static NTSTATUS add_new_domain_info(struct smbldap_state *ldap_state,
const char *domain_name)
{
fstring sid_string;
fstring algorithmic_rid_base_string;
char *filter = NULL;
char *dn = NULL;
LDAPMod **mods = NULL;
int rc;
LDAPMessage *result = NULL;
int num_result;
const char **attr_list;
char *escape_domain_name;
/* escape for filter */
escape_domain_name = escape_ldap_string(talloc_tos(), domain_name);
if (!escape_domain_name) {
DEBUG(0, ("Out of memory!\n"));
return NT_STATUS_NO_MEMORY;
}
if (asprintf(&filter, "(&(%s=%s)(objectclass=%s))",
get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOMAIN),
escape_domain_name, LDAP_OBJ_DOMINFO) < 0) {
TALLOC_FREE(escape_domain_name);
return NT_STATUS_NO_MEMORY;
}
TALLOC_FREE(escape_domain_name);
attr_list = get_attr_list(NULL, dominfo_attr_list );
rc = smbldap_search_suffix(ldap_state, filter, attr_list, &result);
TALLOC_FREE( attr_list );
SAFE_FREE(filter);
if (rc != LDAP_SUCCESS) {
return NT_STATUS_UNSUCCESSFUL;
}
num_result = ldap_count_entries(ldap_state->ldap_struct, result);
if (num_result > 1) {
DEBUG (0, ("add_new_domain_info: More than domain with that name exists: bailing "
"out!\n"));
ldap_msgfree(result);
return NT_STATUS_UNSUCCESSFUL;
}
/* Check if we need to add an entry */
DEBUG(3,("add_new_domain_info: Adding new domain\n"));
/* this time escape for DN */
escape_domain_name = escape_rdn_val_string_alloc(domain_name);
if (!escape_domain_name) {
DEBUG(0, ("Out of memory!\n"));
return NT_STATUS_NO_MEMORY;
}
if (asprintf(&dn, "%s=%s,%s",
get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOMAIN),
escape_domain_name, lp_ldap_suffix(talloc_tos())) < 0) {
SAFE_FREE(escape_domain_name);
return NT_STATUS_NO_MEMORY;
}
SAFE_FREE(escape_domain_name);
/* Free original search */
ldap_msgfree(result);
/* make the changes - the entry *must* not already have samba
* attributes */
smbldap_set_mod(&mods, LDAP_MOD_ADD,
get_attr_key2string(dominfo_attr_list,
LDAP_ATTR_DOMAIN),
domain_name);
/* If we don't have an entry, then ask secrets.tdb for what it thinks.
It may choose to make it up */
sid_to_fstring(sid_string, get_global_sam_sid());
smbldap_set_mod(&mods, LDAP_MOD_ADD,
get_attr_key2string(dominfo_attr_list,
LDAP_ATTR_DOM_SID),
sid_string);
slprintf(algorithmic_rid_base_string,
sizeof(algorithmic_rid_base_string) - 1, "%i",
algorithmic_rid_base());
smbldap_set_mod(&mods, LDAP_MOD_ADD,
get_attr_key2string(dominfo_attr_list,
LDAP_ATTR_ALGORITHMIC_RID_BASE),
algorithmic_rid_base_string);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_DOMINFO);
/* add the sambaNextUserRid attributes. */
{
uint32_t rid = BASE_RID;
fstring rid_str;
fstr_sprintf( rid_str, "%i", rid );
DEBUG(10,("add_new_domain_info: setting next available user rid [%s]\n", rid_str));
smbldap_set_mod(&mods, LDAP_MOD_ADD,
get_attr_key2string(dominfo_attr_list,
LDAP_ATTR_NEXT_USERRID),
rid_str);
}
rc = smbldap_add(ldap_state, dn, mods);
if (rc!=LDAP_SUCCESS) {
char *ld_error = NULL;
ldap_get_option(ldap_state->ldap_struct,
LDAP_OPT_ERROR_STRING, &ld_error);
DEBUG(1,("add_new_domain_info: failed to add domain dn= %s with: %s\n\t%s\n",
dn, ldap_err2string(rc),
ld_error?ld_error:"unknown"));
SAFE_FREE(ld_error);
SAFE_FREE(dn);
ldap_mods_free(mods, True);
return NT_STATUS_UNSUCCESSFUL;
}
DEBUG(2,("add_new_domain_info: added: domain = %s in the LDAP database\n", domain_name));
ldap_mods_free(mods, True);
SAFE_FREE(dn);
return NT_STATUS_OK;
}
NTSTATUS smbldap_search_domain_info(struct smbldap_state *ldap_state,
LDAPMessage ** result, const char *domain_name,
bool try_add)
{
NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
char *filter = NULL;
int rc;
const char **attr_list;
int count;
char *escape_domain_name;
escape_domain_name = escape_ldap_string(talloc_tos(), domain_name);
if (!escape_domain_name) {
DEBUG(0, ("Out of memory!\n"));
return NT_STATUS_NO_MEMORY;
}
if (asprintf(&filter, "(&(objectClass=%s)(%s=%s))",
LDAP_OBJ_DOMINFO,
get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOMAIN),
escape_domain_name) < 0) {
