Line data Source code
1 : /*
2 : Unix SMB/CIFS implementation.
3 : async sids2xids
4 : Copyright (C) Volker Lendecke 2011
5 : Copyright (C) Michael Adam 2012
6 :
7 : This program is free software; you can redistribute it and/or modify
8 : it under the terms of the GNU General Public License as published by
9 : the Free Software Foundation; either version 3 of the License, or
10 : (at your option) any later version.
11 :
12 : This program is distributed in the hope that it will be useful,
13 : but WITHOUT ANY WARRANTY; without even the implied warranty of
14 : MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 : GNU General Public License for more details.
16 :
17 : You should have received a copy of the GNU General Public License
18 : along with this program. If not, see <http://www.gnu.org/licenses/>.
19 : */
20 :
21 : #include "includes.h"
22 : #include "winbindd.h"
23 : #include "../libcli/security/security.h"
24 : #include "idmap_cache.h"
25 : #include "librpc/gen_ndr/ndr_winbind_c.h"
26 : #include "librpc/gen_ndr/ndr_netlogon.h"
27 : #include "lsa.h"
28 :
29 : struct wb_sids2xids_state {
30 : struct tevent_context *ev;
31 :
32 : const struct wb_parent_idmap_config *cfg;
33 :
34 : struct dom_sid *sids;
35 : uint32_t num_sids;
36 :
37 : struct wbint_TransIDArray all_ids;
38 :
39 : /* Used to translated the idx back into all_ids.ids[idx] */
40 : uint32_t *tmp_idx;
41 :
42 : uint32_t lookup_count;
43 : struct dom_sid *lookup_sids;
44 :
45 : struct wbint_TransIDArray map_ids_in;
46 : struct wbint_TransIDArray map_ids_out;
47 :
48 : /*
49 : * Domain array to use for the idmap call. The output from
50 : * lookupsids cannot be used directly since for migrated
51 : * objects the returned domain SID can be different than the
52 : * original one. The new domain SID cannot be combined with
53 : * the RID from the previous domain.
54 : *
55 : * The proper way would be asking for the correct RID in the
56 : * new domain, but this approach avoids id mappings for
57 : * invalid SIDs.
58 : */
59 : struct lsa_RefDomainList idmap_doms;
60 :
61 : uint32_t dom_index;
62 : struct lsa_RefDomainList idmap_dom;
63 : bool tried_dclookup;
64 : };
65 :
66 : static void wb_sids2xids_idmap_setup_done(struct tevent_req *subreq);
67 : static bool wb_sids2xids_in_cache(struct dom_sid *sid, struct id_map *map);
68 : static void wb_sids2xids_lookupsids_done(struct tevent_req *subreq);
69 : static void wb_sids2xids_done(struct tevent_req *subreq);
70 : static void wb_sids2xids_gotdc(struct tevent_req *subreq);
71 : static void wb_sids2xids_next_sids2unix(struct tevent_req *req);
72 : static enum id_type lsa_SidType_to_id_type(const enum lsa_SidType sid_type);
73 :
74 17576 : struct tevent_req *wb_sids2xids_send(TALLOC_CTX *mem_ctx,
75 : struct tevent_context *ev,
76 : const struct dom_sid *sids,
77 : const uint32_t num_sids)
78 : {
79 : struct tevent_req *req, *subreq;
80 : struct wb_sids2xids_state *state;
81 : uint32_t i;
82 17576 : uint32_t num_valid = 0;
83 :
84 17576 : D_INFO("WB command sids2xids start.\n"
85 : "Resolving %"PRIu32" SID(s).\n", num_sids);
86 :
87 17576 : req = tevent_req_create(mem_ctx, &state,
88 : struct wb_sids2xids_state);
89 17576 : if (req == NULL) {
90 0 : return NULL;
91 : }
92 :
93 17576 : state->ev = ev;
94 :
95 17576 : state->num_sids = num_sids;
96 :
