2 Unix SMB/CIFS implementation.
4 Winbind rpc backend functions
6 Copyright (C) Tim Potter 2000-2001,2003
7 Copyright (C) Andrew Tridgell 2001
8 Copyright (C) Volker Lendecke 2005
9 Copyright (C) Guenther Deschner 2008 (pidl conversion)
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 3 of the License, or
14 (at your option) any later version.
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
21 You should have received a copy of the GNU General Public License
22 along with this program. If not, see <http://www.gnu.org/licenses/>.
27 #include "winbindd_rpc.h"
29 #include "../librpc/gen_ndr/ndr_samr_c.h"
30 #include "rpc_client/cli_samr.h"
31 #include "rpc_client/cli_lsarpc.h"
32 #include "../libcli/security/security.h"
35 #define DBGC_CLASS DBGC_WINBIND
38 /* Query display info for a domain. This returns enough information plus a
39 bit extra to give an overview of domain users for the User Manager
41 static NTSTATUS msrpc_query_user_list(struct winbindd_domain *domain,
44 struct wbint_userinfo **pinfo)
46 struct rpc_pipe_client *samr_pipe = NULL;
47 struct policy_handle dom_pol;
48 struct wbint_userinfo *info = NULL;
49 uint32_t num_info = 0;
53 DEBUG(3, ("msrpc_query_user_list\n"));
59 tmp_ctx = talloc_stackframe();
60 if (tmp_ctx == NULL) {
61 return NT_STATUS_NO_MEMORY;
64 if ( !winbindd_can_contact_domain( domain ) ) {
65 DEBUG(10,("query_user_list: No incoming trust for domain %s\n",
67 status = NT_STATUS_OK;
71 status = cm_connect_sam(domain, tmp_ctx, &samr_pipe, &dom_pol);
72 if (!NT_STATUS_IS_OK(status)) {
76 status = rpc_query_user_list(tmp_ctx,
82 if (!NT_STATUS_IS_OK(status)) {
87 *pnum_info = num_info;
91 *pinfo = talloc_move(mem_ctx, &info);
99 /* list all domain groups */
100 static NTSTATUS msrpc_enum_dom_groups(struct winbindd_domain *domain,
103 struct acct_info **pinfo)
105 struct rpc_pipe_client *samr_pipe;
106 struct policy_handle dom_pol;
107 struct acct_info *info = NULL;
108 uint32_t num_info = 0;
112 DEBUG(3,("msrpc_enum_dom_groups\n"));
118 tmp_ctx = talloc_stackframe();
119 if (tmp_ctx == NULL) {
120 return NT_STATUS_NO_MEMORY;
123 if ( !winbindd_can_contact_domain( domain ) ) {
124 DEBUG(10,("enum_domain_groups: No incoming trust for domain %s\n",
126 status = NT_STATUS_OK;
130 status = cm_connect_sam(domain, tmp_ctx, &samr_pipe, &dom_pol);
131 if (!NT_STATUS_IS_OK(status)) {
135 status = rpc_enum_dom_groups(tmp_ctx,
140 if (!NT_STATUS_IS_OK(status)) {
145 *pnum_info = num_info;
149 *pinfo = talloc_move(mem_ctx, &info);
153 TALLOC_FREE(tmp_ctx);
157 /* List all domain groups */
159 static NTSTATUS msrpc_enum_local_groups(struct winbindd_domain *domain,
162 struct acct_info **pinfo)
164 struct rpc_pipe_client *samr_pipe;
165 struct policy_handle dom_pol;
166 struct acct_info *info = NULL;
167 uint32_t num_info = 0;
171 DEBUG(3,("msrpc_enum_local_groups\n"));
177 tmp_ctx = talloc_stackframe();
178 if (tmp_ctx == NULL) {
179 return NT_STATUS_NO_MEMORY;
182 if ( !winbindd_can_contact_domain( domain ) ) {
183 DEBUG(10,("enum_local_groups: No incoming trust for domain %s\n",
185 status = NT_STATUS_OK;
189 status = cm_connect_sam(domain, tmp_ctx, &samr_pipe, &dom_pol);
190 if (!NT_STATUS_IS_OK(status)) {
194 status = rpc_enum_local_groups(mem_ctx,
199 if (!NT_STATUS_IS_OK(status)) {
204 *pnum_info = num_info;
