2 * idmap_ad: map between Active Directory and RFC 2307 or "Services for Unix" (SFU) Accounts
4 * Unix SMB/CIFS implementation.
6 * Winbind ADS backend functions
8 * Copyright (C) Andrew Tridgell 2001
9 * Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003
10 * Copyright (C) Gerald (Jerry) Carter 2004-2007
11 * Copyright (C) Luke Howard 2001-2004
12 * Copyright (C) Michael Adam 2008,2010
14 * This program is free software; you can redistribute it and/or modify
15 * it under the terms of the GNU General Public License as published by
16 * the Free Software Foundation; either version 3 of the License, or
17 * (at your option) any later version.
19 * This program is distributed in the hope that it will be useful,
20 * but WITHOUT ANY WARRANTY; without even the implied warranty of
21 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 * GNU General Public License for more details.
24 * You should have received a copy of the GNU General Public License
25 * along with this program; if not, see <http://www.gnu.org/licenses/>.
30 #include "../libds/common/flags.h"
32 #include "libads/ldap_schema.h"
36 #include "../libcli/ldap/ldap_ndr.h"
37 #include "../libcli/security/security.h"
40 #define DBGC_CLASS DBGC_IDMAP
42 #define WINBIND_CCACHE_NAME "MEMORY:winbind_ccache"
44 #define IDMAP_AD_MAX_IDS 30
45 #define CHECK_ALLOC_DONE(mem) do { \
47 DEBUG(0, ("Out of memory!\n")); \
48 ret = NT_STATUS_NO_MEMORY; \
53 struct idmap_ad_context {
55 struct posix_schema *ad_schema;
56 enum wb_posix_mapping ad_map_type; /* WB_POSIX_MAP_UNKNOWN */
59 NTSTATUS init_module(void);
61 /************************************************************************
62 ***********************************************************************/
64 static ADS_STATUS ad_idmap_cached_connection_internal(struct idmap_domain *dom)
70 struct sockaddr_storage dc_ip;
71 struct idmap_ad_context *ctx;
72 char *ldap_server = NULL;
74 struct winbindd_domain *wb_dom;
76 DEBUG(10, ("ad_idmap_cached_connection: called for domain '%s'\n",
79 ctx = talloc_get_type(dom->private_data, struct idmap_ad_context);
81 if (ctx->ads != NULL) {
84 time_t now = time(NULL);
88 expire = MIN(ads->auth.tgt_expire, ads->auth.tgs_expire);
90 /* check for a valid structure */
91 DEBUG(7, ("Current tickets expire in %d seconds (at %d, time is now %d)\n",
92 (uint32)expire-(uint32)now, (uint32) expire, (uint32) now));
94 if ( ads->config.realm && (expire > time(NULL))) {
97 /* we own this ADS_STRUCT so make sure it goes away */
98 DEBUG(7,("Deleting expired krb5 credential cache\n"));
101 ads_kdestroy(WINBIND_CCACHE_NAME);
107 /* we don't want this to affect the users ccache */
108 setenv("KRB5CCNAME", WINBIND_CCACHE_NAME, 1);
112 * At this point we only have the NetBIOS domain name.
113 * Check if we can get server nam and realm from SAF cache
114 * and the domain list.
