ads_struct

[metze/samba/wip.git] / source3 / winbindd / winbindd_ads.c

diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
index 83579686ff4032a456c8a5b85eb02d99ebdae84f..04f8c9d8f5254ce30ee384a5bd6fbe0d6e504b75 100644 (file)
--- a/source3/winbindd/winbindd_ads.c
+++ b/source3/winbindd/winbindd_ads.c
@@ -23,6 +23,8 @@
 
 #include "includes.h"
 #include "winbindd.h"
+#include "winbindd_ads.h"
+#include "libsmb/namequery.h"
 #include "rpc_client/rpc_client.h"
 #include "../librpc/gen_ndr/ndr_netlogon_c.h"
 #include "../libds/common/flags.h"
@@ -114,14 +116,16 @@ static ADS_STATUS ads_cached_connection_connect(ADS_STRUCT **adsp,
                return ADS_ERROR(LDAP_NO_MEMORY);
        }
 
-       SAFE_FREE(ads->auth.password);
-       SAFE_FREE(ads->auth.realm);
+       SAFE_FREE(ads->auth._password);
+       SAFE_FREE(ads->auth._realm);
 
-       ads->auth.renewable = renewable;
-       ads->auth.password = password;
+       ads->auth._renewable = renewable;
+       ads->auth._password = password;
 
-       ads->auth.realm = SMB_STRDUP(auth_realm);
-       if (!strupper_m(ads->auth.realm)) {
+       ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
+
+       ads->auth._realm = SMB_STRDUP(auth_realm);
+       if (!strupper_m(ads->auth._realm)) {
                ads_destroy(&ads);
                return ADS_ERROR_NT(NT_STATUS_INTERNAL_ERROR);
        }
@@ -156,6 +160,14 @@ ADS_STATUS ads_idmap_cached_connection(ADS_STRUCT **adsp, const char *dom_name)
        struct winbindd_domain *wb_dom;
        ADS_STATUS status;
 
+       if (IS_AD_DC) {
+               /*
+                * Make sure we never try to use LDAP against
+                * a trusted domain as AD DC.
+                */
+               return ADS_ERROR_NT(NT_STATUS_REQUEST_NOT_ACCEPTED);
+       }
+
        ads_cached_connection_reuse(adsp);
        if (*adsp != NULL) {
                return ADS_SUCCESS;
@@ -228,6 +240,14 @@ static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain)
        ADS_STATUS status;
        char *password, *realm;
 
+       if (IS_AD_DC) {
+               /*
+                * Make sure we never try to use LDAP against
+                * a trusted domain as AD DC.
+                */
+               return NULL;
+       }
+
        DEBUG(10,("ads_cached_connection\n"));
        ads_cached_connection_reuse((ADS_STRUCT **)&domain->private_data);
 
@@ -293,14 +313,12 @@ static NTSTATUS query_user_list(struct winbindd_domain *domain,
        ADS_STRUCT *ads = NULL;
        const char *attrs[] = { "sAMAccountType", "objectSid", NULL };
        int count;
-       uint32_t *rids;
+       uint32_t *rids = NULL;
        ADS_STATUS rc;
        LDAPMessage *res = NULL;
        LDAPMessage *msg = NULL;
        NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
 
-       *prids = NULL;
-
        DEBUG(3,("ads: query_user_list\n"));
 
        if ( !winbindd_can_contact_domain( domain ) ) {
@@ -356,16 +374,17 @@ static NTSTATUS query_user_list(struct winbindd_domain *domain,
                }
 
                if (!ads_pull_sid(ads, msg, "objectSid", &user_sid)) {
-                       DBG_INFO("No sid for %s !?\n",
-                                ads_get_dn(ads, talloc_tos(), msg));
+                       char *dn = ads_get_dn(ads, talloc_tos(), msg);
+                       DBG_INFO("No sid for %s !?\n", dn);
+                       TALLOC_FREE(dn);
                        continue;
                }
 
                if (!dom_sid_in_domain(&domain->sid, &user_sid)) {
-                       fstring sidstr, domstr;
+                       struct dom_sid_buf sidstr, domstr;
                        DBG_WARNING("Got sid %s in domain %s\n",
-                                   sid_to_fstring(sidstr, &user_sid),
-                                   sid_to_fstring(domstr, &domain->sid));
+                                   dom_sid_str_buf(&user_sid, &sidstr),
+                                   dom_sid_str_buf(&domain->sid, &domstr));
                        continue;
                }
 