208 *pinfo = talloc_move(mem_ctx, &info);
212 TALLOC_FREE(tmp_ctx);
216 /* convert a single name to a sid in a domain */
217 static NTSTATUS msrpc_name_to_sid(struct winbindd_domain *domain,
219 const char *domain_name,
223 enum lsa_SidType *type)
226 struct dom_sid *sids = NULL;
227 enum lsa_SidType *types = NULL;
228 char *full_name = NULL;
229 NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL;
230 char *mapped_name = NULL;
232 if (name == NULL || *name=='\0') {
233 full_name = talloc_asprintf(mem_ctx, "%s", domain_name);
234 } else if (domain_name == NULL || *domain_name == '\0') {
235 full_name = talloc_asprintf(mem_ctx, "%s", name);
237 full_name = talloc_asprintf(mem_ctx, "%s\\%s", domain_name, name);
240 DEBUG(0, ("talloc_asprintf failed!\n"));
241 return NT_STATUS_NO_MEMORY;
244 DEBUG(3, ("msrpc_name_to_sid: name=%s\n", full_name));
246 name_map_status = normalize_name_unmap(mem_ctx, full_name,
249 /* Reset the full_name pointer if we mapped anytthing */
251 if (NT_STATUS_IS_OK(name_map_status) ||
252 NT_STATUS_EQUAL(name_map_status, NT_STATUS_FILE_RENAMED))
254 full_name = mapped_name;
257 DEBUG(3,("name_to_sid [rpc] %s for domain %s\n",
258 full_name?full_name:"", domain_name ));
260 result = winbindd_lookup_names(mem_ctx, domain, 1,
261 (const char **)&full_name, NULL,
263 if (!NT_STATUS_IS_OK(result))
266 /* Return rid and type if lookup successful */
268 sid_copy(sid, &sids[0]);
275 convert a domain SID to a user or group name
277 static NTSTATUS msrpc_sid_to_name(struct winbindd_domain *domain,
279 const struct dom_sid *sid,
282 enum lsa_SidType *type)
286 enum lsa_SidType *types = NULL;
288 NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL;
289 char *mapped_name = NULL;
291 DEBUG(3, ("msrpc_sid_to_name: %s for domain %s\n", sid_string_dbg(sid),
294 result = winbindd_lookup_sids(mem_ctx,
301 if (!NT_STATUS_IS_OK(result)) {
302 DEBUG(2,("msrpc_sid_to_name: failed to lookup sids: %s\n",
308 *type = (enum lsa_SidType)types[0];
309 *domain_name = domains[0];
312 DEBUG(5,("Mapped sid to [%s]\\[%s]\n", domains[0], *name));
314 name_map_status = normalize_name_map(mem_ctx, domain, *name,
316 if (NT_STATUS_IS_OK(name_map_status) ||
317 NT_STATUS_EQUAL(name_map_status, NT_STATUS_FILE_RENAMED))
320 DEBUG(5,("returning mapped name -- %s\n", *name));
326 static NTSTATUS msrpc_rids_to_names(struct winbindd_domain *domain,
328 const struct dom_sid *sid,
333 enum lsa_SidType **types)
337 struct dom_sid *sids;
341 DEBUG(3, ("msrpc_rids_to_names: domain %s\n", domain->name ));
344 sids = TALLOC_ARRAY(mem_ctx, struct dom_sid, num_rids);
346 return NT_STATUS_NO_MEMORY;
352 for (i=0; i<num_rids; i++) {
353 if (!sid_compose(&sids[i], sid, rids[i])) {
354 return NT_STATUS_INTERNAL_ERROR;
358 result = winbindd_lookup_sids(mem_ctx,
366 if (!NT_STATUS_IS_OK(result) &&
367 !NT_STATUS_EQUAL(result, STATUS_SOME_UNMAPPED)) {
372 for (i=0; i<num_rids; i++) {
373 NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL;
374 char *mapped_name = NULL;
376 if ((*types)[i] != SID_NAME_UNKNOWN) {
377 name_map_status = normalize_name_map(mem_ctx,
381 if (NT_STATUS_IS_OK(name_map_status) ||
382 NT_STATUS_EQUAL(name_map_status, NT_STATUS_FILE_RENAMED))
384 ret_names[i] = mapped_name;
387 *domain_name = domains[i];
394 /* Lookup user information from a rid or username. */
