diff options
Diffstat (limited to 'source3/winbindd/winbindd_ads.c')
| -rw-r--r-- | source3/winbindd/winbindd_ads.c | 1604 |
1 files changed, 1604 insertions, 0 deletions
diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c new file mode 100644 index 0000000..7e572e5 --- /dev/null +++ b/source3/winbindd/winbindd_ads.c @@ -0,0 +1,1604 @@ +/* + Unix SMB/CIFS implementation. + + Winbind ADS backend functions + + Copyright (C) Andrew Tridgell 2001 + Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003 + Copyright (C) Gerald (Jerry) Carter 2004 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "includes.h" +#include "winbindd.h" +#include "winbindd_ads.h" +#include "libsmb/namequery.h" +#include "rpc_client/rpc_client.h" +#include "../librpc/gen_ndr/ndr_netlogon_c.h" +#include "../libds/common/flags.h" +#include "ads.h" +#include "../libcli/ldap/ldap_ndr.h" +#include "../libcli/security/security.h" +#include "../libds/common/flag_mapping.h" +#include "libsmb/samlogon_cache.h" +#include "passdb.h" +#include "auth/credentials/credentials.h" + +#ifdef HAVE_ADS + +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_WINBIND + +extern struct winbindd_methods reconnect_methods; +extern struct winbindd_methods msrpc_methods; + +#define WINBIND_CCACHE_NAME "MEMORY:winbind_ccache" + +/** + * Check if cached connection can be reused. If the connection cannot + * be reused the ADS_STRUCT is freed and the pointer is set to NULL. + */ +static void ads_cached_connection_reuse(ADS_STRUCT **adsp) +{ + + ADS_STRUCT *ads = *adsp; + + if (ads != NULL) { + time_t expire; + time_t now = time(NULL); + + expire = MIN(ads->auth.tgt_expire, ads->auth.tgs_expire); + + DEBUG(7, ("Current tickets expire in %d seconds (at %d, time " + "is now %d)\n", (uint32_t)expire - (uint32_t)now, + (uint32_t) expire, (uint32_t) now)); + + if ( ads->config.realm && (expire > now)) { + return; + } else { + /* we own this ADS_STRUCT so make sure it goes away */ + DEBUG(7,("Deleting expired krb5 credential cache\n")); + TALLOC_FREE(ads); + ads_kdestroy(WINBIND_CCACHE_NAME); + *adsp = NULL; + } + } +} + +/** + * @brief Establish a connection to a DC + * + * @param[out] adsp ADS_STRUCT that will be created + * @param[in] target_realm Realm of domain to connect to + * @param[in] target_dom_name 'workgroup' name of domain to connect to + * @param[in] ldap_server DNS name of server to connect to + * @param[in] password Our machine account secret + * @param[in] auth_realm Realm of local domain for creating krb token + * @param[in] renewable Renewable ticket time + * + * @return ADS_STATUS + */ +static ADS_STATUS ads_cached_connection_connect(const char *target_realm, + const char *target_dom_name, + const char *ldap_server, + char *password, + char *auth_realm, + time_t renewable, + TALLOC_CTX *mem_ctx, + ADS_STRUCT **adsp) +{ + TALLOC_CTX *tmp_ctx = talloc_stackframe(); + ADS_STRUCT *ads; + ADS_STATUS status; + struct sockaddr_storage dc_ss; + fstring dc_name; + enum credentials_use_kerberos krb5_state; + + if (auth_realm == NULL) { + TALLOC_FREE(tmp_ctx); + return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL); + } + + /* we don't want this to affect the users ccache */ + setenv("KRB5CCNAME", WINBIND_CCACHE_NAME, 1); + + ads = ads_init(tmp_ctx, + target_realm, + target_dom_name, + ldap_server, + ADS_SASL_SEAL); + if (!ads) { + DEBUG(1,("ads_init for domain %s failed\n", target_dom_name)); + status = ADS_ERROR(LDAP_NO_MEMORY); + goto out; + } + + ADS_TALLOC_CONST_FREE(ads->auth.password); + ADS_TALLOC_CONST_FREE(ads->auth.realm); + + ads->auth.renewable = renewable; + ads->auth.password = talloc_strdup(ads, password); + if (ads->auth.password == NULL) { + status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY); + goto out; + } + + /* In FIPS mode, client use kerberos is forced to required. */ + krb5_state = lp_client_use_kerberos(); + switch (krb5_state) { + case CRED_USE_KERBEROS_REQUIRED: + ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS; + ads->auth.flags &= ~ADS_AUTH_ALLOW_NTLMSSP; + break; + case CRED_USE_KERBEROS_DESIRED: + ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS; + ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP; + break; + case CRED_USE_KERBEROS_DISABLED: + ads->auth.flags |= ADS_AUTH_DISABLE_KERBEROS; + ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP; + break; + } + + ads->auth.realm = talloc_asprintf_strupper_m(ads, "%s", auth_realm); + if (ads->auth.realm == NULL) { + status = ADS_ERROR_NT(NT_STATUS_INTERNAL_ERROR); + goto out; + } + + /* Setup the server affinity cache. We don't reaally care + about the name. Just setup affinity and the KRB5_CONFIG + file. */ + get_dc_name(ads->server.workgroup, ads->server.realm, dc_name, &dc_ss); + + status = ads_connect(ads); + if (!ADS_ERR_OK(status)) { + DEBUG(1,("ads_connect for domain %s failed: %s\n", + target_dom_name, ads_errstr(status))); + goto out; + } + + *adsp = talloc_move(mem_ctx, &ads); +out: + TALLOC_FREE(tmp_ctx); + return status; +} + +ADS_STATUS ads_idmap_cached_connection(const char *dom_name, + TALLOC_CTX *mem_ctx, + ADS_STRUCT **adsp) +{ + TALLOC_CTX *tmp_ctx = talloc_stackframe(); + char *ldap_server = NULL; + char *realm = NULL; + char *password = NULL; + struct winbindd_domain *wb_dom = NULL; + ADS_STATUS status; + + if (IS_AD_DC) { + /* + * Make sure we never try to use LDAP against + * a trusted domain as AD DC. + */ + TALLOC_FREE(tmp_ctx); + return ADS_ERROR_NT(NT_STATUS_REQUEST_NOT_ACCEPTED); + } + + ads_cached_connection_reuse(adsp); + if (*adsp != NULL) { + TALLOC_FREE(tmp_ctx); + return ADS_SUCCESS; + } + + /* + * At this point we only have the NetBIOS domain name. + * Check if we can get server name and realm from SAF cache + * and the domain list. + */ + ldap_server = saf_fetch(tmp_ctx, dom_name); + + DBG_DEBUG("ldap_server from saf cache: '%s'\n", + ldap_server ? ldap_server : ""); + + wb_dom = find_domain_from_name(dom_name); + if (wb_dom == NULL) { + DBG_DEBUG("could not find domain '%s'\n", dom_name); + status = ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL); + goto out; + } + + DBG_DEBUG("find_domain_from_name found realm '%s' for " + " domain '%s'\n", wb_dom->alt_name, dom_name); + + if (!get_trust_pw_clear(dom_name, &password, NULL, NULL)) { + status = ADS_ERROR_NT(NT_STATUS_CANT_ACCESS_DOMAIN_INFO); + goto out; + } + + if (IS_DC) { + SMB_ASSERT(wb_dom->alt_name != NULL); + realm = talloc_strdup(tmp_ctx, wb_dom->alt_name); + } else { + struct winbindd_domain *our_domain = wb_dom; + + /* always give preference to the alt_name in our + primary domain if possible */ + + if (!wb_dom->primary) { + our_domain = find_our_domain(); + } + + if (our_domain->alt_name != NULL) { + realm = talloc_strdup(tmp_ctx, our_domain->alt_name); + } else { + realm = talloc_strdup(tmp_ctx, lp_realm()); + } + } + + if (realm == NULL) { + status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY); + goto out; + } + + status = ads_cached_connection_connect( + wb_dom->alt_name, /* realm to connect to. */ + dom_name, /* 'workgroup' name for ads_init */ + ldap_server, /* DNS name to connect to. */ + password, /* password for auth realm. */ + realm, /* realm used for krb5 ticket. */ + 0, /* renewable ticket time. */ + mem_ctx, /* memory context for ads struct */ + adsp); /* Returns ads struct. */ + +out: + TALLOC_FREE(tmp_ctx); + SAFE_FREE(password); + + return status; +} + +/* + return our ads connections structure for a domain. We keep the connection + open to make things faster +*/ +static ADS_STATUS ads_cached_connection(struct winbindd_domain *domain, + ADS_STRUCT **adsp) +{ + TALLOC_CTX *tmp_ctx = talloc_stackframe(); + ADS_STATUS status; + char *password = NULL; + char *realm = NULL; + + if (IS_AD_DC) { + /* + * Make sure we never try to use LDAP against + * a trusted domain as AD DC. + */ + TALLOC_FREE(tmp_ctx); + return ADS_ERROR_NT(NT_STATUS_REQUEST_NOT_ACCEPTED); + } + + DBG_DEBUG("ads_cached_connection\n"); + + ads_cached_connection_reuse(&domain->backend_data.ads_conn); + if (domain->backend_data.ads_conn != NULL) { + *adsp = domain->backend_data.ads_conn; + TALLOC_FREE(tmp_ctx); + return ADS_SUCCESS; + } + + /* the machine acct password might have change - fetch it every time */ + + if (!get_trust_pw_clear(domain->name, &password, NULL, NULL)) { + status = ADS_ERROR_NT(NT_STATUS_CANT_ACCESS_DOMAIN_INFO); + goto out; + } + + if ( IS_DC ) { + SMB_ASSERT(domain->alt_name != NULL); + realm = talloc_strdup(tmp_ctx, domain->alt_name); + } else { + struct winbindd_domain *our_domain = domain; + + + /* always give preference to the alt_name in our + primary domain if possible */ + + if ( !domain->primary ) + our_domain = find_our_domain(); + + if (our_domain->alt_name != NULL) { + realm = talloc_strdup(tmp_ctx, our_domain->alt_name ); + } else { + realm = talloc_strdup(tmp_ctx, lp_realm() ); + } + } + + if (realm == NULL) { + status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY); + goto out; + } + + status = ads_cached_connection_connect( + domain->alt_name, + domain->name, NULL, + password, + realm, + WINBINDD_PAM_AUTH_KRB5_RENEW_TIME, + domain, + &domain->backend_data.ads_conn); + if (!ADS_ERR_OK(status)) { + /* if we get ECONNREFUSED then it might be a NT4 + server, fall back to MSRPC */ + if (status.error_type == ENUM_ADS_ERROR_SYSTEM && + status.err.rc == ECONNREFUSED) { + /* 'reconnect_methods' is the MS-RPC backend. */ + DBG_NOTICE("Trying MSRPC methods for domain '%s'\n", + domain->name); + domain->backend = &reconnect_methods; + } + goto out; + } + + *adsp = domain->backend_data.ads_conn; +out: + TALLOC_FREE(tmp_ctx); + SAFE_FREE(password); + + return status; +} + +/* Query display info for a realm. This is the basic user list fn */ +static NTSTATUS query_user_list(struct winbindd_domain *domain, + TALLOC_CTX *mem_ctx, + uint32_t **prids) +{ + ADS_STRUCT *ads = NULL; + const char *attrs[] = { "sAMAccountType", "objectSid", NULL }; + int count; + uint32_t *rids = NULL; + ADS_STATUS rc; + LDAPMessage *res = NULL; + LDAPMessage *msg = NULL; + NTSTATUS status = NT_STATUS_UNSUCCESSFUL; + + DEBUG(3,("ads: query_user_list\n")); + + if ( !winbindd_can_contact_domain( domain ) ) { + DEBUG(10,("query_user_list: No incoming trust for domain %s\n", + domain->name)); + return NT_STATUS_OK; + } + + rc = ads_cached_connection(domain, &ads); + if (!ADS_ERR_OK(rc)) { + domain->last_status = NT_STATUS_SERVER_DISABLED; + goto done; + } + + rc = ads_search_retry(ads, &res, "(objectCategory=user)", attrs); + if (!ADS_ERR_OK(rc)) { + DEBUG(1,("query_user_list ads_search: %s\n", ads_errstr(rc))); + status = ads_ntstatus(rc); + goto done; + } else if (!res) { + DEBUG(1,("query_user_list ads_search returned NULL res\n")); + goto done; + } + + count = ads_count_replies(ads, res); + if (count == 0) { + DEBUG(1,("query_user_list: No users found\n")); + goto done; + } + + rids = talloc_zero_array(mem_ctx, uint32_t, count); + if (rids == NULL) { + status = NT_STATUS_NO_MEMORY; + goto done; + } + + count = 0; + + for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) { + struct dom_sid user_sid; + uint32_t atype; + bool ok; + + ok = ads_pull_uint32(ads, msg, "sAMAccountType", &atype); + if (!ok) { + DBG_INFO("Object lacks sAMAccountType attribute\n"); + continue; + } + if (ds_atype_map(atype) != SID_NAME_USER) { + DBG_INFO("Not a user account? atype=0x%x\n", atype); + continue; + } + + if (!ads_pull_sid(ads, msg, "objectSid", &user_sid)) { + char *dn = ads_get_dn(ads, talloc_tos(), msg); + DBG_INFO("No sid for %s !?\n", dn); + TALLOC_FREE(dn); + continue; + } + + if (!dom_sid_in_domain(&domain->sid, &user_sid)) { + struct dom_sid_buf sidstr, domstr; + DBG_WARNING("Got sid %s in domain %s\n", + dom_sid_str_buf(&user_sid, &sidstr), + dom_sid_str_buf(&domain->sid, &domstr)); + continue; + } + + sid_split_rid(&user_sid, &rids[count]); + count += 1; + } + + rids = talloc_realloc(mem_ctx, rids, uint32_t, count); + if (prids != NULL) { + *prids = rids; + } else { + TALLOC_FREE(rids); + } + + status = NT_STATUS_OK; + + DBG_NOTICE("ads query_user_list gave %d entries\n", count); + +done: + ads_msgfree(ads, res); + return status; +} + +/* list all domain groups */ +static NTSTATUS enum_dom_groups(struct winbindd_domain *domain, + TALLOC_CTX *mem_ctx, + uint32_t *num_entries, + struct wb_acct_info **info) +{ + ADS_STRUCT *ads = NULL; + const char *attrs[] = {"userPrincipalName", "sAMAccountName", + "name", "objectSid", NULL}; + int i, count; + ADS_STATUS rc; + LDAPMessage *res = NULL; + LDAPMessage *msg = NULL; + NTSTATUS status = NT_STATUS_UNSUCCESSFUL; + const char *filter; + bool enum_dom_local_groups = False; + + *num_entries = 0; + + DEBUG(3,("ads: enum_dom_groups\n")); + + if ( !winbindd_can_contact_domain( domain ) ) { + DEBUG(10,("enum_dom_groups: No incoming trust for domain %s\n", + domain->name)); + return NT_STATUS_OK; + } + + /* only grab domain local groups for our domain */ + if ( domain->active_directory && strequal(lp_realm(), domain->alt_name) ) { + enum_dom_local_groups = True; + } + + /* Workaround ADS LDAP bug present in MS W2K3 SP0 and W2K SP4 w/o + * rollup-fixes: + * + * According to Section 5.1(4) of RFC 2251 if a value of a type is it's + * default value, it MUST be absent. In case of extensible matching the + * "dnattr" boolean defaults to FALSE and so it must be only be present + * when set to TRUE. + * + * When it is set to FALSE and the OpenLDAP lib (correctly) encodes a + * filter using bitwise matching rule then the buggy AD fails to decode + * the extensible match. As a workaround set it to TRUE and thereby add + * the dnAttributes "dn" field to cope with those older AD versions. + * It should not harm and won't put any additional load on the AD since + * none of the dn components have a bitmask-attribute. + * + * Thanks to Ralf Haferkamp for input and testing - Guenther */ + + filter = talloc_asprintf(mem_ctx, "(&(objectCategory=group)" + "(&(groupType:dn:"ADS_LDAP_MATCHING_RULE_BIT_AND":=%d)" + "(!(groupType:dn:"ADS_LDAP_MATCHING_RULE_BIT_AND":=%d))))", + GROUP_TYPE_SECURITY_ENABLED, + enum_dom_local_groups ? GROUP_TYPE_BUILTIN_LOCAL_GROUP : GROUP_TYPE_RESOURCE_GROUP); + + if (filter == NULL) { + status = NT_STATUS_NO_MEMORY; + goto done; + } + + rc = ads_cached_connection(domain, &ads); + if (!ADS_ERR_OK(rc)) { + domain->last_status = NT_STATUS_SERVER_DISABLED; + goto done; + } + + rc = ads_search_retry(ads, &res, filter, attrs); + if (!ADS_ERR_OK(rc)) { + status = ads_ntstatus(rc); + DEBUG(1,("enum_dom_groups ads_search: %s\n", ads_errstr(rc))); + goto done; + } else if (!res) { + DEBUG(1,("enum_dom_groups ads_search returned NULL res\n")); + goto done; + } + + count = ads_count_replies(ads, res); + if (count == 0) { + DEBUG(1,("enum_dom_groups: No groups found\n")); + goto done; + } + + (*info) = talloc_zero_array(mem_ctx, struct wb_acct_info, count); + if (!*info) { + status = NT_STATUS_NO_MEMORY; + goto done; + } + + i = 0; + + for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) { + char *name, *gecos; + struct dom_sid sid; + uint32_t rid; + + name = ads_pull_username(ads, (*info), msg); + gecos = ads_pull_string(ads, (*info), msg, "name"); + if (!ads_pull_sid(ads, msg, "objectSid", &sid)) { + DEBUG(1,("No sid for %s !?\n", name)); + continue; + } + + if (!sid_peek_check_rid(&domain->sid, &sid, &rid)) { + DEBUG(1,("No rid for %s !?