Line data Source code
1 : /*
2 : Unix SMB/CIFS implementation.
3 :
4 : Winbind rpc backend functions
5 :
6 : Copyright (C) Tim Potter 2000-2001,2003
7 : Copyright (C) Andrew Tridgell 2001
8 : Copyright (C) Volker Lendecke 2005
9 : Copyright (C) Guenther Deschner 2008 (pidl conversion)
10 :
11 : This program is free software; you can redistribute it and/or modify
12 : it under the terms of the GNU General Public License as published by
13 : the Free Software Foundation; either version 3 of the License, or
14 : (at your option) any later version.
15 :
16 : This program is distributed in the hope that it will be useful,
17 : but WITHOUT ANY WARRANTY; without even the implied warranty of
18 : MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 : GNU General Public License for more details.
20 :
21 : You should have received a copy of the GNU General Public License
22 : along with this program. If not, see <http://www.gnu.org/licenses/>.
23 : */
24 :
25 : #include "includes.h"
26 : #include "winbindd.h"
27 : #include "winbindd_rpc.h"
28 :
29 : #include "../librpc/gen_ndr/ndr_samr_c.h"
30 : #include "rpc_client/cli_pipe.h"
31 : #include "rpc_client/cli_samr.h"
32 : #include "rpc_client/cli_lsarpc.h"
33 : #include "../libcli/security/security.h"
34 : #include "libsmb/samlogon_cache.h"
35 :
36 : #undef DBGC_CLASS
37 : #define DBGC_CLASS DBGC_WINBIND
38 :
39 : static NTSTATUS winbindd_lookup_names(TALLOC_CTX *mem_ctx,
40 : struct winbindd_domain *domain,
41 : uint32_t num_names,
42 : const char **names,
43 : const char ***domains,
44 : struct dom_sid **sids,
45 : enum lsa_SidType **types);
46 :
47 : /* Query display info for a domain. This returns enough information plus a
48 : bit extra to give an overview of domain users for the User Manager
49 : application. */
50 0 : static NTSTATUS msrpc_query_user_list(struct winbindd_domain *domain,
51 : TALLOC_CTX *mem_ctx,
52 : uint32_t **prids)
53 : {
54 0 : struct rpc_pipe_client *samr_pipe = NULL;
55 0 : struct policy_handle dom_pol;
56 0 : uint32_t *rids = NULL;
57 0 : TALLOC_CTX *tmp_ctx;
58 0 : NTSTATUS status;
59 :
60 0 : DEBUG(3, ("msrpc_query_user_list\n"));
61 :
62 0 : tmp_ctx = talloc_stackframe();
63 0 : if (tmp_ctx == NULL) {
64 0 : return NT_STATUS_NO_MEMORY;
65 : }
66 :
67 0 : if ( !winbindd_can_contact_domain( domain ) ) {
68 0 : DEBUG(10,("query_user_list: No incoming trust for domain %s\n",
69 : domain->name));
70 0 : status = NT_STATUS_OK;
71 0 : goto done;
72 : }
73 :
74 0 : status = cm_connect_sam(domain, tmp_ctx, false, &samr_pipe, &dom_pol);
75 0 : if (!NT_STATUS_IS_OK(status)) {
76 0 : goto done;
77 : }
78 :
79 0 : status = rpc_query_user_list(tmp_ctx,
80 : samr_pipe,
81 : &dom_pol,
82 0 : &domain->sid,
83 : &rids);
84 0 : if (!NT_STATUS_IS_OK(status)) {
85 0 : goto done;
86 : }
87 :
88 0 : if (prids) {
89 0 : *prids = talloc_move(mem_ctx, &rids);
90 : }
91 :
92 0 : done:
93 0 : TALLOC_FREE(rids);
94 0 : TALLOC_FREE(tmp_ctx);
95 0 : return status;
96 : }
97 :
98 : /* list all domain groups */
99 0 : static NTSTATUS msrpc_enum_dom_groups(struct winbindd_domain *domain,
100 : TALLOC_CTX *mem_ctx,
101 : uint32_t *pnum_info,
102 : struct wb_acct_info **pinfo)
103 : {
104 0 : struct rpc_pipe_client *samr_pipe;
105 0 : struct policy_handle dom_pol;
106 0 : struct wb_acct_info *info = NULL;
107 0 : uint32_t num_info = 0;
108 0 : TALLOC_CTX *tmp_ctx;
109 0 : NTSTATUS status;
110 :
111 0 : DEBUG(3,("msrpc_enum_dom_groups\n"));
112 :
113 0 : if (pnum_info) {
114 0 : *pnum_info = 0;
115 : }
116 :
117 0 : tmp_ctx = talloc_stackframe();
118 0 : if (tmp_ctx == NULL) {
119 0 : return NT_STATUS_NO_MEMORY;
120 : }
121 :
122 0 : if ( !winbindd_can_contact_domain( domain ) ) {
123 0 : DEBUG(10,("enum_domain_groups: No incoming trust for domain %s\n",
124 : domain->name));
125 0 : status = NT_STATUS_OK;
126 0 : goto done;
127 : }
128 :
129 0 : status = cm_connect_sam(domain, tmp_ctx, false, &samr_pipe, &dom_pol);
130 0 : if (!NT_STATUS_IS_OK(status)) {
131 0 : goto done;
132 : }
133 :
134 0 : status = rpc_enum_dom_groups(tmp_ctx,
135 : samr_pipe,
136 : &dom_pol,
