source: trunk/server/source3/winbindd/winbindd_ads.c

Last change on this file was 751, checked in by Silvan Scherrer, 13 years ago

Samba Server: updated trunk to 3.6.9
File size: 40.1 KB
Line 
1/*
2 Unix SMB/CIFS implementation.
3
4 Winbind ADS backend functions
5
6 Copyright (C) Andrew Tridgell 2001
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003
8 Copyright (C) Gerald (Jerry) Carter 2004
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22*/
23
24#include "includes.h"
25#include "winbindd.h"
26#include "rpc_client/rpc_client.h"
27#include "../librpc/gen_ndr/ndr_netlogon_c.h"
28#include "../libds/common/flags.h"
29#include "ads.h"
30#include "secrets.h"
31#include "../libcli/ldap/ldap_ndr.h"
32#include "../libcli/security/security.h"
33#include "../libds/common/flag_mapping.h"
34#include "passdb.h"
35
36#ifdef HAVE_ADS
37
38#undef DBGC_CLASS
39#define DBGC_CLASS DBGC_WINBIND
40
41extern struct winbindd_methods reconnect_methods;
42
43/*
44 return our ads connections structure for a domain. We keep the connection
45 open to make things faster
46*/
47static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain)
48{
49 ADS_STRUCT *ads;
50 ADS_STATUS status;
51 fstring dc_name;
52 struct sockaddr_storage dc_ss;
53
54 DEBUG(10,("ads_cached_connection\n"));
55
56 if (domain->private_data) {
57
58 time_t expire;
59 time_t now = time(NULL);
60
61 /* check for a valid structure */
62 ads = (ADS_STRUCT *)domain->private_data;
63
64 expire = MIN(ads->auth.tgt_expire, ads->auth.tgs_expire);
65
66 DEBUG(7, ("Current tickets expire in %d seconds (at %d, time is now %d)\n",
67 (uint32)expire-(uint32)now, (uint32) expire, (uint32) now));
68
69 if ( ads->config.realm && (expire > now)) {
70 return ads;
71 } else {
72 /* we own this ADS_STRUCT so make sure it goes away */
73 DEBUG(7,("Deleting expired krb5 credential cache\n"));
74 ads->is_mine = True;
75 ads_destroy( &ads );
76 ads_kdestroy("MEMORY:winbind_ccache");
77 domain->private_data = NULL;
78 }
79 }
80
81 /* we don't want this to affect the users ccache */
82 setenv("KRB5CCNAME", "MEMORY:winbind_ccache", 1);
83
84 ads = ads_init(domain->alt_name, domain->name, NULL);
85 if (!ads) {
86 DEBUG(1,("ads_init for domain %s failed\n", domain->name));
87 return NULL;
88 }
89
90 /* the machine acct password might have change - fetch it every time */
91
92 SAFE_FREE(ads->auth.password);
93 SAFE_FREE(ads->auth.realm);
94
95 if ( IS_DC ) {
96
97 if ( !pdb_get_trusteddom_pw( domain->name, &ads->auth.password, NULL, NULL ) ) {
98 ads_destroy( &ads );
99 return NULL;
100 }
101 ads->auth.realm = SMB_STRDUP( ads->server.realm );
102 strupper_m( ads->auth.realm );
103 }
104 else {
105 struct winbindd_domain *our_domain = domain;
106
107 ads->auth.password = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
108
109 /* always give preference to the alt_name in our
110 primary domain if possible */
111
112 if ( !domain->primary )
113 our_domain = find_our_domain();
114
115 if ( our_domain->alt_name[0] != '\0' ) {
116 ads->auth.realm = SMB_STRDUP( our_domain->alt_name );
117 strupper_m( ads->auth.realm );
118 }
119 else
120 ads->auth.realm = SMB_STRDUP( lp_realm() );
121 }
122
123 ads->auth.renewable = WINBINDD_PAM_AUTH_KRB5_RENEW_TIME;
124
125 /* Setup the server affinity cache. We don't reaally care
126 about the name. Just setup affinity and the KRB5_CONFIG
127 file. */
128
129 get_dc_name( ads->server.workgroup, ads->server.realm, dc_name, &dc_ss );
130
131 status = ads_connect(ads);
132 if (!ADS_ERR_OK(status) || !ads->config.realm) {
133 DEBUG(1,("ads_connect for domain %s failed: %s\n",
134 domain->name, ads_errstr(status)));
135 ads_destroy(&ads);
136
137 /* if we get ECONNREFUSED then it might be a NT4
138 server, fall back to MSRPC */
139 if (status.error_type == ENUM_ADS_ERROR_SYSTEM &&
140 status.err.rc == ECONNREFUSED) {
141 /* 'reconnect_methods' is the MS-RPC backend. */
142 DEBUG(1,("Trying MSRPC methods\n"));
143 domain->backend = &reconnect_methods;
144 }
145 return NULL;
146 }
147
148 /* set the flag that says we don't own the memory even
149 though we do so that ads_destroy() won't destroy the
150 structure we pass back by reference */
151
152 ads->is_mine = False;
153
154 domain->private_data = (void *)ads;
155 return ads;
156}
157
158
159/* Query display info for a realm. This is the basic user list fn */
160static NTSTATUS query_user_list(struct winbindd_domain *domain,
161 TALLOC_CTX *mem_ctx,
162 uint32 *num_entries,
163 struct wbint_userinfo **pinfo)
164{
165 ADS_STRUCT *ads = NULL;
166 const char *attrs[] = { "*", NULL };
167 int i, count;
168 ADS_STATUS rc;
169 LDAPMessage *res = NULL;
170 LDAPMessage *msg = NULL;
171 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
172
173 *num_entries = 0;
174
175 DEBUG(3,("ads: query_user_list\n"));
176
177 if ( !winbindd_can_contact_domain( domain ) ) {
178 DEBUG(10,("query_user_list: No incoming trust for domain %s\n",
179 domain->name));
180 return NT_STATUS_OK;
181 }
182
183 ads = ads_cached_connection(domain);
184
185 if (!ads) {
186 domain->last_status = NT_STATUS_SERVER_DISABLED;
187 goto done;
188 }
189
190 rc = ads_search_retry(ads, &res, "(objectCategory=user)", attrs);
191 if (!ADS_ERR_OK(rc)) {
192 DEBUG(1,("query_user_list ads_search: %s\n", ads_errstr(rc)));
193 status = ads_ntstatus(rc);
194 } else if (!res) {
195 DEBUG(1,("query_user_list ads_search returned NULL res\n"));
196
197 goto done;
198 }
199
200 count = ads_count_replies(ads, res);
201 if (count == 0) {
202 DEBUG(1,("query_user_list: No users found\n"));
203 goto done;
204 }
205
206 (*pinfo) = TALLOC_ZERO_ARRAY(mem_ctx, struct wbint_userinfo, count);
207 if (!*pinfo) {
208 status = NT_STATUS_NO_MEMORY;
209 goto done;
210 }
211
212 count = 0;
213
214 for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