395 static NTSTATUS msrpc_query_user(struct winbindd_domain *domain,
397 const struct dom_sid *user_sid,
398 struct wbint_userinfo *user_info)
400 struct rpc_pipe_client *samr_pipe;
401 struct policy_handle dom_pol;
402 struct netr_SamInfo3 *user;
406 DEBUG(3,("msrpc_query_user sid=%s\n", sid_string_dbg(user_sid)));
408 tmp_ctx = talloc_stackframe();
409 if (tmp_ctx == NULL) {
410 return NT_STATUS_NO_MEMORY;
414 user_info->homedir = NULL;
415 user_info->shell = NULL;
416 user_info->primary_gid = (gid_t)-1;
419 /* try netsamlogon cache first */
420 user = netsamlogon_cache_get(tmp_ctx, user_sid);
422 DEBUG(5,("msrpc_query_user: Cache lookup succeeded for %s\n",
423 sid_string_dbg(user_sid)));
425 sid_compose(&user_info->user_sid, &domain->sid, user->base.rid);
426 sid_compose(&user_info->group_sid, &domain->sid,
427 user->base.primary_gid);
429 user_info->acct_name = talloc_strdup(user_info,
430 user->base.account_name.string);
431 user_info->full_name = talloc_strdup(user_info,
432 user->base.full_name.string);
434 status = NT_STATUS_OK;
438 if ( !winbindd_can_contact_domain( domain ) ) {
439 DEBUG(10,("query_user: No incoming trust for domain %s\n",
441 /* Tell the cache manager not to remember this one */
442 status = NT_STATUS_SYNCHRONIZATION_REQUIRED;
446 /* no cache; hit the wire */
447 status = cm_connect_sam(domain, tmp_ctx, &samr_pipe, &dom_pol);
448 if (!NT_STATUS_IS_OK(status)) {
452 status = rpc_query_user(tmp_ctx,
460 TALLOC_FREE(tmp_ctx);
464 /* Lookup groups a user is a member of. I wish Unix had a call like this! */
465 static NTSTATUS msrpc_lookup_usergroups(struct winbindd_domain *domain,
467 const struct dom_sid *user_sid,
468 uint32_t *pnum_groups,
469 struct dom_sid **puser_grpsids)
471 struct rpc_pipe_client *samr_pipe;
472 struct policy_handle dom_pol;
473 struct dom_sid *user_grpsids = NULL;
474 uint32_t num_groups = 0;
478 DEBUG(3,("msrpc_lookup_usergroups sid=%s\n", sid_string_dbg(user_sid)));
482 tmp_ctx = talloc_stackframe();
483 if (tmp_ctx == NULL) {
484 return NT_STATUS_NO_MEMORY;
487 /* Check if we have a cached user_info_3 */
488 status = lookup_usergroups_cached(domain,
493 if (NT_STATUS_IS_OK(status)) {
497 if ( !winbindd_can_contact_domain( domain ) ) {
498 DEBUG(10,("lookup_usergroups: No incoming trust for domain %s\n",
501 /* Tell the cache manager not to remember this one */
502 status = NT_STATUS_SYNCHRONIZATION_REQUIRED;
506 /* no cache; hit the wire */
507 status = cm_connect_sam(domain, tmp_ctx, &samr_pipe, &dom_pol);
508 if (!NT_STATUS_IS_OK(status)) {
512 status = rpc_lookup_usergroups(tmp_ctx,
519 if (!NT_STATUS_IS_OK(status)) {
525 *pnum_groups = num_groups;
529 *puser_grpsids = talloc_move(mem_ctx, &user_grpsids);
533 TALLOC_FREE(tmp_ctx);
538 #define MAX_SAM_ENTRIES_W2K 0x400 /* 1024 */
540 static NTSTATUS msrpc_lookup_useraliases(struct winbindd_domain *domain,
542 uint32 num_sids, const struct dom_sid *sids,
543 uint32 *pnum_aliases,
544 uint32 **palias_rids)
546 struct rpc_pipe_client *samr_pipe;
547 struct policy_handle dom_pol;
548 uint32_t num_aliases = 0;
549 uint32_t *alias_rids = NULL;
553 DEBUG(3,("msrpc_lookup_useraliases\n"));
559 tmp_ctx = talloc_stackframe();
560 if (tmp_ctx == NULL) {
561 return NT_STATUS_NO_MEMORY;
564 if (!winbindd_can_contact_domain(domain)) {
565 DEBUG(10,("msrpc_lookup_useraliases: No incoming trust for domain %s\n",