137 : &num_info,
138 : &info);
139 0 : if (!NT_STATUS_IS_OK(status)) {
140 0 : goto done;
141 : }
142 :
143 0 : if (pnum_info) {
144 0 : *pnum_info = num_info;
145 : }
146 :
147 0 : if (pinfo) {
148 0 : *pinfo = talloc_move(mem_ctx, &info);
149 : }
150 :
151 0 : done:
152 0 : TALLOC_FREE(tmp_ctx);
153 0 : return status;
154 : }
155 :
156 : /* List all domain groups */
157 :
158 0 : static NTSTATUS msrpc_enum_local_groups(struct winbindd_domain *domain,
159 : TALLOC_CTX *mem_ctx,
160 : uint32_t *pnum_info,
161 : struct wb_acct_info **pinfo)
162 : {
163 0 : struct rpc_pipe_client *samr_pipe;
164 0 : struct policy_handle dom_pol;
165 0 : struct wb_acct_info *info = NULL;
166 0 : uint32_t num_info = 0;
167 0 : TALLOC_CTX *tmp_ctx;
168 0 : NTSTATUS status;
169 :
170 0 : DEBUG(3,("msrpc_enum_local_groups\n"));
171 :
172 0 : if (pnum_info) {
173 0 : *pnum_info = 0;
174 : }
175 :
176 0 : tmp_ctx = talloc_stackframe();
177 0 : if (tmp_ctx == NULL) {
178 0 : return NT_STATUS_NO_MEMORY;
179 : }
180 :
181 0 : if ( !winbindd_can_contact_domain( domain ) ) {
182 0 : DEBUG(10,("enum_local_groups: No incoming trust for domain %s\n",
183 : domain->name));
184 0 : status = NT_STATUS_OK;
185 0 : goto done;
186 : }
187 :
188 0 : status = cm_connect_sam(domain, tmp_ctx, false, &samr_pipe, &dom_pol);
189 0 : if (!NT_STATUS_IS_OK(status)) {
190 0 : goto done;
191 : }
192 :
193 0 : status = rpc_enum_local_groups(mem_ctx,
194 : samr_pipe,
195 : &dom_pol,
196 : &num_info,
197 : &info);
198 0 : if (!NT_STATUS_IS_OK(status)) {
199 0 : goto done;
200 : }
201 :
202 0 : if (pnum_info) {
203 0 : *pnum_info = num_info;
204 : }
205 :
206 0 : if (pinfo) {
207 0 : *pinfo = talloc_move(mem_ctx, &info);
208 : }
209 :
210 0 : done:
211 0 : TALLOC_FREE(tmp_ctx);
212 0 : return status;
213 : }
214 :
215 : /* convert a single name to a sid in a domain */
216 0 : static NTSTATUS msrpc_name_to_sid(struct winbindd_domain *domain,
217 : TALLOC_CTX *mem_ctx,
218 : const char *domain_name,
219 : const char *name,
220 : uint32_t flags,
221 : const char **pdom_name,
222 : struct dom_sid *sid,
223 : enum lsa_SidType *type)
224 : {
225 0 : NTSTATUS result;
226 0 : struct dom_sid *sids = NULL;
227 0 : enum lsa_SidType *types = NULL;
228 0 : char *full_name = NULL;
229 0 : const char *names[1];
230 0 : const char **domains;
231 0 : NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL;
232 0 : char *mapped_name = NULL;
233 :
234 0 : if (name == NULL || *name=='\0') {
235 0 : full_name = talloc_asprintf(mem_ctx, "%s", domain_name);
236 0 : } else if (domain_name == NULL || *domain_name == '\0') {
237 0 : full_name = talloc_asprintf(mem_ctx, "%s", name);
238 : } else {
239 0 : full_name = talloc_asprintf(mem_ctx, "%s\\%s", domain_name, name);
240 : }
241 0 : if (!full_name) {
242 0 : DEBUG(0, ("talloc_asprintf failed!\n"));
243 0 : return NT_STATUS_NO_MEMORY;
244 : }
245 :
246 0 : DEBUG(3, ("msrpc_name_to_sid: name=%s\n", full_name));
247 :
248 0 : name_map_status = normalize_name_unmap(mem_ctx, full_name,
249 : &mapped_name);
250 :
251 : /* Reset the full_name pointer if we mapped anything */
252 :
253 0 : if (NT_STATUS_IS_OK(name_map_status) ||
254 0 : NT_STATUS_EQUAL(name_map_status, NT_STATUS_FILE_RENAMED))
255 : {
256 0 : full_name = mapped_name;
257 : }
258 :
259 0 : DEBUG(3,("name_to_sid [rpc] %s for domain %s\n",
260 : full_name?full_name:"", domain_name ));
261 :
262 0 : names[0] = full_name;
263 :
264 0 : result = winbindd_lookup_names(mem_ctx, domain, 1,
265 : names, &domains,
266 : &sids, &types);
267 0 : if (!NT_STATUS_IS_OK(result))
268 0 : return result;
269 :
270 : /* Return rid and type if lookup successful */
271 :
272 0 : if (pdom_name != NULL) {
273 0 : const char *dom_name;
274 :
275 0 : dom_name = talloc_strdup(mem_ctx, domains[0]);
276 0 : if (dom_name == NULL) {
277 0 : return NT_STATUS_NO_MEMORY;
278 : }
279 :
280 0 : *pdom_name = dom_name;
281 : }
282 :
283 0 : sid_copy(sid, &sids[0]);
284 0 : *type = types[0];
285 :
286 0 : return NT_STATUS_OK;
287 : }
288 :
289 : /*
290 : convert a domain SID to a user or group name
291 : */
