root/source4/dsdb/samdb/cracknames.c

/* [<][>][^][v][top][bottom][index][help] */

DEFINITIONS

This source file includes following definitions.
  1. dns_domain_from_principal
  2. LDB_lookup_spn_alias
  3. DsCrackNameSPNAlias
  4. DsCrackNameUPN
  5. DsCrackNameOneName
  6. DsCrackNameOneSyntactical
  7. DsCrackNameOneFilter
  8. crack_user_principal_name
  9. crack_service_principal_name
  10. crack_name_to_nt4_name
  11. crack_auto_name_to_nt4_name

   1 /* 
   2    Unix SMB/CIFS implementation.
   3 
   4    endpoint server for the drsuapi pipe
   5    DsCrackNames()
   6 
   7    Copyright (C) Stefan Metzmacher 2004
   8    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
   9    
  10    This program is free software; you can redistribute it and/or modify
  11    it under the terms of the GNU General Public License as published by
  12    the Free Software Foundation; either version 3 of the License, or
  13    (at your option) any later version.
  14    
  15    This program is distributed in the hope that it will be useful,
  16    but WITHOUT ANY WARRANTY; without even the implied warranty of
  17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18    GNU General Public License for more details.
  19    
  20    You should have received a copy of the GNU General Public License
  21    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  22 */
  23 
  24 #include "includes.h"
  25 #include "librpc/gen_ndr/drsuapi.h"
  26 #include "rpc_server/common/common.h"
  27 #include "lib/events/events.h"
  28 #include "lib/ldb/include/ldb.h"
  29 #include "lib/ldb/include/ldb_errors.h"
  30 #include "system/kerberos.h"
  31 #include "auth/kerberos/kerberos.h"
  32 #include "libcli/ldap/ldap_ndr.h"
  33 #include "libcli/security/security.h"
  34 #include "librpc/gen_ndr/ndr_misc.h"
  35 #include "auth/auth.h"
  36 #include "../lib/util/util_ldb.h"
  37 #include "dsdb/samdb/samdb.h"
  38 #include "param/param.h"
  39 
  40 static WERROR DsCrackNameOneFilter(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
  41                                    struct smb_krb5_context *smb_krb5_context,
  42                                    uint32_t format_flags, uint32_t format_offered, uint32_t format_desired,
  43                                    struct ldb_dn *name_dn, const char *name, 
  44                                    const char *domain_filter, const char *result_filter, 
  45                                    struct drsuapi_DsNameInfo1 *info1);
  46 static WERROR DsCrackNameOneSyntactical(TALLOC_CTX *mem_ctx,
  47                                         uint32_t format_offered, uint32_t format_desired,
  48                                         struct ldb_dn *name_dn, const char *name, 
  49                                         struct drsuapi_DsNameInfo1 *info1);
  50 
  51 static WERROR dns_domain_from_principal(TALLOC_CTX *mem_ctx, struct smb_krb5_context *smb_krb5_context, 
     /* [<][>][^][v][top][bottom][index][help] */
  52                                         const char *name, 
  53                                         struct drsuapi_DsNameInfo1 *info1) 
  54 {
  55         krb5_error_code ret;
  56         krb5_principal principal;
  57         /* perhaps it's a principal with a realm, so return the right 'domain only' response */
  58         char **realm;
  59         ret = krb5_parse_name_flags(smb_krb5_context->krb5_context, name, 
  60                                     KRB5_PRINCIPAL_PARSE_MUST_REALM, &principal);
  61         if (ret) {
  62                 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
  63                 return WERR_OK;
  64         }
  65 
  66         /* This isn't an allocation assignemnt, so it is free'ed with the krb5_free_principal */
  67         realm = krb5_princ_realm(smb_krb5_context->krb5_context, principal);
  68         
  69         info1->dns_domain_name  = talloc_strdup(mem_ctx, *realm);
  70         krb5_free_principal(smb_krb5_context->krb5_context, principal);
  71         
  72         W_ERROR_HAVE_NO_MEMORY(info1->dns_domain_name);
  73         
  74         info1->status = DRSUAPI_DS_NAME_STATUS_DOMAIN_ONLY;
  75         return WERR_OK;
  76 }               
  77 
  78 static enum drsuapi_DsNameStatus LDB_lookup_spn_alias(krb5_context context, struct ldb_context *ldb_ctx, 
     /* [<][>][^][v][top][bottom][index][help] */
  79                                                       TALLOC_CTX *mem_ctx,
  80                                                       const char *alias_from,
  81                                                       char **alias_to)
  82 {
  83         int i;
  84         int ret;
  85         struct ldb_result *res;
  86         struct ldb_message_element *spnmappings;
  87         TALLOC_CTX *tmp_ctx;
  88         struct ldb_dn *service_dn;
  89         char *service_dn_str;
  90 
  91         const char *directory_attrs[] = {
  92                 "sPNMappings", 
  93                 NULL
  94         };
  95 
  96         tmp_ctx = talloc_new(mem_ctx);
  97         if (!tmp_ctx) {
  98                 return DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
  99         }
 100 
 101         service_dn = ldb_dn_new(tmp_ctx, ldb_ctx, "CN=Directory Service,CN=Windows NT,CN=Services");
 102         if ( ! ldb_dn_add_base(service_dn, samdb_config_dn(ldb_ctx))) {
 103                 return DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
 104         }
 105         service_dn_str = ldb_dn_alloc_linearized(tmp_ctx, service_dn);
 106         if ( ! service_dn_str) {
 107                 return DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
 108         }
 109 
 110         ret = ldb_search(ldb_ctx, tmp_ctx, &res, service_dn, LDB_SCOPE_BASE,
 111                          directory_attrs, "(objectClass=nTDSService)");
 112 
 113         if (ret != LDB_SUCCESS && ret != LDB_ERR_NO_SUCH_OBJECT) {
 114                 DEBUG(1, ("ldb_search: dn: %s not found: %s", service_dn_str, ldb_errstring(ldb_ctx)));
 115                 return DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
 116         } else if (ret == LDB_ERR_NO_SUCH_OBJECT) {
 117                 DEBUG(1, ("ldb_search: dn: %s not found", service_dn_str));
 118                 return DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
 119         } else if (res->count != 1) {
 120                 talloc_free(res);
 121                 DEBUG(1, ("ldb_search: dn: %s not found", service_dn_str));
 122                 return DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
 123         }
 124         
 125         spnmappings = ldb_msg_find_element(res->msgs[0], "sPNMappings");
 126         if (!spnmappings || spnmappings->num_values == 0) {
 127                 DEBUG(1, ("ldb_search: dn: %s no sPNMappings attribute", service_dn_str));
 128                 talloc_free(tmp_ctx);
 129                 return DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
 130         }
 131 
 132         for (i = 0; i < spnmappings->num_values; i++) {
 133                 char *mapping, *p, *str;
 134                 mapping = talloc_strdup(tmp_ctx, 
 135                                         (const char *)spnmappings->values[i].data);
 136                 if (!mapping) {
 137                         DEBUG(1, ("LDB_lookup_spn_alias: ldb_search: dn: %s did not have an sPNMapping\n", service_dn_str));
 138                         talloc_free(tmp_ctx);
 139                         return DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
 140                 }
 141                 
 142                 /* C string manipulation sucks */
 143                 
 144                 p = strchr(mapping, '=');
 145                 if (!p) {
 146                         DEBUG(1, ("ldb_search: dn: %s sPNMapping malformed: %s\n", 
 147                                   service_dn_str, mapping));
 148                         talloc_free(tmp_ctx);
 149                         return DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
 150                 }
 151                 p[0] = '\0';
 152                 p++;
 153                 do {
 154                         str = p;
 155                         p = strchr(p, ',');
 156                         if (p) {
 157                                 p[0] = '\0';
 158                                 p++;
 159                         }
 160                         if (strcasecmp(str, alias_from) == 0) {
 161                                 *alias_to = mapping;
 162                                 talloc_steal(mem_ctx, mapping);
 163                                 talloc_free(tmp_ctx);
 164                                 return DRSUAPI_DS_NAME_STATUS_OK;
 165                         }
 166                 } while (p);
 167         }
 168         DEBUG(4, ("LDB_lookup_spn_alias: no alias for service %s applicable\n", alias_from));
 169         talloc_free(tmp_ctx);
 170         return DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
 171 }
 172 
 173 /* When cracking a ServicePrincipalName, many services may be served
 174  * by the host/ servicePrincipalName.  The incoming query is for cifs/
 175  * but we translate it here, and search on host/.  This is done after
 176  * the cifs/ entry has been searched for, making this a fallback */
 177 
 178 static WERROR DsCrackNameSPNAlias(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
