search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
idl: Remove unused KRB5_EDATA_NTSTATUS
[samba4-gss.git] / source3 / winbindd / idmap_ad.c
blob00a75a6f3ecb5a35cee1be93c26e7c9ba1e0711d
1 /*
2 * idmap_ad: map between Active Directory and RFC 2307 accounts
3 *
4 * Copyright (C) Volker Lendecke 2015
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
18 */
19
20 #include "includes.h"
21 #include "winbindd.h"
22 #include "libsmb/namequery.h"
23 #include "idmap.h"
24 #include "tldap.h"
25 #include "tldap_util.h"
26 #include "tldap_tls_connect.h"
27 #include "tldap_gensec_bind.h"
28 #include "passdb.h"
29 #include "lib/param/param.h"
30 #include "auth/gensec/gensec.h"
31 #include "librpc/gen_ndr/ndr_netlogon.h"
32 #include "libads/ldap_schema_oids.h"
33 #include "../libds/common/flags.h"
34 #include "libcli/ldap/ldap_ndr.h"
35 #include "libcli/security/dom_sid.h"
36 #include "source3/libads/sitename_cache.h"
37 #include "source3/libads/kerberos_proto.h"
38 #include "source3/librpc/gen_ndr/ads.h"
39 #include "source3/lib/global_contexts.h"
40 #include <ldb.h>
41
42 struct idmap_ad_schema_names;
43
44 struct idmap_ad_context {
45 struct idmap_domain *dom;
46 struct tldap_context *ld;
47 struct idmap_ad_schema_names *schema;
48 const char *default_nc;
49
50 bool unix_primary_group;
51 bool unix_nss_info;
52
53 struct ldb_context *ldb;
54 struct ldb_dn **deny_ous;
55 struct ldb_dn **allow_ous;
56 };
57
58 static NTSTATUS idmap_ad_get_context(struct idmap_domain *dom,
59 struct idmap_ad_context **pctx);
60
61 static char *get_schema_path(TALLOC_CTX *mem_ctx, struct tldap_context *ld)
62 {
63 struct tldap_message *rootdse;
64
65 rootdse = tldap_rootdse(ld);
66 if (rootdse == NULL) {
67 return NULL;
68 }
69
70 return tldap_talloc_single_attribute(rootdse, "schemaNamingContext",
71 mem_ctx);
72 }
73
74 static char *get_default_nc(TALLOC_CTX *mem_ctx, struct tldap_context *ld)
75 {
76 struct tldap_message *rootdse;
77
78 rootdse = tldap_rootdse(ld);
79 if (rootdse == NULL) {
80 return NULL;
81 }
82
83 return tldap_talloc_single_attribute(rootdse, "defaultNamingContext",
84 mem_ctx);
85 }
86
87 struct idmap_ad_schema_names {
88 char *name;
89 char *uid;
90 char *gid;
91 char *gecos;
92 char *dir;
93 char *shell;
94 };
95
96 static TLDAPRC get_attrnames_by_oids(struct tldap_context *ld,
97 TALLOC_CTX *mem_ctx,
98 const char *schema_path,
99 size_t num_oids,
100 const char **oids,
101 char **names)
102 {
103 char *filter;
104 const char *attrs[] = { "lDAPDisplayName", "attributeId" };
105 size_t i;
106 TLDAPRC rc;
107 struct tldap_message **msgs;
108 size_t num_msgs;
109
110 filter = talloc_strdup(mem_ctx, "(|");
111
112 for (i=0; i<num_oids; i++) {
113 talloc_asprintf_addbuf(&filter, "(attributeId=%s)", oids[i]);
114 }
115 talloc_asprintf_addbuf(&filter, ")");
116
117 if (filter == NULL) {
118 return TLDAP_NO_MEMORY;
119 }
120
121 rc = tldap_search(ld, schema_path, TLDAP_SCOPE_SUB, filter,
122 attrs, ARRAY_SIZE(attrs), 0, NULL, 0, NULL, 0,
123 0, 0, 0, mem_ctx, &msgs);;
124 TALLOC_FREE(filter);
125 if (!TLDAP_RC_IS_SUCCESS(rc)) {
126 return rc;
127 }
128
129 for (i=0; i<num_oids; i++) {
130 names[i] = NULL;
131 }
132
133 num_msgs = talloc_array_length(msgs);
134
135 for (i=0; i<num_msgs; i++) {
136 struct tldap_message *msg = msgs[i];
137 char *oid;
138 size_t j;
139
140 if (tldap_msg_type(msg) != TLDAP_RES_SEARCH_ENTRY) {
141 /* Could be a TLDAP_RES_SEARCH_REFERENCE */
142 continue;
143 }
144
145 oid = tldap_talloc_single_attribute(
146 msg, "attributeId", msg);
147 if (oid == NULL) {
148 continue;
149 }
150
151 for (j=0; j<num_oids; j++) {
152 if (strequal(oid, oids[j])) {
153 break;
154 }
155 }
156 TALLOC_FREE(oid);
157
158 if (j == num_oids) {
159 /* not found */
160 continue;
161 }
162
163 names[j] = tldap_talloc_single_attribute(
164 msg, "lDAPDisplayName", mem_ctx);
165 }
166
167 TALLOC_FREE(msgs);
168 for (i=0; i<num_oids; i++) {
169 if (names[i] == NULL) {
170 DBG_ERR("Failed to retrieve schema name for "
171 "oid [%s]. Schema mode is incorrect "
172 "for this domain.\n", oids[i]);
173 return TLDAP_FILTER_ERROR;
174 }
175 }
176