292 0 : static NTSTATUS msrpc_sid_to_name(struct winbindd_domain *domain,
293 : TALLOC_CTX *mem_ctx,
294 : const struct dom_sid *sid,
295 : char **domain_name,
296 : char **name,
297 : enum lsa_SidType *type)
298 : {
299 0 : char **domains;
300 0 : char **names;
301 0 : enum lsa_SidType *types = NULL;
302 0 : NTSTATUS result;
303 0 : NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL;
304 0 : char *mapped_name = NULL;
305 0 : struct dom_sid_buf buf;
306 :
307 0 : DEBUG(3, ("msrpc_sid_to_name: %s for domain %s\n",
308 : dom_sid_str_buf(sid, &buf),
309 : domain->name));
310 :
311 0 : result = winbindd_lookup_sids(mem_ctx,
312 : domain,
313 : 1,
314 : sid,
315 : &domains,
316 : &names,
317 : &types);
318 0 : if (!NT_STATUS_IS_OK(result)) {
319 0 : DEBUG(2,("msrpc_sid_to_name: failed to lookup sids: %s\n",
320 : nt_errstr(result)));
321 0 : return result;
322 : }
323 :
324 :
325 0 : *type = (enum lsa_SidType)types[0];
326 0 : *domain_name = domains[0];
327 0 : *name = names[0];
328 :
329 0 : DEBUG(5,("Mapped sid to [%s]\\[%s]\n", domains[0], *name));
330 :
331 0 : name_map_status = normalize_name_map(mem_ctx, domain->name, *name,
332 : &mapped_name);
333 0 : if (NT_STATUS_IS_OK(name_map_status) ||
334 0 : NT_STATUS_EQUAL(name_map_status, NT_STATUS_FILE_RENAMED))
335 : {
336 0 : *name = mapped_name;
337 0 : DEBUG(5,("returning mapped name -- %s\n", *name));
338 : }
339 :
340 0 : return NT_STATUS_OK;
341 : }
342 :
343 0 : static NTSTATUS msrpc_rids_to_names(struct winbindd_domain *domain,
344 : TALLOC_CTX *mem_ctx,
345 : const struct dom_sid *sid,
346 : uint32_t *rids,
347 : size_t num_rids,
348 : char **domain_name,
349 : char ***names,
350 : enum lsa_SidType **types)
351 : {
352 0 : char **domains;
353 0 : NTSTATUS result;
354 0 : struct dom_sid *sids;
355 0 : size_t i;
356 0 : char **ret_names;
357 :
358 0 : DEBUG(3, ("msrpc_rids_to_names: domain %s\n", domain->name ));
359 :
360 0 : if (num_rids) {
361 0 : sids = talloc_array(mem_ctx, struct dom_sid, num_rids);
362 0 : if (sids == NULL) {
363 0 : return NT_STATUS_NO_MEMORY;
364 : }
365 : } else {
366 0 : sids = NULL;
367 : }
368 :
369 0 : for (i=0; i<num_rids; i++) {
370 0 : if (!sid_compose(&sids[i], sid, rids[i])) {
371 0 : return NT_STATUS_INTERNAL_ERROR;
372 : }
373 : }
374 :
375 0 : result = winbindd_lookup_sids(mem_ctx,
376 : domain,
377 : num_rids,
378 : sids,
379 : &domains,
380 : names,
381 : types);
382 :
383 0 : if (!NT_STATUS_IS_OK(result) &&
384 0 : !NT_STATUS_EQUAL(result, STATUS_SOME_UNMAPPED)) {
385 0 : return result;
386 : }
387 :
388 0 : ret_names = *names;
389 0 : for (i=0; i<num_rids; i++) {
390 0 : NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL;
391 0 : char *mapped_name = NULL;
392 :
393 0 : if ((*types)[i] != SID_NAME_UNKNOWN) {
394 0 : name_map_status = normalize_name_map(mem_ctx,
395 0 : domain->name,
396 0 : ret_names[i],
397 : &mapped_name);
398 0 : if (NT_STATUS_IS_OK(name_map_status) ||
399 0 : NT_STATUS_EQUAL(name_map_status, NT_STATUS_FILE_RENAMED))
400 : {
401 0 : ret_names[i] = mapped_name;
402 : }
403 :
404 0 : *domain_name = domains[i];
405 : }
406 : }
407 :
408 0 : return result;
409 : }
410 :
411 : /* Lookup groups a user is a member of. I wish Unix had a call like this! */
412 0 : static NTSTATUS msrpc_lookup_usergroups(struct winbindd_domain *domain,
413 : TALLOC_CTX *mem_ctx,
414 : const struct dom_sid *user_sid,
415 : uint32_t *pnum_groups,
416 : struct dom_sid **puser_grpsids)
417 : {
418 0 : struct rpc_pipe_client *samr_pipe;
419 0 : struct policy_handle dom_pol;
420 0 : struct dom_sid *user_grpsids = NULL;
421 0 : struct dom_sid_buf buf;
422 0 : uint32_t num_groups = 0;
423 0 : TALLOC_CTX *tmp_ctx;
424 0 : NTSTATUS status;
425 :
426 0 : DEBUG(3,("msrpc_lookup_usergroups sid=%s\n",
427 : dom_sid_str_buf(user_sid, &buf)));
428 :
429 0 : *pnum_groups = 0;
430 :
431 0 : tmp_ctx = talloc_stackframe();
432 0 : if (tmp_ctx == NULL) {
433 0 : return NT_STATUS_NO_MEMORY;
434 : }
435 :
436 : /* Check if we have a cached user_info_3 */
437 0 : status = lookup_usergroups_cached(tmp_ctx,
438 : user_sid,
439 : &num_groups,
