2 Unix SMB/CIFS implementation.
4 Winbind rpc backend functions
6 Copyright (C) Tim Potter 2000-2001,2003
7 Copyright (C) Andrew Tridgell 2001
8 Copyright (C) Volker Lendecke 2005
9 Copyright (C) Guenther Deschner 2008 (pidl conversion)
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 3 of the License, or
14 (at your option) any later version.
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
21 You should have received a copy of the GNU General Public License
22 along with this program. If not, see <http://www.gnu.org/licenses/>.
27 #include "winbindd_rpc.h"
29 #include "../librpc/gen_ndr/ndr_samr_c.h"
30 #include "rpc_client/cli_pipe.h"
31 #include "rpc_client/cli_samr.h"
32 #include "rpc_client/cli_lsarpc.h"
33 #include "../libcli/security/security.h"
34 #include "libsmb/samlogon_cache.h"
37 #define DBGC_CLASS DBGC_WINBIND
39 static NTSTATUS winbindd_lookup_names(TALLOC_CTX *mem_ctx,
40 struct winbindd_domain *domain,
43 const char ***domains,
44 struct dom_sid **sids,
45 enum lsa_SidType **types);
47 /* Query display info for a domain. This returns enough information plus a
48 bit extra to give an overview of domain users for the User Manager
50 static NTSTATUS msrpc_query_user_list(struct winbindd_domain *domain,
53 struct wbint_userinfo **pinfo)
55 struct rpc_pipe_client *samr_pipe = NULL;
56 struct policy_handle dom_pol;
57 struct wbint_userinfo *info = NULL;
58 uint32_t num_info = 0;
62 DEBUG(3, ("msrpc_query_user_list\n"));
68 tmp_ctx = talloc_stackframe();
69 if (tmp_ctx == NULL) {
70 return NT_STATUS_NO_MEMORY;
73 if ( !winbindd_can_contact_domain( domain ) ) {
74 DEBUG(10,("query_user_list: No incoming trust for domain %s\n",
76 status = NT_STATUS_OK;
80 status = cm_connect_sam(domain, tmp_ctx, false, &samr_pipe, &dom_pol);
81 if (!NT_STATUS_IS_OK(status)) {
85 status = rpc_query_user_list(tmp_ctx,
91 if (!NT_STATUS_IS_OK(status)) {
96 *pnum_info = num_info;
100 *pinfo = talloc_move(mem_ctx, &info);
104 TALLOC_FREE(tmp_ctx);
108 /* list all domain groups */
109 static NTSTATUS msrpc_enum_dom_groups(struct winbindd_domain *domain,
112 struct wb_acct_info **pinfo)
114 struct rpc_pipe_client *samr_pipe;
115 struct policy_handle dom_pol;
116 struct wb_acct_info *info = NULL;
117 uint32_t num_info = 0;
121 DEBUG(3,("msrpc_enum_dom_groups\n"));
127 tmp_ctx = talloc_stackframe();
128 if (tmp_ctx == NULL) {
129 return NT_STATUS_NO_MEMORY;
132 if ( !winbindd_can_contact_domain( domain ) ) {
133 DEBUG(10,("enum_domain_groups: No incoming trust for domain %s\n",
135 status = NT_STATUS_OK;
139 status = cm_connect_sam(domain, tmp_ctx, false, &samr_pipe, &dom_pol);
140 if (!NT_STATUS_IS_OK(status)) {
144 status = rpc_enum_dom_groups(tmp_ctx,
149 if (!NT_STATUS_IS_OK(status)) {
154 *pnum_info = num_info;
158 *pinfo = talloc_move(mem_ctx, &info);
162 TALLOC_FREE(tmp_ctx);
166 /* List all domain groups */
168 static NTSTATUS msrpc_enum_local_groups(struct winbindd_domain *domain,
171 struct wb_acct_info **pinfo)
173 struct rpc_pipe_client *samr_pipe;
174 struct policy_handle dom_pol;
