (NT_STATUS_EQUAL(ads_ntstatus(rc),
1087 NT_STATUS_NOT_FOUND)) {
1088 /* Group members can be objects, like Exchange
1089 * Public Folders, that don't have a SID. Skip
1094 status = ads_ntstatus(rc);
1098 if (lookup_cached_sid(mem_ctx, &sid, &domain_name, &name,
1100 DEBUG(10,("ads: lookup_groupmem: got sid %s from "
1101 "cache\n", sid_string_dbg(&sid)));
1102 sid_copy(&(*sid_mem)[*num_names], &sid);
1103 (*names)[*num_names] = fill_domain_username_talloc(
1109 (*name_types)[*num_names] = name_type;
1113 DEBUG(10, ("ads: lookup_groupmem: sid %s not found in "
1114 "cache\n", sid_string_dbg(&sid)));
1115 sid_copy(&(sid_mem_nocache)[num_nocache], &sid);
1120 DEBUG(10, ("ads: lookup_groupmem: %d sids found in cache, "
1121 "%d left for lsa_lookupsids\n", *num_names, num_nocache));
1123 /* handle sids not resolved from cache by lsa_lookup_sids */
1124 if (num_nocache > 0) {
1125 unsigned int orig_timeout;
1127 status = cm_connect_lsa(domain, tmp_ctx, &cli, &lsa_policy);
1129 if (!NT_STATUS_IS_OK(status)) {
1134 * This call can take a long time
1135 * allow the server to time out.
1136 * 35 seconds should do it.
1138 orig_timeout = rpccli_set_timeout(cli, 35000);
1140 status = rpccli_lsa_lookup_sids(cli, tmp_ctx,
1146 &name_types_nocache);
1148 /* And restore our original timeout. */
1149 rpccli_set_timeout(cli, orig_timeout);
1151 if (!(NT_STATUS_IS_OK(status) ||
1152 NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED) ||
1153 NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)))
1155 DEBUG(1, ("lsa_lookupsids call failed with %s "
1156 "- retrying...\n", nt_errstr(status)));
1158 status = cm_connect_lsa(domain, tmp_ctx, &cli,
1161 if (!NT_STATUS_IS_OK(status)) {
1166 * This call can take a long time
1167 * allow the server to time out.
1168 * 35 seconds should do it.
1170 orig_timeout = rpccli_set_timeout(cli, 35000);
1172 status = rpccli_lsa_lookup_sids(cli, tmp_ctx,
1178 &name_types_nocache);
1180 /* And restore our original timeout. */
1181 rpccli_set_timeout(cli, orig_timeout);
1184 if (NT_STATUS_IS_OK(status) ||
1185 NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED))
1187 /* Copy the entries over from the "_nocache" arrays
1188 * to the result arrays, skipping the gaps the
1189 * lookup_sids call left. */
1190 for (i=0; i < num_nocache; i++) {
1191 if (((names_nocache)[i] != NULL) &&
1192 ((name_types_nocache)[i] != SID_NAME_UNKNOWN))
1194 sid_copy(&(*sid_mem)[*num_names],
1195 &sid_mem_nocache[i]);
1196 (*names)[*num_names] =
1197 fill_domain_username_talloc(
1202 (*name_types)[*num_names] = name_types_nocache[i];
1207 else if (NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)) {
1208 DEBUG(10, ("lookup_groupmem: lsa_lookup_sids could "
1209 "not map any SIDs at all.\n"));
1210 /* Don't handle this as an error here.