177 return TLDAP_SUCCESS;
178 }
179
180 static TLDAPRC get_posix_schema_names(struct tldap_context *ld,
181 const char *schema_mode,
182 TALLOC_CTX *mem_ctx,
183 struct idmap_ad_schema_names **pschema)
184 {
185 char *schema_path;
186 struct idmap_ad_schema_names *schema;
187 char *names[6];
188 const char *oids_sfu[] = {
189 ADS_ATTR_SFU_UIDNUMBER_OID,
190 ADS_ATTR_SFU_GIDNUMBER_OID,
191 ADS_ATTR_SFU_HOMEDIR_OID,
192 ADS_ATTR_SFU_SHELL_OID,
193 ADS_ATTR_SFU_GECOS_OID,
194 ADS_ATTR_SFU_UID_OID
195 };
196 const char *oids_sfu20[] = {
197 ADS_ATTR_SFU20_UIDNUMBER_OID,
198 ADS_ATTR_SFU20_GIDNUMBER_OID,
199 ADS_ATTR_SFU20_HOMEDIR_OID,
200 ADS_ATTR_SFU20_SHELL_OID,
201 ADS_ATTR_SFU20_GECOS_OID,
202 ADS_ATTR_SFU20_UID_OID
203 };
204 const char *oids_rfc2307[] = {
205 ADS_ATTR_RFC2307_UIDNUMBER_OID,
206 ADS_ATTR_RFC2307_GIDNUMBER_OID,
207 ADS_ATTR_RFC2307_HOMEDIR_OID,
208 ADS_ATTR_RFC2307_SHELL_OID,
209 ADS_ATTR_RFC2307_GECOS_OID,
210 ADS_ATTR_RFC2307_UID_OID
211 };
212 const char **oids;
213
214 TLDAPRC rc;
215
216 schema = talloc(mem_ctx, struct idmap_ad_schema_names);
217 if (schema == NULL) {
218 return TLDAP_NO_MEMORY;
219 }
220
221 schema_path = get_schema_path(schema, ld);
222 if (schema_path == NULL) {
223 TALLOC_FREE(schema);
224 return TLDAP_NO_MEMORY;
225 }
226
227 oids = oids_rfc2307;
228
229 if ((schema_mode != NULL) && (schema_mode[0] != '\0')) {
230 if (strequal(schema_mode, "sfu")) {
231 oids = oids_sfu;
232 } else if (strequal(schema_mode, "sfu20")) {
233 oids = oids_sfu20;
234 } else if (strequal(schema_mode, "rfc2307" )) {
235 oids = oids_rfc2307;
236 } else {
237 DBG_WARNING("Unknown schema mode %s\n", schema_mode);
238 }
239 }
240
241 rc = get_attrnames_by_oids(ld, schema, schema_path, 6, oids, names);
242 TALLOC_FREE(schema_path);
243 if (!TLDAP_RC_IS_SUCCESS(rc)) {
244 TALLOC_FREE(schema);
245 return rc;
246 }
247
248 schema->uid = names[0];
249 schema->gid = names[1];
250 schema->dir = names[2];
251 schema->shell = names[3];
252 schema->gecos = names[4];
253 schema->name = names[5];
254
255 *pschema = schema;
256
257 return TLDAP_SUCCESS;
258 }
259
260 static void PRINTF_ATTRIBUTE(3, 0) idmap_ad_tldap_debug(
261 void *log_private,
262 enum tldap_debug_level level,
263 const char *fmt,
264 va_list ap)
265 {
266 int samba_level = -1;
267
268 switch (level) {
269 case TLDAP_DEBUG_FATAL:
270 samba_level = DBGLVL_ERR;
271 break;
272 case TLDAP_DEBUG_ERROR:
273 samba_level = DBGLVL_ERR;
274 break;
275 case TLDAP_DEBUG_WARNING:
276 samba_level = DBGLVL_WARNING;
277 break;
278 case TLDAP_DEBUG_TRACE:
279 samba_level = DBGLVL_DEBUG;
280 break;
281 }
282
283 if (CHECK_DEBUGLVL(samba_level)) {
284 char *s = NULL;
285 int ret;
286
287 ret = vasprintf(&s, fmt, ap);
288 if (ret == -1) {
289 return;
290 }
291 DEBUG(samba_level, ("idmap_ad_tldap: %s", s));
292 free(s);
293 }
294 }
295
296 static NTSTATUS idmap_ad_get_tldap_ctx(TALLOC_CTX *mem_ctx,
297 const char *domname,
298 struct tldap_context **pld)
299 {
300 struct netr_DsRGetDCNameInfo *dcinfo;
301 struct sockaddr_storage dcaddr = {
302 .ss_family = AF_UNSPEC,
303 };
304 struct sockaddr_storage *pdcaddr = NULL;
305 struct winbindd_domain *creds_domain = NULL;
306 struct cli_credentials *creds;
307 struct loadparm_context *lp_ctx;
308 struct tldap_context *ld;
309 int tcp_port = 389;
310 bool use_tls = false;
311 bool use_starttls = false;
312 int wrap_flags = -1;
313 uint32_t gensec_features = 0;
314 char *sitename = NULL;
315 int fd;
316 NTSTATUS status;
317 bool ok;
318 TLDAPRC rc;
319
320 wrap_flags = lp_client_ldap_sasl_wrapping();
321
322 if (wrap_flags & ADS_AUTH_SASL_LDAPS) {
323 use_tls = true;
324 tcp_port = 636;
325 } else if (wrap_flags & ADS_AUTH_SASL_STARTTLS) {
326 use_tls = true;
327 use_starttls = true;
328 }
329 if (wrap_flags & ADS_AUTH_SASL_SEAL) {
330 gensec_features |= GENSEC_FEATURE_SEAL;
331 }
332 if (wrap_flags & ADS_AUTH_SASL_SIGN) {
333 gensec_features |= GENSEC_FEATURE_SIGN;
334 }
335
336 if (gensec_features != 0) {
337 gensec_features |= GENSEC_FEATURE_LDAP_STYLE;
338 }
339
340 status = wb_dsgetdcname_gencache_get(mem_ctx, domname, &dcinfo);
