samba-mirror/source3/winbindd/winbindd_samr.c

/*
 * Unix SMB/CIFS implementation.
 *
 * Winbind rpc backend functions
 *
 * Copyright (c) 2000-2003 Tim Potter
 * Copyright (c) 2001      Andrew Tridgell
 * Copyright (c) 2005      Volker Lendecke
 * Copyright (c) 2008      Guenther Deschner (pidl conversion)
 * Copyright (c) 2010      Andreas Schneider <asn@samba.org>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */

#include "includes.h"
#include "winbindd.h"
#include "winbindd_rpc.h"
#include "lib/util_unixsids.h"
#include "rpc_client/rpc_client.h"
#include "rpc_client/cli_pipe.h"
#include "../librpc/gen_ndr/ndr_samr_c.h"
#include "rpc_client/cli_samr.h"
#include "../librpc/gen_ndr/ndr_lsa_c.h"
#include "rpc_client/cli_lsarpc.h"
#include "rpc_server/rpc_ncacn_np.h"
#include "../libcli/security/security.h"
#include "passdb/machine_sid.h"
#include "auth.h"
#include "source3/lib/global_contexts.h"

#undef DBGC_CLASS
#define DBGC_CLASS DBGC_WINBIND

/*
 * The other end of this won't go away easily, so we can trust it
 *
 * It is either a long-lived process with the same lifetime as
 * winbindd or a part of this process
 */
struct winbind_internal_pipes {
	struct tevent_timer *shutdown_timer;
	struct rpc_pipe_client *samr_pipe;
	struct policy_handle samr_domain_hnd;
	struct rpc_pipe_client *lsa_pipe;
	struct policy_handle lsa_hnd;
};


NTSTATUS open_internal_samr_conn(TALLOC_CTX *mem_ctx,
				 struct winbindd_domain *domain,
				 struct rpc_pipe_client **samr_pipe,
				 struct policy_handle *samr_domain_hnd)
{
	NTSTATUS status, result;
	struct policy_handle samr_connect_hnd;
	struct dcerpc_binding_handle *b;

	status = wb_open_internal_pipe(mem_ctx, &ndr_table_samr, samr_pipe);
	if (!NT_STATUS_IS_OK(status)) {
		DBG_ERR("Could not connect to %s pipe: %s\n",
			ndr_table_samr.name, nt_errstr(status));
		return status;
	}

	b = (*samr_pipe)->binding_handle;

	status = dcerpc_samr_Connect2(b, mem_ctx,
				      (*samr_pipe)->desthost,
				      SEC_FLAG_MAXIMUM_ALLOWED,
				      &samr_connect_hnd,
				      &result);
	if (!NT_STATUS_IS_OK(status)) {
		return status;
	}
	if (!NT_STATUS_IS_OK(result)) {
		return result;
	}

	status = dcerpc_samr_OpenDomain(b, mem_ctx,
					&samr_connect_hnd,
					SEC_FLAG_MAXIMUM_ALLOWED,
					&domain->sid,
					samr_domain_hnd,
					&result);
	if (!NT_STATUS_IS_OK(status)) {
		return status;
	}

	return result;
}

NTSTATUS open_internal_lsa_conn(TALLOC_CTX *mem_ctx,
				struct rpc_pipe_client **lsa_pipe,
				struct policy_handle *lsa_hnd)
{
	NTSTATUS status;

	status = wb_open_internal_pipe(mem_ctx, &ndr_table_lsarpc, lsa_pipe);
	if (!NT_STATUS_IS_OK(status)) {
		DBG_ERR("Could not connect to %s pipe: %s\n",
			ndr_table_lsarpc.name, nt_errstr(status));
		return status;
	}

	status = rpccli_lsa_open_policy((*lsa_pipe),
					mem_ctx,
					true,
					SEC_FLAG_MAXIMUM_ALLOWED,
					lsa_hnd);

	return status;
}

static void cached_internal_pipe_close(
	struct tevent_context *ev,
	struct tevent_timer *te,
	struct timeval current_time,
	void *private_data)
{
	struct winbindd_domain *domain = talloc_get_type_abort(
		private_data, struct winbindd_domain);
	/*
	 * Freeing samr_pipes closes the cached pipes.
	 *
	 * We can do a hard close because at the time of this commit
	 * we only use synchronous calls to external pipes. So we can't
	 * have any outstanding requests. Also, we don't set
	 * dcerpc_binding_handle_set_sync_ev in winbind, so we don't
	 * get nested event loops. Once we start to get async in
	 * winbind children, we need to check for outstanding calls
	 */
	TALLOC_FREE(domain->backend_data.samr_pipes);
}

static NTSTATUS open_cached_internal_pipe_conn(
	struct winbindd_domain *domain,
	struct rpc_pipe_client **samr_pipe,
	struct policy_handle *samr_domain_hnd,
	struct rpc_pipe_client **lsa_pipe,
	struct policy_handle *lsa_hnd)
{
	struct winbind_internal_pipes *internal_pipes =
		domain->backend_data.samr_pipes;

	if (internal_pipes == NULL) {
		TALLOC_CTX *frame = talloc_stackframe();
		NTSTATUS status;

		internal_pipes = talloc_zero(frame,
					     struct winbind_internal_pipes);

