source: branches/samba-3.0/source/nsswitch/winbindd_ads.c

Last change on this file was 165, checked in by Paul Smedley, 17 years ago

Add 'missing' 3.0.34 diffs
File size: 29.7 KB
Line 
1/*
2 Unix SMB/CIFS implementation.
3
4 Winbind ADS backend functions
5
6 Copyright (C) Andrew Tridgell 2001
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003
8 Copyright (C) Gerald (Jerry) Carter 2004
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 2 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program; if not, write to the Free Software
22 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
23*/
24
25#include "includes.h"
26#include "winbindd.h"
27
28#ifdef HAVE_ADS
29
30#undef DBGC_CLASS
31#define DBGC_CLASS DBGC_WINBIND
32
33extern struct winbindd_methods reconnect_methods;
34
35/*
36 return our ads connections structure for a domain. We keep the connection
37 open to make things faster
38*/
39static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain)
40{
41 ADS_STRUCT *ads;
42 ADS_STATUS status;
43 fstring dc_name;
44 struct in_addr dc_ip;
45
46 DEBUG(10,("ads_cached_connection\n"));
47
48 if (domain->private_data) {
49
50 time_t expire;
51 time_t now = time(NULL);
52
53 /* check for a valid structure */
54 ads = (ADS_STRUCT *)domain->private_data;
55
56 expire = MIN(ads->auth.tgt_expire, ads->auth.tgs_expire);
57
58 DEBUG(7, ("Current tickets expire in %d seconds (at %d, time is now %d)\n",
59 (uint32)expire-(uint32)now, (uint32) expire, (uint32) now));
60
61 if ( ads->config.realm && (expire > now)) {
62 return ads;
63 } else {
64 /* we own this ADS_STRUCT so make sure it goes away */
65 DEBUG(7,("Deleting expired krb5 credential cache\n"));
66 ads->is_mine = True;
67 ads_destroy( &ads );
68 ads_kdestroy("MEMORY:winbind_ccache");
69 domain->private_data = NULL;
70 }
71 }
72
73 /* we don't want this to affect the users ccache */
74 setenv("KRB5CCNAME", "MEMORY:winbind_ccache", 1);
75
76 ads = ads_init(domain->alt_name, domain->name, NULL);
77 if (!ads) {
78 DEBUG(1,("ads_init for domain %s failed\n", domain->name));
79 return NULL;
80 }
81
82 /* the machine acct password might have change - fetch it every time */
83
84 SAFE_FREE(ads->auth.password);
85 SAFE_FREE(ads->auth.realm);
86
87 if ( IS_DC ) {
88 DOM_SID sid;
89 time_t last_set_time;
90
91 if ( !secrets_fetch_trusted_domain_password( domain->name, &ads->auth.password, &sid, &last_set_time ) ) {
92 ads_destroy( &ads );
93 return NULL;
94 }
95 ads->auth.realm = SMB_STRDUP( ads->server.realm );
96 strupper_m( ads->auth.realm );
97 }
98 else {
99 struct winbindd_domain *our_domain = domain;
100
101 ads->auth.password = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
102
103 /* always give preference to the alt_name in our
104 primary domain if possible */
105
106 if ( !domain->primary )
107 our_domain = find_our_domain();
108
109 if ( our_domain->alt_name[0] != '\0' ) {
110 ads->auth.realm = SMB_STRDUP( our_domain->alt_name );
111 strupper_m( ads->auth.realm );
112 }
113 else
114 ads->auth.realm = SMB_STRDUP( lp_realm() );
115 }
116
117 ads->auth.renewable = WINBINDD_PAM_AUTH_KRB5_RENEW_TIME;
118
119 /* Setup the server affinity cache. We don't reaally care
120 about the name. Just setup affinity and the KRB5_CONFIG
121 file. */
122
123 get_dc_name( ads->server.workgroup, ads->server.realm, dc_name, &dc_ip );
124
125 status = ads_connect(ads);
126 if (!ADS_ERR_OK(status) || !ads->config.realm) {
127 DEBUG(1,("ads_connect for domain %s failed: %s\n",
128 domain->name, ads_errstr(status)));
129 ads_destroy(&ads);
130
131 /* if we get ECONNREFUSED then it might be a NT4
132 server, fall back to MSRPC */
133 if (status.error_type == ENUM_ADS_ERROR_SYSTEM &&
134 status.err.rc == ECONNREFUSED) {
135 /* 'reconnect_methods' is the MS-RPC backend. */
136 DEBUG(1,("Trying MSRPC methods\n"));
137 domain->backend = &reconnect_methods;
138 }
139 return NULL;
140 }
141
142 /* set the flag that says we don't own the memory even
143 though we do so that ads_destroy() won't destroy the
144 structure we pass back by reference */
145
146 ads->is_mine = False;
147
148 domain->private_data = (void *)ads;
149 return ads;
150}
151
152
