/* [<][>][^][v][top][bottom][index][help] */
DEFINITIONS
This source file includes following definitions.
- dns_domain_from_principal
- LDB_lookup_spn_alias
- DsCrackNameSPNAlias
- DsCrackNameUPN
- DsCrackNameOneName
- DsCrackNameOneSyntactical
- DsCrackNameOneFilter
- crack_user_principal_name
- crack_service_principal_name
- crack_name_to_nt4_name
- crack_auto_name_to_nt4_name
1 /*
2 Unix SMB/CIFS implementation.
3
4 endpoint server for the drsuapi pipe
5 DsCrackNames()
6
7 Copyright (C) Stefan Metzmacher 2004
8 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "librpc/gen_ndr/drsuapi.h"
26 #include "rpc_server/common/common.h"
27 #include "lib/events/events.h"
28 #include "lib/ldb/include/ldb.h"
29 #include "lib/ldb/include/ldb_errors.h"
30 #include "system/kerberos.h"
31 #include "auth/kerberos/kerberos.h"
32 #include "libcli/ldap/ldap_ndr.h"
33 #include "libcli/security/security.h"
34 #include "librpc/gen_ndr/ndr_misc.h"
35 #include "auth/auth.h"
36 #include "../lib/util/util_ldb.h"
37 #include "dsdb/samdb/samdb.h"
38 #include "param/param.h"
39
40 static WERROR DsCrackNameOneFilter(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
41 struct smb_krb5_context *smb_krb5_context,
42 uint32_t format_flags, uint32_t format_offered, uint32_t format_desired,
43 struct ldb_dn *name_dn, const char *name,
44 const char *domain_filter, const char *result_filter,
45 struct drsuapi_DsNameInfo1 *info1);
46 static WERROR DsCrackNameOneSyntactical(TALLOC_CTX *mem_ctx,
47 uint32_t format_offered, uint32_t format_desired,
48 struct ldb_dn *name_dn, const char *name,
49 struct drsuapi_DsNameInfo1 *info1);
50
51 static WERROR dns_domain_from_principal(TALLOC_CTX *mem_ctx, struct smb_krb5_context *smb_krb5_context,
/* [<][>][^][v][top][bottom][index][help] */
52 const char *name,
53 struct drsuapi_DsNameInfo1 *info1)
54 {
55 krb5_error_code ret;
56 krb5_principal principal;
57 /* perhaps it's a principal with a realm, so return the right 'domain only' response */
58 char **realm;
59 ret = krb5_parse_name_flags(smb_krb5_context->krb5_context, name,
60 KRB5_PRINCIPAL_PARSE_MUST_REALM, &principal);
61 if (ret) {
62 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
63 return WERR_OK;
64 }
65
66 /* This isn't an allocation assignemnt, so it is free'ed with the krb5_free_principal */
67 realm = krb5_princ_realm(smb_krb5_context->krb5_context, principal);
68
69 info1->dns_domain_name = talloc_strdup(mem_ctx, *realm);
70 krb5_free_principal(smb_krb5_context->krb5_context, principal);
71
72 W_ERROR_HAVE_NO_MEMORY(info1->dns_domain_name);
73
74 info1->status = DRSUAPI_DS_NAME_STATUS_DOMAIN_ONLY;
75 return WERR_OK;
76 }
77
78 static enum drsuapi_DsNameStatus LDB_lookup_spn_alias(krb5_context context, struct ldb_context *ldb_ctx,
/* [<][>][^][v][top][bottom][index][help] */
79 TALLOC_CTX *mem_ctx,
80 const char *alias_from,
81 char **alias_to)
82 {
83 int i;
84 int ret;
85 struct ldb_result *res;
86 struct ldb_message_element *spnmappings;
87 TALLOC_CTX *tmp_ctx;
88 struct ldb_dn *service_dn;
89 char *service_dn_str;
90
91 const char *directory_attrs[] = {
92 "sPNMappings",
93 NULL
94 };
95
96 tmp_ctx = talloc_new(mem_ctx);
97 if (!tmp_ctx) {
98 return DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
99 }
100
101 service_dn = ldb_dn_new(tmp_ctx, ldb_ctx, "CN=Directory Service,CN=Windows NT,CN=Services");
102 if ( ! ldb_dn_add_base(service_dn, samdb_config_dn(ldb_ctx))) {
103 return DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
104 }
105 service_dn_str = ldb_dn_alloc_linearized(tmp_ctx, service_dn);
106 if ( ! service_dn_str) {
107 return DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
108 }
109
110 ret = ldb_search(ldb_ctx, tmp_ctx, &res, service_dn, LDB_SCOPE_BASE,
111 directory_attrs, "(objectClass=nTDSService)");
112
113 if (ret != LDB_SUCCESS && ret != LDB_ERR_NO_SUCH_OBJECT) {
114 DEBUG(1, ("ldb_search: dn: %s not found: %s", service_dn_str, ldb_errstring(ldb_ctx)));
115 return DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
116 } else if (ret == LDB_ERR_NO_SUCH_OBJECT) {
117 DEBUG(1, ("ldb_search: dn: %s not found", service_dn_str));
118 return DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
119 } else if (res->count != 1) {
120 talloc_free(res);
121 DEBUG(1, ("ldb_search: dn: %s not found", service_dn_str));
122 return DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
123 }
124
125 spnmappings = ldb_msg_find_element(res->msgs[0], "sPNMappings");
126 if (!spnmappings || spnmappings->num_values == 0) {
127 DEBUG(1, ("ldb_search: dn: %s no sPNMappings attribute", service_dn_str));
128 talloc_free(tmp_ctx);
129 return DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
130 }
131
132 for (i = 0; i < spnmappings->num_values; i++) {
133 char *mapping, *p, *str;
134 mapping = talloc_strdup(tmp_ctx,
135 (const char *)spnmappings->values[i].data);
136 if (!mapping) {
137 DEBUG(1, ("LDB_lookup_spn_alias: ldb_search: dn: %s did not have an sPNMapping\n", service_dn_str));
138 talloc_free(tmp_ctx);
139 return DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
140 }
141
142 /* C string manipulation sucks */
143
144 p = strchr(mapping, '=');
145 if (!p) {
146 DEBUG(1, ("ldb_search: dn: %s sPNMapping malformed: %s\n",
147 service_dn_str, mapping));
148 talloc_free(tmp_ctx);
149 return DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
150 }
151 p[0] = '\0';
152 p++;
153 do {
154 str = p;
155 p = strchr(p, ',');
156 if (p) {
157 p[0] = '\0';
158 p++;
159 }
160 if (strcasecmp(str, alias_from) == 0) {
161 *alias_to = mapping;
162 talloc_steal(mem_ctx, mapping);
163 talloc_free(tmp_ctx);
164 return DRSUAPI_DS_NAME_STATUS_OK;
165 }
166 } while (p);
167 }
168 DEBUG(4, ("LDB_lookup_spn_alias: no alias for service %s applicable\n", alias_from));
169 talloc_free(tmp_ctx);
170 return DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
171 }
172
173 /* When cracking a ServicePrincipalName, many services may be served
174 * by the host/ servicePrincipalName. The incoming query is for cifs/
175 * but we translate it here, and search on host/. This is done after
176 * the cifs/ entry has been searched for, making this a fallback */
177
178 static WERROR DsCrackNameSPNAlias(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
/* [<][>][^][v][top][bottom][index][help] */
179 struct smb_krb5_context *smb_krb5_context,
180 uint32_t format_flags, uint32_t format_offered, uint32_t format_desired,
