This commit was generated by cvs2svn to compensate for changes in r30,

which included commits to RCS files with non-trunk default branches.
(This used to be commit 3a69cffb062d4f1238b8cae10481c1f2ea4d3d8b)

1 files changed, 837 insertions, 0 deletions

diff --git a/source4/nsswitch/winbindd_ads.c b/source4/nsswitch/winbindd_ads.c
new file mode 100644
index 0000000000..de3757aa44
--- /dev/null
+++ b/source4/nsswitch/winbindd_ads.c
@@ -0,0 +1,837 @@
+/* 
+   Unix SMB/CIFS implementation.
+
+   Winbind ADS backend functions
+
+   Copyright (C) Andrew Tridgell 2001
+   Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 2 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program; if not, write to the Free Software
+   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "winbindd.h"
+
+#ifdef HAVE_ADS
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_WINBIND
+
+/* the realm of our primary LDAP server */
+static char *primary_realm;
+
+
+/*
+  return our ads connections structure for a domain. We keep the connection
+  open to make things faster
+*/
+static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain)
+{
+	ADS_STRUCT *ads;
+	ADS_STATUS status;
+
+	if (domain->private) {
+		return (ADS_STRUCT *)domain->private;
+	}
+
+	/* we don't want this to affect the users ccache */
+	setenv("KRB5CCNAME", "MEMORY:winbind_ccache", 1);
+
+	ads = ads_init(domain->alt_name, domain->name, NULL);
+	if (!ads) {
+		DEBUG(1,("ads_init for domain %s failed\n", domain->name));
+		return NULL;
+	}
+
+	/* the machine acct password might have change - fetch it every time */
+	SAFE_FREE(ads->auth.password);
+	ads->auth.password = secrets_fetch_machine_password();
+
+	if (primary_realm) {
+		SAFE_FREE(ads->auth.realm);
+		ads->auth.realm = strdup(primary_realm);
+	}
+
+	status = ads_connect(ads);
+	if (!ADS_ERR_OK(status) || !ads->config.realm) {
+		extern struct winbindd_methods msrpc_methods;
+		DEBUG(1,("ads_connect for domain %s failed: %s\n", 
+			 domain->name, ads_errstr(status)));
+		ads_destroy(&ads);
+
+		/* if we get ECONNREFUSED then it might be a NT4
+                   server, fall back to MSRPC */
+		if (status.error_type == ADS_ERROR_SYSTEM &&
+		    status.err.rc == ECONNREFUSED) {
+			DEBUG(1,("Trying MSRPC methods\n"));
+			domain->methods = &msrpc_methods;
+		}
+		return NULL;
+	}
+
+	/* remember our primary realm for trusted domain support */
+	if (!primary_realm) {
+		primary_realm = strdup(ads->config.realm);
+	}
+
+	domain->private = (void *)ads;
+	return ads;
+}
+
+
+/* Query display info for a realm. This is the basic user list fn */
+static NTSTATUS query_user_list(struct winbindd_domain *domain,
+			       TALLOC_CTX *mem_ctx,
+			       uint32 *num_entries, 
+			       WINBIND_USERINFO **info)
+{
+	ADS_STRUCT *ads = NULL;
+	const char *attrs[] = {"userPrincipalName",
+			       "sAMAccountName",
+			       "name", "objectSid", "primaryGroupID", 
+			       "sAMAccountType", NULL};
+	int i, count;
+	ADS_STATUS rc;
+	void *res = NULL;
+	void *msg = NULL;
+	NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