153/* Query display info for a realm. This is the basic user list fn */
154static NTSTATUS query_user_list(struct winbindd_domain *domain,
155 TALLOC_CTX *mem_ctx,
156 uint32 *num_entries,
157 WINBIND_USERINFO **info)
158{
159 ADS_STRUCT *ads = NULL;
160 const char *attrs[] = { "*", NULL };
161 int i, count;
162 ADS_STATUS rc;
163 LDAPMessage *res = NULL;
164 LDAPMessage *msg = NULL;
165 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
166
167 *num_entries = 0;
168
169 DEBUG(3,("ads: query_user_list\n"));
170
171 ads = ads_cached_connection(domain);
172
173 if (!ads) {
174 domain->last_status = NT_STATUS_SERVER_DISABLED;
175 goto done;
176 }
177
178 rc = ads_search_retry(ads, &res, "(objectCategory=user)", attrs);
179 if (!ADS_ERR_OK(rc) || !res) {
180 DEBUG(1,("query_user_list ads_search: %s\n", ads_errstr(rc)));
181 goto done;
182 }
183
184 count = ads_count_replies(ads, res);
185 if (count == 0) {
186 DEBUG(1,("query_user_list: No users found\n"));
187 goto done;
188 }
189
190 (*info) = TALLOC_ZERO_ARRAY(mem_ctx, WINBIND_USERINFO, count);
191 if (!*info) {
192 status = NT_STATUS_NO_MEMORY;
193 goto done;
194 }
195
196 i = 0;
197
198 for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
199 char *name, *gecos = NULL;
200 char *homedir = NULL;
201 char *shell = NULL;
202 uint32 group;
203 uint32 atype;
204 DOM_SID user_sid;
205 gid_t primary_gid = (gid_t)-1;
206
207 if (!ads_pull_uint32(ads, msg, "sAMAccountType", &atype) ||
208 ads_atype_map(atype) != SID_NAME_USER) {
209 DEBUG(1,("Not a user account? atype=0x%x\n", atype));
210 continue;
211 }
212
213 name = ads_pull_username(ads, mem_ctx, msg);
214
215 if ( ads_pull_sid( ads, msg, "objectSid", &user_sid ) ) {
216 status = nss_get_info( domain->name, &user_sid, mem_ctx,
217 ads, msg, &homedir, &shell, &gecos,
218 &primary_gid );
219 }
220
221 if (gecos == NULL) {
222 gecos = ads_pull_string(ads, mem_ctx, msg, "name");
223 }
224
225 if (!ads_pull_sid(ads, msg, "objectSid",
226 &(*info)[i].user_sid)) {
227 DEBUG(1,("No sid for %s !?\n", name));
228 continue;
229 }
230 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &group)) {
231 DEBUG(1,("No primary group for %s !?\n", name));
232 continue;
233 }
234
235 (*info)[i].acct_name = name;
236 (*info)[i].full_name = gecos;
237 (*info)[i].homedir = homedir;
238 (*info)[i].shell = shell;
239 (*info)[i].primary_gid = primary_gid;
240 sid_compose(&(*info)[i].group_sid, &domain->sid, group);
241 i++;
242 }
243
244 (*num_entries) = i;
245 status = NT_STATUS_OK;
246
247 DEBUG(3,("ads query_user_list gave %d entries\n", (*num_entries)));
248
249done:
250 if (res)
251 ads_msgfree(ads, res);
252
253 return status;
254}
255
256/* list all domain groups */
257static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
258 TALLOC_CTX *mem_ctx,
259 uint32 *num_entries,
260 struct acct_info **info)
261{
262 ADS_STRUCT *ads = NULL;
263 const char *attrs[] = {"userPrincipalName", "sAMAccountName",
264 "name", "objectSid", NULL};
265 int i, count;
266 ADS_STATUS rc;
267 LDAPMessage *res = NULL;
268 LDAPMessage *msg = NULL;
269 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
270 const char *filter;
271 BOOL enum_dom_local_groups = False;
272
273 *num_entries = 0;
274
275 DEBUG(3,("ads: enum_dom_groups\n"));
276
277 /* only grab domain local groups for our domain */
278 if ( domain->native_mode && strequal(lp_realm(), domain->alt_name) ) {
279 enum_dom_local_groups = True;
280 }
281
282 /* Workaround ADS LDAP bug present in MS W2K3 SP0 and W2K SP4 w/o
283 * rollup-fixes:
284 *
285 * According to Section 5.1(4) of RFC 2251 if a value of a type is it's
286 * default value, it MUST be absent. In case of extensible matching the
287 * "dnattr" boolean defaults to FALSE and so it must be only be present
288 * when set to TRUE.
289 *
290 * When it is set to FALSE and the OpenLDAP lib (correctly) encodes a
291 * filter using bitwise matching rule then the buggy AD fails to decode
292 * the extensible match. As a workaround set it to TRUE and thereby add
293 * the dnAttributes "dn" field to cope with those older AD versions.
294 * It should not harm and won't put any additional load on the AD since
295 * none of the dn components have a bitmask-attribute.
