2 Unix SMB/CIFS implementation.
4 endpoint server for the drsuapi pipe
7 Copyright (C) Stefan Metzmacher 2004
8 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include "librpc/gen_ndr/drsuapi.h"
26 #include "rpc_server/common/common.h"
27 #include "lib/ldb/include/ldb_errors.h"
28 #include "system/kerberos.h"
29 #include "auth/kerberos/kerberos.h"
30 #include "libcli/ldap/ldap.h"
31 #include "libcli/security/security.h"
32 #include "librpc/gen_ndr/ndr_misc.h"
33 #include "auth/auth.h"
34 #include "util/util_ldb.h"
35 #include "dsdb/samdb/samdb.h"
37 static WERROR DsCrackNameOneFilter(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
38 struct smb_krb5_context *smb_krb5_context,
39 uint32_t format_flags, uint32_t format_offered, uint32_t format_desired,
40 struct ldb_dn *name_dn, const char *name,
41 const char *domain_filter, const char *result_filter,
42 struct drsuapi_DsNameInfo1 *info1);
43 static WERROR DsCrackNameOneSyntactical(TALLOC_CTX *mem_ctx,
44 uint32_t format_offered, uint32_t format_desired,
45 struct ldb_dn *name_dn, const char *name,
46 struct drsuapi_DsNameInfo1 *info1);
48 static WERROR dns_domain_from_principal(TALLOC_CTX *mem_ctx, struct smb_krb5_context *smb_krb5_context,
50 struct drsuapi_DsNameInfo1 *info1)
53 krb5_principal principal;
54 /* perhaps it's a principal with a realm, so return the right 'domain only' response */
56 ret = krb5_parse_name_flags(smb_krb5_context->krb5_context, name,
57 KRB5_PRINCIPAL_PARSE_MUST_REALM, &principal);
59 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
63 /* This isn't an allocation assignemnt, so it is free'ed with the krb5_free_principal */
64 realm = krb5_princ_realm(smb_krb5_context->krb5_context, principal);
66 info1->dns_domain_name = talloc_strdup(mem_ctx, *realm);
67 krb5_free_principal(smb_krb5_context->krb5_context, principal);
69 W_ERROR_HAVE_NO_MEMORY(info1->dns_domain_name);
71 info1->status = DRSUAPI_DS_NAME_STATUS_DOMAIN_ONLY;
75 static enum drsuapi_DsNameStatus LDB_lookup_spn_alias(krb5_context context, struct ldb_context *ldb_ctx,
77 const char *alias_from,
82 struct ldb_result *res;
83 struct ldb_message_element *spnmappings;
85 struct ldb_dn *service_dn;
88 const char *directory_attrs[] = {
93 tmp_ctx = talloc_new(mem_ctx);
95 return DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
98 service_dn = ldb_dn_new(tmp_ctx, ldb_ctx, "CN=Directory Service,CN=Windows NT,CN=Services");
99 if ( ! ldb_dn_add_base(service_dn, samdb_config_dn(ldb_ctx))) {
100 return DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
102 service_dn_str = ldb_dn_alloc_linearized(tmp_ctx, service_dn);
103 if ( ! service_dn_str) {
104 return DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
107 ret = ldb_search(ldb_ctx, service_dn, LDB_SCOPE_BASE, "(objectClass=nTDSService)",
108 directory_attrs, &res);
110 if (ret != LDB_SUCCESS && ret != LDB_ERR_NO_SUCH_OBJECT) {
111 DEBUG(1, ("ldb_search: dn: %s not found: %s", service_dn_str, ldb_errstring(ldb_ctx)));
112 return DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
113 } else if (ret == LDB_ERR_NO_SUCH_OBJECT) {
114 DEBUG(1, ("ldb_search: dn: %s not found", service_dn_str));
115 return DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
116 } else if (res->count != 1) {
118 DEBUG(1, ("ldb_search: dn: %s not found", service_dn_str));
119 return DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
121 talloc_steal(tmp_ctx, res);
123 spnmappings = ldb_msg_find_element(res->msgs[0], "sPNMappings");
124 if (!spnmappings || spnmappings->num_values == 0) {
125 DEBUG(1, ("ldb_search: dn: %s no sPNMappings attribute", service_dn_str));
126 talloc_free(tmp_ctx);
127 return DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
130 for (i = 0; i < spnmappings->num_values; i++) {
131 char *mapping, *p, *str;
132 mapping = talloc_strdup(tmp_ctx,
133 (const char *)spnmappings->values[i].data);
135 DEBUG(1, ("LDB_lookup_spn_alias: ldb_search: dn: %s did not have an sPNMapping\n", service_dn_str));
136 talloc_free(tmp_ctx);
137 return DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
140 /* C string manipulation sucks */
142 p = strchr(mapping, '=');
144 DEBUG(1, ("ldb_search: dn: %s sPNMapping malformed: %s\n",
145 service_dn_str, mapping));
146 talloc_free(tmp_ctx);
147 return DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
158 if (strcasecmp(str, alias_from) == 0) {
160 talloc_steal(mem_ctx, mapping);
161 talloc_free(tmp_ctx);
162 return DRSUAPI_DS_NAME_STATUS_OK;
166 DEBUG(4, ("LDB_lookup_spn_alias: no alias for service %s applicable\n", alias_from));
167 talloc_free(tmp_ctx);
168 return DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
171 /* When cracking a ServicePrincipalName, many services may be served
172 * by the host/ servicePrincipalName. The incoming query is for cifs/
173 * but we translate it here, and search on host/. This is done after
174 * the cifs/ entry has been searched for, making this a fallback */
176 static WERROR DsCrackNameSPNAlias(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
177 struct smb_krb5_context *smb_krb5_context,
178 uint32_t format_flags, uint32_t format_offered, uint32_t format_desired,
179 const char *name, struct drsuapi_DsNameInfo1 *info1)
183 krb5_principal principal;
