mirror of
https://github.com/samba-team/samba.git
synced 2024-12-22 13:34:15 +03:00
92ad2c7b9b
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
594 lines
16 KiB
C
594 lines
16 KiB
C
/*
|
|
Unix SMB/CIFS implementation.
|
|
|
|
Helpers to add users and groups to the DB
|
|
|
|
Copyright (C) Andrew Tridgell 2004
|
|
Copyright (C) Volker Lendecke 2004
|
|
Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2010
|
|
Copyright (C) Matthias Dieter Wallnöfer 2009
|
|
|
|
This program is free software; you can redistribute it and/or modify
|
|
it under the terms of the GNU General Public License as published by
|
|
the Free Software Foundation; either version 3 of the License, or
|
|
(at your option) any later version.
|
|
|
|
This program is distributed in the hope that it will be useful,
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
GNU General Public License for more details.
|
|
|
|
You should have received a copy of the GNU General Public License
|
|
along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
*/
|
|
|
|
#include "includes.h"
|
|
#include "dsdb/samdb/samdb.h"
|
|
#include "dsdb/common/util.h"
|
|
#include "../libds/common/flags.h"
|
|
#include "libcli/security/security.h"
|
|
|
|
#include "libds/common/flag_mapping.h"
|
|
|
|
/* Add a user, SAMR style, including the correct transaction
|
|
* semantics. Used by the SAMR server and by pdb_samba4 */
|
|
NTSTATUS dsdb_add_user(struct ldb_context *ldb,
|
|
TALLOC_CTX *mem_ctx,
|
|
const char *account_name,
|
|
uint32_t acct_flags,
|
|
const struct dom_sid *forced_sid,
|
|
struct dom_sid **sid,
|
|
struct ldb_dn **dn)
|
|
{
|
|
const char *name;
|
|
struct ldb_message *msg;
|
|
int ret;
|
|
const char *container, *obj_class=NULL;
|
|
char *cn_name;
|
|
size_t cn_name_len;
|
|
|
|
const char *attrs[] = {
|
|
"objectSid",
|
|
"userAccountControl",
|
|
NULL
|
|
};
|
|
|
|
uint32_t user_account_control;
|
|
struct ldb_dn *account_dn;
|
|
struct dom_sid *account_sid;
|
|
|
|
const char *account_name_encoded = NULL;
|
|
|
|
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
|
|
NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
|
|
|
|
account_name_encoded = ldb_binary_encode_string(tmp_ctx, account_name);
|
|
if (account_name_encoded == NULL) {
|
|
talloc_free(tmp_ctx);
|
|
return NT_STATUS_NO_MEMORY;
|
|
}
|
|
|
|
/*
|
|
* Start a transaction, so we can query and do a subsequent atomic
|
|
* modify
|
|
*/
|
|
|
|
ret = ldb_transaction_start(ldb);
|
|
if (ret != LDB_SUCCESS) {
|
|
DEBUG(0,("Failed to start a transaction for user creation: %s\n",
|
|
ldb_errstring(ldb)));
|
|
talloc_free(tmp_ctx);
|
|
return NT_STATUS_LOCK_NOT_GRANTED;
|
|
}
|
|
|
|
/* check if the user already exists */
|
|
name = samdb_search_string(ldb, tmp_ctx, NULL,
|
|
"sAMAccountName",
|
|
"(&(sAMAccountName=%s)(objectclass=user))",
|
|
account_name_encoded);
|
|
if (name != NULL) {
|
|
ldb_transaction_cancel(ldb);
|
|
talloc_free(tmp_ctx);
|
|
return NT_STATUS_USER_EXISTS;
|
|
}
|
|
|
|
cn_name = talloc_strdup(tmp_ctx, account_name);
|