116 ldap_server = saf_fetch(dom->name);
117 DEBUG(10, ("ldap_server from saf cache: '%s'\n", ldap_server?ldap_server:""));
119 wb_dom = find_domain_from_name_noinit(dom->name);
120 if (wb_dom == NULL) {
121 DEBUG(10, ("find_domain_from_name_noinit did not find domain '%s'\n",
125 DEBUG(10, ("find_domain_from_name_noinit found realm '%s' for "
126 " domain '%s'\n", wb_dom->alt_name, dom->name));
127 realm = wb_dom->alt_name;
130 if ( (ads = ads_init(realm, dom->name, ldap_server)) == NULL ) {
131 DEBUG(1,("ads_init failed\n"));
132 return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
135 /* the machine acct password might have change - fetch it every time */
136 SAFE_FREE(ads->auth.password);
137 ads->auth.password = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
139 SAFE_FREE(ads->auth.realm);
140 ads->auth.realm = SMB_STRDUP(lp_realm());
142 /* setup server affinity */
144 get_dc_name(dom->name, realm, dc_name, &dc_ip );
146 status = ads_connect(ads);
147 if (!ADS_ERR_OK(status)) {
148 DEBUG(1, ("ad_idmap_cached_connection_internal: failed to "
154 ads->is_mine = False;
161 /************************************************************************
162 ***********************************************************************/
164 static ADS_STATUS ad_idmap_cached_connection(struct idmap_domain *dom)
167 struct idmap_ad_context * ctx;
169 status = ad_idmap_cached_connection_internal(dom);
170 if (!ADS_ERR_OK(status)) {
174 ctx = talloc_get_type(dom->private_data, struct idmap_ad_context);
176 /* if we have a valid ADS_STRUCT and the schema model is
177 defined, then we can return here. */
179 if ( ctx->ad_schema ) {
183 /* Otherwise, set the schema model */
185 if ( (ctx->ad_map_type == WB_POSIX_MAP_SFU) ||
186 (ctx->ad_map_type == WB_POSIX_MAP_SFU20) ||
187 (ctx->ad_map_type == WB_POSIX_MAP_RFC2307) )
189 status = ads_check_posix_schema_mapping(
190 ctx, ctx->ads, ctx->ad_map_type, &ctx->ad_schema);
191 if ( !ADS_ERR_OK(status) ) {
192 DEBUG(2,("ad_idmap_cached_connection: Failed to obtain schema details!\n"));
199 static int idmap_ad_context_destructor(struct idmap_ad_context *ctx)
201 if (ctx->ads != NULL) {
202 /* we own this ADS_STRUCT so make sure it goes away */
203 ctx->ads->is_mine = True;
204 ads_destroy( &ctx->ads );
210 /************************************************************************
211 ***********************************************************************/
213 static NTSTATUS idmap_ad_initialize(struct idmap_domain *dom,
216 struct idmap_ad_context *ctx;
218 const char *schema_mode = NULL;
220 ctx = TALLOC_ZERO_P(dom, struct idmap_ad_context);
222 DEBUG(0, ("Out of memory!\n"));
223 return NT_STATUS_NO_MEMORY;
225 talloc_set_destructor(ctx, idmap_ad_context_destructor);
227 config_option = talloc_asprintf(ctx, "idmap config %s", dom->name);
228 if (config_option == NULL) {
229 DEBUG(0, ("Out of memory!\n"));
231 return NT_STATUS_NO_MEMORY;
234 /* default map type */
235 ctx->ad_map_type = WB_POSIX_MAP_RFC2307;
238 schema_mode = lp_parm_const_string(-1, config_option, "schema_mode", NULL);
239 if ( schema_mode && schema_mode[0] ) {
240 if ( strequal(schema_mode, "sfu") )
241 ctx->ad_map_type = WB_POSIX_MAP_SFU;
242 else if ( strequal(schema_mode, "sfu20" ) )
243 ctx->ad_map_type = WB_POSIX_MAP_SFU20;
244 else if ( strequal(schema_mode, "rfc2307" ) )
245 ctx->ad_map_type = WB_POSIX_MAP_RFC2307;
247 DEBUG(0,("idmap_ad_initialize: Unknown schema_mode (%s)\n",
251 dom->private_data = ctx;
253 talloc_free(config_option);