184 const char *service, *dns_name;
187 enum drsuapi_DsNameStatus namestatus;
189 /* parse principal */
190 ret = krb5_parse_name_flags(smb_krb5_context->krb5_context,
191 name, KRB5_PRINCIPAL_PARSE_NO_REALM, &principal);
193 DEBUG(2, ("Could not parse principal: %s: %s",
194 name, smb_get_krb5_error_message(smb_krb5_context->krb5_context,
199 /* grab cifs/, http/ etc */
201 /* This is checked for in callers, but be safe */
202 if (principal->name.name_string.len < 2) {
203 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
206 service = principal->name.name_string.val[0];
207 dns_name = principal->name.name_string.val[1];
210 namestatus = LDB_lookup_spn_alias(smb_krb5_context->krb5_context,
212 service, &new_service);
214 if (namestatus == DRSUAPI_DS_NAME_STATUS_NOT_FOUND) {
215 info1->status = DRSUAPI_DS_NAME_STATUS_DOMAIN_ONLY;
216 info1->dns_domain_name = talloc_strdup(mem_ctx, dns_name);
217 if (!info1->dns_domain_name) {
218 krb5_free_principal(smb_krb5_context->krb5_context, principal);
222 } else if (namestatus != DRSUAPI_DS_NAME_STATUS_OK) {
223 info1->status = namestatus;
224 krb5_free_principal(smb_krb5_context->krb5_context, principal);
228 /* ooh, very nasty playing around in the Principal... */
229 free(principal->name.name_string.val[0]);
230 principal->name.name_string.val[0] = strdup(new_service);
231 if (!principal->name.name_string.val[0]) {
232 krb5_free_principal(smb_krb5_context->krb5_context, principal);
236 /* reform principal */
237 ret = krb5_unparse_name_flags(smb_krb5_context->krb5_context, principal,
238 KRB5_PRINCIPAL_UNPARSE_NO_REALM, &new_princ);
241 krb5_free_principal(smb_krb5_context->krb5_context, principal);
245 wret = DsCrackNameOneName(sam_ctx, mem_ctx, format_flags, format_offered, format_desired,
248 if (W_ERROR_IS_OK(wret) && (info1->status == DRSUAPI_DS_NAME_STATUS_NOT_FOUND)) {
249 info1->status = DRSUAPI_DS_NAME_STATUS_DOMAIN_ONLY;
250 info1->dns_domain_name = talloc_strdup(mem_ctx, dns_name);
251 if (!info1->dns_domain_name) {
255 krb5_free_principal(smb_krb5_context->krb5_context, principal);
259 /* Subcase of CrackNames, for the userPrincipalName */
261 static WERROR DsCrackNameUPN(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
262 struct smb_krb5_context *smb_krb5_context,
263 uint32_t format_flags, uint32_t format_offered, uint32_t format_desired,
264 const char *name, struct drsuapi_DsNameInfo1 *info1)
268 const char *domain_filter = NULL;
269 const char *result_filter = NULL;
271 krb5_principal principal;
273 char *unparsed_name_short;
274 const char *domain_attrs[] = { NULL };
275 struct ldb_result *domain_res = NULL;
277 /* Prevent recursion */
279 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
283 ret = krb5_parse_name_flags(smb_krb5_context->krb5_context, name,
284 KRB5_PRINCIPAL_PARSE_MUST_REALM, &principal);
286 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
290 realm = krb5_princ_realm(smb_krb5_context->krb5_context, principal);
292 ldb_ret = ldb_search_exp_fmt(sam_ctx, mem_ctx, &domain_res,
293 samdb_partitions_dn(sam_ctx, mem_ctx),
296 "(&(&(|(&(dnsRoot=%s)(nETBIOSName=*))(nETBIOSName=%s))(objectclass=crossRef))(ncName=*))",
297 ldb_binary_encode_string(mem_ctx, *realm),
298 ldb_binary_encode_string(mem_ctx, *realm));
300 if (ldb_ret != LDB_SUCCESS) {
301 DEBUG(2, ("DsCrackNameUPN domain ref search failed: %s", ldb_errstring(sam_ctx)));
302 info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
306 switch (domain_res->count) {
310 return dns_domain_from_principal(mem_ctx, smb_krb5_context,
313 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_UNIQUE;
317 ret = krb5_unparse_name_flags(smb_krb5_context->krb5_context, principal,
318 KRB5_PRINCIPAL_UNPARSE_NO_REALM, &unparsed_name_short);
319 krb5_free_principal(smb_krb5_context->krb5_context, principal);
322 free(unparsed_name_short);
326 /* This may need to be extended for more userPrincipalName variations */
327 result_filter = talloc_asprintf(mem_ctx, "(&(objectClass=user)(samAccountName=%s))",
328 ldb_binary_encode_string(mem_ctx, unparsed_name_short));
330 domain_filter = talloc_asprintf(mem_ctx, "(dn=%s)", ldb_dn_get_linearized(domain_res->msgs[0]->dn));
332 if (!result_filter || !domain_filter) {
333 free(unparsed_name_short);
336 status = DsCrackNameOneFilter(sam_ctx, mem_ctx,
338 format_flags, format_offered, format_desired,
339 NULL, unparsed_name_short, domain_filter, result_filter,
341 free(unparsed_name_short);
346 /* Crack a single 'name', from format_offered into format_desired, returning the result in info1 */
348 WERROR DsCrackNameOneName(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
349 uint32_t format_flags, uint32_t format_offered, uint32_t format_desired,
350 const char *name, struct drsuapi_DsNameInfo1 *info1)
353 const char *domain_filter = NULL;
354 const char *result_filter = NULL;
355 struct ldb_dn *name_dn = NULL;
357 struct smb_krb5_context *smb_krb5_context;
358 ret = smb_krb5_init_context(mem_ctx,
359 (struct event_context *)ldb_get_opaque(sam_ctx, "EventContext"),
366 info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
367 info1->dns_domain_name = NULL;
368 info1->result_name = NULL;
371 return WERR_INVALID_PARAM;
374 /* TODO: - fill the correct names in all cases!