97 17576 : state->sids = talloc_zero_array(state, struct dom_sid, num_sids);
98 17576 : if (tevent_req_nomem(state->sids, req)) {
99 0 : return tevent_req_post(req, ev);
100 : }
101 :
102 77006 : for (i = 0; i < num_sids; i++) {
103 59430 : sid_copy(&state->sids[i], &sids[i]);
104 : }
105 :
106 17576 : state->all_ids.num_ids = num_sids;
107 17576 : state->all_ids.ids = talloc_zero_array(state, struct wbint_TransID, num_sids);
108 17576 : if (tevent_req_nomem(state->all_ids.ids, req)) {
109 0 : return tevent_req_post(req, ev);
110 : }
111 :
112 17576 : state->tmp_idx = talloc_zero_array(state, uint32_t, num_sids);
113 17576 : if (tevent_req_nomem(state->tmp_idx, req)) {
114 0 : return tevent_req_post(req, ev);
115 : }
116 :
117 17576 : state->lookup_sids = talloc_zero_array(state, struct dom_sid, num_sids);
118 17576 : if (tevent_req_nomem(state->lookup_sids, req)) {
119 0 : return tevent_req_post(req, ev);
120 : }
121 :
122 17576 : state->map_ids_in.ids = talloc_zero_array(state, struct wbint_TransID, num_sids);
123 17576 : if (tevent_req_nomem(state->map_ids_in.ids, req)) {
124 0 : return tevent_req_post(req, ev);
125 : }
126 :
127 : /*
128 : * Extract those sids that can not be resolved from cache
129 : * into a separate list to be handed to id mapping, keeping
130 : * the same index.
131 : */
132 77006 : for (i=0; i<state->num_sids; i++) {
133 59430 : struct wbint_TransID *cur_id = &state->all_ids.ids[i];
134 : struct dom_sid domain_sid;
135 : struct dom_sid_buf buf;
136 59430 : struct id_map map = { .status = ID_UNMAPPED, };
137 59430 : uint32_t rid = 0;
138 : bool in_cache;
139 :
140 59430 : sid_copy(&domain_sid, &state->sids[i]);
141 59430 : sid_split_rid(&domain_sid, &rid);
142 :
143 : /*
144 : * Start with an invalid entry.
145 : */
146 59430 : *cur_id = (struct wbint_TransID) {
147 : .type_hint = ID_TYPE_NOT_SPECIFIED,
148 : .domain_index = UINT32_MAX - 1, /* invalid */
149 : .rid = rid,
150 : .xid = {
151 : .id = UINT32_MAX,
152 : .type = ID_TYPE_NOT_SPECIFIED,
153 : },
154 : };
155 :
156 59430 : D_DEBUG("%"PRIu32": SID %s\n",
157 : i, dom_sid_str_buf(&state->sids[i], &buf));
158 :
159 59430 : in_cache = wb_sids2xids_in_cache(&state->sids[i], &map);
160 59430 : if (in_cache) {
161 : /*
162 : * We used to ignore map.status and just rely
163 : * on map.xid.type.
164 : *
165 : * Lets keep this logic for now...
166 : */
167 :
168 57748 : cur_id->xid = map.xid;
169 57748 : cur_id->domain_index = UINT32_MAX; /* this marks it as filled entry */
170 57748 : num_valid += 1;
171 57748 : continue;
172 : }
173 : }
174 :
175 17576 : D_DEBUG("Found %"PRIu32" (out of %"PRIu32") SID(s) in cache.\n",
176 : num_valid, num_sids);
177 17576 : if (num_valid == num_sids) {
178 16463 : tevent_req_done(req);
179 16463 : return tevent_req_post(req, ev);
180 : }
181 :
182 1113 : subreq = wb_parent_idmap_setup_send(state, state->ev);
183 1113 : if (tevent_req_nomem(subreq, req)) {
184 0 : return tevent_req_post(req, ev);
185 : }
186 1113 : tevent_req_set_callback(subreq, wb_sids2xids_idmap_setup_done, req);
187 1113 : return req;
188 : }
189 :
190 1113 : static void wb_sids2xids_idmap_setup_done(struct tevent_req *subreq)
191 : {
192 1113 : struct tevent_req *req = tevent_req_callback_data(
193 : subreq, struct tevent_req);
194 1113 : struct wb_sids2xids_state *state = tevent_req_data(