440 : &user_grpsids);
441 0 : if (NT_STATUS_IS_OK(status)) {
442 0 : goto cached;
443 : }
444 :
445 0 : if ( !winbindd_can_contact_domain( domain ) ) {
446 0 : DEBUG(10,("lookup_usergroups: No incoming trust for domain %s\n",
447 : domain->name));
448 :
449 : /* Tell the cache manager not to remember this one */
450 0 : status = NT_STATUS_SYNCHRONIZATION_REQUIRED;
451 0 : goto done;
452 : }
453 :
454 : /* no cache; hit the wire */
455 0 : status = cm_connect_sam(domain, tmp_ctx, false, &samr_pipe, &dom_pol);
456 0 : if (!NT_STATUS_IS_OK(status)) {
457 0 : goto done;
458 : }
459 :
460 0 : status = rpc_lookup_usergroups(tmp_ctx,
461 : samr_pipe,
462 : &dom_pol,
463 0 : &domain->sid,
464 : user_sid,
465 : &num_groups,
466 : &user_grpsids);
467 0 : if (!NT_STATUS_IS_OK(status)) {
468 0 : goto done;
469 : }
470 :
471 0 : cached:
472 0 : *pnum_groups = num_groups;
473 :
474 0 : if (puser_grpsids) {
475 0 : *puser_grpsids = talloc_move(mem_ctx, &user_grpsids);
476 : }
477 :
478 0 : done:
479 0 : TALLOC_FREE(tmp_ctx);
480 0 : return status;
481 : return NT_STATUS_OK;
482 : }
483 :
484 : #define MAX_SAM_ENTRIES_W2K 0x400 /* 1024 */
485 :
486 0 : static NTSTATUS msrpc_lookup_useraliases(struct winbindd_domain *domain,
487 : TALLOC_CTX *mem_ctx,
488 : uint32_t num_sids, const struct dom_sid *sids,
489 : uint32_t *pnum_aliases,
490 : uint32_t **palias_rids)
491 : {
492 0 : struct rpc_pipe_client *samr_pipe;
493 0 : struct policy_handle dom_pol;
494 0 : uint32_t num_aliases = 0;
495 0 : uint32_t *alias_rids = NULL;
496 0 : TALLOC_CTX *tmp_ctx;
497 0 : NTSTATUS status;
498 :
499 0 : DEBUG(3,("msrpc_lookup_useraliases\n"));
500 :
501 0 : if (pnum_aliases) {
502 0 : *pnum_aliases = 0;
503 : }
504 :
505 0 : tmp_ctx = talloc_stackframe();
506 0 : if (tmp_ctx == NULL) {
507 0 : return NT_STATUS_NO_MEMORY;
508 : }
509 :
510 0 : if (!winbindd_can_contact_domain(domain)) {
511 0 : DEBUG(10,("msrpc_lookup_useraliases: No incoming trust for domain %s\n",
512 : domain->name));
513 : /* Tell the cache manager not to remember this one */
514 0 : status = NT_STATUS_SYNCHRONIZATION_REQUIRED;
515 0 : goto done;
516 : }
517 :
518 0 : status = cm_connect_sam(domain, tmp_ctx, false, &samr_pipe, &dom_pol);
519 0 : if (!NT_STATUS_IS_OK(status)) {
520 0 : goto done;
521 : }
522 :
523 0 : status = rpc_lookup_useraliases(tmp_ctx,
524 : samr_pipe,
525 : &dom_pol,
526 : num_sids,
527 : sids,
528 : &num_aliases,
529 : &alias_rids);
530 0 : if (!NT_STATUS_IS_OK(status)) {
531 0 : goto done;
532 : }
533 :
534 0 : if (pnum_aliases) {
535 0 : *pnum_aliases = num_aliases;
536 : }
537 :
538 0 : if (palias_rids) {
539 0 : *palias_rids = talloc_move(mem_ctx, &alias_rids);
540 : }
541 :
542 0 : done:
543 0 : TALLOC_FREE(tmp_ctx);
544 0 : return status;
545 : }
546 :
547 : /* lookup alias membership */
548 0 : static NTSTATUS msrpc_lookup_aliasmem(struct winbindd_domain *domain,
549 : TALLOC_CTX *mem_ctx,
550 : const struct dom_sid *alias_sid,
551 : enum lsa_SidType type,
552 : uint32_t *pnum_sids,
553 : struct dom_sid **sid_mem)
554 : {
555 0 : struct rpc_pipe_client *samr_pipe = NULL;
556 0 : struct policy_handle dom_pol;
557 0 : struct dom_sid *alias_members = NULL;
558 0 : struct dom_sid_buf buf;
559 0 : uint32_t num_groups = 0;
560 0 : TALLOC_CTX *tmp_ctx = talloc_stackframe();
561 0 : NTSTATUS status;
562 :
563 0 : D_INFO("Lookup alias members in domain=%s for sid=%s.\n",
564 : domain->name,
565 : dom_sid_str_buf(alias_sid, &buf));
566 :
567 0 : *pnum_sids = 0;
568 :
569 0 : if (!winbindd_can_contact_domain(domain)) {
570 0 : D_DEBUG("No incoming trust for domain %s\n", domain->name);
571 0 : status = NT_STATUS_OK;
572 0 : goto done;
573 : }
574 :
575 0 : status = cm_connect_sam(domain, tmp_ctx, false, &samr_pipe, &dom_pol);
576 0 : if (!NT_STATUS_IS_OK(status)) {
577 0 : goto done;
578 : }
579 :
580 0 : status = rpc_lookup_aliasmem(tmp_ctx,
581 : samr_pipe,
582 : &dom_pol,
583 0 : &domain->sid,
584 : alias_sid,
585 : type,
586 : &num_groups,
587 : &alias_members);
588 0 : if (!NT_STATUS_IS_OK(status)) {
589 0 : goto done;
590 : }
591 :