567 /* Tell the cache manager not to remember this one */
568 status = NT_STATUS_SYNCHRONIZATION_REQUIRED;
572 status = cm_connect_sam(domain, tmp_ctx, &samr_pipe, &dom_pol);
573 if (!NT_STATUS_IS_OK(status)) {
577 status = rpc_lookup_useraliases(tmp_ctx,
584 if (!NT_STATUS_IS_OK(status)) {
589 *pnum_aliases = num_aliases;
593 *palias_rids = talloc_move(mem_ctx, &alias_rids);
597 TALLOC_FREE(tmp_ctx);
602 /* Lookup group membership given a rid. */
603 static NTSTATUS msrpc_lookup_groupmem(struct winbindd_domain *domain,
605 const struct dom_sid *group_sid,
606 enum lsa_SidType type,
608 struct dom_sid **sid_mem,
610 uint32_t **name_types)
612 NTSTATUS status, result;
613 uint32 i, total_names = 0;
614 struct policy_handle dom_pol, group_pol;
615 uint32 des_access = SEC_FLAG_MAXIMUM_ALLOWED;
616 uint32 *rid_mem = NULL;
619 struct rpc_pipe_client *cli;
620 unsigned int orig_timeout;
621 struct samr_RidAttrArray *rids = NULL;
622 struct dcerpc_binding_handle *b;
624 DEBUG(3,("msrpc_lookup_groupmem: %s sid=%s\n", domain->name,
625 sid_string_dbg(group_sid)));
627 if ( !winbindd_can_contact_domain( domain ) ) {
628 DEBUG(10,("lookup_groupmem: No incoming trust for domain %s\n",
633 if (!sid_peek_check_rid(&domain->sid, group_sid, &group_rid))
634 return NT_STATUS_UNSUCCESSFUL;
638 result = cm_connect_sam(domain, mem_ctx, &cli, &dom_pol);
639 if (!NT_STATUS_IS_OK(result))
642 b = cli->binding_handle;
644 status = dcerpc_samr_OpenGroup(b, mem_ctx,
650 if (!NT_STATUS_IS_OK(status)) {
653 if (!NT_STATUS_IS_OK(result)) {
657 /* Step #1: Get a list of user rids that are the members of the
660 /* This call can take a long time - allow the server to time out.
661 35 seconds should do it. */
663 orig_timeout = rpccli_set_timeout(cli, 35000);
665 status = dcerpc_samr_QueryGroupMember(b, mem_ctx,
670 /* And restore our original timeout. */
671 rpccli_set_timeout(cli, orig_timeout);
675 dcerpc_samr_Close(b, mem_ctx, &group_pol, &_result);
678 if (!NT_STATUS_IS_OK(status)) {
682 if (!NT_STATUS_IS_OK(result)) {
686 if (!rids || !rids->count) {
693 *num_names = rids->count;
694 rid_mem = rids->rids;
696 /* Step #2: Convert list of rids into list of usernames. Do this
697 in bunches of ~1000 to avoid crashing NT4. It looks like there
698 is a buffer overflow or something like that lurking around
701 #define MAX_LOOKUP_RIDS 900
703 *names = TALLOC_ZERO_ARRAY(mem_ctx, char *, *num_names);
704 *name_types = TALLOC_ZERO_ARRAY(mem_ctx, uint32, *num_names);
705 *sid_mem = TALLOC_ZERO_ARRAY(mem_ctx, struct dom_sid, *num_names);
707 for (j=0;j<(*num_names);j++)
708 sid_compose(&(*sid_mem)[j], &domain->sid, rid_mem[j]);
710 if (*num_names>0 && (!*names || !*name_types))
711 return NT_STATUS_NO_MEMORY;
713 for (i = 0; i < *num_names; i += MAX_LOOKUP_RIDS) {
714 int num_lookup_rids = MIN(*num_names - i, MAX_LOOKUP_RIDS);
715 struct lsa_Strings tmp_names;
716 struct samr_Ids tmp_types;
718 /* Lookup a chunk of rids */
720 status = dcerpc_samr_LookupRids(b, mem_ctx,
727 if (!NT_STATUS_IS_OK(status)) {
731 /* see if we have a real error (and yes the
732 STATUS_SOME_UNMAPPED is the one returned from 2k) */
734 if (!NT_STATUS_IS_OK(result) &&
735 !NT_STATUS_EQUAL(result, STATUS_SOME_UNMAPPED))
738 /* Copy result into array. The talloc system will take