341 if (!NT_STATUS_IS_OK(status)) {
342 DBG_DEBUG("Could not get dcinfo for %s: %s\n", domname,
343 nt_errstr(status));
344 return status;
345 }
346
347 if (dcinfo->dc_unc == NULL) {
348 TALLOC_FREE(dcinfo);
349 return NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
350 }
351 if (dcinfo->dc_unc[0] == '\\') {
352 dcinfo->dc_unc += 1;
353 }
354 if (dcinfo->dc_unc[0] == '\\') {
355 dcinfo->dc_unc += 1;
356 }
357
358 ok = resolve_name(dcinfo->dc_unc, &dcaddr, 0x20, true);
359 if (!ok) {
360 DBG_DEBUG("Could not resolve name %s\n", dcinfo->dc_unc);
361 TALLOC_FREE(dcinfo);
362 return NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
363 }
364
365 sitename = sitename_fetch(talloc_tos(), lp_realm());
366
367 /*
368 * create_local_private_krb5_conf_for_domain() can deal with
369 * sitename==NULL
370 */
371 if (strequal(domname, lp_realm()) || strequal(domname, lp_workgroup()))
372 {
373 pdcaddr = &dcaddr;
374 }
375
376 ok = create_local_private_krb5_conf_for_domain(
377 lp_realm(), lp_workgroup(), sitename, pdcaddr);
378 TALLOC_FREE(sitename);
379 if (!ok) {
380 DBG_DEBUG("Could not create private krb5.conf\n");
381 TALLOC_FREE(dcinfo);
382 return NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
383 }
384
385 status = open_socket_out(&dcaddr, tcp_port, 10000, &fd);
386 if (!NT_STATUS_IS_OK(status)) {
387 DBG_DEBUG("open_socket_out failed: %s\n", nt_errstr(status));
388 TALLOC_FREE(dcinfo);
389 return status;
390 }
391
392 ld = tldap_context_create(dcinfo, fd);
393 if (ld == NULL) {
394 DBG_DEBUG("tldap_context_create failed\n");
395 close(fd);
396 TALLOC_FREE(dcinfo);
397 return NT_STATUS_NO_MEMORY;
398 }
399 tldap_set_debug(ld, idmap_ad_tldap_debug, NULL);
400
401 /*
402 * Here we use or own machine account as
403 * we run as domain member.
404 */
405 creds_domain = find_our_domain();
406 if (creds_domain == NULL) {
407 DBG_ERR("find_our_domain() returned NULL\n");
408 TALLOC_FREE(dcinfo);
409 return NT_STATUS_INTERNAL_ERROR;
410 }
411 status = winbindd_get_trust_credentials(creds_domain,
412 dcinfo,
413 false, /* netlogon */
414 false, /* ipc_fallback */
415 &creds);
416 if (!NT_STATUS_IS_OK(status)) {
417 DBG_ERR("winbindd_get_trust_credentials(%s) failed - %s\n",
418 creds_domain->name, nt_errstr(status));
419 TALLOC_FREE(dcinfo);
420 return status;
421 }
422
423 lp_ctx = loadparm_init_s3(dcinfo, loadparm_s3_helpers());
424 if (lp_ctx == NULL) {
425 DBG_DEBUG("loadparm_init_s3 failed\n");
426 TALLOC_FREE(dcinfo);
427 return NT_STATUS_NO_MEMORY;
428 }
429
430 if (use_tls && !tldap_has_tls_tstream(ld)) {
431 tldap_set_starttls_needed(ld, use_starttls);
432
433 rc = tldap_tls_connect(ld, lp_ctx, dcinfo->dc_unc);
434 if (!TLDAP_RC_IS_SUCCESS(rc)) {
435 DBG_ERR("tldap_gensec_bind(%s) failed: %s\n",
436 dcinfo->dc_unc,
437 tldap_errstr(dcinfo, ld, rc));
438 TALLOC_FREE(dcinfo);
439 return NT_STATUS_LDAP(TLDAP_RC_V(rc));
440 }
441 }
442
443 rc = tldap_gensec_bind(ld, creds, "ldap", dcinfo->dc_unc, NULL, lp_ctx,
444 gensec_features);
445 if (!TLDAP_RC_IS_SUCCESS(rc)) {
446 DBG_DEBUG("tldap_gensec_bind failed: %s\n",
447 tldap_errstr(dcinfo, ld, rc));
448 TALLOC_FREE(dcinfo);
449 return NT_STATUS_LDAP(TLDAP_RC_V(rc));
450 }
451
452 rc = tldap_fetch_rootdse(ld);
453 if (!TLDAP_RC_IS_SUCCESS(rc)) {
454 DBG_DEBUG("tldap_fetch_rootdse failed: %s\n",
455 tldap_errstr(dcinfo, ld, rc));
456 TALLOC_FREE(dcinfo);
457 return NT_STATUS_LDAP(TLDAP_RC_V(rc));
458 }
459
460 *pld = talloc_move(mem_ctx, &ld);
461 TALLOC_FREE(dcinfo);
462 return NT_STATUS_OK;
463 }
464
465 static int idmap_ad_context_destructor(struct idmap_ad_context *ctx)
466 {
467 if ((ctx->dom != NULL) && (ctx->dom->private_data == ctx)) {
468 ctx->dom->private_data = NULL;
469 }
470 return 0;
471 }
472
473 static struct ldb_dn **str_list_to_dns(TALLOC_CTX *mem_ctx,
474 const char *dbgmsg,
475 struct ldb_context *ldb,
476 const char **strlist)
477 {
478 size_t i, num_dns = str_list_length(strlist);
479 char *dbgstr = NULL;
480 struct ldb_dn **dns = NULL;
481
482 dns = talloc_array(mem_ctx, struct ldb_dn *, num_dns);
483 if (dns == NULL) {
484 TALLOC_FREE(dbgstr);
485 return NULL;
486 }
