2 Unix SMB/CIFS implementation.
4 Winbind rpc backend functions
6 Copyright (C) Tim Potter 2000-2001,2003
7 Copyright (C) Andrew Tridgell 2001
8 Copyright (C) Volker Lendecke 2005
9 Copyright (C) Guenther Deschner 2008 (pidl conversion)
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 3 of the License, or
14 (at your option) any later version.
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
21 You should have received a copy of the GNU General Public License
22 along with this program. If not, see <http://www.gnu.org/licenses/>.
29 #define DBGC_CLASS DBGC_WINBIND
32 /* Query display info for a domain. This returns enough information plus a
33 bit extra to give an overview of domain users for the User Manager
35 static NTSTATUS query_user_list(struct winbindd_domain *domain,
38 WINBIND_USERINFO **info)
41 struct policy_handle dom_pol;
42 unsigned int i, start_idx;
44 struct rpc_pipe_client *cli;
46 DEBUG(3,("rpc: query_user_list\n"));
51 if ( !winbindd_can_contact_domain( domain ) ) {
52 DEBUG(10,("query_user_list: No incoming trust for domain %s\n",
57 result = cm_connect_sam(domain, mem_ctx, &cli, &dom_pol);
58 if (!NT_STATUS_IS_OK(result))
65 uint32 num_dom_users, j;
66 uint32 max_entries, max_size;
67 uint32_t total_size, returned_size;
69 union samr_DispInfo disp_info;
71 /* this next bit is copied from net_user_list_internal() */
73 get_query_dispinfo_params(loop_count, &max_entries,
76 result = rpccli_samr_QueryDisplayInfo(cli, mem_ctx,
85 num_dom_users = disp_info.info1.count;
86 start_idx += disp_info.info1.count;
89 *num_entries += num_dom_users;
91 *info = TALLOC_REALLOC_ARRAY(mem_ctx, *info, WINBIND_USERINFO,
95 return NT_STATUS_NO_MEMORY;
98 for (j = 0; j < num_dom_users; i++, j++) {
100 uint32_t rid = disp_info.info1.entries[j].rid;
102 (*info)[i].acct_name = talloc_strdup(mem_ctx,
103 disp_info.info1.entries[j].account_name.string);
104 (*info)[i].full_name = talloc_strdup(mem_ctx,
105 disp_info.info1.entries[j].full_name.string);
106 (*info)[i].homedir = NULL;
107 (*info)[i].shell = NULL;
108 sid_compose(&(*info)[i].user_sid, &domain->sid, rid);
110 /* For the moment we set the primary group for
111 every user to be the Domain Users group.
112 There are serious problems with determining
113 the actual primary group for large domains.
114 This should really be made into a 'winbind
115 force group' smb.conf parameter or
116 something like that. */
118 sid_compose(&(*info)[i].group_sid, &domain->sid,
119 DOMAIN_GROUP_RID_USERS);
122 } while (NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES));
127 /* list all domain groups */
128 static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
131 struct acct_info **info)
133 struct policy_handle dom_pol;
136 struct rpc_pipe_client *cli;
141 DEBUG(3,("rpc: enum_dom_groups\n"));
143 if ( !winbindd_can_contact_domain( domain ) ) {
144 DEBUG(10,("enum_domain_groups: No incoming trust for domain %s\n",
149 status = cm_connect_sam(domain, mem_ctx, &cli, &dom_pol);
150 if (!NT_STATUS_IS_OK(status))
154 struct samr_SamArray *sam_array = NULL;
156 TALLOC_CTX *mem_ctx2;
159 mem_ctx2 = talloc_init("enum_dom_groups[rpc]");
161 /* start is updated by this call. */
162 status = rpccli_samr_EnumDomainGroups(cli, mem_ctx2,
166 0xFFFF, /* buffer size? */
169 if (!NT_STATUS_IS_OK(status) &&