195 : req, struct wb_sids2xids_state);
196 : NTSTATUS status;
197 : uint32_t i;
198 :
199 1113 : status = wb_parent_idmap_setup_recv(subreq, &state->cfg);
200 1113 : TALLOC_FREE(subreq);
201 1113 : if (tevent_req_nterror(req, status)) {
202 0 : D_WARNING("Failed with %s.\n", nt_errstr(status));
203 0 : return;
204 : }
205 1113 : SMB_ASSERT(state->cfg->num_doms > 0);
206 1113 : D_DEBUG("We will loop over %"PRIu32" SID(s) (skipping those already resolved via cache) and over %"PRIu32" domain(s).\n",
207 : state->num_sids,
208 : state->cfg->num_doms);
209 :
210 : /*
211 : * Now we build a list with all domain
212 : * with non cached entries
213 : */
214 4831 : for (i=0; i<state->num_sids; i++) {
215 3718 : struct wbint_TransID *t = &state->all_ids.ids[i];
216 : struct dom_sid domain_sid;
217 3718 : const char *domain_name = NULL;
218 : int domain_index;
219 3718 : uint32_t rid = 0;
220 : uint32_t di;
221 : struct dom_sid_buf buf0, buf1;
222 :
223 3718 : D_DEBUG("%"PRIu32": Processing SID %s\n",
224 : i,
225 : dom_sid_str_buf(&state->sids[i], &buf0));
226 3718 : if (t->domain_index == UINT32_MAX) {
227 : /* ignore already filled entries */
228 2036 : D_DEBUG("%"PRIu32": Ignoring already resolved SID %s\n",
229 : i,
230 : dom_sid_str_buf(&state->sids[i], &buf0));
231 2036 : continue;
232 : }
233 :
234 1682 : sid_copy(&domain_sid, &state->sids[i]);
235 1682 : sid_split_rid(&domain_sid, &rid);
236 1682 : D_DEBUG("%"PRIu32": Splitted SID %s into domain SID %s and RID %"PRIu32"\n",
237 : i,
238 : dom_sid_str_buf(&state->sids[i], &buf0),
239 : dom_sid_str_buf(&domain_sid, &buf1),
240 : rid);
241 :
242 1682 : if (t->type_hint == ID_TYPE_NOT_SPECIFIED) {
243 1682 : const char *tmp_name = NULL;
244 1682 : enum lsa_SidType sid_type = SID_NAME_USE_NONE;
245 1682 : const struct dom_sid *tmp_authority_sid = NULL;
246 1682 : const char *tmp_authority_name = NULL;
247 :
248 : /*
249 : * Try to get a type hint from for predefined sids
250 : */
251 1682 : status = dom_sid_lookup_predefined_sid(&state->sids[i],
252 : &tmp_name,
253 : &sid_type,
254 : &tmp_authority_sid,
255 : &tmp_authority_name);
256 1682 : if (NT_STATUS_IS_OK(status)) {
257 166 : t->type_hint = lsa_SidType_to_id_type(sid_type);
258 166 : D_DEBUG("Got a type hint: %d from predefined SID.\n",
259 : t->type_hint);
260 : }
261 : }
262 :
263 1682 : D_DEBUG("Looping over %"PRIu32" domain(s) to find domain SID %s.\n",
264 : state->cfg->num_doms,
265 : dom_sid_str_buf(&domain_sid, &buf0));
266 6767 : for (di = 0; di < state->cfg->num_doms; di++) {
267 3083 : struct wb_parent_idmap_config_dom *dom =
268 3083 : &state->cfg->doms[di];
269 : bool match;
270 :
271 3083 : match = dom_sid_equal(&domain_sid, &dom->sid);
272 3083 : if (!match) {
273 2509 : continue;
274 : }
275 :
276 574 : domain_name = dom->name;
277 574 : D_DEBUG("Found domain '%s'.\n", domain_name);
278 574 : break;
279 : }
280 1682 : if (domain_name == NULL) {
281 1108 : struct winbindd_domain *wb_domain = NULL;
282 :
283 1108 : D_DEBUG("Could not find a domain for domain SID %s. Trying to fill the domain name from list of known domains.\n",
284 : dom_sid_str_buf(&domain_sid, &buf0));
285 : /*
286 : * Try to fill the name if we already know it
287 : */
288 1108 : wb_domain = find_domain_from_sid_noinit(&state->sids[i]);
289 1108 : if (wb_domain != NULL) {