+
+	*num_entries = 0;
+
+	DEBUG(3,("ads: query_user_list\n"));
+
+	ads = ads_cached_connection(domain);
+	if (!ads) goto done;
+
+	rc = ads_search_retry(ads, &res, "(objectCategory=user)", attrs);
+	if (!ADS_ERR_OK(rc)) {
+		DEBUG(1,("query_user_list ads_search: %s\n", ads_errstr(rc)));
+		goto done;
+	}
+
+	count = ads_count_replies(ads, res);
+	if (count == 0) {
+		DEBUG(1,("query_user_list: No users found\n"));
+		goto done;
+	}
+
+	(*info) = talloc_zero(mem_ctx, count * sizeof(**info));
+	if (!*info) {
+		status = NT_STATUS_NO_MEMORY;
+		goto done;
+	}
+
+	i = 0;
+
+	for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
+		char *name, *gecos;
+		DOM_SID sid;
+		DOM_SID *sid2;
+		DOM_SID *group_sid;
+		uint32 group;
+		uint32 atype;
+
+		if (!ads_pull_uint32(ads, msg, "sAMAccountType", &atype) ||
+		    ads_atype_map(atype) != SID_NAME_USER) {
+			DEBUG(1,("Not a user account? atype=0x%x\n", atype));
+			continue;
+		}
+
+		name = ads_pull_username(ads, mem_ctx, msg);
+		gecos = ads_pull_string(ads, mem_ctx, msg, "name");
+		if (!ads_pull_sid(ads, msg, "objectSid", &sid)) {
+			DEBUG(1,("No sid for %s !?\n", name));
+			continue;
+		}
+		if (!ads_pull_uint32(ads, msg, "primaryGroupID", &group)) {
+			DEBUG(1,("No primary group for %s !?\n", name));
+			continue;
+		}
+
+		sid2 = talloc(mem_ctx, sizeof(*sid2));
+		if (!sid2) {
+			status = NT_STATUS_NO_MEMORY;
+			goto done;
+		}
+
+		sid_copy(sid2, &sid);
+
+		group_sid = rid_to_talloced_sid(domain, mem_ctx, group);
+
+		(*info)[i].acct_name = name;
+		(*info)[i].full_name = gecos;
+		(*info)[i].user_sid = sid2;
+		(*info)[i].group_sid = group_sid;
+		i++;
+	}
+
+	(*num_entries) = i;
+	status = NT_STATUS_OK;
+
+	DEBUG(3,("ads query_user_list gave %d entries\n", (*num_entries)));
+
+done:
+	if (res) ads_msgfree(ads, res);
+
+	return status;
+}
+
+/* list all domain groups */
+static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
+				TALLOC_CTX *mem_ctx,
+				uint32 *num_entries, 
+				struct acct_info **info)
+{
+	ADS_STRUCT *ads = NULL;
+	const char *attrs[] = {"userPrincipalName", "sAMAccountName",
+			       "name", "objectSid", 
+			       "sAMAccountType", NULL};
+	int i, count;
+	ADS_STATUS rc;
+	void *res = NULL;
+	void *msg = NULL;
+	NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
+	uint32 group_flags;
+
+	*num_entries = 0;
+
+	DEBUG(3,("ads: enum_dom_groups\n"));
+
+	ads = ads_cached_connection(domain);
+	if (!ads) goto done;
+
+	rc = ads_search_retry(ads, &res, "(objectCategory=group)", attrs);
+	if (!ADS_ERR_OK(rc)) {
+		DEBUG(1,("enum_dom_groups ads_search: %s\n", ads_errstr(rc)));
+		goto done;
+	}
+
+	count = ads_count_replies(ads, res);
+	if (count == 0) {
+		DEBUG(1,("enum_dom_groups: No groups found\n"));
+		goto done;
+	}
+
+	(*info) = talloc_zero(mem_ctx, count * sizeof(**info));
+	if (!*info) {
+		status = NT_STATUS_NO_MEMORY;
+		goto done;
+	}
+
+	i = 0;
+	
+	group_flags = ATYPE_GLOBAL_GROUP;
+	if ( domain->native_mode )
+		group_flags |= ATYPE_LOCAL_GROUP;
+