592 0 : *pnum_sids = num_groups;
593 0 : if (sid_mem) {
594 0 : *sid_mem = talloc_move(mem_ctx, &alias_members);
595 : }
596 :
597 0 : done:
598 0 : talloc_free(tmp_ctx);
599 0 : return status;
600 : }
601 :
602 : /* Lookup group membership given a rid. */
603 0 : static NTSTATUS msrpc_lookup_groupmem(struct winbindd_domain *domain,
604 : TALLOC_CTX *mem_ctx,
605 : const struct dom_sid *group_sid,
606 : enum lsa_SidType type,
607 : uint32_t *num_names,
608 : struct dom_sid **sid_mem,
609 : char ***names,
610 : uint32_t **name_types)
611 : {
612 0 : NTSTATUS status, result;
613 0 : uint32_t i, total_names = 0;
614 0 : struct policy_handle dom_pol, group_pol;
615 0 : uint32_t des_access = SEC_FLAG_MAXIMUM_ALLOWED;
616 0 : uint32_t *rid_mem = NULL;
617 0 : uint32_t group_rid;
618 0 : unsigned int j, r;
619 0 : struct rpc_pipe_client *cli;
620 0 : unsigned int orig_timeout;
621 0 : struct samr_RidAttrArray *rids = NULL;
622 0 : struct dcerpc_binding_handle *b;
623 0 : struct dom_sid_buf buf;
624 :
625 0 : DEBUG(3,("msrpc_lookup_groupmem: %s sid=%s\n", domain->name,
626 : dom_sid_str_buf(group_sid, &buf)));
627 :
628 0 : if ( !winbindd_can_contact_domain( domain ) ) {
629 0 : DEBUG(10,("lookup_groupmem: No incoming trust for domain %s\n",
630 : domain->name));
631 0 : return NT_STATUS_OK;
632 : }
633 :
634 0 : if (!sid_peek_check_rid(&domain->sid, group_sid, &group_rid))
635 0 : return NT_STATUS_UNSUCCESSFUL;
636 :
637 0 : *num_names = 0;
638 :
639 0 : result = cm_connect_sam(domain, mem_ctx, false, &cli, &dom_pol);
640 0 : if (!NT_STATUS_IS_OK(result))
641 0 : return result;
642 :
643 0 : b = cli->binding_handle;
644 :
645 0 : status = dcerpc_samr_OpenGroup(b, mem_ctx,
646 : &dom_pol,
647 : des_access,
648 : group_rid,
649 : &group_pol,
650 : &result);
651 0 : if (any_nt_status_not_ok(status, result, &status)) {
652 0 : return status;
653 : }
654 :
655 : /* Step #1: Get a list of user rids that are the members of the
656 : group. */
657 :
658 : /* This call can take a long time - allow the server to time out.
659 : 35 seconds should do it. */
660 :
661 0 : orig_timeout = rpccli_set_timeout(cli, 35000);
662 :
663 0 : status = dcerpc_samr_QueryGroupMember(b, mem_ctx,
664 : &group_pol,
665 : &rids,
666 : &result);
667 :
668 : /* And restore our original timeout. */
669 0 : rpccli_set_timeout(cli, orig_timeout);
670 :
671 : {
672 0 : NTSTATUS _result;
673 0 : dcerpc_samr_Close(b, mem_ctx, &group_pol, &_result);
674 : }
675 :
676 0 : if (any_nt_status_not_ok(status, result, &status)) {
677 0 : return status;
678 : }
679 :
680 0 : if (!rids || !rids->count) {
681 0 : names = NULL;
682 0 : name_types = NULL;
683 0 : sid_mem = NULL;
684 0 : return NT_STATUS_OK;
685 : }
686 :
687 0 : *num_names = rids->count;
688 0 : rid_mem = rids->rids;
689 :
690 : /* Step #2: Convert list of rids into list of usernames. Do this
691 : in bunches of ~1000 to avoid crashing NT4. It looks like there
692 : is a buffer overflow or something like that lurking around
693 : somewhere. */
694 :
695 : #define MAX_LOOKUP_RIDS 900
696 :
697 0 : *names = talloc_zero_array(mem_ctx, char *, *num_names);
698 0 : *name_types = talloc_zero_array(mem_ctx, uint32_t, *num_names);
699 0 : *sid_mem = talloc_zero_array(mem_ctx, struct dom_sid, *num_names);
700 :
701 0 : for (j=0;j<(*num_names);j++)
702 0 : sid_compose(&(*sid_mem)[j], &domain->sid, rid_mem[j]);
703 :
704 0 : if (*num_names>0 && (!*names || !*name_types))
705 0 : return NT_STATUS_NO_MEMORY;
706 :
707 0 : for (i = 0; i < *num_names; i += MAX_LOOKUP_RIDS) {
708 0 : int num_lookup_rids = MIN(*num_names - i, MAX_LOOKUP_RIDS);
709 0 : struct lsa_Strings tmp_names;
710 0 : struct samr_Ids tmp_types;
711 :
712 : /* Lookup a chunk of rids */
713 :
714 0 : status = dcerpc_samr_LookupRids(b, mem_ctx,
715 : &dom_pol,
716 : num_lookup_rids,
717 0 : &rid_mem[i],
718 : &tmp_names,
719 : &tmp_types,
720 : &result);
721 0 : if (!NT_STATUS_IS_OK(status)) {
722 0 : return status;
723 : }
724 :
725 : /* see if we have a real error (and yes the
726 : STATUS_SOME_UNMAPPED is the one returned from 2k) */
727 :