175 struct wb_acct_info *info = NULL;
176 uint32_t num_info = 0;
180 DEBUG(3,("msrpc_enum_local_groups\n"));
186 tmp_ctx = talloc_stackframe();
187 if (tmp_ctx == NULL) {
188 return NT_STATUS_NO_MEMORY;
191 if ( !winbindd_can_contact_domain( domain ) ) {
192 DEBUG(10,("enum_local_groups: No incoming trust for domain %s\n",
194 status = NT_STATUS_OK;
198 status = cm_connect_sam(domain, tmp_ctx, false, &samr_pipe, &dom_pol);
199 if (!NT_STATUS_IS_OK(status)) {
203 status = rpc_enum_local_groups(mem_ctx,
208 if (!NT_STATUS_IS_OK(status)) {
213 *pnum_info = num_info;
217 *pinfo = talloc_move(mem_ctx, &info);
221 TALLOC_FREE(tmp_ctx);
225 /* convert a single name to a sid in a domain */
226 static NTSTATUS msrpc_name_to_sid(struct winbindd_domain *domain,
228 const char *domain_name,
232 enum lsa_SidType *type)
235 struct dom_sid *sids = NULL;
236 enum lsa_SidType *types = NULL;
237 char *full_name = NULL;
238 const char *names[1];
239 NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL;
240 char *mapped_name = NULL;
242 if (name == NULL || *name=='\0') {
243 full_name = talloc_asprintf(mem_ctx, "%s", domain_name);
244 } else if (domain_name == NULL || *domain_name == '\0') {
245 full_name = talloc_asprintf(mem_ctx, "%s", name);
247 full_name = talloc_asprintf(mem_ctx, "%s\\%s", domain_name, name);
250 DEBUG(0, ("talloc_asprintf failed!\n"));
251 return NT_STATUS_NO_MEMORY;
254 DEBUG(3, ("msrpc_name_to_sid: name=%s\n", full_name));
256 name_map_status = normalize_name_unmap(mem_ctx, full_name,
259 /* Reset the full_name pointer if we mapped anything */
261 if (NT_STATUS_IS_OK(name_map_status) ||
262 NT_STATUS_EQUAL(name_map_status, NT_STATUS_FILE_RENAMED))
264 full_name = mapped_name;
267 DEBUG(3,("name_to_sid [rpc] %s for domain %s\n",
268 full_name?full_name:"", domain_name ));
270 names[0] = full_name;
272 result = winbindd_lookup_names(mem_ctx, domain, 1,
275 if (!NT_STATUS_IS_OK(result))
278 /* Return rid and type if lookup successful */
280 sid_copy(sid, &sids[0]);
287 convert a domain SID to a user or group name
289 static NTSTATUS msrpc_sid_to_name(struct winbindd_domain *domain,
291 const struct dom_sid *sid,
294 enum lsa_SidType *type)
298 enum lsa_SidType *types = NULL;
300 NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL;
301 char *mapped_name = NULL;
303 DEBUG(3, ("msrpc_sid_to_name: %s for domain %s\n", sid_string_dbg(sid),
306 result = winbindd_lookup_sids(mem_ctx,
313 if (!NT_STATUS_IS_OK(result)) {
314 DEBUG(2,("msrpc_sid_to_name: failed to lookup sids: %s\n",
320 *type = (enum lsa_SidType)types[0];
321 *domain_name = domains[0];
324 DEBUG(5,("Mapped sid to [%s]\\[%s]\n", domains[0], *name));
326 name_map_status = normalize_name_map(mem_ctx, domain, *name,
328 if (NT_STATUS_IS_OK(name_map_status) ||
329 NT_STATUS_EQUAL(name_map_status, NT_STATUS_FILE_RENAMED))
332 DEBUG(5,("returning mapped name -- %s\n", *name));
338 static NTSTATUS msrpc_rids_to_names(struct winbindd_domain *domain,
340 const struct dom_sid *sid,
345 enum lsa_SidType **types)
349 struct dom_sid *sids;
