Changeset 228 for branches/samba-3.2.x/source/winbindd/winbindd_ads.c
- Timestamp:
- May 26, 2009, 9:44:50 AM (16 years ago)
- File:
-
- 1 edited
Legend:
- Unmodified
- Added
- Removed
-
branches/samba-3.2.x/source/winbindd/winbindd_ads.c
r204 r228 402 402 } 403 403 404 /* convert a single name to a sid in a domain - use rpc methods */ 405 static NTSTATUS name_to_sid(struct winbindd_domain *domain, 406 TALLOC_CTX *mem_ctx, 407 enum winbindd_cmd orig_cmd, 408 const char *domain_name, 409 const char *name, 410 DOM_SID *sid, 411 enum lsa_SidType *type) 412 { 413 return reconnect_methods.name_to_sid(domain, mem_ctx, orig_cmd, 414 domain_name, name, 415 sid, type); 416 } 417 418 /* convert a domain SID to a user or group name - use rpc methods */ 419 static NTSTATUS sid_to_name(struct winbindd_domain *domain, 420 TALLOC_CTX *mem_ctx, 421 const DOM_SID *sid, 422 char **domain_name, 423 char **name, 424 enum lsa_SidType *type) 425 { 426 return reconnect_methods.sid_to_name(domain, mem_ctx, sid, 427 domain_name, name, type); 428 } 429 430 /* convert a list of rids to names - use rpc methods */ 431 static NTSTATUS rids_to_names(struct winbindd_domain *domain, 432 TALLOC_CTX *mem_ctx, 433 const DOM_SID *sid, 434 uint32 *rids, 435 size_t num_rids, 436 char **domain_name, 437 char ***names, 438 enum lsa_SidType **types) 439 { 440 return reconnect_methods.rids_to_names(domain, mem_ctx, sid, 441 rids, num_rids, 442 domain_name, names, types); 443 } 444 404 445 /* If you are looking for "dn_lookup": Yes, it used to be here! 405 446 * It has gone now since it was a major speed bottleneck in … … 642 683 static NTSTATUS lookup_usergroups_memberof(struct winbindd_domain *domain, 643 684 TALLOC_CTX *mem_ctx, 644 const char *user_dn, 685 const char *user_dn, 645 686 DOM_SID *primary_group, 646 size_t *p_num_groups, DOM_SID **user_sids) 687 size_t *p_num_groups, 688 DOM_SID **user_sids) 647 689 { 648 690 ADS_STATUS rc; … … 653 695 DOM_SID *group_sids = NULL; 654 696 int i; 655 char **strings ;656 size_t num_strings = 0 ;697 char **strings = NULL; 698 size_t num_strings = 0, num_sids = 0; 657 699 658 700 … … 660 702 661 703 if ( !winbindd_can_contact_domain( domain ) ) { 662 DEBUG(10,("lookup_usergroups_memberof: No incoming trust for domain %s\n",663 domain->name));704 DEBUG(10,("lookup_usergroups_memberof: No incoming trust for " 705 "domain %s\n", domain->name)); 664 706 return NT_STATUS_OK; 665 707 } … … 669 711 if (!ads) { 670 712 domain->last_status = NT_STATUS_SERVER_DISABLED; 671 goto done;672 } 673 674 rc = ads_search_retry_extended_dn_ranged(ads, mem_ctx, user_dn, attrs, 675 ADS_EXTENDED_DN_HEX_STRING, 713 return NT_STATUS_UNSUCCESSFUL; 714 } 715 716 rc = ads_search_retry_extended_dn_ranged(ads, mem_ctx, user_dn, attrs, 717 ADS_EXTENDED_DN_HEX_STRING, 676 718 &strings, &num_strings); 677 719 678 720 if (!ADS_ERR_OK(rc)) { 679 DEBUG(1,("lookup_usergroups_memberof ads_search member=%s: %s\n",680 user_dn, ads_errstr(rc)));721 