		status = open_internal_samr_conn(
			internal_pipes,
			domain,
			&internal_pipes->samr_pipe,
			&internal_pipes->samr_domain_hnd);
		if (!NT_STATUS_IS_OK(status)) {
			TALLOC_FREE(frame);
			return status;
		}

		status = open_internal_lsa_conn(internal_pipes,
						&internal_pipes->lsa_pipe,
						&internal_pipes->lsa_hnd);

		if (!NT_STATUS_IS_OK(status)) {
			TALLOC_FREE(frame);
			return status;
		}

		internal_pipes->shutdown_timer = tevent_add_timer(
			global_event_context(),
			internal_pipes,
			timeval_current_ofs(5, 0),
			cached_internal_pipe_close,
			domain);
		if (internal_pipes->shutdown_timer == NULL) {
			TALLOC_FREE(frame);
			return NT_STATUS_NO_MEMORY;
		}

		domain->backend_data.samr_pipes =
			talloc_steal(domain, internal_pipes);

		TALLOC_FREE(frame);
	}

	if (samr_domain_hnd) {
		*samr_domain_hnd = internal_pipes->samr_domain_hnd;
	}

	if (samr_pipe) {
		*samr_pipe = internal_pipes->samr_pipe;
	}

	if (lsa_hnd) {
		*lsa_hnd = internal_pipes->lsa_hnd;
	}

	if (lsa_pipe) {
		*lsa_pipe = internal_pipes->lsa_pipe;
	}

	tevent_update_timer(
		internal_pipes->shutdown_timer,
		timeval_current_ofs(5, 0));

	return NT_STATUS_OK;
}

static bool reset_connection_on_error(struct winbindd_domain *domain,
				      struct rpc_pipe_client *p,
				      NTSTATUS status)
{
	struct dcerpc_binding_handle *b = p->binding_handle;

	if (NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) ||
	    NT_STATUS_EQUAL(status, NT_STATUS_IO_DEVICE_ERROR))
	{
		TALLOC_FREE(domain->backend_data.samr_pipes);
		return true;
	}

	if (!dcerpc_binding_handle_is_connected(b)) {
		TALLOC_FREE(domain->backend_data.samr_pipes);
		return true;
	}

	return false;
}

/*********************************************************************
 SAM specific functions.
*********************************************************************/

/* List all domain groups */
static NTSTATUS sam_enum_dom_groups(struct winbindd_domain *domain,
				    TALLOC_CTX *mem_ctx,
				    uint32_t *pnum_info,
				    struct wb_acct_info **pinfo)
{
	struct rpc_pipe_client *samr_pipe;
	struct policy_handle dom_pol = { 0 };
	struct wb_acct_info *info = NULL;
	uint32_t num_info = 0;
	TALLOC_CTX *tmp_ctx = talloc_stackframe();
	NTSTATUS status;
	bool retry = false;

	DEBUG(3,("sam_enum_dom_groups\n"));

	if (pnum_info) {
		*pnum_info = 0;
	}

again:
	status = open_cached_internal_pipe_conn(domain,
						&samr_pipe,
						&dom_pol,
						NULL,
						NULL);
	if (!NT_STATUS_IS_OK(status)) {
		TALLOC_FREE(tmp_ctx);
		return status;
	}

	status = rpc_enum_dom_groups(tmp_ctx,
				     samr_pipe,
				     &dom_pol,
				     &num_info,
				     &info);

	if (!retry && reset_connection_on_error(domain, samr_pipe, status)) {
		retry = true;
		goto again;
	}

	if (!NT_STATUS_IS_OK(status)) {
		TALLOC_FREE(tmp_ctx);
		return status;
	}

	if (pnum_info) {
		*pnum_info = num_info;
	}

	if (pinfo) {
		*pinfo = talloc_move(mem_ctx, &info);
	}

	TALLOC_FREE(tmp_ctx);
	return status;
}

/* Query display info for a domain */
static NTSTATUS sam_query_user_list(struct winbindd_domain *domain,
				    TALLOC_CTX *mem_ctx,
				    uint32_t **prids)
{
	struct rpc_pipe_client *samr_pipe = NULL;
	struct policy_handle dom_pol = { 0 };
	uint32_t *rids = NULL;
	TALLOC_CTX *tmp_ctx = talloc_stackframe();
	NTSTATUS status;
	bool retry = false;

	DEBUG(3,("samr_query_user_list\n"));

again:
	status = open_cached_internal_pipe_conn(domain,
						&samr_pipe,
						&dom_pol,
						NULL,
						NULL);
	if (!NT_STATUS_IS_OK(status)) {
		goto done;
	}

	status = rpc_query_user_list(tmp_ctx,
				     samr_pipe,
				     &dom_pol,
				     &domain->sid,
				     &rids);
	if (!retry && reset_connection_on_error(domain, samr_pipe, status)) {
		retry = true;
		goto again;
	}

	if (!NT_STATUS_IS_OK(status)) {
		goto done;
	}

	if (prids != NULL) {
		*prids = talloc_move(mem_ctx, &rids);
	}

done:
	TALLOC_FREE(rids);
	TALLOC_FREE(tmp_ctx);
	return status;
}

/* get a list of trusted domains - builtin domain */
static NTSTATUS sam_trusted_domains(struct winbindd_domain *domain,
				    TALLOC_CTX *mem_ctx,
				    struct netr_DomainTrustList *ptrust_list)
{
	struct rpc_pipe_client *lsa_pipe;
	struct policy_handle lsa_policy = { 0 };
	struct netr_DomainTrust *trusts = NULL;
	uint32_t num_trusts = 0;
	TALLOC_CTX *tmp_ctx = talloc_stackframe();
	NTSTATUS status;
	bool retry = false;