290 372 : domain_name = wb_domain->name;
291 372 : D_DEBUG("Found domain '%s' in list of known domains.\n", domain_name);
292 : }
293 : }
294 1682 : if (domain_name == NULL) {
295 736 : domain_name = "";
296 736 : D_DEBUG("Not found domain in list of known domains, setting empty domain name.\n");
297 : }
298 :
299 1682 : if (t->type_hint == ID_TYPE_NOT_SPECIFIED) {
300 1523 : if (domain_name[0] != '\0') {
301 : /*
302 : * We know the domain, we indicate this
303 : * by passing ID_TYPE_BOTH as a hint
304 : *
305 : * Maybe that's already enough for the backend
306 : */
307 946 : t->type_hint = ID_TYPE_BOTH;
308 946 : D_DEBUG("Setting type hint ID_TYPE_BOTH for domain '%s'.\n", domain_name);
309 : }
310 : }
311 :
312 1682 : domain_index = init_lsa_ref_domain_list(state,
313 : &state->idmap_doms,
314 : domain_name,
315 : &domain_sid);
316 1682 : if (domain_index == -1) {
317 0 : tevent_req_oom(req);
318 0 : return;
319 : }
320 1682 : t->domain_index = domain_index;
321 : }
322 :
323 : /*
324 : * We defer lookupsids because it requires domain controller
325 : * interaction.
326 : *
327 : * First we ask the idmap child without explicit type hints.
328 : * In most cases mappings already exist in the backend and
329 : * a type_hint is not needed.
330 : */
331 1113 : wb_sids2xids_next_sids2unix(req);
332 : }
333 :
334 59430 : static bool wb_sids2xids_in_cache(struct dom_sid *sid, struct id_map *map)
335 : {
336 : struct unixid id;
337 : bool expired;
338 :
339 59430 : if (!winbindd_use_idmap_cache()) {
340 0 : return false;
341 : }
342 59430 : if (idmap_cache_find_sid2unixid(sid, &id, &expired)) {
343 57748 : if (expired && is_domain_online(find_our_domain())) {
344 0 : return false;
345 : }
346 57748 : map->sid = sid;
347 57748 : map->xid = id;
348 57748 : map->status = ID_MAPPED;
349 57748 : return true;
350 : }
351 1682 : return false;
352 : }
353 :
354 609 : static void wb_sids2xids_lookupsids_done(struct tevent_req *subreq)
355 : {
356 609 : struct tevent_req *req = tevent_req_callback_data(
357 : subreq, struct tevent_req);
358 609 : struct wb_sids2xids_state *state = tevent_req_data(
359 : req, struct wb_sids2xids_state);
360 609 : struct lsa_RefDomainList *domains = NULL;
361 609 : struct lsa_TransNameArray *names = NULL;
362 : NTSTATUS status;
363 : uint32_t li;
364 :
365 609 : status = wb_lookupsids_recv(subreq, state, &domains, &names);
366 609 : TALLOC_FREE(subreq);
367 609 : if (tevent_req_nterror(req, status)) {
368 516 : D_WARNING("Failed with %s.\n", nt_errstr(status));
369 774 : return;
370 : }
371 :
372 93 : if (domains == NULL) {
373 0 : tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
374 0 : D_WARNING("Failed with NT_STATUS_INTERNAL_ERROR.\n");
375 0 : return;
376 : }
377 :
378 93 : if (names == NULL) {
379 0 : tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
380 0 : D_WARNING("Failed with NT_STATUS_INTERNAL_ERROR.\n");
381 0 : return;
382 : }
383 :
384 194 : for (li = 0; li < state->lookup_count; li++) {
385 101 : struct lsa_TranslatedName *n = &names->names[li];
386 101 : uint32_t ai = state->tmp_idx[li];
387 101 : struct wbint_TransID *t = &state->all_ids.ids[ai];
388 : enum id_type type_hint;
389 :
390 101 : type_hint = lsa_SidType_to_id_type(n->sid_type);
391 101 : if (type_hint != ID_TYPE_NOT_SPECIFIED) {
392 : /*
393 : * We know it's a valid user or group.