170 !NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES)) {
171 talloc_destroy(mem_ctx2);
175 (*info) = TALLOC_REALLOC_ARRAY(mem_ctx, *info,
177 (*num_entries) + count);
179 talloc_destroy(mem_ctx2);
180 return NT_STATUS_NO_MEMORY;
183 for (g=0; g < count; g++) {
185 fstrcpy((*info)[*num_entries + g].acct_name,
186 sam_array->entries[g].name.string);
187 (*info)[*num_entries + g].rid = sam_array->entries[g].idx;
190 (*num_entries) += count;
191 talloc_destroy(mem_ctx2);
192 } while (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES));
197 /* List all domain groups */
199 static NTSTATUS enum_local_groups(struct winbindd_domain *domain,
202 struct acct_info **info)
204 struct policy_handle dom_pol;
206 struct rpc_pipe_client *cli;
211 DEBUG(3,("rpc: enum_local_groups\n"));
213 if ( !winbindd_can_contact_domain( domain ) ) {
214 DEBUG(10,("enum_local_groups: No incoming trust for domain %s\n",
219 result = cm_connect_sam(domain, mem_ctx, &cli, &dom_pol);
220 if (!NT_STATUS_IS_OK(result))
224 struct samr_SamArray *sam_array = NULL;
225 uint32 count = 0, start = *num_entries;
226 TALLOC_CTX *mem_ctx2;
229 mem_ctx2 = talloc_init("enum_dom_local_groups[rpc]");
231 result = rpccli_samr_EnumDomainAliases(cli, mem_ctx2,
235 0xFFFF, /* buffer size? */
237 if (!NT_STATUS_IS_OK(result) &&
238 !NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES) )
240 talloc_destroy(mem_ctx2);
244 (*info) = TALLOC_REALLOC_ARRAY(mem_ctx, *info,
246 (*num_entries) + count);
248 talloc_destroy(mem_ctx2);
249 return NT_STATUS_NO_MEMORY;
252 for (g=0; g < count; g++) {
254 fstrcpy((*info)[*num_entries + g].acct_name,
255 sam_array->entries[g].name.string);
256 (*info)[*num_entries + g].rid = sam_array->entries[g].idx;
259 (*num_entries) += count;
260 talloc_destroy(mem_ctx2);
262 } while (NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES));
267 /* convert a single name to a sid in a domain */
268 static NTSTATUS msrpc_name_to_sid(struct winbindd_domain *domain,
270 enum winbindd_cmd original_cmd,
271 const char *domain_name,
274 enum lsa_SidType *type)
277 DOM_SID *sids = NULL;
278 enum lsa_SidType *types = NULL;
279 char *full_name = NULL;
280 struct rpc_pipe_client *cli;
281 struct policy_handle lsa_policy;
282 NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL;
283 char *mapped_name = NULL;
284 unsigned int orig_timeout;
286 if (name == NULL || *name=='\0') {
287 full_name = talloc_asprintf(mem_ctx, "%s", domain_name);
288 } else if (domain_name == NULL || *domain_name == '\0') {
289 full_name = talloc_asprintf(mem_ctx, "%s", name);
291 full_name = talloc_asprintf(mem_ctx, "%s\\%s", domain_name, name);
294 DEBUG(0, ("talloc_asprintf failed!\n"));
295 return NT_STATUS_NO_MEMORY;
298 DEBUG(3,("rpc: name_to_sid name=%s\n", full_name));
300 name_map_status = normalize_name_unmap(mem_ctx, full_name,
303 /* Reset the full_name pointer if we mapped anytthing */
305 if (NT_STATUS_IS_OK(name_map_status) ||
306 NT_STATUS_EQUAL(name_map_status, NT_STATUS_FILE_RENAMED))
308 full_name = mapped_name;
311 DEBUG(3,("name_to_sid [rpc] %s for domain %s\n",
312 full_name?full_name:"", domain_name ));
314 result = cm_connect_lsa(domain, mem_ctx, &cli, &lsa_policy);
315 if (!NT_STATUS_IS_OK(result))
319 * This call can take a long time
320 * allow the server to time out.
321 * 35 seconds should do it.