487
488 dbgstr = talloc_strdup(talloc_tos(), "");
489
490 for (i = 0; i < num_dns; i++) {
491 dns[i] = ldb_dn_new(dns, ldb, strlist[i]);
492 if (dns[i] == NULL) {
493 DBG_WARNING("ldb_dn_new(%s) failed\n", strlist[i]);
494 TALLOC_FREE(dns);
495 return NULL;
496 }
497 talloc_asprintf_addbuf(
498 &dbgstr,
499 "%s ",
500 ldb_dn_get_extended_linearized(dbgstr, dns[i], 1));
501 }
502
503 DBG_DEBUG("%s %s\n", dbgmsg, dbgstr);
504 TALLOC_FREE(dbgstr);
505
506 return dns;
507 }
508
509 static NTSTATUS idmap_ad_context_create(TALLOC_CTX *mem_ctx,
510 struct idmap_domain *dom,
511 const char *domname,
512 struct idmap_ad_context **pctx)
513 {
514 struct idmap_ad_context *ctx;
515 const char *schema_mode;
516 const char **allow = NULL;
517 const char **deny = NULL;
518 NTSTATUS status;
519 TLDAPRC rc;
520
521 ctx = talloc_zero(mem_ctx, struct idmap_ad_context);
522 if (ctx == NULL) {
523 return NT_STATUS_NO_MEMORY;
524 }
525 ctx->dom = dom;
526
527 talloc_set_destructor(ctx, idmap_ad_context_destructor);
528
529 status = idmap_ad_get_tldap_ctx(ctx, domname, &ctx->ld);
530 if (!NT_STATUS_IS_OK(status)) {
531 DBG_DEBUG("idmap_ad_get_tldap_ctx failed: %s\n",
532 nt_errstr(status));
533 TALLOC_FREE(ctx);
534 return status;
535 }
536
537 ctx->default_nc = get_default_nc(ctx, ctx->ld);
538 if (ctx->default_nc == NULL) {
539 DBG_DEBUG("No default nc\n");
540 TALLOC_FREE(ctx);
541 return status;
542 }
543
544 ctx->unix_primary_group = idmap_config_bool(
545 domname, "unix_primary_group", false);
546 ctx->unix_nss_info = idmap_config_bool(
547 domname, "unix_nss_info", false);
548
549 schema_mode = idmap_config_const_string(
550 domname, "schema_mode", "rfc2307");
551
552 rc = get_posix_schema_names(ctx->ld, schema_mode, ctx, &ctx->schema);
553 if (!TLDAP_RC_IS_SUCCESS(rc)) {
554 DBG_DEBUG("get_posix_schema_names failed: %s\n",
555 tldap_errstr(ctx, ctx->ld, rc));
556 TALLOC_FREE(ctx);
557 return NT_STATUS_LDAP(TLDAP_RC_V(rc));
558 }
559
560 deny = idmap_config_string_list(domname, "deny ous", NULL);
561 allow = idmap_config_string_list(domname, "allow ous", NULL);
562
563 if ((deny != NULL) || (allow != NULL)) {
564 int ret = ldb_global_init();
565 if (ret == -1) {
566 status = map_nt_error_from_unix(errno);
567 DBG_WARNING("ldb_global_init() failed: %s\n",
568 strerror(errno));
569 TALLOC_FREE(ctx);
570 return status;
571 }
572
573 ctx->ldb = ldb_init(ctx, global_event_context());
574 if (ctx->ldb == NULL) {
575 status = map_nt_error_from_unix(errno);
576 DBG_WARNING("ldb_init() failed: %s\n", strerror(errno));
577 TALLOC_FREE(ctx);
578 return status;
579 }
580 }
581
582 if (deny != NULL) {
583 ctx->deny_ous = str_list_to_dns(ctx, "Denying", ctx->ldb, deny);
584 if (ctx->deny_ous == NULL) {
585 DBG_DEBUG("str_list_to_dns failed\n");
586 TALLOC_FREE(ctx);
587 return NT_STATUS_NO_MEMORY;
588 }
589 }
590
591 if (allow != NULL) {
592 ctx->allow_ous =
593 str_list_to_dns(ctx, "Allowing", ctx->ldb, allow);
594 if (ctx->allow_ous == NULL) {
595 DBG_DEBUG("str_list_to_dns failed\n");
596 TALLOC_FREE(ctx);
597 return NT_STATUS_NO_MEMORY;
598 }
599 }
600
601 *pctx = ctx;
602 return NT_STATUS_OK;
603 }
604
605 static bool check_dn(struct ldb_dn **dns, struct ldb_dn *dn)
606 {
607 size_t i, num_dns = talloc_array_length(dns);
608
609 for (i = 0; i < num_dns; i++) {
610 struct ldb_dn *base = dns[i];
611 int ret = ldb_dn_compare_base(base, dn);
612 if (ret == 0) {
613 return true;
614 }
615 }
616 return false;
617 }
618
619 static bool idmap_ad_dn_filter(struct idmap_domain *dom, const char *dnstr)
620 {
621 struct idmap_ad_context *ctx = NULL;
622 struct ldb_dn *dn = NULL;
623 NTSTATUS status;
624 bool result = false;
625
626 status = idmap_ad_get_context(dom, &ctx);
627 if (!NT_STATUS_IS_OK(status)) {
628 DBG_DEBUG("idmap_ad_get_context failed: %s\n",
629 nt_errstr(status));
630 return false;
631 }
632
633 if ((ctx->allow_ous == NULL) && (ctx->deny_ous == NULL)) {
634 /*
635 * Nothing to check
636 */
637 return true;
638 }
639
640 dn = ldb_dn_new(talloc_tos(), ctx->ldb, dnstr);
641 if (dn == NULL) {
642 DBG_DEBUG("ldb_dn_new(%s) failed\n", dnstr);
643 return false;