728 0 : if (!NT_STATUS_IS_OK(result) &&
729 0 : !NT_STATUS_EQUAL(result, STATUS_SOME_UNMAPPED))
730 0 : return result;
731 :
732 : /* Copy result into array. The talloc system will take
733 : care of freeing the temporary arrays later on. */
734 :
735 0 : if (tmp_names.count != num_lookup_rids) {
736 0 : return NT_STATUS_INVALID_NETWORK_RESPONSE;
737 : }
738 0 : if (tmp_types.count != num_lookup_rids) {
739 0 : return NT_STATUS_INVALID_NETWORK_RESPONSE;
740 : }
741 :
742 0 : for (r=0; r<tmp_names.count; r++) {
743 0 : if (tmp_types.ids[r] == SID_NAME_UNKNOWN) {
744 0 : continue;
745 : }
746 0 : if (total_names >= *num_names) {
747 0 : break;
748 : }
749 0 : (*names)[total_names] = fill_domain_username_talloc(
750 0 : mem_ctx, domain->name,
751 0 : tmp_names.names[r].string, true);
752 0 : (*name_types)[total_names] = tmp_types.ids[r];
753 0 : total_names += 1;
754 : }
755 : }
756 :
757 0 : *num_names = total_names;
758 :
759 0 : return NT_STATUS_OK;
760 : }
761 :
762 : /* get a list of trusted domains */
763 0 : static NTSTATUS msrpc_trusted_domains(struct winbindd_domain *domain,
764 : TALLOC_CTX *mem_ctx,
765 : struct netr_DomainTrustList *ptrust_list)
766 : {
767 0 : struct rpc_pipe_client *lsa_pipe;
768 0 : struct policy_handle lsa_policy;
769 0 : struct netr_DomainTrust *trusts = NULL;
770 0 : uint32_t num_trusts = 0;
771 0 : TALLOC_CTX *tmp_ctx;
772 0 : NTSTATUS status;
773 :
774 0 : DEBUG(3,("msrpc_trusted_domains\n"));
775 :
776 0 : if (ptrust_list) {
777 0 : ZERO_STRUCTP(ptrust_list);
778 : }
779 :
780 0 : tmp_ctx = talloc_stackframe();
781 0 : if (tmp_ctx == NULL) {
782 0 : return NT_STATUS_NO_MEMORY;
783 : }
784 :
785 0 : status = cm_connect_lsa(domain, tmp_ctx, &lsa_pipe, &lsa_policy);
786 0 : if (!NT_STATUS_IS_OK(status)) {
787 0 : goto done;
788 : }
789 :
790 0 : status = rpc_trusted_domains(tmp_ctx,
791 : lsa_pipe,
792 : &lsa_policy,
793 : &num_trusts,
794 : &trusts);
795 0 : if (!NT_STATUS_IS_OK(status)) {
796 0 : goto done;
797 : }
798 :
799 0 : if (ptrust_list) {
800 0 : ptrust_list->count = num_trusts;
801 0 : ptrust_list->array = talloc_move(mem_ctx, &trusts);
802 : }
803 :
804 0 : done:
805 0 : TALLOC_FREE(tmp_ctx);
806 0 : return status;
807 : }
808 :
809 : /* find the lockout policy for a domain */
810 0 : static NTSTATUS msrpc_lockout_policy(struct winbindd_domain *domain,
811 : TALLOC_CTX *mem_ctx,
812 : struct samr_DomInfo12 *lockout_policy)
813 : {
814 0 : NTSTATUS status, result;
815 0 : struct rpc_pipe_client *cli;
816 0 : struct policy_handle dom_pol;
817 0 : union samr_DomainInfo *info = NULL;
818 0 : struct dcerpc_binding_handle *b;
819 :
820 0 : DEBUG(3, ("msrpc_lockout_policy: fetch lockout policy for %s\n", domain->name));
821 :
822 0 : if ( !winbindd_can_contact_domain( domain ) ) {
823 0 : DEBUG(10,("msrpc_lockout_policy: No incoming trust for domain %s\n",
824 : domain->name));
825 0 : return NT_STATUS_NOT_SUPPORTED;
826 : }
827 :
828 0 : status = cm_connect_sam(domain, mem_ctx, false, &cli, &dom_pol);
829 0 : if (!NT_STATUS_IS_OK(status)) {
830 0 : goto done;
831 : }
832 :
833 0 : b = cli->binding_handle;
834 :
835 0 : status = dcerpc_samr_QueryDomainInfo(b, mem_ctx,
836 : &dom_pol,
837 : DomainLockoutInformation,
838 : &info,
839 : &result);
840 0 : if (any_nt_status_not_ok(status, result, &status)) {
841 0 : return status;
842 : }
843 :
844 0 : *lockout_policy = info->info12;
845 :
846 0 : DEBUG(10,("msrpc_lockout_policy: lockout_threshold %d\n",
847 : info->info12.lockout_threshold));
848 :
849 0 : done:
850 :
851 0 : return status;
852 : }
853 :
854 : /* find the password policy for a domain */
855 0 : static NTSTATUS msrpc_password_policy(struct winbindd_domain *domain,
856 : TALLOC_CTX *mem_ctx,
857 : struct samr_DomInfo1 *password_policy)
858 : {
859 0 : NTSTATUS status, result;
860 0 : struct rpc_pipe_client *cli;
861 0 : struct policy_handle dom_pol;
862 0 : union samr_DomainInfo *info = NULL;
863 0 : struct dcerpc_binding_handle *b;
864 :
865 0 : DEBUG(3, ("msrpc_password_policy: fetch password policy for %s\n",
866 : domain->name));
867 :
868 0 : if ( !winbindd_can_contact_domain( domain ) ) {
