#include "../librpc/gen_ndr/ndr_netlogon_c.h"
#include "../libds/common/flags.h"
#include "ads.h"
-#include "secrets.h"
#include "../libcli/ldap/ldap_ndr.h"
#include "../libcli/security/security.h"
#include "../libds/common/flag_mapping.h"
#define DBGC_CLASS DBGC_WINBIND
extern struct winbindd_methods reconnect_methods;
+extern struct winbindd_methods msrpc_methods;
#define WINBIND_CCACHE_NAME "MEMORY:winbind_ccache"
expire = MIN(ads->auth.tgt_expire, ads->auth.tgs_expire);
DEBUG(7, ("Current tickets expire in %d seconds (at %d, time "
- "is now %d)\n", (uint32)expire - (uint32)now,
- (uint32) expire, (uint32) now));
+ "is now %d)\n", (uint32_t)expire - (uint32_t)now,
+ (uint32_t) expire, (uint32_t) now));
if ( ads->config.realm && (expire > now)) {
return;
}
}
+/**
+ * @brief Establish a connection to a DC
+ *
+ * @param[out] adsp ADS_STRUCT that will be created
+ * @param[in] target_realm Realm of domain to connect to
+ * @param[in] target_dom_name 'workgroup' name of domain to connect to
+ * @param[in] ldap_server DNS name of server to connect to
+ * @param[in] password Our machine acount secret
+ * @param[in] auth_realm Realm of local domain for creating krb token
+ * @param[in] renewable Renewable ticket time
+ *
+ * @return ADS_STATUS
+ */
static ADS_STATUS ads_cached_connection_connect(ADS_STRUCT **adsp,
- const char *dom_name_alt,
- const char *dom_name,
+ const char *target_realm,
+ const char *target_dom_name,
const char *ldap_server,
char *password,
- char *realm,
+ char *auth_realm,
time_t renewable)
{
ADS_STRUCT *ads;
struct sockaddr_storage dc_ss;
fstring dc_name;
+ if (auth_realm == NULL) {
+ return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
+ }
+
/* we don't want this to affect the users ccache */
setenv("KRB5CCNAME", WINBIND_CCACHE_NAME, 1);
- ads = ads_init(dom_name_alt, dom_name, ldap_server);
+ ads = ads_init(target_realm, target_dom_name, ldap_server);
if (!ads) {
- DEBUG(1,("ads_init for domain %s failed\n", dom_name));
+ DEBUG(1,("ads_init for domain %s failed\n", target_dom_name));
return ADS_ERROR(LDAP_NO_MEMORY);
}
ads->auth.renewable = renewable;
ads->auth.password = password;
- ads->auth.realm = SMB_STRDUP(realm);
+ ads->auth.realm = SMB_STRDUP(auth_realm);
if (!strupper_m(ads->auth.realm)) {
ads_destroy(&ads);
return ADS_ERROR_NT(NT_STATUS_INTERNAL_ERROR);
status = ads_connect(ads);
if (!ADS_ERR_OK(status)) {
DEBUG(1,("ads_connect for domain %s failed: %s\n",
- dom_name, ads_errstr(status)));
+ target_dom_name, ads_errstr(status)));
ads_destroy(&ads);
return status;
}
* Check if we can get server nam and realm from SAF cache
* and the domain list.