644 }
645
646 if (ctx->deny_ous != NULL) {
647 bool denied = check_dn(ctx->deny_ous, dn);
648 if (denied) {
649 DBG_WARNING("Denied %s\n", dnstr);
650 TALLOC_FREE(dn);
651 return false;
652 }
653
654 if (ctx->allow_ous == NULL) {
655 /*
656 * Only a few denied OUs around, allow by
657 * default
658 */
659 result = true;
660 }
661 }
662
663 if (ctx->allow_ous != NULL) {
664 bool allowed = check_dn(ctx->allow_ous, dn);
665 if (allowed) {
666 return true;
667 }
668 DBG_WARNING("Did not allow %s\n", dnstr);
669 }
670
671 return result;
672 }
673
674 static NTSTATUS idmap_ad_query_user(struct idmap_domain *domain,
675 struct wbint_userinfo *info)
676 {
677 struct idmap_ad_context *ctx;
678 TLDAPRC rc;
679 NTSTATUS status;
680 char *sidstr, *filter;
681 const char *attrs[4];
682 size_t i, num_msgs;
683 struct tldap_message **msgs;
684
685 status = idmap_ad_get_context(domain, &ctx);
686 if (!NT_STATUS_IS_OK(status)) {
687 return status;
688 }
689
690 if (!(ctx->unix_primary_group || ctx->unix_nss_info)) {
691 return NT_STATUS_OK;
692 }
693
694 attrs[0] = ctx->schema->gid;
695 attrs[1] = ctx->schema->gecos;
696 attrs[2] = ctx->schema->dir;
697 attrs[3] = ctx->schema->shell;
698
699 sidstr = ldap_encode_ndr_dom_sid(talloc_tos(), &info->user_sid);
700 if (sidstr == NULL) {
701 return NT_STATUS_NO_MEMORY;
702 }
703
704 filter = talloc_asprintf(talloc_tos(), "(objectsid=%s)", sidstr);
705 TALLOC_FREE(sidstr);
706 if (filter == NULL) {
707 return NT_STATUS_NO_MEMORY;
708 }
709
710 DBG_DEBUG("Filter: [%s]\n", filter);
711
712 rc = tldap_search(ctx->ld, ctx->default_nc, TLDAP_SCOPE_SUB, filter,
713 attrs, ARRAY_SIZE(attrs), 0, NULL, 0, NULL, 0,
714 0, 0, 0, talloc_tos(), &msgs);
715 if (!TLDAP_RC_IS_SUCCESS(rc)) {
716 return NT_STATUS_LDAP(TLDAP_RC_V(rc));
717 }
718
719 TALLOC_FREE(filter);
720
721 num_msgs = talloc_array_length(msgs);
722
723 for (i=0; i<num_msgs; i++) {
724 struct tldap_message *msg = msgs[i];
725 char *dn = NULL;
726 bool ok;
727
728 if (tldap_msg_type(msg) != TLDAP_RES_SEARCH_ENTRY) {
729 continue;
730 }
731 ok = tldap_entry_dn(msg, &dn);
732 if (!ok) {
733 continue;
734 }
735 ok = idmap_ad_dn_filter(domain, dn);
736 if (!ok) {
737 DBG_DEBUG("%s filtered out\n", dn);
738 continue;
739 }
740
741 if (ctx->unix_primary_group) {
742 uint32_t gid;
743
744 ok = tldap_pull_uint32(msg, ctx->schema->gid, &gid);
745 if (ok) {
746 DBG_DEBUG("Setting primary group "
747 "to %"PRIu32" from attr %s\n",
748 gid, ctx->schema->gid);
749 info->primary_gid = gid;
750 }
751 }
752
753 if (ctx->unix_nss_info) {
754 char *attr;
755
756 attr = tldap_talloc_single_attribute(
757 msg, ctx->schema->dir, talloc_tos());
758 if (attr != NULL) {
759 info->homedir = talloc_move(info, &attr);
760 }
761 TALLOC_FREE(attr);
762
763 attr = tldap_talloc_single_attribute(
764 msg, ctx->schema->shell, talloc_tos());
765 if (attr != NULL) {
766 info->shell = talloc_move(info, &attr);
767 }
768 TALLOC_FREE(attr);
769
770 attr = tldap_talloc_single_attribute(
771 msg, ctx->schema->gecos, talloc_tos());
772 if (attr != NULL) {
773 info->full_name = talloc_move(info, &attr);
774 }
775 TALLOC_FREE(attr);
776 }
777 }
778
779 return NT_STATUS_OK;
780 }
781
782 static NTSTATUS idmap_ad_query_user_retry(struct idmap_domain *domain,
783 struct wbint_userinfo *info)
784 {
785 const NTSTATUS status_server_down =
786 NT_STATUS_LDAP(TLDAP_RC_V(TLDAP_SERVER_DOWN));
787 NTSTATUS status;
788
789 status = idmap_ad_query_user(domain, info);
790
791 if (NT_STATUS_EQUAL(status, status_server_down)) {
792 TALLOC_FREE(domain->private_data);
793 status = idmap_ad_query_user(domain, info);
794 }
795
796 return status;
797 }
798
799 static NTSTATUS idmap_ad_initialize(struct idmap_domain *dom)
800 {
801 dom->query_user = idmap_ad_query_user_retry;
802 dom->private_data = NULL;
803 return NT_STATUS_OK;
804 }
805
806 static NTSTATUS idmap_ad_get_context(struct idmap_domain *dom,
807 struct idmap_ad_context **pctx)
808 {
809 struct idmap_ad_context *ctx = NULL;
810 NTSTATUS status;
811
812 if (IS_AD_DC) {
813 /*
814 * Make sure we never try to use LDAP against
815 * a trusted domain as AD_DC.