215 struct wbint_userinfo *info = &((*pinfo)[count]);
216 uint32 group;
217 uint32 atype;
218
219 if (!ads_pull_uint32(ads, msg, "sAMAccountType", &atype) ||
220 ds_atype_map(atype) != SID_NAME_USER) {
221 DEBUG(1,("Not a user account? atype=0x%x\n", atype));
222 continue;
223 }
224
225 info->acct_name = ads_pull_username(ads, mem_ctx, msg);
226 info->full_name = ads_pull_string(ads, mem_ctx, msg, "name");
227 info->homedir = NULL;
228 info->shell = NULL;
229 info->primary_gid = (gid_t)-1;
230
231 if (!ads_pull_sid(ads, msg, "objectSid",
232 &info->user_sid)) {
233 DEBUG(1, ("No sid for %s !?\n", info->acct_name));
234 continue;
235 }
236
237 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &group)) {
238 DEBUG(1, ("No primary group for %s !?\n",
239 info->acct_name));
240 continue;
241 }
242 sid_compose(&info->group_sid, &domain->sid, group);
243
244 count += 1;
245 }
246
247 (*num_entries) = count;
248 ads_msgfree(ads, res);
249
250 for (i=0; i<count; i++) {
251 struct wbint_userinfo *info = &((*pinfo)[i]);
252 const char *gecos = NULL;
253 gid_t primary_gid = (gid_t)-1;
254
255 status = nss_get_info_cached(domain, &info->user_sid, mem_ctx,
256 &info->homedir, &info->shell,
257 &gecos, &primary_gid);
258 if (!NT_STATUS_IS_OK(status)) {
259 /*
260 * Deliberately ignore this error, there might be more
261 * users to fill
262 */
263 continue;
264 }
265
266 if (gecos != NULL) {
267 info->full_name = gecos;
268 }
269 info->primary_gid = primary_gid;
270 }
271
272 status = NT_STATUS_OK;
273
274 DEBUG(3,("ads query_user_list gave %d entries\n", (*num_entries)));
275
276done:
277 return status;
278}
279
280/* list all domain groups */
281static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
282 TALLOC_CTX *mem_ctx,
283 uint32 *num_entries,
284 struct wb_acct_info **info)
285{
286 ADS_STRUCT *ads = NULL;
287 const char *attrs[] = {"userPrincipalName", "sAMAccountName",
288 "name", "objectSid", NULL};
289 int i, count;
290 ADS_STATUS rc;
291 LDAPMessage *res = NULL;
292 LDAPMessage *msg = NULL;
293 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
294 const char *filter;
295 bool enum_dom_local_groups = False;
296
297 *num_entries = 0;
298
299 DEBUG(3,("ads: enum_dom_groups\n"));
300
301 if ( !winbindd_can_contact_domain( domain ) ) {
302 DEBUG(10,("enum_dom_groups: No incoming trust for domain %s\n",
303 domain->name));
304 return NT_STATUS_OK;
305 }
306
307 /* only grab domain local groups for our domain */
308 if ( domain->active_directory && strequal(lp_realm(), domain->alt_name) ) {
309 enum_dom_local_groups = True;
310 }
311
312 /* Workaround ADS LDAP bug present in MS W2K3 SP0 and W2K SP4 w/o
313 * rollup-fixes:
314 *
315 * According to Section 5.1(4) of RFC 2251 if a value of a type is it's
316 * default value, it MUST be absent. In case of extensible matching the
317 * "dnattr" boolean defaults to FALSE and so it must be only be present
318 * when set to TRUE.
319 *
320 * When it is set to FALSE and the OpenLDAP lib (correctly) encodes a
321 * filter using bitwise matching rule then the buggy AD fails to decode
322 * the extensible match. As a workaround set it to TRUE and thereby add
323 * the dnAttributes "dn" field to cope with those older AD versions.
324 * It should not harm and won't put any additional load on the AD since
325 * none of the dn components have a bitmask-attribute.
326 *
327 * Thanks to Ralf Haferkamp for input and testing - Guenther */
328
329 filter = talloc_asprintf(mem_ctx, "(&(objectCategory=group)(&(groupType:dn:%s:=%d)(!(groupType:dn:%s:=%d))))",
330 ADS_LDAP_MATCHING_RULE_BIT_AND, GROUP_TYPE_SECURITY_ENABLED,
331 ADS_LDAP_MATCHING_RULE_BIT_AND,
332 enum_dom_local_groups ? GROUP_TYPE_BUILTIN_LOCAL_GROUP : GROUP_TYPE_RESOURCE_GROUP);
333
334 if (filter == NULL) {
335 status = NT_STATUS_NO_MEMORY;
336 goto done;
337 }
338
339 ads = ads_cached_connection(domain);
340
341 if (!ads) {
342 domain->last_status = NT_STATUS_SERVER_DISABLED;
343 goto done;
344 }
345
346 rc = ads_search_retry(ads, &res, filter, attrs);
347 if (!ADS_ERR_OK(rc)) {
348 status = ads_ntstatus(rc);
349 DEBUG(1,("enum_dom_groups ads_search: %s\n", ads_errstr(rc)));
350 goto done;
351 } else if (!res) {
352 DEBUG(1,("enum_dom_groups ads_search returned NULL res\n"));
353 goto done;
354 }
355
356 count = ads_count_replies(ads, res);
357 if (count == 0) {
358 DEBUG(1,("enum_dom_groups: No groups found\n"));
359 goto done;
360 }
361
362 (*info) = TALLOC_ZERO_ARRAY(mem_ctx, struct wb_acct_info, count);
363 if (!*info) {
364 status = NT_STATUS_NO_MEMORY;
365 goto done;
366 }
367
368 i = 0;
369
370 for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
371 char *name, *gecos;
372 struct dom_sid sid;
373 uint32 rid;
374
375 name = ads_pull_username(ads, mem_ctx, msg);
376 gecos = ads_pull_string(ads, mem_ctx, msg, "name");
377 if (!ads_pull_sid(ads, msg, "objectSid", &sid)) {
378 DEBUG(1,("No sid for %s !?\n", name));
379 continue;
380 }
381
382 if (!sid_peek_check_rid(&domain->sid, &sid, &rid)) {
383 DEBUG(1,("No rid for %s !?\n", name));
384 continue;
385 }
386
387 fstrcpy((*info)[i].acct_name, name);
388 fstrcpy((*info)[i].acct_desc, gecos);
389 (*info)[i].rid = rid;
390 i++;
391 }
392
393 (*num_entries) = i;
394
395 status = NT_STATUS_OK;
396
397 DEBUG(3,("ads enum_dom_groups gave %d entries\n", (*num_entries)));
398
399done:
400 if (res)
401 ads_msgfree(ads, res);
402
403 return status;
404}
405
406/* list all domain local groups */
407static NTSTATUS enum_local_groups(struct winbindd_domain *domain,
408 TALLOC_CTX *mem_ctx,
409 uint32 *num_entries,
410 struct wb_acct_info **info)
411{
412 /*
413 * This is a stub function only as we returned the domain
414 * local groups in enum_dom_groups() if the domain->native field
415 * was true. This is a simple performance optimization when
416 * using LDAP.