353 DEBUG(3, ("msrpc_rids_to_names: domain %s\n", domain->name ));
356 sids = talloc_array(mem_ctx, struct dom_sid, num_rids);
358 return NT_STATUS_NO_MEMORY;
364 for (i=0; i<num_rids; i++) {
365 if (!sid_compose(&sids[i], sid, rids[i])) {
366 return NT_STATUS_INTERNAL_ERROR;
370 result = winbindd_lookup_sids(mem_ctx,
378 if (!NT_STATUS_IS_OK(result) &&
379 !NT_STATUS_EQUAL(result, STATUS_SOME_UNMAPPED)) {
384 for (i=0; i<num_rids; i++) {
385 NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL;
386 char *mapped_name = NULL;
388 if ((*types)[i] != SID_NAME_UNKNOWN) {
389 name_map_status = normalize_name_map(mem_ctx,
393 if (NT_STATUS_IS_OK(name_map_status) ||
394 NT_STATUS_EQUAL(name_map_status, NT_STATUS_FILE_RENAMED))
396 ret_names[i] = mapped_name;
399 *domain_name = domains[i];
406 /* Lookup user information from a rid or username. */
407 static NTSTATUS msrpc_query_user(struct winbindd_domain *domain,
409 const struct dom_sid *user_sid,
410 struct wbint_userinfo *user_info)
412 struct rpc_pipe_client *samr_pipe;
413 struct policy_handle dom_pol;
414 struct netr_SamInfo3 *user;
418 DEBUG(3,("msrpc_query_user sid=%s\n", sid_string_dbg(user_sid)));
420 tmp_ctx = talloc_stackframe();
421 if (tmp_ctx == NULL) {
422 return NT_STATUS_NO_MEMORY;
426 user_info->homedir = NULL;
427 user_info->shell = NULL;
428 user_info->primary_gid = (gid_t)-1;
431 /* try netsamlogon cache first */
432 user = netsamlogon_cache_get(tmp_ctx, user_sid);
434 DEBUG(5,("msrpc_query_user: Cache lookup succeeded for %s\n",
435 sid_string_dbg(user_sid)));
437 sid_compose(&user_info->user_sid, &domain->sid, user->base.rid);
438 sid_compose(&user_info->group_sid, &domain->sid,
439 user->base.primary_gid);
441 user_info->acct_name = talloc_strdup(user_info,
442 user->base.account_name.string);
443 user_info->full_name = talloc_strdup(user_info,
444 user->base.full_name.string);
446 if (user_info->full_name == NULL) {
447 /* this might fail so we don't check the return code */
448 wcache_query_user_fullname(domain,
451 &user_info->full_name);
454 status = NT_STATUS_OK;
458 if ( !winbindd_can_contact_domain( domain ) ) {
459 DEBUG(10,("query_user: No incoming trust for domain %s\n",
461 /* Tell the cache manager not to remember this one */
462 status = NT_STATUS_SYNCHRONIZATION_REQUIRED;
466 /* no cache; hit the wire */
467 status = cm_connect_sam(domain, tmp_ctx, false, &samr_pipe, &dom_pol);
468 if (!NT_STATUS_IS_OK(status)) {
472 status = rpc_query_user(tmp_ctx,
480 TALLOC_FREE(tmp_ctx);
484 /* Lookup groups a user is a member of. I wish Unix had a call like this! */
485 static NTSTATUS msrpc_lookup_usergroups(struct winbindd_domain *domain,
487 const struct dom_sid *user_sid,
488 uint32_t *pnum_groups,
489 struct dom_sid **puser_grpsids)
491 struct rpc_pipe_client *samr_pipe;
492 struct policy_handle dom_pol;
493 struct dom_sid *user_grpsids = NULL;
494 uint32_t num_groups = 0;
498 DEBUG(3,("msrpc_lookup_usergroups sid=%s\n", sid_string_dbg(user_sid)));
502 tmp_ctx = talloc_stackframe();
503 if (tmp_ctx == NULL) {