816 *
817 * This shouldn't be called currently,
818 * but you never know what happens in future.
819 */
820 return NT_STATUS_REQUEST_NOT_ACCEPTED;
821 }
822
823 if (dom->private_data != NULL) {
824 *pctx = talloc_get_type_abort(dom->private_data,
825 struct idmap_ad_context);
826 return NT_STATUS_OK;
827 }
828
829 status = idmap_ad_context_create(dom, dom, dom->name, &ctx);
830 if (!NT_STATUS_IS_OK(status)) {
831 DBG_DEBUG("idmap_ad_context_create failed: %s\n",
832 nt_errstr(status));
833 return status;
834 }
835
836 dom->private_data = ctx;
837 *pctx = ctx;
838 return NT_STATUS_OK;
839 }
840
841 static NTSTATUS idmap_ad_unixids_to_sids(struct idmap_domain *dom,
842 struct id_map **ids)
843 {
844 struct idmap_ad_context *ctx;
845 TLDAPRC rc;
846 NTSTATUS status;
847 struct tldap_message **msgs;
848
849 size_t i, num_msgs;
850 char *u_filter, *g_filter, *filter;
851
852 const char *attrs[] = {
853 "sAMAccountType",
854 "objectSid",
855 NULL, /* attr_uidnumber */
856 NULL, /* attr_gidnumber */
857 };
858
859 status = idmap_ad_get_context(dom, &ctx);
860 if (!NT_STATUS_IS_OK(status)) {
861 return status;
862 }
863
864 attrs[2] = ctx->schema->uid;
865 attrs[3] = ctx->schema->gid;
866
867 u_filter = talloc_strdup(talloc_tos(), "");
868 if (u_filter == NULL) {
869 return NT_STATUS_NO_MEMORY;
870 }
871
872 g_filter = talloc_strdup(talloc_tos(), "");
873 if (g_filter == NULL) {
874 return NT_STATUS_NO_MEMORY;
875 }
876
877 for (i=0; ids[i] != NULL; i++) {
878 struct id_map *id = ids[i];
879
880 id->status = ID_UNKNOWN;
881
882 switch (id->xid.type) {
883 case ID_TYPE_UID: {
884 u_filter = talloc_asprintf_append_buffer(
885 u_filter, "(%s=%ju)", ctx->schema->uid,
886 (uintmax_t)id->xid.id);
887 if (u_filter == NULL) {
888 return NT_STATUS_NO_MEMORY;
889 }
890 break;
891 }
892
893 case ID_TYPE_GID: {
894 g_filter = talloc_asprintf_append_buffer(
895 g_filter, "(%s=%ju)", ctx->schema->gid,
896 (uintmax_t)id->xid.id);
897 if (g_filter == NULL) {
898 return NT_STATUS_NO_MEMORY;
899 }
900 break;
901 }
902
903 default:
904 DBG_WARNING("Unknown id type: %u\n",
905 (unsigned)id->xid.type);
906 break;
907 }
908 }
909
910 filter = talloc_strdup(talloc_tos(), "(|");
911 if (filter == NULL) {
912 return NT_STATUS_NO_MEMORY;
913 }
914
915 if (*u_filter != '\0') {
916 filter = talloc_asprintf_append_buffer(
917 filter,
918 "(&(|(sAMAccountType=%d)(sAMAccountType=%d)"
919 "(sAMAccountType=%d))(|%s))",
920 ATYPE_NORMAL_ACCOUNT, ATYPE_WORKSTATION_TRUST,
921 ATYPE_INTERDOMAIN_TRUST, u_filter);
922 if (filter == NULL) {
923 return NT_STATUS_NO_MEMORY;
924 }
925 }
926 TALLOC_FREE(u_filter);
927
928 if (*g_filter != '\0') {
929 filter = talloc_asprintf_append_buffer(
930 filter,
931 "(&(|(sAMAccountType=%d)(sAMAccountType=%d))(|%s))",
932 ATYPE_SECURITY_GLOBAL_GROUP,
933 ATYPE_SECURITY_LOCAL_GROUP,
934 g_filter);
935 if (filter == NULL) {
936 return NT_STATUS_NO_MEMORY;
937 }
938 }
939 TALLOC_FREE(g_filter);
940
941 filter = talloc_asprintf_append_buffer(filter, ")");
942 if (filter == NULL) {
943 return NT_STATUS_NO_MEMORY;
944 }
945
946 DBG_DEBUG("Filter: [%s]\n", filter);
947
948 rc = tldap_search(ctx->ld, ctx->default_nc, TLDAP_SCOPE_SUB, filter,
949 attrs, ARRAY_SIZE(attrs), 0, NULL, 0, NULL, 0,
950 0, 0, 0, talloc_tos(), &msgs);
951 if (!TLDAP_RC_IS_SUCCESS(rc)) {
952 return NT_STATUS_LDAP(TLDAP_RC_V(rc));
953 }
954
955 TALLOC_FREE(filter);
956
957 num_msgs = talloc_array_length(msgs);
958
959 for (i=0; i<num_msgs; i++) {
960 struct tldap_message *msg = msgs[i];
961 char *dn;
962 struct id_map *map;
963 struct dom_sid sid;
964 size_t j;
965 bool ok;
966 uint32_t atype, xid;
967 enum id_type type;
968 struct dom_sid_buf sidbuf;
969
970 if (tldap_msg_type(msg) != TLDAP_RES_SEARCH_ENTRY) {
971 continue;
972 }
973
974 ok = tldap_entry_dn(msg, &dn);
975 if (!ok) {
976 DBG_DEBUG("No dn found in msg %zu\n", i);
977 continue;
978 }
979
980 ok = idmap_ad_dn_filter(dom, dn);
981 if (!ok) {
982 DBG_DEBUG("%s filtered out\n", dn);
983 continue;
984 }
985
986 ok = tldap_pull_uint32(msg, "sAMAccountType", &atype);
987 if (!ok) {
988 DBG_DEBUG("No atype in object %s\n", dn);
989 continue;
990 }
991
992 switch (atype & 0xF0000000) {
993 case ATYPE_SECURITY_GLOBAL_GROUP:
994 case ATYPE_SECURITY_LOCAL_GROUP:
995 type = ID_TYPE_GID;
996 break;
997 case ATYPE_NORMAL_ACCOUNT:
998 case ATYPE_WORKSTATION_TRUST:
999 case ATYPE_INTERDOMAIN_TRUST:
1000 type = ID_TYPE_UID;
1001 break;
1002 default:
1003 DBG_WARNING("unrecognized SAM account type %08x\n",
1004 atype);
1005 continue;
1006 }
1007
1008 ok = tldap_pull_uint32(msg, (type == ID_TYPE_UID) ?