     /* [<][>][^][v][top][bottom][index][help] */
 179                                   struct smb_krb5_context *smb_krb5_context,
 180                                   uint32_t format_flags, uint32_t format_offered, uint32_t format_desired,
 181                                   const char *name, struct drsuapi_DsNameInfo1 *info1)
 182 {
 183         WERROR wret;
 184         krb5_error_code ret;
 185         krb5_principal principal;
 186         const char *service, *dns_name;
 187         char *new_service;
 188         char *new_princ;
 189         enum drsuapi_DsNameStatus namestatus;
 190         
 191         /* parse principal */
 192         ret = krb5_parse_name_flags(smb_krb5_context->krb5_context, 
 193                                     name, KRB5_PRINCIPAL_PARSE_NO_REALM, &principal);
 194         if (ret) {
 195                 DEBUG(2, ("Could not parse principal: %s: %s",
 196                           name, smb_get_krb5_error_message(smb_krb5_context->krb5_context, 
 197                                                            ret, mem_ctx)));
 198                 return WERR_NOMEM;
 199         }
 200         
 201         /* grab cifs/, http/ etc */
 202         
 203         /* This is checked for in callers, but be safe */
 204         if (principal->name.name_string.len < 2) {
 205                 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
 206                 return WERR_OK;
 207         }
 208         service = principal->name.name_string.val[0];
 209         dns_name = principal->name.name_string.val[1];
 210         
 211         /* MAP it */
 212         namestatus = LDB_lookup_spn_alias(smb_krb5_context->krb5_context, 
 213                                           sam_ctx, mem_ctx, 
 214                                           service, &new_service);
 215         
 216         if (namestatus == DRSUAPI_DS_NAME_STATUS_NOT_FOUND) {
 217                 info1->status           = DRSUAPI_DS_NAME_STATUS_DOMAIN_ONLY;
 218                 info1->dns_domain_name  = talloc_strdup(mem_ctx, dns_name);
 219                 if (!info1->dns_domain_name) {
 220                         krb5_free_principal(smb_krb5_context->krb5_context, principal);
 221                         return WERR_NOMEM;
 222                 }
 223                 return WERR_OK;
 224         } else if (namestatus != DRSUAPI_DS_NAME_STATUS_OK) {
 225                 info1->status = namestatus;
 226                 krb5_free_principal(smb_krb5_context->krb5_context, principal);
 227                 return WERR_OK;
 228         }
 229         
 230         /* ooh, very nasty playing around in the Principal... */
 231         free(principal->name.name_string.val[0]);
 232         principal->name.name_string.val[0] = strdup(new_service);
 233         if (!principal->name.name_string.val[0]) {
 234                 krb5_free_principal(smb_krb5_context->krb5_context, principal);
 235                 return WERR_NOMEM;
 236         }
 237         
 238         /* reform principal */
 239         ret = krb5_unparse_name_flags(smb_krb5_context->krb5_context, principal, 
 240                                       KRB5_PRINCIPAL_UNPARSE_NO_REALM, &new_princ);
 241 
 242         if (ret) {
 243                 krb5_free_principal(smb_krb5_context->krb5_context, principal);
 244                 return WERR_NOMEM;
 245         }
 246         
 247         wret = DsCrackNameOneName(sam_ctx, mem_ctx, format_flags, format_offered, format_desired,
 248                                   new_princ, info1);
 249         free(new_princ);
 250         if (W_ERROR_IS_OK(wret) && (info1->status == DRSUAPI_DS_NAME_STATUS_NOT_FOUND)) {
 251                 info1->status           = DRSUAPI_DS_NAME_STATUS_DOMAIN_ONLY;
 252                 info1->dns_domain_name  = talloc_strdup(mem_ctx, dns_name);
 253                 if (!info1->dns_domain_name) {
 254                         wret = WERR_NOMEM;
 255                 }
 256         }
 257         krb5_free_principal(smb_krb5_context->krb5_context, principal);
 258         return wret;
 259 }
 260 
 261 /* Subcase of CrackNames, for the userPrincipalName */
 262 
 263 static WERROR DsCrackNameUPN(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
     /* [<][>][^][v][top][bottom][index][help] */
 264                              struct smb_krb5_context *smb_krb5_context,
 265                              uint32_t format_flags, uint32_t format_offered, uint32_t format_desired,
 266                              const char *name, struct drsuapi_DsNameInfo1 *info1)
 267 {
 268         int ldb_ret;
 269         WERROR status;
 270         const char *domain_filter = NULL;
 271         const char *result_filter = NULL;
 272         krb5_error_code ret;
 273         krb5_principal principal;
 274         char **realm;
 275         char *unparsed_name_short;
 276         const char *domain_attrs[] = { NULL };
 277         struct ldb_result *domain_res = NULL;
 278         
 279         /* Prevent recursion */
 280         if (!name) {
 281                 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
 282                 return WERR_OK;
 283         }
 284 
 285         ret = krb5_parse_name_flags(smb_krb5_context->krb5_context, name, 
 286                                     KRB5_PRINCIPAL_PARSE_MUST_REALM, &principal);
 287         if (ret) {
 288                 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
 289                 return WERR_OK;
 290         }
 291         
 292         realm = krb5_princ_realm(smb_krb5_context->krb5_context, principal);
 293 
 294         ldb_ret = ldb_search(sam_ctx, mem_ctx, &domain_res,
 295                                      samdb_partitions_dn(sam_ctx, mem_ctx), 
 296                                      LDB_SCOPE_ONELEVEL,
 297                                      domain_attrs,
 298                                      "(&(&(|(&(dnsRoot=%s)(nETBIOSName=*))(nETBIOSName=%s))(objectclass=crossRef))(ncName=*))",
 299                                      ldb_binary_encode_string(mem_ctx, *realm), 
 300                                      ldb_binary_encode_string(mem_ctx, *realm));
 301 
 302         if (ldb_ret != LDB_SUCCESS) {
 303                 DEBUG(2, ("DsCrackNameUPN domain ref search failed: %s", ldb_errstring(sam_ctx)));
 304                 info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
 305                 return WERR_OK;
 306         }
 307         
 308         switch (domain_res->count) {
 309         case 1:
 310                 break;
 311         case 0:
 312                 return dns_domain_from_principal(mem_ctx, smb_krb5_context, 
 313                                                  name, info1);
 314         default:
 315                 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_UNIQUE;
 316                 return WERR_OK;
 317         }
 318         
 319         ret = krb5_unparse_name_flags(smb_krb5_context->krb5_context, principal, 
 320                                       KRB5_PRINCIPAL_UNPARSE_NO_REALM, &unparsed_name_short);
 321         krb5_free_principal(smb_krb5_context->krb5_context, principal);
 322                 
 323         if (ret) {
 324                 free(unparsed_name_short);
 325                 return WERR_NOMEM;
 326         }
 327         
 328         /* This may need to be extended for more userPrincipalName variations */
 329         result_filter = talloc_asprintf(mem_ctx, "(&(objectClass=user)(samAccountName=%s))", 
 330                                         ldb_binary_encode_string(mem_ctx, unparsed_name_short));
 331 
 332         domain_filter = talloc_asprintf(mem_ctx, "(distinguishedName=%s)", ldb_dn_get_linearized(domain_res->msgs[0]->dn));
 333 
 334         if (!result_filter || !domain_filter) {
 335                 free(unparsed_name_short);
 336                 return WERR_NOMEM;
 337         }
 338         status = DsCrackNameOneFilter(sam_ctx, mem_ctx, 
 339                                       smb_krb5_context, 
 340                                       format_flags, format_offered, format_desired, 
 341                                       NULL, unparsed_name_short, domain_filter, result_filter, 
 342                                       info1);
 343         free(unparsed_name_short);
 344 
 345         return status;
 346 }
 347 
 348 /* Crack a single 'name', from format_offered into format_desired, returning the result in info1 */
 349 
 350 WERROR DsCrackNameOneName(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
     /* [<][>][^][v][top][bottom][index][help] */
 351                           uint32_t format_flags, uint32_t format_offered, uint32_t format_desired,
 352                           const char *name, struct drsuapi_DsNameInfo1 *info1)
 353 {
 354         krb5_error_code ret;
 355         const char *domain_filter = NULL;
 356         const char *result_filter = NULL;
 357         struct ldb_dn *name_dn = NULL;
 358 
 359         struct smb_krb5_context *smb_krb5_context = NULL;
 360 
 361         info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
 362         info1->dns_domain_name = NULL;
 363         info1->result_name = NULL;
 364 
 365         if (!name) {
 366                 return WERR_INVALID_PARAM;
 367         }
 368 
 369         /* TODO: - fill the correct names in all cases!