417 *
418 * if we ever need to enumerate domain local groups separately,
419 * then this optimization in enum_dom_groups() will need
420 * to be split out
421 */
422 *num_entries = 0;
423
424 return NT_STATUS_OK;
425}
426
427/* convert a single name to a sid in a domain - use rpc methods */
428static NTSTATUS name_to_sid(struct winbindd_domain *domain,
429 TALLOC_CTX *mem_ctx,
430 const char *domain_name,
431 const char *name,
432 uint32_t flags,
433 struct dom_sid *sid,
434 enum lsa_SidType *type)
435{
436 return reconnect_methods.name_to_sid(domain, mem_ctx,
437 domain_name, name, flags,
438 sid, type);
439}
440
441/* convert a domain SID to a user or group name - use rpc methods */
442static NTSTATUS sid_to_name(struct winbindd_domain *domain,
443 TALLOC_CTX *mem_ctx,
444 const struct dom_sid *sid,
445 char **domain_name,
446 char **name,
447 enum lsa_SidType *type)
448{
449 return reconnect_methods.sid_to_name(domain, mem_ctx, sid,
450 domain_name, name, type);
451}
452
453/* convert a list of rids to names - use rpc methods */
454static NTSTATUS rids_to_names(struct winbindd_domain *domain,
455 TALLOC_CTX *mem_ctx,
456 const struct dom_sid *sid,
457 uint32 *rids,
458 size_t num_rids,
459 char **domain_name,
460 char ***names,
461 enum lsa_SidType **types)
462{
463 return reconnect_methods.rids_to_names(domain, mem_ctx, sid,
464 rids, num_rids,
465 domain_name, names, types);
466}
467
468/* If you are looking for "dn_lookup": Yes, it used to be here!
469 * It has gone now since it was a major speed bottleneck in
470 * lookup_groupmem (its only use). It has been replaced by
471 * an rpc lookup sids call... R.I.P. */
472
473/* Lookup user information from a rid */
474static NTSTATUS query_user(struct winbindd_domain *domain,
475 TALLOC_CTX *mem_ctx,
476 const struct dom_sid *sid,
477 struct wbint_userinfo *info)
478{
479 ADS_STRUCT *ads = NULL;
480 const char *attrs[] = { "*", NULL };
481 ADS_STATUS rc;
482 int count;
483 LDAPMessage *msg = NULL;
484 char *ldap_exp;
485 char *sidstr;
486 uint32 group_rid;
487 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
488 struct netr_SamInfo3 *user = NULL;
489 gid_t gid = -1;
490 int ret;
491 char *ads_name;
492
493 DEBUG(3,("ads: query_user\n"));
494
495 info->homedir = NULL;
496 info->shell = NULL;
497
498 /* try netsamlogon cache first */
499
500 if ( (user = netsamlogon_cache_get( mem_ctx, sid )) != NULL )
501 {
502 DEBUG(5,("query_user: Cache lookup succeeded for %s\n",
503 sid_string_dbg(sid)));
504
505 sid_compose(&info->user_sid, &domain->sid, user->base.rid);
506 sid_compose(&info->group_sid, &domain->sid, user->base.primary_gid);
507
508 info->acct_name = talloc_strdup(mem_ctx, user->base.account_name.string);
509 info->full_name = talloc_strdup(mem_ctx, user->base.full_name.string);
510
511 nss_get_info_cached( domain, sid, mem_ctx,
512 &info->homedir, &info->shell, &info->full_name,
513 &gid );
514 info->primary_gid = gid;
515
516 TALLOC_FREE(user);
517
518 return NT_STATUS_OK;
519 }
520
521 if ( !winbindd_can_contact_domain(domain)) {
522 DEBUG(8,("query_user: No incoming trust from domain %s\n",
523 domain->name));
524
525 /* We still need to generate some basic information
526 about the user even if we cannot contact the
527 domain. Most of this stuff we can deduce. */
528
529 sid_copy( &info->user_sid, sid );
530
531 /* Assume "Domain Users" for the primary group */
532
533 sid_compose(&info->group_sid, &domain->sid, DOMAIN_RID_USERS );
534
535 /* Try to fill in what the nss_info backend can do */
536
537 nss_get_info_cached( domain, sid, mem_ctx,
538 &info->homedir, &info->shell, &info->full_name,
539 &gid);
540 info->primary_gid = gid;
541
542 return NT_STATUS_OK;
543 }
544
545 /* no cache...do the query */
546
547 if ( (ads = ads_cached_connection(domain)) == NULL ) {
548 domain->last_status = NT_STATUS_SERVER_DISABLED;
549 return NT_STATUS_SERVER_DISABLED;
550 }
551
552 sidstr = ldap_encode_ndr_dom_sid(talloc_tos(), sid);
553
554 ret = asprintf(&ldap_exp, "(objectSid=%s)", sidstr);
555 TALLOC_FREE(sidstr);
556 if (ret == -1) {
557 return NT_STATUS_NO_MEMORY;
558 }
559 rc = ads_search_retry(ads, &msg, ldap_exp, attrs);
560 SAFE_FREE(ldap_exp);
561 if (!ADS_ERR_OK(rc)) {
562 DEBUG(1,("query_user(sid=%s) ads_search: %s\n",
563 sid_string_dbg(sid), ads_errstr(rc)));
564 return ads_ntstatus(rc);
565 } else if (!msg) {
566 DEBUG(1,("query_user(sid=%s) ads_search returned NULL res\n",
567 sid_string_dbg(sid)));
568 return NT_STATUS_INTERNAL_ERROR;
569 }
570
571 count = ads_count_replies(ads, msg);
572 if (count != 1) {
573 DEBUG(1,("query_user(sid=%s): Not found\n",
574 sid_string_dbg(sid)));
575 ads_msgfree(ads, msg);
576 return NT_STATUS_NO_SUCH_USER;
577 }
578
579 info->acct_name = ads_pull_username(ads, mem_ctx, msg);
580
581 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &group_rid)) {
582 DEBUG(1,("No primary group for %s !?\n",
583 sid_string_dbg(sid)));
584 ads_msgfree(ads, msg);
585 return NT_STATUS_NO_SUCH_USER;
586 }
587 sid_copy(&info->user_sid, sid);
588 sid_compose(&info->group_sid, &domain->sid, group_rid);
589
590 /*
591 * We have to fetch the "name" attribute before doing the
592 * nss_get_info_cached call. nss_get_info_cached might destroy
593 * the ads struct, potentially invalidating the ldap message.