181 const char *name, struct drsuapi_DsNameInfo1 *info1)
182 {
183 WERROR wret;
184 krb5_error_code ret;
185 krb5_principal principal;
186 const char *service, *dns_name;
187 char *new_service;
188 char *new_princ;
189 enum drsuapi_DsNameStatus namestatus;
190
191 /* parse principal */
192 ret = krb5_parse_name_flags(smb_krb5_context->krb5_context,
193 name, KRB5_PRINCIPAL_PARSE_NO_REALM, &principal);
194 if (ret) {
195 DEBUG(2, ("Could not parse principal: %s: %s",
196 name, smb_get_krb5_error_message(smb_krb5_context->krb5_context,
197 ret, mem_ctx)));
198 return WERR_NOMEM;
199 }
200
201 /* grab cifs/, http/ etc */
202
203 /* This is checked for in callers, but be safe */
204 if (principal->name.name_string.len < 2) {
205 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
206 return WERR_OK;
207 }
208 service = principal->name.name_string.val[0];
209 dns_name = principal->name.name_string.val[1];
210
211 /* MAP it */
212 namestatus = LDB_lookup_spn_alias(smb_krb5_context->krb5_context,
213 sam_ctx, mem_ctx,
214 service, &new_service);
215
216 if (namestatus == DRSUAPI_DS_NAME_STATUS_NOT_FOUND) {
217 info1->status = DRSUAPI_DS_NAME_STATUS_DOMAIN_ONLY;
218 info1->dns_domain_name = talloc_strdup(mem_ctx, dns_name);
219 if (!info1->dns_domain_name) {
220 krb5_free_principal(smb_krb5_context->krb5_context, principal);
221 return WERR_NOMEM;
222 }
223 return WERR_OK;
224 } else if (namestatus != DRSUAPI_DS_NAME_STATUS_OK) {
225 info1->status = namestatus;
226 krb5_free_principal(smb_krb5_context->krb5_context, principal);
227 return WERR_OK;
228 }
229
230 /* ooh, very nasty playing around in the Principal... */
231 free(principal->name.name_string.val[0]);
232 principal->name.name_string.val[0] = strdup(new_service);
233 if (!principal->name.name_string.val[0]) {
234 krb5_free_principal(smb_krb5_context->krb5_context, principal);
235 return WERR_NOMEM;
236 }
237
238 /* reform principal */
239 ret = krb5_unparse_name_flags(smb_krb5_context->krb5_context, principal,
240 KRB5_PRINCIPAL_UNPARSE_NO_REALM, &new_princ);
241
242 if (ret) {
243 krb5_free_principal(smb_krb5_context->krb5_context, principal);
244 return WERR_NOMEM;
245 }
246
247 wret = DsCrackNameOneName(sam_ctx, mem_ctx, format_flags, format_offered, format_desired,
248 new_princ, info1);
249 free(new_princ);
250 if (W_ERROR_IS_OK(wret) && (info1->status == DRSUAPI_DS_NAME_STATUS_NOT_FOUND)) {
251 info1->status = DRSUAPI_DS_NAME_STATUS_DOMAIN_ONLY;
252 info1->dns_domain_name = talloc_strdup(mem_ctx, dns_name);
253 if (!info1->dns_domain_name) {
254 wret = WERR_NOMEM;
255 }
256 }
257 krb5_free_principal(smb_krb5_context->krb5_context, principal);
258 return wret;
259 }
260
261 /* Subcase of CrackNames, for the userPrincipalName */
262
263 static WERROR DsCrackNameUPN(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
/* [<][>][^][v][top][bottom][index][help] */
264 struct smb_krb5_context *smb_krb5_context,
265 uint32_t format_flags, uint32_t format_offered, uint32_t format_desired,
266 const char *name, struct drsuapi_DsNameInfo1 *info1)
267 {
268 int ldb_ret;
269 WERROR status;
270 const char *domain_filter = NULL;
271 const char *result_filter = NULL;
272 krb5_error_code ret;
273 krb5_principal principal;
274 char **realm;
275 char *unparsed_name_short;
276 const char *domain_attrs[] = { NULL };
277 struct ldb_result *domain_res = NULL;
278
279 /* Prevent recursion */
280 if (!name) {
281 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
282 return WERR_OK;
283 }
284
285 ret = krb5_parse_name_flags(smb_krb5_context->krb5_context, name,
286 KRB5_PRINCIPAL_PARSE_MUST_REALM, &principal);
287 if (ret) {
288 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
289 return WERR_OK;
290 }
291
292 realm = krb5_princ_realm(smb_krb5_context->krb5_context, principal);
293
294 ldb_ret = ldb_search(sam_ctx, mem_ctx, &domain_res,
295 samdb_partitions_dn(sam_ctx, mem_ctx),
296 LDB_SCOPE_ONELEVEL,
297 domain_attrs,
298 "(&(&(|(&(dnsRoot=%s)(nETBIOSName=*))(nETBIOSName=%s))(objectclass=crossRef))(ncName=*))",
299 ldb_binary_encode_string(mem_ctx, *realm),
300 ldb_binary_encode_string(mem_ctx, *realm));
301
302 if (ldb_ret != LDB_SUCCESS) {
303 DEBUG(2, ("DsCrackNameUPN domain ref search failed: %s", ldb_errstring(sam_ctx)));
304 info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
305 return WERR_OK;
306 }
307
308 switch (domain_res->count) {
309 case 1:
310 break;
311 case 0:
312 return dns_domain_from_principal(mem_ctx, smb_krb5_context,
313 name, info1);
314 default:
315 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_UNIQUE;
316 return WERR_OK;
317 }
318
319 ret = krb5_unparse_name_flags(smb_krb5_context->krb5_context, principal,
320 KRB5_PRINCIPAL_UNPARSE_NO_REALM, &unparsed_name_short);
321 krb5_free_principal(smb_krb5_context->krb5_context, principal);
322
323 if (ret) {
324 free(unparsed_name_short);
325 return WERR_NOMEM;
326 }
327
328 /* This may need to be extended for more userPrincipalName variations */
329 result_filter = talloc_asprintf(mem_ctx, "(&(objectClass=user)(samAccountName=%s))",
330 ldb_binary_encode_string(mem_ctx, unparsed_name_short));
331
332 domain_filter = talloc_asprintf(mem_ctx, "(distinguishedName=%s)", ldb_dn_get_linearized(domain_res->msgs[0]->dn));
333
334 if (!result_filter || !domain_filter) {
335 free(unparsed_name_short);
336 return WERR_NOMEM;
337 }
338 status = DsCrackNameOneFilter(sam_ctx, mem_ctx,
339 smb_krb5_context,
340 format_flags, format_offered, format_desired,
341 NULL, unparsed_name_short, domain_filter, result_filter,
342 info1);
343 free(unparsed_name_short);
344
345 return status;
346 }
347
348 /* Crack a single 'name', from format_offered into format_desired, returning the result in info1 */
349
350 WERROR DsCrackNameOneName(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
/* [<][>][^][v][top][bottom][index][help] */
351 uint32_t format_flags, uint32_t format_offered, uint32_t format_desired,
352 const char *name, struct drsuapi_DsNameInfo1 *info1)
353 {
354 krb5_error_code ret;
355 const char *domain_filter = NULL;
356 const char *result_filter = NULL;
357 struct ldb_dn *name_dn = NULL;
358
359 struct smb_krb5_context *smb_krb5_context = NULL;
360
361 info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
362 info1->dns_domain_name = NULL;
363 info1->result_name = NULL;
364
365 if (!name) {
366 return WERR_INVALID_PARAM;
367 }
368
369 /* TODO: - fill the correct names in all cases!