258 /************************************************************************
259 Search up to IDMAP_AD_MAX_IDS entries in maps for a match.
260 ***********************************************************************/
262 static struct id_map *find_map_by_id(struct id_map **maps, enum id_type type, uint32_t id)
266 for (i = 0; maps[i] && i<IDMAP_AD_MAX_IDS; i++) {
267 if ((maps[i]->xid.type == type) && (maps[i]->xid.id == id)) {
275 /************************************************************************
276 Search up to IDMAP_AD_MAX_IDS entries in maps for a match
277 ***********************************************************************/
279 static struct id_map *find_map_by_sid(struct id_map **maps, struct dom_sid *sid)
283 for (i = 0; maps[i] && i<IDMAP_AD_MAX_IDS; i++) {
284 if (dom_sid_equal(maps[i]->sid, sid)) {
292 /************************************************************************
293 ***********************************************************************/
295 static NTSTATUS idmap_ad_unixids_to_sids(struct idmap_domain *dom, struct id_map **ids)
299 struct idmap_ad_context *ctx;
301 const char *attrs[] = { "sAMAccountType",
303 NULL, /* uidnumber */
304 NULL, /* gidnumber */
306 LDAPMessage *res = NULL;
307 LDAPMessage *entry = NULL;
313 char *u_filter = NULL;
314 char *g_filter = NULL;
316 /* initialize the status to avoid suprise */
317 for (i = 0; ids[i]; i++) {
318 ids[i]->status = ID_UNKNOWN;
321 /* Only do query if we are online */
322 if (idmap_is_offline()) {
323 return NT_STATUS_FILE_IS_OFFLINE;
326 ctx = talloc_get_type(dom->private_data, struct idmap_ad_context);
328 if ( (memctx = talloc_new(ctx)) == NULL ) {
329 DEBUG(0, ("Out of memory!\n"));
330 return NT_STATUS_NO_MEMORY;
333 rc = ad_idmap_cached_connection(dom);
334 if (!ADS_ERR_OK(rc)) {
335 DEBUG(1, ("ADS uninitialized: %s\n", ads_errstr(rc)));
336 ret = NT_STATUS_UNSUCCESSFUL;
337 /* ret = ads_ntstatus(rc); */
341 attrs[2] = ctx->ad_schema->posix_uidnumber_attr;
342 attrs[3] = ctx->ad_schema->posix_gidnumber_attr;
346 for (i = 0; (i < IDMAP_AD_MAX_IDS) && ids[idx]; i++, idx++) {
347 switch (ids[idx]->xid.type) {
350 u_filter = talloc_asprintf(memctx, "(&(|"
351 "(sAMAccountType=%d)"
352 "(sAMAccountType=%d)"
353 "(sAMAccountType=%d))(|",
354 ATYPE_NORMAL_ACCOUNT,
355 ATYPE_WORKSTATION_TRUST,
356 ATYPE_INTERDOMAIN_TRUST);
358 u_filter = talloc_asprintf_append_buffer(u_filter, "(%s=%lu)",
359 ctx->ad_schema->posix_uidnumber_attr,
360 (unsigned long)ids[idx]->xid.id);
361 CHECK_ALLOC_DONE(u_filter);
366 g_filter = talloc_asprintf(memctx, "(&(|"
367 "(sAMAccountType=%d)"
368 "(sAMAccountType=%d))(|",
369 ATYPE_SECURITY_GLOBAL_GROUP,
370 ATYPE_SECURITY_LOCAL_GROUP);
372 g_filter = talloc_asprintf_append_buffer(g_filter, "(%s=%lu)",
373 ctx->ad_schema->posix_gidnumber_attr,
374 (unsigned long)ids[idx]->xid.id);
375 CHECK_ALLOC_DONE(g_filter);
379 DEBUG(3, ("Error: mapping requested but Unknown ID type\n"));
380 ids[idx]->status = ID_UNKNOWN;
384 filter = talloc_asprintf(memctx, "(|");
385 CHECK_ALLOC_DONE(filter);
387 filter = talloc_asprintf_append_buffer(filter, "%s))", u_filter);
388 CHECK_ALLOC_DONE(filter);
389 TALLOC_FREE(u_filter);
392 filter = talloc_asprintf_append_buffer(filter, "%s))", g_filter);
393 CHECK_ALLOC_DONE(filter);
394 TALLOC_FREE(g_filter);
396 filter = talloc_asprintf_append_buffer(filter, ")");
397 CHECK_ALLOC_DONE(filter);
399 rc = ads_search_retry(ctx->ads, &res, filter, attrs);
400 if (!ADS_ERR_OK(rc)) {
401 DEBUG(1, ("ERROR: ads search returned: %s\n", ads_errstr(rc)));
402 ret = NT_STATUS_UNSUCCESSFUL;
406 if ( (count = ads_count_replies(ctx->ads, res)) == 0 ) {
407 DEBUG(10, ("No IDs found\n"));
411 for (i = 0; (i < count) && entry; i++) {
418 if (i == 0) { /* first entry */
419 entry = ads_first_entry(ctx->ads, entry);
420 } else { /* following ones */
421 entry = ads_next_entry(ctx->ads, entry);
425 DEBUG(2, ("ERROR: Unable to fetch ldap entries from results\n"));
429 /* first check if the SID is present */
430 if (!ads_pull_sid(ctx->ads, entry, "objectSid", &sid)) {
431 DEBUG(2, ("Could not retrieve SID from entry\n"));
436 if (!ads_pull_uint32(ctx->ads, entry, "sAMAccountType", &atype)) {
437 DEBUG(1, ("could not get SAM account type\n"));
441 switch (atype & 0xF0000000) {
442 case ATYPE_SECURITY_GLOBAL_GROUP:
443 case ATYPE_SECURITY_LOCAL_GROUP:
446 case ATYPE_NORMAL_ACCOUNT:
447 case ATYPE_WORKSTATION_TRUST:
448 case ATYPE_INTERDOMAIN_TRUST:
452 DEBUG(1, ("unrecognized SAM account type %08x\n", atype));
456 if (!ads_pull_uint32(ctx->ads, entry, (type==ID_TYPE_UID) ?