594 */
595 ads_name = ads_pull_string(ads, mem_ctx, msg, "name");
596
597 ads_msgfree(ads, msg);
598 msg = NULL;
599
600 status = nss_get_info_cached( domain, sid, mem_ctx,
601 &info->homedir, &info->shell, &info->full_name,
602 &gid);
603 info->primary_gid = gid;
604 if (!NT_STATUS_IS_OK(status)) {
605 DEBUG(1, ("nss_get_info_cached failed: %s\n",
606 nt_errstr(status)));
607 return status;
608 }
609
610 if (info->full_name == NULL) {
611 info->full_name = ads_name;
612 } else {
613 TALLOC_FREE(ads_name);
614 }
615
616 status = NT_STATUS_OK;
617
618 DEBUG(3,("ads query_user gave %s\n", info->acct_name));
619 return NT_STATUS_OK;
620}
621
622/* Lookup groups a user is a member of - alternate method, for when
623 tokenGroups are not available. */
624static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain,
625 TALLOC_CTX *mem_ctx,
626 const char *user_dn,
627 struct dom_sid *primary_group,
628 uint32_t *p_num_groups, struct dom_sid **user_sids)
629{
630 ADS_STATUS rc;
631 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
632 int count;
633 LDAPMessage *res = NULL;
634 LDAPMessage *msg = NULL;
635 char *ldap_exp;
636 ADS_STRUCT *ads;
637 const char *group_attrs[] = {"objectSid", NULL};
638 char *escaped_dn;
639 uint32_t num_groups = 0;
640
641 DEBUG(3,("ads: lookup_usergroups_member\n"));
642
643 if ( !winbindd_can_contact_domain( domain ) ) {
644 DEBUG(10,("lookup_usergroups_members: No incoming trust for domain %s\n",
645 domain->name));
646 return NT_STATUS_OK;
647 }
648
649 ads = ads_cached_connection(domain);
650
651 if (!ads) {
652 domain->last_status = NT_STATUS_SERVER_DISABLED;
653 goto done;
654 }
655
656 if (!(escaped_dn = escape_ldap_string(talloc_tos(), user_dn))) {
657 status = NT_STATUS_NO_MEMORY;
658 goto done;
659 }
660
661 ldap_exp = talloc_asprintf(mem_ctx,
662 "(&(member=%s)(objectCategory=group)(groupType:dn:%s:=%d))",
663 escaped_dn,
664 ADS_LDAP_MATCHING_RULE_BIT_AND,
665 GROUP_TYPE_SECURITY_ENABLED);
666 if (!ldap_exp) {
667 DEBUG(1,("lookup_usergroups(dn=%s) asprintf failed!\n", user_dn));
668 TALLOC_FREE(escaped_dn);
669 status = NT_STATUS_NO_MEMORY;
670 goto done;
671 }
672
673 TALLOC_FREE(escaped_dn);
674
675 rc = ads_search_retry(ads, &res, ldap_exp, group_attrs);
676
677 if (!ADS_ERR_OK(rc)) {
678 DEBUG(1,("lookup_usergroups ads_search member=%s: %s\n", user_dn, ads_errstr(rc)));
679 return ads_ntstatus(rc);
680 } else if (!res) {
681 DEBUG(1,("lookup_usergroups ads_search returned NULL res\n"));
682 return NT_STATUS_INTERNAL_ERROR;
683 }
684
685
686 count = ads_count_replies(ads, res);
687
688 *user_sids = NULL;
689 num_groups = 0;
690
691 /* always add the primary group to the sid array */
692 status = add_sid_to_array(mem_ctx, primary_group, user_sids,
693 &num_groups);
694 if (!NT_STATUS_IS_OK(status)) {
695 goto done;
696 }
697
698 if (count > 0) {
699 for (msg = ads_first_entry(ads, res); msg;
700 msg = ads_next_entry(ads, msg)) {
701 struct dom_sid group_sid;
702
703 if (!ads_pull_sid(ads, msg, "objectSid", &group_sid)) {
704 DEBUG(1,("No sid for this group ?!?\n"));
705 continue;
706 }
707
708 /* ignore Builtin groups from ADS - Guenther */
709 if (sid_check_is_in_builtin(&group_sid)) {
710 continue;
711 }
712
713 status = add_sid_to_array(mem_ctx, &group_sid,
714 user_sids, &num_groups);
715 if (!NT_STATUS_IS_OK(status)) {
716 goto done;
717 }
718 }
719
720 }
721
722 *p_num_groups = num_groups;
723 status = (user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
724
725 DEBUG(3,("ads lookup_usergroups (member) succeeded for dn=%s\n", user_dn));
726done:
727 if (res)
728 ads_msgfree(ads, res);
729
730 return status;
731}
732
733/* Lookup groups a user is a member of - alternate method, for when
734 tokenGroups are not available. */
735static NTSTATUS lookup_usergroups_memberof(struct winbindd_domain *domain,
736 TALLOC_CTX *mem_ctx,
737 const char *user_dn,
738 struct dom_sid *primary_group,
739 uint32_t *p_num_groups,
740 struct dom_sid **user_sids)
741{
742 ADS_STATUS rc;
743 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
744 ADS_STRUCT *ads;
745 const char *attrs[] = {"memberOf", NULL};
746 uint32_t num_groups = 0;
747 struct dom_sid *group_sids = NULL;
748 int i;
749 char **strings = NULL;
750 size_t num_strings = 0, num_sids = 0;
751
752
753 DEBUG(3,("ads: lookup_usergroups_memberof\n"));
754
755 if ( !winbindd_can_contact_domain( domain ) ) {
756 DEBUG(10,("lookup_usergroups_memberof: No incoming trust for "
757 "domain %s\n", domain->name));
758 return NT_STATUS_OK;
759 }
760
761 ads = ads_cached_connection(domain);
762
763 if (!ads) {
764 domain->last_status = NT_STATUS_SERVER_DISABLED;