	DEBUG(3,("samr: trusted domains\n"));

	if (ptrust_list) {
		ZERO_STRUCTP(ptrust_list);
	}

again:
	status = open_cached_internal_pipe_conn(domain,
						NULL,
						NULL,
						&lsa_pipe,
						&lsa_policy);
	if (!NT_STATUS_IS_OK(status)) {
		goto done;
	}

	status = rpc_trusted_domains(tmp_ctx,
				     lsa_pipe,
				     &lsa_policy,
				     &num_trusts,
				     &trusts);

	if (!retry && reset_connection_on_error(domain, lsa_pipe, status)) {
		retry = true;
		goto again;
	}

	if (!NT_STATUS_IS_OK(status)) {
		goto done;
	}

	if (ptrust_list) {
		ptrust_list->count = num_trusts;
		ptrust_list->array = talloc_move(mem_ctx, &trusts);
	}

done:
	TALLOC_FREE(tmp_ctx);
	return status;
}

/* Lookup group membership given a rid.   */
static NTSTATUS sam_lookup_groupmem(struct winbindd_domain *domain,
				    TALLOC_CTX *mem_ctx,
				    const struct dom_sid *group_sid,
				    enum lsa_SidType type,
				    uint32_t *pnum_names,
				    struct dom_sid **psid_mem,
				    char ***pnames,
				    uint32_t **pname_types)
{
	struct rpc_pipe_client *samr_pipe;
	struct policy_handle dom_pol = { 0 };

	uint32_t num_names = 0;
	struct dom_sid *sid_mem = NULL;
	char **names = NULL;
	uint32_t *name_types = NULL;

	TALLOC_CTX *tmp_ctx = talloc_stackframe();
	NTSTATUS status;
	bool retry = false;

	DEBUG(3,("sam_lookup_groupmem\n"));

	/* Paranoia check */
	if (sid_check_is_in_builtin(group_sid) && (type != SID_NAME_ALIAS)) {
		/* There's no groups, only aliases in BUILTIN */
		status = NT_STATUS_NO_SUCH_GROUP;
		goto done;
	}

	if (pnum_names) {
		*pnum_names = 0;
	}

again:
	status = open_cached_internal_pipe_conn(domain,
						&samr_pipe,
						&dom_pol,
						NULL,
						NULL);
	if (!NT_STATUS_IS_OK(status)) {
		goto done;
	}

	status = rpc_lookup_groupmem(tmp_ctx,
				     samr_pipe,
				     &dom_pol,
				     domain->name,
				     &domain->sid,
				     group_sid,
				     type,
				     &num_names,
				     &sid_mem,
				     &names,
				     &name_types);

	if (!retry && reset_connection_on_error(domain, samr_pipe, status)) {
		retry = true;
		goto again;
	}

	if (pnum_names) {
		*pnum_names = num_names;
	}

	if (pnames) {
		*pnames = talloc_move(mem_ctx, &names);
	}

	if (pname_types) {
		*pname_types = talloc_move(mem_ctx, &name_types);
	}

	if (psid_mem) {
		*psid_mem = talloc_move(mem_ctx, &sid_mem);
	}

done:
	TALLOC_FREE(tmp_ctx);
	return status;
}

/* Lookup alias membership */
static NTSTATUS sam_lookup_aliasmem(struct winbindd_domain *domain,
				    TALLOC_CTX *mem_ctx,
				    const struct dom_sid *group_sid,
				    enum lsa_SidType type,
				    uint32_t *pnum_sids,
				    struct dom_sid **psid_mem)
{
	struct rpc_pipe_client *samr_pipe;
	struct policy_handle dom_pol = {0};

	uint32_t num_sids = 0;
	struct dom_sid *sid_mem = NULL;

	TALLOC_CTX *tmp_ctx = talloc_stackframe();
	NTSTATUS status;
	bool retry = false;

	DBG_INFO("sam_lookup_aliasmem\n");

	/* Paranoia check */
	if (type != SID_NAME_ALIAS) {
		status = NT_STATUS_NO_SUCH_ALIAS;
		goto done;
	}

	if (pnum_sids) {
		*pnum_sids = 0;
	}

again:
	status = open_cached_internal_pipe_conn(domain,
						&samr_pipe,
						&dom_pol,
						NULL,
						NULL);
	if (!NT_STATUS_IS_OK(status)) {
		goto done;
	}

	status = rpc_lookup_aliasmem(tmp_ctx,
				     samr_pipe,
				     &dom_pol,
				     &domain->sid,
				     group_sid,
				     type,
				     &num_sids,
				     &sid_mem);

	if (!retry && reset_connection_on_error(domain, samr_pipe, status)) {
		retry = true;
		goto again;
	}

	if (pnum_sids) {
		*pnum_sids = num_sids;
	}

	if (psid_mem) {
		*psid_mem = talloc_move(mem_ctx, &sid_mem);
	}

done:
	TALLOC_FREE(tmp_ctx);
	return status;
}

/*********************************************************************
 BUILTIN specific functions.
*********************************************************************/

