mirror of
https://github.com/samba-team/samba.git
synced 2025-01-22 22:04:08 +03:00
91395e660a
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15046 Signed-off-by: Samuel Cabrero <scabrero@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
1334 lines
29 KiB
C
1334 lines
29 KiB
C
/*
|
|
* Unix SMB/CIFS implementation.
|
|
*
|
|
* Winbind rpc backend functions
|
|
*
|
|
* Copyright (c) 2000-2003 Tim Potter
|
|
* Copyright (c) 2001 Andrew Tridgell
|
|
* Copyright (c) 2005 Volker Lendecke
|
|
* Copyright (c) 2008 Guenther Deschner (pidl conversion)
|
|
* Copyright (c) 2010 Andreas Schneider <asn@samba.org>
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License as published by
|
|
* the Free Software Foundation; either version 3 of the License, or
|
|
* (at your option) any later version.
|
|
*
|
|
* This program is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
*/
|
|
|
|
#include "includes.h"
|
|
#include "winbindd.h"
|
|
#include "winbindd_rpc.h"
|
|
#include "lib/util_unixsids.h"
|
|
#include "rpc_client/rpc_client.h"
|
|
#include "rpc_client/cli_pipe.h"
|
|
#include "../librpc/gen_ndr/ndr_samr_c.h"
|
|
#include "rpc_client/cli_samr.h"
|
|
#include "../librpc/gen_ndr/ndr_lsa_c.h"
|
|
#include "rpc_client/cli_lsarpc.h"
|
|
#include "rpc_server/rpc_ncacn_np.h"
|
|
#include "../libcli/security/security.h"
|
|
#include "passdb/machine_sid.h"
|
|
#include "auth.h"
|
|
#include "source3/lib/global_contexts.h"
|
|
|
|
#undef DBGC_CLASS
|
|
#define DBGC_CLASS DBGC_WINBIND
|
|
|
|
/*
|
|
* The other end of this won't go away easily, so we can trust it
|
|
*
|
|
* It is either a long-lived process with the same lifetime as
|
|
* winbindd or a part of this process
|
|
*/
|
|
struct winbind_internal_pipes {
|
|
struct tevent_timer *shutdown_timer;
|
|
struct rpc_pipe_client *samr_pipe;
|
|
struct policy_handle samr_domain_hnd;
|
|
struct rpc_pipe_client *lsa_pipe;
|
|
struct policy_handle lsa_hnd;
|
|
};
|
|
|
|
|
|
NTSTATUS open_internal_samr_conn(TALLOC_CTX *mem_ctx,
|
|
struct winbindd_domain *domain,
|
|
struct rpc_pipe_client **samr_pipe,
|
|
struct policy_handle *samr_domain_hnd)
|
|
{
|
|
NTSTATUS status, result;
|
|
struct policy_handle samr_connect_hnd;
|
|
struct dcerpc_binding_handle *b;
|
|
|
|
status = wb_open_internal_pipe(mem_ctx, &ndr_table_samr, samr_pipe);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
DBG_ERR("Could not connect to %s pipe: %s\n",
|
|
ndr_table_samr.name, nt_errstr(status));
|
|
return status;
|
|
}
|
|
|
|
b = (*samr_pipe)->binding_handle;
|
|
|
|
status = dcerpc_samr_Connect2(b, mem_ctx,
|
|
(*samr_pipe)->desthost,
|
|
SEC_FLAG_MAXIMUM_ALLOWED,
|
|
&samr_connect_hnd,
|
|
&result);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
return status;
|
|
}
|
|
if (!NT_STATUS_IS_OK(result)) {
|
|
return result;
|
|
}
|
|
|
|
status = dcerpc_samr_OpenDomain(b, mem_ctx,
|
|
&samr_connect_hnd,
|
|
SEC_FLAG_MAXIMUM_ALLOWED,
|
|
&domain->sid,
|
|
samr_domain_hnd,
|
|
&result);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
return status;
|
|
}
|
|
|
|
return result;
|
|
}
|
|
|
|
NTSTATUS open_internal_lsa_conn(TALLOC_CTX *mem_ctx,
|
|
struct rpc_pipe_client **lsa_pipe,
|
|
struct policy_handle *lsa_hnd)
|
|
{
|
|
NTSTATUS status;
|
|
|
|
status = wb_open_internal_pipe(mem_ctx, &ndr_table_lsarpc, lsa_pipe);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
DBG_ERR("Could not connect to %s pipe: %s\n",
|
|
ndr_table_lsarpc.name, nt_errstr(status));
|
|
return status;
|
|
}
|
|
|
|
status = rpccli_lsa_open_policy((*lsa_pipe),
|
|
mem_ctx,
|
|
true,
|
|
SEC_FLAG_MAXIMUM_ALLOWED,
|
|
lsa_hnd);
|
|
|
|
return status;
|
|
}
|
|
|
|
static void cached_internal_pipe_close(
|
|
struct tevent_context *ev,
|
|
struct tevent_timer *te,
|
|
struct timeval current_time,
|
|
void *private_data)
|
|
{
|
|
struct winbindd_domain *domain = talloc_get_type_abort(
|
|
private_data, struct winbindd_domain);
|
|
/*
|
|
* Freeing samr_pipes closes the cached pipes.