296 *
297 * Thanks to Ralf Haferkamp for input and testing - Guenther */
298
299 filter = talloc_asprintf(mem_ctx, "(&(objectCategory=group)(&(groupType:dn:%s:=%d)(!(groupType:dn:%s:=%d))))",
300 ADS_LDAP_MATCHING_RULE_BIT_AND, GROUP_TYPE_SECURITY_ENABLED,
301 ADS_LDAP_MATCHING_RULE_BIT_AND,
302 enum_dom_local_groups ? GROUP_TYPE_BUILTIN_LOCAL_GROUP : GROUP_TYPE_RESOURCE_GROUP);
303
304 if (filter == NULL) {
305 status = NT_STATUS_NO_MEMORY;
306 goto done;
307 }
308
309 ads = ads_cached_connection(domain);
310
311 if (!ads) {
312 domain->last_status = NT_STATUS_SERVER_DISABLED;
313 goto done;
314 }
315
316 rc = ads_search_retry(ads, &res, filter, attrs);
317 if (!ADS_ERR_OK(rc) || !res) {
318 DEBUG(1,("enum_dom_groups ads_search: %s\n", ads_errstr(rc)));
319 goto done;
320 }
321
322 count = ads_count_replies(ads, res);
323 if (count == 0) {
324 DEBUG(1,("enum_dom_groups: No groups found\n"));
325 goto done;
326 }
327
328 (*info) = TALLOC_ZERO_ARRAY(mem_ctx, struct acct_info, count);
329 if (!*info) {
330 status = NT_STATUS_NO_MEMORY;
331 goto done;
332 }
333
334 i = 0;
335
336 for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
337 char *name, *gecos;
338 DOM_SID sid;
339 uint32 rid;
340
341 name = ads_pull_username(ads, mem_ctx, msg);
342 gecos = ads_pull_string(ads, mem_ctx, msg, "name");
343 if (!ads_pull_sid(ads, msg, "objectSid", &sid)) {
344 DEBUG(1,("No sid for %s !?\n", name));
345 continue;
346 }
347
348 if (!sid_peek_check_rid(&domain->sid, &sid, &rid)) {
349 DEBUG(1,("No rid for %s !?\n", name));
350 continue;
351 }
352
353 fstrcpy((*info)[i].acct_name, name);
354 fstrcpy((*info)[i].acct_desc, gecos);
355 (*info)[i].rid = rid;
356 i++;
357 }
358
359 (*num_entries) = i;
360
361 status = NT_STATUS_OK;
362
363 DEBUG(3,("ads enum_dom_groups gave %d entries\n", (*num_entries)));
364
365done:
366 if (res)
367 ads_msgfree(ads, res);
368
369 return status;
370}
371
372/* list all domain local groups */
373static NTSTATUS enum_local_groups(struct winbindd_domain *domain,
374 TALLOC_CTX *mem_ctx,
375 uint32 *num_entries,
376 struct acct_info **info)
377{
378 /*
379 * This is a stub function only as we returned the domain
380 * local groups in enum_dom_groups() if the domain->native field
381 * was true. This is a simple performance optimization when
382 * using LDAP.
383 *
384 * if we ever need to enumerate domain local groups separately,
385 * then this the optimization in enum_dom_groups() will need
386 * to be split out
387 */
388 *num_entries = 0;
389
390 return NT_STATUS_OK;
391}
392
393/* convert a single name to a sid in a domain - use rpc methods */
394static NTSTATUS name_to_sid(struct winbindd_domain *domain,
395 TALLOC_CTX *mem_ctx,
396 const char *domain_name,
397 const char *name,
398 DOM_SID *sid,
399 enum lsa_SidType *type)
400{
401 return reconnect_methods.name_to_sid(domain, mem_ctx,
402 domain_name, name,
403 sid, type);
404}
405
406/* convert a domain SID to a user or group name - use rpc methods */
407static NTSTATUS sid_to_name(struct winbindd_domain *domain,
408 TALLOC_CTX *mem_ctx,
409 const DOM_SID *sid,
410 char **domain_name,
411 char **name,
412 enum lsa_SidType *type)
413{
414 return reconnect_methods.sid_to_name(domain, mem_ctx, sid,
415 domain_name, name, type);
416}
417
418/* convert a list of rids to names - use rpc methods */
419static NTSTATUS rids_to_names(struct winbindd_domain *domain,
420 TALLOC_CTX *mem_ctx,
421 const DOM_SID *sid,
422 uint32 *rids,
423 size_t num_rids,
424 char **domain_name,
425 char ***names,
426 enum lsa_SidType **types)
427{
428 return reconnect_methods.rids_to_names(domain, mem_ctx, sid,
429 rids, num_rids,
430 domain_name, names, types);
431}
432
433/* convert a DN to a name, SID and name type
434 this might become a major speed bottleneck if groups have
435 lots of users, in which case we could cache the results
436*/
437static BOOL dn_lookup(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx,
438 const char *dn,
439 char **name, uint32 *name_type, DOM_SID *sid)
440{