*/
- ldap_server = saf_fetch(dom_name);
+ ldap_server = saf_fetch(talloc_tos(), dom_name);
DEBUG(10, ("ldap_server from saf cache: '%s'\n",
ldap_server ? ldap_server : ""));
" domain '%s'\n", wb_dom->alt_name, dom_name));
if (!get_trust_pw_clear(dom_name, &password, NULL, NULL)) {
+ TALLOC_FREE(ldap_server);
return ADS_ERROR_NT(NT_STATUS_CANT_ACCESS_DOMAIN_INFO);
}
if (IS_DC) {
+ SMB_ASSERT(wb_dom->alt_name != NULL);
realm = SMB_STRDUP(wb_dom->alt_name);
} else {
struct winbindd_domain *our_domain = wb_dom;
}
}
- status = ads_cached_connection_connect(adsp, realm, dom_name, ldap_server,
- password, realm, 0);
+ status = ads_cached_connection_connect(
+ adsp, /* Returns ads struct. */
+ wb_dom->alt_name, /* realm to connect to. */
+ dom_name, /* 'workgroup' name for ads_init */
+ ldap_server, /* DNS name to connect to. */
+ password, /* password for auth realm. */
+ realm, /* realm used for krb5 ticket. */
+ 0); /* renewable ticket time. */
+
SAFE_FREE(realm);
+ TALLOC_FREE(ldap_server);
return status;
}
/* the machine acct password might have change - fetch it every time */
- if ( IS_DC ) {
+ if (!get_trust_pw_clear(domain->name, &password, NULL, NULL)) {
+ return NULL;
+ }
- if ( !pdb_get_trusteddom_pw( domain->name, &password, NULL,
- NULL ) ) {
- return NULL;
- }
+ if ( IS_DC ) {
+ SMB_ASSERT(domain->alt_name != NULL);
realm = SMB_STRDUP(domain->alt_name);
}
else {
struct winbindd_domain *our_domain = domain;
- password = secrets_fetch_machine_password(lp_workgroup(), NULL,
- NULL);
/* always give preference to the alt_name in our
primary domain if possible */
/* Query display info for a realm. This is the basic user list fn */
static NTSTATUS query_user_list(struct winbindd_domain *domain,
TALLOC_CTX *mem_ctx,
- uint32 *num_entries,
+ uint32_t *num_entries,
struct wbint_userinfo **pinfo)
{
ADS_STRUCT *ads = NULL;
if (!ADS_ERR_OK(rc)) {
DEBUG(1,("query_user_list ads_search: %s\n", ads_errstr(rc)));
status = ads_ntstatus(rc);
+ goto done;
} else if (!res) {
DEBUG(1,("query_user_list ads_search returned NULL res\n"));
-
goto done;
}
for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
struct wbint_userinfo *info = &((*pinfo)[count]);
- uint32 group;
- uint32 atype;
+ uint32_t group;
+ uint32_t atype;
if (!ads_pull_uint32(ads, msg, "sAMAccountType", &atype) ||
ds_atype_map(atype) != SID_NAME_USER) {
}
info->acct_name = ads_pull_username(ads, mem_ctx, msg);
- info->full_name = ads_pull_string(ads, mem_ctx, msg, "name");
+ info->full_name = ads_pull_string(ads, mem_ctx, msg, "displayName");
+ if (info->full_name == NULL) {
+ info->full_name = ads_pull_string(ads, mem_ctx, msg, "name");
+ }
info->homedir = NULL;
info->shell = NULL;
info->primary_gid = (gid_t)-1;
/* list all domain groups */
static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
TALLOC_CTX *mem_ctx,
- uint32 *num_entries,
+ uint32_t *num_entries,
struct wb_acct_info **info)
{
ADS_STRUCT *ads = NULL;
for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
char *name, *gecos;
struct dom_sid sid;
- uint32 rid;
+ uint32_t rid;
name = ads_pull_username(ads, mem_ctx, msg);
gecos = ads_pull_string(ads, mem_ctx, msg, "name");
/* list all domain local groups */
static NTSTATUS enum_local_groups(struct winbindd_domain *domain,
TALLOC_CTX *mem_ctx,
- uint32 *num_entries,
+ uint32_t *num_entries,
struct wb_acct_info **info)
{
/*
struct dom_sid *sid,
enum lsa_SidType *type)
{
- return reconnect_methods.name_to_sid(domain, mem_ctx,
- domain_name, name, flags,
- sid, type);
+ return msrpc_methods.name_to_sid(domain, mem_ctx, domain_name, name,
+ flags, sid, type);
}
/* convert a domain SID to a user or group name - use rpc methods */
char **name,
enum lsa_SidType *type)
{
- return reconnect_methods.sid_to_name(domain, mem_ctx, sid,
- domain_name, name, type);
+ return msrpc_methods.sid_to_name(domain, mem_ctx, sid,
+ domain_name, name, type);
}
/* convert a list of rids to names - use rpc methods */
static NTSTATUS rids_to_names(struct winbindd_domain *domain,
TALLOC_CTX *mem_ctx,
const struct dom_sid *sid,
- uint32 *rids,
+ uint32_t *rids,
size_t num_rids,
char **domain_name,
char ***names,
enum lsa_SidType **types)
{
- return reconnect_methods.rids_to_names(domain, mem_ctx, sid,
- rids, num_rids,
- domain_name, names, types);
+ return msrpc_methods.rids_to_names(domain, mem_ctx, sid,
+ rids, num_rids,
+ domain_name, names, types);
}
/* If you are looking for "dn_lookup": Yes, it used to be here!