457 ctx->ad_schema->posix_uidnumber_attr :
458 ctx->ad_schema->posix_gidnumber_attr,
461 DEBUG(1, ("Could not get unix ID\n"));
465 if (!idmap_unix_id_is_in_range(id, dom)) {
466 DEBUG(5, ("Requested id (%u) out of range (%u - %u). Filtered!\n",
467 id, dom->low_id, dom->high_id));
471 map = find_map_by_id(&ids[bidx], type, id);
473 DEBUG(2, ("WARNING: couldn't match result with requested ID\n"));
477 sid_copy(map->sid, &sid);
480 map->status = ID_MAPPED;
482 DEBUG(10, ("Mapped %s -> %lu (%d)\n", sid_string_dbg(map->sid),
483 (unsigned long)map->xid.id,
488 ads_msgfree(ctx->ads, res);
491 if (ids[idx]) { /* still some values to map */
497 /* mark all unknown/expired ones as unmapped */
498 for (i = 0; ids[i]; i++) {
499 if (ids[i]->status != ID_MAPPED)
500 ids[i]->status = ID_UNMAPPED;
508 /************************************************************************
509 ***********************************************************************/
511 static NTSTATUS idmap_ad_sids_to_unixids(struct idmap_domain *dom, struct id_map **ids)
515 struct idmap_ad_context *ctx;
517 const char *attrs[] = { "sAMAccountType",
519 NULL, /* attr_uidnumber */
520 NULL, /* attr_gidnumber */
522 LDAPMessage *res = NULL;
523 LDAPMessage *entry = NULL;
531 /* initialize the status to avoid suprise */
532 for (i = 0; ids[i]; i++) {
533 ids[i]->status = ID_UNKNOWN;
536 /* Only do query if we are online */
537 if (idmap_is_offline()) {
538 return NT_STATUS_FILE_IS_OFFLINE;
541 ctx = talloc_get_type(dom->private_data, struct idmap_ad_context);
543 if ( (memctx = talloc_new(ctx)) == NULL ) {
544 DEBUG(0, ("Out of memory!\n"));
545 return NT_STATUS_NO_MEMORY;
548 rc = ad_idmap_cached_connection(dom);
549 if (!ADS_ERR_OK(rc)) {
550 DEBUG(1, ("ADS uninitialized: %s\n", ads_errstr(rc)));
551 ret = NT_STATUS_UNSUCCESSFUL;
552 /* ret = ads_ntstatus(rc); */
556 if (ctx->ad_schema == NULL) {
557 DEBUG(0, ("haven't got ctx->ad_schema ! \n"));
558 ret = NT_STATUS_UNSUCCESSFUL;
562 attrs[2] = ctx->ad_schema->posix_uidnumber_attr;
563 attrs[3] = ctx->ad_schema->posix_gidnumber_attr;
566 filter = talloc_asprintf(memctx, "(&(|"
567 "(sAMAccountType=%d)(sAMAccountType=%d)(sAMAccountType=%d)" /* user account types */
568 "(sAMAccountType=%d)(sAMAccountType=%d)" /* group account types */
570 ATYPE_NORMAL_ACCOUNT, ATYPE_WORKSTATION_TRUST, ATYPE_INTERDOMAIN_TRUST,
571 ATYPE_SECURITY_GLOBAL_GROUP, ATYPE_SECURITY_LOCAL_GROUP);
573 CHECK_ALLOC_DONE(filter);
576 for (i = 0; (i < IDMAP_AD_MAX_IDS) && ids[idx]; i++, idx++) {
578 ids[idx]->status = ID_UNKNOWN;
580 sidstr = ldap_encode_ndr_dom_sid(talloc_tos(), ids[idx]->sid);
581 filter = talloc_asprintf_append_buffer(filter, "(objectSid=%s)", sidstr);
584 CHECK_ALLOC_DONE(filter);
586 filter = talloc_asprintf_append_buffer(filter, "))");
587 CHECK_ALLOC_DONE(filter);
588 DEBUG(10, ("Filter: [%s]\n", filter));
590 rc = ads_search_retry(ctx->ads, &res, filter, attrs);
591 if (!ADS_ERR_OK(rc)) {
592 DEBUG(1, ("ERROR: ads search returned: %s\n", ads_errstr(rc)));
593 ret = NT_STATUS_UNSUCCESSFUL;
597 if ( (count = ads_count_replies(ctx->ads, res)) == 0 ) {
598 DEBUG(10, ("No IDs found\n"));
602 for (i = 0; (i < count) && entry; i++) {
609 if (i == 0) { /* first entry */