|
if (!cn_name) {
|
|
ldb_transaction_cancel(ldb);
|
|
talloc_free(tmp_ctx);
|
|
return NT_STATUS_NO_MEMORY;
|
|
}
|
|
|
|
cn_name_len = strlen(cn_name);
|
|
if (cn_name_len < 1) {
|
|
ldb_transaction_cancel(ldb);
|
|
talloc_free(tmp_ctx);
|
|
return NT_STATUS_INVALID_PARAMETER;
|
|
}
|
|
|
|
msg = ldb_msg_new(tmp_ctx);
|
|
if (msg == NULL) {
|
|
ldb_transaction_cancel(ldb);
|
|
talloc_free(tmp_ctx);
|
|
return NT_STATUS_NO_MEMORY;
|
|
}
|
|
|
|
/* This must be one of these values *only* */
|
|
if (acct_flags == ACB_NORMAL) {
|
|
container = "CN=Users";
|
|
obj_class = "user";
|
|
user_account_control = UF_NORMAL_ACCOUNT;
|
|
} else if (acct_flags == ACB_WSTRUST) {
|
|
if (cn_name[cn_name_len - 1] != '$') {
|
|
ldb_transaction_cancel(ldb);
|
|
return NT_STATUS_FOOBAR;
|
|
}
|
|
cn_name[cn_name_len - 1] = '\0';
|
|
container = "CN=Computers";
|
|
obj_class = "computer";
|
|
user_account_control = UF_WORKSTATION_TRUST_ACCOUNT;
|
|
|
|
} else if (acct_flags == ACB_SVRTRUST) {
|
|
if (cn_name[cn_name_len - 1] != '$') {
|
|
ldb_transaction_cancel(ldb);
|
|
return NT_STATUS_FOOBAR;
|
|
}
|
|
cn_name[cn_name_len - 1] = '\0';
|
|
container = "OU=Domain Controllers";
|
|
obj_class = "computer";
|
|
user_account_control = UF_SERVER_TRUST_ACCOUNT;
|
|
} else if (acct_flags == ACB_DOMTRUST) {
|
|
DEBUG(3, ("Invalid account flags specified: cannot create domain trusts via this interface (must use LSA CreateTrustedDomain calls\n"));
|
|
ldb_transaction_cancel(ldb);
|
|
talloc_free(tmp_ctx);
|
|
return NT_STATUS_INVALID_PARAMETER;
|
|
} else {
|
|
DEBUG(3, ("Invalid account flags specified 0x%08X, must be exactly one of \n"
|
|
"ACB_NORMAL (0x%08X) ACB_WSTRUST (0x%08X) or ACB_SVRTRUST (0x%08X)\n",
|
|
acct_flags,
|
|
ACB_NORMAL, ACB_WSTRUST, ACB_SVRTRUST));
|
|
ldb_transaction_cancel(ldb);
|
|
talloc_free(tmp_ctx);
|
|
return NT_STATUS_INVALID_PARAMETER;
|
|
}
|
|
|
|
user_account_control |= UF_ACCOUNTDISABLE | UF_PASSWD_NOTREQD;
|
|
|
|
/* add core elements to the ldb_message for the user */
|
|
msg->dn = ldb_dn_copy(msg, ldb_get_default_basedn(ldb));
|
|
if ( ! ldb_dn_add_child_fmt(msg->dn, "CN=%s,%s", cn_name, container)) {
|
|
ldb_transaction_cancel(ldb);
|
|
talloc_free(tmp_ctx);
|
|
return NT_STATUS_FOOBAR;
|
|
}
|
|
|
|
ret = ldb_msg_add_string(msg, "sAMAccountName", account_name);
|
|
if (ret != LDB_SUCCESS) {
|
|
goto failed;
|
|
}
|
|
ret = ldb_msg_add_string(msg, "objectClass", obj_class);
|
|
if (ret != LDB_SUCCESS) {
|
|
goto failed;
|
|
}
|
|
ret = samdb_msg_add_uint(ldb, tmp_ctx, msg,
|
|
"userAccountControl",
|
|
user_account_control);
|
|
if (ret != LDB_SUCCESS) {
|
|
goto failed;
|
|
}
|
|
|
|
/* This is only here for migrations using pdb_samba4, the
|
|
* caller and the samldb are responsible for ensuring it makes
|
|
* sense */
|
|
if (forced_sid) {
|
|
ret = samdb_msg_add_dom_sid(ldb, msg, msg, "objectSID", forced_sid);
|
|
if (ret != LDB_SUCCESS) {
|
|
ldb_transaction_cancel(ldb);
|
|
talloc_free(tmp_ctx);
|
|
return NT_STATUS_INTERNAL_ERROR;
|
|
}
|
|
}
|
|
|
|
/* create the user */