+	for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
+		char *name, *gecos;
+		DOM_SID sid;
+		uint32 rid;
+		uint32 account_type;
+
+		if (!ads_pull_uint32(ads, msg, "sAMAccountType", &account_type) || !(account_type & group_flags) ) 
+			continue; 
+			
+		name = ads_pull_username(ads, mem_ctx, msg);
+		gecos = ads_pull_string(ads, mem_ctx, msg, "name");
+		if (!ads_pull_sid(ads, msg, "objectSid", &sid)) {
+			DEBUG(1,("No sid for %s !?\n", name));
+			continue;
+		}
+
+		if (!sid_peek_check_rid(&domain->sid, &sid, &rid)) {
+			DEBUG(1,("No rid for %s !?\n", name));
+			continue;
+		}
+
+		fstrcpy((*info)[i].acct_name, name);
+		fstrcpy((*info)[i].acct_desc, gecos);
+		(*info)[i].rid = rid;
+		i++;
+	}
+
+	(*num_entries) = i;
+
+	status = NT_STATUS_OK;
+
+	DEBUG(3,("ads enum_dom_groups gave %d entries\n", (*num_entries)));
+
+done:
+	if (res) ads_msgfree(ads, res);
+
+	return status;
+}
+
+/* list all domain local groups */
+static NTSTATUS enum_local_groups(struct winbindd_domain *domain,
+				TALLOC_CTX *mem_ctx,
+				uint32 *num_entries, 
+				struct acct_info **info)
+{
+	/*
+	 * This is a stub function only as we returned the domain 
+	 * ocal groups in enum_dom_groups() if the domain->native field
+	 * was true.  This is a simple performance optimization when
+	 * using LDAP.
+	 *
+	 * if we ever need to enumerate domain local groups separately, 
+	 * then this the optimization in enum_dom_groups() will need 
+	 * to be split out
+	 */
+	*num_entries = 0;
+	
+	return NT_STATUS_OK;
+}
+
+/* convert a single name to a sid in a domain */
+static NTSTATUS name_to_sid(struct winbindd_domain *domain,
+			    TALLOC_CTX *mem_ctx,
+			    const char *name,
+			    DOM_SID *sid,
+			    enum SID_NAME_USE *type)
+{
+	ADS_STRUCT *ads;
+
+	DEBUG(3,("ads: name_to_sid\n"));
+
+	ads = ads_cached_connection(domain);
+	if (!ads) 
+		return NT_STATUS_UNSUCCESSFUL;
+
+	return ads_name_to_sid(ads, name, sid, type);
+}
+
+/* convert a sid to a user or group name */
+static NTSTATUS sid_to_name(struct winbindd_domain *domain,
+			    TALLOC_CTX *mem_ctx,
+			    DOM_SID *sid,
+			    char **name,
+			    enum SID_NAME_USE *type)
+{
+	ADS_STRUCT *ads = NULL;
+	DEBUG(3,("ads: sid_to_name\n"));
+	ads = ads_cached_connection(domain);
+	if (!ads) 
+		return NT_STATUS_UNSUCCESSFUL;
+
+	return ads_sid_to_name(ads, mem_ctx, sid, name, type);
+}
+
+
+/* convert a DN to a name, SID and name type 
+   this might become a major speed bottleneck if groups have
+   lots of users, in which case we could cache the results
+*/
+static BOOL dn_lookup(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx,
+		      const char *dn,
+		      char **name, uint32 *name_type, DOM_SID *sid)
+{
+	char *exp;
+	void *res = NULL;
+	const char *attrs[] = {"userPrincipalName", "sAMAccountName",
+			       "objectSid", "sAMAccountType", NULL};
+	ADS_STATUS rc;
+	uint32 atype;
+	char *escaped_dn = escape_ldap_string_alloc(dn);
+
+	if (!escaped_dn) {
+		return False;
+	}
+
+	asprintf(&exp, "(distinguishedName=%s)", dn);
+	rc = ads_search_retry(ads, &res, exp, attrs);