370 * - handle format_flags
371 */
372
373 /* here we need to set the domain_filter and/or the result_filter */
374 switch (format_offered) {
375 case DRSUAPI_DS_NAME_FORMAT_UNKNOWN:
376 {
377 int i;
378 enum drsuapi_DsNameFormat formats[] = {
379 DRSUAPI_DS_NAME_FORMAT_FQDN_1779, DRSUAPI_DS_NAME_FORMAT_USER_PRINCIPAL,
380 DRSUAPI_DS_NAME_FORMAT_NT4_ACCOUNT, DRSUAPI_DS_NAME_FORMAT_CANONICAL,
381 DRSUAPI_DS_NAME_FORMAT_GUID, DRSUAPI_DS_NAME_FORMAT_DISPLAY,
382 DRSUAPI_DS_NAME_FORMAT_SERVICE_PRINCIPAL,
383 DRSUAPI_DS_NAME_FORMAT_SID_OR_SID_HISTORY,
384 DRSUAPI_DS_NAME_FORMAT_CANONICAL_EX
385 };
386 WERROR werr;
387 for (i=0; i < ARRAY_SIZE(formats); i++) {
388 werr = DsCrackNameOneName(sam_ctx, mem_ctx, format_flags, formats[i], format_desired, name, info1);
389 if (!W_ERROR_IS_OK(werr)) {
390 return werr;
391 }
392 if (info1->status != DRSUAPI_DS_NAME_STATUS_NOT_FOUND) {
393 return werr;
394 }
395 }
396 return werr;
397 }
398
399 case DRSUAPI_DS_NAME_FORMAT_CANONICAL:
400 case DRSUAPI_DS_NAME_FORMAT_CANONICAL_EX:
401 {
402 char *str, *s, *account;
403
404 if (strlen(name) == 0) {
405 info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
406 return WERR_OK;
407 }
408
409 str = talloc_strdup(mem_ctx, name);
410 W_ERROR_HAVE_NO_MEMORY(str);
411
412 if (format_offered == DRSUAPI_DS_NAME_FORMAT_CANONICAL_EX) {
413 /* Look backwards for the \n, and replace it with / */
414 s = strrchr(str, '\n');
415 if (!s) {
416 info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
417 return WERR_OK;
418 }
419 s[0] = '/';
420 }
421
422 s = strchr(str, '/');
423 if (!s) {
424 /* there must be at least one / */
425 info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
426 return WERR_OK;
427 }
428
429 s[0] = '\0';
430 s++;
431
432 domain_filter = talloc_asprintf(mem_ctx, "(&(objectClass=crossRef)(ncName=%s))",
433 ldb_dn_get_linearized(samdb_dns_domain_to_dn(sam_ctx, mem_ctx, str)));
434 W_ERROR_HAVE_NO_MEMORY(domain_filter);
435
436 /* There may not be anything after the domain component (search for the domain itself) */
437 if (s[0]) {
438
439 account = strrchr(s, '/');
440 if (!account) {
441 account = s;
442 } else {
443 account++;
444 }
445 account = ldb_binary_encode_string(mem_ctx, account);
446 W_ERROR_HAVE_NO_MEMORY(account);
447 result_filter = talloc_asprintf(mem_ctx, "(name=%s)",
448 account);
449 W_ERROR_HAVE_NO_MEMORY(result_filter);
450 }
451 break;
452 }
453 case DRSUAPI_DS_NAME_FORMAT_NT4_ACCOUNT: {
454 char *p;
455 char *domain;
456 const char *account = NULL;
457
458 domain = talloc_strdup(mem_ctx, name);
459 W_ERROR_HAVE_NO_MEMORY(domain);
460
461 p = strchr(domain, '\\');
462 if (!p) {
463 /* invalid input format */
464 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
465 return WERR_OK;
466 }
467 p[0] = '\0';
468
469 if (p[1]) {
470 account = &p[1];
471 }
472
473 domain_filter = talloc_asprintf(mem_ctx,
474 "(&(&(nETBIOSName=%s)(objectclass=crossRef))(ncName=*))",
475 ldb_binary_encode_string(mem_ctx, domain));
476 W_ERROR_HAVE_NO_MEMORY(domain_filter);
477 if (account) {
478 result_filter = talloc_asprintf(mem_ctx, "(sAMAccountName=%s)",
479 ldb_binary_encode_string(mem_ctx, account));
480 W_ERROR_HAVE_NO_MEMORY(result_filter);
481 }
482
483 talloc_free(domain);
484 break;
485 }
486
487 /* A LDAP DN as a string */
488 case DRSUAPI_DS_NAME_FORMAT_FQDN_1779: {
489 domain_filter = NULL;
490 name_dn = ldb_dn_new(mem_ctx, sam_ctx, name);
491 if (! ldb_dn_validate(name_dn)) {
492 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
493 return WERR_OK;
494 }
495 break;
496 }
497
498 /* A GUID as a string */
499 case DRSUAPI_DS_NAME_FORMAT_GUID: {
500 struct GUID guid;
501 char *ldap_guid;
502 NTSTATUS nt_status;
503 domain_filter = NULL;
504
505 nt_status = GUID_from_string(name, &guid);
506 if (!NT_STATUS_IS_OK(nt_status)) {
507 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
508 return WERR_OK;
509 }
510
511 ldap_guid = ldap_encode_ndr_GUID(mem_ctx, &guid);
512 if (!ldap_guid) {
513 return WERR_NOMEM;
514 }
515 result_filter = talloc_asprintf(mem_ctx, "(objectGUID=%s)",
516 ldap_guid);
517 W_ERROR_HAVE_NO_MEMORY(result_filter);
518 break;
519 }
520 case DRSUAPI_DS_NAME_FORMAT_DISPLAY: {
521 domain_filter = NULL;
522
523 result_filter = talloc_asprintf(mem_ctx, "(|(displayName=%s)(samAccountName=%s))",
524 ldb_binary_encode_string(mem_ctx, name),
525 ldb_binary_encode_string(mem_ctx, name));
526 W_ERROR_HAVE_NO_MEMORY(result_filter);
527 break;
528 }
529
530 /* A S-1234-5678 style string */
531 case DRSUAPI_DS_NAME_FORMAT_SID_OR_SID_HISTORY: {
532 struct dom_sid *sid = dom_sid_parse_talloc(mem_ctx, name);
533 char *ldap_sid;
534
535 domain_filter = NULL;
536 if (!sid) {
537 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
538 return WERR_OK;
539 }
540 ldap_sid = ldap_encode_ndr_dom_sid(mem_ctx,
541 sid);
542 if (!ldap_sid) {
543 return WERR_NOMEM;
544 }
545 result_filter = talloc_asprintf(mem_ctx, "(objectSid=%s)",
546 ldap_sid);
547 W_ERROR_HAVE_NO_MEMORY(result_filter);
548 break;
549 }
550 case DRSUAPI_DS_NAME_FORMAT_USER_PRINCIPAL: {