/* List all domain groups */
static NTSTATUS builtin_enum_dom_groups(struct winbindd_domain *domain,
				TALLOC_CTX *mem_ctx,
				uint32_t *num_entries,
				struct wb_acct_info **info)
{
	/* BUILTIN doesn't have domain groups */
	*num_entries = 0;
	*info = NULL;
	return NT_STATUS_OK;
}

/* Query display info for a domain */
static NTSTATUS builtin_query_user_list(struct winbindd_domain *domain,
				TALLOC_CTX *mem_ctx,
				uint32_t **rids)
{
	/* We don't have users */
	*rids = NULL;
	return NT_STATUS_OK;
}

/* get a list of trusted domains - builtin domain */
static NTSTATUS builtin_trusted_domains(struct winbindd_domain *domain,
					TALLOC_CTX *mem_ctx,
					struct netr_DomainTrustList *trusts)
{
	ZERO_STRUCTP(trusts);
	return NT_STATUS_OK;
}

/*********************************************************************
 COMMON functions.
*********************************************************************/

/* List all local groups (aliases) */
static NTSTATUS sam_enum_local_groups(struct winbindd_domain *domain,
				      TALLOC_CTX *mem_ctx,
				      uint32_t *pnum_info,
				      struct wb_acct_info **pinfo)
{
	struct rpc_pipe_client *samr_pipe;
	struct policy_handle dom_pol = { 0 };
	struct wb_acct_info *info = NULL;
	uint32_t num_info = 0;
	TALLOC_CTX *tmp_ctx = talloc_stackframe();
	NTSTATUS status;
	bool retry = false;

	DEBUG(3,("samr: enum local groups\n"));

	if (pnum_info) {
		*pnum_info = 0;
	}

again:
	status = open_cached_internal_pipe_conn(domain,
						&samr_pipe,
						&dom_pol,
						NULL,
						NULL);
	if (!NT_STATUS_IS_OK(status)) {
		goto done;
	}

	status = rpc_enum_local_groups(mem_ctx,
				       samr_pipe,
				       &dom_pol,
				       &num_info,

				       &info);
	if (!retry && reset_connection_on_error(domain, samr_pipe, status)) {
		retry = true;
		goto again;
	}

	if (!NT_STATUS_IS_OK(status)) {
		goto done;
	}

	if (pnum_info) {
		*pnum_info = num_info;
	}

	if (pinfo) {
		*pinfo = talloc_move(mem_ctx, &info);
	}

done:
	TALLOC_FREE(tmp_ctx);
	return status;
}

/* convert a single name to a sid in a domain */
static NTSTATUS sam_name_to_sid(struct winbindd_domain *domain,
				   TALLOC_CTX *mem_ctx,
				   const char *domain_name,
				   const char *name,
				   uint32_t flags,
				   const char **pdom_name,
				   struct dom_sid *psid,
				   enum lsa_SidType *ptype)
{
	struct rpc_pipe_client *samr_pipe = NULL;
	struct dcerpc_binding_handle *h = NULL;
	struct policy_handle dom_pol = { .handle_type = 0, };
	struct dom_sid sid;
	const char *dom_name = domain_name;
	struct lsa_String lsa_name = { .string = name };
	struct samr_Ids rids = { .count = 0 };
	struct samr_Ids types = { .count = 0 };
	enum lsa_SidType type;
	TALLOC_CTX *tmp_ctx = talloc_stackframe();
	NTSTATUS status = NT_STATUS_NONE_MAPPED;
	NTSTATUS result;
	bool retry = false;
	bool ok;

	DBG_NOTICE("%s\\%s\n", domain_name, name);

	*ptype = SID_NAME_UNKNOWN;

	if (strequal(domain_name, unix_users_domain_name())) {
		struct passwd *pwd = NULL;

		if (name[0] == '\0') {
			sid_copy(&sid, &global_sid_Unix_Users);
			type = SID_NAME_DOMAIN;
			goto done;
		}

		pwd = Get_Pwnam_alloc(tmp_ctx, name);
		if (pwd == NULL) {
			goto fail;
		}
		ok = sid_compose(&sid, &global_sid_Unix_Users, pwd->pw_uid);
		if (!ok) {
			status = NT_STATUS_INTERNAL_ERROR;
			goto fail;
		}
		type = SID_NAME_USER;
		goto done;
	}

	if (strequal(domain_name, unix_groups_domain_name())) {
		struct group *grp = NULL;

		if (name[0] == '\0') {
			sid_copy(&sid, &global_sid_Unix_Groups);
			type = SID_NAME_DOMAIN;
			goto done;
		}

		grp = getgrnam(name);
		if (grp == NULL) {
			goto fail;
		}
		ok = sid_compose(&sid, &global_sid_Unix_Groups, grp->gr_gid);
		if (!ok) {
			status = NT_STATUS_INTERNAL_ERROR;
			goto fail;
		}
		type = SID_NAME_DOM_GRP;
		goto done;
	}

	if (name[0] == '\0') {
		sid_copy(&sid, &domain->sid);
		type = SID_NAME_DOMAIN;
		goto done;
	}

	ok = lookup_wellknown_name(tmp_ctx, name, &sid, &dom_name);
	if (ok) {
		type = SID_NAME_WKN_GRP;
		goto done;
	}