323 orig_timeout = rpccli_set_timeout(cli, 35000);
325 result = rpccli_lsa_lookup_names(cli, mem_ctx, &lsa_policy, 1,
326 (const char**) &full_name, NULL, 1, &sids, &types);
328 /* And restore our original timeout. */
329 rpccli_set_timeout(cli, orig_timeout);
331 if (!NT_STATUS_IS_OK(result))
334 /* Return rid and type if lookup successful */
336 sid_copy(sid, &sids[0]);
343 convert a domain SID to a user or group name
345 static NTSTATUS msrpc_sid_to_name(struct winbindd_domain *domain,
350 enum lsa_SidType *type)
354 enum lsa_SidType *types = NULL;
356 NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL;
357 char *mapped_name = NULL;
359 DEBUG(3,("sid_to_name [rpc] %s for domain %s\n", sid_string_dbg(sid),
362 result = winbindd_lookup_sids(mem_ctx,
369 if (!NT_STATUS_IS_OK(result)) {
370 DEBUG(2,("msrpc_sid_to_name: failed to lookup sids: %s\n",
376 *type = (enum lsa_SidType)types[0];
377 *domain_name = domains[0];
380 DEBUG(5,("Mapped sid to [%s]\\[%s]\n", domains[0], *name));
382 name_map_status = normalize_name_map(mem_ctx, domain, *name,
384 if (NT_STATUS_IS_OK(name_map_status) ||
385 NT_STATUS_EQUAL(name_map_status, NT_STATUS_FILE_RENAMED))
388 DEBUG(5,("returning mapped name -- %s\n", *name));
394 static NTSTATUS msrpc_rids_to_names(struct winbindd_domain *domain,
401 enum lsa_SidType **types)
409 DEBUG(3, ("rids_to_names [rpc] for domain %s\n", domain->name ));
412 sids = TALLOC_ARRAY(mem_ctx, DOM_SID, num_rids);
414 return NT_STATUS_NO_MEMORY;
420 for (i=0; i<num_rids; i++) {
421 if (!sid_compose(&sids[i], sid, rids[i])) {
422 return NT_STATUS_INTERNAL_ERROR;
426 result = winbindd_lookup_sids(mem_ctx,
434 if (!NT_STATUS_IS_OK(result) &&
435 !NT_STATUS_EQUAL(result, STATUS_SOME_UNMAPPED)) {
440 for (i=0; i<num_rids; i++) {
441 NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL;
442 char *mapped_name = NULL;
444 if ((*types)[i] != SID_NAME_UNKNOWN) {
445 name_map_status = normalize_name_map(mem_ctx,
449 if (NT_STATUS_IS_OK(name_map_status) ||
450 NT_STATUS_EQUAL(name_map_status, NT_STATUS_FILE_RENAMED))
452 ret_names[i] = mapped_name;
455 *domain_name = domains[i];
462 /* Lookup user information from a rid or username. */
463 static NTSTATUS query_user(struct winbindd_domain *domain,
465 const DOM_SID *user_sid,
466 WINBIND_USERINFO *user_info)
468 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
469 struct policy_handle dom_pol, user_pol;
470 union samr_UserInfo *info = NULL;
472 struct netr_SamInfo3 *user;
473 struct rpc_pipe_client *cli;
475 DEBUG(3,("rpc: query_user sid=%s\n", sid_string_dbg(user_sid)));
477 if (!sid_peek_check_rid(&domain->sid, user_sid, &user_rid))
478 return NT_STATUS_UNSUCCESSFUL;
480 user_info->homedir = NULL;
481 user_info->shell = NULL;
482 user_info->primary_gid = (gid_t)-1;
484 /* try netsamlogon cache first */
486 if ( (user = netsamlogon_cache_get( mem_ctx, user_sid )) != NULL )
489 DEBUG(5,("query_user: Cache lookup succeeded for %s\n",
490 sid_string_dbg(user_sid)));
492 sid_compose(&user_info->user_sid, &domain->sid, user->base.rid);
493 sid_compose(&user_info->group_sid, &domain->sid,