TALLOC_FREE(escape_domain_name);
return NT_STATUS_NO_MEMORY;
}
TALLOC_FREE(escape_domain_name);
DEBUG(2, ("smbldap_search_domain_info: Searching for:[%s]\n", filter));
attr_list = get_attr_list( NULL, dominfo_attr_list );
rc = smbldap_search_suffix(ldap_state, filter, attr_list , result);
TALLOC_FREE( attr_list );
if (rc != LDAP_SUCCESS) {
DEBUG(2,("smbldap_search_domain_info: Problem during LDAPsearch: %s\n", ldap_err2string (rc)));
DEBUG(2,("smbldap_search_domain_info: Query was: %s, %s\n", lp_ldap_suffix(talloc_tos()), filter));
goto failed;
}
SAFE_FREE(filter);
count = ldap_count_entries(ldap_state->ldap_struct, *result);
if (count == 1) {
return NT_STATUS_OK;
}
ldap_msgfree(*result);
*result = NULL;
if (count < 1) {
DEBUG(3, ("smbldap_search_domain_info: Got no domain info entries for domain\n"));
if (!try_add)
goto failed;
status = add_new_domain_info(ldap_state, domain_name);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("smbldap_search_domain_info: Adding domain info for %s failed with %s\n",
domain_name, nt_errstr(status)));
goto failed;
}
status = add_new_domain_account_policies(ldap_state, domain_name);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("smbldap_search_domain_info: Adding domain account policies for %s failed with %s\n",
domain_name, nt_errstr(status)));
goto failed;
}
return smbldap_search_domain_info(ldap_state, result, domain_name, False);
}
if (count > 1 ) {
DEBUG(0, ("smbldap_search_domain_info: Got too many (%d) domain info entries for domain %s\n",
count, domain_name));
goto failed;
}
failed:
return status;
}
/* Lookup groups a user is a member of - alternate method, for when
tokenGroups are not available. */
static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain,
TALLOC_CTX *mem_ctx,
const char *user_dn,
struct dom_sid *primary_group,
uint32_t *p_num_groups, struct dom_sid **user_sids)
{
ADS_STATUS rc;
NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
int count;
LDAPMessage *res = NULL;
LDAPMessage *msg = NULL;
char *ldap_exp;
ADS_STRUCT *ads;
const char *group_attrs[] = {"objectSid", NULL};
char *escaped_dn;
uint32_t num_groups = 0;
DEBUG(3,("ads: lookup_usergroups_member\n"));
if ( !winbindd_can_contact_domain( domain ) ) {
DEBUG(10,("lookup_usergroups_members: No incoming trust for domain %s\n",
domain->name));
return NT_STATUS_OK;
}
ads = ads_cached_connection(domain);
if (!ads) {
domain->last_status = NT_STATUS_SERVER_DISABLED;
goto done;
}
if (!(escaped_dn = escape_ldap_string(talloc_tos(), user_dn))) {
status = NT_STATUS_NO_MEMORY;
goto done;
}
ldap_exp = talloc_asprintf(mem_ctx,
"(&(member=%s)(objectCategory=group)(groupType:dn:%s:=%d))",
escaped_dn,
ADS_LDAP_MATCHING_RULE_BIT_AND,
GROUP_TYPE_SECURITY_ENABLED);
if (!ldap_exp) {
DEBUG(1,("lookup_usergroups(dn=%s) asprintf failed!\n", user_dn));
TALLOC_FREE(escaped_dn);
status = NT_STATUS_NO_MEMORY;
goto done;
}
TALLOC_FREE(escaped_dn);
rc = ads_search_retry(ads, &res, ldap_exp, group_attrs);
if (!ADS_ERR_OK(rc) || !res) {
DEBUG(1,("lookup_usergroups ads_search member=%s: %s\n", user_dn, ads_errstr(rc)));
return ads_ntstatus(rc);
}
count = ads_count_replies(ads, res);
*user_sids = NULL;
num_groups = 0;
/* always add the primary group to the sid array */
status = add_sid_to_array(mem_ctx, primary_group, user_sids,
&num_groups);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
if (count > 0) {
for (msg = ads_first_entry(ads, res); msg;
msg = ads_next_entry(ads, msg)) {
struct dom_sid group_sid;
if (!ads_pull_sid(ads, msg, "objectSid", &group_sid)) {
DEBUG(1,("No sid for this group ?!?\n"));
continue;
}
/* ignore Builtin groups from ADS - Guenther */
if (sid_check_is_in_builtin(&group_sid)) {
continue;
}
status = add_sid_to_array(mem_ctx, &group_sid,
user_sids, &num_groups);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
}
}
*p_num_groups = num_groups;
status = (user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
DEBUG(3,("ads lookup_usergroups (member) succeeded for dn=%s\n", user_dn));
done:
if (res)
ads_msgfree(ads, res);
return status;
}