 370          *       - handle format_flags
 371          */
 372 
 373         /* here we need to set the domain_filter and/or the result_filter */
 374         switch (format_offered) {
 375         case DRSUAPI_DS_NAME_FORMAT_UNKNOWN:
 376         {
 377                 int i;
 378                 enum drsuapi_DsNameFormat formats[] = {
 379                         DRSUAPI_DS_NAME_FORMAT_FQDN_1779, DRSUAPI_DS_NAME_FORMAT_USER_PRINCIPAL,
 380                         DRSUAPI_DS_NAME_FORMAT_NT4_ACCOUNT, DRSUAPI_DS_NAME_FORMAT_CANONICAL,
 381                         DRSUAPI_DS_NAME_FORMAT_GUID, DRSUAPI_DS_NAME_FORMAT_DISPLAY,
 382                         DRSUAPI_DS_NAME_FORMAT_SERVICE_PRINCIPAL,
 383                         DRSUAPI_DS_NAME_FORMAT_SID_OR_SID_HISTORY,
 384                         DRSUAPI_DS_NAME_FORMAT_CANONICAL_EX
 385                 };
 386                 WERROR werr;
 387                 for (i=0; i < ARRAY_SIZE(formats); i++) {
 388                         werr = DsCrackNameOneName(sam_ctx, mem_ctx, format_flags, formats[i], format_desired, name, info1);
 389                         if (!W_ERROR_IS_OK(werr)) {
 390                                 return werr;
 391                         }
 392                         if (info1->status != DRSUAPI_DS_NAME_STATUS_NOT_FOUND) {
 393                                 return werr;
 394                         }
 395                 }
 396                 return werr;
 397         }
 398 
 399         case DRSUAPI_DS_NAME_FORMAT_CANONICAL:
 400         case DRSUAPI_DS_NAME_FORMAT_CANONICAL_EX:
 401         {
 402                 char *str, *s, *account;
 403                 
 404                 if (strlen(name) == 0) {
 405                         info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
 406                         return WERR_OK;
 407                 }
 408                 
 409                 str = talloc_strdup(mem_ctx, name);
 410                 W_ERROR_HAVE_NO_MEMORY(str);
 411                 
 412                 if (format_offered == DRSUAPI_DS_NAME_FORMAT_CANONICAL_EX) {
 413                         /* Look backwards for the \n, and replace it with / */
 414                         s = strrchr(str, '\n');
 415                         if (!s) {
 416                                 info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
 417                                 return WERR_OK;
 418                         }
 419                         s[0] = '/';
 420                 }
 421 
 422                 s = strchr(str, '/');
 423                 if (!s) {
 424                         /* there must be at least one / */
 425                         info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
 426                         return WERR_OK;
 427                 }
 428                 
 429                 s[0] = '\0';
 430                 s++;
 431 
 432                 domain_filter = talloc_asprintf(mem_ctx, "(&(objectClass=crossRef)(ncName=%s))", 
 433                                                 ldb_dn_get_linearized(samdb_dns_domain_to_dn(sam_ctx, mem_ctx, str)));
 434                 W_ERROR_HAVE_NO_MEMORY(domain_filter);
 435 
 436                 /* There may not be anything after the domain component (search for the domain itself) */
 437                 if (s[0]) {
 438                         
 439                         account = strrchr(s, '/');
 440                         if (!account) {
 441                                 account = s;
 442                         } else {
 443                                 account++;
 444                         }
 445                         account = ldb_binary_encode_string(mem_ctx, account);
 446                         W_ERROR_HAVE_NO_MEMORY(account);
 447                         result_filter = talloc_asprintf(mem_ctx, "(name=%s)",
 448                                                         account);              
 449                         W_ERROR_HAVE_NO_MEMORY(result_filter);
 450                 }
 451                 break;
 452         }
 453         case DRSUAPI_DS_NAME_FORMAT_NT4_ACCOUNT: {
 454                 char *p;
 455                 char *domain;
 456                 const char *account = NULL;
 457                 
 458                 domain = talloc_strdup(mem_ctx, name);
 459                 W_ERROR_HAVE_NO_MEMORY(domain);
 460                 
 461                 p = strchr(domain, '\\');
 462                 if (!p) {
 463                         /* invalid input format */
 464                         info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
 465                         return WERR_OK;
 466                 }
 467                 p[0] = '\0';
 468                 
 469                 if (p[1]) {
 470                         account = &p[1];
 471                 }
 472                 
 473                 domain_filter = talloc_asprintf(mem_ctx, 
 474                                                 "(&(&(nETBIOSName=%s)(objectclass=crossRef))(ncName=*))", 
 475                                                 ldb_binary_encode_string(mem_ctx, domain));
 476                 W_ERROR_HAVE_NO_MEMORY(domain_filter);
 477                 if (account) {
 478                         result_filter = talloc_asprintf(mem_ctx, "(sAMAccountName=%s)",
 479                                                         ldb_binary_encode_string(mem_ctx, account));
 480                         W_ERROR_HAVE_NO_MEMORY(result_filter);
 481                 }
 482                 
 483                 talloc_free(domain);
 484                 break;
 485         }
 486 
 487                 /* A LDAP DN as a string */
 488         case DRSUAPI_DS_NAME_FORMAT_FQDN_1779: {
 489                 domain_filter = NULL;
 490                 name_dn = ldb_dn_new(mem_ctx, sam_ctx, name);
 491                 if (! ldb_dn_validate(name_dn)) {
 492                         info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
 493                         return WERR_OK;
 494                 }
 495                 break;
 496         }
 497 
 498                 /* A GUID as a string */
 499         case DRSUAPI_DS_NAME_FORMAT_GUID: {
 500                 struct GUID guid;
 501                 char *ldap_guid;
 502                 NTSTATUS nt_status;
 503                 domain_filter = NULL;
 504 
 505                 nt_status = GUID_from_string(name, &guid);
 506                 if (!NT_STATUS_IS_OK(nt_status)) {
 507                         info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
 508                         return WERR_OK;
 509                 }
 510                         
 511                 ldap_guid = ldap_encode_ndr_GUID(mem_ctx, &guid);
 512                 if (!ldap_guid) {
 513                         return WERR_NOMEM;
 514                 }
 515                 result_filter = talloc_asprintf(mem_ctx, "(objectGUID=%s)",
 516                                                 ldap_guid);
 517                 W_ERROR_HAVE_NO_MEMORY(result_filter);
 518                 break;
 519         }
 520         case DRSUAPI_DS_NAME_FORMAT_DISPLAY: {
 521                 domain_filter = NULL;
 522 
 523                 result_filter = talloc_asprintf(mem_ctx, "(|(displayName=%s)(samAccountName=%s))",
 524                                                 ldb_binary_encode_string(mem_ctx, name), 
 525                                                 ldb_binary_encode_string(mem_ctx, name));
 526                 W_ERROR_HAVE_NO_MEMORY(result_filter);
 527                 break;
 528         }
 529         
 530                 /* A S-1234-5678 style string */
 531         case DRSUAPI_DS_NAME_FORMAT_SID_OR_SID_HISTORY: {
 532                 struct dom_sid *sid = dom_sid_parse_talloc(mem_ctx, name);
 533                 char *ldap_sid;
 534                                                                             
 535                 domain_filter = NULL;
 536                 if (!sid) {
 537                         info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
 538                         return WERR_OK;
 539                 }
 540                 ldap_sid = ldap_encode_ndr_dom_sid(mem_ctx, 
 541                                                    sid);
 542                 if (!ldap_sid) {