765 return NT_STATUS_UNSUCCESSFUL;
766 }
767
768 rc = ads_search_retry_extended_dn_ranged(ads, mem_ctx, user_dn, attrs,
769 ADS_EXTENDED_DN_HEX_STRING,
770 &strings, &num_strings);
771
772 if (!ADS_ERR_OK(rc)) {
773 DEBUG(1,("lookup_usergroups_memberof ads_search "
774 "member=%s: %s\n", user_dn, ads_errstr(rc)));
775 return ads_ntstatus(rc);
776 }
777
778 *user_sids = NULL;
779 num_groups = 0;
780
781 /* always add the primary group to the sid array */
782 status = add_sid_to_array(mem_ctx, primary_group, user_sids,
783 &num_groups);
784 if (!NT_STATUS_IS_OK(status)) {
785 goto done;
786 }
787
788 group_sids = TALLOC_ZERO_ARRAY(mem_ctx, struct dom_sid, num_strings + 1);
789 if (!group_sids) {
790 status = NT_STATUS_NO_MEMORY;
791 goto done;
792 }
793
794 for (i=0; i<num_strings; i++) {
795 rc = ads_get_sid_from_extended_dn(mem_ctx, strings[i],
796 ADS_EXTENDED_DN_HEX_STRING,
797 &(group_sids)[i]);
798 if (!ADS_ERR_OK(rc)) {
799 /* ignore members without SIDs */
800 if (NT_STATUS_EQUAL(ads_ntstatus(rc),
801 NT_STATUS_NOT_FOUND)) {
802 continue;
803 }
804 else {
805 status = ads_ntstatus(rc);
806 goto done;
807 }
808 }
809 num_sids++;
810 }
811
812 if (i == 0) {
813 DEBUG(1,("No memberOf for this user?!?\n"));
814 status = NT_STATUS_NO_MEMORY;
815 goto done;
816 }
817
818 for (i=0; i<num_sids; i++) {
819
820 /* ignore Builtin groups from ADS - Guenther */
821 if (sid_check_is_in_builtin(&group_sids[i])) {
822 continue;
823 }
824
825 status = add_sid_to_array(mem_ctx, &group_sids[i], user_sids,
826 &num_groups);
827 if (!NT_STATUS_IS_OK(status)) {
828 goto done;
829 }
830
831 }
832
833 *p_num_groups = num_groups;
834 status = (*user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
835
836 DEBUG(3,("ads lookup_usergroups (memberof) succeeded for dn=%s\n",
837 user_dn));
838
839done:
840 TALLOC_FREE(strings);
841 TALLOC_FREE(group_sids);
842
843 return status;
844}
845
846
847/* Lookup groups a user is a member of. */
848static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
849 TALLOC_CTX *mem_ctx,
850 const struct dom_sid *sid,
851 uint32 *p_num_groups, struct dom_sid **user_sids)
852{
853 ADS_STRUCT *ads = NULL;
854 const char *attrs[] = {"tokenGroups", "primaryGroupID", NULL};
855 ADS_STATUS rc;
856 int count;
857 LDAPMessage *msg = NULL;
858 char *user_dn = NULL;
859 struct dom_sid *sids;
860 int i;
861 struct dom_sid primary_group;
862 uint32 primary_group_rid;
863 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
864 uint32_t num_groups = 0;
865
866 DEBUG(3,("ads: lookup_usergroups\n"));
867 *p_num_groups = 0;
868
869 status = lookup_usergroups_cached(domain, mem_ctx, sid,
870 p_num_groups, user_sids);
871 if (NT_STATUS_IS_OK(status)) {
872 return NT_STATUS_OK;
873 }
874
875 if ( !winbindd_can_contact_domain( domain ) ) {
876 DEBUG(10,("lookup_usergroups: No incoming trust for domain %s\n",
877 domain->name));
878
879 /* Tell the cache manager not to remember this one */
880
881 return NT_STATUS_SYNCHRONIZATION_REQUIRED;
882 }
883
884 ads = ads_cached_connection(domain);
885
886 if (!ads) {
887 domain->last_status = NT_STATUS_SERVER_DISABLED;
888 status = NT_STATUS_SERVER_DISABLED;
889 goto done;
890 }
891
892 rc = ads_search_retry_sid(ads, &msg, sid, attrs);
893
894 if (!ADS_ERR_OK(rc)) {
895 status = ads_ntstatus(rc);
896 DEBUG(1, ("lookup_usergroups(sid=%s) ads_search tokenGroups: "
897 "%s\n", sid_string_dbg(sid), ads_errstr(rc)));
898 goto done;
899 }
900
901 count = ads_count_replies(ads, msg);
902 if (count != 1) {
903 status = NT_STATUS_UNSUCCESSFUL;
904 DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: "
905 "invalid number of results (count=%d)\n",
906 sid_string_dbg(sid), count));
907 goto done;
908 }
909
910 if (!msg) {
911 DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: NULL msg\n",
912 sid_string_dbg(sid)));
913 status = NT_STATUS_UNSUCCESSFUL;
914 goto done;
915 }
916
917 user_dn = ads_get_dn(ads, mem_ctx, msg);
918 if (user_dn == NULL) {
919 status = NT_STATUS_NO_MEMORY;
920 goto done;
921 }
922
923 if (!ads_pull_uint32(ads, msg, "primaryGroupID", &primary_group_rid)) {
924 DEBUG(1,("%s: No primary group for sid=%s !?\n",
925 domain->name, sid_string_dbg(sid)));
926 goto done;
927 }
928
929 sid_compose(&primary_group, &domain->sid, primary_group_rid);
930
931 count = ads_pull_sids(ads, mem_ctx, msg, "tokenGroups", &sids);
932
933 /* there must always be at least one group in the token,
934 unless we are talking to a buggy Win2k server */
935
936 /* actually this only happens when the machine account has no read
937 * permissions on the tokenGroup attribute - gd */