1211 * There is nothing left to do with respect to the
1212 * overall result... */
1214 else if (!NT_STATUS_IS_OK(status)) {
1215 DEBUG(10, ("lookup_groupmem: Error looking up %d "
1216 "sids via rpc_lsa_lookup_sids: %s\n",
1217 (int)num_members, nt_errstr(status)));
1222 status = NT_STATUS_OK;
1223 DEBUG(3,("ads lookup_groupmem for sid=%s succeeded\n",
1224 sid_string_dbg(group_sid)));
1228 TALLOC_FREE(tmp_ctx);
1233 /* find the sequence number for a domain */
1234 static NTSTATUS sequence_number(struct winbindd_domain *domain, uint32 *seq)
1236 ADS_STRUCT *ads = NULL;
1239 DEBUG(3,("ads: fetch sequence_number for %s\n", domain->name));
1241 if ( !winbindd_can_contact_domain( domain ) ) {
1242 DEBUG(10,("sequence: No incoming trust for domain %s\n",
1245 return NT_STATUS_OK;
1248 *seq = DOM_SEQUENCE_NONE;
1250 ads = ads_cached_connection(domain);
1253 domain->last_status = NT_STATUS_SERVER_DISABLED;
1254 return NT_STATUS_UNSUCCESSFUL;
1257 rc = ads_USN(ads, seq);
1259 if (!ADS_ERR_OK(rc)) {
1261 /* its a dead connection, destroy it */
1263 if (domain->private_data) {
1264 ads = (ADS_STRUCT *)domain->private_data;
1265 ads->is_mine = True;
1267 ads_kdestroy("MEMORY:winbind_ccache");
1268 domain->private_data = NULL;
1271 return ads_ntstatus(rc);
1274 /* find the lockout policy of a domain - use rpc methods */
1275 static NTSTATUS lockout_policy(struct winbindd_domain *domain,
1276 TALLOC_CTX *mem_ctx,
1277 struct samr_DomInfo12 *policy)
1279 return reconnect_methods.lockout_policy(domain, mem_ctx, policy);
1282 /* find the password policy of a domain - use rpc methods */
1283 static NTSTATUS password_policy(struct winbindd_domain *domain,
1284 TALLOC_CTX *mem_ctx,
1285 struct samr_DomInfo1 *policy)
1287 return reconnect_methods.password_policy(domain, mem_ctx, policy);
1290 /* get a list of trusted domains */
1291 static NTSTATUS trusted_domains(struct winbindd_domain *domain,
1292 TALLOC_CTX *mem_ctx,
1293 uint32 *num_domains,
1298 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1299 struct netr_DomainTrustList trusts;
1302 struct rpc_pipe_client *cli;
1303 uint32 fr_flags = (NETR_TRUST_FLAG_IN_FOREST | NETR_TRUST_FLAG_TREEROOT);
1306 DEBUG(3,("ads: trusted_domains\n"));
1313 /* If this is our primary domain or a root in our forest,
1314 query for all trusts. If not, then just look for domain
1315 trusts in the target forest */
1317 if ( domain->primary ||
1318 ((domain->domain_flags&fr_flags) == fr_flags) )
1320 flags = NETR_TRUST_FLAG_OUTBOUND |
1321 NETR_TRUST_FLAG_INBOUND |
1322 NETR_TRUST_FLAG_IN_FOREST;
1324 flags = NETR_TRUST_FLAG_IN_FOREST;
1327 result = cm_connect_netlogon(domain, &cli);
1329 if (!NT_STATUS_IS_OK(result)) {
1330 DEBUG(5, ("trusted_domains: Could not open a connection to %s "
1331 "for PIPE_NETLOGON (%s)\n",
1332 domain->name, nt_errstr(result)));
1333 return NT_STATUS_UNSUCCESSFUL;
1336 result = rpccli_netr_DsrEnumerateDomainTrusts(cli, mem_ctx,
1341 if ( NT_STATUS_IS_OK(result) && trusts.count) {
1343 /* Allocate memory for trusted domain names and sids */
1345 if ( !(*names = TALLOC_ARRAY(mem_ctx, char *, trusts.count)) ) {
1346 DEBUG(0, ("trusted_domains: out of memory\n"));
1347 return NT_STATUS_NO_MEMORY;
1350 if ( !(*alt_names = TALLOC_ARRAY(mem_ctx, char *, trusts.count)) ) {
1351 DEBUG(0, ("trusted_domains: out of memory\n"));
1352 return NT_STATUS_NO_MEMORY;
1355 if ( !(*dom_sids = TALLOC_ARRAY(mem_ctx, DOM_SID, trusts.count)) ) {