 543                         return WERR_NOMEM;
 544                 }
 545                 result_filter = talloc_asprintf(mem_ctx, "(objectSid=%s)",
 546                                                 ldap_sid);
 547                 W_ERROR_HAVE_NO_MEMORY(result_filter);
 548                 break;
 549         }
 550         case DRSUAPI_DS_NAME_FORMAT_USER_PRINCIPAL: {
 551                 krb5_principal principal;
 552                 char *unparsed_name;
 553 
 554                 ret = smb_krb5_init_context(mem_ctx, 
 555                                             ldb_get_event_context(sam_ctx),
 556                                             (struct loadparm_context *)ldb_get_opaque(sam_ctx, "loadparm"), 
 557                                             &smb_krb5_context);
 558                 
 559                 if (ret) {
 560                         return WERR_NOMEM;
 561                 }
 562 
 563                 ret = krb5_parse_name(smb_krb5_context->krb5_context, name, &principal);
 564                 if (ret) {
 565                         info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
 566                         return WERR_OK;
 567                 }
 568                 
 569                 domain_filter = NULL;
 570                 
 571                 ret = krb5_unparse_name(smb_krb5_context->krb5_context, principal, &unparsed_name);
 572                 if (ret) {
 573                         krb5_free_principal(smb_krb5_context->krb5_context, principal);
 574                         return WERR_NOMEM;
 575                 }
 576 
 577                 krb5_free_principal(smb_krb5_context->krb5_context, principal);
 578                 result_filter = talloc_asprintf(mem_ctx, "(&(objectClass=user)(userPrincipalName=%s))", 
 579                                                 ldb_binary_encode_string(mem_ctx, unparsed_name));
 580                 
 581                 free(unparsed_name);
 582                 W_ERROR_HAVE_NO_MEMORY(result_filter);
 583                 break;
 584         }
 585         case DRSUAPI_DS_NAME_FORMAT_SERVICE_PRINCIPAL: {
 586                 krb5_principal principal;
 587                 char *unparsed_name_short;
 588                 char *service;
 589 
 590                 ret = smb_krb5_init_context(mem_ctx, 
 591                                             ldb_get_event_context(sam_ctx),
 592                                             (struct loadparm_context *)ldb_get_opaque(sam_ctx, "loadparm"), 
 593                                             &smb_krb5_context);
 594                 
 595                 if (ret) {
 596                         return WERR_NOMEM;
 597                 }
 598 
 599                 ret = krb5_parse_name(smb_krb5_context->krb5_context, name, &principal);
 600                 if (ret == 0 && principal->name.name_string.len < 2) {
 601                         info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
 602                         krb5_free_principal(smb_krb5_context->krb5_context, principal);
 603                         return WERR_OK;
 604                 }
 605                 ret = krb5_parse_name_flags(smb_krb5_context->krb5_context, name, 
 606                                             KRB5_PRINCIPAL_PARSE_NO_REALM, &principal);
 607                 if (ret) {
 608                         krb5_free_principal(smb_krb5_context->krb5_context, principal);
 609 
 610                         return dns_domain_from_principal(mem_ctx, smb_krb5_context,
 611                                                          name, info1);
 612                 }
 613 
 614                 domain_filter = NULL;
 615                 
 616                 ret = krb5_unparse_name_flags(smb_krb5_context->krb5_context, principal, 
 617                                               KRB5_PRINCIPAL_UNPARSE_NO_REALM, &unparsed_name_short);
 618                 if (ret) {
 619                         krb5_free_principal(smb_krb5_context->krb5_context, principal);
 620                         return WERR_NOMEM;
 621                 }
 622 
 623                 service = principal->name.name_string.val[0];
 624                 if ((principal->name.name_string.len == 2) && (strcasecmp(service, "host") == 0)) {
 625                         /* the 'cn' attribute is just the leading part of the name */
 626                         char *computer_name;
 627                         computer_name = talloc_strndup(mem_ctx, principal->name.name_string.val[1], 
 628                                                       strcspn(principal->name.name_string.val[1], "."));
 629                         if (computer_name == NULL) {
 630                                 return WERR_NOMEM;
 631                         }
 632 
 633                         result_filter = talloc_asprintf(mem_ctx, "(|(&(servicePrincipalName=%s)(objectClass=user))(&(cn=%s)(objectClass=computer)))", 
 634                                                         ldb_binary_encode_string(mem_ctx, unparsed_name_short), 
 635                                                         ldb_binary_encode_string(mem_ctx, computer_name));
 636                 } else {
 637                         result_filter = talloc_asprintf(mem_ctx, "(&(servicePrincipalName=%s)(objectClass=user))",
 638                                                         ldb_binary_encode_string(mem_ctx, unparsed_name_short));
 639                 }
 640                 krb5_free_principal(smb_krb5_context->krb5_context, principal);
 641                 free(unparsed_name_short);
 642                 W_ERROR_HAVE_NO_MEMORY(result_filter);
 643                 
 644                 break;
 645         }
 646         default: {
 647                 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
 648                 return WERR_OK;
 649         }
 650 
 651         }
 652 
 653         if (format_flags & DRSUAPI_DS_NAME_FLAG_SYNTACTICAL_ONLY) {
 654                 return DsCrackNameOneSyntactical(mem_ctx, format_offered, format_desired,
 655                                                  name_dn, name, info1);
 656         }
 657         
 658         return DsCrackNameOneFilter(sam_ctx, mem_ctx, 
 659                                     smb_krb5_context, 
 660                                     format_flags, format_offered, format_desired, 
 661                                     name_dn, name, 
 662                                     domain_filter, result_filter, 
 663                                     info1);
 664 }
 665 
 666 /* Subcase of CrackNames.  It is possible to translate a LDAP-style DN
 667  * (FQDN_1779) into a canoical name without actually searching the
 668  * database */
 669 
 670 static WERROR DsCrackNameOneSyntactical(TALLOC_CTX *mem_ctx,
     /* [<][>][^][v][top][bottom][index][help] */
 671                                         uint32_t format_offered, uint32_t format_desired,
 672                                         struct ldb_dn *name_dn, const char *name, 
 673                                         struct drsuapi_DsNameInfo1 *info1)
 674 {
 675         char *cracked;
 676         if (format_offered != DRSUAPI_DS_NAME_FORMAT_FQDN_1779) {
 677                 info1->status = DRSUAPI_DS_NAME_STATUS_NO_SYNTACTICAL_MAPPING;
 678                 return WERR_OK;
 679         }
 680 
 681         switch (format_desired) {
 682         case DRSUAPI_DS_NAME_FORMAT_CANONICAL: 
 683                 cracked = ldb_dn_canonical_string(mem_ctx, name_dn);
 684                 break;
 685         case DRSUAPI_DS_NAME_FORMAT_CANONICAL_EX:
 686                 cracked = ldb_dn_canonical_ex_string(mem_ctx, name_dn);
 687                 break;
 688         default:
 689                 info1->status = DRSUAPI_DS_NAME_STATUS_NO_SYNTACTICAL_MAPPING;
 690                 return WERR_OK;
 691         }
 692         info1->status = DRSUAPI_DS_NAME_STATUS_OK;
 693         info1->result_name      = cracked;
 694         if (!cracked) {
 695                 return WERR_NOMEM;
 696         }
 697         
 698         return WERR_OK; 
 699 }
 700 
 701 /* Given a filter for the domain, and one for the result, perform the
 702  * ldb search. The format offered and desired flags change the
 703  * behaviours, including what attributes to return.
