#include "includes.h"
#include "winbindd.h"
-#include "../librpc/gen_ndr/cli_netlogon.h"
+#include "winbindd_ads.h"
+#include "libsmb/namequery.h"
+#include "rpc_client/rpc_client.h"
+#include "../librpc/gen_ndr/ndr_netlogon_c.h"
#include "../libds/common/flags.h"
#include "ads.h"
-#include "secrets.h"
+#include "../libcli/ldap/ldap_ndr.h"
+#include "../libcli/security/security.h"
+#include "../libds/common/flag_mapping.h"
+#include "libsmb/samlogon_cache.h"
+#include "passdb.h"
#ifdef HAVE_ADS
#define DBGC_CLASS DBGC_WINBIND
extern struct winbindd_methods reconnect_methods;
+extern struct winbindd_methods msrpc_methods;
-/*
- return our ads connections structure for a domain. We keep the connection
- open to make things faster
-*/
-static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain)
-{
- ADS_STRUCT *ads;
- ADS_STATUS status;
- fstring dc_name;
- struct sockaddr_storage dc_ss;
+#define WINBIND_CCACHE_NAME "MEMORY:winbind_ccache"
- DEBUG(10,("ads_cached_connection\n"));
+/**
+ * Check if cached connection can be reused. If the connection cannot
+ * be reused the ADS_STRUCT is freed and the pointer is set to NULL.
+ */
+static void ads_cached_connection_reuse(ADS_STRUCT **adsp)
+{
- if (domain->private_data) {
+ ADS_STRUCT *ads = *adsp;
+ if (ads != NULL) {
time_t expire;
time_t now = time(NULL);
- /* check for a valid structure */
- ads = (ADS_STRUCT *)domain->private_data;
-
expire = MIN(ads->auth.tgt_expire, ads->auth.tgs_expire);
- DEBUG(7, ("Current tickets expire in %d seconds (at %d, time is now %d)\n",
- (uint32)expire-(uint32)now, (uint32) expire, (uint32) now));
+ DEBUG(7, ("Current tickets expire in %d seconds (at %d, time "
+ "is now %d)\n", (uint32_t)expire - (uint32_t)now,
+ (uint32_t) expire, (uint32_t) now));
if ( ads->config.realm && (expire > now)) {
- return ads;
+ return;
} else {
/* we own this ADS_STRUCT so make sure it goes away */
DEBUG(7,("Deleting expired krb5 credential cache\n"));
ads->is_mine = True;
ads_destroy( &ads );
- ads_kdestroy("MEMORY:winbind_ccache");
- domain->private_data = NULL;
+ ads_kdestroy(WINBIND_CCACHE_NAME);
+ *adsp = NULL;
}
}
+}
+
+/**
+ * @brief Establish a connection to a DC
+ *
+ * @param[out] adsp ADS_STRUCT that will be created
+ * @param[in] target_realm Realm of domain to connect to
+ * @param[in] target_dom_name 'workgroup' name of domain to connect to
+ * @param[in] ldap_server DNS name of server to connect to
+ * @param[in] password Our machine acount secret
+ * @param[in] auth_realm Realm of local domain for creating krb token
+ * @param[in] renewable Renewable ticket time
+ *
+ * @return ADS_STATUS
+ */
+static ADS_STATUS ads_cached_connection_connect(ADS_STRUCT **adsp,
+ const char *target_realm,
+ const char *target_dom_name,
+ const char *ldap_server,
+ char *password,
+ char *auth_realm,
+ time_t renewable)
+{
+ ADS_STRUCT *ads;
+ ADS_STATUS status;
+ struct sockaddr_storage dc_ss;
+ fstring dc_name;
+
+ if (auth_realm == NULL) {
+ return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
+ }
/* we don't want this to affect the users ccache */
- setenv("KRB5CCNAME", "MEMORY:winbind_ccache", 1);
+ setenv("KRB5CCNAME", WINBIND_CCACHE_NAME, 1);
- ads = ads_init(domain->alt_name, domain->name, NULL);
+ ads = ads_init(target_realm, target_dom_name, ldap_server);
if (!ads) {
- DEBUG(1,("ads_init for domain %s failed\n", domain->name));
+ DEBUG(1,("ads_init for domain %s failed\n", target_dom_name));
+ return ADS_ERROR(LDAP_NO_MEMORY);
+ }
+
+ SAFE_FREE(ads->auth._password);
+ SAFE_FREE(ads->auth._realm);
+
+ ads->auth._renewable = renewable;
+ ads->auth._password = password;
+
+ ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
+
+ ads->auth._realm = SMB_STRDUP(auth_realm);
+ if (!strupper_m(ads->auth._realm)) {
+ ads_destroy(&ads);
+ return ADS_ERROR_NT(NT_STATUS_INTERNAL_ERROR);
+ }
+
+ /* Setup the server affinity cache. We don't reaally care
+ about the name. Just setup affinity and the KRB5_CONFIG
+ file. */
+ get_dc_name(ads->server.workgroup, ads->server.realm, dc_name, &dc_ss);
+
+ status = ads_connect(ads);
+ if (!ADS_ERR_OK(status)) {
+ DEBUG(1,("ads_connect for domain %s failed: %s\n",
+ target_dom_name, ads_errstr(status)));
+ ads_destroy(&ads);
+ return status;
+ }
+
+ /* set the flag that says we don't own the memory even
+ though we do so that ads_destroy() won't destroy the
+ structure we pass back by reference */
+
+ ads->is_mine = False;
+
+ *adsp = ads;
+
+ return status;
+}
+
+ADS_STATUS ads_idmap_cached_connection(ADS_STRUCT **adsp, const char *dom_name)
+{
+ char *ldap_server, *realm, *password;
+ struct winbindd_domain *wb_dom;
+ ADS_STATUS status;
+
+ if (IS_AD_DC) {
+ /*
+ * Make sure we never try to use LDAP against
+ * a trusted domain as AD DC.