|
|
*
|
|
* We can do a hard close because at the time of this commit
|
|
* we only use sychronous calls to external pipes. So we can't
|
|
* have any outstanding requests. Also, we don't set
|
|
* dcerpc_binding_handle_set_sync_ev in winbind, so we don't
|
|
* get nested event loops. Once we start to get async in
|
|
* winbind children, we need to check for outstanding calls
|
|
*/
|
|
TALLOC_FREE(domain->backend_data.samr_pipes);
|
|
}
|
|
|
|
static NTSTATUS open_cached_internal_pipe_conn(
|
|
struct winbindd_domain *domain,
|
|
struct rpc_pipe_client **samr_pipe,
|
|
struct policy_handle *samr_domain_hnd,
|
|
struct rpc_pipe_client **lsa_pipe,
|
|
struct policy_handle *lsa_hnd)
|
|
{
|
|
struct winbind_internal_pipes *internal_pipes =
|
|
domain->backend_data.samr_pipes;
|
|
|
|
if (internal_pipes == NULL) {
|
|
TALLOC_CTX *frame = talloc_stackframe();
|
|
NTSTATUS status;
|
|
|
|
internal_pipes = talloc_zero(frame,
|
|
struct winbind_internal_pipes);
|
|
|
|
status = open_internal_samr_conn(
|
|
internal_pipes,
|
|
domain,
|
|
&internal_pipes->samr_pipe,
|
|
&internal_pipes->samr_domain_hnd);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
TALLOC_FREE(frame);
|
|
return status;
|
|
}
|
|
|
|
status = open_internal_lsa_conn(internal_pipes,
|
|
&internal_pipes->lsa_pipe,
|
|
&internal_pipes->lsa_hnd);
|
|
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
TALLOC_FREE(frame);
|
|
return status;
|
|
}
|
|
|
|
internal_pipes->shutdown_timer = tevent_add_timer(
|
|
global_event_context(),
|
|
internal_pipes,
|
|
timeval_current_ofs(5, 0),
|
|
cached_internal_pipe_close,
|
|
domain);
|
|
if (internal_pipes->shutdown_timer == NULL) {
|
|
TALLOC_FREE(frame);
|
|
return NT_STATUS_NO_MEMORY;
|
|
}
|
|
|
|
domain->backend_data.samr_pipes =
|
|
talloc_steal(domain, internal_pipes);
|
|
|
|
TALLOC_FREE(frame);
|
|
}
|
|
|
|
if (samr_domain_hnd) {
|
|
*samr_domain_hnd = internal_pipes->samr_domain_hnd;
|
|
}
|
|
|
|
if (samr_pipe) {
|
|
*samr_pipe = internal_pipes->samr_pipe;
|
|
}
|
|
|
|
if (lsa_hnd) {
|
|
*lsa_hnd = internal_pipes->lsa_hnd;
|
|
}
|
|
|
|
if (lsa_pipe) {
|
|
*lsa_pipe = internal_pipes->lsa_pipe;
|
|
}
|
|
|
|
tevent_update_timer(
|
|
internal_pipes->shutdown_timer,
|
|
timeval_current_ofs(5, 0));
|
|
|
|
return NT_STATUS_OK;
|
|
}
|
|
|
|
static bool reset_connection_on_error(struct winbindd_domain *domain,
|
|
struct rpc_pipe_client *p,
|
|
NTSTATUS status)
|
|
{
|
|
struct dcerpc_binding_handle *b = p->binding_handle;
|
|
|
|
if (NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) ||
|
|
NT_STATUS_EQUAL(status, NT_STATUS_IO_DEVICE_ERROR))
|
|
{
|
|
TALLOC_FREE(domain->backend_data.samr_pipes);
|
|
return true;
|
|
}
|
|
|
|
if (!dcerpc_binding_handle_is_connected(b)) {
|
|
TALLOC_FREE(domain->backend_data.samr_pipes);
|
|
return true;
|
|
}
|
|
|
|
return false;
|
|
}
|
|
|
|
/*********************************************************************
|
|
SAM specific functions.
|
|
*********************************************************************/
|
|
|
|
/* List all domain groups */
|
|
static NTSTATUS sam_enum_dom_groups(struct winbindd_domain *domain,
|
|
TALLOC_CTX *mem_ctx,
|
|
uint32_t *pnum_info,
|
|
struct wb_acct_info **pinfo)
|
|
{
|
|
struct rpc_pipe_client *samr_pipe;
|
|
struct policy_handle dom_pol = { 0 };
|
|
struct wb_acct_info *info = NULL;
|
|
uint32_t num_info = 0;
|
|
TALLOC_CTX *tmp_ctx = talloc_stackframe();
|
|
NTSTATUS status;
|
|
bool retry = false;
|
|
|
|
DEBUG(3,("sam_enum_dom_groups\n"));
|
|
|
|
if (pnum_info) {
|
|
*pnum_info = 0;
|
|
}
|
|
|
|
again:
|
|
status = open_cached_internal_pipe_conn(domain,
|
|
&samr_pipe,
|
|
&dom_pol,
|
|
NULL,
|
|
NULL);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
TALLOC_FREE(tmp_ctx);
|
|
return status;
|
|
}
|
|
|
|
status = rpc_enum_dom_groups(tmp_ctx,
|
|
samr_pipe,
|
|
&dom_pol,
|
|
&num_info,
|
|
&info);
|
|
|
|
if (!retry && reset_connection_on_error(domain, samr_pipe, status)) {
|
|
retry = true;
|
|
goto again;
|
|
}
|
|
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
TALLOC_FREE(tmp_ctx);
|
|
return status;
|
|
}
|
|
|
|
if (pnum_info) {
|
|
*pnum_info = num_info;
|
|
}
|
|
|
|
if (pinfo) {
|
|
*pinfo = talloc_move(mem_ctx, &info);
|
|
}
|
|
|
|
TALLOC_FREE(tmp_ctx);
|