938
939 if (count == 0) {
940
941 /* no tokenGroups */
942
943 /* lookup what groups this user is a member of by DN search on
944 * "memberOf" */
945
946 status = lookup_usergroups_memberof(domain, mem_ctx, user_dn,
947 &primary_group,
948 &num_groups, user_sids);
949 *p_num_groups = num_groups;
950 if (NT_STATUS_IS_OK(status)) {
951 goto done;
952 }
953
954 /* lookup what groups this user is a member of by DN search on
955 * "member" */
956
957 status = lookup_usergroups_member(domain, mem_ctx, user_dn,
958 &primary_group,
959 &num_groups, user_sids);
960 *p_num_groups = num_groups;
961 goto done;
962 }
963
964 *user_sids = NULL;
965 num_groups = 0;
966
967 status = add_sid_to_array(mem_ctx, &primary_group, user_sids,
968 &num_groups);
969 if (!NT_STATUS_IS_OK(status)) {
970 goto done;
971 }
972
973 for (i=0;i<count;i++) {
974
975 /* ignore Builtin groups from ADS - Guenther */
976 if (sid_check_is_in_builtin(&sids[i])) {
977 continue;
978 }
979
980 status = add_sid_to_array_unique(mem_ctx, &sids[i],
981 user_sids, &num_groups);
982 if (!NT_STATUS_IS_OK(status)) {
983 goto done;
984 }
985 }
986
987 *p_num_groups = (uint32)num_groups;
988 status = (*user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
989
990 DEBUG(3,("ads lookup_usergroups (tokenGroups) succeeded for sid=%s\n",
991 sid_string_dbg(sid)));
992done:
993 TALLOC_FREE(user_dn);
994 ads_msgfree(ads, msg);
995 return status;
996}
997
998/* Lookup aliases a user is member of - use rpc methods */
999static NTSTATUS lookup_useraliases(struct winbindd_domain *domain,
1000 TALLOC_CTX *mem_ctx,
1001 uint32 num_sids, const struct dom_sid *sids,
1002 uint32 *num_aliases, uint32 **alias_rids)
1003{
1004 return reconnect_methods.lookup_useraliases(domain, mem_ctx,
1005 num_sids, sids,
1006 num_aliases,
1007 alias_rids);
1008}
1009
1010/*
1011 find the members of a group, given a group rid and domain
1012 */
1013static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
1014 TALLOC_CTX *mem_ctx,
1015 const struct dom_sid *group_sid,
1016 enum lsa_SidType type,
1017 uint32 *num_names,
1018 struct dom_sid **sid_mem, char ***names,
1019 uint32 **name_types)
1020{
1021 ADS_STATUS rc;
1022 ADS_STRUCT *ads = NULL;
1023 char *ldap_exp;
1024 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
1025 char *sidbinstr;
1026 char **members = NULL;
1027 int i;
1028 size_t num_members = 0;
1029 ads_control args;
1030 struct dom_sid *sid_mem_nocache = NULL;
1031 char **names_nocache = NULL;
1032 enum lsa_SidType *name_types_nocache = NULL;
1033 char **domains_nocache = NULL; /* only needed for rpccli_lsa_lookup_sids */
1034 uint32 num_nocache = 0;
1035 TALLOC_CTX *tmp_ctx = NULL;
1036
1037 DEBUG(10,("ads: lookup_groupmem %s sid=%s\n", domain->name,
1038 sid_string_dbg(group_sid)));
1039
1040 *num_names = 0;
1041
1042 tmp_ctx = talloc_new(mem_ctx);
1043 if (!tmp_ctx) {
1044 DEBUG(1, ("ads: lookup_groupmem: talloc failed\n"));
1045 status = NT_STATUS_NO_MEMORY;
1046 goto done;
1047 }
1048
1049 if ( !winbindd_can_contact_domain( domain ) ) {
1050 DEBUG(10,("lookup_groupmem: No incoming trust for domain %s\n",
1051 domain->name));
1052 return NT_STATUS_OK;
1053 }
1054
1055 ads = ads_cached_connection(domain);
1056
1057 if (!ads) {
1058 domain->last_status = NT_STATUS_SERVER_DISABLED;
1059 goto done;
1060 }
1061
1062 if ((sidbinstr = ldap_encode_ndr_dom_sid(talloc_tos(), group_sid)) == NULL) {
1063 status = NT_STATUS_NO_MEMORY;
1064 goto done;
1065 }
1066
1067 /* search for all members of the group */
1068 ldap_exp = talloc_asprintf(tmp_ctx, "(objectSid=%s)", sidbinstr);
1069 TALLOC_FREE(sidbinstr);
1070 if (ldap_exp == NULL) {
1071 DEBUG(1, ("ads: lookup_groupmem: talloc_asprintf for ldap_exp failed!\n"));
1072 status = NT_STATUS_NO_MEMORY;
1073 goto done;
1074 }
1075
1076 args.control = ADS_EXTENDED_DN_OID;
1077 args.val = ADS_EXTENDED_DN_HEX_STRING;
1078 args.critical = True;
1079
1080 rc = ads_ranged_search(ads, tmp_ctx, LDAP_SCOPE_SUBTREE, ads->config.bind_path,
1081 ldap_exp, &args, "member", &members, &num_members);
1082
1083 if (!ADS_ERR_OK(rc)) {
1084 DEBUG(0,("ads_ranged_search failed with: %s\n", ads_errstr(rc)));
1085 status = NT_STATUS_UNSUCCESSFUL;
1086 goto done;
1087 }
1088
1089 DEBUG(10, ("ads lookup_groupmem: got %d sids via extended dn call\n", (int)num_members));
1090
1091 /* Now that we have a list of sids, we need to get the
1092 * lists of names and name_types belonging to these sids.
1093 * even though conceptually not quite clean, we use the
1094 * RPC call lsa_lookup_sids for this since it can handle a
1095 * list of sids. ldap calls can just resolve one sid at a time.