494 user->base.primary_gid);
496 user_info->acct_name = talloc_strdup(mem_ctx,
497 user->base.account_name.string);
498 user_info->full_name = talloc_strdup(mem_ctx,
499 user->base.full_name.string);
506 if ( !winbindd_can_contact_domain( domain ) ) {
507 DEBUG(10,("query_user: No incoming trust for domain %s\n",
512 if ( !winbindd_can_contact_domain( domain ) ) {
513 DEBUG(10,("query_user: No incoming trust for domain %s\n",
518 if ( !winbindd_can_contact_domain( domain ) ) {
519 DEBUG(10,("query_user: No incoming trust for domain %s\n",
524 /* no cache; hit the wire */
526 result = cm_connect_sam(domain, mem_ctx, &cli, &dom_pol);
527 if (!NT_STATUS_IS_OK(result))
530 /* Get user handle */
531 result = rpccli_samr_OpenUser(cli, mem_ctx,
533 SEC_FLAG_MAXIMUM_ALLOWED,
537 if (!NT_STATUS_IS_OK(result))
541 result = rpccli_samr_QueryUserInfo(cli, mem_ctx,
546 rpccli_samr_Close(cli, mem_ctx, &user_pol);
548 if (!NT_STATUS_IS_OK(result))
551 sid_compose(&user_info->user_sid, &domain->sid, user_rid);
552 sid_compose(&user_info->group_sid, &domain->sid,
553 info->info21.primary_gid);
554 user_info->acct_name = talloc_strdup(mem_ctx,
555 info->info21.account_name.string);
556 user_info->full_name = talloc_strdup(mem_ctx,
557 info->info21.full_name.string);
558 user_info->homedir = NULL;
559 user_info->shell = NULL;
560 user_info->primary_gid = (gid_t)-1;
565 /* Lookup groups a user is a member of. I wish Unix had a call like this! */
566 static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
568 const DOM_SID *user_sid,
569 uint32 *num_groups, DOM_SID **user_grpsids)
571 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
572 struct policy_handle dom_pol, user_pol;
573 uint32 des_access = SEC_FLAG_MAXIMUM_ALLOWED;
574 struct samr_RidWithAttributeArray *rid_array = NULL;
577 struct rpc_pipe_client *cli;
579 DEBUG(3,("rpc: lookup_usergroups sid=%s\n", sid_string_dbg(user_sid)));
581 if (!sid_peek_check_rid(&domain->sid, user_sid, &user_rid))
582 return NT_STATUS_UNSUCCESSFUL;
585 *user_grpsids = NULL;
587 /* so lets see if we have a cached user_info_3 */
588 result = lookup_usergroups_cached(domain, mem_ctx, user_sid,
589 num_groups, user_grpsids);
591 if (NT_STATUS_IS_OK(result)) {
595 if ( !winbindd_can_contact_domain( domain ) ) {
596 DEBUG(10,("lookup_usergroups: No incoming trust for domain %s\n",
599 /* Tell the cache manager not to remember this one */
601 return NT_STATUS_SYNCHRONIZATION_REQUIRED;
604 /* no cache; hit the wire */
606 result = cm_connect_sam(domain, mem_ctx, &cli, &dom_pol);
607 if (!NT_STATUS_IS_OK(result))
610 /* Get user handle */
611 result = rpccli_samr_OpenUser(cli, mem_ctx,
617 if (!NT_STATUS_IS_OK(result))
620 /* Query user rids */
621 result = rpccli_samr_GetGroupsForUser(cli, mem_ctx,
624 *num_groups = rid_array->count;
626 rpccli_samr_Close(cli, mem_ctx, &user_pol);
628 if (!NT_STATUS_IS_OK(result) || (*num_groups) == 0)
631 (*user_grpsids) = TALLOC_ARRAY(mem_ctx, DOM_SID, *num_groups);
632 if (!(*user_grpsids))
633 return NT_STATUS_NO_MEMORY;
635 for (i=0;i<(*num_groups);i++) {
636 sid_copy(&((*user_grpsids)[i]), &domain->sid);