+ */
+ return ADS_ERROR_NT(NT_STATUS_REQUEST_NOT_ACCEPTED);
+ }
+
+ ads_cached_connection_reuse(adsp);
+ if (*adsp != NULL) {
+ return ADS_SUCCESS;
+ }
+
+ /*
+ * At this point we only have the NetBIOS domain name.
+ * Check if we can get server nam and realm from SAF cache
+ * and the domain list.
+ */
+ ldap_server = saf_fetch(talloc_tos(), dom_name);
+ DEBUG(10, ("ldap_server from saf cache: '%s'\n",
+ ldap_server ? ldap_server : ""));
+
+ wb_dom = find_domain_from_name(dom_name);
+ if (wb_dom == NULL) {
+ DEBUG(10, ("could not find domain '%s'\n", dom_name));
+ return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
+ }
+
+ DEBUG(10, ("find_domain_from_name found realm '%s' for "
+ " domain '%s'\n", wb_dom->alt_name, dom_name));
+
+ if (!get_trust_pw_clear(dom_name, &password, NULL, NULL)) {
+ TALLOC_FREE(ldap_server);
+ return ADS_ERROR_NT(NT_STATUS_CANT_ACCESS_DOMAIN_INFO);
+ }
+
+ if (IS_DC) {
+ SMB_ASSERT(wb_dom->alt_name != NULL);
+ realm = SMB_STRDUP(wb_dom->alt_name);
+ } else {
+ struct winbindd_domain *our_domain = wb_dom;
+
+ /* always give preference to the alt_name in our
+ primary domain if possible */
+
+ if (!wb_dom->primary) {
+ our_domain = find_our_domain();
+ }
+
+ if (our_domain->alt_name != NULL) {
+ realm = SMB_STRDUP(our_domain->alt_name);
+ } else {
+ realm = SMB_STRDUP(lp_realm());
+ }
+ }
+
+ status = ads_cached_connection_connect(
+ adsp, /* Returns ads struct. */
+ wb_dom->alt_name, /* realm to connect to. */
+ dom_name, /* 'workgroup' name for ads_init */
+ ldap_server, /* DNS name to connect to. */
+ password, /* password for auth realm. */
+ realm, /* realm used for krb5 ticket. */
+ 0); /* renewable ticket time. */
+
+ SAFE_FREE(realm);
+ TALLOC_FREE(ldap_server);
+
+ return status;
+}
+
+/*
+ return our ads connections structure for a domain. We keep the connection
+ open to make things faster
+*/
+static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain)
+{
+ ADS_STATUS status;
+ char *password, *realm;
+
+ if (IS_AD_DC) {
+ /*
+ * Make sure we never try to use LDAP against
+ * a trusted domain as AD DC.
