From 2285b99cb1047ea85589ef23d4ca73278a15ee08 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Mon, 3 Dec 2001 06:04:18 +0000 Subject: added a basic ADS backend to winbind. More work needed, but at least basic operations work (This used to be commit 88241cab983b2c7db7d477c6c4654694a7a56cd3) --- source3/Makefile.in | 3 +- source3/include/ads.h | 3 + source3/lib/util_sid.c | 18 +++- source3/libads/ldap.c | 88 +++++++++++++++-- source3/nsswitch/winbindd_ads.c | 207 +++++++++++++++++++++++++++++++++++++++ source3/nsswitch/winbindd_rpc.c | 20 ++-- source3/nsswitch/winbindd_util.c | 18 +++- 7 files changed, 335 insertions(+), 22 deletions(-) create mode 100644 source3/nsswitch/winbindd_ads.c (limited to 'source3') diff --git a/source3/Makefile.in b/source3/Makefile.in index 1aa3e02efa..e347d19766 100644 --- a/source3/Makefile.in +++ b/source3/Makefile.in @@ -415,7 +415,8 @@ WINBINDD_OBJ1 = \ nsswitch/winbindd_sid.o \ nsswitch/winbindd_misc.o \ nsswitch/winbindd_cm.o \ - nsswitch/winbindd_rpc.o + nsswitch/winbindd_rpc.o \ + nsswitch/winbindd_ads.o NECESSARY_BECAUSE_SAMBA_DEPENDENCIES_ARE_SO_BROKEN_OBJ = \ rpc_client/cli_netlogon.o rpc_client/cli_login.o \ diff --git a/source3/include/ads.h b/source3/include/ads.h index a2584454ec..3c26ed39c1 100644 --- a/source3/include/ads.h +++ b/source3/include/ads.h @@ -27,3 +27,6 @@ typedef struct { #define UF_INTERDOMAIN_TRUST_ACCOUNT 0x0800 #define UF_WORKSTATION_TRUST_ACCOUNT 0x1000 #define UF_SERVER_TRUST_ACCOUNT 0x2000 + +/* account types */ +#define ATYPE_NORMAL_GROUP 0x10000000 diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index 06ff9510b7..0f1b22ca27 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c @@ -494,7 +494,6 @@ DOM_SID *sid_dup(DOM_SID *src) /***************************************************************** Write a sid out into on-the-wire format. *****************************************************************/ - BOOL sid_linearize(char *outbuf, size_t len, DOM_SID *sid) { size_t i; 
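Review bot: `ATYPE_NORMAL_GROUP` is consumed as a bit mask in winbindd_ads.c (`account_type & ATYPE_NORMAL_GROUP`), but sAMAccountType is, to my knowledge, an enumerated type code rather than a set of flag bits, so masking also accepts any other type code that happens to share the bit. The header comment should say how the value is meant to be compared, e.g. `/* sAMAccountType values: one enumerated code per object, compare with ==, unlike the UF_* flag bits above */`, and the consumer should then test `account_type == ATYPE_NORMAL_GROUP`.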
@@ -511,6 +510,23 @@ BOOL sid_linearize(char *outbuf, size_t len, DOM_SID *sid) return True; } +/***************************************************************** + parse a on-the-wire SID to a DOM_SID +*****************************************************************/ +BOOL sid_parse(char *inbuf, size_t len, DOM_SID *sid) +{ + int i; + if (len < 8) return False; + sid->sid_rev_num = CVAL(inbuf, 0); + sid->num_auths = CVAL(inbuf, 1); + memcpy(sid->id_auth, inbuf+2, 6); + if (len < 8 + sid->num_auths*4) return False; + for (i=0;inum_auths;i++) { + sid->sub_auths[i] = IVAL(inbuf, 8+i*4); + } + return True; +} + /***************************************************************** Compare two sids. *****************************************************************/ diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c index 3e24273dc7..61d805ab86 100644 --- a/source3/libads/ldap.c +++ b/source3/libads/ldap.c @@ -228,7 +228,7 @@ static void dump_string(const char *field, struct berval **values) void ads_dump(ADS_STRUCT *ads, void *res) { char *field; - LDAPMessage *msg; + void *msg; BerElement *b; struct { char *name; @@ -239,15 +239,14 @@ void ads_dump(ADS_STRUCT *ads, void *res) {NULL, NULL} }; - for (msg = ldap_first_entry(ads->ld, (LDAPMessage *)res); - msg; msg = ldap_next_entry(ads->ld, msg)) { - for (field = ldap_first_attribute(ads->ld, msg, &b); + for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) { + for (field = ldap_first_attribute(ads->ld, (LDAPMessage *)msg, &b); field; - field = ldap_next_attribute(ads->ld, msg, b)) { + field = ldap_next_attribute(ads->ld, (LDAPMessage *)msg, b)) { struct berval **values; int i; - values = ldap_get_values_len(ads->ld, msg, field); + values = ldap_get_values_len(ads->ld, (LDAPMessage *)msg, field); for (i=0; handlers[i].name; i++) { if (StrCaseCmp(handlers[i].name, field) == 0) { 
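Review bot: `sid_parse` copies `num_auths` sub-authorities into `sid->sub_auths` without checking that the wire value fits the fixed-size array, so a malformed SID coming from the directory (`ads_pull_sid` feeds the raw `objectSid` bytes of an LDAP reply into this function) writes past the end of the DOM_SID; after reading the count add `if (sid->num_auths > MAXSUBAUTHS) return False;` (MAXSUBAUTHS being the declared size of `sub_auths` in smb.h — adjust the name if it differs). `inbuf` is only read, so `const char *inbuf` would document that and let callers pass const buffers. The loop condition appears as `i num_auths` in this rendering, presumably `i<sid->num_auths` lost in extraction; the stored file should be checked.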
@@ -365,8 +364,79 @@ NTSTATUS ads_set_machine_password(ADS_STRUCT *ads, return ret; } +/* + pull the first entry from a ADS result +*/ +void *ads_first_entry(ADS_STRUCT *ads, void *res) +{ + return (void *)ldap_first_entry(ads->ld, (LDAPMessage *)res); +} + +/* + pull the next entry from a ADS result +*/ +void *ads_next_entry(ADS_STRUCT *ads, void *res) +{ + return (void *)ldap_next_entry(ads->ld, (LDAPMessage *)res); +} + +/* + pull a single string from a ADS result +*/ +char *ads_pull_string(ADS_STRUCT *ads, + TALLOC_CTX *mem_ctx, void *msg, const char *field) +{ + char **values; + char *ret; + + values = ldap_get_values(ads->ld, msg, field); + + if (!values || !values[0]) return NULL; + + ret = talloc_strdup(mem_ctx, values[0]); + ldap_value_free(values); + return ret; +} + +/* + pull a single uint32 from a ADS result +*/ +BOOL ads_pull_uint32(ADS_STRUCT *ads, + void *msg, const char *field, uint32 *v) +{ + char **values; + + values = ldap_get_values(ads->ld, msg, field); + + if (!values || !values[0]) return False; + + *v = atoi(values[0]); + ldap_value_free(values); + return True; +} + +/* + pull a single DOM_SID from a ADS result +*/ +BOOL ads_pull_sid(ADS_STRUCT *ads, + void *msg, const char *field, DOM_SID *sid) +{ + struct berval **values; + BOOL ret; + + values = ldap_get_values_len(ads->ld, msg, field); + + if (!values || !values[0]) return False; + + ret = sid_parse(values[0]->bv_val, values[0]->bv_len, sid); + + ldap_value_free_len(values); + return ret; +} + + /* find the update serial number - this is the core of the ldap cache */ -BOOL ads_USN(ADS_STRUCT *ads, unsigned *usn) +BOOL ads_USN(ADS_STRUCT *ads, uint32 *usn) { const char *attrs[] = {"highestCommittedUSN", NULL}; int rc; 
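Review bot: `ads_pull_uint32` converts the attribute text with `atoi`, which reports no error: a non-numeric value silently becomes 0 and is returned as success, and a value that does not fit an int (highestCommittedUSN, which ads_USN now feeds through this helper, is I believe a 64-bit counter on the DC) is undefined behaviour for atoi; parse with `strtoul` and fail on trailing text or overflow instead (below; needs `<errno.h>` if the file's includes do not already provide it). In all three new pull helpers the `!values[0]` branch returns without `ldap_value_free(values)` (or `ldap_value_free_len` in `ads_pull_sid`), leaking the empty value array. `ads_pull_sid` hands `values[0]->bv_len` bytes straight from the directory to `sid_parse`, so that parser must bound `num_auths` by the size of `sub_auths` before its copy loop for this helper to be safe.
```c
BOOL ads_pull_uint32(ADS_STRUCT *ads,
		     void *msg, const char *field, uint32 *v)
{
	char **values;
	char *end;
	unsigned long n;

	values = ldap_get_values(ads->ld, msg, field);

	if (!values || !values[0]) {
		ldap_value_free(values);	/* ldap_value_free(NULL) is a no-op */
		return False;
	}

	/* reject non-numeric or out-of-range text instead of silently yielding 0 */
	errno = 0;
	n = strtoul(values[0], &end, 10);
	if (end == values[0] || *end != '\0' || errno == ERANGE || n > 0xffffffffUL) {
		ldap_value_free(values);
		return False;
	}
	*v = (uint32)n;
	ldap_value_free(values);
	return True;
}
```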
@@ -375,7 +445,9 @@ BOOL ads_USN(ADS_STRUCT *ads, unsigned *usn) rc = ldap_search_s(ads->ld, ads->bind_path, LDAP_SCOPE_BASE, "(objectclass=*)", (char **)attrs, 0, (LDAPMessage **)&res); if (rc || ads_count_replies(ads, res) != 1) return False; - return False; + return ads_pull_uint32(ads, res, "highestCommittedUSN", usn); } + + #endif diff --git a/source3/nsswitch/winbindd_ads.c b/source3/nsswitch/winbindd_ads.c new file mode 100644 index 0000000000..c728f9659c --- /dev/null +++ b/source3/nsswitch/winbindd_ads.c 
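Review bot: `ads_USN` never releases the search result: `res` from `ldap_search_s` is not passed to `ldap_msgfree` on either the early `return False` or the new success return, so every cache poll leaks an LDAPMessage, unless it is freed somewhere outside this hunk (the declarations above would show that). `ads_pull_uint32` is also given the whole result `res` rather than an entry; `ldap_get_values` is documented to take an entry, and `ads_dump` obtains one via `ads_first_entry(ads, res)`, so the same should be done here even if the chain head happens to be the entry in practice. The rewrite below assumes a `BOOL ret` local next to `rc` and `res` initialised to NULL where it is declared.
```c
	rc = ldap_search_s(ads->ld, ads->bind_path, LDAP_SCOPE_BASE, "(objectclass=*)",
			   (char **)attrs, 0, (LDAPMessage **)&res);
	if (rc || ads_count_replies(ads, res) != 1) {
		if (res) ldap_msgfree((LDAPMessage *)res);	/* a failed search may still hand back a message */
		return False;
	}
	ret = ads_pull_uint32(ads, ads_first_entry(ads, res), "highestCommittedUSN", usn);
	ldap_msgfree((LDAPMessage *)res);	/* value has been copied out; result no longer needed */
	return ret;
```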
@@ -0,0 +1,207 @@ +/* + Unix SMB/Netbios implementation. + + Winbind ADS backend functions + + Copyright (C) Andrew Tridgell 2001 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "winbindd.h" + +#ifdef HAVE_ADS + +/* Query display info for a realm. This is the basic user list fn */ +static NTSTATUS query_dispinfo(struct winbindd_domain *domain, + TALLOC_CTX *mem_ctx, + uint32 *start_ndx, uint32 *num_entries, + WINBIND_DISPINFO **info) +{ + ADS_STRUCT *ads; + const char *attrs[] = {"sAMAccountName", "name", "objectSid", "primaryGroupID", + "userAccountControl", NULL}; + int rc, i, count; + void *res; + void *msg; + + DEBUG(3,("ads: query_dispinfo\n")); + + if ((*start_ndx) != 0) { + DEBUG(1,("ads backend start_ndx not implemented\n")); + return NT_STATUS_NOT_IMPLEMENTED; + } + + ads = ads_init(NULL, NULL, NULL); + if (!ads) { + DEBUG(1,("ads_init failed\n")); + return NT_STATUS_UNSUCCESSFUL; + } + + rc = ads_connect(ads); + if (rc) { + DEBUG(1,("query_dispinfo ads_connect: %s\n", ads_errstr(rc))); + return NT_STATUS_UNSUCCESSFUL; + } + + rc = ads_search(ads, &res, "(objectclass=user)", attrs); + if (rc) { + DEBUG(1,("query_dispinfo ads_search: %s\n", ads_errstr(rc))); + return NT_STATUS_UNSUCCESSFUL; + } + + count = ads_count_replies(ads, res); + if (count == 0) { + DEBUG(1,("query_dispinfo: No users found\n")); + return 
NT_STATUS_UNSUCCESSFUL; + } + + (*info) = talloc(mem_ctx, count * sizeof(**info)); + if (!*info) return NT_STATUS_NO_MEMORY; + + i = 0; + + for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) { + char *name, *gecos; + DOM_SID sid; + uint32 rid, group; + uint32 account_control; + + if (!ads_pull_uint32(ads, msg, "userAccountControl", + &account_control) || + !(account_control & UF_NORMAL_ACCOUNT)) continue; + + name = ads_pull_string(ads, mem_ctx, msg, "sAMAccountName"); + gecos = ads_pull_string(ads, mem_ctx, msg, "name"); + if (!ads_pull_sid(ads, msg, "objectSid", &sid)) { + DEBUG(1,("No sid for %s !?\n", name)); + continue; + } + if (!ads_pull_uint32(ads, msg, "primaryGroupID", &group)) { + DEBUG(1,("No primary group for %s !?\n", name)); + continue; + } + + if (!sid_peek_rid(&sid, &rid)) { + DEBUG(1,("No rid for %s !?\n", name)); + continue; + } + + (*info)[i].acct_name = name; + (*info)[i].full_name = gecos; + (*info)[i].user_rid = rid; + (*info)[i].group_rid = group; + i++; + } + + (*num_entries) = i; + + ads_destroy(&ads); + + return NT_STATUS_OK; +} + +/* list all domain groups */ +static NTSTATUS enum_dom_groups(struct winbindd_domain *domain, + TALLOC_CTX *mem_ctx, + uint32 *start_ndx, uint32 *num_entries, + struct acct_info **info) +{ + ADS_STRUCT *ads; + const char *attrs[] = {"sAMAccountName", "name", "objectSid", + "sAMAccountType", NULL}; + int rc, i, count; + void *res; + void *msg; + + DEBUG(3,("ads: enum_dom_groups\n")); + + if ((*start_ndx) != 0) { + DEBUG(1,("ads backend start_ndx not implemented\n")); + return NT_STATUS_NOT_IMPLEMENTED; + } + + ads = ads_init(NULL, NULL, NULL); + if (!ads) { + DEBUG(1,("ads_init failed\n")); + return NT_STATUS_UNSUCCESSFUL; + } + + rc = ads_connect(ads); + if (rc) { + DEBUG(1,("query_dispinfo ads_connect: %s\n", ads_errstr(rc))); + return NT_STATUS_UNSUCCESSFUL; + } + + rc = ads_search(ads, &res, "(objectclass=group)", attrs); + if (rc) { + DEBUG(1,("query_dispinfo ads_search: %s\n", 
ads_errstr(rc))); + return NT_STATUS_UNSUCCESSFUL; + } + + count = ads_count_replies(ads, res); + if (count == 0) { + DEBUG(1,("query_dispinfo: No users found\n")); + return NT_STATUS_UNSUCCESSFUL; + } + + (*info) = talloc(mem_ctx, count * sizeof(**info)); + if (!*info) return NT_STATUS_NO_MEMORY; + + i = 0; + + for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) { + char *name, *gecos; + DOM_SID sid; + uint32 rid; + uint32 account_type; + + if (!ads_pull_uint32(ads, msg, "sAMAccountType", + &account_type) || + !(account_type & ATYPE_NORMAL_GROUP)) continue; + + name = ads_pull_string(ads, mem_ctx, msg, "sAMAccountName"); + gecos = ads_pull_string(ads, mem_ctx, msg, "name"); + if (!ads_pull_sid(ads, msg, "objectSid", &sid)) { + DEBUG(1,("No sid for %s !?\n", name)); + continue; + } + + if (!sid_peek_rid(&sid, &rid)) { + DEBUG(1,("No rid for %s !?\n", name)); + continue; + } + + fstrcpy((*info)[i].acct_name, name); + fstrcpy((*info)[i].acct_desc, gecos); + (*info)[i].rid = rid; + i++; + } + + (*num_entries) = i; + + ads_destroy(&ads); + + return NT_STATUS_OK; +} + + +/* the rpc backend methods are exposed via this structure */ +struct winbindd_methods ads_methods = { + query_dispinfo, + enum_dom_groups +}; + +#endif diff --git a/source3/nsswitch/winbindd_rpc.c b/source3/nsswitch/winbindd_rpc.c index 6b86ebd2da..ba428c5aed 100644 --- a/source3/nsswitch/winbindd_rpc.c +++ b/source3/nsswitch/winbindd_rpc.c 
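Review bot: Every early return after `ads = ads_init(NULL, NULL, NULL)` in both `query_dispinfo` and `enum_dom_groups` (the `ads_connect`, `ads_search`, `count == 0` and `talloc` failures) leaks the ADS_STRUCT, because only the success path reaches `ads_destroy(&ads)`; one `done:` label that destroys the handle covers all of them (sketched below for query_dispinfo, the same shape applies to enum_dom_groups). `ads_pull_string` returns NULL when the attribute is absent, yet `name` goes straight into the `%s` DEBUG calls and, in enum_dom_groups, into `fstrcpy((*info)[i].acct_name, name)`, so an entry without sAMAccountName dereferences NULL — skip such entries before using the name. Neither function uses its `domain` argument, and with `ads_init(NULL, NULL, NULL)` the backend presumably always talks to the default realm, which matters once winbindd_util.c hands these methods to every trusted domain. The enum_dom_groups log lines were copied from query_dispinfo (`"query_dispinfo ads_connect"`, `"No users found"`) and should name the group enumerator so operators can attribute failures. Whether `res` must be released with ldap_msgfree or is owned by the ADS handle is not visible here; confirm, and free it on the same `done:` path if needed.
```c
static NTSTATUS query_dispinfo(struct winbindd_domain *domain,
			       TALLOC_CTX *mem_ctx,
			       uint32 *start_ndx, uint32 *num_entries,
			       WINBIND_DISPINFO **info)
{
	NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
	/* … unchanged: attrs, rc/i/count, res, msg, start_ndx check, ads_init and its failure return … */

	rc = ads_connect(ads);
	if (rc) {
		DEBUG(1,("query_dispinfo ads_connect: %s\n", ads_errstr(rc)));
		goto done;
	}

	rc = ads_search(ads, &res, "(objectclass=user)", attrs);
	if (rc) {
		DEBUG(1,("query_dispinfo ads_search: %s\n", ads_errstr(rc)));
		goto done;
	}

	count = ads_count_replies(ads, res);
	if (count == 0) {
		DEBUG(1,("query_dispinfo: No users found\n"));
		goto done;
	}

	(*info) = talloc(mem_ctx, count * sizeof(**info));
	if (!*info) {
		status = NT_STATUS_NO_MEMORY;
		goto done;
	}

	i = 0;
	for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
		/* … unchanged: per-entry locals and userAccountControl filter … */
		name = ads_pull_string(ads, mem_ctx, msg, "sAMAccountName");
		if (!name) {
			/* nothing to report for an entry without a name; never pass NULL on */
			DEBUG(1,("query_dispinfo: entry without sAMAccountName skipped\n"));
			continue;
		}
		/* … unchanged: gecos, objectSid, primaryGroupID, rid and (*info)[i] fill … */
	}

	(*num_entries) = i;
	status = NT_STATUS_OK;

done:
	ads_destroy(&ads);	/* released on every path, not only on success */
	return status;
}
```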
@@ -26,10 +26,10 @@ /* Query display info for a domain. This returns enough information plus a bit extra to give an overview of domain users for the User Manager application. */ -static NTSTATUS winbindd_query_dispinfo(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - uint32 *start_ndx, uint32 *num_entries, - WINBIND_DISPINFO **info) +static NTSTATUS query_dispinfo(struct winbindd_domain *domain, + TALLOC_CTX *mem_ctx, + uint32 *start_ndx, uint32 *num_entries, + WINBIND_DISPINFO **info) { CLI_POLICY_HND *hnd; NTSTATUS result = NT_STATUS_UNSUCCESSFUL; @@ -89,10 +89,10 @@ static NTSTATUS winbindd_query_dispinfo(struct winbindd_domain *domain, } /* list all domain groups */ -static NTSTATUS winbindd_enum_dom_groups(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - uint32 *start_ndx, uint32 *num_entries, - struct acct_info **info) +static NTSTATUS enum_dom_groups(struct winbindd_domain *domain, + TALLOC_CTX *mem_ctx, + uint32 *start_ndx, uint32 *num_entries, + struct acct_info **info) { uint32 des_access = SEC_RIGHTS_MAXIMUM_ALLOWED; CLI_POLICY_HND *hnd; @@ -124,7 +124,7 @@ static NTSTATUS winbindd_enum_dom_groups(struct winbindd_domain *domain, /* the rpc backend methods are exposed via this structure */ struct winbindd_methods msrpc_methods = { - winbindd_query_dispinfo, - winbindd_enum_dom_groups + query_dispinfo, + enum_dom_groups }; diff --git a/source3/nsswitch/winbindd_util.c b/source3/nsswitch/winbindd_util.c index 258a940225..50cc76f1e9 100644 --- a/source3/nsswitch/winbindd_util.c +++ b/source3/nsswitch/winbindd_util.c @@ -135,6 +135,20 @@ BOOL get_domain_info(void) BOOL rv = False; TALLOC_CTX *mem_ctx; extern struct winbindd_methods msrpc_methods; + struct winbindd_methods *methods; + + switch (lp_security()) { +#ifdef HAVE_ADS + case SEC_ADS: + { + extern struct winbindd_methods ads_methods; + methods = &ads_methods; + break; + } +#endif + default: + methods = &msrpc_methods; + } DEBUG(1, ("getting trusted domain list\n")); 
@@ -152,7 +166,7 @@ BOOL get_domain_info(void) if (!NT_STATUS_IS_OK(result)) goto done; - add_trusted_domain(lp_workgroup(), &domain_sid, &msrpc_methods); + add_trusted_domain(lp_workgroup(), &domain_sid, methods); /* Enumerate list of trusted domains */ @@ -168,7 +182,7 @@ BOOL get_domain_info(void) /* Add each domain to the trusted domain list */ for(i = 0; i < num_doms; i++) - add_trusted_domain(domains[i], &sids[i], &msrpc_methods); + add_trusted_domain(domains[i], &sids[i], methods); rv = True; -- cgit
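Review bot: The loop in the second hunk here registers the same `methods` for every trusted domain, but with `security = ads` those are the winbindd_ads.c functions, which ignore their `domain` argument and open their connection with `ads_init(NULL, NULL, NULL)`, so enumerating a trusted domain would presumably return the primary realm's users and groups under the trusted domain's name. Until the ADS backend honours `domain`, keeping trusted domains on the rpc backend is the safer choice: `add_trusted_domain(domains[i], &sids[i], &msrpc_methods);` in this loop, with only the own-domain registration in the first hunk using `methods`. `get_domain_info` starts and ends outside these hunks.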