|
return status;
|
|
}
|
|
|
|
/* Query display info for a domain */
|
|
static NTSTATUS sam_query_user_list(struct winbindd_domain *domain,
|
|
TALLOC_CTX *mem_ctx,
|
|
uint32_t **prids)
|
|
{
|
|
struct rpc_pipe_client *samr_pipe = NULL;
|
|
struct policy_handle dom_pol = { 0 };
|
|
uint32_t *rids = NULL;
|
|
TALLOC_CTX *tmp_ctx = talloc_stackframe();
|
|
NTSTATUS status;
|
|
bool retry = false;
|
|
|
|
DEBUG(3,("samr_query_user_list\n"));
|
|
|
|
again:
|
|
status = open_cached_internal_pipe_conn(domain,
|
|
&samr_pipe,
|
|
&dom_pol,
|
|
NULL,
|
|
NULL);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
goto done;
|
|
}
|
|
|
|
status = rpc_query_user_list(tmp_ctx,
|
|
samr_pipe,
|
|
&dom_pol,
|
|
&domain->sid,
|
|
&rids);
|
|
if (!retry && reset_connection_on_error(domain, samr_pipe, status)) {
|
|
retry = true;
|
|
goto again;
|
|
}
|
|
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
goto done;
|
|
}
|
|
|
|
if (prids != NULL) {
|
|
*prids = talloc_move(mem_ctx, &rids);
|
|
}
|
|
|
|
done:
|
|
TALLOC_FREE(rids);
|
|
TALLOC_FREE(tmp_ctx);
|
|
return status;
|
|
}
|
|
|
|
/* get a list of trusted domains - builtin domain */
|
|
static NTSTATUS sam_trusted_domains(struct winbindd_domain *domain,
|
|
TALLOC_CTX *mem_ctx,
|
|
struct netr_DomainTrustList *ptrust_list)
|
|
{
|
|
struct rpc_pipe_client *lsa_pipe;
|
|
struct policy_handle lsa_policy = { 0 };
|
|
struct netr_DomainTrust *trusts = NULL;
|
|
uint32_t num_trusts = 0;
|
|
TALLOC_CTX *tmp_ctx = talloc_stackframe();
|
|
NTSTATUS status;
|
|
bool retry = false;
|
|
|
|
DEBUG(3,("samr: trusted domains\n"));
|
|
|
|
if (ptrust_list) {
|
|
ZERO_STRUCTP(ptrust_list);
|
|
}
|
|
|
|
again:
|
|
status = open_cached_internal_pipe_conn(domain,
|
|
NULL,
|
|
NULL,
|
|
&lsa_pipe,
|
|
&lsa_policy);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
goto done;
|
|
}
|
|
|
|
status = rpc_trusted_domains(tmp_ctx,
|
|
lsa_pipe,
|
|
&lsa_policy,
|
|
&num_trusts,
|
|
&trusts);
|
|
|
|
if (!retry && reset_connection_on_error(domain, lsa_pipe, status)) {
|
|
retry = true;
|
|
goto again;
|
|
}
|
|
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
goto done;
|
|
}
|
|
|
|
if (ptrust_list) {
|
|
ptrust_list->count = num_trusts;
|
|
ptrust_list->array = talloc_move(mem_ctx, &trusts);
|
|
}
|
|
|
|
done:
|
|
TALLOC_FREE(tmp_ctx);
|
|
return status;
|
|
}
|
|
|
|
/* Lookup group membership given a rid. */
|
|
static NTSTATUS sam_lookup_groupmem(struct winbindd_domain *domain,
|
|
TALLOC_CTX *mem_ctx,
|
|
const struct dom_sid *group_sid,
|
|
enum lsa_SidType type,
|
|
uint32_t *pnum_names,
|
|
struct dom_sid **psid_mem,
|
|
char ***pnames,
|
|
uint32_t **pname_types)
|
|
{
|
|
struct rpc_pipe_client *samr_pipe;
|
|
struct policy_handle dom_pol = { 0 };
|
|
|
|
uint32_t num_names = 0;
|
|
struct dom_sid *sid_mem = NULL;
|
|
char **names = NULL;
|
|
uint32_t *name_types = NULL;
|
|
|
|
TALLOC_CTX *tmp_ctx = talloc_stackframe();
|
|
NTSTATUS status;
|
|
bool retry = false;
|
|
|
|
DEBUG(3,("sam_lookup_groupmem\n"));
|
|
|
|
/* Paranoia check */
|
|
if (sid_check_is_in_builtin(group_sid) && (type != SID_NAME_ALIAS)) {
|
|
/* There's no groups, only aliases in BUILTIN */
|
|
status = NT_STATUS_NO_SUCH_GROUP;
|
|
goto done;
|
|
}
|
|
|
|
if (pnum_names) {
|
|
*pnum_names = 0;
|
|
}
|
|
|
|
again:
|
|
status = open_cached_internal_pipe_conn(domain,
|
|
&samr_pipe,
|
|
&dom_pol,
|
|
NULL,
|
|
NULL);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
goto done;
|
|
}
|
|
|
|
status = rpc_lookup_groupmem(tmp_ctx,
|
|
samr_pipe,
|
|
&dom_pol,
|
|
domain->name,
|
|
&domain->sid,
|
|
group_sid,
|
|
type,
|
|
&num_names,
|
|
&sid_mem,
|
|
&names,
|
|
&name_types);
|
|
|
|
if (!retry && reset_connection_on_error(domain, samr_pipe, status)) {
|
|
retry = true;
|
|
goto again;
|
|
}
|
|
|
|
if (pnum_names) {
|
|
*pnum_names = num_names;
|
|
}
|
|
|
|
if (pnames) {
|
|
*pnames = talloc_move(mem_ctx, &names);
|
|
}
|
|
|
|
if (pname_types) {
|
|
*pname_types = talloc_move(mem_ctx, &name_types);
|
|
}
|
|
|
|
if (psid_mem) {
|
|
*psid_mem = talloc_move(mem_ctx, &sid_mem);
|
|
}
|
|
|
|
done:
|
|
TALLOC_FREE(tmp_ctx);
|
|
return status;
|
|
}
|
|
|
|
/*********************************************************************
|
|
BUILTIN specific functions.