375 * - handle format_flags
378 /* here we need to set the domain_filter and/or the result_filter */
379 switch (format_offered) {
380 case DRSUAPI_DS_NAME_FORMAT_CANONICAL:
381 case DRSUAPI_DS_NAME_FORMAT_CANONICAL_EX:
383 char *str, *s, *account;
385 if (strlen(name) == 0) {
386 info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
390 str = talloc_strdup(mem_ctx, name);
391 W_ERROR_HAVE_NO_MEMORY(str);
393 if (format_offered == DRSUAPI_DS_NAME_FORMAT_CANONICAL_EX) {
394 /* Look backwards for the \n, and replace it with / */
395 s = strrchr(str, '\n');
397 info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
403 s = strchr(str, '/');
405 /* there must be at least one / */
406 info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
413 domain_filter = talloc_asprintf(mem_ctx, "(&(objectClass=crossRef)(ncName=%s))",
414 ldb_dn_get_linearized(samdb_dns_domain_to_dn(sam_ctx, mem_ctx, str)));
415 W_ERROR_HAVE_NO_MEMORY(domain_filter);
417 /* There may not be anything after the domain component (search for the domain itself) */
420 account = strrchr(s, '/');
426 account = ldb_binary_encode_string(mem_ctx, account);
427 W_ERROR_HAVE_NO_MEMORY(account);
428 result_filter = talloc_asprintf(mem_ctx, "(name=%s)",
430 W_ERROR_HAVE_NO_MEMORY(result_filter);
434 case DRSUAPI_DS_NAME_FORMAT_NT4_ACCOUNT: {
437 const char *account = NULL;
439 domain = talloc_strdup(mem_ctx, name);
440 W_ERROR_HAVE_NO_MEMORY(domain);
442 p = strchr(domain, '\\');
444 /* invalid input format */
445 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
454 domain_filter = talloc_asprintf(mem_ctx,
455 "(&(&(nETBIOSName=%s)(objectclass=crossRef))(ncName=*))",
456 ldb_binary_encode_string(mem_ctx, domain));
457 W_ERROR_HAVE_NO_MEMORY(domain_filter);
459 result_filter = talloc_asprintf(mem_ctx, "(sAMAccountName=%s)",
460 ldb_binary_encode_string(mem_ctx, account));
461 W_ERROR_HAVE_NO_MEMORY(result_filter);
468 /* A LDAP DN as a string */
469 case DRSUAPI_DS_NAME_FORMAT_FQDN_1779: {
470 domain_filter = NULL;
471 name_dn = ldb_dn_new(mem_ctx, sam_ctx, name);
472 if (! ldb_dn_validate(name_dn)) {
473 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
479 /* A GUID as a string */
480 case DRSUAPI_DS_NAME_FORMAT_GUID: {
484 domain_filter = NULL;
486 nt_status = GUID_from_string(name, &guid);
487 if (!NT_STATUS_IS_OK(nt_status)) {
488 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
492 ldap_guid = ldap_encode_ndr_GUID(mem_ctx, &guid);
496 result_filter = talloc_asprintf(mem_ctx, "(objectGUID=%s)",
498 W_ERROR_HAVE_NO_MEMORY(result_filter);
501 case DRSUAPI_DS_NAME_FORMAT_DISPLAY: {
502 domain_filter = NULL;
504 result_filter = talloc_asprintf(mem_ctx, "(|(displayName=%s)(samAccountName=%s))",
505 ldb_binary_encode_string(mem_ctx, name),
506 ldb_binary_encode_string(mem_ctx, name));
507 W_ERROR_HAVE_NO_MEMORY(result_filter);
511 /* A S-1234-5678 style string */
512 case DRSUAPI_DS_NAME_FORMAT_SID_OR_SID_HISTORY: {
513 struct dom_sid *sid = dom_sid_parse_talloc(mem_ctx, name);
516 domain_filter = NULL;
518 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
521 ldap_sid = ldap_encode_ndr_dom_sid(mem_ctx,
526 result_filter = talloc_asprintf(mem_ctx, "(objectSid=%s)",
528 W_ERROR_HAVE_NO_MEMORY(result_filter);
531 case DRSUAPI_DS_NAME_FORMAT_USER_PRINCIPAL: {
532 krb5_principal principal;
534 ret = krb5_parse_name(smb_krb5_context->krb5_context, name, &principal);
536 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
540 domain_filter = NULL;
542 ret = krb5_unparse_name(smb_krb5_context->krb5_context, principal, &unparsed_name);