+ */
return NULL;
}
+ DEBUG(10,("ads_cached_connection\n"));
+ ads_cached_connection_reuse((ADS_STRUCT **)&domain->private_data);
+
+ if (domain->private_data) {
+ return (ADS_STRUCT *)domain->private_data;
+ }
+
/* the machine acct password might have change - fetch it every time */
- SAFE_FREE(ads->auth.password);
- SAFE_FREE(ads->auth.realm);
+ if (!get_trust_pw_clear(domain->name, &password, NULL, NULL)) {
+ return NULL;
+ }
if ( IS_DC ) {
-
- if ( !pdb_get_trusteddom_pw( domain->name, &ads->auth.password, NULL, NULL ) ) {
- ads_destroy( &ads );
- return NULL;
- }
- ads->auth.realm = SMB_STRDUP( ads->server.realm );
- strupper_m( ads->auth.realm );
+ SMB_ASSERT(domain->alt_name != NULL);
+ realm = SMB_STRDUP(domain->alt_name);
}
else {
struct winbindd_domain *our_domain = domain;
- ads->auth.password = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
/* always give preference to the alt_name in our
primary domain if possible */
if ( !domain->primary )
our_domain = find_our_domain();
- if ( our_domain->alt_name[0] != '\0' ) {
- ads->auth.realm = SMB_STRDUP( our_domain->alt_name );
- strupper_m( ads->auth.realm );
+ if (our_domain->alt_name != NULL) {
+ realm = SMB_STRDUP( our_domain->alt_name );
}
else
- ads->auth.realm = SMB_STRDUP( lp_realm() );
+ realm = SMB_STRDUP( lp_realm() );
}
- ads->auth.renewable = WINBINDD_PAM_AUTH_KRB5_RENEW_TIME;
-
- /* Setup the server affinity cache. We don't reaally care
- about the name. Just setup affinity and the KRB5_CONFIG
- file. */
-
- get_dc_name( ads->server.workgroup, ads->server.realm, dc_name, &dc_ss );
-
- status = ads_connect(ads);
- if (!ADS_ERR_OK(status) || !ads->config.realm) {
- DEBUG(1,("ads_connect for domain %s failed: %s\n",
- domain->name, ads_errstr(status)));
- ads_destroy(&ads);
+ status = ads_cached_connection_connect(
+ (ADS_STRUCT **)&domain->private_data,
+ domain->alt_name,
+ domain->name, NULL,
+ password, realm,
+ WINBINDD_PAM_AUTH_KRB5_RENEW_TIME);
+ SAFE_FREE(realm);
+ if (!ADS_ERR_OK(status)) {
/* if we get ECONNREFUSED then it might be a NT4
server, fall back to MSRPC */
if (status.error_type == ENUM_ADS_ERROR_SYSTEM &&
return NULL;
}
- /* set the flag that says we don't own the memory even
- though we do so that ads_destroy() won't destroy the
- structure we pass back by reference */
-
- ads->is_mine = False;
-
- domain->private_data = (void *)ads;
- return ads;
+ return (ADS_STRUCT *)domain->private_data;
}
-
/* Query display info for a realm. This is the basic user list fn */
static NTSTATUS query_user_list(struct winbindd_domain *domain,
TALLOC_CTX *mem_ctx,
- uint32 *num_entries,
- struct wbint_userinfo **pinfo)
+ uint32_t **prids)
{
ADS_STRUCT *ads = NULL;
- const char *attrs[] = { "*", NULL };
- int i, count;
+ const char *attrs[] = { "sAMAccountType", "objectSid", NULL };
+ int count;
+ uint32_t *rids = NULL;
ADS_STATUS rc;
LDAPMessage *res = NULL;
LDAPMessage *msg = NULL;
NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
- *num_entries = 0;
-
DEBUG(3,("ads: query_user_list\n"));
if ( !winbindd_can_contact_domain( domain ) ) {
}
rc = ads_search_retry(ads, &res, "(objectCategory=user)", attrs);
- if (!ADS_ERR_OK(rc) || !res) {
+ if (!ADS_ERR_OK(rc)) {
DEBUG(1,("query_user_list ads_search: %s\n", ads_errstr(rc)));
+ status = ads_ntstatus(rc);
+ goto done;
+ } else if (!res) {
+ DEBUG(1,("query_user_list ads_search returned NULL res\n"));
goto done;
}
goto done;
}
- (*pinfo) = TALLOC_ZERO_ARRAY(mem_ctx, struct wbint_userinfo, count);
- if (!*pinfo) {
+ rids = talloc_zero_array(mem_ctx, uint32_t, count);
+ if (rids == NULL) {
status = NT_STATUS_NO_MEMORY;
goto done;
}
count = 0;
for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
- struct wbint_userinfo *info = &((*pinfo)[count]);
- uint32 group;
- uint32 atype;
+ struct dom_sid user_sid;
+ uint32_t atype;
+ bool ok;
- if (!ads_pull_uint32(ads, msg, "sAMAccountType", &atype) ||
- ds_atype_map(atype) != SID_NAME_USER) {
- DEBUG(1,("Not a user account? atype=0x%x\n", atype));
+ ok = ads_pull_uint32(ads, msg, "sAMAccountType", &atype);
+ if (!ok) {
+ DBG_INFO("Object lacks sAMAccountType attribute\n");
+ continue;
+ }
+ if (ds_atype_map(atype) != SID_NAME_USER) {
+ DBG_INFO("Not a user account? atype=0x%x\n", atype);
continue;
}
- info->acct_name = ads_pull_username(ads, mem_ctx, msg);
- info->full_name = ads_pull_string(ads, mem_ctx, msg, "name");
- info->homedir = NULL;
- info->shell = NULL;
- info->primary_gid = (gid_t)-1;
-
- if (!ads_pull_sid(ads, msg, "objectSid",
- &info->user_sid)) {
- DEBUG(1, ("No sid for %s !?\n", info->acct_name));
+ if (!ads_pull_sid(ads, msg, "objectSid", &user_sid)) {
+ char *dn = ads_get_dn(ads, talloc_tos(), msg);
+ DBG_INFO("No sid for %s !?\n", dn);
+ TALLOC_FREE(dn);
continue;
}
- if (!ads_pull_uint32(ads, msg, "primaryGroupID", &group)) {
- DEBUG(1, ("No primary group for %s !?\n",
- info->acct_name));
+ if (!dom_sid_in_domain(&domain->sid, &user_sid)) {
+ struct dom_sid_buf sidstr, domstr;
+ DBG_WARNING("Got sid %s in domain %s\n",
+ dom_sid_str_buf(&user_sid, &sidstr),
+ dom_sid_str_buf(&domain->sid, &domstr));
continue;
}
- sid_compose(&info->group_sid, &domain->sid, group);
+ sid_split_rid(&user_sid, &rids[count]);
count += 1;
}
- (*num_entries) = count;
- ads_msgfree(ads, res);
-
- for (i=0; i<count; i++) {
- struct wbint_userinfo *info = &((*pinfo)[i]);
- const char *gecos = NULL;
- gid_t primary_gid = (gid_t)-1;
-
- /*
- * Don't use our variable "ads" in this call here, every call
- * to nss_get_info_cached can destroy the connection inside
- * the domain.