|
|
*********************************************************************/
|
|
|
|
/* List all domain groups */
|
|
static NTSTATUS builtin_enum_dom_groups(struct winbindd_domain *domain,
|
|
TALLOC_CTX *mem_ctx,
|
|
uint32_t *num_entries,
|
|
struct wb_acct_info **info)
|
|
{
|
|
/* BUILTIN doesn't have domain groups */
|
|
*num_entries = 0;
|
|
*info = NULL;
|
|
return NT_STATUS_OK;
|
|
}
|
|
|
|
/* Query display info for a domain */
|
|
static NTSTATUS builtin_query_user_list(struct winbindd_domain *domain,
|
|
TALLOC_CTX *mem_ctx,
|
|
uint32_t **rids)
|
|
{
|
|
/* We don't have users */
|
|
*rids = NULL;
|
|
return NT_STATUS_OK;
|
|
}
|
|
|
|
/* get a list of trusted domains - builtin domain */
|
|
static NTSTATUS builtin_trusted_domains(struct winbindd_domain *domain,
|
|
TALLOC_CTX *mem_ctx,
|
|
struct netr_DomainTrustList *trusts)
|
|
{
|
|
ZERO_STRUCTP(trusts);
|
|
return NT_STATUS_OK;
|
|
}
|
|
|
|
/*********************************************************************
|
|
COMMON functions.
|
|
*********************************************************************/
|
|
|
|
/* List all local groups (aliases) */
|
|
static NTSTATUS sam_enum_local_groups(struct winbindd_domain *domain,
|
|
TALLOC_CTX *mem_ctx,
|
|
uint32_t *pnum_info,
|
|
struct wb_acct_info **pinfo)
|
|
{
|
|
struct rpc_pipe_client *samr_pipe;
|
|
struct policy_handle dom_pol = { 0 };
|
|
struct wb_acct_info *info = NULL;
|
|
uint32_t num_info = 0;
|
|
TALLOC_CTX *tmp_ctx = talloc_stackframe();
|
|
NTSTATUS status;
|
|
bool retry = false;
|
|
|
|
DEBUG(3,("samr: enum local groups\n"));
|
|
|
|
if (pnum_info) {
|
|
*pnum_info = 0;
|
|
}
|
|
|
|
again:
|
|
status = open_cached_internal_pipe_conn(domain,
|
|
&samr_pipe,
|
|
&dom_pol,
|
|
NULL,
|
|
NULL);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
goto done;
|
|
}
|
|
|
|
status = rpc_enum_local_groups(mem_ctx,
|
|
samr_pipe,
|
|
&dom_pol,
|
|
&num_info,
|
|
|
|
&info);
|
|
if (!retry && reset_connection_on_error(domain, samr_pipe, status)) {
|
|
retry = true;
|
|
goto again;
|
|
}
|
|
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
goto done;
|
|
}
|
|
|
|
if (pnum_info) {
|
|
*pnum_info = num_info;
|
|
}
|
|
|
|
if (pinfo) {
|
|
*pinfo = talloc_move(mem_ctx, &info);
|
|
}
|
|
|
|
done:
|
|
TALLOC_FREE(tmp_ctx);
|
|
return status;
|
|
}
|
|
|
|
/* convert a single name to a sid in a domain */
|
|
static NTSTATUS sam_name_to_sid(struct winbindd_domain *domain,
|
|
TALLOC_CTX *mem_ctx,
|
|
const char *domain_name,
|
|
const char *name,
|
|
uint32_t flags,
|
|
const char **pdom_name,
|
|
struct dom_sid *psid,
|
|
enum lsa_SidType *ptype)
|
|
{
|
|
struct rpc_pipe_client *samr_pipe = NULL;
|
|
struct dcerpc_binding_handle *h = NULL;
|
|
struct policy_handle dom_pol = { .handle_type = 0, };
|
|
struct dom_sid sid;
|
|
const char *dom_name = domain_name;
|
|
struct lsa_String lsa_name = { .string = name };
|
|
struct samr_Ids rids = { .count = 0 };
|
|
struct samr_Ids types = { .count = 0 };
|
|
enum lsa_SidType type;
|
|
TALLOC_CTX *tmp_ctx = talloc_stackframe();
|
|
NTSTATUS status = NT_STATUS_NONE_MAPPED;
|
|
NTSTATUS result;
|
|
bool retry = false;
|
|
bool ok;
|
|
|
|
DBG_NOTICE("%s\\%s\n", domain_name, name);
|
|
|
|
if (strequal(domain_name, unix_users_domain_name())) {
|
|
struct passwd *pwd = NULL;
|
|
|
|
if (name[0] == '\0') {
|
|
sid_copy(&sid, &global_sid_Unix_Users);
|
|
type = SID_NAME_DOMAIN;
|
|
goto done;
|
|
}
|
|
|
|
pwd = Get_Pwnam_alloc(tmp_ctx, name);
|
|
if (pwd == NULL) {
|
|
goto fail;
|
|
}
|
|
ok = sid_compose(&sid, &global_sid_Unix_Users, pwd->pw_uid);
|
|
if (!ok) {
|
|
status = NT_STATUS_INTERNAL_ERROR;
|
|
goto fail;
|
|
}
|
|
type = SID_NAME_USER;
|
|
goto done;
|
|
}
|
|
|
|
if (strequal(domain_name, unix_groups_domain_name())) {
|
|
struct group *grp = NULL;
|
|
|
|
if (name[0] == '\0') {
|
|
sid_copy(&sid, &global_sid_Unix_Groups);
|
|
type = SID_NAME_DOMAIN;
|
|
goto done;
|
|
}
|
|
|
|
grp = getgrnam(name);
|
|
if (grp == NULL) {
|
|
goto fail;
|
|
}
|
|
ok = sid_compose(&sid, &global_sid_Unix_Groups, grp->gr_gid);