610 entry = ads_first_entry(ctx->ads, entry);
611 } else { /* following ones */
612 entry = ads_next_entry(ctx->ads, entry);
616 DEBUG(2, ("ERROR: Unable to fetch ldap entries from results\n"));
620 /* first check if the SID is present */
621 if (!ads_pull_sid(ctx->ads, entry, "objectSid", &sid)) {
622 DEBUG(2, ("Could not retrieve SID from entry\n"));
626 map = find_map_by_sid(&ids[bidx], &sid);
628 DEBUG(2, ("WARNING: couldn't match result with requested SID\n"));
633 if (!ads_pull_uint32(ctx->ads, entry, "sAMAccountType", &atype)) {
634 DEBUG(1, ("could not get SAM account type\n"));
638 switch (atype & 0xF0000000) {
639 case ATYPE_SECURITY_GLOBAL_GROUP:
640 case ATYPE_SECURITY_LOCAL_GROUP:
643 case ATYPE_NORMAL_ACCOUNT:
644 case ATYPE_WORKSTATION_TRUST:
645 case ATYPE_INTERDOMAIN_TRUST:
649 DEBUG(1, ("unrecognized SAM account type %08x\n", atype));
653 if (!ads_pull_uint32(ctx->ads, entry, (type==ID_TYPE_UID) ?
654 ctx->ad_schema->posix_uidnumber_attr :
655 ctx->ad_schema->posix_gidnumber_attr,
658 DEBUG(1, ("Could not get unix ID\n"));
661 if (!idmap_unix_id_is_in_range(id, dom)) {
662 DEBUG(5, ("Requested id (%u) out of range (%u - %u). Filtered!\n",
663 id, dom->low_id, dom->high_id));
668 map->xid.type = type;
670 map->status = ID_MAPPED;
672 DEBUG(10, ("Mapped %s -> %lu (%d)\n", sid_string_dbg(map->sid),
673 (unsigned long)map->xid.id,
678 ads_msgfree(ctx->ads, res);
681 if (ids[idx]) { /* still some values to map */
687 /* mark all unknown/expired ones as unmapped */
688 for (i = 0; ids[i]; i++) {
689 if (ids[i]->status != ID_MAPPED)
690 ids[i]->status = ID_UNMAPPED;
699 * nss_info_{sfu,sfu20,rfc2307}
702 /************************************************************************
703 Initialize the {sfu,sfu20,rfc2307} state
704 ***********************************************************************/
706 static const char *wb_posix_map_unknown_string = "WB_POSIX_MAP_UNKNOWN";
707 static const char *wb_posix_map_template_string = "WB_POSIX_MAP_TEMPLATE";
708 static const char *wb_posix_map_sfu_string = "WB_POSIX_MAP_SFU";
709 static const char *wb_posix_map_sfu20_string = "WB_POSIX_MAP_SFU20";
710 static const char *wb_posix_map_rfc2307_string = "WB_POSIX_MAP_RFC2307";
711 static const char *wb_posix_map_unixinfo_string = "WB_POSIX_MAP_UNIXINFO";
713 static const char *ad_map_type_string(enum wb_posix_mapping map_type)
716 case WB_POSIX_MAP_TEMPLATE:
717 return wb_posix_map_template_string;
718 case WB_POSIX_MAP_SFU:
719 return wb_posix_map_sfu_string;
720 case WB_POSIX_MAP_SFU20:
721 return wb_posix_map_sfu20_string;
722 case WB_POSIX_MAP_RFC2307:
723 return wb_posix_map_rfc2307_string;
724 case WB_POSIX_MAP_UNIXINFO:
725 return wb_posix_map_unixinfo_string;
727 return wb_posix_map_unknown_string;
731 static NTSTATUS nss_ad_generic_init(struct nss_domain_entry *e,
732 enum wb_posix_mapping new_ad_map_type)
734 struct idmap_domain *dom;
735 struct idmap_ad_context *ctx;
737 if (e->state != NULL) {
738 dom = talloc_get_type(e->state, struct idmap_domain);
740 dom = TALLOC_ZERO_P(e, struct idmap_domain);
742 DEBUG(0, ("Out of memory!\n"));
743 return NT_STATUS_NO_MEMORY;
748 if (e->domain != NULL) {
749 dom->name = talloc_strdup(dom, e->domain);