 704  *
 705  * The smb_krb5_context is required because we use the krb5 libs for principal parsing
 706  */
 707 
 708 static WERROR DsCrackNameOneFilter(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
     /* [<][>][^][v][top][bottom][index][help] */
 709                                    struct smb_krb5_context *smb_krb5_context,
 710                                    uint32_t format_flags, uint32_t format_offered, uint32_t format_desired,
 711                                    struct ldb_dn *name_dn, const char *name, 
 712                                    const char *domain_filter, const char *result_filter, 
 713                                    struct drsuapi_DsNameInfo1 *info1)
 714 {
 715         int ldb_ret;
 716         struct ldb_result *domain_res = NULL;
 717         const char * const *domain_attrs;
 718         const char * const *result_attrs;
 719         struct ldb_message **result_res = NULL;
 720         struct ldb_message *result = NULL;
 721         struct ldb_dn *result_basedn = NULL;
 722         int i;
 723         char *p;
 724         struct ldb_dn *partitions_basedn = samdb_partitions_dn(sam_ctx, mem_ctx);
 725 
 726         const char * const _domain_attrs_1779[] = { "ncName", "dnsRoot", NULL};
 727         const char * const _result_attrs_null[] = { NULL };
 728 
 729         const char * const _domain_attrs_canonical[] = { "ncName", "dnsRoot", NULL};
 730         const char * const _result_attrs_canonical[] = { "canonicalName", NULL };
 731 
 732         const char * const _domain_attrs_nt4[] = { "ncName", "dnsRoot", "nETBIOSName", NULL};
 733         const char * const _result_attrs_nt4[] = { "sAMAccountName", "objectSid", "objectClass", NULL};
 734                 
 735         const char * const _domain_attrs_guid[] = { "ncName", "dnsRoot", NULL};
 736         const char * const _result_attrs_guid[] = { "objectGUID", NULL};
 737                 
 738         const char * const _domain_attrs_display[] = { "ncName", "dnsRoot", NULL};
 739         const char * const _result_attrs_display[] = { "displayName", "samAccountName", NULL};
 740 
 741         const char * const _domain_attrs_none[] = { "ncName", "dnsRoot" , NULL};
 742         const char * const _result_attrs_none[] = { NULL};
 743 
 744         /* here we need to set the attrs lists for domain and result lookups */
 745         switch (format_desired) {
 746         case DRSUAPI_DS_NAME_FORMAT_FQDN_1779:
 747         case DRSUAPI_DS_NAME_FORMAT_CANONICAL_EX:
 748                 domain_attrs = _domain_attrs_1779;
 749                 result_attrs = _result_attrs_null;
 750                 break;
 751         case DRSUAPI_DS_NAME_FORMAT_CANONICAL:
 752                 domain_attrs = _domain_attrs_canonical;
 753                 result_attrs = _result_attrs_canonical;
 754                 break;
 755         case DRSUAPI_DS_NAME_FORMAT_NT4_ACCOUNT:
 756                 domain_attrs = _domain_attrs_nt4;
 757                 result_attrs = _result_attrs_nt4;
 758                 break;
 759         case DRSUAPI_DS_NAME_FORMAT_GUID:               
 760                 domain_attrs = _domain_attrs_guid;
 761                 result_attrs = _result_attrs_guid;
 762                 break;
 763         case DRSUAPI_DS_NAME_FORMAT_DISPLAY:            
 764                 domain_attrs = _domain_attrs_display;
 765                 result_attrs = _result_attrs_display;
 766                 break;
 767         default:
 768                 domain_attrs = _domain_attrs_none;
 769                 result_attrs = _result_attrs_none;
 770                 break;
 771         }
 772 
 773         if (domain_filter) {
 774                 /* if we have a domain_filter look it up and set the result_basedn and the dns_domain_name */
 775                 ldb_ret = ldb_search(sam_ctx, mem_ctx, &domain_res,
 776                                              partitions_basedn,
 777                                              LDB_SCOPE_ONELEVEL,
 778                                              domain_attrs,
 779                                              "%s", domain_filter);
 780                 
 781                 if (ldb_ret != LDB_SUCCESS) {
 782                         DEBUG(2, ("DsCrackNameOneFilter domain ref search failed: %s", ldb_errstring(sam_ctx)));
 783                         info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
 784                         return WERR_OK;
 785                 }
 786                 
 787                 switch (domain_res->count) {
 788                 case 1:
 789                         break;
 790                 case 0:
 791                         info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
 792                         return WERR_OK;
 793                 default:
 794                         info1->status = DRSUAPI_DS_NAME_STATUS_NOT_UNIQUE;
 795                         return WERR_OK;
 796                 }
 797 
 798                 info1->dns_domain_name  = samdb_result_string(domain_res->msgs[0], "dnsRoot", NULL);
 799                 W_ERROR_HAVE_NO_MEMORY(info1->dns_domain_name);
 800                 info1->status           = DRSUAPI_DS_NAME_STATUS_DOMAIN_ONLY;
 801         } else {
 802                 info1->dns_domain_name  = NULL;
 803                 info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
 804         }
 805 
 806         if (result_filter) {
 807                 int ret;
 808                 struct ldb_result *res;
 809                 if (domain_res) {
 810                         result_basedn = samdb_result_dn(sam_ctx, mem_ctx, domain_res->msgs[0], "ncName", NULL);
 811                         
 812                         ret = ldb_search(sam_ctx, mem_ctx, &res,
 813                                                  result_basedn, LDB_SCOPE_SUBTREE, 
 814                                                  result_attrs, "%s", result_filter);
 815                         if (ret != LDB_SUCCESS) {
 816                                 talloc_free(result_res);
 817                                 info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
 818                                 return WERR_OK;
 819                         }
 820                         ldb_ret = res->count;
 821                         result_res = res->msgs;
 822                 } else {
 823                         /* search with the 'phantom root' flag */
 824                         struct ldb_request *req;
 825 
 826                         res = talloc_zero(mem_ctx, struct ldb_result);
 827                         W_ERROR_HAVE_NO_MEMORY(res);
 828                         
 829                         ret = ldb_build_search_req(&req, sam_ctx, mem_ctx,
 830                                                    ldb_get_root_basedn(sam_ctx),
 831                                                    LDB_SCOPE_SUBTREE,
 832                                                    result_filter,
 833                                                    result_attrs,
 834                                                    NULL,
 835                                                    res,
 836                                                    ldb_search_default_callback,
 837                                                    NULL);
 838                         if (ret == LDB_SUCCESS) {
 839                                 struct ldb_search_options_control *search_options;
 840                                 search_options = talloc(req, struct ldb_search_options_control);
 841                                 W_ERROR_HAVE_NO_MEMORY(search_options);
 842                                 search_options->search_options = LDB_SEARCH_OPTION_PHANTOM_ROOT;
 843 
 844                                 ret = ldb_request_add_control(req, LDB_CONTROL_SEARCH_OPTIONS_OID, false, search_options);
 845                         }
 846                         if (ret != LDB_SUCCESS) {
 847                                 talloc_free(res);
 848                                 info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
 849                                 return WERR_OK;
 850                         }
 851                         