|
|
if (!ok) {
|
|
status = NT_STATUS_INTERNAL_ERROR;
|
|
goto fail;
|
|
}
|
|
type = SID_NAME_DOM_GRP;
|
|
goto done;
|
|
}
|
|
|
|
if (name[0] == '\0') {
|
|
sid_copy(&sid, &domain->sid);
|
|
type = SID_NAME_DOMAIN;
|
|
goto done;
|
|
}
|
|
|
|
ok = lookup_wellknown_name(tmp_ctx, name, &sid, &dom_name);
|
|
if (ok) {
|
|
type = SID_NAME_WKN_GRP;
|
|
goto done;
|
|
}
|
|
|
|
{
|
|
char *normalized = NULL;
|
|
NTSTATUS nstatus = normalize_name_unmap(
|
|
tmp_ctx, name, &normalized);
|
|
if (NT_STATUS_IS_OK(nstatus) ||
|
|
NT_STATUS_EQUAL(nstatus, NT_STATUS_FILE_RENAMED)) {
|
|
lsa_name.string = normalized;
|
|
}
|
|
}
|
|
|
|
again:
|
|
status = open_cached_internal_pipe_conn(
|
|
domain, &samr_pipe, &dom_pol, NULL, NULL);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
goto fail;
|
|
}
|
|
h = samr_pipe->binding_handle;
|
|
|
|
status = dcerpc_samr_LookupNames(
|
|
h, tmp_ctx, &dom_pol, 1, &lsa_name, &rids, &types, &result);
|
|
|
|
if (!retry && reset_connection_on_error(domain, samr_pipe, status)) {
|
|
retry = true;
|
|
goto again;
|
|
}
|
|
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
DBG_DEBUG("dcerpc_samr_LookupNames returned %s\n",
|
|
nt_errstr(status));
|
|
goto fail;
|
|
}
|
|
if (!NT_STATUS_IS_OK(result)) {
|
|
DBG_DEBUG("dcerpc_samr_LookupNames resulted in %s\n",
|
|
nt_errstr(status));
|
|
status = result;
|
|
goto fail;
|
|
}
|
|
|
|
sid_compose(&sid, &domain->sid, rids.ids[0]);
|
|
type = types.ids[0];
|
|
|
|
done:
|
|
if (pdom_name != NULL) {
|
|
*pdom_name = talloc_strdup(mem_ctx, dom_name);
|
|
if (*pdom_name == NULL) {
|
|
status = NT_STATUS_NO_MEMORY;
|
|
goto fail;
|
|
}
|
|
}
|
|
|
|
if (psid) {
|
|
sid_copy(psid, &sid);
|
|
}
|
|
if (ptype) {
|
|
*ptype = type;
|
|
}
|
|
|
|
status = NT_STATUS_OK;
|
|
fail:
|
|
TALLOC_FREE(tmp_ctx);
|
|
return status;
|
|
}
|
|
|
|
/* convert a domain SID to a user or group name */
|
|
static NTSTATUS sam_sid_to_name(struct winbindd_domain *domain,
|
|
TALLOC_CTX *mem_ctx,
|
|
const struct dom_sid *sid,
|
|
char **pdomain_name,
|
|
char **pname,
|
|
enum lsa_SidType *ptype)
|
|
{
|
|
struct rpc_pipe_client *samr_pipe = NULL;
|
|
struct dcerpc_binding_handle *h = NULL;
|
|
struct policy_handle dom_pol = { .handle_type = 0, };
|
|
const char *domain_name = "";
|
|
const char *name = "";
|
|
enum lsa_SidType type = SID_NAME_USE_NONE;
|
|
struct lsa_Strings names = { .count = 0, };
|
|
struct samr_Ids types = { .count = 0 };
|
|
struct dom_sid domain_sid;
|
|
uint32_t rid;
|
|
TALLOC_CTX *tmp_ctx = talloc_stackframe();
|
|
NTSTATUS status = NT_STATUS_NONE_MAPPED;
|
|
NTSTATUS result;
|
|
bool retry = false;
|
|
bool ok;
|
|
|
|
DEBUG(3,("sam_sid_to_name\n"));
|
|
|
|
if (sid_check_is_unix_users(sid)) {
|
|
domain_name = unix_users_domain_name();
|
|
type = SID_NAME_DOMAIN;
|
|
goto done;
|
|
}
|
|
if (sid_check_is_in_unix_users(sid)) {
|
|
struct passwd *pwd = NULL;
|
|
|
|
ok = sid_peek_rid(sid, &rid);
|
|
if (!ok) {
|
|
goto fail;
|
|
}
|
|
pwd = getpwuid(rid);
|
|
if (pwd == NULL) {
|
|
goto fail;
|
|
}
|
|
|
|
domain_name = unix_users_domain_name();
|
|
name = talloc_strdup(tmp_ctx, pwd->pw_name);
|
|
if (name == NULL) {
|
|
status = NT_STATUS_NO_MEMORY;
|
|
goto fail;
|
|
}
|
|
type = SID_NAME_USER;
|
|
goto done;
|
|
}
|
|
|
|
if (sid_check_is_unix_groups(sid)) {
|
|
domain_name = unix_groups_domain_name();
|
|
type = SID_NAME_DOMAIN;
|
|
goto done;
|
|
}
|
|
if (sid_check_is_in_unix_groups(sid)) {
|
|
struct group *grp = NULL;
|
|
|
|
ok = sid_peek_rid(sid, &rid);
|
|
if (!ok) {
|
|
goto fail;
|
|
}
|
|
grp = getgrgid(rid);
|
|
if (grp == NULL) {
|
|
goto fail;
|
|
}
|
|
|
|
domain_name = unix_groups_domain_name();
|
|
name = talloc_strdup(tmp_ctx, grp->gr_name);
|
|
if (name == NULL) {
|
|
status = NT_STATUS_NO_MEMORY;
|
|
goto fail;
|
|
}
|
|
type = SID_NAME_DOM_GRP;
|
|
goto done;
|
|
}
|
|
|
|
ok = lookup_wellknown_sid(tmp_ctx, sid, &domain_name, &name);
|
|
if (ok) {
|
|
type = SID_NAME_WKN_GRP;
|
|
goto done;
|
|
}
|
|
|
|