544 krb5_free_principal(smb_krb5_context->krb5_context, principal);
548 krb5_free_principal(smb_krb5_context->krb5_context, principal);
549 result_filter = talloc_asprintf(mem_ctx, "(&(objectClass=user)(userPrincipalName=%s))",
550 ldb_binary_encode_string(mem_ctx, unparsed_name));
553 W_ERROR_HAVE_NO_MEMORY(result_filter);
556 case DRSUAPI_DS_NAME_FORMAT_SERVICE_PRINCIPAL: {
557 krb5_principal principal;
558 char *unparsed_name_short;
560 ret = krb5_parse_name(smb_krb5_context->krb5_context, name, &principal);
561 if (ret == 0 && principal->name.name_string.len < 2) {
562 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
563 krb5_free_principal(smb_krb5_context->krb5_context, principal);
566 ret = krb5_parse_name_flags(smb_krb5_context->krb5_context, name,
567 KRB5_PRINCIPAL_PARSE_NO_REALM, &principal);
569 krb5_free_principal(smb_krb5_context->krb5_context, principal);
571 return dns_domain_from_principal(mem_ctx, smb_krb5_context,
575 domain_filter = NULL;
577 ret = krb5_unparse_name_flags(smb_krb5_context->krb5_context, principal,
578 KRB5_PRINCIPAL_UNPARSE_NO_REALM, &unparsed_name_short);
580 krb5_free_principal(smb_krb5_context->krb5_context, principal);
584 service = principal->name.name_string.val[0];
585 if ((principal->name.name_string.len == 2) && (strcasecmp(service, "host") == 0)) {
586 /* the 'cn' attribute is just the leading part of the name */
588 computer_name = talloc_strndup(mem_ctx, principal->name.name_string.val[1],
589 strcspn(principal->name.name_string.val[1], "."));
590 if (computer_name == NULL) {
594 result_filter = talloc_asprintf(mem_ctx, "(|(&(servicePrincipalName=%s)(objectClass=user))(&(cn=%s)(objectClass=computer)))",
595 ldb_binary_encode_string(mem_ctx, unparsed_name_short),
596 ldb_binary_encode_string(mem_ctx, computer_name));
598 result_filter = talloc_asprintf(mem_ctx, "(&(servicePrincipalName=%s)(objectClass=user))",
599 ldb_binary_encode_string(mem_ctx, unparsed_name_short));
601 krb5_free_principal(smb_krb5_context->krb5_context, principal);
602 free(unparsed_name_short);
603 W_ERROR_HAVE_NO_MEMORY(result_filter);
608 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
614 if (format_flags & DRSUAPI_DS_NAME_FLAG_SYNTACTICAL_ONLY) {
615 return DsCrackNameOneSyntactical(mem_ctx, format_offered, format_desired,
616 name_dn, name, info1);
619 return DsCrackNameOneFilter(sam_ctx, mem_ctx,
621 format_flags, format_offered, format_desired,
623 domain_filter, result_filter,
627 /* Subcase of CrackNames. It is possible to translate a LDAP-style DN
628 * (FQDN_1779) into a canoical name without actually searching the
631 static WERROR DsCrackNameOneSyntactical(TALLOC_CTX *mem_ctx,
632 uint32_t format_offered, uint32_t format_desired,
633 struct ldb_dn *name_dn, const char *name,
634 struct drsuapi_DsNameInfo1 *info1)
637 if (format_offered != DRSUAPI_DS_NAME_FORMAT_FQDN_1779) {
638 info1->status = DRSUAPI_DS_NAME_STATUS_NO_SYNTACTICAL_MAPPING;
642 switch (format_desired) {
643 case DRSUAPI_DS_NAME_FORMAT_CANONICAL:
644 cracked = ldb_dn_canonical_string(mem_ctx, name_dn);
646 case DRSUAPI_DS_NAME_FORMAT_CANONICAL_EX:
647 cracked = ldb_dn_canonical_ex_string(mem_ctx, name_dn);
650 info1->status = DRSUAPI_DS_NAME_STATUS_NO_SYNTACTICAL_MAPPING;
653 info1->status = DRSUAPI_DS_NAME_STATUS_OK;
654 info1->result_name = cracked;
662 /* Given a filter for the domain, and one for the result, perform the
663 * ldb search. The format offered and desired flags change the
664 * behaviours, including what attributes to return.