1009 ctx->schema->uid : ctx->schema->gid,
1010 &xid);
1011 if (!ok) {
1012 DBG_WARNING("No unix id in object %s\n", dn);
1013 continue;
1014 }
1015
1016 ok = tldap_pull_binsid(msg, "objectSid", &sid);
1017 if (!ok) {
1018 DBG_DEBUG("No objectSid in object %s\n", dn);
1019 continue;
1020 }
1021
1022 map = NULL;
1023 for (j=0; ids[j]; j++) {
1024 if ((type == ids[j]->xid.type) &&
1025 (xid == ids[j]->xid.id)) {
1026 map = ids[j];
1027 break;
1028 }
1029 }
1030 if (map == NULL) {
1031 DBG_DEBUG("Got unexpected sid %s from object %s\n",
1032 dom_sid_str_buf(&sid, &sidbuf),
1033 dn);
1034 continue;
1035 }
1036
1037 sid_copy(map->sid, &sid);
1038 map->status = ID_MAPPED;
1039
1040 DBG_DEBUG("Mapped %s -> %ju (%d)\n",
1041 dom_sid_str_buf(map->sid, &sidbuf),
1042 (uintmax_t)map->xid.id, map->xid.type);
1043 }
1044
1045 TALLOC_FREE(msgs);
1046
1047 return NT_STATUS_OK;
1048 }
1049
1050 static NTSTATUS idmap_ad_sids_to_unixids(struct idmap_domain *dom,
1051 struct id_map **ids)
1052 {
1053 struct idmap_ad_context *ctx;
1054 TLDAPRC rc;
1055 NTSTATUS status;
1056 struct tldap_message **msgs;
1057
1058 char *filter;
1059 size_t i, num_msgs;
1060
1061 const char *attrs[] = {
1062 "sAMAccountType",
1063 "objectSid",
1064 NULL, /* attr_uidnumber */
1065 NULL, /* attr_gidnumber */
1066 };
1067
1068 status = idmap_ad_get_context(dom, &ctx);
1069 if (!NT_STATUS_IS_OK(status)) {
1070 return status;
1071 }
1072
1073 attrs[2] = ctx->schema->uid;
1074 attrs[3] = ctx->schema->gid;
1075
1076 filter = talloc_asprintf(
1077 talloc_tos(),
1078 "(&(|(sAMAccountType=%d)(sAMAccountType=%d)(sAMAccountType=%d)"
1079 "(sAMAccountType=%d)(sAMAccountType=%d))(|",
1080 ATYPE_NORMAL_ACCOUNT, ATYPE_WORKSTATION_TRUST,
1081 ATYPE_INTERDOMAIN_TRUST, ATYPE_SECURITY_GLOBAL_GROUP,
1082 ATYPE_SECURITY_LOCAL_GROUP);
1083 if (filter == NULL) {
1084 return NT_STATUS_NO_MEMORY;
1085 }
1086
1087 for (i=0; ids[i]; i++) {
1088 char *sidstr;
1089
1090 ids[i]->status = ID_UNKNOWN;
1091
1092 sidstr = ldap_encode_ndr_dom_sid(talloc_tos(), ids[i]->sid);
1093 if (sidstr == NULL) {
1094 return NT_STATUS_NO_MEMORY;
1095 }
1096
1097 filter = talloc_asprintf_append_buffer(
1098 filter, "(objectSid=%s)", sidstr);
1099 TALLOC_FREE(sidstr);
1100 if (filter == NULL) {
1101 return NT_STATUS_NO_MEMORY;
1102 }
1103 }
1104
1105 filter = talloc_asprintf_append_buffer(filter, "))");
1106 if (filter == NULL) {
1107 return NT_STATUS_NO_MEMORY;
1108 }
1109
1110 DBG_DEBUG("Filter: [%s]\n", filter);
1111
1112 rc = tldap_search(ctx->ld, ctx->default_nc, TLDAP_SCOPE_SUB, filter,
1113 attrs, ARRAY_SIZE(attrs), 0, NULL, 0, NULL, 0,
1114 0, 0, 0, talloc_tos(), &msgs);
1115 if (!TLDAP_RC_IS_SUCCESS(rc)) {
1116 return NT_STATUS_LDAP(TLDAP_RC_V(rc));
1117 }
1118
1119 TALLOC_FREE(filter);
1120
1121 num_msgs = talloc_array_length(msgs);
1122
1123 for (i=0; i<num_msgs; i++) {
1124 struct tldap_message *msg = msgs[i];
1125 char *dn;
1126 struct id_map *map;
1127 struct dom_sid sid;
1128 size_t j;
1129 bool ok;
1130 uint64_t account_type, xid;
1131 enum id_type type;
1132 struct dom_sid_buf buf;
1133
1134 if (tldap_msg_type(msg) != TLDAP_RES_SEARCH_ENTRY) {
1135 continue;
1136 }
1137
1138 ok = tldap_entry_dn(msg, &dn);
1139 if (!ok) {
1140 DBG_DEBUG("No dn found in msg %zu\n", i);