504 return NT_STATUS_NO_MEMORY;
507 /* Check if we have a cached user_info_3 */
508 status = lookup_usergroups_cached(domain,
513 if (NT_STATUS_IS_OK(status)) {
517 if ( !winbindd_can_contact_domain( domain ) ) {
518 DEBUG(10,("lookup_usergroups: No incoming trust for domain %s\n",
521 /* Tell the cache manager not to remember this one */
522 status = NT_STATUS_SYNCHRONIZATION_REQUIRED;
526 /* no cache; hit the wire */
527 status = cm_connect_sam(domain, tmp_ctx, false, &samr_pipe, &dom_pol);
528 if (!NT_STATUS_IS_OK(status)) {
532 status = rpc_lookup_usergroups(tmp_ctx,
539 if (!NT_STATUS_IS_OK(status)) {
544 *pnum_groups = num_groups;
547 *puser_grpsids = talloc_move(mem_ctx, &user_grpsids);
551 TALLOC_FREE(tmp_ctx);
556 #define MAX_SAM_ENTRIES_W2K 0x400 /* 1024 */
558 static NTSTATUS msrpc_lookup_useraliases(struct winbindd_domain *domain,
560 uint32_t num_sids, const struct dom_sid *sids,
561 uint32_t *pnum_aliases,
562 uint32_t **palias_rids)
564 struct rpc_pipe_client *samr_pipe;
565 struct policy_handle dom_pol;
566 uint32_t num_aliases = 0;
567 uint32_t *alias_rids = NULL;
571 DEBUG(3,("msrpc_lookup_useraliases\n"));
577 tmp_ctx = talloc_stackframe();
578 if (tmp_ctx == NULL) {
579 return NT_STATUS_NO_MEMORY;
582 if (!winbindd_can_contact_domain(domain)) {
583 DEBUG(10,("msrpc_lookup_useraliases: No incoming trust for domain %s\n",
585 /* Tell the cache manager not to remember this one */
586 status = NT_STATUS_SYNCHRONIZATION_REQUIRED;
590 status = cm_connect_sam(domain, tmp_ctx, false, &samr_pipe, &dom_pol);
591 if (!NT_STATUS_IS_OK(status)) {
595 status = rpc_lookup_useraliases(tmp_ctx,
602 if (!NT_STATUS_IS_OK(status)) {
607 *pnum_aliases = num_aliases;
611 *palias_rids = talloc_move(mem_ctx, &alias_rids);
615 TALLOC_FREE(tmp_ctx);
620 /* Lookup group membership given a rid. */
621 static NTSTATUS msrpc_lookup_groupmem(struct winbindd_domain *domain,
623 const struct dom_sid *group_sid,
624 enum lsa_SidType type,
626 struct dom_sid **sid_mem,
628 uint32_t **name_types)
630 NTSTATUS status, result;
631 uint32_t i, total_names = 0;
632 struct policy_handle dom_pol, group_pol;
633 uint32_t des_access = SEC_FLAG_MAXIMUM_ALLOWED;
634 uint32_t *rid_mem = NULL;
637 struct rpc_pipe_client *cli;
638 unsigned int orig_timeout;
639 struct samr_RidAttrArray *rids = NULL;
640 struct dcerpc_binding_handle *b;
642 DEBUG(3,("msrpc_lookup_groupmem: %s sid=%s\n", domain->name,
643 sid_string_dbg(group_sid)));
645 if ( !winbindd_can_contact_domain( domain ) ) {
646 DEBUG(10,("lookup_groupmem: No incoming trust for domain %s\n",
651 if (!sid_peek_check_rid(&domain->sid, group_sid, &group_rid))
652 return NT_STATUS_UNSUCCESSFUL;
656 result = cm_connect_sam(domain, mem_ctx, false, &cli, &dom_pol);
657 if (!NT_STATUS_IS_OK(result))
660 b = cli->binding_handle;
662 status = dcerpc_samr_OpenGroup(b, mem_ctx,
668 if (!NT_STATUS_IS_OK(status)) {
671 if (!NT_STATUS_IS_OK(result)) {
675 /* Step #1: Get a list of user rids that are the members of the
678 /* This call can take a long time - allow the server to time out.