|
|
ret = ldb_add(ldb, msg);
|
|
switch (ret) {
|
|
case LDB_SUCCESS:
|
|
break;
|
|
case LDB_ERR_ENTRY_ALREADY_EXISTS:
|
|
ldb_transaction_cancel(ldb);
|
|
DEBUG(0,("Failed to create user record %s: %s\n",
|
|
ldb_dn_get_linearized(msg->dn),
|
|
ldb_errstring(ldb)));
|
|
talloc_free(tmp_ctx);
|
|
return NT_STATUS_USER_EXISTS;
|
|
case LDB_ERR_UNWILLING_TO_PERFORM:
|
|
case LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS:
|
|
ldb_transaction_cancel(ldb);
|
|
DEBUG(0,("Failed to create user record %s: %s\n",
|
|
ldb_dn_get_linearized(msg->dn),
|
|
ldb_errstring(ldb)));
|
|
talloc_free(tmp_ctx);
|
|
return NT_STATUS_ACCESS_DENIED;
|
|
default:
|
|
ldb_transaction_cancel(ldb);
|
|
DEBUG(0,("Failed to create user record %s: %s\n",
|
|
ldb_dn_get_linearized(msg->dn),
|
|
ldb_errstring(ldb)));
|
|
talloc_free(tmp_ctx);
|
|
return NT_STATUS_INTERNAL_DB_CORRUPTION;
|
|
}
|
|
|
|
account_dn = msg->dn;
|
|
|
|
/* retrieve the sid and account control bits for the user just created */
|
|
ret = dsdb_search_one(ldb, tmp_ctx, &msg,
|
|
account_dn, LDB_SCOPE_BASE, attrs, 0, NULL);
|
|
|
|
if (ret != LDB_SUCCESS) {
|
|
ldb_transaction_cancel(ldb);
|
|
DEBUG(0,("Can't locate the account we just created %s: %s\n",
|
|
ldb_dn_get_linearized(account_dn), ldb_errstring(ldb)));
|
|
talloc_free(tmp_ctx);
|
|
return NT_STATUS_INTERNAL_DB_CORRUPTION;
|
|
}
|
|
account_sid = samdb_result_dom_sid(tmp_ctx, msg, "objectSid");
|
|
if (account_sid == NULL) {
|
|
ldb_transaction_cancel(ldb);
|
|
DEBUG(0,("Apparently we failed to get the objectSid of the just created account record %s\n",
|
|
ldb_dn_get_linearized(msg->dn)));
|
|
talloc_free(tmp_ctx);
|
|
return NT_STATUS_INTERNAL_DB_CORRUPTION;
|
|
}
|
|
|
|
ret = ldb_transaction_commit(ldb);
|
|
if (ret != LDB_SUCCESS) {
|
|
DEBUG(0,("Failed to commit transaction to add and modify account record %s: %s\n",
|
|
ldb_dn_get_linearized(msg->dn),
|
|
ldb_errstring(ldb)));
|
|
talloc_free(tmp_ctx);
|
|
return NT_STATUS_INTERNAL_DB_CORRUPTION;
|
|
}
|
|
*dn = talloc_steal(mem_ctx, account_dn);
|
|
if (sid) {
|
|
*sid = talloc_steal(mem_ctx, account_sid);
|
|
}
|
|
talloc_free(tmp_ctx);
|
|
return NT_STATUS_OK;
|
|
|
|
failed:
|
|
ldb_transaction_cancel(ldb);
|
|
talloc_free(tmp_ctx);
|
|
return NT_STATUS_INTERNAL_ERROR;
|
|
}
|
|
|
|
/*
|
|
called by samr_CreateDomainGroup and pdb_samba4
|
|
*/
|
|
NTSTATUS dsdb_add_domain_group(struct ldb_context *ldb,
|
|
TALLOC_CTX *mem_ctx,
|
|
const char *groupname,
|
|
struct dom_sid **sid,
|
|
struct ldb_dn **dn)
|
|
{
|
|
const char *name;
|
|
struct ldb_message *msg;
|
|
struct dom_sid *group_sid;
|
|
const char *groupname_encoded = NULL;
|
|
int ret;
|
|
|
|
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
|
|
NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
|
|
|
|
groupname_encoded = ldb_binary_encode_string(tmp_ctx, groupname);
|
|
if (groupname_encoded == NULL) {
|
|
talloc_free(tmp_ctx);
|
|
return NT_STATUS_NO_MEMORY;
|
|
}
|
|
|
|
/* check if the group already exists */
|
|