666 * The smb_krb5_context is required because we use the krb5 libs for principal parsing
669 static WERROR DsCrackNameOneFilter(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
670 struct smb_krb5_context *smb_krb5_context,
671 uint32_t format_flags, uint32_t format_offered, uint32_t format_desired,
672 struct ldb_dn *name_dn, const char *name,
673 const char *domain_filter, const char *result_filter,
674 struct drsuapi_DsNameInfo1 *info1)
677 struct ldb_result *domain_res = NULL;
678 const char * const *domain_attrs;
679 const char * const *result_attrs;
680 struct ldb_message **result_res = NULL;
681 struct ldb_message *result = NULL;
682 struct ldb_dn *result_basedn = NULL;
685 struct ldb_dn *partitions_basedn = samdb_partitions_dn(sam_ctx, mem_ctx);
687 const char * const _domain_attrs_1779[] = { "ncName", "dnsRoot", NULL};
688 const char * const _result_attrs_null[] = { NULL };
690 const char * const _domain_attrs_canonical[] = { "ncName", "dnsRoot", NULL};
691 const char * const _result_attrs_canonical[] = { "canonicalName", NULL };
693 const char * const _domain_attrs_nt4[] = { "ncName", "dnsRoot", "nETBIOSName", NULL};
694 const char * const _result_attrs_nt4[] = { "sAMAccountName", "objectSid", "objectClass", NULL};
696 const char * const _domain_attrs_guid[] = { "ncName", "dnsRoot", NULL};
697 const char * const _result_attrs_guid[] = { "objectGUID", NULL};
699 const char * const _domain_attrs_display[] = { "ncName", "dnsRoot", NULL};
700 const char * const _result_attrs_display[] = { "displayName", "samAccountName", NULL};
702 const char * const _domain_attrs_none[] = { "ncName", "dnsRoot" , NULL};
703 const char * const _result_attrs_none[] = { NULL};
705 /* here we need to set the attrs lists for domain and result lookups */
706 switch (format_desired) {
707 case DRSUAPI_DS_NAME_FORMAT_FQDN_1779:
708 case DRSUAPI_DS_NAME_FORMAT_CANONICAL_EX:
709 domain_attrs = _domain_attrs_1779;
710 result_attrs = _result_attrs_null;
712 case DRSUAPI_DS_NAME_FORMAT_CANONICAL:
713 domain_attrs = _domain_attrs_canonical;
714 result_attrs = _result_attrs_canonical;
716 case DRSUAPI_DS_NAME_FORMAT_NT4_ACCOUNT:
717 domain_attrs = _domain_attrs_nt4;
718 result_attrs = _result_attrs_nt4;
720 case DRSUAPI_DS_NAME_FORMAT_GUID:
721 domain_attrs = _domain_attrs_guid;
722 result_attrs = _result_attrs_guid;
724 case DRSUAPI_DS_NAME_FORMAT_DISPLAY:
725 domain_attrs = _domain_attrs_display;
726 result_attrs = _result_attrs_display;
729 domain_attrs = _domain_attrs_none;
730 result_attrs = _result_attrs_none;
735 /* if we have a domain_filter look it up and set the result_basedn and the dns_domain_name */
736 ldb_ret = ldb_search_exp_fmt(sam_ctx, mem_ctx, &domain_res,
740 "%s", domain_filter);
742 if (ldb_ret != LDB_SUCCESS) {
743 DEBUG(2, ("DsCrackNameOneFilter domain ref search failed: %s", ldb_errstring(sam_ctx)));
744 info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
748 switch (domain_res->count) {
752 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
755 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_UNIQUE;
759 info1->dns_domain_name = samdb_result_string(domain_res->msgs[0], "dnsRoot", NULL);
760 W_ERROR_HAVE_NO_MEMORY(info1->dns_domain_name);
761 info1->status = DRSUAPI_DS_NAME_STATUS_DOMAIN_ONLY;
763 info1->dns_domain_name = NULL;
764 info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
769 struct ldb_result *res;
771 result_basedn = samdb_result_dn(sam_ctx, mem_ctx, domain_res->msgs[0], "ncName", NULL);
773 ret = ldb_search_exp_fmt(sam_ctx, mem_ctx, &res,
774 result_basedn, LDB_SCOPE_SUBTREE,
775 result_attrs, "%s", result_filter);
776 if (ret != LDB_SUCCESS) {
777 talloc_free(result_res);
778 info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
781 ldb_ret = res->count;
782 result_res = res->msgs;
784 /* search with the 'phantom root' flag */
785 struct ldb_request *req;
787 res = talloc_zero(mem_ctx, struct ldb_result);
788 W_ERROR_HAVE_NO_MEMORY(res);
790 ret = ldb_build_search_req(&req, sam_ctx, mem_ctx,
791 ldb_get_root_basedn(sam_ctx),
797 ldb_search_default_callback);
798 if (ret == LDB_SUCCESS) {