\n", name)); + continue; + } + + (*info)[i].acct_name = name; + (*info)[i].acct_desc = gecos; + (*info)[i].rid = rid; + i++; + } + + (*num_entries) = i; + + status = NT_STATUS_OK; + + DEBUG(3,("ads enum_dom_groups gave %d entries\n", (*num_entries))); + +done: + if (res) + ads_msgfree(ads, res); + + return status; +} + +/* list all domain local groups */ +static NTSTATUS enum_local_groups(struct winbindd_domain *domain, + TALLOC_CTX *mem_ctx, + uint32_t *num_entries, + struct wb_acct_info **info) +{ + /* + * This is a stub function only as we returned the domain + * local groups in enum_dom_groups() if the domain->native field + * was true. This is a simple performance optimization when + * using LDAP. + * + * if we ever need to enumerate domain local groups separately, + * then this optimization in enum_dom_groups() will need + * to be split out + */ + *num_entries = 0; + + return NT_STATUS_OK; +} + +/* convert a single name to a sid in a domain - use rpc methods */ +static NTSTATUS name_to_sid(struct winbindd_domain *domain, + TALLOC_CTX *mem_ctx, + const char *domain_name, + const char *name, + uint32_t flags, + const char **pdom_name, + struct dom_sid *sid, + enum lsa_SidType *type) +{ + return msrpc_methods.name_to_sid(domain, mem_ctx, domain_name, name, + flags, pdom_name, sid, type); +} + +/* convert a domain SID to a user or group name - use rpc methods */ +static NTSTATUS sid_to_name(struct winbindd_domain *domain, + TALLOC_CTX *mem_ctx, + const struct dom_sid *sid, + char **domain_name, + char **name, + enum lsa_SidType *type) +{ + return msrpc_methods.sid_to_name(domain, mem_ctx, sid, + domain_name, name, type); +} + +/* convert a list of rids to names - use rpc methods */ +static NTSTATUS rids_to_names(struct winbindd_domain *domain, + TALLOC_CTX *mem_ctx, + const struct dom_sid *sid, + uint32_t *rids, + size_t num_rids, + char **domain_name, + char ***names, + enum lsa_SidType **types) +{ + return msrpc_methods.rids_to_names(domain, mem_ctx, sid, + rids, num_rids, + domain_name, names, types); +} + +/* Lookup groups a user is a member of - alternate method, for when + tokenGroups are not available. */ +static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain, + TALLOC_CTX *mem_ctx, + const char *user_dn, + struct dom_sid *primary_group, + uint32_t *p_num_groups, struct dom_sid **user_sids) +{ + ADS_STATUS rc; + NTSTATUS status = NT_STATUS_UNSUCCESSFUL; + int count; + LDAPMessage *res = NULL; + LDAPMessage *msg = NULL; + char *ldap_exp; + ADS_STRUCT *ads = NULL; + const char *group_attrs[] = {"objectSid", NULL}; + char *escaped_dn; + uint32_t num_groups = 0; + + DEBUG(3,("ads: lookup_usergroups_member\n")); + + if ( !winbindd_can_contact_domain( domain ) ) { + DEBUG(10,("lookup_usergroups_members: No incoming trust for domain %s\n", + domain->name)); + return NT_STATUS_OK; + } + + rc = ads_cached_connection(domain, &ads); + if (!ADS_ERR_OK(rc)) { + domain->last_status = NT_STATUS_SERVER_DISABLED; + goto done; + } + + if (!(escaped_dn = escape_ldap_string(talloc_tos(), user_dn))) { + status = NT_STATUS_NO_MEMORY; + goto done; + } + + ldap_exp = talloc_asprintf(mem_ctx, + "(&(member=%s)(objectCategory=group)" + "(groupType:dn:"ADS_LDAP_MATCHING_RULE_BIT_AND":=%d))", + escaped_dn, + GROUP_TYPE_SECURITY_ENABLED); + if (!ldap_exp) { + DEBUG(1,("lookup_usergroups(dn=%s) asprintf failed!\n", user_dn)); + TALLOC_FREE(escaped_dn); + status = NT_STATUS_NO_MEMORY; + goto done; + } + + TALLOC_FREE(escaped_dn); + + rc = ads_search_retry(ads, &res, ldap_exp, group_attrs); + + if (!ADS_ERR_OK(rc)) { + DEBUG(1,("lookup_usergroups ads_search member=%s: %s\n", user_dn, ads_errstr(rc))); + return ads_ntstatus(rc); + } else if (!res) { + DEBUG(1,("lookup_usergroups ads_search returned NULL res\n")); + return NT_STATUS_INTERNAL_ERROR; + } + + + count = ads_count_replies(ads, res); + + *user_sids = NULL; + num_groups = 0; + + /* always add the primary group to the sid array */ + status = add_sid_to_array(mem_ctx, primary_group, user_sids, + &num_groups); + if (!NT_STATUS_IS_OK(status)) { + goto done; + } + + if (count > 0) { + for (msg = ads_first_entry(ads, res); msg; + msg = ads_next_entry(ads, msg)) { + struct dom_sid group_sid; + + if (!ads_pull_sid(ads, msg, "objectSid", &group_sid)) { + DEBUG(1,("No sid for this group ?!?\n")); + continue; + } + + /* ignore Builtin groups from ADS - Guenther */ + if (sid_check_is_in_builtin(&group_sid)) { + continue; + } + + status = add_sid_to_array(mem_ctx, &group_sid, + user_sids, &num_groups); + if (!NT_STATUS_IS_OK(status)) { + goto done; + } + } + + } + + *p_num_groups = num_groups; + status = (user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY; + + DEBUG(3,("ads lookup_usergroups (member) succeeded for dn=%s\n", user_dn)); +done: + if (res) + ads_msgfree(ads, res); + + return status; +} + +/* Lookup groups a user is a member of - alternate method, for when + tokenGroups are not available. */ +static NTSTATUS lookup_usergroups_memberof(struct winbindd_domain *domain, + TALLOC_CTX *mem_ctx, + const char *user_dn, + struct dom_sid *primary_group, + uint32_t *p_num_groups, + struct dom_sid **user_sids) +{ + ADS_STATUS rc; + NTSTATUS status = NT_STATUS_UNSUCCESSFUL; + ADS_STRUCT *ads = NULL; + const char *attrs[] = {"memberOf", NULL}; + uint32_t num_groups = 0; + struct dom_sid *group_sids = NULL; + size_t i; + char **strings = NULL; + size_t num_strings = 0, num_sids = 0; + + + DEBUG(3,("ads: lookup_usergroups_memberof\n")); + + if ( !winbindd_can_contact_domain( domain ) ) { + DEBUG(10,("lookup_usergroups_memberof: No incoming trust for " + "domain %s\n", domain->name)); + return NT_STATUS_OK; + } + + rc = ads_cached_connection(domain, &ads); + if (!ADS_ERR_OK(rc)) { + domain->last_status = NT_STATUS_SERVER_DISABLED; + return NT_STATUS_UNSUCCESSFUL; + } + + rc = ads_search_retry_extended_dn_ranged(ads, mem_ctx, user_dn, attrs, + ADS_EXTENDED_DN_HEX_STRING, + &strings, &num_strings); + + if (!ADS_ERR_OK(rc)) { + DEBUG(1,("lookup_usergroups_memberof ads_search " + "member=%s: %s\n", user_dn, ads_errstr(rc))); + return ads_ntstatus(rc); + } + + *user_sids = NULL; + num_groups = 0; + + /* always add the primary group to the sid array */ + status = add_sid_to_array(mem_ctx, primary_group, user_sids, + &num_groups); + if (!NT_STATUS_IS_OK(status)) { + goto done; + } + + group_sids = talloc_zero_array(mem_ctx, struct dom_sid, num_strings + 1); + if (!group_sids) { + status = NT_STATUS_NO_MEMORY; + goto done; + } + + for (i=0; i<num_strings; i++) { + rc = ads_get_sid_from_extended_dn(mem_ctx, strings[i], + ADS_EXTENDED_DN_HEX_STRING, + &(group_sids)[i]); + if (!ADS_ERR_OK(rc)) { + /* ignore members without SIDs */ + if (NT_STATUS_EQUAL(ads_ntstatus(rc), + NT_STATUS_NOT_FOUND)) { + continue; + } + else { + status = ads_ntstatus(rc); + goto done; + } + } + num_sids++; + } + + if (i == 0) { + DEBUG(1,("No memberOf for this user?!?\n")); + status = NT_STATUS_NO_MEMORY; + goto done; + } + + for (i=0; i<num_sids; i++) { + + /* ignore Builtin groups from ADS - Guenther */ + if (sid_check_is_in_builtin(&group_sids[i])) { + continue; + } + + status = add_sid_to_array(mem_ctx, &group_sids[i], user_sids, + &num_groups); + if (!NT_STATUS_IS_OK(status)) { + goto done; + } + + } + + *p_num_groups = num_groups; + status = (*user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY; + + DEBUG(3,("ads lookup_usergroups (memberof) succeeded for dn=%s\n", + user_dn)); + +done: + TALLOC_FREE(strings); + TALLOC_FREE(group_sids); + + return status; +} + + +/* Lookup groups a user is a member of. */ +static NTSTATUS lookup_usergroups(struct winbindd_domain *domain, + TALLOC_CTX *mem_ctx, + const struct dom_sid *sid, + uint32_t *p_num_groups, struct dom_sid **user_sids) +{ + ADS_STRUCT *ads = NULL; + const char *attrs[] = {"tokenGroups", "primaryGroupID", NULL}; + ADS_STATUS rc; + int count; + LDAPMessage *msg = NULL; + char *user_dn = NULL; + struct dom_sid *sids; + int i; + struct dom_sid primary_group; + uint32_t primary_group_rid; + NTSTATUS status = NT_STATUS_UNSUCCESSFUL; + uint32_t num_groups = 0; + struct dom_sid_buf buf; + + DEBUG(3,("ads: lookup_usergroups\n")); + *p_num_groups = 0; + + status = lookup_usergroups_cached(mem_ctx, sid, + p_num_groups, user_sids); + if (NT_STATUS_IS_OK(status)) { + return NT_STATUS_OK; + } + + if ( !winbindd_can_contact_domain( domain ) ) { + DEBUG(10,("lookup_usergroups: No incoming trust for domain %s\n", + domain->name)); + + /* Tell the cache manager not to remember this one */ + + return NT_STATUS_SYNCHRONIZATION_REQUIRED; + } + + rc = ads_cached_connection(domain, &ads); + if (!ADS_ERR_OK(rc)) { + domain->last_status = NT_STATUS_SERVER_DISABLED; + status = NT_STATUS_SERVER_DISABLED; + goto done; + } + + rc = ads_search_retry_sid(ads, &msg, sid, attrs); + + if (!ADS_ERR_OK(rc)) { + status = ads_ntstatus(rc); + DEBUG(1, ("lookup_usergroups(sid=%s) ads_search tokenGroups: " + "%s\n", + dom_sid_str_buf(sid, &buf), + ads_errstr(rc))); + goto done; + } + + count = ads_count_replies(ads, msg); + if (count != 1) { + status = NT_STATUS_UNSUCCESSFUL; + DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: " + "invalid number of results (count=%d)\n", + dom_sid_str_buf(sid, &buf), + count)); + goto done; + } + + if (!msg) { + DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: NULL msg\n", + dom_sid_str_buf(sid, &buf))); + status = NT_STATUS_UNSUCCESSFUL; + goto done; + } + + user_dn = ads_get_dn(ads, mem_ctx, msg); + if (user_dn == NULL) { + status = NT_STATUS_NO_MEMORY; + goto done; + } + + if (!ads_pull_uint32(ads, msg, "primaryGroupID", &primary_group_rid)) { + DEBUG(1,("%s: No primary group for sid=%s !?\n", + domain->name, + dom_sid_str_buf(sid, &buf))); + goto done; + } + + sid_compose(&primary_group, &domain->sid, primary_group_rid); + + count = ads_pull_sids(ads, mem_ctx, msg, "tokenGroups", &sids); + + /* there must always be at least one group in the token, + unless we are talking to a buggy Win2k server */ + + /* actually this only happens when the machine account has no read + * permissions on the tokenGroup attribute - gd */ + + if (count == 0) { + + /* no tokenGroups */ + + /* lookup what groups this user is a member of by DN search on + * "memberOf" */ + + status = lookup_usergroups_memberof(domain, mem_ctx, user_dn, + &primary_group, + &num_groups, user_sids); + *p_num_groups = num_groups; + if (NT_STATUS_IS_OK(status)) { + goto done; + } + + /* lookup what groups this user is a member of by DN search on + * "member" */ + + status = lookup_usergroups_member(domain, mem_ctx, user_dn, + &primary_group, + &num_groups, user_sids); + *p_num_groups = num_groups; + goto done; + } + + *user_sids = NULL; + num_groups = 0; + + status = add_sid_to_array(mem_ctx, &primary_group, user_sids, + &num_groups); + if (!NT_STATUS_IS_OK(status)) { + goto done; + } + + for (i=0;i<count;i++) { + + /* ignore Builtin groups from ADS - Guenther */ + if (sid_check_is_in_builtin(&sids[i])) { + continue; + } + + status = add_sid_to_array_unique(mem_ctx, &sids[i], + user_sids, &num_groups); + if (!NT_STATUS_IS_OK(status)) { + goto done; + } + } + + *p_num_groups = (uint32_t)num_groups; + status = (*user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY; + + DEBUG(3,("ads lookup_usergroups (tokenGroups) succeeded for sid=%s\n", + dom_sid_str_buf(sid, &buf))); +done: + TALLOC_FREE(user_dn); + ads_msgfree(ads, msg); + return status; +} + +/* Lookup aliases a user is member of - use rpc methods */ +static NTSTATUS lookup_useraliases(struct winbindd_domain *domain, + TALLOC_CTX *mem_ctx, + uint32_t num_sids, const struct dom_sid *sids, + uint32_t *num_aliases, uint32_t **alias_rids) +{ + return msrpc_methods.lookup_useraliases(domain, mem_ctx, num_sids, sids, + num_aliases, alias_rids); +} + +static NTSTATUS add_primary_group_members( + ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, uint32_t rid, + char ***all_members, size_t *num_all_members) +{ + char *filter; + NTSTATUS status = NT_STATUS_NO_MEMORY; + ADS_STATUS rc; + const char *attrs[] = { "dn", NULL }; + LDAPMessage *res = NULL; + LDAPMessage *msg; + char **members; + size_t num_members; + ads_control args; + + filter = talloc_asprintf( + mem_ctx, "(&(objectCategory=user)(primaryGroupID=%u))", + (unsigned)rid); + if (filter == NULL) { + goto done; + } + + args.control = ADS_EXTENDED_DN_OID; + args.val = ADS_EXTENDED_DN_HEX_STRING; + args.critical = True; + + rc = ads_do_search_all_args(ads, ads->config.bind_path, + LDAP_SCOPE_SUBTREE, filter, attrs, &args, + &res); + + if (!ADS_ERR_OK(rc)) { + status = ads_ntstatus(rc); + DEBUG(1,("%s: ads_search: %s\n", __func__, ads_errstr(rc))); + goto done; + } + if (res == NULL) { + DEBUG(1,("%s: ads_search returned NULL res\n", __func__)); + goto done; + } + + num_members = ads_count_replies(ads, res); + + DEBUG(10, ("%s: Got %ju primary group members\n", __func__, + (uintmax_t)num_members)); + + if (num_members == 0) { + status = NT_STATUS_OK; + goto done; + } + + members = talloc_realloc(mem_ctx, *all_members, char *, + *num_all_members + num_members); + if (members == NULL) { + DEBUG(1, ("%s: talloc_realloc failed\n", __func__)); + goto done; + } + *all_members = members; + + for (msg = ads_first_entry(ads, res); msg != NULL; + msg = ads_next_entry(ads, msg)) { + char *dn; + + dn = ads_get_dn(ads, members, msg); + if (dn == NULL) { + DEBUG(1, ("%s: ads_get_dn failed\n", __func__)); + continue; + } + + members[*num_all_members] = dn; + *num_all_members += 1; + } + + status = NT_STATUS_OK; +done: + if (res != NULL) { + ads_msgfree(ads, res); + } + TALLOC_FREE(filter); + return status; +} + +/* + find the members of a group, given a group rid and domain + */ +static NTSTATUS lookup_groupmem(struct winbindd_domain *domain, + TALLOC_CTX *mem_ctx, + const struct dom_sid *group_sid, + enum lsa_SidType type, + uint32_t *num_names, + struct dom_sid **sid_mem, char ***names, + uint32_t **name_types) +{ + ADS_STATUS rc; + ADS_STRUCT *ads = NULL; + char *ldap_exp; + NTSTATUS status = NT_STATUS_UNSUCCESSFUL; + char *sidbinstr; + char **members = NULL; + size_t i; + size_t num_members = 0; + ads_control args; + struct dom_sid *sid_mem_nocache = NULL; + char **names_nocache = NULL; + enum lsa_SidType *name_types_nocache = NULL; + char **domains_nocache = NULL; /* only needed for rpccli_lsa_lookup_sids */ + uint32_t num_nocache = 0; + TALLOC_CTX *tmp_ctx = NULL; + uint32_t rid; + struct dom_sid_buf buf; + + DEBUG(10,("ads: lookup_groupmem %s sid=%s\n", domain->name, + dom_sid_str_buf(group_sid, &buf))); + + *num_names = 0; + + tmp_ctx = talloc_new(mem_ctx); + if (!tmp_ctx) { + DEBUG(1, ("ads: lookup_groupmem: talloc failed\n")); + status = NT_STATUS_NO_MEMORY; + goto done; + } + + if (!sid_peek_rid(group_sid, &rid)) { + DEBUG(1, ("%s: sid_peek_rid failed\n", __func__)); + status = NT_STATUS_INVALID_PARAMETER; + goto done; + } + + if ( !winbindd_can_contact_domain( domain ) ) { + DEBUG(10,("lookup_groupmem: No incoming trust for domain %s\n", + domain->name)); + return NT_STATUS_OK; + } + + rc = ads_cached_connection(domain, &ads); + if (!ADS_ERR_OK(rc)) { + domain->last_status = NT_STATUS_SERVER_DISABLED; + goto done; + } + + if ((sidbinstr = ldap_encode_ndr_dom_sid(talloc_tos(), group_sid)) == NULL) { + status = NT_STATUS_NO_MEMORY; + goto done; + } + + /* search for all members of the group */ + ldap_exp = talloc_asprintf(tmp_ctx, "(objectSid=%s)", sidbinstr); + TALLOC_FREE(sidbinstr); + if (ldap_exp == NULL) { + DEBUG(1, ("ads: lookup_groupmem: talloc_asprintf for ldap_exp failed!