394 : */
395 84 : t->type_hint = type_hint;
396 84 : continue;
397 : }
398 :
399 17 : if (n->sid_index == UINT32_MAX) {
400 : /*
401 : * The domain is not known, there's
402 : * no point to try mapping again.
403 : * mark is done and add a negative cache
404 : * entry.
405 : */
406 10 : t->domain_index = UINT32_MAX; /* mark as valid */
407 10 : idmap_cache_set_sid2unixid(&state->sids[ai], &t->xid);
408 10 : continue;
409 : }
410 :
411 7 : if (n->sid_index >= domains->count) {
412 0 : tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
413 0 : D_WARNING("Failed with NT_STATUS_INTERNAL_ERROR.\n");
414 0 : return;
415 : }
416 :
417 7 : if (domains->domains[n->sid_index].name.string == NULL) {
418 0 : tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
419 0 : D_WARNING("Failed with NT_STATUS_INTERNAL_ERROR.\n");
420 0 : return;
421 : }
422 7 : if (domains->domains[n->sid_index].sid == NULL) {
423 0 : tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
424 0 : D_WARNING("Failed with NT_STATUS_INTERNAL_ERROR.\n");
425 0 : return;
426 : }
427 :
428 7 : if (t->type_hint != ID_TYPE_NOT_SPECIFIED) {
429 : /*
430 : * We already tried with a type hint there's
431 : * no point to try mapping again with ID_TYPE_BOTH.
432 : *
433 : * Mark is done and add a negative cache entry.
434 : */
435 7 : t->domain_index = UINT32_MAX; /* mark as valid */
436 7 : idmap_cache_set_sid2unixid(&state->sids[ai], &t->xid);
437 7 : continue;
438 : }
439 :
440 : /*
441 : * We only know the domain exists, but the user doesn't
442 : */
443 0 : t->type_hint = ID_TYPE_BOTH;
444 : }
445 :
446 93 : TALLOC_FREE(names);
447 93 : TALLOC_FREE(domains);
448 :
449 : /*
450 : * Now that we have type_hints for the remaining sids,
451 : * we need to restart with the first domain.
452 : */
453 93 : state->dom_index = 0;
454 93 : wb_sids2xids_next_sids2unix(req);
455 : }
456 :
457 2577 : static void wb_sids2xids_next_sids2unix(struct tevent_req *req)
458 : {
459 2577 : struct wb_sids2xids_state *state = tevent_req_data(
460 : req, struct wb_sids2xids_state);
461 2577 : struct tevent_req *subreq = NULL;
462 2577 : struct dcerpc_binding_handle *child_binding_handle = NULL;
463 2577 : const struct wbint_TransIDArray *src = NULL;
464 2577 : struct wbint_TransIDArray *dst = NULL;
465 : uint32_t si;
466 :
467 2594 : next_domain:
468 2594 : state->tried_dclookup = false;
469 :
470 2594 : D_DEBUG("Processing next domain (dom_index=%"PRIu32", idmap_doms.count=%"PRIu32", lookup_count=%"PRIu32").\n",
471 : state->dom_index,
472 : state->idmap_doms.count,
473 : state->lookup_count);
474 2594 : if (state->dom_index == state->idmap_doms.count) {
475 1194 : if (state->lookup_count != 0) {
476 : /*
477 : * We already called wb_lookupsids_send()
478 : * before, so we're done.
479 : */
480 93 : D_DEBUG("We already called wb_lookupsids_send() before, so we're done.\n");
481 93 : tevent_req_done(req);
482 477 : return;
483 : }
484 :
485 4671 : for (si=0; si < state->num_sids; si++) {
486 3570 : struct wbint_TransID *t = &state->all_ids.ids[si];
487 :
488 3570 : if (t->domain_index == UINT32_MAX) {
489 : /* ignore already filled entries */
490 2903 : continue;
491 : }
492 :
493 667 : state->tmp_idx[state->lookup_count] = si;
494 667 : sid_copy(&state->lookup_sids[state->lookup_count],
495 667 : &state->sids[si]);
496 667 : state->lookup_count += 1;
497 : }
498 :
499 1101 : D_DEBUG("Prepared %"PRIu32" SID(s) for lookup wb_lookupsids_send().\n",
500 : state->lookup_count);
501 1101 : if (state->lookup_count == 0) {
502 : /*
503 : * no wb_lookupsids_send() needed...