+	SAFE_FREE(exp);
+	SAFE_FREE(escaped_dn);
+
+	if (!ADS_ERR_OK(rc)) {
+		goto failed;
+	}
+
+	(*name) = ads_pull_username(ads, mem_ctx, res);
+
+	if (!ads_pull_uint32(ads, res, "sAMAccountType", &atype)) {
+		goto failed;
+	}
+	(*name_type) = ads_atype_map(atype);
+
+	if (!ads_pull_sid(ads, res, "objectSid", sid)) {
+		goto failed;
+	}
+
+	if (res) ads_msgfree(ads, res);
+	return True;
+
+failed:
+	if (res) ads_msgfree(ads, res);
+	return False;
+}
+
+/* Lookup user information from a rid */
+static NTSTATUS query_user(struct winbindd_domain *domain, 
+			   TALLOC_CTX *mem_ctx, 
+			   DOM_SID *sid, 
+			   WINBIND_USERINFO *info)
+{
+	ADS_STRUCT *ads = NULL;
+	const char *attrs[] = {"userPrincipalName", 
+			       "sAMAccountName",
+			       "name", 
+			       "primaryGroupID", NULL};
+	ADS_STATUS rc;
+	int count;
+	void *msg = NULL;
+	char *exp;
+	char *sidstr;
+	uint32 group_rid;
+	NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
+	DOM_SID *sid2;
+	fstring sid_string;
+
+	DEBUG(3,("ads: query_user\n"));
+
+	ads = ads_cached_connection(domain);
+	if (!ads) goto done;
+
+	sidstr = sid_binstring(sid);
+	asprintf(&exp, "(objectSid=%s)", sidstr);
+	rc = ads_search_retry(ads, &msg, exp, attrs);
+	free(exp);
+	free(sidstr);
+	if (!ADS_ERR_OK(rc)) {
+		DEBUG(1,("query_user(sid=%s) ads_search: %s\n", sid_to_string(sid_string, sid), ads_errstr(rc)));
+		goto done;
+	}
+
+	count = ads_count_replies(ads, msg);
+	if (count != 1) {
+		DEBUG(1,("query_user(sid=%s): Not found\n", sid_to_string(sid_string, sid)));
+		goto done;
+	}
+
+	info->acct_name = ads_pull_username(ads, mem_ctx, msg);
+	info->full_name = ads_pull_string(ads, mem_ctx, msg, "name");
+
+	if (!ads_pull_uint32(ads, msg, "primaryGroupID", &group_rid)) {
+		DEBUG(1,("No primary group for %s !?\n", sid_to_string(sid_string, sid)));
+		goto done;
+	}
+	
+	sid2 = talloc(mem_ctx, sizeof(*sid2));
+	if (!sid2) {
+		status = NT_STATUS_NO_MEMORY;
+		goto done;
+	}
+	sid_copy(sid2, sid);
+	
+	info->user_sid = sid2;
+
+	info->group_sid = rid_to_talloced_sid(domain, mem_ctx, group_rid);
+
+	status = NT_STATUS_OK;
+
+	DEBUG(3,("ads query_user gave %s\n", info->acct_name));
+done:
+	if (msg) ads_msgfree(ads, msg);
+
+	return status;
+}
+
+/* Lookup groups a user is a member of - alternate method, for when
+   tokenGroups are not available. */
+static NTSTATUS lookup_usergroups_alt(struct winbindd_domain *domain,
+				      TALLOC_CTX *mem_ctx,
+				      const char *user_dn, 
+				      DOM_SID *primary_group,
+				      uint32 *num_groups, DOM_SID ***user_gids)
+{
+	ADS_STATUS rc;
+	NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
+	int count;
+	void *res = NULL;
+	void *msg = NULL;
+	char *exp;
+	ADS_STRUCT *ads;
+	const char *group_attrs[] = {"objectSid", NULL};
+
+	ads = ads_cached_connection(domain);
+	if (!ads) goto done;
+
+	/* buggy server, no tokenGroups.  Instead lookup what groups this user
+	   is a member of by DN search on member*/
+	if (asprintf(&exp, "(&(member=%s)(objectClass=group))", user_dn) == -1) {