551 krb5_principal principal;
552 char *unparsed_name;
553
554 ret = smb_krb5_init_context(mem_ctx,
555 ldb_get_event_context(sam_ctx),
556 (struct loadparm_context *)ldb_get_opaque(sam_ctx, "loadparm"),
557 &smb_krb5_context);
558
559 if (ret) {
560 return WERR_NOMEM;
561 }
562
563 ret = krb5_parse_name(smb_krb5_context->krb5_context, name, &principal);
564 if (ret) {
565 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
566 return WERR_OK;
567 }
568
569 domain_filter = NULL;
570
571 ret = krb5_unparse_name(smb_krb5_context->krb5_context, principal, &unparsed_name);
572 if (ret) {
573 krb5_free_principal(smb_krb5_context->krb5_context, principal);
574 return WERR_NOMEM;
575 }
576
577 krb5_free_principal(smb_krb5_context->krb5_context, principal);
578 result_filter = talloc_asprintf(mem_ctx, "(&(objectClass=user)(userPrincipalName=%s))",
579 ldb_binary_encode_string(mem_ctx, unparsed_name));
580
581 free(unparsed_name);
582 W_ERROR_HAVE_NO_MEMORY(result_filter);
583 break;
584 }
585 case DRSUAPI_DS_NAME_FORMAT_SERVICE_PRINCIPAL: {
586 krb5_principal principal;
587 char *unparsed_name_short;
588 char *service;
589
590 ret = smb_krb5_init_context(mem_ctx,
591 ldb_get_event_context(sam_ctx),
592 (struct loadparm_context *)ldb_get_opaque(sam_ctx, "loadparm"),
593 &smb_krb5_context);
594
595 if (ret) {
596 return WERR_NOMEM;
597 }
598
599 ret = krb5_parse_name(smb_krb5_context->krb5_context, name, &principal);
600 if (ret == 0 && principal->name.name_string.len < 2) {
601 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
602 krb5_free_principal(smb_krb5_context->krb5_context, principal);
603 return WERR_OK;
604 }
605 ret = krb5_parse_name_flags(smb_krb5_context->krb5_context, name,
606 KRB5_PRINCIPAL_PARSE_NO_REALM, &principal);
607 if (ret) {
608 krb5_free_principal(smb_krb5_context->krb5_context, principal);
609
610 return dns_domain_from_principal(mem_ctx, smb_krb5_context,
611 name, info1);
612 }
613
614 domain_filter = NULL;
615
616 ret = krb5_unparse_name_flags(smb_krb5_context->krb5_context, principal,
617 KRB5_PRINCIPAL_UNPARSE_NO_REALM, &unparsed_name_short);
618 if (ret) {
619 krb5_free_principal(smb_krb5_context->krb5_context, principal);
620 return WERR_NOMEM;
621 }
622
623 service = principal->name.name_string.val[0];
624 if ((principal->name.name_string.len == 2) && (strcasecmp(service, "host") == 0)) {
625 /* the 'cn' attribute is just the leading part of the name */
626 char *computer_name;
627 computer_name = talloc_strndup(mem_ctx, principal->name.name_string.val[1],
628 strcspn(principal->name.name_string.val[1], "."));
629 if (computer_name == NULL) {
630 return WERR_NOMEM;
631 }
632
633 result_filter = talloc_asprintf(mem_ctx, "(|(&(servicePrincipalName=%s)(objectClass=user))(&(cn=%s)(objectClass=computer)))",
634 ldb_binary_encode_string(mem_ctx, unparsed_name_short),
635 ldb_binary_encode_string(mem_ctx, computer_name));
636 } else {
637 result_filter = talloc_asprintf(mem_ctx, "(&(servicePrincipalName=%s)(objectClass=user))",
638 ldb_binary_encode_string(mem_ctx, unparsed_name_short));
639 }
640 krb5_free_principal(smb_krb5_context->krb5_context, principal);
641 free(unparsed_name_short);
642 W_ERROR_HAVE_NO_MEMORY(result_filter);
643
644 break;
645 }
646 default: {
647 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
648 return WERR_OK;
649 }
650
651 }
652
653 if (format_flags & DRSUAPI_DS_NAME_FLAG_SYNTACTICAL_ONLY) {
654 return DsCrackNameOneSyntactical(mem_ctx, format_offered, format_desired,
655 name_dn, name, info1);
656 }
657
658 return DsCrackNameOneFilter(sam_ctx, mem_ctx,
659 smb_krb5_context,
660 format_flags, format_offered, format_desired,
661 name_dn, name,
662 domain_filter, result_filter,
663 info1);
664 }
665
666 /* Subcase of CrackNames. It is possible to translate a LDAP-style DN
667 * (FQDN_1779) into a canoical name without actually searching the
668 * database */
669
670 static WERROR DsCrackNameOneSyntactical(TALLOC_CTX *mem_ctx,
/* [<][>][^][v][top][bottom][index][help] */
671 uint32_t format_offered, uint32_t format_desired,
672 struct ldb_dn *name_dn, const char *name,
673 struct drsuapi_DsNameInfo1 *info1)
674 {
675 char *cracked;
676 if (format_offered != DRSUAPI_DS_NAME_FORMAT_FQDN_1779) {
677 info1->status = DRSUAPI_DS_NAME_STATUS_NO_SYNTACTICAL_MAPPING;
678 return WERR_OK;
679 }
680
681 switch (format_desired) {
682 case DRSUAPI_DS_NAME_FORMAT_CANONICAL:
683 cracked = ldb_dn_canonical_string(mem_ctx, name_dn);
684 break;
685 case DRSUAPI_DS_NAME_FORMAT_CANONICAL_EX:
686 cracked = ldb_dn_canonical_ex_string(mem_ctx, name_dn);
687 break;
688 default:
689 info1->status = DRSUAPI_DS_NAME_STATUS_NO_SYNTACTICAL_MAPPING;
690 return WERR_OK;
691 }
692 info1->status = DRSUAPI_DS_NAME_STATUS_OK;
693 info1->result_name = cracked;
694 if (!cracked) {
695 return WERR_NOMEM;
696 }
697
698 return WERR_OK;
699 }
700
701 /* Given a filter for the domain, and one for the result, perform the
702 * ldb search. The format offered and desired flags change the
703 * behaviours, including what attributes to return.