\n")); + status = NT_STATUS_NO_MEMORY; + goto done; + } + + args.control = ADS_EXTENDED_DN_OID; + args.val = ADS_EXTENDED_DN_HEX_STRING; + args.critical = True; + + rc = ads_ranged_search(ads, tmp_ctx, LDAP_SCOPE_SUBTREE, ads->config.bind_path, + ldap_exp, &args, "member", &members, &num_members); + + if (!ADS_ERR_OK(rc)) { + DEBUG(0,("ads_ranged_search failed with: %s\n", ads_errstr(rc))); + status = NT_STATUS_UNSUCCESSFUL; + goto done; + } + + DEBUG(10, ("ads lookup_groupmem: got %d sids via extended dn call\n", (int)num_members)); + + status = add_primary_group_members(ads, mem_ctx, rid, + &members, &num_members); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(10, ("%s: add_primary_group_members failed: %s\n", + __func__, nt_errstr(status))); + goto done; + } + + DEBUG(10, ("%s: Got %d sids after adding primary group members\n", + __func__, (int)num_members)); + + /* Now that we have a list of sids, we need to get the + * lists of names and name_types belonging to these sids. + * even though conceptually not quite clean, we use the + * RPC call lsa_lookup_sids for this since it can handle a + * list of sids. ldap calls can just resolve one sid at a time. + * + * At this stage, the sids are still hidden in the exetended dn + * member output format. We actually do a little better than + * stated above: In extracting the sids from the member strings, + * we try to resolve as many sids as possible from the + * cache. Only the rest is passed to the lsa_lookup_sids call. */ + + if (num_members) { + (*sid_mem) = talloc_zero_array(mem_ctx, struct dom_sid, num_members); + (*names) = talloc_zero_array(mem_ctx, char *, num_members); + (*name_types) = talloc_zero_array(mem_ctx, uint32_t, num_members); + (sid_mem_nocache) = talloc_zero_array(tmp_ctx, struct dom_sid, num_members); + + if ((members == NULL) || (*sid_mem == NULL) || + (*names == NULL) || (*name_types == NULL) || + (sid_mem_nocache == NULL)) + { + DEBUG(1, ("ads: lookup_groupmem: talloc failed\n")); + status = NT_STATUS_NO_MEMORY; + goto done; + } + } + else { + (*sid_mem) = NULL; + (*names) = NULL; + (*name_types) = NULL; + } + + for (i=0; i<num_members; i++) { + enum lsa_SidType name_type; + char *name, *domain_name; + struct dom_sid sid; + + rc = ads_get_sid_from_extended_dn(tmp_ctx, members[i], args.val, + &sid); + if (!ADS_ERR_OK(rc)) { + if (NT_STATUS_EQUAL(ads_ntstatus(rc), + NT_STATUS_NOT_FOUND)) { + /* Group members can be objects, like Exchange + * Public Folders, that don't have a SID. Skip + * them. */ + continue; + } + else { + status = ads_ntstatus(rc); + goto done; + } + } + if (lookup_cached_sid(mem_ctx, &sid, &domain_name, &name, + &name_type)) { + DEBUG(10,("ads: lookup_groupmem: got sid %s from " + "cache\n", + dom_sid_str_buf(&sid, &buf))); + sid_copy(&(*sid_mem)[*num_names], &sid); + (*names)[*num_names] = fill_domain_username_talloc( + *names, + domain_name, + name, + true); + + (*name_types)[*num_names] = name_type; + (*num_names)++; + } + else { + DEBUG(10, ("ads: lookup_groupmem: sid %s not found in " + "cache\n", + dom_sid_str_buf(&sid, &buf))); + sid_copy(&(sid_mem_nocache)[num_nocache], &sid); + num_nocache++; + } + } + + DEBUG(10, ("ads: lookup_groupmem: %d sids found in cache, " + "%d left for lsa_lookupsids\n", *num_names, num_nocache)); + + /* handle sids not resolved from cache by lsa_lookup_sids */ + if (num_nocache > 0) { + + status = winbindd_lookup_sids(tmp_ctx, + domain, + num_nocache, + sid_mem_nocache, + &domains_nocache, + &names_nocache, + &name_types_nocache); + + if (!(NT_STATUS_IS_OK(status) || + NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED) || + NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED))) + { + DEBUG(1, ("lsa_lookupsids call failed with %s " + "- retrying...\n", nt_errstr(status))); + + status = winbindd_lookup_sids(tmp_ctx, + domain, + num_nocache, + sid_mem_nocache, + &domains_nocache, + &names_nocache, + &name_types_nocache); + } + + if (NT_STATUS_IS_OK(status) || + NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED)) + { + /* Copy the entries over from the "_nocache" arrays + * to the result arrays, skipping the gaps the + * lookup_sids call left. */ + for (i=0; i < num_nocache; i++) { + if (((names_nocache)[i] != NULL) && + ((name_types_nocache)[i] != SID_NAME_UNKNOWN)) + { + sid_copy(&(*sid_mem)[*num_names], + &sid_mem_nocache[i]); + (*names)[*num_names] = + fill_domain_username_talloc( + *names, + domains_nocache[i], + names_nocache[i], + true); + (*name_types)[*num_names] = name_types_nocache[i]; + (*num_names)++; + } + } + } + else if (NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)) { + DEBUG(10, ("lookup_groupmem: lsa_lookup_sids could " + "not map any SIDs at all.\n")); + /* Don't handle this as an error here. + * There is nothing left to do with respect to the + * overall result... */ + } + else if (!NT_STATUS_IS_OK(status)) { + DEBUG(10, ("lookup_groupmem: Error looking up %d " + "sids via rpc_lsa_lookup_sids: %s\n", + (int)num_members, nt_errstr(status))); + goto done; + } + } + + status = NT_STATUS_OK; + DEBUG(3,("ads lookup_groupmem for sid=%s succeeded\n", + dom_sid_str_buf(group_sid, &buf))); + +done: + + TALLOC_FREE(tmp_ctx); + + return status; +} + +static NTSTATUS lookup_aliasmem(struct winbindd_domain *domain, + TALLOC_CTX *mem_ctx, + const struct dom_sid *sid, + enum lsa_SidType type, + uint32_t *num_sids, + struct dom_sid **sids) +{ + char **names = NULL; + uint32_t *name_types = NULL; + struct dom_sid_buf buf; + + DBG_DEBUG("ads: lookup_aliasmem %s sid=%s\n", + domain->name, + dom_sid_str_buf(sid, &buf)); + /* Search for alias and group membership uses the same LDAP command. */ + return lookup_groupmem(domain, + mem_ctx, + sid, + type, + num_sids, + sids, + &names, + &name_types); +} + +/* find the lockout policy of a domain - use rpc methods */ +static NTSTATUS lockout_policy(struct winbindd_domain *domain, + TALLOC_CTX *mem_ctx, + struct samr_DomInfo12 *policy) +{ + return msrpc_methods.lockout_policy(domain, mem_ctx, policy); +} + +/* find the password policy of a domain - use rpc methods */ +static NTSTATUS password_policy(struct winbindd_domain *domain, + TALLOC_CTX *mem_ctx, + struct samr_DomInfo1 *policy) +{ + return msrpc_methods.password_policy(domain, mem_ctx, policy); +} + +/* get a list of trusted domains */ +static NTSTATUS trusted_domains(struct winbindd_domain *domain, + TALLOC_CTX *mem_ctx, + struct netr_DomainTrustList *trusts) +{ + NTSTATUS result = NT_STATUS_UNSUCCESSFUL; + WERROR werr; + uint32_t i; + uint32_t flags; + struct rpc_pipe_client *cli; + struct dcerpc_binding_handle *b; + + DEBUG(3,("ads: trusted_domains\n")); + + ZERO_STRUCTP(trusts); + + /* If this is our primary domain or a root in our forest, + query for all trusts. If not, then just look for domain + trusts in the target forest */ + + if (domain->primary || domain_is_forest_root(domain)) { + flags = NETR_TRUST_FLAG_OUTBOUND | + NETR_TRUST_FLAG_INBOUND | + NETR_TRUST_FLAG_IN_FOREST; + } else { + flags = NETR_TRUST_FLAG_IN_FOREST; + } + + result = cm_connect_netlogon(domain, &cli); + + if (!NT_STATUS_IS_OK(result)) { + DEBUG(5, ("trusted_domains: Could not open a connection to %s " + "for PIPE_NETLOGON (%s)\n", + domain->name, nt_errstr(result))); + return NT_STATUS_UNSUCCESSFUL; + } + + b = cli->binding_handle; + + result = dcerpc_netr_DsrEnumerateDomainTrusts(b, mem_ctx, + cli->desthost, + flags, + trusts, + &werr); + if (!NT_STATUS_IS_OK(result)) { + return result; + } + + if (!W_ERROR_IS_OK(werr)) { + return werror_to_ntstatus(werr); + } + if (trusts->count == 0) { + return NT_STATUS_OK; + } + + /* Copy across names and sids */ + + for (i = 0; i < trusts->count; i++) { + struct netr_DomainTrust *trust = &trusts->array[i]; + struct winbindd_domain d; + + ZERO_STRUCT(d); + + /* + * drop external trusts if this is not our primary + * domain. This means that the returned number of + * domains may be less that the ones actually trusted + * by the DC. + */ + + if ((trust->trust_attributes + & LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) && + !domain->primary ) + { + DEBUG(10,("trusted_domains: Skipping external trusted " + "domain %s because it is outside of our " + "primary domain\n", + trust->netbios_name)); + continue; + } + + /* add to the trusted domain cache */ + + d.name = discard_const_p(char, trust->netbios_name); + d.alt_name = discard_const_p(char, trust->dns_name); + + if (trust->sid) { + sid_copy(&d.sid, trust->sid); + } else { + sid_copy(&d.sid, &global_sid_NULL); + } + + if ( domain->primary ) { + DEBUG(10,("trusted_domains(ads): Searching " + "trusted domain list of %s and storing " + "trust flags for domain %s\n", + domain->name, d.alt_name)); + + d.domain_flags = trust->trust_flags; + d.domain_type = trust->trust_type; + d.domain_trust_attribs = trust->trust_attributes; + + wcache_tdc_add_domain( &d ); + } else if (domain_is_forest_root(domain)) { + /* Check if we already have this record. If + * we are following our forest root that is not + * our primary domain, we want to keep trust + * flags from the perspective of our primary + * domain not our forest root. */ + struct winbindd_tdc_domain *exist = NULL; + + exist = wcache_tdc_fetch_domain( + talloc_tos(), trust->netbios_name); + if (!exist) { + DEBUG(10,("trusted_domains(ads): Searching " + "trusted domain list of %s and " + "storing trust flags for domain " + "%s\n", domain->name, d.alt_name)); + d.domain_flags = trust->trust_flags; + d.domain_type = trust->trust_type; + d.domain_trust_attribs = + trust->trust_attributes; + + wcache_tdc_add_domain( &d ); + } + TALLOC_FREE(exist); + } else { + /* This gets a little tricky. If we are + following a transitive forest trust, then + innerit the flags, type, and attribs from + the domain we queried to make sure we don't + record the view of the trust from the wrong + side. Always view it from the side of our + primary domain. --jerry */ + struct winbindd_tdc_domain *parent = NULL; + + DEBUG(10,("trusted_domains(ads): Searching " + "trusted domain list of %s and inheriting " + "trust flags for domain %s\n", + domain->name, d.alt_name)); + + parent = wcache_tdc_fetch_domain(talloc_tos(), + domain->name); + if (parent) { + d.domain_flags = parent->trust_flags; + d.domain_type = parent->trust_type; + d.domain_trust_attribs = parent->trust_attribs; + } else { + d.domain_flags = domain->domain_flags; + d.domain_type = domain->domain_type; + d.domain_trust_attribs = + domain->domain_trust_attribs; + } + TALLOC_FREE(parent); + + /* + * We need to pass the modified properties + * to the caller. + */ + trust->trust_flags = d.domain_flags; + trust->trust_type = d.domain_type; + trust->trust_attributes = d.domain_trust_attribs; + + wcache_tdc_add_domain( &d ); + } + } + return result; +} + +/* the ADS backend methods are exposed via this structure */ +struct winbindd_methods ads_methods = { + True, + query_user_list, + enum_dom_groups, + enum_local_groups, + name_to_sid, + sid_to_name, + rids_to_names, + lookup_usergroups, + lookup_useraliases, + lookup_groupmem, + lookup_aliasmem, + lockout_policy, + password_policy, + trusted_domains, +}; + +#endif |