+		DEBUG(1,("lookup_usergroups(dn=%s) asprintf failed!\n", user_dn));
+		return NT_STATUS_NO_MEMORY;
+	}
+	
+	rc = ads_search_retry(ads, &res, exp, group_attrs);
+	free(exp);
+	
+	if (!ADS_ERR_OK(rc)) {
+		DEBUG(1,("lookup_usergroups ads_search member=%s: %s\n", user_dn, ads_errstr(rc)));
+		return ads_ntstatus(rc);
+	}
+	
+	count = ads_count_replies(ads, res);
+	if (count == 0) {
+		DEBUG(5,("lookup_usergroups: No supp groups found\n"));
+		
+		status = ads_ntstatus(rc);
+		goto done;
+	}
+	
+	(*user_gids) = talloc_zero(mem_ctx, sizeof(**user_gids) * (count + 1));
+	(*user_gids)[0] = primary_group;
+	
+	*num_groups = 1;
+	
+	for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
+		DOM_SID group_sid;
+		
+		if (!ads_pull_sid(ads, msg, "objectSid", &group_sid)) {
+			DEBUG(1,("No sid for this group ?!?\n"));
+			continue;
+		}
+		
+		if (sid_equal(&group_sid, primary_group)) continue;
+		
+		(*user_gids)[*num_groups] = talloc(mem_ctx, sizeof(***user_gids));
+		if (!(*user_gids)[*num_groups]) {
+			status = NT_STATUS_NO_MEMORY;
+			goto done;
+		}
+
+		sid_copy((*user_gids)[*num_groups], &group_sid);
+
+		(*num_groups)++;
+			
+	}
+
+	status = NT_STATUS_OK;
+
+	DEBUG(3,("ads lookup_usergroups (alt) for dn=%s\n", user_dn));
+done:
+	if (res) ads_msgfree(ads, res);
+	if (msg) ads_msgfree(ads, msg);
+
+	return status;
+}
+
+/* Lookup groups a user is a member of. */
+static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
+				  TALLOC_CTX *mem_ctx,
+				  DOM_SID *sid, 
+				  uint32 *num_groups, DOM_SID ***user_gids)
+{
+	ADS_STRUCT *ads = NULL;
+	const char *attrs[] = {"distinguishedName", NULL};
+	const char *attrs2[] = {"tokenGroups", "primaryGroupID", NULL};
+	ADS_STATUS rc;
+	int count;
+	void *msg = NULL;
+	char *exp;
+	char *user_dn;
+	DOM_SID *sids;
+	int i;
+	DOM_SID *primary_group;
+	uint32 primary_group_rid;
+	char *sidstr;
+	fstring sid_string;
+	NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
+
+	DEBUG(3,("ads: lookup_usergroups\n"));
+	*num_groups = 0;
+
+	ads = ads_cached_connection(domain);
+	if (!ads) goto done;
+
+	if (!(sidstr = sid_binstring(sid))) {
+		DEBUG(1,("lookup_usergroups(sid=%s) sid_binstring returned NULL\n", sid_to_string(sid_string, sid)));
+		status = NT_STATUS_NO_MEMORY;
+		goto done;
+	}
+	if (asprintf(&exp, "(objectSid=%s)", sidstr) == -1) {
+		free(sidstr);
+		DEBUG(1,("lookup_usergroups(sid=%s) asprintf failed!\n", sid_to_string(sid_string, sid)));
+		status = NT_STATUS_NO_MEMORY;
+		goto done;
+	}
+
+	rc = ads_search_retry(ads, &msg, exp, attrs);
+	free(exp);
+	free(sidstr);
+
+	if (!ADS_ERR_OK(rc)) {
+		DEBUG(1,("lookup_usergroups(sid=%s) ads_search: %s\n", sid_to_string(sid_string, sid), ads_errstr(rc)));
+		goto done;
+	}
+
+	user_dn = ads_pull_string(ads, mem_ctx, msg, "distinguishedName");
+	if (!user_dn) {
+		DEBUG(1,("lookup_usergroups(sid=%s) ads_search did not return a a distinguishedName!\n", sid_to_string(sid_string, sid)));
+		if (msg) ads_msgfree(ads, msg);
+		goto done;
+	}
+
+	if (msg) ads_msgfree(ads, msg);
+
+	rc = ads_search_retry_dn(ads, &msg, user_dn, attrs2);