LDAPMessage *msg = NULL;
char *ldap_exp;
char *sidstr;
- uint32 group_rid;
+ uint32_t group_rid;
NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
struct netr_SamInfo3 *user = NULL;
gid_t gid = -1;
int ret;
- char *ads_name;
+ char *full_name;
DEBUG(3,("ads: query_user\n"));
TALLOC_FREE(user);
+ if (info->full_name == NULL) {
+ /* this might fail so we don't check the return code */
+ wcache_query_user_fullname(domain,
+ mem_ctx,
+ sid,
+ &info->full_name);
+ }
+
return NT_STATUS_OK;
}
* nss_get_info_cached call. nss_get_info_cached might destroy
* the ads struct, potentially invalidating the ldap message.
*/
- ads_name = ads_pull_string(ads, mem_ctx, msg, "name");
+ full_name = ads_pull_string(ads, mem_ctx, msg, "displayName");
+ if (full_name == NULL) {
+ full_name = ads_pull_string(ads, mem_ctx, msg, "name");
+ }
ads_msgfree(ads, msg);
msg = NULL;
}
if (info->full_name == NULL) {
- info->full_name = ads_name;
+ info->full_name = full_name;
} else {
- TALLOC_FREE(ads_name);
+ TALLOC_FREE(full_name);
}
status = NT_STATUS_OK;
static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
TALLOC_CTX *mem_ctx,
const struct dom_sid *sid,
- uint32 *p_num_groups, struct dom_sid **user_sids)
+ uint32_t *p_num_groups, struct dom_sid **user_sids)
{
ADS_STRUCT *ads = NULL;
const char *attrs[] = {"tokenGroups", "primaryGroupID", NULL};
struct dom_sid *sids;
int i;
struct dom_sid primary_group;
- uint32 primary_group_rid;
+ uint32_t primary_group_rid;
NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
uint32_t num_groups = 0;
}
}
- *p_num_groups = (uint32)num_groups;
+ *p_num_groups = (uint32_t)num_groups;
status = (*user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
DEBUG(3,("ads lookup_usergroups (tokenGroups) succeeded for sid=%s\n",
/* Lookup aliases a user is member of - use rpc methods */
static NTSTATUS lookup_useraliases(struct winbindd_domain *domain,
TALLOC_CTX *mem_ctx,
- uint32 num_sids, const struct dom_sid *sids,
- uint32 *num_aliases, uint32 **alias_rids)
+ uint32_t num_sids, const struct dom_sid *sids,
+ uint32_t *num_aliases, uint32_t **alias_rids)
{
- return reconnect_methods.lookup_useraliases(domain, mem_ctx,
- num_sids, sids,
- num_aliases,
- alias_rids);
+ return msrpc_methods.lookup_useraliases(domain, mem_ctx, num_sids, sids,
+ num_aliases, alias_rids);
+}
+
+static NTSTATUS add_primary_group_members(
+ ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, uint32_t rid,
+ char ***all_members, size_t *num_all_members)
+{
+ char *filter;
+ NTSTATUS status = NT_STATUS_NO_MEMORY;
+ ADS_STATUS rc;
+ const char *attrs[] = { "dn", NULL };
+ LDAPMessage *res = NULL;
+ LDAPMessage *msg;
+ char **members;
+ size_t num_members;
+ ads_control args;
+
+ filter = talloc_asprintf(
+ mem_ctx, "(&(objectCategory=user)(primaryGroupID=%u))",
+ (unsigned)rid);
+ if (filter == NULL) {
+ goto done;
+ }
+
+ args.control = ADS_EXTENDED_DN_OID;
+ args.val = ADS_EXTENDED_DN_HEX_STRING;
+ args.critical = True;
+
+ rc = ads_do_search_all_args(ads, ads->config.bind_path,
+ LDAP_SCOPE_SUBTREE, filter, attrs, &args,
+ &res);
+
+ if (!ADS_ERR_OK(rc)) {
+ status = ads_ntstatus(rc);
+ DEBUG(1,("%s: ads_search: %s\n", __func__, ads_errstr(rc)));
+ goto done;
+ }
+ if (res == NULL) {
+ DEBUG(1,("%s: ads_search returned NULL res\n", __func__));
+ goto done;
+ }
+
+ num_members = ads_count_replies(ads, res);
+
+ DEBUG(10, ("%s: Got %ju primary group members\n", __func__,
+ (uintmax_t)num_members));
+
+ if (num_members == 0) {
+ status = NT_STATUS_OK;
+ goto done;
+ }
+
+ members = talloc_realloc(mem_ctx, *all_members, char *,
+ *num_all_members + num_members);