- */
- status = nss_get_info_cached(domain, &info->user_sid, mem_ctx,
- ads_cached_connection(domain),
- msg, &info->homedir, &info->shell,
- &gecos, &primary_gid);
- if (!NT_STATUS_IS_OK(status)) {
- /*
- * Deliberately ignore this error, there might be more
- * users to fill
- */
- continue;
- }
-
- if (gecos != NULL) {
- info->full_name = gecos;
- }
- info->primary_gid = primary_gid;
+ rids = talloc_realloc(mem_ctx, rids, uint32_t, count);
+ if (prids != NULL) {
+ *prids = rids;
}
status = NT_STATUS_OK;
- DEBUG(3,("ads query_user_list gave %d entries\n", (*num_entries)));
+ DBG_NOTICE("ads query_user_list gave %d entries\n", count);
done:
return status;
/* list all domain groups */
static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
TALLOC_CTX *mem_ctx,
- uint32 *num_entries,
- struct acct_info **info)
+ uint32_t *num_entries,
+ struct wb_acct_info **info)
{
ADS_STRUCT *ads = NULL;
const char *attrs[] = {"userPrincipalName", "sAMAccountName",
}
rc = ads_search_retry(ads, &res, filter, attrs);
- if (!ADS_ERR_OK(rc) || !res) {
+ if (!ADS_ERR_OK(rc)) {
+ status = ads_ntstatus(rc);
DEBUG(1,("enum_dom_groups ads_search: %s\n", ads_errstr(rc)));
goto done;
+ } else if (!res) {
+ DEBUG(1,("enum_dom_groups ads_search returned NULL res\n"));
+ goto done;
}
count = ads_count_replies(ads, res);
goto done;
}
- (*info) = TALLOC_ZERO_ARRAY(mem_ctx, struct acct_info, count);
+ (*info) = talloc_zero_array(mem_ctx, struct wb_acct_info, count);
if (!*info) {
status = NT_STATUS_NO_MEMORY;
goto done;
for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
char *name, *gecos;
struct dom_sid sid;
- uint32 rid;
+ uint32_t rid;
- name = ads_pull_username(ads, mem_ctx, msg);
- gecos = ads_pull_string(ads, mem_ctx, msg, "name");
+ name = ads_pull_username(ads, (*info), msg);
+ gecos = ads_pull_string(ads, (*info), msg, "name");
if (!ads_pull_sid(ads, msg, "objectSid", &sid)) {
DEBUG(1,("No sid for %s !?\n", name));
continue;
continue;
}
- fstrcpy((*info)[i].acct_name, name);
- fstrcpy((*info)[i].acct_desc, gecos);
+ (*info)[i].acct_name = name;
+ (*info)[i].acct_desc = gecos;
(*info)[i].rid = rid;
i++;
}
/* list all domain local groups */
static NTSTATUS enum_local_groups(struct winbindd_domain *domain,
TALLOC_CTX *mem_ctx,
- uint32 *num_entries,
- struct acct_info **info)
+ uint32_t *num_entries,
+ struct wb_acct_info **info)
{
/*
* This is a stub function only as we returned the domain
struct dom_sid *sid,
enum lsa_SidType *type)
{
- return reconnect_methods.name_to_sid(domain, mem_ctx,
- domain_name, name, flags,
- sid, type);
+ return msrpc_methods.name_to_sid(domain, mem_ctx, domain_name, name,
+ flags, sid, type);
}
/* convert a domain SID to a user or group name - use rpc methods */
char **name,
enum lsa_SidType *type)
{
- return reconnect_methods.sid_to_name(domain, mem_ctx, sid,
- domain_name, name, type);
+ return msrpc_methods.sid_to_name(domain, mem_ctx, sid,
+ domain_name, name, type);
}
/* convert a list of rids to names - use rpc methods */
static NTSTATUS rids_to_names(struct winbindd_domain *domain,
TALLOC_CTX *mem_ctx,
const struct dom_sid *sid,
- uint32 *rids,
+ uint32_t *rids,
size_t num_rids,
char **domain_name,
char ***names,
enum lsa_SidType **types)
{
- return reconnect_methods.rids_to_names(domain, mem_ctx, sid,
- rids, num_rids,
- domain_name, names, types);
-}
-
-/* If you are looking for "dn_lookup": Yes, it used to be here!