name = samdb_search_string(ldb, tmp_ctx, NULL,
|
|
"sAMAccountName",
|
|
"(&(sAMAccountName=%s)(objectclass=group))",
|
|
groupname_encoded);
|
|
if (name != NULL) {
|
|
talloc_free(tmp_ctx);
|
|
return NT_STATUS_GROUP_EXISTS;
|
|
}
|
|
|
|
msg = ldb_msg_new(tmp_ctx);
|
|
if (msg == NULL) {
|
|
talloc_free(tmp_ctx);
|
|
return NT_STATUS_NO_MEMORY;
|
|
}
|
|
|
|
/* add core elements to the ldb_message for the user */
|
|
msg->dn = ldb_dn_copy(tmp_ctx, ldb_get_default_basedn(ldb));
|
|
ldb_dn_add_child_fmt(msg->dn, "CN=%s,CN=Users", groupname);
|
|
if (!msg->dn) {
|
|
talloc_free(tmp_ctx);
|
|
return NT_STATUS_NO_MEMORY;
|
|
}
|
|
ldb_msg_add_string(msg, "sAMAccountName", groupname);
|
|
ldb_msg_add_string(msg, "objectClass", "group");
|
|
|
|
/* create the group */
|
|
ret = ldb_add(ldb, msg);
|
|
switch (ret) {
|
|
case LDB_SUCCESS:
|
|
break;
|
|
case LDB_ERR_ENTRY_ALREADY_EXISTS:
|
|
DEBUG(0,("Failed to create group record %s: %s\n",
|
|
ldb_dn_get_linearized(msg->dn),
|
|
ldb_errstring(ldb)));
|
|
talloc_free(tmp_ctx);
|
|
return NT_STATUS_GROUP_EXISTS;
|
|
case LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS:
|
|
DEBUG(0,("Failed to create group record %s: %s\n",
|
|
ldb_dn_get_linearized(msg->dn),
|
|
ldb_errstring(ldb)));
|
|
talloc_free(tmp_ctx);
|
|
return NT_STATUS_ACCESS_DENIED;
|
|
default:
|
|
DEBUG(0,("Failed to create group record %s: %s\n",
|
|
ldb_dn_get_linearized(msg->dn),
|
|
ldb_errstring(ldb)));
|
|
talloc_free(tmp_ctx);
|
|
return NT_STATUS_INTERNAL_DB_CORRUPTION;
|
|
}
|
|
|
|
/* retrieve the sid for the group just created */
|
|
group_sid = samdb_search_dom_sid(ldb, tmp_ctx,
|
|
msg->dn, "objectSid", NULL);
|
|
if (group_sid == NULL) {
|
|
talloc_free(tmp_ctx);
|
|
return NT_STATUS_UNSUCCESSFUL;
|
|
}
|
|
|
|
*dn = talloc_steal(mem_ctx, msg->dn);
|
|
*sid = talloc_steal(mem_ctx, group_sid);
|
|
talloc_free(tmp_ctx);
|
|
return NT_STATUS_OK;
|
|
}
|
|
|
|
NTSTATUS dsdb_add_domain_alias(struct ldb_context *ldb,
|
|
TALLOC_CTX *mem_ctx,
|
|
const char *alias_name,
|
|
struct dom_sid **sid,
|
|
struct ldb_dn **dn)
|
|
{
|
|
const char *name;
|
|
struct ldb_message *msg;
|
|
struct dom_sid *alias_sid;
|
|
const char *alias_name_encoded = NULL;
|
|
int ret;
|
|
|
|
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
|
|
NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
|
|
|
|
alias_name_encoded = ldb_binary_encode_string(tmp_ctx, alias_name);
|
|
if (alias_name_encoded == NULL) {
|
|
return NT_STATUS_NO_MEMORY;
|
|
}
|
|
|
|
if (ldb_transaction_start(ldb) != LDB_SUCCESS) {
|
|
DEBUG(0, ("Failed to start transaction in dsdb_add_domain_alias(): %s\n", ldb_errstring(ldb)));
|
|
talloc_free(tmp_ctx);
|
|
return NT_STATUS_INTERNAL_ERROR;
|
|
}
|
|
|
|
/* Check if alias already exists */
|
|
name = samdb_search_string(ldb, tmp_ctx, NULL,
|
|
"sAMAccountName",
|
|
"(sAMAccountName=%s)(objectclass=group))",
|
|
alias_name_encoded);
|
|
|
|
if (name != NULL) {
|
|
talloc_free(tmp_ctx);
|
|
ldb_transaction_cancel(ldb);
|
|
return NT_STATUS_ALIAS_EXISTS;
|
|
}
|
|
|
|