504 : */
505 492 : tevent_req_done(req);
506 492 : return;
507 : }
508 :
509 609 : subreq = wb_lookupsids_send(state,
510 : state->ev,
511 : state->lookup_sids,
512 : state->lookup_count);
513 609 : if (tevent_req_nomem(subreq, req)) {
514 0 : return;
515 : }
516 609 : tevent_req_set_callback(subreq, wb_sids2xids_lookupsids_done, req);
517 609 : return;
518 : }
519 :
520 1400 : src = &state->all_ids;
521 1400 : dst = &state->map_ids_in;
522 1400 : dst->num_ids = 0;
523 :
524 6738 : for (si=0; si < src->num_ids; si++) {
525 5338 : if (src->ids[si].domain_index != state->dom_index) {
526 3608 : continue;
527 : }
528 :
529 1730 : state->tmp_idx[dst->num_ids] = si;
530 1730 : dst->ids[dst->num_ids] = src->ids[si];
531 1730 : dst->ids[dst->num_ids].domain_index = 0;
532 1730 : dst->num_ids += 1;
533 : }
534 :
535 1400 : if (dst->num_ids == 0) {
536 17 : state->dom_index += 1;
537 17 : D_DEBUG("Go to next domain.\n");
538 17 : goto next_domain;
539 : }
540 :
541 1383 : state->idmap_dom = (struct lsa_RefDomainList) {
542 : .count = 1,
543 1383 : .domains = &state->idmap_doms.domains[state->dom_index],
544 : .max_size = 1
545 : };
546 :
547 : /*
548 : * dcerpc_wbint_Sids2UnixIDs_send/recv will
549 : * allocate a new array for the response
550 : * and overwrite _ids->ids pointer.
551 : *
552 : * So we better make a temporary copy
553 : * of state->map_ids_in (which contains the request array)
554 : * into state->map_ids_out.
555 : *
556 : * That makes it possible to reuse the pre-allocated
557 : * state->map_ids_in.ids array.
558 : */
559 1383 : state->map_ids_out = state->map_ids_in;
560 1383 : child_binding_handle = idmap_child_handle();
561 1383 : subreq = dcerpc_wbint_Sids2UnixIDs_send(
562 : state, state->ev, child_binding_handle, &state->idmap_dom,
563 : &state->map_ids_out);
564 1383 : if (tevent_req_nomem(subreq, req)) {
565 0 : return;
566 : }
567 1383 : tevent_req_set_callback(subreq, wb_sids2xids_done, req);
568 : }
569 :
570 267 : static enum id_type lsa_SidType_to_id_type(const enum lsa_SidType sid_type)
571 : {
572 : enum id_type type;
573 :
574 267 : switch(sid_type) {
575 42 : case SID_NAME_COMPUTER:
576 : case SID_NAME_USER:
577 42 : type = ID_TYPE_UID;
578 42 : break;
579 201 : case SID_NAME_DOM_GRP:
580 : case SID_NAME_ALIAS:
581 : case SID_NAME_WKN_GRP:
582 201 : type = ID_TYPE_GID;
583 201 : break;
584 24 : default:
585 24 : type = ID_TYPE_NOT_SPECIFIED;
586 24 : break;
587 : }
588 :
589 267 : return type;
590 : }
591 :
592 1373 : static void wb_sids2xids_done(struct tevent_req *subreq)
593 : {
594 1373 : struct tevent_req *req = tevent_req_callback_data(
595 : subreq, struct tevent_req);
596 1373 : struct wb_sids2xids_state *state = tevent_req_data(
597 : req, struct wb_sids2xids_state);
598 : NTSTATUS status, result;
599 1373 : const struct wbint_TransIDArray *src = NULL;
600 1373 : struct wbint_TransIDArray *dst = NULL;
601 : uint32_t si;
602 :
603 1373 : status = dcerpc_wbint_Sids2UnixIDs_recv(subreq, state, &result);
604 1373 : TALLOC_FREE(subreq);
605 :
606 1373 : if (tevent_req_nterror(req, status)) {