DEBUG(1,("lookup_usergroups_memberof ads_search " 722 "member=%s: %s\n", user_dn, ads_errstr(rc))); 681 723 return ads_ntstatus(rc); 682 724 } 683 725 684 726 *user_sids = NULL; 685 727 num_groups = 0; … … 694 736 group_sids = TALLOC_ZERO_ARRAY(mem_ctx, DOM_SID, num_strings + 1); 695 737 if (!group_sids) { 696 TALLOC_FREE(strings);697 738 status = NT_STATUS_NO_MEMORY; 698 739 goto done; … … 700 741 701 742 for (i=0; i<num_strings; i++) { 702 703 if (!ads_get_sid_from_extended_dn(mem_ctx, strings[i], 704 ADS_EXTENDED_DN_HEX_STRING, 705 &(group_sids)[i])) { 706 TALLOC_FREE(group_sids); 707 TALLOC_FREE(strings); 708 status = NT_STATUS_NO_MEMORY; 709 goto done; 710 } 743 rc = ads_get_sid_from_extended_dn(mem_ctx, strings[i], 744 ADS_EXTENDED_DN_HEX_STRING, 745 &(group_sids)[i]); 746 if (!ADS_ERR_OK(rc)) { 747 /* ignore members without SIDs */ 748 if (NT_STATUS_EQUAL(ads_ntstatus(rc), 749 NT_STATUS_NOT_FOUND)) { 750 continue; 751 } 752 else { 753 status = ads_ntstatus(rc); 754 goto done; 755 } 756 } 757 num_sids++; 711 758 } 712 759 … … 717 764 } 718 765 719 for (i=0; i<num_s trings; i++) {766 for (i=0; i<num_sids; i++) { 720 767 721 768 /* ignore Builtin groups from ADS - Guenther */ … … 729 776 goto done; 730 777 } 731 778 732 779 } 733 780 … … 735 782 status = (*user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY; 736 783 737 DEBUG(3,("ads lookup_usergroups (memberof) succeeded for dn=%s\n", user_dn)); 784 DEBUG(3,("ads lookup_usergroups (memberof) succeeded for dn=%s\n", 785 user_dn)); 786 738 787 done: 788 TALLOC_FREE(strings); 739 789 TALLOC_FREE(group_sids); 740 790 … … 895 945 } 896 946 947 /* Lookup aliases a user is member of - use rpc methods */ 948 static NTSTATUS lookup_useraliases(struct winbindd_domain *domain, 949 TALLOC_CTX *mem_ctx, 950 uint32 num_sids, const DOM_SID *sids, 951 uint32 *num_aliases, uint32 **alias_rids) 952 { 953 return reconnect_methods.lookup_useraliases(domain, mem_ctx, 954 num_sids, sids, 955 num_aliases, 956 alias_rids); 957 } 958 897 959 /* 898 960 find the members of a group, given a group rid and domain … … 900 962 static NTSTATUS lookup_groupmem(struct winbindd_domain *domain, 901 963 TALLOC_CTX *mem_ctx, 902 const DOM_SID *group_sid, uint32 *num_names, 903 DOM_SID **sid_mem, char ***names, 964 const DOM_SID *group_sid, uint32 *num_names, 965 DOM_SID **sid_mem, char ***names, 904 966 uint32 **name_types) 905 967 { … … 922 984 TALLOC_CTX *tmp_ctx = NULL; 923 985 924 DEBUG(10,("ads: lookup_groupmem %s sid=%s\n", domain->name, 986 DEBUG(10,("ads: lookup_groupmem %s sid=%s\n", domain->name, 925 987 sid_string_dbg(group_sid))); 926 988 … … 936 998 if ( !winbindd_can_contact_domain( domain ) ) { 937 999 DEBUG(10,("lookup_groupmem: No incoming trust for domain %s\n", 938 domain->name)); 1000 domain->name)); 939 1001 return NT_STATUS_OK; 940 1002 } 941 1003 942 1004 ads = ads_cached_connection(domain); 943 1005 944 1006 if (!ads) { 945 1007 domain->last_status = NT_STATUS_SERVER_DISABLED; … … 953 1015 954 1016 /* search for all members of the group */ 955 if (!