- * It has gone now since it was a major speed bottleneck in
- * lookup_groupmem (its only use). It has been replaced by
- * an rpc lookup sids call... R.I.P. */
-
-/* Lookup user information from a rid */
-static NTSTATUS query_user(struct winbindd_domain *domain,
- TALLOC_CTX *mem_ctx,
- const struct dom_sid *sid,
- struct wbint_userinfo *info)
-{
- ADS_STRUCT *ads = NULL;
- const char *attrs[] = { "*", NULL };
- ADS_STATUS rc;
- int count;
- LDAPMessage *msg = NULL;
- char *ldap_exp;
- char *sidstr;
- uint32 group_rid;
- NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
- struct netr_SamInfo3 *user = NULL;
- gid_t gid = -1;
- int ret;
- char *ads_name;
-
- DEBUG(3,("ads: query_user\n"));
-
- info->homedir = NULL;
- info->shell = NULL;
-
- /* try netsamlogon cache first */
-
- if ( (user = netsamlogon_cache_get( mem_ctx, sid )) != NULL )
- {
- DEBUG(5,("query_user: Cache lookup succeeded for %s\n",
- sid_string_dbg(sid)));
-
- sid_compose(&info->user_sid, &domain->sid, user->base.rid);
- sid_compose(&info->group_sid, &domain->sid, user->base.primary_gid);
-
- info->acct_name = talloc_strdup(mem_ctx, user->base.account_name.string);
- info->full_name = talloc_strdup(mem_ctx, user->base.full_name.string);
-
- nss_get_info_cached( domain, sid, mem_ctx, NULL, NULL,
- &info->homedir, &info->shell, &info->full_name,
- &gid );
- info->primary_gid = gid;
-
- TALLOC_FREE(user);
-
- return NT_STATUS_OK;
- }
-
- if ( !winbindd_can_contact_domain(domain)) {
- DEBUG(8,("query_user: No incoming trust from domain %s\n",
- domain->name));
-
- /* We still need to generate some basic information
- about the user even if we cannot contact the
- domain. Most of this stuff we can deduce. */
-
- sid_copy( &info->user_sid, sid );
-
- /* Assume "Domain Users" for the primary group */
-
- sid_compose(&info->group_sid, &domain->sid, DOMAIN_RID_USERS );
-
- /* Try to fill in what the nss_info backend can do */
-
- nss_get_info_cached( domain, sid, mem_ctx, NULL, NULL,
- &info->homedir, &info->shell, &info->full_name,
- &gid);
- info->primary_gid = gid;
-
- return NT_STATUS_OK;
- }
-
- /* no cache...do the query */
-
- if ( (ads = ads_cached_connection(domain)) == NULL ) {
- domain->last_status = NT_STATUS_SERVER_DISABLED;
- return NT_STATUS_SERVER_DISABLED;
- }
-
- sidstr = sid_binstring(talloc_tos(), sid);
-
- ret = asprintf(&ldap_exp, "(objectSid=%s)", sidstr);
- TALLOC_FREE(sidstr);
- if (ret == -1) {
- return NT_STATUS_NO_MEMORY;
- }
- rc = ads_search_retry(ads, &msg, ldap_exp, attrs);
- SAFE_FREE(ldap_exp);
- if (!ADS_ERR_OK(rc) || !msg) {
- DEBUG(1,("query_user(sid=%s) ads_search: %s\n",
- sid_string_dbg(sid), ads_errstr(rc)));
- return ads_ntstatus(rc);
- }
-
- count = ads_count_replies(ads, msg);
- if (count != 1) {
- DEBUG(1,("query_user(sid=%s): Not found\n",
- sid_string_dbg(sid)));
- ads_msgfree(ads, msg);
- return NT_STATUS_NO_SUCH_USER;
- }
-
- info->acct_name = ads_pull_username(ads, mem_ctx, msg);
-
- if (!ads_pull_uint32(ads, msg, "primaryGroupID", &group_rid)) {
- DEBUG(1,("No primary group for %s !?\n",
- sid_string_dbg(sid)));
- ads_msgfree(ads, msg);
- return NT_STATUS_NO_SUCH_USER;
- }
- sid_copy(&info->user_sid, sid);
- sid_compose(&info->group_sid, &domain->sid, group_rid);
-
- /*
- * We have to fetch the "name" attribute before doing the
- * nss_get_info_cached call. nss_get_info_cached might destroy
- * the ads struct, potentially invalidating the ldap message.