@@ -374,7 +393,9 @@ static NTSTATUS query_user_list(struct winbindd_domain *domain,
        }
 
        rids = talloc_realloc(mem_ctx, rids, uint32_t, count);
-       *prids = rids;
+       if (prids != NULL) {
+               *prids = rids;
+       }
 
        status = NT_STATUS_OK;
 
@@ -479,8 +500,8 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
                struct dom_sid sid;
                uint32_t rid;
 
-               name = ads_pull_username(ads, mem_ctx, msg);
-               gecos = ads_pull_string(ads, mem_ctx, msg, "name");
+               name = ads_pull_username(ads, (*info), msg);
+               gecos = ads_pull_string(ads, (*info), msg, "name");
                if (!ads_pull_sid(ads, msg, "objectSid", &sid)) {
                        DEBUG(1,("No sid for %s !?\n", name));
                        continue;
@@ -491,8 +512,8 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
                        continue;
                }
 
-               fstrcpy((*info)[i].acct_name, name);
-               fstrcpy((*info)[i].acct_desc, gecos);
+               (*info)[i].acct_name = name;
+               (*info)[i].acct_desc = gecos;
                (*info)[i].rid = rid;
                i++;
        }
@@ -571,6 +592,387 @@ static NTSTATUS rids_to_names(struct winbindd_domain *domain,
                                           domain_name, names, types);
 }
 