	{
		char *normalized = NULL;
		NTSTATUS nstatus = normalize_name_unmap(
			tmp_ctx, name, &normalized);
		if (NT_STATUS_IS_OK(nstatus) ||
		    NT_STATUS_EQUAL(nstatus, NT_STATUS_FILE_RENAMED)) {
			lsa_name.string = normalized;
		}
	}

again:
	status = open_cached_internal_pipe_conn(
		domain, &samr_pipe, &dom_pol, NULL, NULL);
	if (!NT_STATUS_IS_OK(status)) {
		goto fail;
	}
	h = samr_pipe->binding_handle;

	status = dcerpc_samr_LookupNames(
		h, tmp_ctx, &dom_pol, 1, &lsa_name, &rids, &types, &result);

	if (!retry && reset_connection_on_error(domain, samr_pipe, status)) {
		retry = true;
		goto again;
	}

	if (!NT_STATUS_IS_OK(status)) {
		DBG_DEBUG("dcerpc_samr_LookupNames returned %s\n",
			  nt_errstr(status));
		goto fail;
	}
	if (!NT_STATUS_IS_OK(result)) {
		DBG_DEBUG("dcerpc_samr_LookupNames resulted in %s\n",
			  nt_errstr(status));
		status = result;
		goto fail;
	}

	sid_compose(&sid, &domain->sid, rids.ids[0]);
	type = types.ids[0];

done:
	if (pdom_name != NULL) {
		*pdom_name = talloc_strdup(mem_ctx, dom_name);
		if (*pdom_name == NULL) {
			status = NT_STATUS_NO_MEMORY;
			goto fail;
		}
	}

	if (psid) {
		sid_copy(psid, &sid);
	}
	if (ptype) {
		*ptype = type;
	}

	status = NT_STATUS_OK;
fail:
	if (NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED) ||
	    NT_STATUS_EQUAL(status, NT_STATUS_SOME_NOT_MAPPED))
	{
		status = NT_STATUS_OK;
	}
	TALLOC_FREE(tmp_ctx);
	return status;
}

/* convert a domain SID to a user or group name */
static NTSTATUS sam_sid_to_name(struct winbindd_domain *domain,
				TALLOC_CTX *mem_ctx,
				const struct dom_sid *sid,
				char **pdomain_name,
				char **pname,
				enum lsa_SidType *ptype)
{
	struct rpc_pipe_client *samr_pipe = NULL;
	struct dcerpc_binding_handle *h = NULL;
	struct policy_handle dom_pol = { .handle_type = 0, };
	const char *domain_name = "";
	const char *name = "";
	enum lsa_SidType type = SID_NAME_USE_NONE;
	struct lsa_Strings names = { .count = 0, };
	struct samr_Ids types = { .count = 0 };
	struct dom_sid domain_sid;
	uint32_t rid;
	TALLOC_CTX *tmp_ctx = talloc_stackframe();
	NTSTATUS status = NT_STATUS_NONE_MAPPED;
	NTSTATUS result;
	bool retry = false;
	bool ok;

	DEBUG(3,("sam_sid_to_name\n"));

	if (sid_check_is_unix_users(sid)) {
		domain_name = unix_users_domain_name();
		type = SID_NAME_DOMAIN;
		goto done;
	}
	if (sid_check_is_in_unix_users(sid)) {
		struct passwd *pwd = NULL;

		ok = sid_peek_rid(sid, &rid);
		if (!ok) {
			goto fail;
		}
		pwd = getpwuid(rid);
		if (pwd == NULL) {
			goto fail;
		}

		domain_name = unix_users_domain_name();
		name = talloc_strdup(tmp_ctx, pwd->pw_name);
		if (name == NULL) {
			status = NT_STATUS_NO_MEMORY;
			goto fail;
		}
		type = SID_NAME_USER;
		goto done;
	}

	if (sid_check_is_unix_groups(sid)) {
		domain_name = unix_groups_domain_name();
		type = SID_NAME_DOMAIN;
		goto done;
	}
	if (sid_check_is_in_unix_groups(sid)) {
		struct group *grp = NULL;

		ok = sid_peek_rid(sid, &rid);
		if (!ok) {
			goto fail;
		}
		grp = getgrgid(rid);
		if (grp == NULL) {
			goto fail;
		}

		domain_name = unix_groups_domain_name();
		name = talloc_strdup(tmp_ctx, grp->gr_name);
		if (name == NULL) {
			status = NT_STATUS_NO_MEMORY;
			goto fail;
		}
		type = SID_NAME_DOM_GRP;
		goto done;
	}

	ok = lookup_wellknown_sid(tmp_ctx, sid, &domain_name, &name);
	if (ok) {
		type = SID_NAME_WKN_GRP;
		goto done;
	}