if (dom_sid_equal(sid, &domain->sid)) {
|
|
domain_name = domain->name;
|
|
type = SID_NAME_DOMAIN;
|
|
goto done;
|
|
}
|
|
|
|
sid_copy(&domain_sid, sid);
|
|
ok = sid_split_rid(&domain_sid, &rid);
|
|
if (!ok) {
|
|
goto fail;
|
|
}
|
|
|
|
if (!dom_sid_equal(&domain_sid, &domain->sid)) {
|
|
goto fail;
|
|
}
|
|
|
|
again:
|
|
status = open_cached_internal_pipe_conn(
|
|
domain, &samr_pipe, &dom_pol, NULL, NULL);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
goto fail;
|
|
}
|
|
h = samr_pipe->binding_handle;
|
|
|
|
status = dcerpc_samr_LookupRids(
|
|
h, tmp_ctx, &dom_pol, 1, &rid, &names, &types, &result);
|
|
|
|
if (!retry && reset_connection_on_error(domain, samr_pipe, status)) {
|
|
retry = true;
|
|
goto again;
|
|
}
|
|
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
DBG_DEBUG("dcerpc_samr_LookupRids failed: %s\n",
|
|
nt_errstr(status));
|
|
goto fail;
|
|
}
|
|
if (!NT_STATUS_IS_OK(result)) {
|
|
DBG_DEBUG("dcerpc_samr_LookupRids resulted in %s\n",
|
|
nt_errstr(result));
|
|
status = result;
|
|
goto fail;
|
|
}
|
|
|
|
domain_name = domain->name;
|
|
name = names.names[0].string;
|
|
type = types.ids[0];
|
|
|
|
if (name != NULL) {
|
|
char *normalized = NULL;
|
|
NTSTATUS nstatus = normalize_name_map(
|
|
tmp_ctx, domain_name, name, &normalized);
|
|
if (NT_STATUS_IS_OK(nstatus) ||
|
|
NT_STATUS_EQUAL(nstatus, NT_STATUS_FILE_RENAMED)) {
|
|
name = normalized;
|
|
}
|
|
}
|
|
|
|
done:
|
|
if (ptype) {
|
|
*ptype = type;
|
|
}
|
|
|
|
if (pname) {
|
|
*pname = talloc_strdup(mem_ctx, name);
|
|
if (*pname == NULL) {
|
|
status = NT_STATUS_NO_MEMORY;
|
|
goto fail;
|
|
}
|
|
}
|
|
|
|
if (pdomain_name) {
|
|
*pdomain_name = talloc_strdup(mem_ctx, domain_name);
|
|
if (*pdomain_name == NULL) {
|
|
status = NT_STATUS_NO_MEMORY;
|
|
goto fail;
|
|
}
|
|
}
|
|
|
|
status = NT_STATUS_OK;
|
|
fail:
|
|
TALLOC_FREE(tmp_ctx);
|
|
return status;
|
|
}
|
|
|
|
static NTSTATUS sam_rids_to_names(struct winbindd_domain *domain,
|
|
TALLOC_CTX *mem_ctx,
|
|
const struct dom_sid *domain_sid,
|
|
uint32_t *rids,
|
|
size_t num_rids,
|
|
char **pdomain_name,
|
|
char ***pnames,
|
|
enum lsa_SidType **ptypes)
|
|
{
|
|
struct rpc_pipe_client *samr_pipe = NULL;
|
|
struct dcerpc_binding_handle *h = NULL;
|
|
struct policy_handle dom_pol = { .handle_type = 0, };
|
|
struct lsa_Strings lsa_names = { .count = 0, };
|
|
struct samr_Ids samr_types = { .count = 0, };
|
|
enum lsa_SidType *types = NULL;
|
|
char **names = NULL;
|
|
const char *domain_name = NULL;
|
|
TALLOC_CTX *tmp_ctx = talloc_stackframe();
|
|
NTSTATUS status = NT_STATUS_NO_MEMORY;
|
|
NTSTATUS result;
|
|
bool retry = false;
|
|
uint32_t i;
|
|
|
|
DEBUG(3,("sam_rids_to_names for %s\n", domain->name));
|
|
|
|
types = talloc_array(tmp_ctx, enum lsa_SidType, num_rids);
|
|
if (types == NULL) {
|
|
goto fail;
|
|
}
|
|
|
|
names = talloc_array(tmp_ctx, char *, num_rids);
|
|
if (names == NULL) {
|
|
goto fail;
|
|
}
|
|
|
|
if (sid_check_is_unix_users(domain_sid)) {
|
|
domain_name = unix_users_domain_name();
|
|
domain_sid = &global_sid_Unix_Users;
|
|
}
|
|
if (sid_check_is_unix_groups(domain_sid)) {
|
|
domain_name = unix_groups_domain_name();
|
|
domain_sid = &global_sid_Unix_Groups;
|
|
}
|
|
|
|
/* Here we're only interested in the domain name being set */
|
|
sid_check_is_wellknown_domain(domain_sid, &domain_name);
|
|
|
|
if (domain_name != NULL) {
|
|
uint32_t num_mapped = 0;
|
|
|
|
/*
|
|
* Do unix users/groups and wkn in a loop. There is no
|
|
* getpwuids() call & friends anyway
|
|
*/
|
|
|
|
for (i=0; i<num_rids; i++) {
|
|
struct dom_sid sid;
|
|
char *name = NULL;
|
|
|
|
sid_compose(&sid, domain_sid, rids[i]);
|
|
|
|
types[i] = SID_NAME_UNKNOWN;
|
|
names[i] = NULL;
|
|
|
|
status = sam_sid_to_name(
|
|
domain,
|
|
tmp_ctx,
|
|
&sid,
|
|
NULL,
|
|
&name,
|
|
&types[i]);
|
|
if (NT_STATUS_IS_OK(status)) {
|
|
names[i] = talloc_move(names, &name);
|
|
num_mapped += 1;
|
|
}
|
|
}
|
|
|
|
status = NT_STATUS_NONE_MAPPED;
|
|
if (num_mapped > 0) {
|
|
status = (num_mapped == num_rids) ?