441 LDAPMessage *res = NULL;
442 const char *attrs[] = {"userPrincipalName", "sAMAccountName",
443 "objectSid", "sAMAccountType", NULL};
444 ADS_STATUS rc;
445 uint32 atype;
446 DEBUG(3,("ads: dn_lookup\n"));
447
448 rc = ads_search_retry_dn(ads, &res, dn, attrs);
449
450 if (!ADS_ERR_OK(rc) || !res) {
451 goto failed;
452 }
453
454 (*name) = ads_pull_username(ads, mem_ctx, res);
455
456 if (!ads_pull_uint32(ads, res, "sAMAccountType", &atype)) {
457 goto failed;
458 }
459 (*name_type) = ads_atype_map(atype);
460
461 if (!ads_pull_sid(ads, res, "objectSid", sid)) {
462 goto failed;
463 }
464
465 if (res)
466 ads_msgfree(ads, res);
467
468 return True;
469
470failed:
471 if (res)
472 ads_msgfree(ads, res);
473
474 return False;
475}
476
477/* Lookup user information from a rid */
478static NTSTATUS query_user(struct winbindd_domain *domain,
479 TALLOC_CTX *mem_ctx,
480 const DOM_SID *sid,
481 WINBIND_USERINFO *info)
482{
483 ADS_STRUCT *ads = NULL;
484 const char *attrs[] = { "*", NULL };
485 ADS_STATUS rc;
486 int count;
487 LDAPMessage *msg = NULL;
488 char *ldap_exp;
489 char *sidstr;
490 uint32 group_rid;
491 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
492
493 DEBUG(3,("ads: query_user\n"));
494
495 if ( (ads = ads_cached_connection(domain)) == NULL ) {
496 domain->last_status = NT_STATUS_SERVER_DISABLED;
497 goto done;
498 }
499
500 sidstr = sid_binstring(sid);
501 asprintf(&ldap_exp, "(objectSid=%s)", sidstr);
502 rc = ads_search_retry(ads, &msg, ldap_exp, attrs);
503 free(ldap_exp);
504 free(sidstr);
505 if (!ADS_ERR_OK(rc) || !msg) {
506 DEBUG(1,("query_user(sid=%s) ads_search: %s\n",
507 sid_string_static(sid), ads_errstr(rc)));
508 goto done;
509 }
510
511 count = ads_count_replies(ads, msg);
512 if (count != 1) {
513 DEBUG(1,("query_user(sid=%s): Not found\n",
514 sid_string_static(sid)));
515 goto done;
516 }
517
518 info->acct_name = ads_pull_username(ads, mem_ctx, msg);
519
520 info->primary_gid = (gid_t)-1;
521 nss_get_info( domain->name, sid, mem_ctx, ads, msg,
522 &info->homedir, &info->shell, &info->full_name, &info->primary_gid );
523
524 if (info->full_name == NULL) {
525 info->full_name = ads_pull_string(ads, mem_ctx, msg, "name");
526 }
527
528 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &group_rid)) {
529 DEBUG(1,("No primary group for %s !?\n",
530 sid_string_static(sid)));
531 goto done;
532 }
533
534 sid_copy(&info->user_sid, sid);
535 sid_compose(&info->group_sid, &domain->sid, group_rid);
536
537 status = NT_STATUS_OK;
538
539 DEBUG(3,("ads query_user gave %s\n", info->acct_name));
540done:
541 if (msg)
542 ads_msgfree(ads, msg);
543
544 return status;
545}
546
547/* Lookup groups a user is a member of - alternate method, for when
548 tokenGroups are not available. */
549static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain,
550 TALLOC_CTX *mem_ctx,
551 const char *user_dn,
552 DOM_SID *primary_group,
553 size_t *p_num_groups, DOM_SID **user_sids)
554{
555 ADS_STATUS rc;
556 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
557 int count;
558 LDAPMessage *res = NULL;
559 LDAPMessage *msg = NULL;
560 char *ldap_exp;
561 ADS_STRUCT *ads;
562 const char *group_attrs[] = {"objectSid", NULL};
563 char *escaped_dn;
564 size_t num_groups = 0;
565
566 DEBUG(3,("ads: lookup_usergroups_member\n"));
567
568 ads = ads_cached_connection(domain);
569
570 if (!ads) {
571 domain->last_status = NT_STATUS_SERVER_DISABLED;
572 goto done;
573 }
574
575 if (!(escaped_dn = escape_ldap_string_alloc(user_dn))) {
576 status = NT_STATUS_NO_MEMORY;
577 goto done;
578 }
579
580 if (!(ldap_exp = talloc_asprintf(mem_ctx, "(&(member=%s)(objectCategory=group))", escaped_dn))) {
581 DEBUG(1,("lookup_usergroups(dn=%s) asprintf failed!\n", user_dn));
582 SAFE_FREE(escaped_dn);
583 status = NT_STATUS_NO_MEMORY;
584 goto done;
585 }
586
587 SAFE_FREE(escaped_dn);
588
589 rc = ads_search_retry(ads, &res, ldap_exp, group_attrs);
590
591 if (!ADS_ERR_OK(rc) || !res) {
592 DEBUG(1,("lookup_usergroups ads_search member=%s: %s\n", user_dn, ads_errstr(rc)));