799 struct ldb_search_options_control *search_options;
800 search_options = talloc(req, struct ldb_search_options_control);
801 W_ERROR_HAVE_NO_MEMORY(search_options);
802 search_options->search_options = LDB_SEARCH_OPTION_PHANTOM_ROOT;
804 ret = ldb_request_add_control(req, LDB_CONTROL_SEARCH_OPTIONS_OID, false, search_options);
806 if (ret != LDB_SUCCESS) {
808 info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
812 ldb_set_timeout(sam_ctx, req, 0); /* use default timeout */
814 ret = ldb_request(sam_ctx, req);
816 if (ret == LDB_SUCCESS) {
817 ret = ldb_wait(req->handle, LDB_WAIT_ALL);
822 if (ret != LDB_SUCCESS) {
823 DEBUG(2, ("DsCrackNameOneFilter phantom root search failed: %s",
824 ldb_errstring(sam_ctx)));
825 info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
828 ldb_ret = res->count;
829 result_res = res->msgs;
831 } else if (format_offered == DRSUAPI_DS_NAME_FORMAT_FQDN_1779) {
832 ldb_ret = gendb_search_dn(sam_ctx, mem_ctx, name_dn, &result_res,
834 } else if (domain_res) {
835 name_dn = samdb_result_dn(sam_ctx, mem_ctx, domain_res->msgs[0], "ncName", NULL);
836 ldb_ret = gendb_search_dn(sam_ctx, mem_ctx, name_dn, &result_res,
840 DEBUG(0, ("LOGIC ERROR: DsCrackNameOneFilter domain ref search not availible: This can't happen..."));
841 info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
847 result = result_res[0];
850 switch (format_offered) {
851 case DRSUAPI_DS_NAME_FORMAT_SERVICE_PRINCIPAL:
852 return DsCrackNameSPNAlias(sam_ctx, mem_ctx,
854 format_flags, format_offered, format_desired,
857 case DRSUAPI_DS_NAME_FORMAT_USER_PRINCIPAL:
858 return DsCrackNameUPN(sam_ctx, mem_ctx, smb_krb5_context,
859 format_flags, format_offered, format_desired,
862 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
865 DEBUG(2, ("DsCrackNameOneFilter result search failed: %s", ldb_errstring(sam_ctx)));
866 info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
869 switch (format_offered) {
870 case DRSUAPI_DS_NAME_FORMAT_CANONICAL:
871 case DRSUAPI_DS_NAME_FORMAT_CANONICAL_EX:
873 const char *canonical_name = NULL; /* Not required, but we get warnings... */
874 /* We may need to manually filter further */
875 for (i = 0; i < ldb_ret; i++) {
876 switch (format_offered) {
877 case DRSUAPI_DS_NAME_FORMAT_CANONICAL:
878 canonical_name = ldb_dn_canonical_string(mem_ctx, result_res[i]->dn);
880 case DRSUAPI_DS_NAME_FORMAT_CANONICAL_EX:
881 canonical_name = ldb_dn_canonical_ex_string(mem_ctx, result_res[i]->dn);
884 if (strcasecmp_m(canonical_name, name) == 0) {
885 result = result_res[i];
890 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
895 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_UNIQUE;
900 info1->dns_domain_name = ldb_dn_canonical_string(mem_ctx, result->dn);
901 W_ERROR_HAVE_NO_MEMORY(info1->dns_domain_name);
902 p = strchr(info1->dns_domain_name, '/');
907 /* here we can use result and domain_res[0] */
908 switch (format_desired) {
909 case DRSUAPI_DS_NAME_FORMAT_FQDN_1779: {
910 info1->result_name = ldb_dn_alloc_linearized(mem_ctx, result->dn);
911 W_ERROR_HAVE_NO_MEMORY(info1->result_name);
913 info1->status = DRSUAPI_DS_NAME_STATUS_OK;
916 case DRSUAPI_DS_NAME_FORMAT_CANONICAL: {
917 info1->result_name = samdb_result_string(result, "canonicalName", NULL);
918 info1->status = DRSUAPI_DS_NAME_STATUS_OK;
921 case DRSUAPI_DS_NAME_FORMAT_CANONICAL_EX: {
922 /* Not in the virtual ldb attribute */
923 return DsCrackNameOneSyntactical(mem_ctx,
924 DRSUAPI_DS_NAME_FORMAT_FQDN_1779,
925 DRSUAPI_DS_NAME_FORMAT_CANONICAL_EX,
926 result->dn, name, info1);
928 case DRSUAPI_DS_NAME_FORMAT_NT4_ACCOUNT: {
930 const struct dom_sid *sid = samdb_result_dom_sid(mem_ctx, result, "objectSid");
931 const char *_acc = "", *_dom = "";
933 if (samdb_find_attribute(sam_ctx, result, "objectClass", "domain")) {
935 ldb_ret = ldb_search_exp_fmt(sam_ctx, mem_ctx, &domain_res,
939 "(ncName=%s)", ldb_dn_get_linearized(result->dn));
941 if (ldb_ret != LDB_SUCCESS) {
942 DEBUG(2, ("DsCrackNameOneFilter domain ref search failed: %s", ldb_errstring(sam_ctx)));
943 info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
947 switch (domain_res->count) {
