static NTSTATUS add_new_domain_info(struct smbldap_state *ldap_state, const char *domain_name) { fstring sid_string; fstring algorithmic_rid_base_string; char *filter = NULL; char *dn = NULL; LDAPMod **mods = NULL; int rc; LDAPMessage *result = NULL; int num_result; const char **attr_list; char *escape_domain_name; /* escape for filter */ escape_domain_name = escape_ldap_string(talloc_tos(), domain_name); if (!escape_domain_name) { DEBUG(0, ("Out of memory!\n")); return NT_STATUS_NO_MEMORY; } if (asprintf(&filter, "(&(%s=%s)(objectclass=%s))", get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOMAIN), escape_domain_name, LDAP_OBJ_DOMINFO) < 0) { TALLOC_FREE(escape_domain_name); return NT_STATUS_NO_MEMORY; } TALLOC_FREE(escape_domain_name); attr_list = get_attr_list(NULL, dominfo_attr_list ); rc = smbldap_search_suffix(ldap_state, filter, attr_list, &result); TALLOC_FREE( attr_list ); SAFE_FREE(filter); if (rc != LDAP_SUCCESS) { return NT_STATUS_UNSUCCESSFUL; } num_result = ldap_count_entries(ldap_state->ldap_struct, result); if (num_result > 1) { DEBUG (0, ("add_new_domain_info: More than domain with that name exists: bailing " "out!\n")); ldap_msgfree(result); return NT_STATUS_UNSUCCESSFUL; } /* Check if we need to add an entry */ DEBUG(3,("add_new_domain_info: Adding new domain\n")); /* this time escape for DN */ escape_domain_name = escape_rdn_val_string_alloc(domain_name); if (!escape_domain_name) { DEBUG(0, ("Out of memory!\n")); return NT_STATUS_NO_MEMORY; } if (asprintf(&dn, "%s=%s,%s", get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOMAIN), escape_domain_name, lp_ldap_suffix(talloc_tos())) < 0) { SAFE_FREE(escape_domain_name); return NT_STATUS_NO_MEMORY; } SAFE_FREE(escape_domain_name); /* Free original search */ ldap_msgfree(result); /* make the changes - the entry *must* not already have samba * attributes */ smbldap_set_mod(&mods, LDAP_MOD_ADD, get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOMAIN), domain_name); /* If we don't have an entry, then ask secrets.tdb for what it thinks. It may choose to make it up */ sid_to_fstring(sid_string, get_global_sam_sid()); smbldap_set_mod(&mods, LDAP_MOD_ADD, get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOM_SID), sid_string); slprintf(algorithmic_rid_base_string, sizeof(algorithmic_rid_base_string) - 1, "%i", algorithmic_rid_base()); smbldap_set_mod(&mods, LDAP_MOD_ADD, get_attr_key2string(dominfo_attr_list, LDAP_ATTR_ALGORITHMIC_RID_BASE), algorithmic_rid_base_string); smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_DOMINFO); /* add the sambaNextUserRid attributes. */ { uint32_t rid = BASE_RID; fstring rid_str; fstr_sprintf( rid_str, "%i", rid ); DEBUG(10,("add_new_domain_info: setting next available user rid [%s]\n", rid_str)); smbldap_set_mod(&mods, LDAP_MOD_ADD, get_attr_key2string(dominfo_attr_list, LDAP_ATTR_NEXT_USERRID), rid_str); } rc = smbldap_add(ldap_state, dn, mods); if (rc!=LDAP_SUCCESS) { char *ld_error = NULL; ldap_get_option(ldap_state->ldap_struct, LDAP_OPT_ERROR_STRING, &ld_error); DEBUG(1,("add_new_domain_info: failed to add domain dn= %s with: %s\n\t%s\n", dn, ldap_err2string(rc), ld_error?ld_error:"unknown")); SAFE_FREE(ld_error); SAFE_FREE(dn); ldap_mods_free(mods, True); return NT_STATUS_UNSUCCESSFUL; } DEBUG(2,("add_new_domain_info: added: domain = %s in the LDAP database\n", domain_name)); ldap_mods_free(mods, True); SAFE_FREE(dn); return NT_STATUS_OK; }