 852                         ret = ldb_request(sam_ctx, req);
 853                         
 854                         if (ret == LDB_SUCCESS) {
 855                                 ret = ldb_wait(req->handle, LDB_WAIT_ALL);
 856                         }
 857                         
 858                         talloc_free(req);
 859 
 860                         if (ret != LDB_SUCCESS) {
 861                                 DEBUG(2, ("DsCrackNameOneFilter phantom root search failed: %s", 
 862                                           ldb_errstring(sam_ctx)));
 863                                 info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
 864                                 return WERR_OK;
 865                         }
 866                         ldb_ret = res->count;
 867                         result_res = res->msgs;
 868                 }
 869         } else if (format_offered == DRSUAPI_DS_NAME_FORMAT_FQDN_1779) {
 870                 ldb_ret = gendb_search_dn(sam_ctx, mem_ctx, name_dn, &result_res,
 871                                           result_attrs);
 872         } else if (domain_res) {
 873                 name_dn = samdb_result_dn(sam_ctx, mem_ctx, domain_res->msgs[0], "ncName", NULL);
 874                 ldb_ret = gendb_search_dn(sam_ctx, mem_ctx, name_dn, &result_res,
 875                                           result_attrs);
 876         } else {
 877                 /* Can't happen */
 878                 DEBUG(0, ("LOGIC ERROR: DsCrackNameOneFilter domain ref search not availible: This can't happen..."));
 879                 info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
 880                 return WERR_OK;
 881         }
 882 
 883         switch (ldb_ret) {
 884         case 1:
 885                 result = result_res[0];
 886                 break;
 887         case 0:
 888                 switch (format_offered) {
 889                 case DRSUAPI_DS_NAME_FORMAT_SERVICE_PRINCIPAL: 
 890                         return DsCrackNameSPNAlias(sam_ctx, mem_ctx, 
 891                                                    smb_krb5_context, 
 892                                                    format_flags, format_offered, format_desired,
 893                                                    name, info1);
 894                         
 895                 case DRSUAPI_DS_NAME_FORMAT_USER_PRINCIPAL:
 896                         return DsCrackNameUPN(sam_ctx, mem_ctx, smb_krb5_context, 
 897                                               format_flags, format_offered, format_desired,
 898                                               name, info1);
 899                 }
 900                 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
 901                 return WERR_OK;
 902         case -1:
 903                 DEBUG(2, ("DsCrackNameOneFilter result search failed: %s", ldb_errstring(sam_ctx)));
 904                 info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
 905                 return WERR_OK;
 906         default:
 907                 switch (format_offered) {
 908                 case DRSUAPI_DS_NAME_FORMAT_CANONICAL:
 909                 case DRSUAPI_DS_NAME_FORMAT_CANONICAL_EX:
 910                 {
 911                         const char *canonical_name = NULL; /* Not required, but we get warnings... */
 912                         /* We may need to manually filter further */
 913                         for (i = 0; i < ldb_ret; i++) {
 914                                 switch (format_offered) {
 915                                 case DRSUAPI_DS_NAME_FORMAT_CANONICAL:
 916                                         canonical_name = ldb_dn_canonical_string(mem_ctx, result_res[i]->dn);
 917                                         break;
 918                                 case DRSUAPI_DS_NAME_FORMAT_CANONICAL_EX:
 919                                         canonical_name = ldb_dn_canonical_ex_string(mem_ctx, result_res[i]->dn);
 920                                         break;
 921                                 }
 922                                 if (strcasecmp_m(canonical_name, name) == 0) {
 923                                         result = result_res[i];
 924                                         break;
 925                                 }
 926                         }
 927                         if (!result) {
 928                                 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
 929                                 return WERR_OK;
 930                         }
 931                 }
 932                 default:
 933                         info1->status = DRSUAPI_DS_NAME_STATUS_NOT_UNIQUE;
 934                         return WERR_OK;
 935                 }
 936         }
 937 
 938         info1->dns_domain_name = ldb_dn_canonical_string(mem_ctx, result->dn);
 939         W_ERROR_HAVE_NO_MEMORY(info1->dns_domain_name);
 940         p = strchr(info1->dns_domain_name, '/');
 941         if (p) {
 942                 p[0] = '\0';
 943         }
 944         
 945         /* here we can use result and domain_res[0] */
 946         switch (format_desired) {
 947         case DRSUAPI_DS_NAME_FORMAT_FQDN_1779: {
 948                 info1->result_name      = ldb_dn_alloc_linearized(mem_ctx, result->dn);
 949                 W_ERROR_HAVE_NO_MEMORY(info1->result_name);
 950 
 951                 info1->status           = DRSUAPI_DS_NAME_STATUS_OK;
 952                 return WERR_OK;
 953         }
 954         case DRSUAPI_DS_NAME_FORMAT_CANONICAL: {
 955                 info1->result_name      = samdb_result_string(result, "canonicalName", NULL);
 956                 info1->status           = DRSUAPI_DS_NAME_STATUS_OK;
 957                 return WERR_OK;
 958         }
 959         case DRSUAPI_DS_NAME_FORMAT_CANONICAL_EX: {
 960                 /* Not in the virtual ldb attribute */
 961                 return DsCrackNameOneSyntactical(mem_ctx, 
 962                                                  DRSUAPI_DS_NAME_FORMAT_FQDN_1779, 
 963                                                  DRSUAPI_DS_NAME_FORMAT_CANONICAL_EX,
 964                                                  result->dn, name, info1);
 965         }
 966         case DRSUAPI_DS_NAME_FORMAT_NT4_ACCOUNT: {
 967 
 968                 const struct dom_sid *sid = samdb_result_dom_sid(mem_ctx, result, "objectSid");
 969                 const char *_acc = "", *_dom = "";
 970                 
 971                 if (samdb_find_attribute(sam_ctx, result, "objectClass", "domain")) {
 972 
 973                         ldb_ret = ldb_search(sam_ctx, mem_ctx, &domain_res,
 974                                                      partitions_basedn,
 975                                                      LDB_SCOPE_ONELEVEL,
 976                                                      domain_attrs,
 977                                                      "(ncName=%s)", ldb_dn_get_linearized(result->dn));
 978                         
 979                         if (ldb_ret != LDB_SUCCESS) {
 980                                 DEBUG(2, ("DsCrackNameOneFilter domain ref search failed: %s", ldb_errstring(sam_ctx)));
 981                                 info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
 982                                 return WERR_OK;
 983                         }
 984                         
 985                         switch (domain_res->count) {
 986                         case 1:
 987                                 break;
 988                         case 0:
 989                                 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
 990                                 return WERR_OK;
 991                         default:
 992                                 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_UNIQUE;
 993                                 return WERR_OK;
 994                         }
 995                         _dom = samdb_result_string(domain_res->msgs[0], "nETBIOSName", NULL);
 996                         W_ERROR_HAVE_NO_MEMORY(_dom);
 997                 } else {
 998                         _acc = samdb_result_string(result, "sAMAccountName", NULL);