msg = ldb_msg_new(tmp_ctx);
|
|
if (msg == NULL) {
|
|
talloc_free(tmp_ctx);
|
|
ldb_transaction_cancel(ldb);
|
|
return NT_STATUS_NO_MEMORY;
|
|
}
|
|
|
|
/* add core elements to the ldb_message for the alias */
|
|
msg->dn = ldb_dn_copy(mem_ctx, ldb_get_default_basedn(ldb));
|
|
ldb_dn_add_child_fmt(msg->dn, "CN=%s,CN=Users", alias_name);
|
|
if (!msg->dn) {
|
|
talloc_free(tmp_ctx);
|
|
ldb_transaction_cancel(ldb);
|
|
return NT_STATUS_NO_MEMORY;
|
|
}
|
|
|
|
ldb_msg_add_string(msg, "sAMAccountName", alias_name);
|
|
ldb_msg_add_string(msg, "objectClass", "group");
|
|
samdb_msg_add_int(ldb, mem_ctx, msg, "groupType", GTYPE_SECURITY_DOMAIN_LOCAL_GROUP);
|
|
|
|
/* create the alias */
|
|
ret = ldb_add(ldb, msg);
|
|
switch (ret) {
|
|
case LDB_SUCCESS:
|
|
break;
|
|
case LDB_ERR_ENTRY_ALREADY_EXISTS:
|
|
talloc_free(tmp_ctx);
|
|
ldb_transaction_cancel(ldb);
|
|
return NT_STATUS_ALIAS_EXISTS;
|
|
case LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS:
|
|
talloc_free(tmp_ctx);
|
|
ldb_transaction_cancel(ldb);
|
|
return NT_STATUS_ACCESS_DENIED;
|
|
default:
|
|
DEBUG(0,("Failed to create alias record %s: %s\n",
|
|
ldb_dn_get_linearized(msg->dn),
|
|
ldb_errstring(ldb)));
|
|
talloc_free(tmp_ctx);
|
|
ldb_transaction_cancel(ldb);
|
|
return NT_STATUS_INTERNAL_DB_CORRUPTION;
|
|
}
|
|
|
|
/* retrieve the sid for the alias just created */
|
|
alias_sid = samdb_search_dom_sid(ldb, tmp_ctx,
|
|
msg->dn, "objectSid", NULL);
|
|
|
|
if (ldb_transaction_commit(ldb) != LDB_SUCCESS) {
|
|
DEBUG(0, ("Failed to commit transaction in dsdb_add_domain_alias(): %s\n",
|
|
ldb_errstring(ldb)));
|
|
talloc_free(tmp_ctx);
|
|
return NT_STATUS_INTERNAL_ERROR;
|
|
}
|
|
|
|
*dn = talloc_steal(mem_ctx, msg->dn);
|
|
*sid = talloc_steal(mem_ctx, alias_sid);
|
|
talloc_free(tmp_ctx);
|
|
|
|
|
|
return NT_STATUS_OK;
|
|
}
|
|
|
|
/* Return the members of this group (which may be a domain group or an alias) */
|
|
NTSTATUS dsdb_enum_group_mem(struct ldb_context *ldb,
|
|
TALLOC_CTX *mem_ctx,
|
|
struct ldb_dn *dn,
|
|
struct dom_sid **members_out,
|
|
unsigned int *pnum_members)
|
|
{
|
|
struct ldb_message *msg;
|
|
unsigned int i, j;
|
|
int ret;
|
|
struct dom_sid *members;
|
|
struct ldb_message_element *member_el;
|
|
const char *attrs[] = { "member", NULL };
|
|
NTSTATUS status;
|
|
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
|
|
NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
|
|
|
|
ret = dsdb_search_one(ldb, tmp_ctx, &msg, dn, LDB_SCOPE_BASE, attrs,
|
|
DSDB_SEARCH_SHOW_EXTENDED_DN, NULL);
|
|
if (ret == LDB_ERR_NO_SUCH_OBJECT) {
|
|
talloc_free(tmp_ctx);
|
|
return NT_STATUS_OBJECT_NAME_NOT_FOUND;
|
|
}
|
|
if (ret != LDB_SUCCESS) {
|
|
DEBUG(1, ("dsdb_enum_group_mem: dsdb_search for %s failed: %s\n",
|
|
ldb_dn_get_linearized(dn), ldb_errstring(ldb)));
|
|
return NT_STATUS_INTERNAL_DB_CORRUPTION;
|
|
}
|
|
|
|
member_el = ldb_msg_find_element(msg, "member");
|
|
if (!member_el) {
|
|
*members_out = NULL;
|
|
*pnum_members = 0;
|
|
talloc_free(tmp_ctx);
|
|
return NT_STATUS_OK;