+	if (!ADS_ERR_OK(rc)) {
+		DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: %s\n", sid_to_string(sid_string, sid), ads_errstr(rc)));
+		goto done;
+	}
+
+	if (!ads_pull_uint32(ads, msg, "primaryGroupID", &primary_group_rid)) {
+		DEBUG(1,("%s: No primary group for sid=%s !?\n", domain->name, sid_to_string(sid_string, sid)));
+		goto done;
+	}
+
+	primary_group = rid_to_talloced_sid(domain, mem_ctx, primary_group_rid);
+
+	count = ads_pull_sids(ads, mem_ctx, msg, "tokenGroups", &sids);
+
+	if (msg) ads_msgfree(ads, msg);
+
+	/* there must always be at least one group in the token, 
+	   unless we are talking to a buggy Win2k server */
+	if (count == 0) {
+		return lookup_usergroups_alt(domain, mem_ctx, user_dn, 
+					     primary_group,
+					     num_groups, user_gids);
+	}
+
+	(*user_gids) = talloc_zero(mem_ctx, sizeof(**user_gids) * (count + 1));
+	(*user_gids)[0] = primary_group;
+	
+	*num_groups = 1;
+	
+	for (i=0;i<count;i++) {
+		if (sid_equal(&sids[i], primary_group)) continue;
+		
+		(*user_gids)[*num_groups] = talloc(mem_ctx, sizeof(***user_gids));
+		if (!(*user_gids)[*num_groups]) {
+			status = NT_STATUS_NO_MEMORY;
+			goto done;
+		}
+
+		sid_copy((*user_gids)[*num_groups], &sids[i]);
+		(*num_groups)++;
+	}
+
+	status = NT_STATUS_OK;
+	DEBUG(3,("ads lookup_usergroups for sid=%s\n", sid_to_string(sid_string, sid)));
+done:
+	return status;
+}
+
+/*
+  find the members of a group, given a group rid and domain
+ */
+static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
+				TALLOC_CTX *mem_ctx,
+				DOM_SID *group_sid, uint32 *num_names, 
+				DOM_SID ***sid_mem, char ***names, 
+				uint32 **name_types)
+{
+	ADS_STATUS rc;
+	int count;
+	void *res=NULL;
+	ADS_STRUCT *ads = NULL;
+	char *exp;
+	NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
+	char *sidstr;
+	const char *attrs[] = {"member", NULL};
+	char **members;
+	int i, num_members;
+	fstring sid_string;
+
+	*num_names = 0;
+
+	ads = ads_cached_connection(domain);
+	if (!ads) goto done;
+
+	sidstr = sid_binstring(group_sid);
+
+	/* search for all members of the group */
+	asprintf(&exp, "(objectSid=%s)",sidstr);
+	rc = ads_search_retry(ads, &res, exp, attrs);
+	free(exp);
+	free(sidstr);
+
+	if (!ADS_ERR_OK(rc)) {
+		DEBUG(1,("query_user_list ads_search: %s\n", ads_errstr(rc)));
+		goto done;
+	}
+
+	count = ads_count_replies(ads, res);
+	if (count == 0) {
+		status = NT_STATUS_OK;
+		goto done;
+	}
+
+	members = ads_pull_strings(ads, mem_ctx, res, "member");
+	if (!members) {
+		/* no members? ok ... */
+		status = NT_STATUS_OK;
+		goto done;
+	}
+
+	/* now we need to turn a list of members into rids, names and name types 
+	   the problem is that the members are in the form of distinguised names
+	*/
+	for (i=0;members[i];i++) /* noop */ ;
+	num_members = i;
+
+	(*sid_mem) = talloc_zero(mem_ctx, sizeof(**sid_mem) * num_members);
+	(*name_types) = talloc_zero(mem_ctx, sizeof(**name_types) * num_members);
+	(*names) = talloc_zero(mem_ctx, sizeof(**names) * num_members);
+
+	for (i=0;i<num_members;i++) {