679 35 seconds should do it. */
681 orig_timeout = rpccli_set_timeout(cli, 35000);
683 status = dcerpc_samr_QueryGroupMember(b, mem_ctx,
688 /* And restore our original timeout. */
689 rpccli_set_timeout(cli, orig_timeout);
693 dcerpc_samr_Close(b, mem_ctx, &group_pol, &_result);
696 if (!NT_STATUS_IS_OK(status)) {
700 if (!NT_STATUS_IS_OK(result)) {
704 if (!rids || !rids->count) {
711 *num_names = rids->count;
712 rid_mem = rids->rids;
714 /* Step #2: Convert list of rids into list of usernames. Do this
715 in bunches of ~1000 to avoid crashing NT4. It looks like there
716 is a buffer overflow or something like that lurking around
719 #define MAX_LOOKUP_RIDS 900
721 *names = talloc_zero_array(mem_ctx, char *, *num_names);
722 *name_types = talloc_zero_array(mem_ctx, uint32_t, *num_names);
723 *sid_mem = talloc_zero_array(mem_ctx, struct dom_sid, *num_names);
725 for (j=0;j<(*num_names);j++)
726 sid_compose(&(*sid_mem)[j], &domain->sid, rid_mem[j]);
728 if (*num_names>0 && (!*names || !*name_types))
729 return NT_STATUS_NO_MEMORY;
731 for (i = 0; i < *num_names; i += MAX_LOOKUP_RIDS) {
732 int num_lookup_rids = MIN(*num_names - i, MAX_LOOKUP_RIDS);
733 struct lsa_Strings tmp_names;
734 struct samr_Ids tmp_types;
736 /* Lookup a chunk of rids */
738 status = dcerpc_samr_LookupRids(b, mem_ctx,
745 if (!NT_STATUS_IS_OK(status)) {
749 /* see if we have a real error (and yes the
750 STATUS_SOME_UNMAPPED is the one returned from 2k) */
752 if (!NT_STATUS_IS_OK(result) &&
753 !NT_STATUS_EQUAL(result, STATUS_SOME_UNMAPPED))
756 /* Copy result into array. The talloc system will take
757 care of freeing the temporary arrays later on. */
759 if (tmp_names.count != num_lookup_rids) {
760 return NT_STATUS_INVALID_NETWORK_RESPONSE;
762 if (tmp_types.count != num_lookup_rids) {
763 return NT_STATUS_INVALID_NETWORK_RESPONSE;
766 for (r=0; r<tmp_names.count; r++) {
767 if (tmp_types.ids[r] == SID_NAME_UNKNOWN) {
770 if (total_names >= *num_names) {
773 (*names)[total_names] = fill_domain_username_talloc(
774 mem_ctx, domain->name,
775 tmp_names.names[r].string, true);
776 (*name_types)[total_names] = tmp_types.ids[r];
781 *num_names = total_names;
790 static int get_ldap_seq(const char *server, struct sockaddr_storage *ss, int port, uint32_t *seq)
794 const char *attrs[] = {"highestCommittedUSN", NULL};
795 LDAPMessage *res = NULL;
796 char **values = NULL;
799 *seq = DOM_SEQUENCE_NONE;
802 * Parameterised (5) second timeout on open. This is needed as the
803 * search timeout doesn't seem to apply to doing an open as well. JRA.
806 ldp = ldap_open_with_timeout(server, ss, port, lp_ldap_timeout());
810 /* Timeout if no response within 20 seconds. */
814 if (ldap_search_st(ldp, "", LDAP_SCOPE_BASE, "(objectclass=*)",
815 discard_const_p(char *, attrs), 0, &to, &res))
818 if (ldap_count_entries(ldp, res) != 1)
821 values = ldap_get_values(ldp, res, "highestCommittedUSN");
822 if (!values || !values[0])
825 *seq = atoi(values[0]);
831 ldap_value_free(values);
839 /**********************************************************************
840 Get the sequence number for a Windows AD native mode domain using
842 **********************************************************************/
844 static int get_ldap_sequence_number(struct winbindd_domain *domain, uint32_t *seq)
847 char addr[INET6_ADDRSTRLEN];
849 print_sockaddr(addr, sizeof(addr), &domain->dcaddr);
850 if ((ret = get_ldap_seq(addr, &domain->dcaddr, LDAP_PORT, seq)) == 0) {
851 DEBUG(3, ("get_ldap_sequence_number: Retrieved sequence "
852 "number for Domain (%s) from DC (%s)\n",
853 domain->name, addr));
858 #endif /* HAVE_LDAP */
860 /* find the sequence number for a domain */
861 static NTSTATUS msrpc_sequence_number(struct winbindd_domain *domain,
864 struct rpc_pipe_client *samr_pipe;
865 struct policy_handle dom_pol;
866 uint32_t seq = DOM_SEQUENCE_NONE;
870 DEBUG(3, ("msrpc_sequence_number: fetch sequence_number for %s\n", domain->name));
873 *pseq = DOM_SEQUENCE_NONE;
876 tmp_ctx = talloc_stackframe();
877 if (tmp_ctx == NULL) {
878 return NT_STATUS_NO_MEMORY;
881 if ( !winbindd_can_contact_domain( domain ) ) {