637 sid_append_rid(&((*user_grpsids)[i]),
638 rid_array->rids[i].rid);
644 #define MAX_SAM_ENTRIES_W2K 0x400 /* 1024 */
646 static NTSTATUS msrpc_lookup_useraliases(struct winbindd_domain *domain,
648 uint32 num_sids, const DOM_SID *sids,
652 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
653 struct policy_handle dom_pol;
654 uint32 num_query_sids = 0;
656 struct rpc_pipe_client *cli;
657 struct samr_Ids alias_rids_query;
658 int rangesize = MAX_SAM_ENTRIES_W2K;
659 uint32 total_sids = 0;
665 DEBUG(3,("rpc: lookup_useraliases\n"));
667 if ( !winbindd_can_contact_domain( domain ) ) {
668 DEBUG(10,("msrpc_lookup_useraliases: No incoming trust for domain %s\n",
673 result = cm_connect_sam(domain, mem_ctx, &cli, &dom_pol);
674 if (!NT_STATUS_IS_OK(result))
679 struct lsa_SidArray sid_array;
681 ZERO_STRUCT(sid_array);
683 num_query_sids = MIN(num_sids - total_sids, rangesize);
685 DEBUG(10,("rpc: lookup_useraliases: entering query %d for %d sids\n",
686 num_queries, num_query_sids));
688 if (num_query_sids) {
689 sid_array.sids = TALLOC_ZERO_ARRAY(mem_ctx, struct lsa_SidPtr, num_query_sids);
690 if (sid_array.sids == NULL) {
691 return NT_STATUS_NO_MEMORY;
694 sid_array.sids = NULL;
697 for (i=0; i<num_query_sids; i++) {
698 sid_array.sids[i].sid = sid_dup_talloc(mem_ctx, &sids[total_sids++]);
699 if (!sid_array.sids[i].sid) {
700 TALLOC_FREE(sid_array.sids);
701 return NT_STATUS_NO_MEMORY;
704 sid_array.num_sids = num_query_sids;
707 result = rpccli_samr_GetAliasMembership(cli, mem_ctx,
712 if (!NT_STATUS_IS_OK(result)) {
715 TALLOC_FREE(sid_array.sids);
721 for (i=0; i<alias_rids_query.count; i++) {
722 size_t na = *num_aliases;
723 if (!add_rid_to_array_unique(mem_ctx, alias_rids_query.ids[i],
725 return NT_STATUS_NO_MEMORY;
730 TALLOC_FREE(sid_array.sids);
734 } while (total_sids < num_sids);
737 DEBUG(10,("rpc: lookup_useraliases: got %d aliases in %d queries "
738 "(rangesize: %d)\n", *num_aliases, num_queries, rangesize));
744 /* Lookup group membership given a rid. */
745 static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
747 const DOM_SID *group_sid, uint32 *num_names,
748 DOM_SID **sid_mem, char ***names,
751 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
752 uint32 i, total_names = 0;
753 struct policy_handle dom_pol, group_pol;
754 uint32 des_access = SEC_FLAG_MAXIMUM_ALLOWED;
755 uint32 *rid_mem = NULL;
758 struct rpc_pipe_client *cli;
759 unsigned int orig_timeout;
760 struct samr_RidTypeArray *rids = NULL;
762 DEBUG(10,("rpc: lookup_groupmem %s sid=%s\n", domain->name,
763 sid_string_dbg(group_sid)));
765 if ( !winbindd_can_contact_domain( domain ) ) {
766 DEBUG(10,("lookup_groupmem: No incoming trust for domain %s\n",
771 if (!sid_peek_check_rid(&domain->sid, group_sid, &group_rid))
772 return NT_STATUS_UNSUCCESSFUL;
776 result = cm_connect_sam(domain, mem_ctx, &cli, &dom_pol);
777 if (!NT_STATUS_IS_OK(result))
780 result = rpccli_samr_OpenGroup(cli, mem_ctx,
786 if (!NT_STATUS_IS_OK(result))
789 /* Step #1: Get a list of user rids that are the members of the
792 /* This call can take a long time - allow the server to time out.