1096 *
1097 * At this stage, the sids are still hidden in the exetended dn
1098 * member output format. We actually do a little better than
1099 * stated above: In extracting the sids from the member strings,
1100 * we try to resolve as many sids as possible from the
1101 * cache. Only the rest is passed to the lsa_lookup_sids call. */
1102
1103 if (num_members) {
1104 (*sid_mem) = TALLOC_ZERO_ARRAY(mem_ctx, struct dom_sid, num_members);
1105 (*names) = TALLOC_ZERO_ARRAY(mem_ctx, char *, num_members);
1106 (*name_types) = TALLOC_ZERO_ARRAY(mem_ctx, uint32, num_members);
1107 (sid_mem_nocache) = TALLOC_ZERO_ARRAY(tmp_ctx, struct dom_sid, num_members);
1108
1109 if ((members == NULL) || (*sid_mem == NULL) ||
1110 (*names == NULL) || (*name_types == NULL) ||
1111 (sid_mem_nocache == NULL))
1112 {
1113 DEBUG(1, ("ads: lookup_groupmem: talloc failed\n"));
1114 status = NT_STATUS_NO_MEMORY;
1115 goto done;
1116 }
1117 }
1118 else {
1119 (*sid_mem) = NULL;
1120 (*names) = NULL;
1121 (*name_types) = NULL;
1122 }
1123
1124 for (i=0; i<num_members; i++) {
1125 enum lsa_SidType name_type;
1126 char *name, *domain_name;
1127 struct dom_sid sid;
1128
1129 rc = ads_get_sid_from_extended_dn(tmp_ctx, members[i], args.val,
1130 &sid);
1131 if (!ADS_ERR_OK(rc)) {
1132 if (NT_STATUS_EQUAL(ads_ntstatus(rc),
1133 NT_STATUS_NOT_FOUND)) {
1134 /* Group members can be objects, like Exchange
1135 * Public Folders, that don't have a SID. Skip
1136 * them. */
1137 continue;
1138 }
1139 else {
1140 status = ads_ntstatus(rc);
1141 goto done;
1142 }
1143 }
1144 if (lookup_cached_sid(mem_ctx, &sid, &domain_name, &name,
1145 &name_type)) {
1146 DEBUG(10,("ads: lookup_groupmem: got sid %s from "
1147 "cache\n", sid_string_dbg(&sid)));
1148 sid_copy(&(*sid_mem)[*num_names], &sid);
1149 (*names)[*num_names] = fill_domain_username_talloc(
1150 *names,
1151 domain_name,
1152 name,
1153 true);
1154
1155 (*name_types)[*num_names] = name_type;
1156 (*num_names)++;
1157 }
1158 else {
1159 DEBUG(10, ("ads: lookup_groupmem: sid %s not found in "
1160 "cache\n", sid_string_dbg(&sid)));
1161 sid_copy(&(sid_mem_nocache)[num_nocache], &sid);
1162 num_nocache++;
1163 }
1164 }
1165
1166 DEBUG(10, ("ads: lookup_groupmem: %d sids found in cache, "
1167 "%d left for lsa_lookupsids\n", *num_names, num_nocache));
1168
1169 /* handle sids not resolved from cache by lsa_lookup_sids */
1170 if (num_nocache > 0) {
1171
1172 status = winbindd_lookup_sids(tmp_ctx,
1173 domain,
1174 num_nocache,
1175 sid_mem_nocache,
1176 &domains_nocache,
1177 &names_nocache,
1178 &name_types_nocache);
1179
1180 if (!(NT_STATUS_IS_OK(status) ||
1181 NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED) ||
1182 NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)))
1183 {
1184 DEBUG(1, ("lsa_lookupsids call failed with %s "
1185 "- retrying...\n", nt_errstr(status)));
1186
1187 status = winbindd_lookup_sids(tmp_ctx,
1188 domain,
1189 num_nocache,
1190 sid_mem_nocache,
1191 &domains_nocache,
1192 &names_nocache,
1193 &name_types_nocache);
1194 }
1195
1196 if (NT_STATUS_IS_OK(status) ||
1197 NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED))
1198 {
1199 /* Copy the entries over from the "_nocache" arrays
1200 * to the result arrays, skipping the gaps the
1201 * lookup_sids call left. */
1202 for (i=0; i < num_nocache; i++) {
1203 if (((names_nocache)[i] != NULL) &&
1204 ((name_types_nocache)[i] != SID_NAME_UNKNOWN))
1205 {
1206 sid_copy(&(*sid_mem)[*num_names],
1207 &sid_mem_nocache[i]);
1208 (*names)[*num_names] =
1209 fill_domain_username_talloc(
1210 *names,
1211 domains_nocache[i],
1212 names_nocache[i],
1213 true);
1214 (*name_types)[*num_names] = name_types_nocache[i];
1215 (*num_names)++;
1216 }
1217 }
1218 }
1219 else if (NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)) {
1220 DEBUG(10, ("lookup_groupmem: lsa_lookup_sids could "
1221 "not map any SIDs at all.\n"));
1222 /* Don't handle this as an error here.
1223 * There is nothing left to do with respect to the
1224 * overall result... */
1225 }
1226 else if (!NT_STATUS_IS_OK(status)) {
1227 DEBUG(10, ("lookup_groupmem: Error looking up %d "
1228 "sids via rpc_lsa_lookup_sids: %s\n",
1229 (int)num_members, nt_errstr(status)));
1230 goto done;
1231 }
1232 }
1233
1234 status = NT_STATUS_OK;
1235 DEBUG(3,("ads lookup_groupmem for sid=%s succeeded\n",
1236 sid_string_dbg(group_sid)));
1237
1238done:
1239
1240 TALLOC_FREE(tmp_ctx);
1241
1242 return status;
1243}
1244
1245/* find the sequence number for a domain */
1246static NTSTATUS sequence_number(struct winbindd_domain *domain, uint32 *seq)
1247{
1248 ADS_STRUCT *ads = NULL;
1249 ADS_STATUS rc;
1250
1251 DEBUG(3,("ads: fetch sequence_number for %s\n", domain->name));
1252
1253 if ( !winbindd_can_contact_domain( domain ) ) {
1254 DEBUG(10,("sequence: No incoming trust for domain %s\n",
1255 domain->name));
1256 *seq = time(NULL);
1257 return NT_STATUS_OK;
1258 }
1259
1260 *seq = DOM_SEQUENCE_NONE;
1261
1262 ads = ads_cached_connection(domain);
1263
1264 if (!ads) {
1265 domain->last_status = NT_STATUS_SERVER_DISABLED;
1266 return NT_STATUS_UNSUCCESSFUL;
1267 }
1268
1269 rc = ads_USN(ads, seq);
1270
1271 if (!ADS_ERR_OK(rc)) {
1272
1273 /* its a dead connection, destroy it */
1274
1275 if (domain->private_data) {
1276 ads = (ADS_STRUCT *)domain->private_data;
1277 ads->is_mine = True;
1278 ads_destroy(&ads);
1279 ads_kdestroy("MEMORY:winbind_ccache");
1280 domain->private_data = NULL;
1281 }
1282 }
1283 return ads_ntstatus(rc);
1284}
1285
1286/* find the lockout policy of a domain - use rpc methods */
1287static NTSTATUS lockout_policy(struct winbindd_domain *domain,
1288 TALLOC_CTX *mem_ctx,
1289 struct samr_DomInfo12 *policy)
1290{