+/* Lookup groups a user is a member of - alternate method, for when
+   tokenGroups are not available. */
+static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain,
+                                        TALLOC_CTX *mem_ctx,
+                                        const char *user_dn, 
+                                        struct dom_sid *primary_group,
+                                        uint32_t *p_num_groups, struct dom_sid **user_sids)
+{
+       ADS_STATUS rc;
+       NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
+       int count;
+       LDAPMessage *res = NULL;
+       LDAPMessage *msg = NULL;
+       char *ldap_exp;
+       ADS_STRUCT *ads;
+       const char *group_attrs[] = {"objectSid", NULL};
+       char *escaped_dn;
+       uint32_t num_groups = 0;
+
+       DEBUG(3,("ads: lookup_usergroups_member\n"));
+
+       if ( !winbindd_can_contact_domain( domain ) ) {
+               DEBUG(10,("lookup_usergroups_members: No incoming trust for domain %s\n",
+                         domain->name));               
+               return NT_STATUS_OK;
+       }
+
+       ads = ads_cached_connection(domain);
+
+       if (!ads) {
+               domain->last_status = NT_STATUS_SERVER_DISABLED;
+               goto done;
+       }
+
+       if (!(escaped_dn = escape_ldap_string(talloc_tos(), user_dn))) {
+               status = NT_STATUS_NO_MEMORY;
+               goto done;
+       }
+
+       ldap_exp = talloc_asprintf(mem_ctx,
+               "(&(member=%s)(objectCategory=group)(groupType:dn:%s:=%d))",
+               escaped_dn,
+               ADS_LDAP_MATCHING_RULE_BIT_AND,
+               GROUP_TYPE_SECURITY_ENABLED);
+       if (!ldap_exp) {
+               DEBUG(1,("lookup_usergroups(dn=%s) asprintf failed!\n", user_dn));
+               TALLOC_FREE(escaped_dn);
+               status = NT_STATUS_NO_MEMORY;
+               goto done;
+       }
+
+       TALLOC_FREE(escaped_dn);
+
+       rc = ads_search_retry(ads, &res, ldap_exp, group_attrs);
+
+       if (!ADS_ERR_OK(rc)) {
+               DEBUG(1,("lookup_usergroups ads_search member=%s: %s\n", user_dn, ads_errstr(rc)));
+               return ads_ntstatus(rc);
+       } else if (!res) {
+               DEBUG(1,("lookup_usergroups ads_search returned NULL res\n"));
+               return NT_STATUS_INTERNAL_ERROR;
+       }
+
+
+       count = ads_count_replies(ads, res);
+
+       *user_sids = NULL;
+       num_groups = 0;
+
+       /* always add the primary group to the sid array */
+       status = add_sid_to_array(mem_ctx, primary_group, user_sids,
+                                 &num_groups);
+       if (!NT_STATUS_IS_OK(status)) {
+               goto done;
+       }
+
+       if (count > 0) {
+               for (msg = ads_first_entry(ads, res); msg;
+                    msg = ads_next_entry(ads, msg)) {
+                       struct dom_sid group_sid;
+
+                       if (!ads_pull_sid(ads, msg, "objectSid", &group_sid)) {
+                               DEBUG(1,("No sid for this group ?!?\n"));
+                               continue;
+                       }
+
+                       /* ignore Builtin groups from ADS - Guenther */
+                       if (sid_check_is_in_builtin(&group_sid)) {
+                               continue;
+                       }
+
+                       status = add_sid_to_array(mem_ctx, &group_sid,
+                                                 user_sids, &num_groups);
+                       if (!NT_STATUS_IS_OK(status)) {
+                               goto done;
+                       }
+               }
+
+       }
+
+       *p_num_groups = num_groups;
+       status = (user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
+
+       DEBUG(3,("ads lookup_usergroups (member) succeeded for dn=%s\n", user_dn));
+done:
+       if (res) 
+               ads_msgfree(ads, res);
+
+       return status;
+}
+
+/* Lookup groups a user is a member of - alternate method, for when
+   tokenGroups are not available. */
+static NTSTATUS lookup_usergroups_memberof(struct winbindd_domain *domain,
+                                          TALLOC_CTX *mem_ctx,
+                                          const char *user_dn,
+                                          struct dom_sid *primary_group,
+                                          uint32_t *p_num_groups,
+                                          struct dom_sid **user_sids)
+{
+       ADS_STATUS rc;
+       NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
+       ADS_STRUCT *ads;
+       const char *attrs[] = {"memberOf", NULL};
+       uint32_t num_groups = 0;
+       struct dom_sid *group_sids = NULL;
+       int i;
+       char **strings = NULL;
+       size_t num_strings = 0, num_sids = 0;
+
+
+       DEBUG(3,("ads: lookup_usergroups_memberof\n"));
+
+       if ( !winbindd_can_contact_domain( domain ) ) {
+               DEBUG(10,("lookup_usergroups_memberof: No incoming trust for "
+                         "domain %s\n", domain->name));
+               return NT_STATUS_OK;
+       }
+
+       ads = ads_cached_connection(domain);
+
+       if (!ads) {
+               domain->last_status = NT_STATUS_SERVER_DISABLED;
+               return NT_STATUS_UNSUCCESSFUL;
+       }
+
+       rc = ads_search_retry_extended_dn_ranged(ads, mem_ctx, user_dn, attrs,
+                                                ADS_EXTENDED_DN_HEX_STRING,
+                                                &strings, &num_strings);
+
+       if (!ADS_ERR_OK(rc)) {
+               DEBUG(1,("lookup_usergroups_memberof ads_search "
+                       "member=%s: %s\n", user_dn, ads_errstr(rc)));
+               return ads_ntstatus(rc);
+       }
+
+       *user_sids = NULL;
+       num_groups = 0;
+
+       /* always add the primary group to the sid array */
+       status = add_sid_to_array(mem_ctx, primary_group, user_sids,
+                                 &num_groups);
+       if (!NT_STATUS_IS_OK(status)) {
+               goto done;
+       }
+
+       group_sids = talloc_zero_array(mem_ctx, struct dom_sid, num_strings + 1);
+       if (!group_sids) {
+               status = NT_STATUS_NO_MEMORY;
+               goto done;
+       }
+
+       for (i=0; i<num_strings; i++) {
+               rc = ads_get_sid_from_extended_dn(mem_ctx, strings[i],
+                                                 ADS_EXTENDED_DN_HEX_STRING,
+                                                 &(group_sids)[i]);
+               if (!ADS_ERR_OK(rc)) {
+                       /* ignore members without SIDs */
+                       if (NT_STATUS_EQUAL(ads_ntstatus(rc),
+                           NT_STATUS_NOT_FOUND)) {
+                               continue;
+                       }
+                       else {
+                               status = ads_ntstatus(rc);
+                               goto done;