869 0 : DEBUG(10,("msrpc_password_policy: No incoming trust for domain %s\n",
870 : domain->name));
871 0 : return NT_STATUS_NOT_SUPPORTED;
872 : }
873 :
874 0 : status = cm_connect_sam(domain, mem_ctx, false, &cli, &dom_pol);
875 0 : if (!NT_STATUS_IS_OK(status)) {
876 0 : goto done;
877 : }
878 :
879 0 : b = cli->binding_handle;
880 :
881 0 : status = dcerpc_samr_QueryDomainInfo(b, mem_ctx,
882 : &dom_pol,
883 : DomainPasswordInformation,
884 : &info,
885 : &result);
886 0 : if (!NT_STATUS_IS_OK(status)) {
887 0 : goto done;
888 : }
889 0 : if (!NT_STATUS_IS_OK(result)) {
890 0 : goto done;
891 : }
892 :
893 0 : *password_policy = info->info1;
894 :
895 0 : DEBUG(10,("msrpc_password_policy: min_length_password %d\n",
896 : info->info1.min_password_length));
897 :
898 0 : done:
899 :
900 0 : return status;
901 : }
902 :
903 0 : static enum lsa_LookupNamesLevel winbindd_lookup_level(
904 : struct winbindd_domain *domain)
905 : {
906 0 : enum lsa_LookupNamesLevel level = LSA_LOOKUP_NAMES_DOMAINS_ONLY;
907 :
908 0 : if (domain->internal) {
909 0 : level = LSA_LOOKUP_NAMES_ALL;
910 0 : } else if (domain->secure_channel_type == SEC_CHAN_DNS_DOMAIN) {
911 0 : if (domain->domain_flags & NETR_TRUST_FLAG_IN_FOREST) {
912 : /*
913 : * TODO:
914 : *
915 : * Depending on what we want to resolve. We need to use:
916 : * 1. LsapLookupXForestReferral(5)/LSA_LOOKUP_NAMES_FOREST_TRUSTS_ONLY
917 : * if we want to pass the request into the direction of the forest
918 : * root domain. The forest root domain uses
919 : * LsapLookupXForestResolve(6)/LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2
920 : * when passing the request to trusted forests.
921 : * 2. LsapLookupGC(4)/LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY
922 : * if we're not a GC and want to resolve a name within our own forest.
923 : *
924 : * As we don't support more than one domain in our own forest
925 : * and always try to be a GC for now, we just set
926 : * LSA_LOOKUP_NAMES_FOREST_TRUSTS_ONLY.
927 : */
928 0 : level = LSA_LOOKUP_NAMES_FOREST_TRUSTS_ONLY;
929 0 : } else if (domain->domain_trust_attribs & LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) {
930 : /*
931 : * This is LsapLookupXForestResolve(6)/LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2
932 : */
933 0 : level = LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2;
934 : } else {
935 : /*
936 : * This is LsapLookupTDL(3)/LSA_LOOKUP_NAMES_PRIMARY_DOMAIN_ONLY
937 : */
938 0 : level = LSA_LOOKUP_NAMES_PRIMARY_DOMAIN_ONLY;
939 : }
940 0 : } else if (domain->secure_channel_type == SEC_CHAN_DOMAIN) {
941 : /*
942 : * This is LsapLookupTDL(3)/LSA_LOOKUP_NAMES_PRIMARY_DOMAIN_ONLY
943 : */
944 0 : level = LSA_LOOKUP_NAMES_PRIMARY_DOMAIN_ONLY;
945 0 : } else if (domain->rodc) {
946 0 : level = LSA_LOOKUP_NAMES_RODC_REFERRAL_TO_FULL_DC;
947 : } else {
948 : /*
949 : * This is LsapLookupPDC(2)/LSA_LOOKUP_NAMES_DOMAINS_ONLY
950 : */
951 0 : level = LSA_LOOKUP_NAMES_DOMAINS_ONLY;
952 : }
953 :
954 0 : return level;
955 : }
956 :
957 0 : NTSTATUS winbindd_lookup_sids(TALLOC_CTX *mem_ctx,
958 : struct winbindd_domain *domain,
959 : uint32_t num_sids,
960 : const struct dom_sid *sids,
961 : char ***domains,
962 : char ***names,
963 : enum lsa_SidType **types)
964 : {
965 0 : NTSTATUS status;
966 0 : NTSTATUS result;
967 0 : struct rpc_pipe_client *cli = NULL;
968 0 : struct dcerpc_binding_handle *b = NULL;
969 0 : struct policy_handle lsa_policy;
970 0 : unsigned int orig_timeout;
971 0 : bool use_lookupsids3 = false;
972 0 : bool retried = false;
973 0 : enum lsa_LookupNamesLevel level = LSA_LOOKUP_NAMES_ALL;
974 :
975 0 : connect:
976 0 : status = cm_connect_lsat(domain, mem_ctx, &cli, &lsa_policy);
977 0 : if (!NT_STATUS_IS_OK(status)) {
978 0 : return status;
979 : }
980 :
981 0 : b = cli->binding_handle;
982 :
983 0 : if (cli->transport->transport == NCACN_IP_TCP) {
984 0 : use_lookupsids3 = true;
985 : }
986 :
987 0 : level = winbindd_lookup_level(domain);
988 :
989 : /*
990 : * This call can take a long time
991 : * allow the server to time out.