|
|
NT_STATUS_OK : STATUS_SOME_UNMAPPED;
|
|
}
|
|
goto done;
|
|
}
|
|
|
|
domain_name = domain->name;
|
|
|
|
again:
|
|
status = open_cached_internal_pipe_conn(
|
|
domain, &samr_pipe, &dom_pol, NULL, NULL);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
goto done;
|
|
}
|
|
h = samr_pipe->binding_handle;
|
|
|
|
status = dcerpc_samr_LookupRids(
|
|
h,
|
|
tmp_ctx,
|
|
&dom_pol,
|
|
num_rids,
|
|
rids,
|
|
&lsa_names,
|
|
&samr_types,
|
|
&result);
|
|
|
|
if (!retry && reset_connection_on_error(domain, samr_pipe, status)) {
|
|
retry = true;
|
|
goto again;
|
|
}
|
|
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
DBG_DEBUG("dcerpc_samr_LookupRids failed: %s\n",
|
|
nt_errstr(status));
|
|
goto fail;
|
|
}
|
|
if (!NT_STATUS_IS_OK(result) &&
|
|
!NT_STATUS_EQUAL(result, STATUS_SOME_UNMAPPED)) {
|
|
DBG_DEBUG("dcerpc_samr_LookupRids resulted in %s\n",
|
|
nt_errstr(result));
|
|
status = result;
|
|
goto fail;
|
|
}
|
|
|
|
for (i=0; i<num_rids; i++) {
|
|
types[i] = samr_types.ids[i];
|
|
names[i] = talloc_move(
|
|
names,
|
|
discard_const_p(char *, &lsa_names.names[i].string));
|
|
|
|
if (names[i] != NULL) {
|
|
char *normalized = NULL;
|
|
NTSTATUS nstatus = normalize_name_map(
|
|
names, domain_name, names[i], &normalized);
|
|
if (NT_STATUS_IS_OK(nstatus) ||
|
|
NT_STATUS_EQUAL(nstatus, NT_STATUS_FILE_RENAMED)) {
|
|
names[i] = normalized;
|
|
}
|
|
}
|
|
}
|
|
|
|
done:
|
|
if (pdomain_name) {
|
|
*pdomain_name = talloc_strdup(mem_ctx, domain_name);
|
|
if (*pdomain_name == NULL) {
|
|
status = NT_STATUS_NO_MEMORY;
|
|
goto fail;
|
|
}
|
|
}
|
|
|
|
if (ptypes) {
|
|
*ptypes = talloc_move(mem_ctx, &types);
|
|
}
|
|
|
|
if (pnames) {
|
|
*pnames = talloc_move(mem_ctx, &names);
|
|
}
|
|
|
|
fail:
|
|
TALLOC_FREE(tmp_ctx);
|
|
return status;
|
|
}
|
|
|
|
static NTSTATUS sam_lockout_policy(struct winbindd_domain *domain,
|
|
TALLOC_CTX *mem_ctx,
|
|
struct samr_DomInfo12 *lockout_policy)
|
|
{
|
|
struct rpc_pipe_client *samr_pipe;
|
|
struct policy_handle dom_pol = { 0 };
|
|
union samr_DomainInfo *info = NULL;
|
|
TALLOC_CTX *tmp_ctx = talloc_stackframe();
|
|
NTSTATUS status, result;
|
|
struct dcerpc_binding_handle *b = NULL;
|
|
bool retry = false;
|
|
|
|
DEBUG(3,("sam_lockout_policy\n"));
|
|
|
|
again:
|
|
status = open_cached_internal_pipe_conn(domain,
|
|
&samr_pipe,
|
|
&dom_pol,
|
|
NULL,
|
|
NULL);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
goto error;
|
|
}
|
|
|
|
b = samr_pipe->binding_handle;
|
|
|
|
status = dcerpc_samr_QueryDomainInfo(b,
|
|
mem_ctx,
|
|
&dom_pol,
|
|
DomainLockoutInformation,
|
|
&info,
|
|
&result);
|
|
|
|
if (!retry && reset_connection_on_error(domain, samr_pipe, status)) {
|
|
retry = true;
|
|
goto again;
|
|
}
|
|
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
goto error;
|
|
}
|
|
if (!NT_STATUS_IS_OK(result)) {
|
|
status = result;
|
|
goto error;
|
|
}
|
|
|
|
*lockout_policy = info->info12;
|
|
|
|
error:
|
|
TALLOC_FREE(tmp_ctx);
|
|
return status;
|
|
}
|
|
|
|
static NTSTATUS sam_password_policy(struct winbindd_domain *domain,
|
|
TALLOC_CTX *mem_ctx,
|
|
struct samr_DomInfo1 *passwd_policy)
|
|
{
|
|
struct rpc_pipe_client *samr_pipe;
|
|
struct policy_handle dom_pol = { 0 };
|
|
union samr_DomainInfo *info = NULL;
|
|
TALLOC_CTX *tmp_ctx = talloc_stackframe();
|
|
NTSTATUS status, result;
|
|
struct dcerpc_binding_handle *b = NULL;
|
|
bool retry = false;
|
|
|
|
DEBUG(3,("sam_password_policy\n"));
|
|
|
|
again:
|
|
status = open_cached_internal_pipe_conn(domain,
|
|
&samr_pipe,
|
|
&dom_pol,
|
|
NULL,
|
|
NULL);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
goto error;
|
|
}
|
|
|
|
b = samr_pipe->binding_handle;
|
|
|
|
status = dcerpc_samr_QueryDomainInfo(b,
|
|
mem_ctx,
|
|
&dom_pol,
|
|
DomainPasswordInformation,
|
|
&info,
|
|
&result);
|
|
|
|
if (!retry && reset_connection_on_error(domain, samr_pipe, status)) {
|
|
retry = true;
|
|
goto again;
|
|
}
|
|
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
goto error;
|
|
}
|
|
if (!NT_STATUS_IS_OK(result)) {
|
|
status = result;
|
|
goto error;
|
|
}
|
|
|
|
*passwd_policy = info->info1;