+                       }
+               }
+               num_sids++;
+       }
+
+       if (i == 0) {
+               DEBUG(1,("No memberOf for this user?!?\n"));
+               status = NT_STATUS_NO_MEMORY;
+               goto done;
+       }
+
+       for (i=0; i<num_sids; i++) {
+
+               /* ignore Builtin groups from ADS - Guenther */
+               if (sid_check_is_in_builtin(&group_sids[i])) {
+                       continue;
+               }
+
+               status = add_sid_to_array(mem_ctx, &group_sids[i], user_sids,
+                                         &num_groups);
+               if (!NT_STATUS_IS_OK(status)) {
+                       goto done;
+               }
+
+       }
+
+       *p_num_groups = num_groups;
+       status = (*user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
+
+       DEBUG(3,("ads lookup_usergroups (memberof) succeeded for dn=%s\n",
+               user_dn));
+
+done:
+       TALLOC_FREE(strings);
+       TALLOC_FREE(group_sids);
+
+       return status;
+}
+
+
+/* Lookup groups a user is a member of. */
+static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
+                                 TALLOC_CTX *mem_ctx,
+                                 const struct dom_sid *sid,
+                                 uint32_t *p_num_groups, struct dom_sid **user_sids)
+{
+       ADS_STRUCT *ads = NULL;
+       const char *attrs[] = {"tokenGroups", "primaryGroupID", NULL};
+       ADS_STATUS rc;
+       int count;
+       LDAPMessage *msg = NULL;
+       char *user_dn = NULL;
+       struct dom_sid *sids;
+       int i;
+       struct dom_sid primary_group;
+       uint32_t primary_group_rid;
+       NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
+       uint32_t num_groups = 0;
+       struct dom_sid_buf buf;
+
+       DEBUG(3,("ads: lookup_usergroups\n"));
+       *p_num_groups = 0;
+
+       status = lookup_usergroups_cached(mem_ctx, sid,
+                                         p_num_groups, user_sids);
+       if (NT_STATUS_IS_OK(status)) {
+               return NT_STATUS_OK;
+       }
+
+       if ( !winbindd_can_contact_domain( domain ) ) {
+               DEBUG(10,("lookup_usergroups: No incoming trust for domain %s\n",
+                         domain->name));
+
+               /* Tell the cache manager not to remember this one */
+
+               return NT_STATUS_SYNCHRONIZATION_REQUIRED;
+       }
+
+       ads = ads_cached_connection(domain);
+
+       if (!ads) {
+               domain->last_status = NT_STATUS_SERVER_DISABLED;
+               status = NT_STATUS_SERVER_DISABLED;
+               goto done;
+       }
+
+       rc = ads_search_retry_sid(ads, &msg, sid, attrs);
+
+       if (!ADS_ERR_OK(rc)) {
+               status = ads_ntstatus(rc);
+               DEBUG(1, ("lookup_usergroups(sid=%s) ads_search tokenGroups: "
+                         "%s\n",
+                         dom_sid_str_buf(sid, &buf),
+                         ads_errstr(rc)));
+               goto done;
+       }
+
+       count = ads_count_replies(ads, msg);
+       if (count != 1) {
+               status = NT_STATUS_UNSUCCESSFUL;
+               DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: "
+                        "invalid number of results (count=%d)\n", 
+                        dom_sid_str_buf(sid, &buf),
+                        count));
+               goto done;
+       }
+
+       if (!msg) {
+               DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: NULL msg\n", 
+                        dom_sid_str_buf(sid, &buf)));
+               status = NT_STATUS_UNSUCCESSFUL;
+               goto done;
+       }
+
+       user_dn = ads_get_dn(ads, mem_ctx, msg);
+       if (user_dn == NULL) {
+               status = NT_STATUS_NO_MEMORY;
+               goto done;
+       }
+
+       if (!ads_pull_uint32(ads, msg, "primaryGroupID", &primary_group_rid)) {
+               DEBUG(1,("%s: No primary group for sid=%s !?\n", 
+                        domain->name,
+                        dom_sid_str_buf(sid, &buf)));
+               goto done;
+       }
+
+       sid_compose(&primary_group, &domain->sid, primary_group_rid);
+
+       count = ads_pull_sids(ads, mem_ctx, msg, "tokenGroups", &sids);
+
+       /* there must always be at least one group in the token, 
+          unless we are talking to a buggy Win2k server */
+
+       /* actually this only happens when the machine account has no read
+        * permissions on the tokenGroup attribute - gd */
+
+       if (count == 0) {
+
+               /* no tokenGroups */
+
+               /* lookup what groups this user is a member of by DN search on
+                * "memberOf" */
+
+               status = lookup_usergroups_memberof(domain, mem_ctx, user_dn,
+                                                   &primary_group,
+                                                   &num_groups, user_sids);
+               *p_num_groups = num_groups;
+               if (NT_STATUS_IS_OK(status)) {
+                       goto done;
+               }
+
+               /* lookup what groups this user is a member of by DN search on
+                * "member" */
+
+               status = lookup_usergroups_member(domain, mem_ctx, user_dn, 
+                                                 &primary_group,
+                                                 &num_groups, user_sids);
+               *p_num_groups = num_groups;
+               goto done;
+       }
+
+       *user_sids = NULL;
+       num_groups = 0;
+
+       status = add_sid_to_array(mem_ctx, &primary_group, user_sids,
+                                 &num_groups);
+       if (!NT_STATUS_IS_OK(status)) {
+               goto done;
+       }
+
+       for (i=0;i<count;i++) {
+
+               /* ignore Builtin groups from ADS - Guenther */
+               if (sid_check_is_in_builtin(&sids[i])) {
+                       continue;
+               }
+
+               status = add_sid_to_array_unique(mem_ctx, &sids[i],
+                                                user_sids, &num_groups);
+               if (!NT_STATUS_IS_OK(status)) {
+                       goto done;
+               }
+       }
+
+       *p_num_groups = (uint32_t)num_groups;
+       status = (*user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
+
+       DEBUG(3,("ads lookup_usergroups (tokenGroups) succeeded for sid=%s\n",
+                dom_sid_str_buf(sid, &buf)));
+done:
+       TALLOC_FREE(user_dn);
+       ads_msgfree(ads, msg);
+       return status;
+}
+
 /* Lookup aliases a user is member of - use rpc methods */
 static NTSTATUS lookup_useraliases(struct winbindd_domain *domain,
                                   TALLOC_CTX *mem_ctx,
@@ -688,9 +1090,10 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
        uint32_t num_nocache = 0;
        TALLOC_CTX *tmp_ctx = NULL;
        uint32_t rid;
+       struct dom_sid_buf buf;
 