593 return ads_ntstatus(rc);
594 }
595
596 count = ads_count_replies(ads, res);
597
598 *user_sids = NULL;
599 num_groups = 0;
600
601 /* always add the primary group to the sid array */
602 if (!add_sid_to_array(mem_ctx, primary_group, user_sids, &num_groups)) {
603 status = NT_STATUS_NO_MEMORY;
604 goto done;
605 }
606
607 if (count > 0) {
608 for (msg = ads_first_entry(ads, res); msg;
609 msg = ads_next_entry(ads, msg)) {
610 DOM_SID group_sid;
611
612 if (!ads_pull_sid(ads, msg, "objectSid", &group_sid)) {
613 DEBUG(1,("No sid for this group ?!?\n"));
614 continue;
615 }
616
617 /* ignore Builtin groups from ADS - Guenther */
618 if (sid_check_is_in_builtin(&group_sid)) {
619 continue;
620 }
621
622 if (!add_sid_to_array(mem_ctx, &group_sid, user_sids,
623 &num_groups)) {
624 status = NT_STATUS_NO_MEMORY;
625 goto done;
626 }
627 }
628
629 }
630
631 *p_num_groups = num_groups;
632 status = (user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
633
634 DEBUG(3,("ads lookup_usergroups (member) succeeded for dn=%s\n", user_dn));
635done:
636 if (res)
637 ads_msgfree(ads, res);
638
639 return status;
640}
641
642/* Lookup groups a user is a member of - alternate method, for when
643 tokenGroups are not available. */
644static NTSTATUS lookup_usergroups_memberof(struct winbindd_domain *domain,
645 TALLOC_CTX *mem_ctx,
646 const char *user_dn,
647 DOM_SID *primary_group,
648 size_t *p_num_groups, DOM_SID **user_sids)
649{
650 ADS_STATUS rc;
651 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
652 int count;
653 LDAPMessage *res = NULL;
654 ADS_STRUCT *ads;
655 const char *attrs[] = {"memberOf", NULL};
656 size_t num_groups = 0;
657 DOM_SID *group_sids = NULL;
658 int i;
659
660 DEBUG(3,("ads: lookup_usergroups_memberof\n"));
661
662 ads = ads_cached_connection(domain);
663
664 if (!ads) {
665 domain->last_status = NT_STATUS_SERVER_DISABLED;
666 goto done;
667 }
668
669 rc = ads_search_retry_extended_dn(ads, &res, user_dn, attrs,
670 ADS_EXTENDED_DN_HEX_STRING);
671
672 if (!ADS_ERR_OK(rc) || !res) {
673 DEBUG(1,("lookup_usergroups_memberof ads_search member=%s: %s\n",
674 user_dn, ads_errstr(rc)));
675 return ads_ntstatus(rc);
676 }
677
678 count = ads_count_replies(ads, res);
679
680 if (count == 0) {
681 status = NT_STATUS_NO_SUCH_USER;
682 goto done;
683 }
684
685 *user_sids = NULL;
686 num_groups = 0;
687
688 /* always add the primary group to the sid array */
689 if (!add_sid_to_array(mem_ctx, primary_group, user_sids, &num_groups)) {
690 status = NT_STATUS_NO_MEMORY;
691 goto done;
692 }
693
694 count = ads_pull_sids_from_extendeddn(ads, mem_ctx, res, "memberOf",
695 ADS_EXTENDED_DN_HEX_STRING,
696 &group_sids);
697 if (count == 0) {
698 DEBUG(1,("No memberOf for this user?!?\n"));
699 status = NT_STATUS_NO_MEMORY;
700 goto done;
701 }
702
703 for (i=0; i<count; i++) {
704
705 /* ignore Builtin groups from ADS - Guenther */
706 if (sid_check_is_in_builtin(&group_sids[i])) {
707 continue;
708 }
709
710 if (!add_sid_to_array(mem_ctx, &group_sids[i], user_sids,
711 &num_groups)) {
712 status = NT_STATUS_NO_MEMORY;
713 goto done;
714 }
715
716 }
717
718 *p_num_groups = num_groups;
719 status = (*user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
720
721 DEBUG(3,("ads lookup_usergroups (memberof) succeeded for dn=%s\n", user_dn));
722done:
723 TALLOC_FREE(group_sids);
724 if (res)
725 ads_msgfree(ads, res);
726
727 return status;
728}
729
730
731/* Lookup groups a user is a member of. */
732static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
733 TALLOC_CTX *mem_ctx,
734 const DOM_SID *sid,
735 uint32 *p_num_groups, DOM_SID **user_sids)
736{
737 ADS_STRUCT *ads = NULL;
738 const char *attrs[] = {"tokenGroups", "primaryGroupID", NULL};
739 ADS_STATUS rc;
740 int count;
741 LDAPMessage *msg = NULL;
742 char *user_dn = NULL;
743 DOM_SID *sids;
744 int i;
745 DOM_SID primary_group;
746 uint32 primary_group_rid;
747 fstring sid_string;
748 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