882 DEBUG(10,("sequence_number: No incoming trust for domain %s\n",
887 status = NT_STATUS_OK;
892 if (domain->active_directory) {
895 DEBUG(8,("using get_ldap_seq() to retrieve the "
896 "sequence number\n"));
898 rc = get_ldap_sequence_number(domain, &seq);
900 DEBUG(10,("domain_sequence_number: LDAP for "
908 status = NT_STATUS_OK;
912 DEBUG(10,("domain_sequence_number: failed to get LDAP "
913 "sequence number for domain %s\n",
916 #endif /* HAVE_LDAP */
918 status = cm_connect_sam(domain, tmp_ctx, false, &samr_pipe, &dom_pol);
919 if (!NT_STATUS_IS_OK(status)) {
923 status = rpc_sequence_number(tmp_ctx,
928 if (!NT_STATUS_IS_OK(status)) {
937 TALLOC_FREE(tmp_ctx);
941 /* get a list of trusted domains */
942 static NTSTATUS msrpc_trusted_domains(struct winbindd_domain *domain,
944 struct netr_DomainTrustList *ptrust_list)
946 struct rpc_pipe_client *lsa_pipe;
947 struct policy_handle lsa_policy;
948 struct netr_DomainTrust *trusts = NULL;
949 uint32_t num_trusts = 0;
953 DEBUG(3,("msrpc_trusted_domains\n"));
956 ZERO_STRUCTP(ptrust_list);
959 tmp_ctx = talloc_stackframe();
960 if (tmp_ctx == NULL) {
961 return NT_STATUS_NO_MEMORY;
964 status = cm_connect_lsa(domain, tmp_ctx, &lsa_pipe, &lsa_policy);
965 if (!NT_STATUS_IS_OK(status)) {
969 status = rpc_trusted_domains(tmp_ctx,
974 if (!NT_STATUS_IS_OK(status)) {
979 ptrust_list->count = num_trusts;
980 ptrust_list->array = talloc_move(mem_ctx, &trusts);
984 TALLOC_FREE(tmp_ctx);
988 /* find the lockout policy for a domain */
989 static NTSTATUS msrpc_lockout_policy(struct winbindd_domain *domain,
991 struct samr_DomInfo12 *lockout_policy)
993 NTSTATUS status, result;
994 struct rpc_pipe_client *cli;
995 struct policy_handle dom_pol;
996 union samr_DomainInfo *info = NULL;
997 struct dcerpc_binding_handle *b;
999 DEBUG(3, ("msrpc_lockout_policy: fetch lockout policy for %s\n", domain->name));
1001 if ( !winbindd_can_contact_domain( domain ) ) {
1002 DEBUG(10,("msrpc_lockout_policy: No incoming trust for domain %s\n",
1004 return NT_STATUS_NOT_SUPPORTED;
1007 status = cm_connect_sam(domain, mem_ctx, false, &cli, &dom_pol);
1008 if (!NT_STATUS_IS_OK(status)) {
1012 b = cli->binding_handle;
1014 status = dcerpc_samr_QueryDomainInfo(b, mem_ctx,
1016 DomainLockoutInformation,
1019 if (!NT_STATUS_IS_OK(status)) {
1022 if (!NT_STATUS_IS_OK(result)) {
1027 *lockout_policy = info->info12;
1029 DEBUG(10,("msrpc_lockout_policy: lockout_threshold %d\n",
1030 info->info12.lockout_threshold));
1037 /* find the password policy for a domain */
1038 static NTSTATUS msrpc_password_policy(struct winbindd_domain *domain,
1039 TALLOC_CTX *mem_ctx,
1040 struct samr_DomInfo1 *password_policy)
1042 NTSTATUS status, result;
1043 struct rpc_pipe_client *cli;
1044 struct policy_handle dom_pol;
1045 union samr_DomainInfo *info = NULL;
1046 struct dcerpc_binding_handle *b;
1048 DEBUG(3, ("msrpc_password_policy: fetch password policy for %s\n",
1051 if ( !winbindd_can_contact_domain( domain ) ) {
1052 DEBUG(10,("msrpc_password_policy: No incoming trust for domain %s\n",
1054 return NT_STATUS_NOT_SUPPORTED;
1057 status = cm_connect_sam(domain, mem_ctx, false, &cli, &dom_pol);
1058 if (!NT_STATUS_IS_OK(status)) {
1062 b = cli->binding_handle;
1064 status = dcerpc_samr_QueryDomainInfo(b, mem_ctx,
1066 DomainPasswordInformation,
1069 if (!NT_STATUS_IS_OK(status)) {
1072 if (!NT_STATUS_IS_OK(result)) {
1076 *password_policy = info->info1;
1078 DEBUG(10,("msrpc_password_policy: min_length_password %d\n",
1079 info->info1.min_password_length));
1086 NTSTATUS winbindd_lookup_sids(TALLOC_CTX *mem_ctx,
1087 struct winbindd_domain *domain,
1089 const struct dom_sid *sids,
1092 enum lsa_SidType **types)
1096 struct rpc_pipe_client *cli = NULL;
1097 struct dcerpc_binding_handle *b = NULL;
1098 struct policy_handle lsa_policy;
1099 unsigned int orig_timeout;
1100 bool use_lookupsids3 = false;
1101 bool retried = false;
1104 status = cm_connect_lsat(domain, mem_ctx, &cli, &lsa_policy);
1105 if (!NT_STATUS_IS_OK(status)) {
1109 b = cli->binding_handle;
1111 if (cli->transport->transport == NCACN_IP_TCP) {
1112 use_lookupsids3 = true;
1116 * This call can take a long time
1117 * allow the server to time out.