704 *
705 * The smb_krb5_context is required because we use the krb5 libs for principal parsing
706 */
707
708 static WERROR DsCrackNameOneFilter(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
/* [<][>][^][v][top][bottom][index][help] */
709 struct smb_krb5_context *smb_krb5_context,
710 uint32_t format_flags, uint32_t format_offered, uint32_t format_desired,
711 struct ldb_dn *name_dn, const char *name,
712 const char *domain_filter, const char *result_filter,
713 struct drsuapi_DsNameInfo1 *info1)
714 {
715 int ldb_ret;
716 struct ldb_result *domain_res = NULL;
717 const char * const *domain_attrs;
718 const char * const *result_attrs;
719 struct ldb_message **result_res = NULL;
720 struct ldb_message *result = NULL;
721 struct ldb_dn *result_basedn = NULL;
722 int i;
723 char *p;
724 struct ldb_dn *partitions_basedn = samdb_partitions_dn(sam_ctx, mem_ctx);
725
726 const char * const _domain_attrs_1779[] = { "ncName", "dnsRoot", NULL};
727 const char * const _result_attrs_null[] = { NULL };
728
729 const char * const _domain_attrs_canonical[] = { "ncName", "dnsRoot", NULL};
730 const char * const _result_attrs_canonical[] = { "canonicalName", NULL };
731
732 const char * const _domain_attrs_nt4[] = { "ncName", "dnsRoot", "nETBIOSName", NULL};
733 const char * const _result_attrs_nt4[] = { "sAMAccountName", "objectSid", "objectClass", NULL};
734
735 const char * const _domain_attrs_guid[] = { "ncName", "dnsRoot", NULL};
736 const char * const _result_attrs_guid[] = { "objectGUID", NULL};
737
738 const char * const _domain_attrs_display[] = { "ncName", "dnsRoot", NULL};
739 const char * const _result_attrs_display[] = { "displayName", "samAccountName", NULL};
740
741 const char * const _domain_attrs_none[] = { "ncName", "dnsRoot" , NULL};
742 const char * const _result_attrs_none[] = { NULL};
743
744 /* here we need to set the attrs lists for domain and result lookups */
745 switch (format_desired) {
746 case DRSUAPI_DS_NAME_FORMAT_FQDN_1779:
747 case DRSUAPI_DS_NAME_FORMAT_CANONICAL_EX:
748 domain_attrs = _domain_attrs_1779;
749 result_attrs = _result_attrs_null;
750 break;
751 case DRSUAPI_DS_NAME_FORMAT_CANONICAL:
752 domain_attrs = _domain_attrs_canonical;
753 result_attrs = _result_attrs_canonical;
754 break;
755 case DRSUAPI_DS_NAME_FORMAT_NT4_ACCOUNT:
756 domain_attrs = _domain_attrs_nt4;
757 result_attrs = _result_attrs_nt4;
758 break;
759 case DRSUAPI_DS_NAME_FORMAT_GUID:
760 domain_attrs = _domain_attrs_guid;
761 result_attrs = _result_attrs_guid;
762 break;
763 case DRSUAPI_DS_NAME_FORMAT_DISPLAY:
764 domain_attrs = _domain_attrs_display;
765 result_attrs = _result_attrs_display;
766 break;
767 default:
768 domain_attrs = _domain_attrs_none;
769 result_attrs = _result_attrs_none;
770 break;
771 }
772
773 if (domain_filter) {
774 /* if we have a domain_filter look it up and set the result_basedn and the dns_domain_name */
775 ldb_ret = ldb_search(sam_ctx, mem_ctx, &domain_res,
776 partitions_basedn,
777 LDB_SCOPE_ONELEVEL,
778 domain_attrs,
779 "%s", domain_filter);
780
781 if (ldb_ret != LDB_SUCCESS) {
782 DEBUG(2, ("DsCrackNameOneFilter domain ref search failed: %s", ldb_errstring(sam_ctx)));
783 info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
784 return WERR_OK;
785 }
786
787 switch (domain_res->count) {
788 case 1:
789 break;
790 case 0:
791 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
792 return WERR_OK;
793 default:
794 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_UNIQUE;
795 return WERR_OK;
796 }
797
798 info1->dns_domain_name = samdb_result_string(domain_res->msgs[0], "dnsRoot", NULL);
799 W_ERROR_HAVE_NO_MEMORY(info1->dns_domain_name);
800 info1->status = DRSUAPI_DS_NAME_STATUS_DOMAIN_ONLY;
801 } else {
802 info1->dns_domain_name = NULL;
803 info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
804 }
805
806 if (result_filter) {
807 int ret;
808 struct ldb_result *res;
809 if (domain_res) {
810 result_basedn = samdb_result_dn(sam_ctx, mem_ctx, domain_res->msgs[0], "ncName", NULL);
811
812 ret = ldb_search(sam_ctx, mem_ctx, &res,
813 result_basedn, LDB_SCOPE_SUBTREE,
814 result_attrs, "%s", result_filter);
815 if (ret != LDB_SUCCESS) {
816 talloc_free(result_res);
817 info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
818 return WERR_OK;
819 }
820 ldb_ret = res->count;
821 result_res = res->msgs;
822 } else {
823 /* search with the 'phantom root' flag */
824 struct ldb_request *req;
825
826 res = talloc_zero(mem_ctx, struct ldb_result);
827 W_ERROR_HAVE_NO_MEMORY(res);
828
829 ret = ldb_build_search_req(&req, sam_ctx, mem_ctx,
830 ldb_get_root_basedn(sam_ctx),
831 LDB_SCOPE_SUBTREE,
832 result_filter,
833 result_attrs,
834 NULL,
835 res,
836 ldb_search_default_callback,
837 NULL);
838 if (ret == LDB_SUCCESS) {
839 struct ldb_search_options_control *search_options;
840 search_options = talloc(req, struct ldb_search_options_control);
841 W_ERROR_HAVE_NO_MEMORY(search_options);
842 search_options->search_options = LDB_SEARCH_OPTION_PHANTOM_ROOT;
843