739 care of freeing the temporary arrays later on. */
741 if (tmp_names.count != tmp_types.count) {
742 return NT_STATUS_UNSUCCESSFUL;
745 for (r=0; r<tmp_names.count; r++) {
746 if (tmp_types.ids[r] == SID_NAME_UNKNOWN) {
749 (*names)[total_names] = fill_domain_username_talloc(
750 mem_ctx, domain->name,
751 tmp_names.names[r].string, true);
752 (*name_types)[total_names] = tmp_types.ids[r];
757 *num_names = total_names;
766 static int get_ldap_seq(const char *server, int port, uint32 *seq)
770 const char *attrs[] = {"highestCommittedUSN", NULL};
771 LDAPMessage *res = NULL;
772 char **values = NULL;
775 *seq = DOM_SEQUENCE_NONE;
778 * Parameterised (5) second timeout on open. This is needed as the
779 * search timeout doesn't seem to apply to doing an open as well. JRA.
782 ldp = ldap_open_with_timeout(server, port, lp_ldap_timeout());
786 /* Timeout if no response within 20 seconds. */
790 if (ldap_search_st(ldp, "", LDAP_SCOPE_BASE, "(objectclass=*)",
791 CONST_DISCARD(char **, attrs), 0, &to, &res))
794 if (ldap_count_entries(ldp, res) != 1)
797 values = ldap_get_values(ldp, res, "highestCommittedUSN");
798 if (!values || !values[0])
801 *seq = atoi(values[0]);
807 ldap_value_free(values);
815 /**********************************************************************
816 Get the sequence number for a Windows AD native mode domain using
818 **********************************************************************/
820 static int get_ldap_sequence_number(struct winbindd_domain *domain, uint32 *seq)
823 char addr[INET6_ADDRSTRLEN];
825 print_sockaddr(addr, sizeof(addr), &domain->dcaddr);
826 if ((ret = get_ldap_seq(addr, LDAP_PORT, seq)) == 0) {
827 DEBUG(3, ("get_ldap_sequence_number: Retrieved sequence "
828 "number for Domain (%s) from DC (%s)\n",
829 domain->name, addr));
834 #endif /* HAVE_LDAP */
836 /* find the sequence number for a domain */
837 static NTSTATUS msrpc_sequence_number(struct winbindd_domain *domain,
840 struct rpc_pipe_client *samr_pipe;
841 struct policy_handle dom_pol;
846 DEBUG(3, ("msrpc_sequence_number: fetch sequence_number for %s\n", domain->name));
849 *pseq = DOM_SEQUENCE_NONE;
852 tmp_ctx = talloc_stackframe();
853 if (tmp_ctx == NULL) {
854 return NT_STATUS_NO_MEMORY;
857 if ( !winbindd_can_contact_domain( domain ) ) {
858 DEBUG(10,("sequence_number: No incoming trust for domain %s\n",
863 status = NT_STATUS_OK;
868 if (domain->active_directory) {
871 DEBUG(8,("using get_ldap_seq() to retrieve the "
872 "sequence number\n"));
874 rc = get_ldap_sequence_number(domain, &seq);
876 DEBUG(10,("domain_sequence_number: LDAP for "
884 status = NT_STATUS_OK;
888 DEBUG(10,("domain_sequence_number: failed to get LDAP "
889 "sequence number for domain %s\n",
892 #endif /* HAVE_LDAP */
894 status = cm_connect_sam(domain, tmp_ctx, &samr_pipe, &dom_pol);
895 if (!NT_STATUS_IS_OK(status)) {
899 status = rpc_sequence_number(tmp_ctx,
904 if (!NT_STATUS_IS_OK(status)) {
913 TALLOC_FREE(tmp_ctx);
917 /* get a list of trusted domains */
918 static NTSTATUS msrpc_trusted_domains(struct winbindd_domain *domain,
920 struct netr_DomainTrustList *ptrust_list)
922 struct rpc_pipe_client *lsa_pipe;
923 struct policy_handle lsa_policy;
924 struct netr_DomainTrust *trusts = NULL;
925 uint32_t num_trusts = 0;
929 DEBUG(3,("msrpc_trusted_domains\n"));
932 ZERO_STRUCTP(ptrust_list);