749 size_t num_groups = 0;
750
751 DEBUG(3,("ads: lookup_usergroups\n"));
752 *p_num_groups = 0;
753
754 status = lookup_usergroups_cached(domain, mem_ctx, sid,
755 p_num_groups, user_sids);
756 if (NT_STATUS_IS_OK(status)) {
757 return NT_STATUS_OK;
758 }
759
760 ads = ads_cached_connection(domain);
761
762 if (!ads) {
763 domain->last_status = NT_STATUS_SERVER_DISABLED;
764 status = NT_STATUS_SERVER_DISABLED;
765 goto done;
766 }
767
768 rc = ads_search_retry_sid(ads, &msg, sid, attrs);
769
770 if (!ADS_ERR_OK(rc)) {
771 status = ads_ntstatus(rc);
772 DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: %s\n",
773 sid_to_string(sid_string, sid), ads_errstr(rc)));
774 goto done;
775 }
776
777 count = ads_count_replies(ads, msg);
778 if (count != 1) {
779 status = NT_STATUS_UNSUCCESSFUL;
780 DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: "
781 "invalid number of results (count=%d)\n",
782 sid_to_string(sid_string, sid), count));
783 goto done;
784 }
785
786 if (!msg) {
787 DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: NULL msg\n",
788 sid_to_string(sid_string, sid)));
789 status = NT_STATUS_UNSUCCESSFUL;
790 goto done;
791 }
792
793 user_dn = ads_get_dn(ads, msg);
794 if (user_dn == NULL) {
795 status = NT_STATUS_NO_MEMORY;
796 goto done;
797 }
798
799 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &primary_group_rid)) {
800 DEBUG(1,("%s: No primary group for sid=%s !?\n",
801 domain->name, sid_to_string(sid_string, sid)));
802 goto done;
803 }
804
805 sid_copy(&primary_group, &domain->sid);
806 sid_append_rid(&primary_group, primary_group_rid);
807
808 count = ads_pull_sids(ads, mem_ctx, msg, "tokenGroups", &sids);
809
810 /* there must always be at least one group in the token,
811 unless we are talking to a buggy Win2k server */
812
813 /* actually this only happens when the machine account has no read
814 * permissions on the tokenGroup attribute - gd */
815
816 if (count == 0) {
817
818 /* no tokenGroups */
819
820 /* lookup what groups this user is a member of by DN search on
821 * "memberOf" */
822
823 status = lookup_usergroups_memberof(domain, mem_ctx, user_dn,
824 &primary_group,
825 &num_groups, user_sids);
826 *p_num_groups = (uint32)num_groups;
827 if (NT_STATUS_IS_OK(status)) {
828 goto done;
829 }
830
831 /* lookup what groups this user is a member of by DN search on
832 * "member" */
833
834 status = lookup_usergroups_member(domain, mem_ctx, user_dn,
835 &primary_group,
836 &num_groups, user_sids);
837 *p_num_groups = (uint32)num_groups;
838 goto done;
839 }
840
841 *user_sids = NULL;
842 num_groups = 0;
843
844 if (!add_sid_to_array(mem_ctx, &primary_group, user_sids, &num_groups)) {
845 status = NT_STATUS_NO_MEMORY;
846 goto done;
847 }
848
849 for (i=0;i<count;i++) {
850
851 /* ignore Builtin groups from ADS - Guenther */
852 if (sid_check_is_in_builtin(&sids[i])) {
853 continue;
854 }
855
856 if (!add_sid_to_array_unique(mem_ctx, &sids[i],
857 user_sids, &num_groups)) {
858 status = NT_STATUS_NO_MEMORY;
859 goto done;
860 }
861 }
862
863 *p_num_groups = (uint32)num_groups;
864 status = (*user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
865
866 DEBUG(3,("ads lookup_usergroups (tokenGroups) succeeded for sid=%s\n",
867 sid_to_string(sid_string, sid)));
868done:
869 ads_memfree(ads, user_dn);
870 ads_msgfree(ads, msg);
871 return status;
872}
873
874/* Lookup aliases a user is member of - use rpc methods */
875static NTSTATUS lookup_useraliases(struct winbindd_domain *domain,
876 TALLOC_CTX *mem_ctx,
877 uint32 num_sids, const DOM_SID *sids,
878 uint32 *num_aliases, uint32 **alias_rids)
879{
880 return reconnect_methods.lookup_useraliases(domain, mem_ctx,
881 num_sids, sids,
882 num_aliases,
883 alias_rids);
884}
885
886/*
887 find the members of a group, given a group rid and domain
888 */
889static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
890 TALLOC_CTX *mem_ctx,
891 const DOM_SID *group_sid, uint32 *num_names,
892 DOM_SID **sid_mem, char ***names,
893 uint32 **name_types)
894{