1356 DEBUG(0, ("trusted_domains: out of memory\n"));
1357 return NT_STATUS_NO_MEMORY;
1360 /* Copy across names and sids */
1364 for (i = 0; i < trusts.count; i++) {
1365 struct winbindd_domain d;
1369 /* drop external trusts if this is not our primary
1370 domain. This means that the returned number of
1371 domains may be less that the ones actually trusted
1374 if ( (trusts.array[i].trust_attributes == NETR_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) &&
1377 DEBUG(10,("trusted_domains: Skipping external trusted domain "
1378 "%s because it is outside of our primary domain\n",
1379 trusts.array[i].netbios_name));
1383 (*names)[ret_count] = CONST_DISCARD(char *, trusts.array[i].netbios_name);
1384 (*alt_names)[ret_count] = CONST_DISCARD(char *, trusts.array[i].dns_name);
1385 if (trusts.array[i].sid) {
1386 sid_copy(&(*dom_sids)[ret_count], trusts.array[i].sid);
1388 sid_copy(&(*dom_sids)[ret_count], &global_sid_NULL);
1391 /* add to the trusted domain cache */
1393 fstrcpy( d.name, trusts.array[i].netbios_name);
1394 fstrcpy( d.alt_name, trusts.array[i].dns_name);
1395 if (trusts.array[i].sid) {
1396 sid_copy( &d.sid, trusts.array[i].sid);
1398 sid_copy(&d.sid, &global_sid_NULL);
1401 if ( domain->primary ) {
1402 DEBUG(10,("trusted_domains(ads): Searching "
1403 "trusted domain list of %s and storing "
1404 "trust flags for domain %s\n",
1405 domain->name, d.alt_name));
1407 d.domain_flags = trusts.array[i].trust_flags;
1408 d.domain_type = trusts.array[i].trust_type;
1409 d.domain_trust_attribs = trusts.array[i].trust_attributes;
1411 wcache_tdc_add_domain( &d );
1413 } else if ( (domain->domain_flags&fr_flags) == fr_flags ) {
1414 /* Check if we already have this record. If
1415 * we are following our forest root that is not
1416 * our primary domain, we want to keep trust
1417 * flags from the perspective of our primary
1418 * domain not our forest root. */
1419 struct winbindd_tdc_domain *exist = NULL;
1422 wcache_tdc_fetch_domain(NULL, trusts.array[i].netbios_name);
1424 DEBUG(10,("trusted_domains(ads): Searching "
1425 "trusted domain list of %s and storing "
1426 "trust flags for domain %s\n",
1427 domain->name, d.alt_name));
1428 d.domain_flags = trusts.array[i].trust_flags;
1429 d.domain_type = trusts.array[i].trust_type;
1430 d.domain_trust_attribs = trusts.array[i].trust_attributes;
1432 wcache_tdc_add_domain( &d );
1437 /* This gets a little tricky. If we are
1438 following a transitive forest trust, then
1439 innerit the flags, type, and attribs from
1440 the domain we queried to make sure we don't
1441 record the view of the trust from the wrong
1442 side. Always view it from the side of our
1443 primary domain. --jerry */
1444 struct winbindd_tdc_domain *parent = NULL;
1446 DEBUG(10,("trusted_domains(ads): Searching "
1447 "trusted domain list of %s and inheriting "
1448 "trust flags for domain %s\n",
1449 domain->name, d.alt_name));
1451 parent = wcache_tdc_fetch_domain(NULL, domain->name);
1453 d.domain_flags = parent->trust_flags;
1454 d.domain_type = parent->trust_type;
1455 d.domain_trust_attribs = parent->trust_attribs;
1457 d.domain_flags = domain->domain_flags;
1458 d.domain_type = domain->domain_type;
1459 d.domain_trust_attribs = domain->domain_trust_attribs;
1461 TALLOC_FREE(parent);
1463 wcache_tdc_add_domain( &d );
1468 *num_domains = ret_count;
1474 /* the ADS backend methods are exposed via this structure */
1475 struct winbindd_methods ads_methods = {