(ldap_exp = talloc_asprintf(tmp_ctx, "(objectSid=%s)", 956 sidbinstr))) 1017 if (!(ldap_exp = talloc_asprintf(tmp_ctx, "(objectSid=%s)", 1018 sidbinstr))) 957 1019 { 958 1020 SAFE_FREE(sidbinstr); … … 967 1029 args.critical = True; 968 1030 969 rc = ads_ranged_search(ads, tmp_ctx, LDAP_SCOPE_SUBTREE, ads->config.bind_path, 1031 rc = ads_ranged_search(ads, tmp_ctx, LDAP_SCOPE_SUBTREE, ads->config.bind_path, 970 1032 ldap_exp, &args, "member", &members, &num_members); 971 1033 … … 974 1036 status = NT_STATUS_UNSUCCESSFUL; 975 1037 goto done; 976 } 977 1038 } 1039 978 1040 DEBUG(10, ("ads lookup_groupmem: got %d sids via extended dn call\n", (int)num_members)); 979 1041 980 1042 /* Now that we have a list of sids, we need to get the 981 1043 * lists of names and name_types belonging to these sids. 982 * even though conceptually not quite clean, we use the 983 * RPC call lsa_lookup_sids for this since it can handle a 1044 * even though conceptually not quite clean, we use the 1045 * RPC call lsa_lookup_sids for this since it can handle a 984 1046 * list of sids. ldap calls can just resolve one sid at a time. 985 1047 * … … 989 1051 * we try to resolve as many sids as possible from the 990 1052 * cache. Only the rest is passed to the lsa_lookup_sids call. */ 991 1053 992 1054 if (num_members) { 993 1055 (*sid_mem) = TALLOC_ZERO_ARRAY(mem_ctx, DOM_SID, num_members); … … 1016 1078 DOM_SID sid; 1017 1079 1018 if (!ads_get_sid_from_extended_dn(tmp_ctx, members[i], args.val, &sid)) { 1019 status = NT_STATUS_INVALID_PARAMETER; 1020 goto done; 1021 } 1022 if (lookup_cached_sid(mem_ctx, &sid, &domain_name, &name, &name_type)) { 1080 rc = ads_get_sid_from_extended_dn(tmp_ctx, members[i], args.val, 1081 &sid); 1082 if (!ADS_ERR_OK(rc)) { 1083 if (NT_STATUS_EQUAL(ads_ntstatus(rc), 1084 NT_STATUS_NOT_FOUND)) { 1085 /* Group members can be objects, like Exchange 1086 * Public Folders, that don't have a SID. Skip 1087 * them. */ 1088 continue; 1089 } 1090 else { 1091 status = ads_ntstatus(rc); 1092 goto done; 1093 } 1094 } 1095 if (lookup_cached_sid(mem_ctx, &sid, &domain_name, &name, 1096 &name_type)) { 1023 1097 DEBUG(10,("ads: lookup_groupmem: got sid %s from " 1024 1098 "cache\n", sid_string_dbg(&sid))); 1025 1099 sid_copy(&(*sid_mem)[*num_names], &sid); 1026 (*names)[*num_names] = talloc_asprintf(*names, "%s%c%s", 1027 domain_name, 1028 *lp_winbind_separator(), 1029 name ); 1100 (*names)[*num_names] = fill_domain_username_talloc( 1101 *names, 1102 domain_name, 1103 name, 1104 true); 1030 1105 1031 1106 (*name_types)[*num_names] = name_type; … … 1052 1127 } 1053 1128 1054 status = rpccli_lsa_lookup_sids(cli, tmp_ctx, 1129 status = rpccli_lsa_lookup_sids(cli, tmp_ctx, 1055 1130 &lsa_policy, 1056 num_nocache, 1057 sid_mem_nocache, 1058 &domains_nocache, 1059 &names_nocache, 1131 num_nocache, 1132 sid_mem_nocache, 1133 &domains_nocache, 1134 &names_nocache, 1060 1135 &name_types_nocache); 1061 1136 1137 if (!