607 0 : D_WARNING("Failed with %s.\n", nt_errstr(status));
608 2 : return;
609 : }
610 :
611 1374 : if (NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) &&
612 2 : !state->tried_dclookup) {
613 :
614 : struct lsa_DomainInfo *d;
615 2 : const char *domain_name = NULL;
616 :
617 2 : d = &state->idmap_doms.domains[state->dom_index];
618 :
619 2 : domain_name = find_dns_domain_name(d->name.string);
620 :
621 2 : D_DEBUG("Domain controller not found. Calling "
622 : "wb_dsgetdcname_send(%s) to get it.\n",
623 : domain_name);
624 :
625 2 : subreq = wb_dsgetdcname_send(state,
626 : state->ev,
627 : domain_name,
628 : NULL,
629 : NULL,
630 : DS_RETURN_DNS_NAME);
631 2 : if (tevent_req_nomem(subreq, req)) {
632 1 : return;
633 : }
634 2 : tevent_req_set_callback(subreq, wb_sids2xids_gotdc, req);
635 2 : return;
636 : }
637 :
638 1371 : src = &state->map_ids_out;
639 1371 : dst = &state->all_ids;
640 :
641 1371 : if (any_nt_status_not_ok(status, result, &status)) {
642 0 : D_DEBUG("Either status %s or result %s is not ok. Report SIDs as not mapped.\n",
643 : nt_errstr(status),
644 : nt_errstr(result));
645 : /*
646 : * All we can do here is to report "not mapped"
647 : */
648 0 : src = &state->map_ids_in;
649 0 : for (si=0; si < src->num_ids; si++) {
650 0 : src->ids[si].xid.type = ID_TYPE_NOT_SPECIFIED;
651 : }
652 : }
653 :
654 1371 : if (src->num_ids != state->map_ids_in.num_ids) {
655 0 : tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
656 0 : D_WARNING("Number of mapped SIDs does not match. Failing with NT_STATUS_INTERNAL_ERROR.\n");
657 0 : return;
658 : }
659 :
660 3053 : for (si=0; si < src->num_ids; si++) {
661 1682 : uint32_t di = state->tmp_idx[si];
662 :
663 1682 : if (src->ids[si].xid.type == ID_TYPE_WB_REQUIRE_TYPE) {
664 667 : if (state->lookup_count == 0) {
665 667 : D_DEBUG("The backend asks for more information (a type_hint), we'll do a lookupsids later.\n");
666 : /*
667 : * The backend asks for more information
668 : * (a type_hint), we'll do a lookupsids
669 : * later.
670 : */
671 667 : continue;
672 : }
673 :
674 : /*
675 : * lookupsids was not able to provide a type_hint that
676 : * satisfied the backend.
677 : *
678 : * Make sure we don't expose ID_TYPE_WB_REQUIRE_TYPE
679 : * outside of winbindd!
680 : */
681 0 : D_DEBUG("lookupsids was not able to provide a type_hint that satisfied the backend. Make sure we don't expose ID_TYPE_WB_REQUIRE_TYPE outside of winbindd!\n");
682 0 : src->ids[si].xid.type = ID_TYPE_NOT_SPECIFIED;
683 : }
684 :
685 1015 : if (src->ids[si].xid.type != ID_TYPE_NOT_SPECIFIED) {
686 955 : dst->ids[di].xid = src->ids[si].xid;
687 955 : D_DEBUG("%"PRIu32": Setting XID %"PRIu32"\n",
688 : si, src->ids[si].xid.id);
689 : }
690 1015 : dst->ids[di].domain_index = UINT32_MAX; /* mark as valid */
691 1015 : idmap_cache_set_sid2unixid(&state->sids[di], &dst->ids[di].xid);
692 : }
693 :
694 1371 : state->map_ids_in.num_ids = 0;
695 1371 : if (NT_STATUS_IS_OK(status)) {
696 : /*
697 : * If we got a valid response, we expect
698 : * state->map_ids_out.ids to be a new allocated
699 : * array, which we want to free early.