844 ret = ldb_request_add_control(req, LDB_CONTROL_SEARCH_OPTIONS_OID, false, search_options);
845 }
846 if (ret != LDB_SUCCESS) {
847 talloc_free(res);
848 info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
849 return WERR_OK;
850 }
851
852 ret = ldb_request(sam_ctx, req);
853
854 if (ret == LDB_SUCCESS) {
855 ret = ldb_wait(req->handle, LDB_WAIT_ALL);
856 }
857
858 talloc_free(req);
859
860 if (ret != LDB_SUCCESS) {
861 DEBUG(2, ("DsCrackNameOneFilter phantom root search failed: %s",
862 ldb_errstring(sam_ctx)));
863 info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
864 return WERR_OK;
865 }
866 ldb_ret = res->count;
867 result_res = res->msgs;
868 }
869 } else if (format_offered == DRSUAPI_DS_NAME_FORMAT_FQDN_1779) {
870 ldb_ret = gendb_search_dn(sam_ctx, mem_ctx, name_dn, &result_res,
871 result_attrs);
872 } else if (domain_res) {
873 name_dn = samdb_result_dn(sam_ctx, mem_ctx, domain_res->msgs[0], "ncName", NULL);
874 ldb_ret = gendb_search_dn(sam_ctx, mem_ctx, name_dn, &result_res,
875 result_attrs);
876 } else {
877 /* Can't happen */
878 DEBUG(0, ("LOGIC ERROR: DsCrackNameOneFilter domain ref search not availible: This can't happen..."));
879 info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
880 return WERR_OK;
881 }
882
883 switch (ldb_ret) {
884 case 1:
885 result = result_res[0];
886 break;
887 case 0:
888 switch (format_offered) {
889 case DRSUAPI_DS_NAME_FORMAT_SERVICE_PRINCIPAL:
890 return DsCrackNameSPNAlias(sam_ctx, mem_ctx,
891 smb_krb5_context,
892 format_flags, format_offered, format_desired,
893 name, info1);
894
895 case DRSUAPI_DS_NAME_FORMAT_USER_PRINCIPAL:
896 return DsCrackNameUPN(sam_ctx, mem_ctx, smb_krb5_context,
897 format_flags, format_offered, format_desired,
898 name, info1);
899 }
900 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
901 return WERR_OK;
902 case -1:
903 DEBUG(2, ("DsCrackNameOneFilter result search failed: %s", ldb_errstring(sam_ctx)));
904 info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
905 return WERR_OK;
906 default:
907 switch (format_offered) {
908 case DRSUAPI_DS_NAME_FORMAT_CANONICAL:
909 case DRSUAPI_DS_NAME_FORMAT_CANONICAL_EX:
910 {
911 const char *canonical_name = NULL; /* Not required, but we get warnings... */
912 /* We may need to manually filter further */
913 for (i = 0; i < ldb_ret; i++) {
914 switch (format_offered) {
915 case DRSUAPI_DS_NAME_FORMAT_CANONICAL:
916 canonical_name = ldb_dn_canonical_string(mem_ctx, result_res[i]->dn);
917 break;
918 case DRSUAPI_DS_NAME_FORMAT_CANONICAL_EX:
919 canonical_name = ldb_dn_canonical_ex_string(mem_ctx, result_res[i]->dn);
920 break;
921 }
922 if (strcasecmp_m(canonical_name, name) == 0) {
923 result = result_res[i];
924 break;
925 }
926 }
927 if (!result) {
928 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
929 return WERR_OK;
930 }
931 }
932 default:
933 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_UNIQUE;
934 return WERR_OK;
935 }
936 }
937
938 info1->dns_domain_name = ldb_dn_canonical_string(mem_ctx, result->dn);
939 W_ERROR_HAVE_NO_MEMORY(info1->dns_domain_name);
940 p = strchr(info1->dns_domain_name, '/');
941 if (p) {
942 p[0] = '\0';
943 }
944
945 /* here we can use result and domain_res[0] */
946 switch (format_desired) {
947 case DRSUAPI_DS_NAME_FORMAT_FQDN_1779: {
948 info1->result_name = ldb_dn_alloc_linearized(mem_ctx, result->dn);
949 W_ERROR_HAVE_NO_MEMORY(info1->result_name);
950
951 info1->status = DRSUAPI_DS_NAME_STATUS_OK;
952 return WERR_OK;
953 }
954 case DRSUAPI_DS_NAME_FORMAT_CANONICAL: {
955 info1->result_name = samdb_result_string(result, "canonicalName", NULL);
956 info1->status = DRSUAPI_DS_NAME_STATUS_OK;
957 return WERR_OK;
958 }
959 case DRSUAPI_DS_NAME_FORMAT_CANONICAL_EX: {
960 /* Not in the virtual ldb attribute */
961 return DsCrackNameOneSyntactical(mem_ctx,
962 DRSUAPI_DS_NAME_FORMAT_FQDN_1779,
963 DRSUAPI_DS_NAME_FORMAT_CANONICAL_EX,
964 result->dn, name, info1);
965 }
966 case DRSUAPI_DS_NAME_FORMAT_NT4_ACCOUNT: {
967
968 const struct dom_sid *sid = samdb_result_dom_sid(mem_ctx, result, "objectSid");
969 const char *_acc = "", *_dom = "";
970
971 if (samdb_find_attribute(sam_ctx, result, "objectClass", "domain")) {
972
973 ldb_ret = ldb_search(sam_ctx, mem_ctx, &domain_res,
974 partitions_basedn,
975 LDB_SCOPE_ONELEVEL,
976 domain_attrs,
977 "(ncName=%s)", ldb_dn_get_linearized(result->dn));
978
979 if (ldb_ret != LDB_SUCCESS) {
980 DEBUG(2, ("DsCrackNameOneFilter domain ref search failed: %s", ldb_errstring(sam_ctx)));
981 info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
982 return WERR_OK;
983 }
984
985 switch (domain_res->count) {
986 case 1:
987 break;
988 case 0:
989 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
990 return WERR_OK;
991 default:
992 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_UNIQUE;
993 return WERR_OK;
994 }
995 _dom = samdb_result_string(domain_res->msgs[0], "nETBIOSName", NULL);
996 W_ERROR_HAVE_NO_MEMORY(_dom);
997 } else {
998 _acc = samdb_result_string(result, "sAMAccountName", NULL);
999 if (!_acc) {