951 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
954 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_UNIQUE;
957 _dom = samdb_result_string(domain_res->msgs[0], "nETBIOSName", NULL);
958 W_ERROR_HAVE_NO_MEMORY(_dom);
960 _acc = samdb_result_string(result, "sAMAccountName", NULL);
962 info1->status = DRSUAPI_DS_NAME_STATUS_NO_MAPPING;
965 if (dom_sid_in_domain(dom_sid_parse_talloc(mem_ctx, SID_BUILTIN), sid)) {
968 const char *attrs[] = { NULL };
969 struct ldb_result *domain_res2;
970 struct dom_sid *dom_sid = dom_sid_dup(mem_ctx, sid);
974 dom_sid->num_auths--;
975 ldb_ret = ldb_search_exp_fmt(sam_ctx, mem_ctx, &domain_res,
979 "(&(objectSid=%s)(objectClass=domain))",
980 ldap_encode_ndr_dom_sid(mem_ctx, dom_sid));
982 if (ldb_ret != LDB_SUCCESS) {
983 DEBUG(2, ("DsCrackNameOneFilter domain search failed: %s", ldb_errstring(sam_ctx)));
984 info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
988 switch (domain_res->count) {
992 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
995 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_UNIQUE;
999 ldb_ret = ldb_search_exp_fmt(sam_ctx, mem_ctx, &domain_res2,
1003 "(ncName=%s)", ldb_dn_get_linearized(domain_res->msgs[0]->dn));
1005 if (ldb_ret != LDB_SUCCESS) {
1006 DEBUG(2, ("DsCrackNameOneFilter domain ref search failed: %s", ldb_errstring(sam_ctx)));
1007 info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
1011 switch (domain_res2->count) {
1015 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
1018 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_UNIQUE;
1021 _dom = samdb_result_string(domain_res2->msgs[0], "nETBIOSName", NULL);
1022 W_ERROR_HAVE_NO_MEMORY(_dom);
1026 info1->result_name = talloc_asprintf(mem_ctx, "%s\\%s", _dom, _acc);
1027 W_ERROR_HAVE_NO_MEMORY(info1->result_name);
1029 info1->status = DRSUAPI_DS_NAME_STATUS_OK;
1032 case DRSUAPI_DS_NAME_FORMAT_GUID: {
1035 guid = samdb_result_guid(result, "objectGUID");
1037 info1->result_name = GUID_string2(mem_ctx, &guid);
1038 W_ERROR_HAVE_NO_MEMORY(info1->result_name);
1040 info1->status = DRSUAPI_DS_NAME_STATUS_OK;
1043 case DRSUAPI_DS_NAME_FORMAT_DISPLAY: {
1044 info1->result_name = samdb_result_string(result, "displayName", NULL);
1045 if (!info1->result_name) {
1046 info1->result_name = samdb_result_string(result, "sAMAccountName", NULL);
1048 if (!info1->result_name) {
1049 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
1051 info1->status = DRSUAPI_DS_NAME_STATUS_OK;
1055 case DRSUAPI_DS_NAME_FORMAT_SERVICE_PRINCIPAL: {
1056 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_UNIQUE;
1059 case DRSUAPI_DS_NAME_FORMAT_DNS_DOMAIN:
1060 case DRSUAPI_DS_NAME_FORMAT_SID_OR_SID_HISTORY: {
1061 info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
1065 info1->status = DRSUAPI_DS_NAME_STATUS_NO_MAPPING;
1070 /* Given a user Principal Name (such as foo@bar.com),
1071 * return the user and domain DNs. This is used in the KDC to then
1072 * return the Keys and evaluate policy */
1074 NTSTATUS crack_user_principal_name(struct ldb_context *sam_ctx,
1075 TALLOC_CTX *mem_ctx,
1076 const char *user_principal_name,
1077 struct ldb_dn **user_dn,
1078 struct ldb_dn **domain_dn)
1081 struct drsuapi_DsNameInfo1 info1;
1082 werr = DsCrackNameOneName(sam_ctx, mem_ctx, 0,
1083 DRSUAPI_DS_NAME_FORMAT_USER_PRINCIPAL,
1084 DRSUAPI_DS_NAME_FORMAT_FQDN_1779,
1085 user_principal_name,
1087 if (!W_ERROR_IS_OK(werr)) {
1088 return werror_to_ntstatus(werr);
1090 switch (info1.status) {
1091 case DRSUAPI_DS_NAME_STATUS_OK:
1093 case DRSUAPI_DS_NAME_STATUS_NOT_FOUND:
1094 case DRSUAPI_DS_NAME_STATUS_DOMAIN_ONLY:
1095 case DRSUAPI_DS_NAME_STATUS_NOT_UNIQUE:
1096 return NT_STATUS_NO_SUCH_USER;
1097 case DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR:
1099 return NT_STATUS_UNSUCCESSFUL;
1102 *user_dn = ldb_dn_new(mem_ctx, sam_ctx, info1.result_name);
1105 werr = DsCrackNameOneName(sam_ctx, mem_ctx, 0,
1106 DRSUAPI_DS_NAME_FORMAT_CANONICAL,
1107 DRSUAPI_DS_NAME_FORMAT_FQDN_1779,
1108 talloc_asprintf(mem_ctx, "%s/",
1109 info1.dns_domain_name),
1111 if (!W_ERROR_IS_OK(werr)) {
1112 return werror_to_ntstatus(werr);
1114 switch (info1.status) {