	if (dom_sid_equal(sid, &domain->sid)) {
		domain_name = domain->name;
		type = SID_NAME_DOMAIN;
		goto done;
	}

	sid_copy(&domain_sid, sid);
	ok = sid_split_rid(&domain_sid, &rid);
	if (!ok) {
		goto fail;
	}

	if (!dom_sid_equal(&domain_sid, &domain->sid)) {
		goto fail;
	}

again:
	status = open_cached_internal_pipe_conn(
		domain, &samr_pipe, &dom_pol, NULL, NULL);
	if (!NT_STATUS_IS_OK(status)) {
		goto fail;
	}
	h = samr_pipe->binding_handle;

	status = dcerpc_samr_LookupRids(
		h, tmp_ctx, &dom_pol, 1, &rid, &names, &types, &result);

	if (!retry && reset_connection_on_error(domain, samr_pipe, status)) {
		retry = true;
		goto again;
	}

	if (!NT_STATUS_IS_OK(status)) {
		DBG_DEBUG("dcerpc_samr_LookupRids failed: %s\n",
			  nt_errstr(status));
		goto fail;
	}
	if (!NT_STATUS_IS_OK(result)) {
		DBG_DEBUG("dcerpc_samr_LookupRids resulted in %s\n",
			  nt_errstr(result));
		status = result;
		goto fail;
	}

	domain_name = domain->name;
	name = names.names[0].string;
	type = types.ids[0];

	if (name != NULL) {
		char *normalized = NULL;
		NTSTATUS nstatus = normalize_name_map(
			tmp_ctx, domain_name, name, &normalized);
		if (NT_STATUS_IS_OK(nstatus) ||
		    NT_STATUS_EQUAL(nstatus, NT_STATUS_FILE_RENAMED)) {
			name = normalized;
		}
	}

done:
	if (ptype) {
		*ptype = type;
	}

	if (pname) {
		*pname = talloc_strdup(mem_ctx, name);
		if (*pname == NULL) {
			status = NT_STATUS_NO_MEMORY;
			goto fail;
		}
	}

	if (pdomain_name) {
		*pdomain_name = talloc_strdup(mem_ctx, domain_name);
		if (*pdomain_name == NULL) {
			status = NT_STATUS_NO_MEMORY;
			goto fail;
		}
	}

	status = NT_STATUS_OK;
fail:
	TALLOC_FREE(tmp_ctx);
	return status;
}

static NTSTATUS sam_rids_to_names(struct winbindd_domain *domain,
				  TALLOC_CTX *mem_ctx,
				  const struct dom_sid *domain_sid,
				  uint32_t *rids,
				  size_t num_rids,
				  char **pdomain_name,
				  char ***pnames,
				  enum lsa_SidType **ptypes)
{
	struct rpc_pipe_client *samr_pipe = NULL;
	struct dcerpc_binding_handle *h = NULL;
	struct policy_handle dom_pol = { .handle_type = 0, };
	enum lsa_SidType *types = NULL;
	char **names = NULL;
	const char *domain_name = NULL;
	TALLOC_CTX *tmp_ctx = talloc_stackframe();
	NTSTATUS status = NT_STATUS_NO_MEMORY;
	NTSTATUS result;
	bool retry = false;
	uint32_t i;

	DEBUG(3,("sam_rids_to_names for %s\n", domain->name));

	types = talloc_array(tmp_ctx, enum lsa_SidType, num_rids);
	if (types == NULL) {
		goto fail;
	}

	names = talloc_array(tmp_ctx, char *, num_rids);
	if (names == NULL) {
		goto fail;
	}

	if (sid_check_is_unix_users(domain_sid)) {
		domain_name = unix_users_domain_name();
		domain_sid = &global_sid_Unix_Users;
	}
	if (sid_check_is_unix_groups(domain_sid)) {
		domain_name = unix_groups_domain_name();
		domain_sid = &global_sid_Unix_Groups;
	}

	/* Here we're only interested in the domain name being set */
	sid_check_is_wellknown_domain(domain_sid, &domain_name);

	if (domain_name != NULL) {
		uint32_t num_mapped = 0;

		/*
		 * Do unix users/groups and wkn in a loop. There is no
		 * getpwuids() call & friends anyway
		 */

		for (i=0; i<num_rids; i++) {
			struct dom_sid sid;
			char *name = NULL;

			sid_compose(&sid, domain_sid, rids[i]);

			types[i] = SID_NAME_UNKNOWN;
			names[i] = NULL;

			status = sam_sid_to_name(
				domain,
				tmp_ctx,
				&sid,
				NULL,
				&name,
				&types[i]);
			if (NT_STATUS_IS_OK(status)) {
				names[i] = talloc_move(names, &name);
				num_mapped += 1;
			}
		}

		status = NT_STATUS_NONE_MAPPED;
		if (num_mapped > 0) {
			status = (num_mapped == num_rids) ?
				NT_STATUS_OK : STATUS_SOME_UNMAPPED;
		}
		goto done;
	}

	domain_name = domain->name;

again:
	status = open_cached_internal_pipe_conn(
		domain, &samr_pipe, &dom_pol, NULL, NULL);
	if (!NT_STATUS_IS_OK(status)) {
		goto done;
	}
	h = samr_pipe->binding_handle;