        DEBUG(10,("ads: lookup_groupmem %s sid=%s\n", domain->name,
-                 sid_string_dbg(group_sid)));
+                 dom_sid_str_buf(group_sid, &buf)));
 
        *num_names = 0;
 
@@ -816,7 +1219,8 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
                if (lookup_cached_sid(mem_ctx, &sid, &domain_name, &name,
                    &name_type)) {
                        DEBUG(10,("ads: lookup_groupmem: got sid %s from "
-                                 "cache\n", sid_string_dbg(&sid)));
+                                 "cache\n",
+                                 dom_sid_str_buf(&sid, &buf)));
                        sid_copy(&(*sid_mem)[*num_names], &sid);
                        (*names)[*num_names] = fill_domain_username_talloc(
                                                        *names,
@@ -829,7 +1233,8 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
                }
                else {
                        DEBUG(10, ("ads: lookup_groupmem: sid %s not found in "
-                                  "cache\n", sid_string_dbg(&sid)));
+                                  "cache\n",
+                                  dom_sid_str_buf(&sid, &buf)));
                        sid_copy(&(sid_mem_nocache)[num_nocache], &sid);
                        num_nocache++;
                }
@@ -905,7 +1310,7 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
 
        status = NT_STATUS_OK;
        DEBUG(3,("ads lookup_groupmem for sid=%s succeeded\n",
-                sid_string_dbg(group_sid)));
+                dom_sid_str_buf(group_sid, &buf)));
 
 done:
 
@@ -929,6 +1334,13 @@ static NTSTATUS sequence_number(struct winbindd_domain *domain, uint32_t *seq)
                return NT_STATUS_OK;
        }
 
+       if (IS_AD_DC) {
+               DEBUG(10,("sequence: Avoid LDAP connection for domain %s\n",
+                         domain->name));
+               *seq = time(NULL);
+               return NT_STATUS_OK;
+       }
+
        *seq = DOM_SEQUENCE_NONE;
 
        ads = ads_cached_connection(domain);
@@ -1130,6 +1542,14 @@ static NTSTATUS trusted_domains(struct winbindd_domain *domain,
                        }
                        TALLOC_FREE(parent);
 
+                       /*
+                        * We need to pass the modified properties
+                        * to the caller.
+                        */
+                       trust->trust_flags = d.domain_flags;
+                       trust->trust_type = d.domain_type;
+                       trust->trust_attributes = d.domain_trust_attribs;
+
                        wcache_tdc_add_domain( &d );
                        ret_count++;
                }
@@ -1146,6 +1566,7 @@ struct winbindd_methods ads_methods = {
        name_to_sid,
        sid_to_name,
        rids_to_names,
+       lookup_usergroups,
        lookup_useraliases,
        lookup_groupmem,
        sequence_number,