- */
- ads_name = ads_pull_string(ads, mem_ctx, msg, "name");
-
- ads_msgfree(ads, msg);
- msg = NULL;
-
- status = nss_get_info_cached( domain, sid, mem_ctx, ads, msg,
- &info->homedir, &info->shell, &info->full_name,
- &gid);
- info->primary_gid = gid;
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(1, ("nss_get_info_cached failed: %s\n",
- nt_errstr(status)));
- return status;
- }
-
- if (info->full_name == NULL) {
- info->full_name = ads_name;
- } else {
- TALLOC_FREE(ads_name);
- }
-
- status = NT_STATUS_OK;
-
- DEBUG(3,("ads query_user gave %s\n", info->acct_name));
- return NT_STATUS_OK;
+ return msrpc_methods.rids_to_names(domain, mem_ctx, sid,
+ rids, num_rids,
+ domain_name, names, types);
}
/* Lookup groups a user is a member of - alternate method, for when
rc = ads_search_retry(ads, &res, ldap_exp, group_attrs);
- if (!ADS_ERR_OK(rc) || !res) {
+ if (!ADS_ERR_OK(rc)) {
DEBUG(1,("lookup_usergroups ads_search member=%s: %s\n", user_dn, ads_errstr(rc)));
return ads_ntstatus(rc);
+ } else if (!res) {
+ DEBUG(1,("lookup_usergroups ads_search returned NULL res\n"));
+ return NT_STATUS_INTERNAL_ERROR;
}
+
count = ads_count_replies(ads, res);
*user_sids = NULL;
goto done;
}
- group_sids = TALLOC_ZERO_ARRAY(mem_ctx, struct dom_sid, num_strings + 1);
+ group_sids = talloc_zero_array(mem_ctx, struct dom_sid, num_strings + 1);
if (!group_sids) {
status = NT_STATUS_NO_MEMORY;
goto done;
static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
TALLOC_CTX *mem_ctx,
const struct dom_sid *sid,
- uint32 *p_num_groups, struct dom_sid **user_sids)
+ uint32_t *p_num_groups, struct dom_sid **user_sids)
{
ADS_STRUCT *ads = NULL;
const char *attrs[] = {"tokenGroups", "primaryGroupID", NULL};
struct dom_sid *sids;
int i;
struct dom_sid primary_group;
- uint32 primary_group_rid;
+ uint32_t primary_group_rid;
NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
uint32_t num_groups = 0;
+ struct dom_sid_buf buf;
DEBUG(3,("ads: lookup_usergroups\n"));
*p_num_groups = 0;
- status = lookup_usergroups_cached(domain, mem_ctx, sid,
+ status = lookup_usergroups_cached(mem_ctx, sid,
p_num_groups, user_sids);
if (NT_STATUS_IS_OK(status)) {
return NT_STATUS_OK;
if (!ADS_ERR_OK(rc)) {
status = ads_ntstatus(rc);
DEBUG(1, ("lookup_usergroups(sid=%s) ads_search tokenGroups: "
- "%s\n", sid_string_dbg(sid), ads_errstr(rc)));
+ "%s\n",
+ dom_sid_str_buf(sid, &buf),
+ ads_errstr(rc)));
goto done;
}
status = NT_STATUS_UNSUCCESSFUL;
DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: "
"invalid number of results (count=%d)\n",
- sid_string_dbg(sid), count));
+ dom_sid_str_buf(sid, &buf),
+ count));
goto done;
}
if (!msg) {
DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: NULL msg\n",
- sid_string_dbg(sid)));
+ dom_sid_str_buf(sid, &buf)));
status = NT_STATUS_UNSUCCESSFUL;
goto done;
}
if (!ads_pull_uint32(ads, msg, "primaryGroupID", &primary_group_rid)) {
DEBUG(1,("%s: No primary group for sid=%s !?\n",
- domain->name, sid_string_dbg(sid)));
+ domain->name,
+ dom_sid_str_buf(sid, &buf)));
goto done;
}
}
}
- *p_num_groups = (uint32)num_groups;
+ *p_num_groups = (uint32_t)num_groups;
status = (*user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
DEBUG(3,("ads lookup_usergroups (tokenGroups) succeeded for sid=%s\n",
- sid_string_dbg(sid)));
+ dom_sid_str_buf(sid, &buf)));
done:
TALLOC_FREE(user_dn);
ads_msgfree(ads, msg);
/* Lookup aliases a user is member of - use rpc methods */
static NTSTATUS lookup_useraliases(struct winbindd_domain *domain,
TALLOC_CTX *mem_ctx,
- uint32 num_sids, const struct dom_sid *sids,
- uint32 *num_aliases, uint32 **alias_rids)
+ uint32_t num_sids, const struct dom_sid *sids,
+ uint32_t *num_aliases, uint32_t **alias_rids)
{