793 35 seconds should do it. */
795 orig_timeout = rpccli_set_timeout(cli, 35000);
797 result = rpccli_samr_QueryGroupMember(cli, mem_ctx,
801 /* And restore our original timeout. */
802 rpccli_set_timeout(cli, orig_timeout);
804 rpccli_samr_Close(cli, mem_ctx, &group_pol);
806 if (!NT_STATUS_IS_OK(result))
809 *num_names = rids->count;
810 rid_mem = rids->rids;
819 /* Step #2: Convert list of rids into list of usernames. Do this
820 in bunches of ~1000 to avoid crashing NT4. It looks like there
821 is a buffer overflow or something like that lurking around
824 #define MAX_LOOKUP_RIDS 900
826 *names = TALLOC_ZERO_ARRAY(mem_ctx, char *, *num_names);
827 *name_types = TALLOC_ZERO_ARRAY(mem_ctx, uint32, *num_names);
828 *sid_mem = TALLOC_ZERO_ARRAY(mem_ctx, DOM_SID, *num_names);
830 for (j=0;j<(*num_names);j++)
831 sid_compose(&(*sid_mem)[j], &domain->sid, rid_mem[j]);
833 if (*num_names>0 && (!*names || !*name_types))
834 return NT_STATUS_NO_MEMORY;
836 for (i = 0; i < *num_names; i += MAX_LOOKUP_RIDS) {
837 int num_lookup_rids = MIN(*num_names - i, MAX_LOOKUP_RIDS);
838 struct lsa_Strings tmp_names;
839 struct samr_Ids tmp_types;
841 /* Lookup a chunk of rids */
843 result = rpccli_samr_LookupRids(cli, mem_ctx,
850 /* see if we have a real error (and yes the
851 STATUS_SOME_UNMAPPED is the one returned from 2k) */
853 if (!NT_STATUS_IS_OK(result) &&
854 !NT_STATUS_EQUAL(result, STATUS_SOME_UNMAPPED))
857 /* Copy result into array. The talloc system will take
858 care of freeing the temporary arrays later on. */
860 if (tmp_names.count != tmp_types.count) {
861 return NT_STATUS_UNSUCCESSFUL;
864 for (r=0; r<tmp_names.count; r++) {
865 if (tmp_types.ids[r] == SID_NAME_UNKNOWN) {
868 (*names)[total_names] = fill_domain_username_talloc(
869 mem_ctx, domain->name,
870 tmp_names.names[r].string, true);
871 (*name_types)[total_names] = tmp_types.ids[r];
876 *num_names = total_names;
885 static int get_ldap_seq(const char *server, int port, uint32 *seq)
889 const char *attrs[] = {"highestCommittedUSN", NULL};
890 LDAPMessage *res = NULL;
891 char **values = NULL;
894 *seq = DOM_SEQUENCE_NONE;
897 * Parameterised (5) second timeout on open. This is needed as the
898 * search timeout doesn't seem to apply to doing an open as well. JRA.