895 ADS_STATUS rc;
896 int count;
897 LDAPMessage *res=NULL;
898 ADS_STRUCT *ads = NULL;
899 char *ldap_exp;
900 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
901 char *sidstr;
902 char **members;
903 int i;
904 size_t num_members;
905 fstring sid_string;
906 BOOL more_values;
907 const char **attrs;
908 uint32 first_usn;
909 uint32 current_usn;
910 int num_retries = 0;
911
912 DEBUG(10,("ads: lookup_groupmem %s sid=%s\n", domain->name,
913 sid_string_static(group_sid)));
914
915 *num_names = 0;
916
917 ads = ads_cached_connection(domain);
918
919 if (!ads) {
920 domain->last_status = NT_STATUS_SERVER_DISABLED;
921 goto done;
922 }
923
924 if ((sidstr = sid_binstring(group_sid)) == NULL) {
925 status = NT_STATUS_NO_MEMORY;
926 goto done;
927 }
928
929 /* search for all members of the group */
930 if (!(ldap_exp = talloc_asprintf(mem_ctx, "(objectSid=%s)",sidstr))) {
931 SAFE_FREE(sidstr);
932 DEBUG(1, ("ads: lookup_groupmem: tallloc_asprintf for ldap_exp failed!\n"));
933 status = NT_STATUS_NO_MEMORY;
934 goto done;
935 }
936 SAFE_FREE(sidstr);
937
938 members = NULL;
939 num_members = 0;
940
941 if ((attrs = TALLOC_ARRAY(mem_ctx, const char *, 3)) == NULL) {
942 status = NT_STATUS_NO_MEMORY;
943 goto done;
944 }
945
946 attrs[1] = talloc_strdup(mem_ctx, "usnChanged");
947 attrs[2] = NULL;
948
949 do {
950 if (num_members == 0)
951 attrs[0] = talloc_strdup(mem_ctx, "member");
952
953 DEBUG(10, ("Searching for attrs[0] = %s, attrs[1] = %s\n", attrs[0], attrs[1]));
954
955 rc = ads_search_retry(ads, &res, ldap_exp, attrs);
956
957 if (!ADS_ERR_OK(rc) || !res) {
958 DEBUG(1,("ads: lookup_groupmem ads_search: %s\n",
959 ads_errstr(rc)));
960 status = ads_ntstatus(rc);
961 goto done;
962 }
963
964 count = ads_count_replies(ads, res);
965 if (count == 0)
966 break;
967
968 if (num_members == 0) {
969 if (!ads_pull_uint32(ads, res, "usnChanged", &first_usn)) {
970 DEBUG(1, ("ads: lookup_groupmem could not pull usnChanged!\n"));
971 goto done;
972 }
973 }
974
975 if (!ads_pull_uint32(ads, res, "usnChanged", &current_usn)) {
976 DEBUG(1, ("ads: lookup_groupmem could not pull usnChanged!\n"));
977 goto done;
978 }
979
980 if (first_usn != current_usn) {
981 DEBUG(5, ("ads: lookup_groupmem USN on this record changed"
982 " - restarting search\n"));
983 if (num_retries < 5) {
984 num_retries++;
985 num_members = 0;
986 ads_msgfree(ads, res);
987 res = NULL;
988 continue;
989 } else {
990 DEBUG(5, ("ads: lookup_groupmem USN on this record changed"
991 " - restarted search too many times, aborting!\n"));
992 status = NT_STATUS_UNSUCCESSFUL;
993 goto done;
994 }
995 }
996
997 members = ads_pull_strings_range(ads, mem_ctx, res,
998 "member",
999 members,
1000 &attrs[0],
1001 &num_members,
1002 &more_values);
1003
1004 ads_msgfree(ads, res);
1005 res = NULL;
1006
1007 if ((members == NULL) || (num_members == 0))
1008 break;
1009
1010 } while (more_values);
1011
1012 /* now we need to turn a list of members into rids, names and name types
1013 the problem is that the members are in the form of distinguised names
1014 */
1015
1016 if (num_members) {
1017 (*sid_mem) = TALLOC_ZERO_ARRAY(mem_ctx, DOM_SID, num_members);
1018 (*name_types) = TALLOC_ZERO_ARRAY(mem_ctx, uint32, num_members);
1019 (*names) = TALLOC_ZERO_ARRAY(mem_ctx, char *, num_members);
1020
1021 if ((members == NULL) || (*sid_mem == NULL) ||
1022 (*name_types == NULL) || (*names == NULL)) {
1023 DEBUG(1, ("talloc failed\n"));
1024 status = NT_STATUS_NO_MEMORY;
1025 goto done;
1026 }
1027 } else {
1028 (*sid_mem) = NULL;
1029 (*name_types) = NULL;
1030 (*names) = NULL;
1031 }
1032
1033 for (i=0;i<num_members;i++) {
1034 uint32 name_type;
1035 char *name;
1036 DOM_SID sid;
1037
1038 if (dn_lookup(ads, mem_ctx, members[i], &name, &name_type, &sid)) {
1039 (*names)[*num_names] = name;
1040 (*name_types)[*num_names] = name_type;
1041 sid_copy(&(*sid_mem)[*num_names], &sid);
1042 (*num_names)++;
1043 }
1044 }
1045
1046 status = NT_STATUS_OK;
1047 DEBUG(3,("ads lookup_groupmem for sid=%s\n", sid_to_string(sid_string, group_sid)));