- return reconnect_methods.lookup_useraliases(domain, mem_ctx,
- num_sids, sids,
- num_aliases,
- alias_rids);
+ return msrpc_methods.lookup_useraliases(domain, mem_ctx, num_sids, sids,
+ num_aliases, alias_rids);
+}
+
+static NTSTATUS add_primary_group_members(
+ ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, uint32_t rid,
+ char ***all_members, size_t *num_all_members)
+{
+ char *filter;
+ NTSTATUS status = NT_STATUS_NO_MEMORY;
+ ADS_STATUS rc;
+ const char *attrs[] = { "dn", NULL };
+ LDAPMessage *res = NULL;
+ LDAPMessage *msg;
+ char **members;
+ size_t num_members;
+ ads_control args;
+
+ filter = talloc_asprintf(
+ mem_ctx, "(&(objectCategory=user)(primaryGroupID=%u))",
+ (unsigned)rid);
+ if (filter == NULL) {
+ goto done;
+ }
+
+ args.control = ADS_EXTENDED_DN_OID;
+ args.val = ADS_EXTENDED_DN_HEX_STRING;
+ args.critical = True;
+
+ rc = ads_do_search_all_args(ads, ads->config.bind_path,
+ LDAP_SCOPE_SUBTREE, filter, attrs, &args,
+ &res);
+
+ if (!ADS_ERR_OK(rc)) {
+ status = ads_ntstatus(rc);
+ DEBUG(1,("%s: ads_search: %s\n", __func__, ads_errstr(rc)));
+ goto done;
+ }
+ if (res == NULL) {
+ DEBUG(1,("%s: ads_search returned NULL res\n", __func__));
+ goto done;
+ }
+
+ num_members = ads_count_replies(ads, res);
+
+ DEBUG(10, ("%s: Got %ju primary group members\n", __func__,
+ (uintmax_t)num_members));
+
+ if (num_members == 0) {
+ status = NT_STATUS_OK;
+ goto done;
+ }
+
+ members = talloc_realloc(mem_ctx, *all_members, char *,
+ *num_all_members + num_members);
+ if (members == NULL) {
+ DEBUG(1, ("%s: talloc_realloc failed\n", __func__));
+ goto done;
+ }
+ *all_members = members;
+
+ for (msg = ads_first_entry(ads, res); msg != NULL;
+ msg = ads_next_entry(ads, msg)) {
+ char *dn;
+
+ dn = ads_get_dn(ads, members, msg);
+ if (dn == NULL) {
+ DEBUG(1, ("%s: ads_get_dn failed\n", __func__));
+ continue;
+ }
+
+ members[*num_all_members] = dn;
+ *num_all_members += 1;
+ }
+
+ status = NT_STATUS_OK;
+done:
+ if (res != NULL) {
+ ads_msgfree(ads, res);
+ }
+ TALLOC_FREE(filter);
+ return status;
}
/*
TALLOC_CTX *mem_ctx,
const struct dom_sid *group_sid,
enum lsa_SidType type,
- uint32 *num_names,
+ uint32_t *num_names,
struct dom_sid **sid_mem, char ***names,
- uint32 **name_types)
+ uint32_t **name_types)
{
ADS_STATUS rc;
ADS_STRUCT *ads = NULL;
char **names_nocache = NULL;
enum lsa_SidType *name_types_nocache = NULL;
char **domains_nocache = NULL; /* only needed for rpccli_lsa_lookup_sids */
- uint32 num_nocache = 0;
+ uint32_t num_nocache = 0;
TALLOC_CTX *tmp_ctx = NULL;
+ uint32_t rid;
+ struct dom_sid_buf buf;
DEBUG(10,("ads: lookup_groupmem %s sid=%s\n", domain->name,
- sid_string_dbg(group_sid)));
+ dom_sid_str_buf(group_sid, &buf)));
*num_names = 0;
goto done;
}
+ if (!sid_peek_rid(group_sid, &rid)) {
+ DEBUG(1, ("%s: sid_peek_rid failed\n", __func__));
+ status = NT_STATUS_INVALID_PARAMETER;
+ goto done;
+ }
+
if ( !winbindd_can_contact_domain( domain ) ) {
DEBUG(10,("lookup_groupmem: No incoming trust for domain %s\n",
domain->name));
goto done;
}
- if ((sidbinstr = sid_binstring(talloc_tos(), group_sid)) == NULL) {
+ if ((sidbinstr = ldap_encode_ndr_dom_sid(talloc_tos(), group_sid)) == NULL) {
status = NT_STATUS_NO_MEMORY;
goto done;
}
DEBUG(10, ("ads lookup_groupmem: got %d sids via extended dn call\n", (int)num_members));
+ status = add_primary_group_members(ads, mem_ctx, rid,
+ &members, &num_members);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(10, ("%s: add_primary_group_members failed: %s\n",
+ __func__, nt_errstr(status)));
+ goto done;
+ }
+
+ DEBUG(10, ("%s: Got %d sids after adding primary group members\n",
+ __func__, (int)num_members));
+
/* Now that we have a list of sids, we need to get the
* lists of names and name_types belonging to these sids.