|
|
}
|
|
|
|
members = talloc_array(mem_ctx, struct dom_sid, member_el->num_values);
|
|
if (members == NULL) {
|
|
return NT_STATUS_NO_MEMORY;
|
|
}
|
|
|
|
j = 0;
|
|
for (i=0; i <member_el->num_values; i++) {
|
|
struct ldb_dn *member_dn = ldb_dn_from_ldb_val(tmp_ctx, ldb,
|
|
&member_el->values[i]);
|
|
if (!member_dn || !ldb_dn_validate(member_dn)) {
|
|
DEBUG(1, ("Could not parse %*.*s as a DN\n",
|
|
(int)member_el->values[i].length,
|
|
(int)member_el->values[i].length,
|
|
(const char *)member_el->values[i].data));
|
|
talloc_free(tmp_ctx);
|
|
return NT_STATUS_INTERNAL_DB_CORRUPTION;
|
|
}
|
|
|
|
status = dsdb_get_extended_dn_sid(member_dn, &members[j],
|
|
"SID");
|
|
if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
|
|
/* If we fail finding a SID then this is no error since
|
|
* it could be a non SAM object - e.g. a contact */
|
|
continue;
|
|
} else if (!NT_STATUS_IS_OK(status)) {
|
|
DEBUG(1, ("When parsing DN '%s' we failed to parse it's SID component, so we cannot fetch the membership: %s\n",
|
|
ldb_dn_get_extended_linearized(tmp_ctx, member_dn, 1),
|
|
nt_errstr(status)));
|
|
talloc_free(tmp_ctx);
|
|
return status;
|
|
}
|
|
|
|
++j;
|
|
}
|
|
|
|
*members_out = members;
|
|
*pnum_members = j;
|
|
talloc_free(tmp_ctx);
|
|
return NT_STATUS_OK;
|
|
}
|
|
|
|
NTSTATUS dsdb_lookup_rids(struct ldb_context *ldb,
|
|
TALLOC_CTX *mem_ctx,
|
|
const struct dom_sid *domain_sid,
|
|
unsigned int num_rids,
|
|
uint32_t *rids,
|
|
const char **names,
|
|
enum lsa_SidType *lsa_attrs)
|
|
{
|
|
const char *attrs[] = { "sAMAccountType", "sAMAccountName", NULL };
|
|
unsigned int i, num_mapped;
|
|
|
|
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
|
|
NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
|
|
|
|
num_mapped = 0;
|
|
|
|
for (i=0; i<num_rids; i++) {
|
|
struct ldb_message *msg;
|
|
struct ldb_dn *dn;
|
|
uint32_t attr;
|
|
int rc;
|
|
|
|
lsa_attrs[i] = SID_NAME_UNKNOWN;
|
|
|
|
dn = ldb_dn_new_fmt(tmp_ctx, ldb, "<SID=%s>",
|
|
dom_sid_string(tmp_ctx,
|
|
dom_sid_add_rid(tmp_ctx, domain_sid,
|
|
rids[i])));
|
|
if (dn == NULL) {
|
|
talloc_free(tmp_ctx);
|
|
return NT_STATUS_NO_MEMORY;
|
|
}
|
|
rc = dsdb_search_one(ldb, tmp_ctx, &msg, dn, LDB_SCOPE_BASE, attrs, 0, "samAccountName=*");
|
|
if (rc == LDB_ERR_NO_SUCH_OBJECT) {
|
|
continue;
|
|
} else if (rc != LDB_SUCCESS) {
|
|
talloc_free(tmp_ctx);
|
|
return NT_STATUS_INTERNAL_DB_CORRUPTION;
|
|
}
|
|
|
|
names[i] = ldb_msg_find_attr_as_string(msg, "samAccountName", NULL);
|
|
if (names[i] == NULL) {
|
|
DEBUG(10, ("no samAccountName\n"));
|
|
continue;
|
|
}
|
|
talloc_steal(names, names[i]);
|
|
attr = ldb_msg_find_attr_as_uint(msg, "samAccountType", 0);
|
|
lsa_attrs[i] = ds_atype_map(attr);
|
|
if (lsa_attrs[i] == SID_NAME_UNKNOWN) {
|
|
continue;
|
|
}
|
|
num_mapped += 1;
|
|
}
|
|
talloc_free(tmp_ctx);
|
|
|
|
if (num_mapped == 0) {
|
|
return NT_STATUS_NONE_MAPPED;
|
|
}
|
|
if (num_mapped < num_rids) {
|
|
return STATUS_SOME_UNMAPPED;
|
|
}
|
|
return NT_STATUS_OK;
|
|
}
|
|
|