1291 return reconnect_methods.lockout_policy(domain, mem_ctx, policy);
1292}
1293
1294/* find the password policy of a domain - use rpc methods */
1295static NTSTATUS password_policy(struct winbindd_domain *domain,
1296 TALLOC_CTX *mem_ctx,
1297 struct samr_DomInfo1 *policy)
1298{
1299 return reconnect_methods.password_policy(domain, mem_ctx, policy);
1300}
1301
1302/* get a list of trusted domains */
1303static NTSTATUS trusted_domains(struct winbindd_domain *domain,
1304 TALLOC_CTX *mem_ctx,
1305 struct netr_DomainTrustList *trusts)
1306{
1307 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1308 WERROR werr;
1309 int i;
1310 uint32 flags;
1311 struct rpc_pipe_client *cli;
1312 int ret_count;
1313 struct dcerpc_binding_handle *b;
1314
1315 DEBUG(3,("ads: trusted_domains\n"));
1316
1317 ZERO_STRUCTP(trusts);
1318
1319 /* If this is our primary domain or a root in our forest,
1320 query for all trusts. If not, then just look for domain
1321 trusts in the target forest */
1322
1323 if (domain->primary || domain_is_forest_root(domain)) {
1324 flags = NETR_TRUST_FLAG_OUTBOUND |
1325 NETR_TRUST_FLAG_INBOUND |
1326 NETR_TRUST_FLAG_IN_FOREST;
1327 } else {
1328 flags = NETR_TRUST_FLAG_IN_FOREST;
1329 }
1330
1331 result = cm_connect_netlogon(domain, &cli);
1332
1333 if (!NT_STATUS_IS_OK(result)) {
1334 DEBUG(5, ("trusted_domains: Could not open a connection to %s "
1335 "for PIPE_NETLOGON (%s)\n",
1336 domain->name, nt_errstr(result)));
1337 return NT_STATUS_UNSUCCESSFUL;
1338 }
1339
1340 b = cli->binding_handle;
1341
1342 result = dcerpc_netr_DsrEnumerateDomainTrusts(b, mem_ctx,
1343 cli->desthost,
1344 flags,
1345 trusts,
1346 &werr);
1347 if (!NT_STATUS_IS_OK(result)) {
1348 return result;
1349 }
1350
1351 if (!W_ERROR_IS_OK(werr)) {
1352 return werror_to_ntstatus(werr);
1353 }
1354 if (trusts->count == 0) {
1355 return NT_STATUS_OK;
1356 }
1357
1358 /* Copy across names and sids */
1359
1360 ret_count = 0;
1361 for (i = 0; i < trusts->count; i++) {
1362 struct netr_DomainTrust *trust = &trusts->array[i];
1363 struct winbindd_domain d;
1364
1365 ZERO_STRUCT(d);
1366
1367 /*
1368 * drop external trusts if this is not our primary
1369 * domain. This means that the returned number of
1370 * domains may be less that the ones actually trusted
1371 * by the DC.
1372 */
1373
1374 if ((trust->trust_attributes
1375 == NETR_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) &&
1376 !domain->primary )
1377 {
1378 DEBUG(10,("trusted_domains: Skipping external trusted "
1379 "domain %s because it is outside of our "
1380 "primary domain\n",
1381 trust->netbios_name));
1382 continue;
1383 }
1384
1385 /* add to the trusted domain cache */
1386
1387 fstrcpy(d.name, trust->netbios_name);
1388 fstrcpy(d.alt_name, trust->dns_name);
1389 if (trust->sid) {
1390 sid_copy(&d.sid, trust->sid);
1391 } else {
1392 sid_copy(&d.sid, &global_sid_NULL);
1393 }
1394
1395 if ( domain->primary ) {
1396 DEBUG(10,("trusted_domains(ads): Searching "
1397 "trusted domain list of %s and storing "
1398 "trust flags for domain %s\n",
1399 domain->name, d.alt_name));
1400
1401 d.domain_flags = trust->trust_flags;
1402 d.domain_type = trust->trust_type;
1403 d.domain_trust_attribs = trust->trust_attributes;
1404
1405 wcache_tdc_add_domain( &d );
1406 ret_count++;
1407 } else if (domain_is_forest_root(domain)) {
1408 /* Check if we already have this record. If
1409 * we are following our forest root that is not
1410 * our primary domain, we want to keep trust
1411 * flags from the perspective of our primary
1412 * domain not our forest root. */
1413 struct winbindd_tdc_domain *exist = NULL;
1414
1415 exist = wcache_tdc_fetch_domain(
1416 talloc_tos(), trust->netbios_name);
1417 if (!exist) {
1418 DEBUG(10,("trusted_domains(ads): Searching "
1419 "trusted domain list of %s and "
1420 "storing trust flags for domain "
1421 "%s\n", domain->name, d.alt_name));
1422 d.domain_flags = trust->trust_flags;
1423 d.domain_type = trust->trust_type;
1424 d.domain_trust_attribs =
1425 trust->trust_attributes;
1426
1427 wcache_tdc_add_domain( &d );
1428 ret_count++;
1429 }
1430 TALLOC_FREE(exist);
1431 } else {
1432 /* This gets a little tricky. If we are
1433 following a transitive forest trust, then
1434 innerit the flags, type, and attribs from
1435 the domain we queried to make sure we don't
1436 record the view of the trust from the wrong
1437 side. Always view it from the side of our
1438 primary domain. --jerry */
1439 struct winbindd_tdc_domain *parent = NULL;
1440
1441 DEBUG(10,("trusted_domains(ads): Searching "
1442 "trusted domain list of %s and inheriting "
1443 "trust flags for domain %s\n",
1444 domain->name, d.alt_name));
1445
1446 parent = wcache_tdc_fetch_domain(talloc_tos(),
1447 domain->name);
1448 if (parent) {
1449 d.domain_flags = parent->trust_flags;
1450 d.domain_type = parent->trust_type;
1451 d.domain_trust_attribs = parent->trust_attribs;
1452 } else {
1453 d.domain_flags = domain->domain_flags;
1454 d.domain_type = domain->domain_type;
1455 d.domain_trust_attribs =
1456 domain->domain_trust_attribs;
1457 }
1458 TALLOC_FREE(parent);
1459
1460 wcache_tdc_add_domain( &d );
1461 ret_count++;
1462 }
1463 }
1464 return result;
1465}
1466
1467/* the ADS backend methods are exposed via this structure */
1468struct winbindd_methods ads_methods = {
1469 True,
1470 query_user_list,
1471 enum_dom_groups,
1472 enum_local_groups,
1473 name_to_sid,
1474 sid_to_name,
1475 rids_to_names,
1476 query_user,
1477 lookup_usergroups,
1478 lookup_useraliases,
1479 lookup_groupmem,
1480 sequence_number,
1481 lockout_policy,
1482 password_policy,
1483 trusted_domains,
1484};
1485
1486#endif
Note: See TracBrowser for help on using the repository browser.