750 if (dom->name == NULL) {
751 DEBUG(0, ("Out of memory!\n"));
752 return NT_STATUS_NO_MEMORY;
756 if (dom->private_data != NULL) {
757 ctx = talloc_get_type(dom->private_data,
758 struct idmap_ad_context);
760 ctx = TALLOC_ZERO_P(dom, struct idmap_ad_context);
762 DEBUG(0, ("Out of memory!\n"));
763 return NT_STATUS_NO_MEMORY;
765 ctx->ad_map_type = WB_POSIX_MAP_RFC2307;
766 dom->private_data = ctx;
769 if ((ctx->ad_map_type != WB_POSIX_MAP_UNKNOWN) &&
770 (ctx->ad_map_type != new_ad_map_type))
772 DEBUG(2, ("nss_ad_generic_init: "
773 "Warning: overriding previously set posix map type "
774 "%s for domain %s with map type %s.\n",
775 ad_map_type_string(ctx->ad_map_type),
777 ad_map_type_string(new_ad_map_type)));
780 ctx->ad_map_type = new_ad_map_type;
785 static NTSTATUS nss_sfu_init( struct nss_domain_entry *e )
787 return nss_ad_generic_init(e, WB_POSIX_MAP_SFU);
790 static NTSTATUS nss_sfu20_init( struct nss_domain_entry *e )
792 return nss_ad_generic_init(e, WB_POSIX_MAP_SFU20);
795 static NTSTATUS nss_rfc2307_init( struct nss_domain_entry *e )
797 return nss_ad_generic_init(e, WB_POSIX_MAP_RFC2307);
801 /************************************************************************
802 ***********************************************************************/
804 static NTSTATUS nss_ad_get_info( struct nss_domain_entry *e,
805 const struct dom_sid *sid,
807 const char **homedir,
812 const char *attrs[] = {NULL, /* attr_homedir */
813 NULL, /* attr_shell */
814 NULL, /* attr_gecos */
815 NULL, /* attr_gidnumber */
818 LDAPMessage *msg_internal = NULL;
819 ADS_STATUS ads_status = ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
820 NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
822 struct idmap_domain *dom;
823 struct idmap_ad_context *ctx;
825 DEBUG(10, ("nss_ad_get_info called for sid [%s] in domain '%s'\n",
826 sid_string_dbg(sid), e->domain?e->domain:"NULL"));
828 /* Only do query if we are online */
829 if (idmap_is_offline()) {
830 return NT_STATUS_FILE_IS_OFFLINE;
833 dom = talloc_get_type(e->state, struct idmap_domain);
834 ctx = talloc_get_type(dom->private_data, struct idmap_ad_context);
836 ads_status = ad_idmap_cached_connection(dom);
837 if (!ADS_ERR_OK(ads_status)) {
838 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
841 if (!ctx->ad_schema) {
842 DEBUG(10, ("nss_ad_get_info: no ad_schema configured!\n"));
843 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
846 if (!sid || !homedir || !shell || !gecos) {
847 return NT_STATUS_INVALID_PARAMETER;
850 /* Have to do our own query */
852 DEBUG(10, ("nss_ad_get_info: no ads connection given, doing our "
855 attrs[0] = ctx->ad_schema->posix_homedir_attr;
856 attrs[1] = ctx->ad_schema->posix_shell_attr;
857 attrs[2] = ctx->ad_schema->posix_gecos_attr;
858 attrs[3] = ctx->ad_schema->posix_gidnumber_attr;
860 sidstr = ldap_encode_ndr_dom_sid(mem_ctx, sid);
861 filter = talloc_asprintf(mem_ctx, "(objectSid=%s)", sidstr);
865 nt_status = NT_STATUS_NO_MEMORY;
869 ads_status = ads_search_retry(ctx->ads, &msg_internal, filter, attrs);
870 if (!ADS_ERR_OK(ads_status)) {
871 nt_status = ads_ntstatus(ads_status);
875 *homedir = ads_pull_string(ctx->ads, mem_ctx, msg_internal, ctx->ad_schema->posix_homedir_attr);