1000 info1->status = DRSUAPI_DS_NAME_STATUS_NO_MAPPING;
1001 return WERR_OK;
1002 }
1003 if (dom_sid_in_domain(dom_sid_parse_talloc(mem_ctx, SID_BUILTIN), sid)) {
1004 _dom = "BUILTIN";
1005 } else {
1006 const char *attrs[] = { NULL };
1007 struct ldb_result *domain_res2;
1008 struct dom_sid *dom_sid = dom_sid_dup(mem_ctx, sid);
1009 if (!dom_sid) {
1010 return WERR_OK;
1011 }
1012 dom_sid->num_auths--;
1013 ldb_ret = ldb_search(sam_ctx, mem_ctx, &domain_res,
1014 NULL,
1015 LDB_SCOPE_BASE,
1016 attrs,
1017 "(&(objectSid=%s)(objectClass=domain))",
1018 ldap_encode_ndr_dom_sid(mem_ctx, dom_sid));
1019
1020 if (ldb_ret != LDB_SUCCESS) {
1021 DEBUG(2, ("DsCrackNameOneFilter domain search failed: %s", ldb_errstring(sam_ctx)));
1022 info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
1023 return WERR_OK;
1024 }
1025
1026 switch (domain_res->count) {
1027 case 1:
1028 break;
1029 case 0:
1030 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
1031 return WERR_OK;
1032 default:
1033 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_UNIQUE;
1034 return WERR_OK;
1035 }
1036
1037 ldb_ret = ldb_search(sam_ctx, mem_ctx, &domain_res2,
1038 partitions_basedn,
1039 LDB_SCOPE_ONELEVEL,
1040 domain_attrs,
1041 "(ncName=%s)", ldb_dn_get_linearized(domain_res->msgs[0]->dn));
1042
1043 if (ldb_ret != LDB_SUCCESS) {
1044 DEBUG(2, ("DsCrackNameOneFilter domain ref search failed: %s", ldb_errstring(sam_ctx)));
1045 info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
1046 return WERR_OK;
1047 }
1048
1049 switch (domain_res2->count) {
1050 case 1:
1051 break;
1052 case 0:
1053 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
1054 return WERR_OK;
1055 default:
1056 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_UNIQUE;
1057 return WERR_OK;
1058 }
1059 _dom = samdb_result_string(domain_res2->msgs[0], "nETBIOSName", NULL);
1060 W_ERROR_HAVE_NO_MEMORY(_dom);
1061 }
1062 }
1063
1064 info1->result_name = talloc_asprintf(mem_ctx, "%s\\%s", _dom, _acc);
1065 W_ERROR_HAVE_NO_MEMORY(info1->result_name);
1066
1067 info1->status = DRSUAPI_DS_NAME_STATUS_OK;
1068 return WERR_OK;
1069 }
1070 case DRSUAPI_DS_NAME_FORMAT_GUID: {
1071 struct GUID guid;
1072
1073 guid = samdb_result_guid(result, "objectGUID");
1074
1075 info1->result_name = GUID_string2(mem_ctx, &guid);
1076 W_ERROR_HAVE_NO_MEMORY(info1->result_name);
1077
1078 info1->status = DRSUAPI_DS_NAME_STATUS_OK;
1079 return WERR_OK;
1080 }
1081 case DRSUAPI_DS_NAME_FORMAT_DISPLAY: {
1082 info1->result_name = samdb_result_string(result, "displayName", NULL);
1083 if (!info1->result_name) {
1084 info1->result_name = samdb_result_string(result, "sAMAccountName", NULL);
1085 }
1086 if (!info1->result_name) {
1087 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
1088 } else {
1089 info1->status = DRSUAPI_DS_NAME_STATUS_OK;
1090 }
1091 return WERR_OK;
1092 }
1093 case DRSUAPI_DS_NAME_FORMAT_SERVICE_PRINCIPAL: {
1094 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_UNIQUE;
1095 return WERR_OK;
1096 }
1097 case DRSUAPI_DS_NAME_FORMAT_DNS_DOMAIN:
1098 case DRSUAPI_DS_NAME_FORMAT_SID_OR_SID_HISTORY: {
1099 info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
1100 return WERR_OK;
1101 }
1102 default:
1103 info1->status = DRSUAPI_DS_NAME_STATUS_NO_MAPPING;
1104 return WERR_OK;
1105 }
1106 }
1107
1108 /* Given a user Principal Name (such as foo@bar.com),
1109 * return the user and domain DNs. This is used in the KDC to then
1110 * return the Keys and evaluate policy */
1111
1112 NTSTATUS crack_user_principal_name(struct ldb_context *sam_ctx,
/* [<][>][^][v][top][bottom][index][help] */
1113 TALLOC_CTX *mem_ctx,
1114 const char *user_principal_name,
1115 struct ldb_dn **user_dn,
1116 struct ldb_dn **domain_dn)
1117 {
1118 WERROR werr;
1119 struct drsuapi_DsNameInfo1 info1;
1120 werr = DsCrackNameOneName(sam_ctx, mem_ctx, 0,
1121 DRSUAPI_DS_NAME_FORMAT_USER_PRINCIPAL,
1122 DRSUAPI_DS_NAME_FORMAT_FQDN_1779,
1123 user_principal_name,
1124 &info1);
1125 if (!W_ERROR_IS_OK(werr)) {
1126 return werror_to_ntstatus(werr);
1127 }
1128 switch (info1.status) {
1129 case DRSUAPI_DS_NAME_STATUS_OK:
1130 break;
1131 case DRSUAPI_DS_NAME_STATUS_NOT_FOUND:
1132 case DRSUAPI_DS_NAME_STATUS_DOMAIN_ONLY:
1133 case DRSUAPI_DS_NAME_STATUS_NOT_UNIQUE:
1134 return NT_STATUS_NO_SUCH_USER;
1135 case DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR:
1136 default:
1137 return NT_STATUS_UNSUCCESSFUL;
1138 }
1139
1140 *user_dn = ldb_dn_new(mem_ctx, sam_ctx, info1.result_name);
1141
1142 if (domain_dn) {
1143 werr = DsCrackNameOneName(sam_ctx, mem_ctx, 0,
1144 DRSUAPI_DS_NAME_FORMAT_CANONICAL,
1145 DRSUAPI_DS_NAME_FORMAT_FQDN_1779,
1146 talloc_asprintf(mem_ctx, "%s/",
1147 info1.dns_domain_name),
1148 &info1);
1149 if (!W_ERROR_IS_OK(werr)) {
1150 return werror_to_ntstatus(werr);
1151 }
1152 switch (info1.status) {
1153 case DRSUAPI_DS_NAME_STATUS_OK:
1154 break;
1155 case DRSUAPI_DS_NAME_STATUS_NOT_FOUND:
1156 case DRSUAPI_DS_NAME_STATUS_DOMAIN_ONLY:
1157 case DRSUAPI_DS_NAME_STATUS_NOT_UNIQUE:
1158 return NT_STATUS_NO_SUCH_USER;