 999                         if (!_acc) {
1000                                 info1->status = DRSUAPI_DS_NAME_STATUS_NO_MAPPING;
1001                                 return WERR_OK;
1002                         }
1003                         if (dom_sid_in_domain(dom_sid_parse_talloc(mem_ctx, SID_BUILTIN), sid)) {
1004                                 _dom = "BUILTIN";
1005                         } else {
1006                                 const char *attrs[] = { NULL };
1007                                 struct ldb_result *domain_res2;
1008                                 struct dom_sid *dom_sid = dom_sid_dup(mem_ctx, sid);
1009                                 if (!dom_sid) {
1010                                         return WERR_OK;
1011                                 }
1012                                 dom_sid->num_auths--;
1013                                 ldb_ret = ldb_search(sam_ctx, mem_ctx, &domain_res,
1014                                                              NULL,
1015                                                              LDB_SCOPE_BASE,
1016                                                              attrs,
1017                                                              "(&(objectSid=%s)(objectClass=domain))", 
1018                                                              ldap_encode_ndr_dom_sid(mem_ctx, dom_sid));
1019                                 
1020                                 if (ldb_ret != LDB_SUCCESS) {
1021                                         DEBUG(2, ("DsCrackNameOneFilter domain search failed: %s", ldb_errstring(sam_ctx)));
1022                                         info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
1023                                         return WERR_OK;
1024                                 }
1025                                 
1026                                 switch (domain_res->count) {
1027                                 case 1:
1028                                         break;
1029                                 case 0:
1030                                         info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
1031                                         return WERR_OK;
1032                                 default:
1033                                         info1->status = DRSUAPI_DS_NAME_STATUS_NOT_UNIQUE;
1034                                         return WERR_OK;
1035                                 }
1036 
1037                                 ldb_ret = ldb_search(sam_ctx, mem_ctx, &domain_res2,
1038                                                              partitions_basedn,
1039                                                              LDB_SCOPE_ONELEVEL,
1040                                                              domain_attrs,
1041                                                              "(ncName=%s)", ldb_dn_get_linearized(domain_res->msgs[0]->dn));
1042                                 
1043                                 if (ldb_ret != LDB_SUCCESS) {
1044                                         DEBUG(2, ("DsCrackNameOneFilter domain ref search failed: %s", ldb_errstring(sam_ctx)));
1045                                         info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
1046                                         return WERR_OK;
1047                                 }
1048                                 
1049                                 switch (domain_res2->count) {
1050                                 case 1:
1051                                         break;
1052                                 case 0:
1053                                         info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
1054                                         return WERR_OK;
1055                                 default:
1056                                         info1->status = DRSUAPI_DS_NAME_STATUS_NOT_UNIQUE;
1057                                         return WERR_OK;
1058                                 }
1059                                 _dom = samdb_result_string(domain_res2->msgs[0], "nETBIOSName", NULL);
1060                                 W_ERROR_HAVE_NO_MEMORY(_dom);
1061                         }
1062                 }
1063 
1064                 info1->result_name      = talloc_asprintf(mem_ctx, "%s\\%s", _dom, _acc);
1065                 W_ERROR_HAVE_NO_MEMORY(info1->result_name);
1066                 
1067                 info1->status           = DRSUAPI_DS_NAME_STATUS_OK;
1068                 return WERR_OK;
1069         }
1070         case DRSUAPI_DS_NAME_FORMAT_GUID: {
1071                 struct GUID guid;
1072                 
1073                 guid = samdb_result_guid(result, "objectGUID");
1074                 
1075                 info1->result_name      = GUID_string2(mem_ctx, &guid);
1076                 W_ERROR_HAVE_NO_MEMORY(info1->result_name);
1077                 
1078                 info1->status           = DRSUAPI_DS_NAME_STATUS_OK;
1079                 return WERR_OK;
1080         }
1081         case DRSUAPI_DS_NAME_FORMAT_DISPLAY: {
1082                 info1->result_name      = samdb_result_string(result, "displayName", NULL);
1083                 if (!info1->result_name) {
1084                         info1->result_name      = samdb_result_string(result, "sAMAccountName", NULL);
1085                 } 
1086                 if (!info1->result_name) {
1087                         info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
1088                 } else {
1089                         info1->status = DRSUAPI_DS_NAME_STATUS_OK;
1090                 }
1091                 return WERR_OK;
1092         }
1093         case DRSUAPI_DS_NAME_FORMAT_SERVICE_PRINCIPAL: {
1094                 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_UNIQUE;
1095                 return WERR_OK;
1096         }
1097         case DRSUAPI_DS_NAME_FORMAT_DNS_DOMAIN: 
1098         case DRSUAPI_DS_NAME_FORMAT_SID_OR_SID_HISTORY: {
1099                 info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
1100                 return WERR_OK;
1101         }
1102         default:
1103                 info1->status = DRSUAPI_DS_NAME_STATUS_NO_MAPPING;
1104                 return WERR_OK;
1105         }
1106 }
1107 
1108 /* Given a user Principal Name (such as foo@bar.com),
1109  * return the user and domain DNs.  This is used in the KDC to then
1110  * return the Keys and evaluate policy */
1111 
1112 NTSTATUS crack_user_principal_name(struct ldb_context *sam_ctx, 
     /* [<][>][^][v][top][bottom][index][help] */
1113                                    TALLOC_CTX *mem_ctx, 
1114                                    const char *user_principal_name, 
1115                                    struct ldb_dn **user_dn,
1116                                    struct ldb_dn **domain_dn) 
1117 {
1118         WERROR werr;
1119         struct drsuapi_DsNameInfo1 info1;
1120         werr = DsCrackNameOneName(sam_ctx, mem_ctx, 0,
1121                                   DRSUAPI_DS_NAME_FORMAT_USER_PRINCIPAL,
1122                                   DRSUAPI_DS_NAME_FORMAT_FQDN_1779, 
1123                                   user_principal_name,
1124                                   &info1);
1125         if (!W_ERROR_IS_OK(werr)) {
1126                 return werror_to_ntstatus(werr);
1127         }
1128         switch (info1.status) {
1129         case DRSUAPI_DS_NAME_STATUS_OK:
1130                 break;
1131         case DRSUAPI_DS_NAME_STATUS_NOT_FOUND:
1132         case DRSUAPI_DS_NAME_STATUS_DOMAIN_ONLY:
1133         case DRSUAPI_DS_NAME_STATUS_NOT_UNIQUE:
1134                 return NT_STATUS_NO_SUCH_USER;
1135         case DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR:
1136         default:
1137                 return NT_STATUS_UNSUCCESSFUL;
1138         }
1139         
1140         *user_dn = ldb_dn_new(mem_ctx, sam_ctx, info1.result_name);
1141         
1142         if (domain_dn) {
1143                 werr = DsCrackNameOneName(sam_ctx, mem_ctx, 0,
1144                                           DRSUAPI_DS_NAME_FORMAT_CANONICAL,
