summaryrefslogtreecommitdiff
path: root/source3
diff options
context:
space:
mode:
Diffstat (limited to 'source3')
-rw-r--r--source3/nsswitch/winbindd_ads.c184
1 files changed, 77 insertions, 107 deletions
diff --git a/source3/nsswitch/winbindd_ads.c b/source3/nsswitch/winbindd_ads.c
index 9c96496261..b069793d6b 100644
--- a/source3/nsswitch/winbindd_ads.c
+++ b/source3/nsswitch/winbindd_ads.c
@@ -402,49 +402,10 @@ static NTSTATUS enum_local_groups(struct winbindd_domain *domain,
return NT_STATUS_OK;
}
-/* convert a DN to a name, SID and name type
- this might become a major speed bottleneck if groups have
- lots of users, in which case we could cache the results
-*/
-static BOOL dn_lookup(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx,
- const char *dn,
- char **name, uint32 *name_type, DOM_SID *sid)
-{
- LDAPMessage *res = NULL;
- const char *attrs[] = {"userPrincipalName", "sAMAccountName",
- "objectSid", "sAMAccountType", NULL};
- ADS_STATUS rc;
- uint32 atype;
- DEBUG(3,("ads: dn_lookup\n"));
-
- rc = ads_search_retry_dn(ads, &res, dn, attrs);
-
- if (!ADS_ERR_OK(rc) || !res) {
- goto failed;
- }
-
- (*name) = ads_pull_username(ads, mem_ctx, res);
-
- if (!ads_pull_uint32(ads, res, "sAMAccountType", &atype)) {
- goto failed;
- }
- (*name_type) = ads_atype_map(atype);
-
- if (!ads_pull_sid(ads, res, "objectSid", sid)) {
- goto failed;
- }
-
- if (res)
- ads_msgfree(ads, res);
-
- return True;
-
-failed:
- if (res)
- ads_msgfree(ads, res);
-
- return False;
-}
+/* If you are looking for "dn_lookup": Yes, it used to be here!
+ * It has gone now since it was a major speed bottleneck in
+ * lookup_groupmem (its only use). It has been replaced by
+ * an rpc lookup sids call... R.I.P. */
/* Lookup user information from a rid */
static NTSTATUS query_user(struct winbindd_domain *domain,
@@ -942,11 +903,14 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
char *ldap_exp;
NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
char *sidstr;
- char **members;
+ char **members = NULL;
int i;
- size_t num_members;
- fstring sid_string;
+ size_t num_members = 0;
ads_control args;
+ char **domains = NULL; /* only needed for rpccli_lsa_lookup_sids */
+ struct rpc_pipe_client *cli;
+ POLICY_HND lsa_policy;
+
DEBUG(10,("ads: lookup_groupmem %s sid=%s\n", domain->name,
sid_string_static(group_sid)));
@@ -980,9 +944,6 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
}
SAFE_FREE(sidstr);
- members = NULL;
- num_members = 0;
-
args.control = ADS_EXTENDED_DN_OID;
args.val = ADS_EXTENDED_DN_HEX_STRING;
args.critical = True;
@@ -996,69 +957,78 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
goto done;
}
- /* now we need to turn a list of members into rids, names and name types
- the problem is that the members are in the form of distinguised names
- */
-
- if (num_members) {
- (*sid_mem) = TALLOC_ZERO_ARRAY(mem_ctx, DOM_SID, num_members);
- (*name_types) = TALLOC_ZERO_ARRAY(mem_ctx, uint32, num_members);
- (*names) = TALLOC_ZERO_ARRAY(mem_ctx, char *, num_members);
-
- if ((members == NULL) || (*sid_mem == NULL) ||
- (*name_types == NULL) || (*names == NULL)) {
- DEBUG(1, ("talloc failed\n"));
- status = NT_STATUS_NO_MEMORY;
- goto done;
- }
- } else {
- (*sid_mem) = NULL;
- (*name_types) = NULL;
- (*names) = NULL;
- }
-
- for (i=0;i<num_members;i++) {