(NT_STATUS_IS_OK(status) || 1138 NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED) || 1139 NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED))) 1140 { 1141 DEBUG(1, ("lsa_lookupsids call failed with %s " 1142 "- retrying...\n", nt_errstr(status))); 1143 1144 status = cm_connect_lsa(domain, tmp_ctx, &cli, 1145 &lsa_policy); 1146 1147 if (!NT_STATUS_IS_OK(status)) { 1148 goto done; 1149 } 1150 1151 status = rpccli_lsa_lookup_sids(cli, tmp_ctx, 1152 &lsa_policy, 1153 num_nocache, 1154 sid_mem_nocache, 1155 &domains_nocache, 1156 &names_nocache, 1157 &name_types_nocache); 1158 } 1159 1062 1160 if (NT_STATUS_IS_OK(status) || 1063 NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED)) 1161 NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED)) 1064 1162 { 1065 /* Copy the entries over from the "_nocache" arrays 1066 * to the result arrays, skipping the gaps the 1163 /* Copy the entries over from the "_nocache" arrays 1164 * to the result arrays, skipping the gaps the 1067 1165 * lookup_sids call left. */ 1068 1166 for (i=0; i < num_nocache; i++) { 1069 if (((names_nocache)[i] != NULL) && 1070 ((name_types_nocache)[i] != SID_NAME_UNKNOWN)) 1167 if (((names_nocache)[i] != NULL) && 1168 ((name_types_nocache)[i] != SID_NAME_UNKNOWN)) 1071 1169 { 1072 1170 sid_copy(&(*sid_mem)[*num_names], 1073 1171 &sid_mem_nocache[i]); 1074 (*names)[*num_names] = talloc_asprintf( *names, 1075 "%s%c%s", 1076 domains_nocache[i], 1077 *lp_winbind_separator(), 1078 names_nocache[i] ); 1172 (*names)[*num_names] = 1173 fill_domain_username_talloc( 1174 *names, 1175 domains_nocache[i], 1176 names_nocache[i], 1177 true); 1079 1178 (*name_types)[*num_names] = name_types_nocache[i]; 1080 1179 (*num_names)++; … … 1147 1246 } 1148 1247 return ads_ntstatus(rc); 1248 } 1249 1250 /* find the lockout policy of a domain - use rpc methods */ 1251 static NTSTATUS lockout_policy(struct winbindd_domain *domain, 1252 TALLOC_CTX *mem_ctx, 1253 struct samr_DomInfo12 *policy) 1254 { 1255 return reconnect_methods.lockout_policy(domain, mem_ctx, policy); 1256 } 1257 1258 /* find the password policy of a domain - use rpc methods */ 1259 static NTSTATUS password_policy(struct winbindd_domain *domain, 1260 TALLOC_CTX *mem_ctx, 1261 struct samr_DomInfo1 *policy) 1262 { 1263 return reconnect_methods.password_policy(domain, mem_ctx, policy); 1149 1264 } 1150 1265 … … 1339 1454 enum_dom_groups, 1340 1455 enum_local_groups, 1341 msrpc_name_to_sid,1342 msrpc_sid_to_name,1343 msrpc_rids_to_names,1456 name_to_sid, 1457 sid_to_name, 1458 rids_to_names, 1344 1459 query_user, 1345 1460 lookup_usergroups, 1346 msrpc_lookup_useraliases,1461 lookup_useraliases, 1347 1462 lookup_groupmem, 1348 1463 sequence_number, 1349 msrpc_lockout_policy,1350 msrpc_password_policy,1464 lockout_policy, 1465 password_policy, 1351 1466 trusted_domains, 1352 1467 };
Note:
See TracChangeset
for help on using the changeset viewer.