+ if (members == NULL) {
+ DEBUG(1, ("%s: talloc_realloc failed\n", __func__));
+ goto done;
+ }
+ *all_members = members;
+
+ for (msg = ads_first_entry(ads, res); msg != NULL;
+ msg = ads_next_entry(ads, msg)) {
+ char *dn;
+
+ dn = ads_get_dn(ads, members, msg);
+ if (dn == NULL) {
+ DEBUG(1, ("%s: ads_get_dn failed\n", __func__));
+ continue;
+ }
+
+ members[*num_all_members] = dn;
+ *num_all_members += 1;
+ }
+
+ status = NT_STATUS_OK;
+done:
+ if (res != NULL) {
+ ads_msgfree(ads, res);
+ }
+ TALLOC_FREE(filter);
+ return status;
}
/*
TALLOC_CTX *mem_ctx,
const struct dom_sid *group_sid,
enum lsa_SidType type,
- uint32 *num_names,
+ uint32_t *num_names,
struct dom_sid **sid_mem, char ***names,
- uint32 **name_types)
+ uint32_t **name_types)
{
ADS_STATUS rc;
ADS_STRUCT *ads = NULL;
char **names_nocache = NULL;
enum lsa_SidType *name_types_nocache = NULL;
char **domains_nocache = NULL; /* only needed for rpccli_lsa_lookup_sids */
- uint32 num_nocache = 0;
+ uint32_t num_nocache = 0;
TALLOC_CTX *tmp_ctx = NULL;
+ uint32_t rid;
DEBUG(10,("ads: lookup_groupmem %s sid=%s\n", domain->name,
sid_string_dbg(group_sid)));
goto done;
}
+ if (!sid_peek_rid(group_sid, &rid)) {
+ DEBUG(1, ("%s: sid_peek_rid failed\n", __func__));
+ status = NT_STATUS_INVALID_PARAMETER;
+ goto done;
+ }
+
if ( !winbindd_can_contact_domain( domain ) ) {
DEBUG(10,("lookup_groupmem: No incoming trust for domain %s\n",
domain->name));
DEBUG(10, ("ads lookup_groupmem: got %d sids via extended dn call\n", (int)num_members));
+ status = add_primary_group_members(ads, mem_ctx, rid,
+ &members, &num_members);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(10, ("%s: add_primary_group_members failed: %s\n",
+ __func__, nt_errstr(status)));
+ goto done;
+ }
+
+ DEBUG(10, ("%s: Got %d sids after adding primary group members\n",
+ __func__, (int)num_members));
+
/* Now that we have a list of sids, we need to get the
* lists of names and name_types belonging to these sids.
* even though conceptually not quite clean, we use the
if (num_members) {
(*sid_mem) = talloc_zero_array(mem_ctx, struct dom_sid, num_members);
(*names) = talloc_zero_array(mem_ctx, char *, num_members);
- (*name_types) = talloc_zero_array(mem_ctx, uint32, num_members);
+ (*name_types) = talloc_zero_array(mem_ctx, uint32_t, num_members);
(sid_mem_nocache) = talloc_zero_array(tmp_ctx, struct dom_sid, num_members);
if ((members == NULL) || (*sid_mem == NULL) ||
}
/* find the sequence number for a domain */
-static NTSTATUS sequence_number(struct winbindd_domain *domain, uint32 *seq)
+static NTSTATUS sequence_number(struct winbindd_domain *domain, uint32_t *seq)
{
ADS_STRUCT *ads = NULL;
ADS_STATUS rc;
TALLOC_CTX *mem_ctx,
struct samr_DomInfo12 *policy)
{
- return reconnect_methods.lockout_policy(domain, mem_ctx, policy);
+ return msrpc_methods.lockout_policy(domain, mem_ctx, policy);
}
/* find the password policy of a domain - use rpc methods */
TALLOC_CTX *mem_ctx,
struct samr_DomInfo1 *policy)
{
- return reconnect_methods.password_policy(domain, mem_ctx, policy);
+ return msrpc_methods.password_policy(domain, mem_ctx, policy);
}
/* get a list of trusted domains */
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
WERROR werr;
int i;
- uint32 flags;
+ uint32_t flags;
struct rpc_pipe_client *cli;
int ret_count;
struct dcerpc_binding_handle *b;
*/
if ((trust->trust_attributes
- == NETR_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) &&
+ == LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) &&
!domain->primary )
{
DEBUG(10,("trusted_domains: Skipping external trusted "
git.samba.org / obnox / samba / samba-obnox.git / blobdiff