876 *shell = ads_pull_string(ctx->ads, mem_ctx, msg_internal, ctx->ad_schema->posix_shell_attr);
877 *gecos = ads_pull_string(ctx->ads, mem_ctx, msg_internal, ctx->ad_schema->posix_gecos_attr);
880 if (!ads_pull_uint32(ctx->ads, msg_internal, ctx->ad_schema->posix_gidnumber_attr, gid))
884 nt_status = NT_STATUS_OK;
888 ads_msgfree(ctx->ads, msg_internal);
894 /**********************************************************************
895 *********************************************************************/
897 static NTSTATUS nss_ad_map_to_alias(TALLOC_CTX *mem_ctx,
898 struct nss_domain_entry *e,
902 const char *attrs[] = {NULL, /* attr_uid */
905 LDAPMessage *msg = NULL;
906 ADS_STATUS ads_status = ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
907 NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
908 struct idmap_domain *dom;
909 struct idmap_ad_context *ctx = NULL;
911 /* Check incoming parameters */
913 if ( !e || !e->domain || !name || !*alias) {
914 nt_status = NT_STATUS_INVALID_PARAMETER;
918 /* Only do query if we are online */
920 if (idmap_is_offline()) {
921 nt_status = NT_STATUS_FILE_IS_OFFLINE;
925 dom = talloc_get_type(e->state, struct idmap_domain);
926 ctx = talloc_get_type(dom->private_data, struct idmap_ad_context);
928 ads_status = ad_idmap_cached_connection(dom);
929 if (!ADS_ERR_OK(ads_status)) {
930 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
933 if (!ctx->ad_schema) {
934 nt_status = NT_STATUS_OBJECT_PATH_NOT_FOUND;
938 attrs[0] = ctx->ad_schema->posix_uid_attr;
940 filter = talloc_asprintf(mem_ctx,
941 "(sAMAccountName=%s)",
944 nt_status = NT_STATUS_NO_MEMORY;
948 ads_status = ads_search_retry(ctx->ads, &msg, filter, attrs);
949 if (!ADS_ERR_OK(ads_status)) {
950 nt_status = ads_ntstatus(ads_status);
954 *alias = ads_pull_string(ctx->ads, mem_ctx, msg, ctx->ad_schema->posix_uid_attr);
957 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
960 nt_status = NT_STATUS_OK;
964 talloc_destroy(filter);
967 ads_msgfree(ctx->ads, msg);
973 /**********************************************************************
974 *********************************************************************/
976 static NTSTATUS nss_ad_map_from_alias( TALLOC_CTX *mem_ctx,
977 struct nss_domain_entry *e,
981 const char *attrs[] = {"sAMAccountName",
984 LDAPMessage *msg = NULL;
985 ADS_STATUS ads_status = ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
986 NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
988 struct idmap_domain *dom;
989 struct idmap_ad_context *ctx = NULL;
991 /* Check incoming parameters */
993 if ( !alias || !name) {
994 nt_status = NT_STATUS_INVALID_PARAMETER;
998 /* Only do query if we are online */
1000 if (idmap_is_offline()) {
1001 nt_status = NT_STATUS_FILE_IS_OFFLINE;
1005 dom = talloc_get_type(e->state, struct idmap_domain);
1006 ctx = talloc_get_type(dom->private_data, struct idmap_ad_context);
1008 ads_status = ad_idmap_cached_connection(dom);
1009 if (!ADS_ERR_OK(ads_status)) {
1010 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1013 if (!ctx->ad_schema) {
1014 nt_status = NT_STATUS_OBJECT_PATH_NOT_FOUND;
1018 filter = talloc_asprintf(mem_ctx,