|
|
|
|
error:
|
|
TALLOC_FREE(tmp_ctx);
|
|
return status;
|
|
}
|
|
|
|
/* Lookup groups a user is a member of. */
|
|
static NTSTATUS sam_lookup_usergroups(struct winbindd_domain *domain,
|
|
TALLOC_CTX *mem_ctx,
|
|
const struct dom_sid *user_sid,
|
|
uint32_t *pnum_groups,
|
|
struct dom_sid **puser_grpsids)
|
|
{
|
|
struct rpc_pipe_client *samr_pipe;
|
|
struct policy_handle dom_pol;
|
|
struct dom_sid *user_grpsids = NULL;
|
|
uint32_t num_groups = 0;
|
|
TALLOC_CTX *tmp_ctx = talloc_stackframe();
|
|
NTSTATUS status;
|
|
bool retry = false;
|
|
|
|
DEBUG(3,("sam_lookup_usergroups\n"));
|
|
|
|
ZERO_STRUCT(dom_pol);
|
|
|
|
if (pnum_groups) {
|
|
*pnum_groups = 0;
|
|
}
|
|
|
|
again:
|
|
status = open_cached_internal_pipe_conn(domain,
|
|
&samr_pipe,
|
|
&dom_pol,
|
|
NULL,
|
|
NULL);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
goto done;
|
|
}
|
|
|
|
status = rpc_lookup_usergroups(tmp_ctx,
|
|
samr_pipe,
|
|
&dom_pol,
|
|
&domain->sid,
|
|
user_sid,
|
|
&num_groups,
|
|
&user_grpsids);
|
|
|
|
if (!retry && reset_connection_on_error(domain, samr_pipe, status)) {
|
|
retry = true;
|
|
goto again;
|
|
}
|
|
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
goto done;
|
|
}
|
|
|
|
if (pnum_groups) {
|
|
*pnum_groups = num_groups;
|
|
}
|
|
|
|
if (puser_grpsids) {
|
|
*puser_grpsids = talloc_move(mem_ctx, &user_grpsids);
|
|
}
|
|
|
|
done:
|
|
|
|
TALLOC_FREE(tmp_ctx);
|
|
return status;
|
|
}
|
|
|
|
static NTSTATUS sam_lookup_useraliases(struct winbindd_domain *domain,
|
|
TALLOC_CTX *mem_ctx,
|
|
uint32_t num_sids,
|
|
const struct dom_sid *sids,
|
|
uint32_t *pnum_aliases,
|
|
uint32_t **palias_rids)
|
|
{
|
|
struct rpc_pipe_client *samr_pipe;
|
|
struct policy_handle dom_pol = { 0 };
|
|
uint32_t num_aliases = 0;
|
|
uint32_t *alias_rids = NULL;
|
|
TALLOC_CTX *tmp_ctx = talloc_stackframe();
|
|
NTSTATUS status;
|
|
bool retry = false;
|
|
|
|
DEBUG(3,("sam_lookup_useraliases\n"));
|
|
|
|
if (pnum_aliases) {
|
|
*pnum_aliases = 0;
|
|
}
|
|
|
|
again:
|
|
status = open_cached_internal_pipe_conn(domain,
|
|
&samr_pipe,
|
|
&dom_pol,
|
|
NULL,
|
|
NULL);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
goto done;
|
|
}
|
|
|
|
status = rpc_lookup_useraliases(tmp_ctx,
|
|
samr_pipe,
|
|
&dom_pol,
|
|
num_sids,
|
|
sids,
|
|
&num_aliases,
|
|
&alias_rids);
|
|
|
|
if (!retry && reset_connection_on_error(domain, samr_pipe, status)) {
|
|
retry = true;
|
|
goto again;
|
|
}
|
|
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
goto done;
|
|
}
|
|
|
|
if (pnum_aliases) {
|
|
*pnum_aliases = num_aliases;
|
|
}
|
|
|
|
if (palias_rids) {
|
|
*palias_rids = talloc_move(mem_ctx, &alias_rids);
|
|
}
|
|
|
|
done:
|
|
|
|
TALLOC_FREE(tmp_ctx);
|
|
return status;
|
|
}
|
|
|
|
/* the rpc backend methods are exposed via this structure */
|
|
struct winbindd_methods builtin_passdb_methods = {
|
|
.consistent = false,
|
|
|
|
.query_user_list = builtin_query_user_list,
|
|
.enum_dom_groups = builtin_enum_dom_groups,
|
|
.enum_local_groups = sam_enum_local_groups,
|
|
.name_to_sid = sam_name_to_sid,
|
|
.sid_to_name = sam_sid_to_name,
|
|
.rids_to_names = sam_rids_to_names,
|
|
.lookup_usergroups = sam_lookup_usergroups,
|
|
.lookup_useraliases = sam_lookup_useraliases,
|
|
.lookup_groupmem = sam_lookup_groupmem,
|
|
.lockout_policy = sam_lockout_policy,
|
|
.password_policy = sam_password_policy,
|
|
.trusted_domains = builtin_trusted_domains
|
|
};
|
|
|
|
/* the rpc backend methods are exposed via this structure */
|
|
struct winbindd_methods sam_passdb_methods = {
|
|
.consistent = false,
|
|
|
|
.query_user_list = sam_query_user_list,
|
|
.enum_dom_groups = sam_enum_dom_groups,
|
|
.enum_local_groups = sam_enum_local_groups,
|
|
.name_to_sid = sam_name_to_sid,
|
|
.sid_to_name = sam_sid_to_name,
|
|
.rids_to_names = sam_rids_to_names,
|
|
.lookup_usergroups = sam_lookup_usergroups,
|
|
.lookup_useraliases = sam_lookup_useraliases,
|
|
.lookup_groupmem = sam_lookup_groupmem,
|
|
.lockout_policy = sam_lockout_policy,
|
|
.password_policy = sam_password_policy,
|
|
.trusted_domains = sam_trusted_domains
|
|
};
|