	/*
	 * Magic number 1000 comes from samr.idl
	 */

	for (i = 0; i < num_rids; i += 1000) {
		uint32_t num_lookup_rids = MIN(num_rids - i, 1000);
		struct lsa_Strings lsa_names = {
			.count = 0,
		};
		struct samr_Ids samr_types = {
			.count = 0,
		};
		uint32_t j;

		status = dcerpc_samr_LookupRids(h,
						tmp_ctx,
						&dom_pol,
						num_lookup_rids,
						&rids[i],
						&lsa_names,
						&samr_types,
						&result);

		if (!retry &&
		    reset_connection_on_error(domain, samr_pipe, status)) {
			retry = true;
			goto again;
		}

		if (!NT_STATUS_IS_OK(status)) {
			DBG_DEBUG("dcerpc_samr_LookupRids failed: %s\n",
				  nt_errstr(status));
			goto fail;
		}
		if (!NT_STATUS_IS_OK(result) &&
		    !NT_STATUS_EQUAL(result, STATUS_SOME_UNMAPPED)) {
			DBG_DEBUG("dcerpc_samr_LookupRids resulted in %s\n",
				  nt_errstr(result));
			status = result;
			goto fail;
		}

		for (j = 0; j < num_lookup_rids; j++) {
			uint32_t dst = i + j;

			types[dst] = samr_types.ids[j];
			names[dst] = talloc_move(
				names,
				discard_const_p(char *,
						&lsa_names.names[j].string));
			if (names[dst] != NULL) {
				char *normalized = NULL;
				NTSTATUS nstatus =
					normalize_name_map(names,
							   domain_name,
							   names[dst],
							   &normalized);
				if (NT_STATUS_IS_OK(nstatus) ||
				    NT_STATUS_EQUAL(nstatus,
						    NT_STATUS_FILE_RENAMED)) {
					names[dst] = normalized;
				}
			}
		}

		TALLOC_FREE(samr_types.ids);
		TALLOC_FREE(lsa_names.names);
	}

done:
	if (pdomain_name) {
		*pdomain_name = talloc_strdup(mem_ctx, domain_name);
		if (*pdomain_name == NULL) {
			status = NT_STATUS_NO_MEMORY;
			goto fail;
		}
	}

	if (ptypes) {
		*ptypes = talloc_move(mem_ctx, &types);
	}

	if (pnames) {
		*pnames = talloc_move(mem_ctx, &names);
	}

fail:
	TALLOC_FREE(tmp_ctx);
	return status;
}

static NTSTATUS sam_lockout_policy(struct winbindd_domain *domain,
				   TALLOC_CTX *mem_ctx,
				   struct samr_DomInfo12 *lockout_policy)
{
	struct rpc_pipe_client *samr_pipe;
	struct policy_handle dom_pol = { 0 };
	union samr_DomainInfo *info = NULL;
	TALLOC_CTX *tmp_ctx = talloc_stackframe();
	NTSTATUS status, result;
	struct dcerpc_binding_handle *b = NULL;
	bool retry = false;

	DEBUG(3,("sam_lockout_policy\n"));

again:
	status = open_cached_internal_pipe_conn(domain,
						&samr_pipe,
						&dom_pol,
						NULL,
						NULL);
	if (!NT_STATUS_IS_OK(status)) {
		goto error;
	}

	b = samr_pipe->binding_handle;

	status = dcerpc_samr_QueryDomainInfo(b,
					     mem_ctx,
					     &dom_pol,
					     DomainLockoutInformation,
					     &info,
					     &result);

	if (!retry && reset_connection_on_error(domain, samr_pipe, status)) {
		retry = true;
		goto again;
	}

	if (!NT_STATUS_IS_OK(status)) {
		goto error;
	}
	if (!NT_STATUS_IS_OK(result)) {
		status = result;
		goto error;
	}

	*lockout_policy = info->info12;

error:
	TALLOC_FREE(tmp_ctx);
	return status;
}

static NTSTATUS sam_password_policy(struct winbindd_domain *domain,
				    TALLOC_CTX *mem_ctx,
				    struct samr_DomInfo1 *passwd_policy)
{
	struct rpc_pipe_client *samr_pipe;
	struct policy_handle dom_pol = { 0 };
	union samr_DomainInfo *info = NULL;
	TALLOC_CTX *tmp_ctx = talloc_stackframe();
	NTSTATUS status, result;
	struct dcerpc_binding_handle *b = NULL;
	bool retry = false;

	DEBUG(3,("sam_password_policy\n"));

again:
	status = open_cached_internal_pipe_conn(domain,
						&samr_pipe,
						&dom_pol,
						NULL,
						NULL);
	if (!NT_STATUS_IS_OK(status)) {
		goto error;
	}

	b = samr_pipe->binding_handle;

	status = dcerpc_samr_QueryDomainInfo(b,
					     mem_ctx,
					     &dom_pol,
					     DomainPasswordInformation,
					     &info,
					     &result);

	if (!retry && reset_connection_on_error(domain, samr_pipe, status)) {
		retry = true;
		goto again;
	}

	if (!NT_STATUS_IS_OK(status)) {
		goto error;
	}
	if (!NT_STATUS_IS_OK(result)) {
		status = result;
		goto error;
	}