1145                                           DRSUAPI_DS_NAME_FORMAT_FQDN_1779, 
1146                                           talloc_asprintf(mem_ctx, "%s/", 
1147                                                           info1.dns_domain_name),
1148                                           &info1);
1149                 if (!W_ERROR_IS_OK(werr)) {
1150                         return werror_to_ntstatus(werr);
1151                 }
1152                 switch (info1.status) {
1153                 case DRSUAPI_DS_NAME_STATUS_OK:
1154                         break;
1155                 case DRSUAPI_DS_NAME_STATUS_NOT_FOUND:
1156                 case DRSUAPI_DS_NAME_STATUS_DOMAIN_ONLY:
1157                 case DRSUAPI_DS_NAME_STATUS_NOT_UNIQUE:
1158                         return NT_STATUS_NO_SUCH_USER;
1159                 case DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR:
1160                 default:
1161                         return NT_STATUS_UNSUCCESSFUL;
1162                 }
1163                 
1164                 *domain_dn = ldb_dn_new(mem_ctx, sam_ctx, info1.result_name);
1165         }
1166 
1167         return NT_STATUS_OK;
1168         
1169 }
1170 
1171 /* Given a Service Principal Name (such as host/foo.bar.com@BAR.COM),
1172  * return the user and domain DNs.  This is used in the KDC to then
1173  * return the Keys and evaluate policy */
1174 
1175 NTSTATUS crack_service_principal_name(struct ldb_context *sam_ctx, 
     /* [<][>][^][v][top][bottom][index][help] */
1176                                       TALLOC_CTX *mem_ctx, 
1177                                       const char *service_principal_name, 
1178                                       struct ldb_dn **user_dn,
1179                                       struct ldb_dn **domain_dn) 
1180 {
1181         WERROR werr;
1182         struct drsuapi_DsNameInfo1 info1;
1183         werr = DsCrackNameOneName(sam_ctx, mem_ctx, 0,
1184                                   DRSUAPI_DS_NAME_FORMAT_SERVICE_PRINCIPAL,
1185                                   DRSUAPI_DS_NAME_FORMAT_FQDN_1779, 
1186                                   service_principal_name,
1187                                   &info1);
1188         if (!W_ERROR_IS_OK(werr)) {
1189                 return werror_to_ntstatus(werr);
1190         }
1191         switch (info1.status) {
1192         case DRSUAPI_DS_NAME_STATUS_OK:
1193                 break;
1194         case DRSUAPI_DS_NAME_STATUS_NOT_FOUND:
1195         case DRSUAPI_DS_NAME_STATUS_DOMAIN_ONLY:
1196         case DRSUAPI_DS_NAME_STATUS_NOT_UNIQUE:
1197                 return NT_STATUS_NO_SUCH_USER;
1198         case DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR:
1199         default:
1200                 return NT_STATUS_UNSUCCESSFUL;
1201         }
1202         
1203         *user_dn = ldb_dn_new(mem_ctx, sam_ctx, info1.result_name);
1204         
1205         if (domain_dn) {
1206                 werr = DsCrackNameOneName(sam_ctx, mem_ctx, 0,
1207                                           DRSUAPI_DS_NAME_FORMAT_CANONICAL,
1208                                           DRSUAPI_DS_NAME_FORMAT_FQDN_1779, 
1209                                           talloc_asprintf(mem_ctx, "%s/", 
1210                                                           info1.dns_domain_name),
1211                                           &info1);
1212                 if (!W_ERROR_IS_OK(werr)) {
1213                         return werror_to_ntstatus(werr);
1214                 }
1215                 switch (info1.status) {
1216                 case DRSUAPI_DS_NAME_STATUS_OK:
1217                         break;
1218                 case DRSUAPI_DS_NAME_STATUS_NOT_FOUND:
1219                 case DRSUAPI_DS_NAME_STATUS_DOMAIN_ONLY:
1220                 case DRSUAPI_DS_NAME_STATUS_NOT_UNIQUE:
1221                         return NT_STATUS_NO_SUCH_USER;
1222                 case DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR:
1223                 default:
1224                         return NT_STATUS_UNSUCCESSFUL;
1225                 }
1226                 
1227                 *domain_dn = ldb_dn_new(mem_ctx, sam_ctx, info1.result_name);
1228         }
1229 
1230         return NT_STATUS_OK;
1231         
1232 }
1233 
1234 NTSTATUS crack_name_to_nt4_name(TALLOC_CTX *mem_ctx, 
     /* [<][>][^][v][top][bottom][index][help] */
1235                                 struct tevent_context *ev_ctx, 
1236                                 struct loadparm_context *lp_ctx,
1237                                 uint32_t format_offered,
1238                                 const char *name, 
1239                                 const char **nt4_domain, const char **nt4_account)
1240 {
1241         WERROR werr;
1242         struct drsuapi_DsNameInfo1 info1;
1243         struct ldb_context *ldb;
1244         char *p;
1245 
1246         /* Handle anonymous bind */
1247         if (!name || !*name) {
1248                 *nt4_domain = "";
1249                 *nt4_account = "";
1250                 return NT_STATUS_OK;
1251         }
1252 
1253         ldb = samdb_connect(mem_ctx, ev_ctx, lp_ctx, system_session(mem_ctx, lp_ctx));
1254         if (ldb == NULL) {
1255                 return NT_STATUS_INTERNAL_DB_CORRUPTION;
1256         }
1257 
1258         werr = DsCrackNameOneName(ldb, mem_ctx, 0,
1259                                   format_offered, 
1260                                   DRSUAPI_DS_NAME_FORMAT_NT4_ACCOUNT,
1261                                   name,
1262                                   &info1);
1263         if (!W_ERROR_IS_OK(werr)) {
1264                 return werror_to_ntstatus(werr);
1265         }
1266         switch (info1.status) {
1267         case DRSUAPI_DS_NAME_STATUS_OK:
1268                 break;
1269         case DRSUAPI_DS_NAME_STATUS_NOT_FOUND:
1270         case DRSUAPI_DS_NAME_STATUS_DOMAIN_ONLY:
1271         case DRSUAPI_DS_NAME_STATUS_NOT_UNIQUE:
1272                 return NT_STATUS_NO_SUCH_USER;
1273         case DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR:
1274         default:
1275                 return NT_STATUS_UNSUCCESSFUL;
1276         }
1277         
1278         *nt4_domain = talloc_strdup(mem_ctx, info1.result_name);
1279         
1280         p = strchr(*nt4_domain, '\\');
1281         if (!p) {
1282                 return NT_STATUS_INVALID_PARAMETER;
1283         }
1284         p[0] = '\0';
1285         
1286         if (p[1]) {
1287                 *nt4_account = talloc_strdup(mem_ctx, &p[1]);
1288         }
1289 
1290         if (!*nt4_account || !*nt4_domain) {
1291                 return NT_STATUS_NO_MEMORY;
1292         }
1293 
1294         return NT_STATUS_OK;
1295 }
1296 
1297 NTSTATUS crack_auto_name_to_nt4_name(TALLOC_CTX *mem_ctx,
     /* [<][>][^][v][top][bottom][index][help] */
1298                                      struct tevent_context *ev_ctx, 
1299                                      struct loadparm_context *lp_ctx,
1300                                      const char *name,
1301                                      const char **nt4_domain,
1302                                      const char **nt4_account)
1303 {
1304         uint32_t format_offered = DRSUAPI_DS_NAME_FORMAT_UNKNOWN;
1305 
1306         /* Handle anonymous bind */
1307         if (!name || !*name) {
1308                 *nt4_domain = "";
1309                 *nt4_account = "";
1310                 return NT_STATUS_OK;
1311         }
1312 
1313         if (strchr_m(name, '=')) {
1314                 format_offered = DRSUAPI_DS_NAME_FORMAT_FQDN_1779;
1315         } else if (strchr_m(name, '@')) {
1316                 format_offered = DRSUAPI_DS_NAME_FORMAT_USER_PRINCIPAL;
1317         } else if (strchr_m(name, '\\')) {
1318                 format_offered = DRSUAPI_DS_NAME_FORMAT_NT4_ACCOUNT;
1319         } else if (strchr_m(name, '/')) {
1320                 format_offered = DRSUAPI_DS_NAME_FORMAT_CANONICAL;
1321         } else {
1322                 return NT_STATUS_NO_SUCH_USER;
1323         }
1324 
1325         return crack_name_to_nt4_name(mem_ctx, ev_ctx, lp_ctx, format_offered, name, nt4_domain, nt4_account);
1326 }

/* [<][>][^][v][top][bottom][index][help] */