* even though conceptually not quite clean, we use the
* cache. Only the rest is passed to the lsa_lookup_sids call. */
if (num_members) {
- (*sid_mem) = TALLOC_ZERO_ARRAY(mem_ctx, struct dom_sid, num_members);
- (*names) = TALLOC_ZERO_ARRAY(mem_ctx, char *, num_members);
- (*name_types) = TALLOC_ZERO_ARRAY(mem_ctx, uint32, num_members);
- (sid_mem_nocache) = TALLOC_ZERO_ARRAY(tmp_ctx, struct dom_sid, num_members);
+ (*sid_mem) = talloc_zero_array(mem_ctx, struct dom_sid, num_members);
+ (*names) = talloc_zero_array(mem_ctx, char *, num_members);
+ (*name_types) = talloc_zero_array(mem_ctx, uint32_t, num_members);
+ (sid_mem_nocache) = talloc_zero_array(tmp_ctx, struct dom_sid, num_members);
if ((members == NULL) || (*sid_mem == NULL) ||
(*names == NULL) || (*name_types == NULL) ||
if (lookup_cached_sid(mem_ctx, &sid, &domain_name, &name,
&name_type)) {
DEBUG(10,("ads: lookup_groupmem: got sid %s from "
- "cache\n", sid_string_dbg(&sid)));
+ "cache\n",
+ dom_sid_str_buf(&sid, &buf)));
sid_copy(&(*sid_mem)[*num_names], &sid);
(*names)[*num_names] = fill_domain_username_talloc(
*names,
}
else {
DEBUG(10, ("ads: lookup_groupmem: sid %s not found in "
- "cache\n", sid_string_dbg(&sid)));
+ "cache\n",
+ dom_sid_str_buf(&sid, &buf)));
sid_copy(&(sid_mem_nocache)[num_nocache], &sid);
num_nocache++;
}
status = NT_STATUS_OK;
DEBUG(3,("ads lookup_groupmem for sid=%s succeeded\n",
- sid_string_dbg(group_sid)));
+ dom_sid_str_buf(group_sid, &buf)));
done:
}
/* find the sequence number for a domain */
-static NTSTATUS sequence_number(struct winbindd_domain *domain, uint32 *seq)
+static NTSTATUS sequence_number(struct winbindd_domain *domain, uint32_t *seq)
{
ADS_STRUCT *ads = NULL;
ADS_STATUS rc;
return NT_STATUS_OK;
}
+ if (IS_AD_DC) {
+ DEBUG(10,("sequence: Avoid LDAP connection for domain %s\n",
+ domain->name));
+ *seq = time(NULL);
+ return NT_STATUS_OK;
+ }
+
*seq = DOM_SEQUENCE_NONE;
ads = ads_cached_connection(domain);
ads = (ADS_STRUCT *)domain->private_data;
ads->is_mine = True;
ads_destroy(&ads);
- ads_kdestroy("MEMORY:winbind_ccache");
+ ads_kdestroy(WINBIND_CCACHE_NAME);
domain->private_data = NULL;
}
}
TALLOC_CTX *mem_ctx,
struct samr_DomInfo12 *policy)
{
- return reconnect_methods.lockout_policy(domain, mem_ctx, policy);
+ return msrpc_methods.lockout_policy(domain, mem_ctx, policy);
}
/* find the password policy of a domain - use rpc methods */
TALLOC_CTX *mem_ctx,
struct samr_DomInfo1 *policy)
{
- return reconnect_methods.password_policy(domain, mem_ctx, policy);
+ return msrpc_methods.password_policy(domain, mem_ctx, policy);
}
/* get a list of trusted domains */
struct netr_DomainTrustList *trusts)
{
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
+ WERROR werr;
int i;
- uint32 flags;
+ uint32_t flags;
struct rpc_pipe_client *cli;
int ret_count;
+ struct dcerpc_binding_handle *b;
DEBUG(3,("ads: trusted_domains\n"));
return NT_STATUS_UNSUCCESSFUL;
}
- result = rpccli_netr_DsrEnumerateDomainTrusts(cli, mem_ctx,
+ b = cli->binding_handle;
+
+ result = dcerpc_netr_DsrEnumerateDomainTrusts(b, mem_ctx,
cli->desthost,
flags,
trusts,
- NULL);
+ &werr);
if (!NT_STATUS_IS_OK(result)) {
return result;
}
+
+ if (!W_ERROR_IS_OK(werr)) {
+ return werror_to_ntstatus(werr);
+ }
if (trusts->count == 0) {
return NT_STATUS_OK;
}
*/
if ((trust->trust_attributes
- == NETR_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) &&
+ == LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) &&
!domain->primary )
{
DEBUG(10,("trusted_domains: Skipping external trusted "
/* add to the trusted domain cache */
- fstrcpy(d.name, trust->netbios_name);
- fstrcpy(d.alt_name, trust->dns_name);
+ d.name = discard_const_p(char, trust->netbios_name);
+ d.alt_name = discard_const_p(char, trust->dns_name);
+
if (trust->sid) {
sid_copy(&d.sid, trust->sid);
} else {
}
TALLOC_FREE(parent);
+ /*
+ * We need to pass the modified properties
+ * to the caller.
+ */
+ trust->trust_flags = d.domain_flags;
+ trust->trust_type = d.domain_type;
+ trust->trust_attributes = d.domain_trust_attribs;
+
wcache_tdc_add_domain( &d );
ret_count++;
}
name_to_sid,
sid_to_name,
rids_to_names,
- query_user,
lookup_usergroups,
lookup_useraliases,
lookup_groupmem,