	*passwd_policy = info->info1;

error:
	TALLOC_FREE(tmp_ctx);
	return status;
}

/* Lookup groups a user is a member of. */
static NTSTATUS sam_lookup_usergroups(struct winbindd_domain *domain,
				      TALLOC_CTX *mem_ctx,
				      const struct dom_sid *user_sid,
				      uint32_t *pnum_groups,
				      struct dom_sid **puser_grpsids)
{
	struct rpc_pipe_client *samr_pipe;
	struct policy_handle dom_pol;
	struct dom_sid *user_grpsids = NULL;
	uint32_t num_groups = 0;
	TALLOC_CTX *tmp_ctx = talloc_stackframe();
	NTSTATUS status;
	bool retry = false;

	DEBUG(3,("sam_lookup_usergroups\n"));

	ZERO_STRUCT(dom_pol);

	if (pnum_groups) {
		*pnum_groups = 0;
	}

again:
	status = open_cached_internal_pipe_conn(domain,
						&samr_pipe,
						&dom_pol,
						NULL,
						NULL);
	if (!NT_STATUS_IS_OK(status)) {
		goto done;
	}

	status = rpc_lookup_usergroups(tmp_ctx,
				       samr_pipe,
				       &dom_pol,
				       &domain->sid,
				       user_sid,
				       &num_groups,
				       &user_grpsids);

	if (!retry && reset_connection_on_error(domain, samr_pipe, status)) {
		retry = true;
		goto again;
	}

	if (!NT_STATUS_IS_OK(status)) {
		goto done;
	}

	if (pnum_groups) {
		*pnum_groups = num_groups;
	}

	if (puser_grpsids) {
		*puser_grpsids = talloc_move(mem_ctx, &user_grpsids);
	}

done:

	TALLOC_FREE(tmp_ctx);
	return status;
}

static NTSTATUS sam_lookup_useraliases(struct winbindd_domain *domain,
				       TALLOC_CTX *mem_ctx,
				       uint32_t num_sids,
				       const struct dom_sid *sids,
				       uint32_t *pnum_aliases,
				       uint32_t **palias_rids)
{
	struct rpc_pipe_client *samr_pipe;
	struct policy_handle dom_pol = { 0 };
	uint32_t num_aliases = 0;
	uint32_t *alias_rids = NULL;
	TALLOC_CTX *tmp_ctx = talloc_stackframe();
	NTSTATUS status;
	bool retry = false;

	DEBUG(3,("sam_lookup_useraliases\n"));

	if (pnum_aliases) {
		*pnum_aliases = 0;
	}

again:
	status = open_cached_internal_pipe_conn(domain,
						&samr_pipe,
						&dom_pol,
						NULL,
						NULL);
	if (!NT_STATUS_IS_OK(status)) {
		goto done;
	}

	status = rpc_lookup_useraliases(tmp_ctx,
					samr_pipe,
					&dom_pol,
					num_sids,
					sids,
					&num_aliases,
					&alias_rids);

	if (!retry && reset_connection_on_error(domain, samr_pipe, status)) {
		retry = true;
		goto again;
	}

	if (!NT_STATUS_IS_OK(status)) {
		goto done;
	}

	if (pnum_aliases) {
		*pnum_aliases = num_aliases;
	}

	if (palias_rids) {
		*palias_rids = talloc_move(mem_ctx, &alias_rids);
	}

done:

	TALLOC_FREE(tmp_ctx);
	return status;
}

/* the rpc backend methods are exposed via this structure */
struct winbindd_methods builtin_passdb_methods = {
	.consistent            = false,

	.query_user_list       = builtin_query_user_list,
	.enum_dom_groups       = builtin_enum_dom_groups,
	.enum_local_groups     = sam_enum_local_groups,
	.name_to_sid           = sam_name_to_sid,
	.sid_to_name           = sam_sid_to_name,
	.rids_to_names         = sam_rids_to_names,
	.lookup_usergroups     = sam_lookup_usergroups,
	.lookup_useraliases    = sam_lookup_useraliases,
	.lookup_groupmem       = sam_lookup_groupmem,
	.lookup_aliasmem       = sam_lookup_aliasmem,
	.lockout_policy        = sam_lockout_policy,
	.password_policy       = sam_password_policy,
	.trusted_domains       = builtin_trusted_domains
};

/* the rpc backend methods are exposed via this structure */
struct winbindd_methods sam_passdb_methods = {
	.consistent            = false,

	.query_user_list       = sam_query_user_list,
	.enum_dom_groups       = sam_enum_dom_groups,
	.enum_local_groups     = sam_enum_local_groups,
	.name_to_sid           = sam_name_to_sid,
	.sid_to_name           = sam_sid_to_name,
	.rids_to_names         = sam_rids_to_names,
	.lookup_usergroups     = sam_lookup_usergroups,
	.lookup_useraliases    = sam_lookup_useraliases,
	.lookup_groupmem       = sam_lookup_groupmem,
	.lookup_aliasmem       = sam_lookup_aliasmem,
	.lockout_policy        = sam_lockout_policy,
	.password_policy       = sam_password_policy,
	.trusted_domains       = sam_trusted_domains
};