NTSTATUS smbldap_search_domain_info(struct smbldap_state *ldap_state, LDAPMessage ** result, const char *domain_name, bool try_add) { NTSTATUS status = NT_STATUS_UNSUCCESSFUL; char *filter = NULL; int rc; const char **attr_list; int count; char *escape_domain_name; escape_domain_name = escape_ldap_string(talloc_tos(), domain_name); if (!escape_domain_name) { DEBUG(0, ("Out of memory!\n")); return NT_STATUS_NO_MEMORY; } if (asprintf(&filter, "(&(objectClass=%s)(%s=%s))", LDAP_OBJ_DOMINFO, get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOMAIN), escape_domain_name) < 0) { TALLOC_FREE(escape_domain_name); return NT_STATUS_NO_MEMORY; } TALLOC_FREE(escape_domain_name); DEBUG(2, ("smbldap_search_domain_info: Searching for:[%s]\n", filter)); attr_list = get_attr_list( NULL, dominfo_attr_list ); rc = smbldap_search_suffix(ldap_state, filter, attr_list , result); TALLOC_FREE( attr_list ); if (rc != LDAP_SUCCESS) { DEBUG(2,("smbldap_search_domain_info: Problem during LDAPsearch: %s\n", ldap_err2string (rc))); DEBUG(2,("smbldap_search_domain_info: Query was: %s, %s\n", lp_ldap_suffix(talloc_tos()), filter)); goto failed; } SAFE_FREE(filter); count = ldap_count_entries(ldap_state->ldap_struct, *result); if (count == 1) { return NT_STATUS_OK; } ldap_msgfree(*result); *result = NULL; if (count < 1) { DEBUG(3, ("smbldap_search_domain_info: Got no domain info entries for domain\n")); if (!try_add) goto failed; status = add_new_domain_info(ldap_state, domain_name); if (!NT_STATUS_IS_OK(status)) { DEBUG(0, ("smbldap_search_domain_info: Adding domain info for %s failed with %s\n", domain_name, nt_errstr(status))); goto failed; } status = add_new_domain_account_policies(ldap_state, domain_name); if (!NT_STATUS_IS_OK(status)) { DEBUG(0, ("smbldap_search_domain_info: Adding domain account policies for %s failed with %s\n", domain_name, nt_errstr(status))); goto failed; } return smbldap_search_domain_info(ldap_state, result, domain_name, False); } if (count > 1 ) { DEBUG(0, ("smbldap_search_domain_info: Got too many (%d) domain info entries for domain %s\n", count, domain_name)); goto failed; } failed: return status; }
/* Lookup groups a user is a member of - alternate method, for when tokenGroups are not available. */ static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, const char *user_dn, struct dom_sid *primary_group, uint32_t *p_num_groups, struct dom_sid **user_sids) { ADS_STATUS rc; NTSTATUS status = NT_STATUS_UNSUCCESSFUL; int count; LDAPMessage *res = NULL; LDAPMessage *msg = NULL; char *ldap_exp; ADS_STRUCT *ads; const char *group_attrs[] = {"objectSid", NULL}; char *escaped_dn; uint32_t num_groups = 0; DEBUG(3,("ads: lookup_usergroups_member\n")); if ( !winbindd_can_contact_domain( domain ) ) { DEBUG(10,("lookup_usergroups_members: No incoming trust for domain %s\n", domain->name)); return NT_STATUS_OK; } ads = ads_cached_connection(domain); if (!ads) { domain->last_status = NT_STATUS_SERVER_DISABLED; goto done; } if (!(escaped_dn = escape_ldap_string(talloc_tos(), user_dn))) { status = NT_STATUS_NO_MEMORY; goto done; } ldap_exp = talloc_asprintf(mem_ctx, "(&(member=%s)(objectCategory=group)(groupType:dn:%s:=%d))", escaped_dn, ADS_LDAP_MATCHING_RULE_BIT_AND, GROUP_TYPE_SECURITY_ENABLED); if (!ldap_exp) { DEBUG(1,("lookup_usergroups(dn=%s) asprintf failed!\n", user_dn)); TALLOC_FREE(escaped_dn); status = NT_STATUS_NO_MEMORY; goto done; } TALLOC_FREE(escaped_dn); rc = ads_search_retry(ads, &res, ldap_exp, group_attrs); if (!ADS_ERR_OK(rc) || !res) { DEBUG(1,("lookup_usergroups ads_search member=%s: %s\n", user_dn, ads_errstr(rc))); return ads_ntstatus(rc); } count = ads_count_replies(ads, res); *user_sids = NULL; num_groups = 0; /* always add the primary group to the sid array */ status = add_sid_to_array(mem_ctx, primary_group, user_sids, &num_groups); if (!NT_STATUS_IS_OK(status)) { goto done; } if (count > 0) { for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) { struct dom_sid group_sid; if (!ads_pull_sid(ads, msg, "objectSid", &group_sid)) { DEBUG(1,("No sid for this group ?!?\n")); continue; } /* ignore Builtin groups from ADS - Guenther */ if (sid_check_is_in_builtin(&group_sid)) { continue; } status = add_sid_to_array(mem_ctx, &group_sid, user_sids, &num_groups); if (!NT_STATUS_IS_OK(status)) { goto done; } } } *p_num_groups = num_groups; status = (user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY; DEBUG(3,("ads lookup_usergroups (member) succeeded for dn=%s\n", user_dn)); done: if (res) ads_msgfree(ads, res); return status; }