1159 case DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR:
1160 default:
1161 return NT_STATUS_UNSUCCESSFUL;
1162 }
1163
1164 *domain_dn = ldb_dn_new(mem_ctx, sam_ctx, info1.result_name);
1165 }
1166
1167 return NT_STATUS_OK;
1168
1169 }
1170
1171 /* Given a Service Principal Name (such as host/foo.bar.com@BAR.COM),
1172 * return the user and domain DNs. This is used in the KDC to then
1173 * return the Keys and evaluate policy */
1174
1175 NTSTATUS crack_service_principal_name(struct ldb_context *sam_ctx,
/* [<][>][^][v][top][bottom][index][help] */
1176 TALLOC_CTX *mem_ctx,
1177 const char *service_principal_name,
1178 struct ldb_dn **user_dn,
1179 struct ldb_dn **domain_dn)
1180 {
1181 WERROR werr;
1182 struct drsuapi_DsNameInfo1 info1;
1183 werr = DsCrackNameOneName(sam_ctx, mem_ctx, 0,
1184 DRSUAPI_DS_NAME_FORMAT_SERVICE_PRINCIPAL,
1185 DRSUAPI_DS_NAME_FORMAT_FQDN_1779,
1186 service_principal_name,
1187 &info1);
1188 if (!W_ERROR_IS_OK(werr)) {
1189 return werror_to_ntstatus(werr);
1190 }
1191 switch (info1.status) {
1192 case DRSUAPI_DS_NAME_STATUS_OK:
1193 break;
1194 case DRSUAPI_DS_NAME_STATUS_NOT_FOUND:
1195 case DRSUAPI_DS_NAME_STATUS_DOMAIN_ONLY:
1196 case DRSUAPI_DS_NAME_STATUS_NOT_UNIQUE:
1197 return NT_STATUS_NO_SUCH_USER;
1198 case DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR:
1199 default:
1200 return NT_STATUS_UNSUCCESSFUL;
1201 }
1202
1203 *user_dn = ldb_dn_new(mem_ctx, sam_ctx, info1.result_name);
1204
1205 if (domain_dn) {
1206 werr = DsCrackNameOneName(sam_ctx, mem_ctx, 0,
1207 DRSUAPI_DS_NAME_FORMAT_CANONICAL,
1208 DRSUAPI_DS_NAME_FORMAT_FQDN_1779,
1209 talloc_asprintf(mem_ctx, "%s/",
1210 info1.dns_domain_name),
1211 &info1);
1212 if (!W_ERROR_IS_OK(werr)) {
1213 return werror_to_ntstatus(werr);
1214 }
1215 switch (info1.status) {
1216 case DRSUAPI_DS_NAME_STATUS_OK:
1217 break;
1218 case DRSUAPI_DS_NAME_STATUS_NOT_FOUND:
1219 case DRSUAPI_DS_NAME_STATUS_DOMAIN_ONLY:
1220 case DRSUAPI_DS_NAME_STATUS_NOT_UNIQUE:
1221 return NT_STATUS_NO_SUCH_USER;
1222 case DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR:
1223 default:
1224 return NT_STATUS_UNSUCCESSFUL;
1225 }
1226
1227 *domain_dn = ldb_dn_new(mem_ctx, sam_ctx, info1.result_name);
1228 }
1229
1230 return NT_STATUS_OK;
1231
1232 }
1233
1234 NTSTATUS crack_name_to_nt4_name(TALLOC_CTX *mem_ctx,
/* [<][>][^][v][top][bottom][index][help] */
1235 struct tevent_context *ev_ctx,
1236 struct loadparm_context *lp_ctx,
1237 uint32_t format_offered,
1238 const char *name,
1239 const char **nt4_domain, const char **nt4_account)
1240 {
1241 WERROR werr;
1242 struct drsuapi_DsNameInfo1 info1;
1243 struct ldb_context *ldb;
1244 char *p;
1245
1246 /* Handle anonymous bind */
1247 if (!name || !*name) {
1248 *nt4_domain = "";
1249 *nt4_account = "";
1250 return NT_STATUS_OK;
1251 }
1252
1253 ldb = samdb_connect(mem_ctx, ev_ctx, lp_ctx, system_session(mem_ctx, lp_ctx));
1254 if (ldb == NULL) {
1255 return NT_STATUS_INTERNAL_DB_CORRUPTION;
1256 }
1257
1258 werr = DsCrackNameOneName(ldb, mem_ctx, 0,
1259 format_offered,
1260 DRSUAPI_DS_NAME_FORMAT_NT4_ACCOUNT,
1261 name,
1262 &info1);
1263 if (!W_ERROR_IS_OK(werr)) {
1264 return werror_to_ntstatus(werr);
1265 }
1266 switch (info1.status) {
1267 case DRSUAPI_DS_NAME_STATUS_OK:
1268 break;
1269 case DRSUAPI_DS_NAME_STATUS_NOT_FOUND:
1270 case DRSUAPI_DS_NAME_STATUS_DOMAIN_ONLY:
1271 case DRSUAPI_DS_NAME_STATUS_NOT_UNIQUE:
1272 return NT_STATUS_NO_SUCH_USER;
1273 case DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR:
1274 default:
1275 return NT_STATUS_UNSUCCESSFUL;
1276 }
1277
1278 *nt4_domain = talloc_strdup(mem_ctx, info1.result_name);
1279
1280 p = strchr(*nt4_domain, '\\');
1281 if (!p) {
1282 return NT_STATUS_INVALID_PARAMETER;
1283 }
1284 p[0] = '\0';
1285
1286 if (p[1]) {
1287 *nt4_account = talloc_strdup(mem_ctx, &p[1]);
1288 }
1289
1290 if (!*nt4_account || !*nt4_domain) {
1291 return NT_STATUS_NO_MEMORY;
1292 }
1293
1294 return NT_STATUS_OK;
1295 }
1296
1297 NTSTATUS crack_auto_name_to_nt4_name(TALLOC_CTX *mem_ctx,
/* [<][>][^][v][top][bottom][index][help] */
1298 struct tevent_context *ev_ctx,
1299 struct loadparm_context *lp_ctx,
1300 const char *name,
1301 const char **nt4_domain,
1302 const char **nt4_account)
1303 {
1304 uint32_t format_offered = DRSUAPI_DS_NAME_FORMAT_UNKNOWN;
1305
1306 /* Handle anonymous bind */
1307 if (!name || !*name) {
1308 *nt4_domain = "";
1309 *nt4_account = "";
1310 return NT_STATUS_OK;
1311 }
1312
1313 if (strchr_m(name, '=')) {
1314 format_offered = DRSUAPI_DS_NAME_FORMAT_FQDN_1779;
1315 } else if (strchr_m(name, '@')) {
1316 format_offered = DRSUAPI_DS_NAME_FORMAT_USER_PRINCIPAL;
1317 } else if (strchr_m(name, '\\')) {
1318 format_offered = DRSUAPI_DS_NAME_FORMAT_NT4_ACCOUNT;
1319 } else if (strchr_m(name, '/')) {
1320 format_offered = DRSUAPI_DS_NAME_FORMAT_CANONICAL;
1321 } else {
1322 return NT_STATUS_NO_SUCH_USER;
1323 }
1324
1325 return crack_name_to_nt4_name(mem_ctx, ev_ctx, lp_ctx, format_offered, name, nt4_domain, nt4_account);
1326 }