901 ldp = ldap_open_with_timeout(server, port, lp_ldap_timeout());
905 /* Timeout if no response within 20 seconds. */
909 if (ldap_search_st(ldp, "", LDAP_SCOPE_BASE, "(objectclass=*)",
910 CONST_DISCARD(char **, attrs), 0, &to, &res))
913 if (ldap_count_entries(ldp, res) != 1)
916 values = ldap_get_values(ldp, res, "highestCommittedUSN");
917 if (!values || !values[0])
920 *seq = atoi(values[0]);
926 ldap_value_free(values);
934 /**********************************************************************
935 Get the sequence number for a Windows AD native mode domain using
937 **********************************************************************/
939 static int get_ldap_sequence_number(struct winbindd_domain *domain, uint32 *seq)
942 char addr[INET6_ADDRSTRLEN];
944 print_sockaddr(addr, sizeof(addr), &domain->dcaddr);
945 if ((ret = get_ldap_seq(addr, LDAP_PORT, seq)) == 0) {
946 DEBUG(3, ("get_ldap_sequence_number: Retrieved sequence "
947 "number for Domain (%s) from DC (%s)\n",
948 domain->name, addr));
953 #endif /* HAVE_LDAP */
955 /* find the sequence number for a domain */
956 static NTSTATUS sequence_number(struct winbindd_domain *domain, uint32 *seq)
959 union samr_DomainInfo *info = NULL;
961 struct policy_handle dom_pol;
962 bool got_seq_num = False;
963 struct rpc_pipe_client *cli;
965 DEBUG(10,("rpc: fetch sequence_number for %s\n", domain->name));
967 if ( !winbindd_can_contact_domain( domain ) ) {
968 DEBUG(10,("sequence_number: No incoming trust for domain %s\n",
974 *seq = DOM_SEQUENCE_NONE;
976 if (!(mem_ctx = talloc_init("sequence_number[rpc]")))
977 return NT_STATUS_NO_MEMORY;
980 if ( domain->active_directory )
984 DEBUG(8,("using get_ldap_seq() to retrieve the "
985 "sequence number\n"));
987 res = get_ldap_sequence_number( domain, seq );
990 result = NT_STATUS_OK;
991 DEBUG(10,("domain_sequence_number: LDAP for "
993 domain->name, *seq));
997 DEBUG(10,("domain_sequence_number: failed to get LDAP "
998 "sequence number for domain %s\n",
1001 #endif /* HAVE_LDAP */
1003 result = cm_connect_sam(domain, mem_ctx, &cli, &dom_pol);
1004 if (!NT_STATUS_IS_OK(result)) {
1008 /* Query domain info */
1010 result = rpccli_samr_QueryDomainInfo(cli, mem_ctx,
1015 if (NT_STATUS_IS_OK(result)) {
1016 *seq = info->info8.sequence_num;
1021 /* retry with info-level 2 in case the dc does not support info-level 8
1022 * (like all older samba2 and samba3 dc's) - Guenther */
1024 result = rpccli_samr_QueryDomainInfo(cli, mem_ctx,
1029 if (NT_STATUS_IS_OK(result)) {
1030 *seq = info->general.sequence_num;
1036 DEBUG(10,("domain_sequence_number: for domain %s is %u\n",
1037 domain->name, (unsigned)*seq));
1039 DEBUG(10,("domain_sequence_number: failed to get sequence "
1040 "number (%u) for domain %s\n",
1041 (unsigned)*seq, domain->name ));
1046 talloc_destroy(mem_ctx);
1051 /* get a list of trusted domains */
1052 static NTSTATUS trusted_domains(struct winbindd_domain *domain,
1053 TALLOC_CTX *mem_ctx,
1054 uint32 *num_domains,
1059 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1060 uint32 enum_ctx = 0;
1061 struct rpc_pipe_client *cli;
1062 struct policy_handle lsa_policy;
1064 DEBUG(3,("rpc: trusted_domains\n"));
1071 result = cm_connect_lsa(domain, mem_ctx, &cli, &lsa_policy);
1072 if (!NT_STATUS_IS_OK(result))
1075 result = STATUS_MORE_ENTRIES;
1077 while (NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES)) {
1080 struct lsa_DomainList dom_list;
1082 result = rpccli_lsa_EnumTrustDom(cli, mem_ctx,