1020 ctx->ad_schema->posix_uid_attr,
1023 nt_status = NT_STATUS_NO_MEMORY;
1027 ads_status = ads_search_retry(ctx->ads, &msg, filter, attrs);
1028 if (!ADS_ERR_OK(ads_status)) {
1029 nt_status = ads_ntstatus(ads_status);
1033 username = ads_pull_string(ctx->ads, mem_ctx, msg,
1036 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1039 *name = talloc_asprintf(mem_ctx, "%s\\%s",
1043 nt_status = NT_STATUS_NO_MEMORY;
1047 nt_status = NT_STATUS_OK;
1051 talloc_destroy(filter);
1054 ads_msgfree(ctx->ads, msg);
1060 /************************************************************************
1061 Function dispatch tables for the idmap and nss plugins
1062 ***********************************************************************/
1064 static struct idmap_methods ad_methods = {
1065 .init = idmap_ad_initialize,
1066 .unixids_to_sids = idmap_ad_unixids_to_sids,
1067 .sids_to_unixids = idmap_ad_sids_to_unixids,
1070 /* The SFU and RFC2307 NSS plugins share everything but the init
1071 function which sets the intended schema model to use */
1073 static struct nss_info_methods nss_rfc2307_methods = {
1074 .init = nss_rfc2307_init,
1075 .get_nss_info = nss_ad_get_info,
1076 .map_to_alias = nss_ad_map_to_alias,
1077 .map_from_alias = nss_ad_map_from_alias,
1080 static struct nss_info_methods nss_sfu_methods = {
1081 .init = nss_sfu_init,
1082 .get_nss_info = nss_ad_get_info,
1083 .map_to_alias = nss_ad_map_to_alias,
1084 .map_from_alias = nss_ad_map_from_alias,
1087 static struct nss_info_methods nss_sfu20_methods = {
1088 .init = nss_sfu20_init,
1089 .get_nss_info = nss_ad_get_info,
1090 .map_to_alias = nss_ad_map_to_alias,
1091 .map_from_alias = nss_ad_map_from_alias,
1096 /************************************************************************
1097 Initialize the plugins
1098 ***********************************************************************/
1100 NTSTATUS idmap_ad_init(void)
1102 static NTSTATUS status_idmap_ad = NT_STATUS_UNSUCCESSFUL;
1103 static NTSTATUS status_nss_rfc2307 = NT_STATUS_UNSUCCESSFUL;
1104 static NTSTATUS status_nss_sfu = NT_STATUS_UNSUCCESSFUL;
1105 static NTSTATUS status_nss_sfu20 = NT_STATUS_UNSUCCESSFUL;
1107 /* Always register the AD method first in order to get the
1108 idmap_domain interface called */
1110 if ( !NT_STATUS_IS_OK(status_idmap_ad) ) {
1111 status_idmap_ad = smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION,
1113 if ( !NT_STATUS_IS_OK(status_idmap_ad) )
1114 return status_idmap_ad;
1117 if ( !NT_STATUS_IS_OK( status_nss_rfc2307 ) ) {
1118 status_nss_rfc2307 = smb_register_idmap_nss(SMB_NSS_INFO_INTERFACE_VERSION,
1119 "rfc2307", &nss_rfc2307_methods );
1120 if ( !NT_STATUS_IS_OK(status_nss_rfc2307) )
1121 return status_nss_rfc2307;
1124 if ( !NT_STATUS_IS_OK( status_nss_sfu ) ) {
1125 status_nss_sfu = smb_register_idmap_nss(SMB_NSS_INFO_INTERFACE_VERSION,
1126 "sfu", &nss_sfu_methods );
1127 if ( !NT_STATUS_IS_OK(status_nss_sfu) )
1128 return status_nss_sfu;
1131 if ( !NT_STATUS_IS_OK( status_nss_sfu20 ) ) {
1132 status_nss_sfu20 = smb_register_idmap_nss(SMB_NSS_INFO_INTERFACE_VERSION,
1133 "sfu20", &nss_sfu20_methods );
1134 if ( !NT_STATUS_IS_OK(status_nss_sfu20) )
1135 return status_nss_sfu20;
1138 return NT_STATUS_OK;