1118 * 35 seconds should do it.
1120 orig_timeout = dcerpc_binding_handle_set_timeout(b, 35000);
1122 status = dcerpc_lsa_lookup_sids_generic(b,
1133 /* And restore our original timeout. */
1134 dcerpc_binding_handle_set_timeout(b, orig_timeout);
1136 if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) ||
1137 NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR) ||
1138 NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED)) {
1140 * This can happen if the schannel key is not
1141 * valid anymore, we need to invalidate the
1142 * all connections to the dc and reestablish
1143 * a netlogon connection first.
1145 invalidate_cm_connection(domain);
1146 domain->can_do_ncacn_ip_tcp = domain->active_directory;
1151 status = NT_STATUS_ACCESS_DENIED;
1154 if (!NT_STATUS_IS_OK(status)) {
1158 if (!NT_STATUS_IS_OK(result)) {
1162 return NT_STATUS_OK;
1165 static NTSTATUS winbindd_lookup_names(TALLOC_CTX *mem_ctx,
1166 struct winbindd_domain *domain,
1169 const char ***domains,
1170 struct dom_sid **sids,
1171 enum lsa_SidType **types)
1175 struct rpc_pipe_client *cli = NULL;
1176 struct dcerpc_binding_handle *b = NULL;
1177 struct policy_handle lsa_policy;
1178 unsigned int orig_timeout = 0;
1179 bool use_lookupnames4 = false;
1180 bool retried = false;
1183 status = cm_connect_lsat(domain, mem_ctx, &cli, &lsa_policy);
1184 if (!NT_STATUS_IS_OK(status)) {
1188 b = cli->binding_handle;
1190 if (cli->transport->transport == NCACN_IP_TCP) {
1191 use_lookupnames4 = true;
1195 * This call can take a long time
1196 * allow the server to time out.
1197 * 35 seconds should do it.
1199 orig_timeout = dcerpc_binding_handle_set_timeout(b, 35000);
1201 status = dcerpc_lsa_lookup_names_generic(b,
1205 (const char **) names,
1213 /* And restore our original timeout. */
1214 dcerpc_binding_handle_set_timeout(b, orig_timeout);
1216 if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) ||
1217 NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR) ||
1218 NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED)) {
1220 * This can happen if the schannel key is not
1221 * valid anymore, we need to invalidate the
1222 * all connections to the dc and reestablish
1223 * a netlogon connection first.
1225 invalidate_cm_connection(domain);
1230 status = NT_STATUS_ACCESS_DENIED;
1233 if (!NT_STATUS_IS_OK(status)) {
1237 if (!NT_STATUS_IS_OK(result)) {
1241 return NT_STATUS_OK;
1244 /* the rpc backend methods are exposed via this structure */
1245 struct winbindd_methods msrpc_methods = {
1247 msrpc_query_user_list,
1248 msrpc_enum_dom_groups,
1249 msrpc_enum_local_groups,
1252 msrpc_rids_to_names,
1254 msrpc_lookup_usergroups,
1255 msrpc_lookup_useraliases,
1256 msrpc_lookup_groupmem,
1257 msrpc_sequence_number,
1258 msrpc_lockout_policy,
1259 msrpc_password_policy,
1260 msrpc_trusted_domains,