1088 if (!NT_STATUS_IS_OK(result) &&
1089 !NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES))
1092 start_idx = *num_domains;
1093 *num_domains += dom_list.count;
1094 *names = TALLOC_REALLOC_ARRAY(mem_ctx, *names,
1095 char *, *num_domains);
1096 *dom_sids = TALLOC_REALLOC_ARRAY(mem_ctx, *dom_sids,
1097 DOM_SID, *num_domains);
1098 *alt_names = TALLOC_REALLOC_ARRAY(mem_ctx, *alt_names,
1099 char *, *num_domains);
1100 if ((*names == NULL) || (*dom_sids == NULL) ||
1101 (*alt_names == NULL))
1102 return NT_STATUS_NO_MEMORY;
1104 for (i=0; i<dom_list.count; i++) {
1105 (*names)[start_idx+i] = CONST_DISCARD(char *, dom_list.domains[i].name.string);
1106 (*dom_sids)[start_idx+i] = *dom_list.domains[i].sid;
1107 (*alt_names)[start_idx+i] = talloc_strdup(mem_ctx, "");
1113 /* find the lockout policy for a domain */
1114 static NTSTATUS msrpc_lockout_policy(struct winbindd_domain *domain,
1115 TALLOC_CTX *mem_ctx,
1116 struct samr_DomInfo12 *lockout_policy)
1119 struct rpc_pipe_client *cli;
1120 struct policy_handle dom_pol;
1121 union samr_DomainInfo *info = NULL;
1123 DEBUG(10,("rpc: fetch lockout policy for %s\n", domain->name));
1125 if ( !winbindd_can_contact_domain( domain ) ) {
1126 DEBUG(10,("msrpc_lockout_policy: No incoming trust for domain %s\n",
1128 return NT_STATUS_NOT_SUPPORTED;
1131 result = cm_connect_sam(domain, mem_ctx, &cli, &dom_pol);
1132 if (!NT_STATUS_IS_OK(result)) {
1136 result = rpccli_samr_QueryDomainInfo(cli, mem_ctx,
1140 if (!NT_STATUS_IS_OK(result)) {
1144 *lockout_policy = info->info12;
1146 DEBUG(10,("msrpc_lockout_policy: lockout_threshold %d\n",
1147 info->info12.lockout_threshold));
1154 /* find the password policy for a domain */
1155 static NTSTATUS msrpc_password_policy(struct winbindd_domain *domain,
1156 TALLOC_CTX *mem_ctx,
1157 struct samr_DomInfo1 *password_policy)
1160 struct rpc_pipe_client *cli;
1161 struct policy_handle dom_pol;
1162 union samr_DomainInfo *info = NULL;
1164 DEBUG(10,("rpc: fetch password policy for %s\n", domain->name));
1166 if ( !winbindd_can_contact_domain( domain ) ) {
1167 DEBUG(10,("msrpc_password_policy: No incoming trust for domain %s\n",
1169 return NT_STATUS_NOT_SUPPORTED;
1172 result = cm_connect_sam(domain, mem_ctx, &cli, &dom_pol);
1173 if (!NT_STATUS_IS_OK(result)) {
1177 result = rpccli_samr_QueryDomainInfo(cli, mem_ctx,
1181 if (!NT_STATUS_IS_OK(result)) {
1185 *password_policy = info->info1;
1187 DEBUG(10,("msrpc_password_policy: min_length_password %d\n",
1188 info->info1.min_password_length));
1195 NTSTATUS winbindd_lookup_sids(TALLOC_CTX *mem_ctx,
1196 struct winbindd_domain *domain,
1198 const struct dom_sid *sids,
1201 enum lsa_SidType **types)
1204 struct rpc_pipe_client *cli = NULL;
1205 struct policy_handle lsa_policy;
1206 unsigned int orig_timeout;
1208 status = cm_connect_lsa(domain, mem_ctx, &cli, &lsa_policy);
1209 if (!NT_STATUS_IS_OK(status)) {
1214 * This call can take a long time
1215 * allow the server to time out.
1216 * 35 seconds should do it.
1218 orig_timeout = rpccli_set_timeout(cli, 35000);
1220 status = rpccli_lsa_lookup_sids(cli, mem_ctx, &lsa_policy,
1221 num_sids, sids, domains,
1224 /* And restore our original timeout. */
1225 rpccli_set_timeout(cli, orig_timeout);
1227 if (!NT_STATUS_IS_OK(status)) {
1235 /* the rpc backend methods are exposed via this structure */
1236 struct winbindd_methods msrpc_methods = {
1243 msrpc_rids_to_names,
1246 msrpc_lookup_useraliases,
1249 msrpc_lockout_policy,
1250 msrpc_password_policy,