992 : * 35 seconds should do it.
993 : */
994 0 : orig_timeout = dcerpc_binding_handle_set_timeout(b, 35000);
995 :
996 0 : status = dcerpc_lsa_lookup_sids_generic(b,
997 : mem_ctx,
998 : &lsa_policy,
999 : num_sids,
1000 : sids,
1001 : level,
1002 : domains,
1003 : names,
1004 : types,
1005 : use_lookupsids3,
1006 : &result);
1007 :
1008 : /* And restore our original timeout. */
1009 0 : dcerpc_binding_handle_set_timeout(b, orig_timeout);
1010 :
1011 0 : if (reset_cm_connection_on_error(domain, b, status)) {
1012 : /*
1013 : * This can happen if the schannel key is not
1014 : * valid anymore, we need to invalidate the
1015 : * all connections to the dc and reestablish
1016 : * a netlogon connection first.
1017 : */
1018 0 : domain->can_do_ncacn_ip_tcp = domain->active_directory;
1019 0 : if (!retried) {
1020 0 : retried = true;
1021 0 : goto connect;
1022 : }
1023 0 : status = NT_STATUS_ACCESS_DENIED;
1024 : }
1025 :
1026 0 : if (any_nt_status_not_ok(status, result, &status)) {
1027 0 : return status;
1028 : }
1029 :
1030 0 : return NT_STATUS_OK;
1031 : }
1032 :
1033 0 : static NTSTATUS winbindd_lookup_names(TALLOC_CTX *mem_ctx,
1034 : struct winbindd_domain *domain,
1035 : uint32_t num_names,
1036 : const char **names,
1037 : const char ***domains,
1038 : struct dom_sid **sids,
1039 : enum lsa_SidType **types)
1040 : {
1041 0 : NTSTATUS status;
1042 0 : NTSTATUS result;
1043 0 : struct rpc_pipe_client *cli = NULL;
1044 0 : struct dcerpc_binding_handle *b = NULL;
1045 0 : struct policy_handle lsa_policy;
1046 0 : unsigned int orig_timeout = 0;
1047 0 : bool use_lookupnames4 = false;
1048 0 : bool retried = false;
1049 0 : enum lsa_LookupNamesLevel level = LSA_LOOKUP_NAMES_ALL;
1050 :
1051 0 : connect:
1052 0 : status = cm_connect_lsat(domain, mem_ctx, &cli, &lsa_policy);
1053 0 : if (!NT_STATUS_IS_OK(status)) {
1054 0 : return status;
1055 : }
1056 :
1057 0 : b = cli->binding_handle;
1058 :
1059 0 : if (cli->transport->transport == NCACN_IP_TCP) {
1060 0 : use_lookupnames4 = true;
1061 : }
1062 :
1063 0 : level = winbindd_lookup_level(domain);
1064 :
1065 : /*
1066 : * This call can take a long time
1067 : * allow the server to time out.
1068 : * 35 seconds should do it.
1069 : */
1070 0 : orig_timeout = dcerpc_binding_handle_set_timeout(b, 35000);
1071 :
1072 0 : status = dcerpc_lsa_lookup_names_generic(b,
1073 : mem_ctx,
1074 : &lsa_policy,
1075 : num_names,
1076 : (const char **) names,
1077 : domains,
1078 : level,
1079 : sids,
1080 : types,
1081 : use_lookupnames4,
1082 : &result);
1083 :
1084 : /* And restore our original timeout. */
1085 0 : dcerpc_binding_handle_set_timeout(b, orig_timeout);
1086 :
1087 0 : if (reset_cm_connection_on_error(domain, b, status)) {
1088 : /*
1089 : * This can happen if the schannel key is not
1090 : * valid anymore, we need to invalidate the
1091 : * all connections to the dc and reestablish
1092 : * a netlogon connection first.
1093 : */
1094 0 : if (!retried) {
1095 0 : retried = true;
1096 0 : goto connect;
1097 : }
1098 0 : status = NT_STATUS_ACCESS_DENIED;
1099 : }
1100 :
1101 0 : if (any_nt_status_not_ok(status, result, &status)) {
1102 0 : return status;
1103 : }
1104 :
1105 0 : return NT_STATUS_OK;
1106 : }
1107 :
1108 : /* the rpc backend methods are exposed via this structure */
1109 : struct winbindd_methods msrpc_methods = {
1110 : False,
1111 : msrpc_query_user_list,
1112 : msrpc_enum_dom_groups,
1113 : msrpc_enum_local_groups,
1114 : msrpc_name_to_sid,
1115 : msrpc_sid_to_name,
1116 : msrpc_rids_to_names,
1117 : msrpc_lookup_usergroups,
1118 : msrpc_lookup_useraliases,
1119 : msrpc_lookup_groupmem,
1120 : msrpc_lookup_aliasmem,
1121 : msrpc_lockout_policy,
1122 : msrpc_password_policy,
1123 : msrpc_trusted_domains,
1124 : };
|