+		uint32 name_type;
+		char *name;
+		DOM_SID sid;
+
+		if (dn_lookup(ads, mem_ctx, members[i], &name, &name_type, &sid)) {
+		    (*names)[*num_names] = name;
+		    (*name_types)[*num_names] = name_type;
+		    (*sid_mem)[*num_names] = talloc(mem_ctx, sizeof(***sid_mem));
+		    if (!(*sid_mem)[*num_names]) {
+			    status = NT_STATUS_NO_MEMORY;
+			    goto done;
+		    }
+		    sid_copy((*sid_mem)[*num_names], &sid);
+		    (*num_names)++;
+		}
+	}	
+
+	status = NT_STATUS_OK;
+	DEBUG(3,("ads lookup_groupmem for sid=%s\n", sid_to_string(sid_string, group_sid)));
+done:
+	if (res) ads_msgfree(ads, res);
+
+	return status;
+}
+
+
+/* find the sequence number for a domain */
+static NTSTATUS sequence_number(struct winbindd_domain *domain, uint32 *seq)
+{
+	ADS_STRUCT *ads = NULL;
+	ADS_STATUS rc;
+
+	*seq = DOM_SEQUENCE_NONE;
+
+	ads = ads_cached_connection(domain);
+	if (!ads) return NT_STATUS_UNSUCCESSFUL;
+
+	rc = ads_USN(ads, seq);
+	if (!ADS_ERR_OK(rc)) {
+		/* its a dead connection */
+		ads_destroy(&ads);
+		domain->private = NULL;
+	}
+	return ads_ntstatus(rc);
+}
+
+/* get a list of trusted domains */
+static NTSTATUS trusted_domains(struct winbindd_domain *domain,
+				TALLOC_CTX *mem_ctx,
+				uint32 *num_domains,
+				char ***names,
+				char ***alt_names,
+				DOM_SID **dom_sids)
+{
+	ADS_STRUCT *ads;
+	ADS_STATUS rc;
+
+	*num_domains = 0;
+	*names = NULL;
+
+	ads = ads_cached_connection(domain);
+	if (!ads) return NT_STATUS_UNSUCCESSFUL;
+
+	rc = ads_trusted_domains(ads, mem_ctx, num_domains, names, alt_names, dom_sids);
+
+	return ads_ntstatus(rc);
+}
+
+/* find the domain sid for a domain */
+static NTSTATUS domain_sid(struct winbindd_domain *domain, DOM_SID *sid)
+{
+	ADS_STRUCT *ads;
+	ADS_STATUS rc;
+
+	ads = ads_cached_connection(domain);
+	if (!ads) return NT_STATUS_UNSUCCESSFUL;
+
+	rc = ads_domain_sid(ads, sid);
+
+	if (!ADS_ERR_OK(rc)) {
+		/* its a dead connection */
+		ads_destroy(&ads);
+		domain->private = NULL;
+	}
+
+	return ads_ntstatus(rc);
+}
+
+
+/* find alternate names list for the domain - for ADS this is the
+   netbios name */
+static NTSTATUS alternate_name(struct winbindd_domain *domain)
+{
+	ADS_STRUCT *ads;
+	ADS_STATUS rc;
+	TALLOC_CTX *ctx;
+	char *workgroup;
+
+	ads = ads_cached_connection(domain);
+	if (!ads) return NT_STATUS_UNSUCCESSFUL;
+
+	if (!(ctx = talloc_init("alternate_name"))) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	rc = ads_workgroup_name(ads, ctx, &workgroup);
+
+	if (ADS_ERR_OK(rc)) {
+		fstrcpy(domain->name, workgroup);
+		fstrcpy(domain->alt_name, ads->config.realm);
+		strupper(domain->alt_name);
+		strupper(domain->name);
+	}
+
+	talloc_destroy(ctx);
+
+	return ads_ntstatus(rc);	
+}
+
+/* the ADS backend methods are exposed via this structure */
+struct winbindd_methods ads_methods = {
+	True,
+	query_user_list,
+	enum_dom_groups,
+	enum_local_groups,
+	name_to_sid,
+	sid_to_name,
+	query_user,
+	lookup_usergroups,
+	lookup_groupmem,
+	sequence_number,
+	trusted_domains,
+	domain_sid,
+	alternate_name
+};
+
+#endif