935 tmp_ctx = talloc_stackframe();
936 if (tmp_ctx == NULL) {
937 return NT_STATUS_NO_MEMORY;
940 status = cm_connect_lsa(domain, tmp_ctx, &lsa_pipe, &lsa_policy);
941 if (!NT_STATUS_IS_OK(status))
944 status = rpc_trusted_domains(tmp_ctx,
949 if (!NT_STATUS_IS_OK(status)) {
954 ptrust_list->count = num_trusts;
955 ptrust_list->array = talloc_move(mem_ctx, &trusts);
959 TALLOC_FREE(tmp_ctx);
963 /* find the lockout policy for a domain */
964 static NTSTATUS msrpc_lockout_policy(struct winbindd_domain *domain,
966 struct samr_DomInfo12 *lockout_policy)
968 NTSTATUS status, result;
969 struct rpc_pipe_client *cli;
970 struct policy_handle dom_pol;
971 union samr_DomainInfo *info = NULL;
972 struct dcerpc_binding_handle *b;
974 DEBUG(3, ("msrpc_lockout_policy: fetch lockout policy for %s\n", domain->name));
976 if ( !winbindd_can_contact_domain( domain ) ) {
977 DEBUG(10,("msrpc_lockout_policy: No incoming trust for domain %s\n",
979 return NT_STATUS_NOT_SUPPORTED;
982 status = cm_connect_sam(domain, mem_ctx, &cli, &dom_pol);
983 if (!NT_STATUS_IS_OK(status)) {
987 b = cli->binding_handle;
989 status = dcerpc_samr_QueryDomainInfo(b, mem_ctx,
994 if (!NT_STATUS_IS_OK(status)) {
997 if (!NT_STATUS_IS_OK(result)) {
1002 *lockout_policy = info->info12;
1004 DEBUG(10,("msrpc_lockout_policy: lockout_threshold %d\n",
1005 info->info12.lockout_threshold));
1012 /* find the password policy for a domain */
1013 static NTSTATUS msrpc_password_policy(struct winbindd_domain *domain,
1014 TALLOC_CTX *mem_ctx,
1015 struct samr_DomInfo1 *password_policy)
1017 NTSTATUS status, result;
1018 struct rpc_pipe_client *cli;
1019 struct policy_handle dom_pol;
1020 union samr_DomainInfo *info = NULL;
1021 struct dcerpc_binding_handle *b;
1023 DEBUG(3, ("msrpc_password_policy: fetch password policy for %s\n",
1026 if ( !winbindd_can_contact_domain( domain ) ) {
1027 DEBUG(10,("msrpc_password_policy: No incoming trust for domain %s\n",
1029 return NT_STATUS_NOT_SUPPORTED;
1032 status = cm_connect_sam(domain, mem_ctx, &cli, &dom_pol);
1033 if (!NT_STATUS_IS_OK(status)) {
1037 b = cli->binding_handle;
1039 status = dcerpc_samr_QueryDomainInfo(b, mem_ctx,
1044 if (!NT_STATUS_IS_OK(status)) {
1047 if (!NT_STATUS_IS_OK(result)) {
1051 *password_policy = info->info1;
1053 DEBUG(10,("msrpc_password_policy: min_length_password %d\n",
1054 info->info1.min_password_length));
1061 typedef NTSTATUS (*lookup_sids_fn_t)(struct rpc_pipe_client *cli,
1062 TALLOC_CTX *mem_ctx,
1063 struct policy_handle *pol,
1065 const struct dom_sid *sids,
1068 enum lsa_SidType **ptypes);
1070 NTSTATUS winbindd_lookup_sids(TALLOC_CTX *mem_ctx,
1071 struct winbindd_domain *domain,
1073 const struct dom_sid *sids,
1076 enum lsa_SidType **types)
1079 struct rpc_pipe_client *cli = NULL;
1080 struct policy_handle lsa_policy;
1081 unsigned int orig_timeout;
1082 lookup_sids_fn_t lookup_sids_fn = rpccli_lsa_lookup_sids;
1084 if (domain->can_do_ncacn_ip_tcp) {
1085 status = cm_connect_lsa_tcp(domain, mem_ctx, &cli);
1086 if (NT_STATUS_IS_OK(status)) {
1087 lookup_sids_fn = rpccli_lsa_lookup_sids3;
1090 domain->can_do_ncacn_ip_tcp = false;
1092 status = cm_connect_lsa(domain, mem_ctx, &cli, &lsa_policy);
1094 if (!NT_STATUS_IS_OK(status)) {
1100 * This call can take a long time
1101 * allow the server to time out.