700 : */
701 1371 : SMB_ASSERT(state->map_ids_out.ids != state->map_ids_in.ids);
702 1371 : TALLOC_FREE(state->map_ids_out.ids);
703 : }
704 1371 : state->map_ids_out = (struct wbint_TransIDArray) { .num_ids = 0, };
705 :
706 1371 : state->dom_index += 1;
707 :
708 1371 : wb_sids2xids_next_sids2unix(req);
709 : }
710 :
711 2 : static void wb_sids2xids_gotdc(struct tevent_req *subreq)
712 : {
713 2 : struct tevent_req *req = tevent_req_callback_data(
714 : subreq, struct tevent_req);
715 2 : struct wb_sids2xids_state *state = tevent_req_data(
716 : req, struct wb_sids2xids_state);
717 2 : struct dcerpc_binding_handle *child_binding_handle = NULL;
718 : struct netr_DsRGetDCNameInfo *dcinfo;
719 : NTSTATUS status;
720 :
721 2 : status = wb_dsgetdcname_recv(subreq, state, &dcinfo);
722 2 : TALLOC_FREE(subreq);
723 2 : if (tevent_req_nterror(req, status)) {
724 0 : D_WARNING("Failed with %s.\n", nt_errstr(status));
725 0 : return;
726 : }
727 :
728 2 : state->tried_dclookup = true;
729 :
730 : {
731 2 : struct lsa_DomainInfo *d =
732 2 : &state->idmap_doms.domains[state->dom_index];
733 2 : const char *dom_name = d->name.string;
734 :
735 2 : status = wb_dsgetdcname_gencache_set(dom_name, dcinfo);
736 2 : if (tevent_req_nterror(req, status)) {
737 0 : D_WARNING("Failed with %s.\n", nt_errstr(status));
738 0 : return;
739 : }
740 : }
741 :
742 : /*
743 : * dcerpc_wbint_Sids2UnixIDs_send/recv will
744 : * allocate a new array for the response
745 : * and overwrite _ids->ids pointer.
746 : *
747 : * So we better make a temporary copy
748 : * of state->map_ids_in (which contains the request array)
749 : * into state->map_ids_out.
750 : *
751 : * That makes it possible to reuse the pre-allocated
752 : * state->map_ids_in.ids array.
753 : */
754 2 : state->map_ids_out = state->map_ids_in;
755 2 : child_binding_handle = idmap_child_handle();
756 2 : subreq = dcerpc_wbint_Sids2UnixIDs_send(
757 : state, state->ev, child_binding_handle, &state->idmap_dom,
758 : &state->map_ids_out);
759 2 : if (tevent_req_nomem(subreq, req)) {
760 0 : return;
761 : }
762 2 : tevent_req_set_callback(subreq, wb_sids2xids_done, req);
763 : }
764 :
765 17564 : NTSTATUS wb_sids2xids_recv(struct tevent_req *req,
766 : struct unixid xids[], uint32_t num_xids)
767 : {
768 17564 : struct wb_sids2xids_state *state = tevent_req_data(
769 : req, struct wb_sids2xids_state);
770 : NTSTATUS status;
771 : uint32_t i;
772 :
773 17564 : if (tevent_req_is_nterror(req, &status)) {
774 516 : D_WARNING("Failed with %s.\n", nt_errstr(status));
775 516 : return status;
776 : }
777 :
778 17048 : if (num_xids != state->num_sids) {
779 0 : D_WARNING("Error. We have resolved only %"PRIu32" XID(s), but caller asked for %"PRIu32".\n",
780 : state->num_sids, num_xids);
781 0 : return NT_STATUS_INTERNAL_ERROR;
782 : }
783 :
784 17048 : D_INFO("WB command sids2xids end.\n");
785 75742 : for (i=0; i<state->num_sids; i++) {
786 : struct dom_sid_buf buf;
787 58694 : xids[i] = state->all_ids.ids[i].xid;
788 58694 : D_INFO("%"PRIu32": Found XID %"PRIu32" for SID %s\n",
789 : i,
790 : xids[i].id,
791 : dom_sid_str_buf(&state->sids[i], &buf));
792 : }
793 :
794 17048 : return NT_STATUS_OK;
795 : }
|