- uint32 name_type;
- char *name, *domain_name, *dn;
- DOM_SID sid;
-
- if ((!ads_get_sid_from_extended_dn(mem_ctx, members[i], ADS_EXTENDED_DN_HEX_STRING, &sid)) ||
- (!ads_get_dn_from_extended_dn(mem_ctx, members[i], &dn)))
- {
- status = NT_STATUS_INVALID_PARAMETER;
- goto done;
- }
-
- if (lookup_cached_sid(mem_ctx, &sid, &domain_name, &name, &name_type)) {
-
- DEBUG(10,("ads: lookup_groupmem: got sid %s from cache\n",
- sid_string_static(&sid)));
-
- (*names)[*num_names] = CONST_DISCARD(char *,name);
- (*name_types)[*num_names] = name_type;
- sid_copy(&(*sid_mem)[*num_names], &sid);
-
- (*num_names)++;
+ (*sid_mem) = TALLOC_ZERO_ARRAY(mem_ctx, DOM_SID, num_members);
+ if ((num_members != 0) &&
+ ((members == NULL) || (*sid_mem == NULL))) {
+ DEBUG(1, ("talloc failed\n"));
+ status = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
- continue;
+ for (i=0; i<num_members; i++) {
+ if (!ads_get_sid_from_extended_dn(mem_ctx, members[i], args.val, &(*sid_mem)[i])) {
+ goto done;
}
-
- if (dn_lookup(ads, mem_ctx, dn, &name, &name_type, &sid)) {
-
- DEBUG(10,("ads: lookup_groupmem: got sid %s from dn_lookup\n",
- sid_string_static(&sid)));
-
- (*names)[*num_names] = name;
- (*name_types)[*num_names] = name_type;
- sid_copy(&(*sid_mem)[*num_names], &sid);
-
+ }
+
+ DEBUG(10, ("ads lookup_groupmem: got %d sids via extended dn call\n", num_members));
+
+ /* now that we have a list of sids, we need to get the
+ * lists of names and name_types belonging to these sids.
+ * even though conceptually not quite clean, we use the
+ * RPC call lsa_lookup_sids for this since it can handle a
+ * list of sids. ldap calls can just resolve one sid at a time. */
+
+ status = cm_connect_lsa(domain, mem_ctx, &cli, &lsa_policy);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto done;
+ }
+
+ status = rpccli_lsa_lookup_sids_all(cli, mem_ctx, &lsa_policy,
+ num_members, *sid_mem, &domains,
+ names, name_types);
+
+ if (NT_STATUS_IS_OK(status)) {
+ *num_names = num_members;
+ }
+ else if (NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED)) {
+ /* We need to remove gaps from the arrays...
+ * Do this by simply moving entries down in the
+ * arrays once a gap is encountered instead of
+ * allocating (and reallocating...) new arrays and
+ * copying complete entries over. */
+ *num_names = 0;
+ for (i=0; i < num_members; i++) {
+ if (((*names)[i] == NULL) || ((*name_types)[i] == SID_NAME_UNKNOWN))
+ {
+ /* unresolved sid: gap! */
+ continue;
+ }
+ if (i != *num_names) {
+ /* if we have already had a gap, copy down: */
+ (*names)[*num_names] = (*names)[i];
+ (*name_types)[*num_names] = (*name_types)[i];
+ (*sid_mem)[*num_names] = (*sid_mem)[i];
+ }
(*num_names)++;
-
}
- }
-
+ }
+ else if (NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)) {
+ DEBUG(10, ("lookup_groupmem: lsa_lookup_sids could "
+ "not map any SIDs at all.\n"));
+ goto done;
+ }
+ else if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(10, ("lookup_groupmem: Error looking up %d "
+ "sids via rpc_lsa_lookup_sids: %s\n",
+ num_members, nt_errstr(status)));
+ goto done;
+ }
+
status = NT_STATUS_OK;
- DEBUG(3,("ads lookup_groupmem for sid=%s succeeded\n", sid_to_string(sid_string, group_sid)));
+ DEBUG(3,("ads lookup_groupmem for sid=%s succeeded\n",
+ sid_string_static(group_sid)));
+
done:
if (res)