1102 * 35 seconds should do it.
1104 orig_timeout = rpccli_set_timeout(cli, 35000);
1106 status = lookup_sids_fn(cli,
1115 /* And restore our original timeout. */
1116 rpccli_set_timeout(cli, orig_timeout);
1118 if (NT_STATUS_V(status) == DCERPC_FAULT_ACCESS_DENIED ||
1119 NT_STATUS_V(status) == DCERPC_FAULT_SEC_PKG_ERROR) {
1121 * This can happen if the schannel key is not
1122 * valid anymore, we need to invalidate the
1123 * all connections to the dc and reestablish
1124 * a netlogon connection first.
1126 invalidate_cm_connection(&domain->conn);
1127 status = NT_STATUS_ACCESS_DENIED;
1130 if (!NT_STATUS_IS_OK(status)) {
1137 typedef NTSTATUS (*lookup_names_fn_t)(struct rpc_pipe_client *cli,
1138 TALLOC_CTX *mem_ctx,
1139 struct policy_handle *pol,
1142 const char ***dom_names,
1144 struct dom_sid **sids,
1145 enum lsa_SidType **types);
1147 NTSTATUS winbindd_lookup_names(TALLOC_CTX *mem_ctx,
1148 struct winbindd_domain *domain,
1151 const char ***domains,
1152 struct dom_sid **sids,
1153 enum lsa_SidType **types)
1156 struct rpc_pipe_client *cli = NULL;
1157 struct policy_handle lsa_policy;
1158 unsigned int orig_timeout = 0;
1159 lookup_names_fn_t lookup_names_fn = rpccli_lsa_lookup_names;
1161 if (domain->can_do_ncacn_ip_tcp) {
1162 status = cm_connect_lsa_tcp(domain, mem_ctx, &cli);
1163 if (NT_STATUS_IS_OK(status)) {
1164 lookup_names_fn = rpccli_lsa_lookup_names4;
1167 domain->can_do_ncacn_ip_tcp = false;
1169 status = cm_connect_lsa(domain, mem_ctx, &cli, &lsa_policy);
1171 if (!NT_STATUS_IS_OK(status)) {
1178 * This call can take a long time
1179 * allow the server to time out.
1180 * 35 seconds should do it.
1182 orig_timeout = rpccli_set_timeout(cli, 35000);
1184 status = lookup_names_fn(cli,
1188 (const char **) names,
1194 /* And restore our original timeout. */
1195 rpccli_set_timeout(cli, orig_timeout);
1197 if (NT_STATUS_V(status) == DCERPC_FAULT_ACCESS_DENIED ||
1198 NT_STATUS_V(status) == DCERPC_FAULT_SEC_PKG_ERROR) {
1200 * This can happen if the schannel key is not
1201 * valid anymore, we need to invalidate the
1202 * all connections to the dc and reestablish
1203 * a netlogon connection first.
1205 invalidate_cm_connection(&domain->conn);
1206 status = NT_STATUS_ACCESS_DENIED;
1209 if (!NT_STATUS_IS_OK(status)) {
1216 /* the rpc backend methods are exposed via this structure */
1217 struct winbindd_methods msrpc_methods = {
1219 msrpc_query_user_list,
1220 msrpc_enum_dom_groups,
1221 msrpc_enum_local_groups,
1224 msrpc_rids_to_names,
1226 msrpc_lookup_usergroups,
1227 msrpc_lookup_useraliases,
1228 msrpc_lookup_groupmem,
1229 msrpc_sequence_number,
1230 msrpc_lockout_policy,
1231 msrpc_password_policy,
1232 msrpc_trusted_domains,
git.samba.org / idra / samba.git / blob