1048done:
1049
1050 if (res)
1051 ads_msgfree(ads, res);
1052
1053 return status;
1054}
1055
1056/* find the sequence number for a domain */
1057static NTSTATUS sequence_number(struct winbindd_domain *domain, uint32 *seq)
1058{
1059 ADS_STRUCT *ads = NULL;
1060 ADS_STATUS rc;
1061
1062 DEBUG(3,("ads: fetch sequence_number for %s\n", domain->name));
1063
1064 *seq = DOM_SEQUENCE_NONE;
1065
1066 ads = ads_cached_connection(domain);
1067
1068 if (!ads) {
1069 domain->last_status = NT_STATUS_SERVER_DISABLED;
1070 return NT_STATUS_UNSUCCESSFUL;
1071 }
1072
1073 rc = ads_USN(ads, seq);
1074
1075 if (!ADS_ERR_OK(rc)) {
1076
1077 /* its a dead connection, destroy it */
1078
1079 if (domain->private_data) {
1080 ads = (ADS_STRUCT *)domain->private_data;
1081 ads->is_mine = True;
1082 ads_destroy(&ads);
1083 ads_kdestroy("MEMORY:winbind_ccache");
1084 domain->private_data = NULL;
1085 }
1086 }
1087 return ads_ntstatus(rc);
1088}
1089
1090/* find the lockout policy of a domain - use rpc methods */
1091static NTSTATUS lockout_policy(struct winbindd_domain *domain,
1092 TALLOC_CTX *mem_ctx,
1093 SAM_UNK_INFO_12 *policy)
1094{
1095 return reconnect_methods.lockout_policy(domain, mem_ctx, policy);
1096}
1097
1098/* find the password policy of a domain - use rpc methods */
1099static NTSTATUS password_policy(struct winbindd_domain *domain,
1100 TALLOC_CTX *mem_ctx,
1101 SAM_UNK_INFO_1 *policy)
1102{
1103 return reconnect_methods.password_policy(domain, mem_ctx, policy);
1104}
1105
1106/* get a list of trusted domains */
1107static NTSTATUS trusted_domains(struct winbindd_domain *domain,
1108 TALLOC_CTX *mem_ctx,
1109 uint32 *num_domains,
1110 char ***names,
1111 char ***alt_names,
1112 DOM_SID **dom_sids)
1113{
1114 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1115 struct ds_domain_trust *domains = NULL;
1116 int count = 0;
1117 int i;
1118 uint32 flags = DS_DOMAIN_IN_FOREST | DS_DOMAIN_DIRECT_OUTBOUND;
1119 struct rpc_pipe_client *cli;
1120
1121 DEBUG(3,("ads: trusted_domains\n"));
1122
1123 *num_domains = 0;
1124 *alt_names = NULL;
1125 *names = NULL;
1126 *dom_sids = NULL;
1127
1128 result = cm_connect_netlogon(domain, &cli);
1129
1130 if (!NT_STATUS_IS_OK(result)) {
1131 DEBUG(5, ("trusted_domains: Could not open a connection to %s "
1132 "for PIPE_NETLOGON (%s)\n",
1133 domain->name, nt_errstr(result)));
1134 return NT_STATUS_UNSUCCESSFUL;
1135 }
1136
1137 if ( NT_STATUS_IS_OK(result) ) {
1138 result = rpccli_ds_enum_domain_trusts(cli, mem_ctx,
1139 cli->cli->desthost,
1140 flags, &domains,
1141 (unsigned int *)&count);
1142 }
1143
1144 if ( NT_STATUS_IS_OK(result) && count) {
1145
1146 /* Allocate memory for trusted domain names and sids */
1147
1148 if ( !(*names = TALLOC_ARRAY(mem_ctx, char *, count)) ) {
1149 DEBUG(0, ("trusted_domains: out of memory\n"));
1150 return NT_STATUS_NO_MEMORY;
1151 }
1152
1153 if ( !(*alt_names = TALLOC_ARRAY(mem_ctx, char *, count)) ) {
1154 DEBUG(0, ("trusted_domains: out of memory\n"));
1155 return NT_STATUS_NO_MEMORY;
1156 }
1157
1158 if ( !(*dom_sids = TALLOC_ARRAY(mem_ctx, DOM_SID, count)) ) {
1159 DEBUG(0, ("trusted_domains: out of memory\n"));
1160 return NT_STATUS_NO_MEMORY;
1161 }
1162
1163 /* Copy across names and sids */
1164
1165 for (i = 0; i < count; i++) {
1166 (*names)[i] = domains[i].netbios_domain;
1167 (*alt_names)[i] = domains[i].dns_domain;
1168
1169 sid_copy(&(*dom_sids)[i], &domains[i].sid);
1170 }
1171
1172 *num_domains = count;
1173 }
1174
1175 return result;
1176}
1177
1178/* the ADS backend methods are exposed via this structure */
1179struct winbindd_methods ads_methods = {
1180 True,
1181 query_user_list,
1182 enum_dom_groups,
1183 enum_local_groups,
1184 name_to_sid,
1185 sid_to_name,
1186 rids_to_names,
1187 query_user,
1188 lookup_usergroups,
1189 lookup_useraliases,
1190 lookup_groupmem,
1191 sequence_number,
1192 lockout_policy,
1193 password_policy,
1194 trusted_domains,
1195};
1196
1197#endif
Note: See TracBrowser for help on using the repository browser.