1115 case DRSUAPI_DS_NAME_STATUS_OK:
1117 case DRSUAPI_DS_NAME_STATUS_NOT_FOUND:
1118 case DRSUAPI_DS_NAME_STATUS_DOMAIN_ONLY:
1119 case DRSUAPI_DS_NAME_STATUS_NOT_UNIQUE:
1120 return NT_STATUS_NO_SUCH_USER;
1121 case DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR:
1123 return NT_STATUS_UNSUCCESSFUL;
1126 *domain_dn = ldb_dn_new(mem_ctx, sam_ctx, info1.result_name);
1129 return NT_STATUS_OK;
1133 /* Given a Service Principal Name (such as host/foo.bar.com@BAR.COM),
1134 * return the user and domain DNs. This is used in the KDC to then
1135 * return the Keys and evaluate policy */
1137 NTSTATUS crack_service_principal_name(struct ldb_context *sam_ctx,
1138 TALLOC_CTX *mem_ctx,
1139 const char *service_principal_name,
1140 struct ldb_dn **user_dn,
1141 struct ldb_dn **domain_dn)
1144 struct drsuapi_DsNameInfo1 info1;
1145 werr = DsCrackNameOneName(sam_ctx, mem_ctx, 0,
1146 DRSUAPI_DS_NAME_FORMAT_SERVICE_PRINCIPAL,
1147 DRSUAPI_DS_NAME_FORMAT_FQDN_1779,
1148 service_principal_name,
1150 if (!W_ERROR_IS_OK(werr)) {
1151 return werror_to_ntstatus(werr);
1153 switch (info1.status) {
1154 case DRSUAPI_DS_NAME_STATUS_OK:
1156 case DRSUAPI_DS_NAME_STATUS_NOT_FOUND:
1157 case DRSUAPI_DS_NAME_STATUS_DOMAIN_ONLY:
1158 case DRSUAPI_DS_NAME_STATUS_NOT_UNIQUE:
1159 return NT_STATUS_NO_SUCH_USER;
1160 case DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR:
1162 return NT_STATUS_UNSUCCESSFUL;
1165 *user_dn = ldb_dn_new(mem_ctx, sam_ctx, info1.result_name);
1168 werr = DsCrackNameOneName(sam_ctx, mem_ctx, 0,
1169 DRSUAPI_DS_NAME_FORMAT_CANONICAL,
1170 DRSUAPI_DS_NAME_FORMAT_FQDN_1779,
1171 talloc_asprintf(mem_ctx, "%s/",
1172 info1.dns_domain_name),
1174 if (!W_ERROR_IS_OK(werr)) {
1175 return werror_to_ntstatus(werr);
1177 switch (info1.status) {
1178 case DRSUAPI_DS_NAME_STATUS_OK:
1180 case DRSUAPI_DS_NAME_STATUS_NOT_FOUND:
1181 case DRSUAPI_DS_NAME_STATUS_DOMAIN_ONLY:
1182 case DRSUAPI_DS_NAME_STATUS_NOT_UNIQUE:
1183 return NT_STATUS_NO_SUCH_USER;
1184 case DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR:
1186 return NT_STATUS_UNSUCCESSFUL;
1189 *domain_dn = ldb_dn_new(mem_ctx, sam_ctx, info1.result_name);
1192 return NT_STATUS_OK;
1196 NTSTATUS crack_name_to_nt4_name(TALLOC_CTX *mem_ctx,
1197 uint32_t format_offered,
1199 const char **nt4_domain, const char **nt4_account)
1202 struct drsuapi_DsNameInfo1 info1;
1203 struct ldb_context *ldb;
1206 /* Handle anonymous bind */
1207 if (!name || !*name) {
1210 return NT_STATUS_OK;
1213 ldb = samdb_connect(mem_ctx, system_session(mem_ctx));
1215 return NT_STATUS_INTERNAL_DB_CORRUPTION;
1218 werr = DsCrackNameOneName(ldb, mem_ctx, 0,
1220 DRSUAPI_DS_NAME_FORMAT_NT4_ACCOUNT,
1223 if (!W_ERROR_IS_OK(werr)) {
1224 return werror_to_ntstatus(werr);
1226 switch (info1.status) {
1227 case DRSUAPI_DS_NAME_STATUS_OK:
1229 case DRSUAPI_DS_NAME_STATUS_NOT_FOUND:
1230 case DRSUAPI_DS_NAME_STATUS_DOMAIN_ONLY:
1231 case DRSUAPI_DS_NAME_STATUS_NOT_UNIQUE:
1232 return NT_STATUS_NO_SUCH_USER;
1233 case DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR:
1235 return NT_STATUS_UNSUCCESSFUL;
1238 *nt4_domain = talloc_strdup(mem_ctx, info1.result_name);
1240 p = strchr(*nt4_domain, '\\');
1242 return NT_STATUS_INVALID_PARAMETER;
1247 *nt4_account = talloc_strdup(mem_ctx, &p[1]);
1250 if (!*nt4_account || !*nt4_domain) {
1251 return NT_STATUS_NO_MEMORY;
1254 return NT_STATUS_OK;
1257 NTSTATUS crack_auto_name_to_nt4_name(TALLOC_CTX *mem_ctx,
1259 const char **nt4_domain,
1260 const char **nt4_account)
1262 uint32_t format_offered = DRSUAPI_DS_NAME_FORMAT_UKNOWN;
1264 /* Handle anonymous bind */
1265 if (!name || !*name) {
1268 return NT_STATUS_OK;
1271 if (strchr_m(name, '=')) {
1272 format_offered = DRSUAPI_DS_NAME_FORMAT_FQDN_1779;
1273 } else if (strchr_m(name, '@')) {
1274 format_offered = DRSUAPI_DS_NAME_FORMAT_USER_PRINCIPAL;
1275 } else if (strchr_m(name, '\\')) {
1276 format_offered = DRSUAPI_DS_NAME_FORMAT_NT4_ACCOUNT;
1277 } else if (strchr_m(name, '/')) {
1278 format_offered = DRSUAPI_DS_NAME_FORMAT_CANONICAL;
1281 return crack_name_to_nt4_name(mem_ctx, format_offered, name, nt4_domain, nt4_account);