1141 continue;
1142 }
1143
1144 ok = idmap_ad_dn_filter(dom, dn);
1145 if (!ok) {
1146 DBG_DEBUG("%s filtered out\n", dn);
1147 continue;
1148 }
1149
1150 ok = tldap_pull_binsid(msg, "objectSid", &sid);
1151 if (!ok) {
1152 DBG_DEBUG("No objectSid in object %s\n", dn);
1153 continue;
1154 }
1155
1156 map = NULL;
1157 for (j=0; ids[j]; j++) {
1158 if (dom_sid_equal(&sid, ids[j]->sid)) {
1159 map = ids[j];
1160 break;
1161 }
1162 }
1163 if (map == NULL) {
1164 DBG_DEBUG("Got unexpected sid %s from object %s\n",
1165 dom_sid_str_buf(&sid, &buf),
1166 dn);
1167 continue;
1168 }
1169
1170 ok = tldap_pull_uint64(msg, "sAMAccountType", &account_type);
1171 if (!ok) {
1172 DBG_DEBUG("No sAMAccountType in %s\n", dn);
1173 continue;
1174 }
1175
1176 switch (account_type & 0xF0000000) {
1177 case ATYPE_SECURITY_GLOBAL_GROUP:
1178 case ATYPE_SECURITY_LOCAL_GROUP:
1179 type = ID_TYPE_GID;
1180 break;
1181 case ATYPE_NORMAL_ACCOUNT:
1182 case ATYPE_WORKSTATION_TRUST:
1183 case ATYPE_INTERDOMAIN_TRUST:
1184 type = ID_TYPE_UID;
1185 break;
1186 default:
1187 DBG_WARNING("unrecognized SAM account type %"PRIu64"\n",
1188 account_type);
1189 continue;
1190 }
1191
1192 ok = tldap_pull_uint64(msg,
1193 type == ID_TYPE_UID ?
1194 ctx->schema->uid : ctx->schema->gid,
1195 &xid);
1196 if (!ok) {
1197 DBG_DEBUG("No xid in %s\n", dn);
1198 continue;
1199 }
1200
1201 /* mapped */
1202 map->xid.type = type;
1203 map->xid.id = xid;
1204 map->status = ID_MAPPED;
1205
1206 DEBUG(10, ("Mapped %s -> %lu (%d)\n",
1207 dom_sid_str_buf(map->sid, &buf),
1208 (unsigned long)map->xid.id, map->xid.type));
1209 }
1210
1211 TALLOC_FREE(msgs);
1212
1213 return NT_STATUS_OK;
1214 }
1215
1216 static NTSTATUS idmap_ad_unixids_to_sids_retry(struct idmap_domain *dom,
1217 struct id_map **ids)
1218 {
1219 const NTSTATUS status_server_down =
1220 NT_STATUS_LDAP(TLDAP_RC_V(TLDAP_SERVER_DOWN));
1221 NTSTATUS status;
1222
1223 status = idmap_ad_unixids_to_sids(dom, ids);
1224
1225 if (NT_STATUS_EQUAL(status, status_server_down)) {
1226 TALLOC_FREE(dom->private_data);
1227 status = idmap_ad_unixids_to_sids(dom, ids);
1228 }
1229
1230 return status;
1231 }
1232
1233 static NTSTATUS idmap_ad_sids_to_unixids_retry(struct idmap_domain *dom,
1234 struct id_map **ids)
1235 {
1236 const NTSTATUS status_server_down =
1237 NT_STATUS_LDAP(TLDAP_RC_V(TLDAP_SERVER_DOWN));
1238 NTSTATUS status;
1239
1240 status = idmap_ad_sids_to_unixids(dom, ids);
1241
1242 if (NT_STATUS_EQUAL(status, status_server_down)) {
1243 TALLOC_FREE(dom->private_data);
1244 status = idmap_ad_sids_to_unixids(dom, ids);
1245 }
1246
1247 return status;
1248 }
1249
1250 static const struct idmap_methods ad_methods = {
1251 .init = idmap_ad_initialize,
1252 .unixids_to_sids = idmap_ad_unixids_to_sids_retry,
1253 .sids_to_unixids = idmap_ad_sids_to_unixids_retry,
1254 };
1255
1256 static_decl_idmap;
1257 NTSTATUS idmap_ad_init(TALLOC_CTX *ctx)
1258 {
1259 NTSTATUS status;
1260
1261 status = smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION,
1262 "ad", &ad_methods);
1263 if (!NT_STATUS_IS_OK(status)) {
1264 return status;
1265 }
1266
1267 status = idmap_ad_nss_init(ctx);
1268 if (!NT_STATUS_IS_OK(status)) {
1269 return status;
1270 }
1271
1272 return NT_STATUS_OK;
1273 }
GSS-enabled samba4