/// <summary> /// Returns true if the domain identified by sid is in a forest trusted by the caller's forest, /// as determined by the FOREST_TRUST_INFORMATION state of the caller's forest, false otherwise. /// </summary> /// <param name="dc"></param> /// <param name="sid">The SID of a domain.</param> /// <returns></returns> static bool IsDomainSidInTrustedForest(DsServer dc, NT4SID sid) { FOREST_TRUST_INFORMATION f; bool b; RootDSE rootDse = LdapUtility.GetRootDSE(dc); string[] tdos = LdapUtility.GetAttributeValuesString( dc, rootDse.rootDomainNamingContext, "distinguishedName", "(&(objectClass=trustedDomain)(msDS-TrustForestTrustInfo=*)(trustAttributes:1.2.840.113556.1.4.803:=0x8))", System.DirectoryServices.Protocols.SearchScope.Subtree); foreach (string o in tdos) { byte[] trustInfo = (byte[])LdapUtility.GetAttributeValue(dc, o, "msDS-TrustForestTrustInfo"); if (!TrustInfo.UnmarshalForestTrustInfo(trustInfo, out f)) { return(false); } foreach (Record e in f.Records) { if (e.RecordType == (byte)FOREST_TRUST_RECORD_TYPE.ForestTrustDomainInfo && (DrsrHelper.IsByteArrayEqual(sid.Data, ((RecordDomainInfo)e.ForestTrustData).Sid.Data)) && ((e.Flags & TrustInfo.LSA_FTRECORD_DISABLED_REASONS) == 0)) { b = true; foreach (Record g in f.Records) { if (g.RecordType == (byte)FOREST_TRUST_RECORD_TYPE.ForestTrustTopLevelNameEx && (g.Flags & TrustInfo.LSA_FTRECORD_DISABLED_REASONS) == 0 && ( ((RecordTopLevelName)g.ForestTrustData).TopLevelName == ((RecordDomainInfo)e.ForestTrustData).DnsName || TrustInfo.IsSubdomainOf( ((RecordDomainInfo)e.ForestTrustData).DnsName, ((RecordTopLevelName)g.ForestTrustData).TopLevelName) ) ) { b = false; break; } } if (b) { return(true); } } } } return(false); }
static bool IsDomainDnsNameInTrustedForest(DsServer dc, string name, ref string referredDomain) { FOREST_TRUST_INFORMATION f; RootDSE rootDse = LdapUtility.GetRootDSE(dc); string[] tdos = LdapUtility.GetAttributeValuesString( dc, rootDse.rootDomainNamingContext, "distinguishedName", "(&(objectClass=trustedDomain)(msDS-TrustForestTrustInfo=*)(trustAttributes:1.2.840.113556.1.4.803:=0x8))", System.DirectoryServices.Protocols.SearchScope.Subtree); if (tdos == null) { return(false); } foreach (string o in tdos) { byte[] trustInfo = (byte[])LdapUtility.GetAttributeValue(dc, o, "msDS-TrustForestTrustInfo"); if (!TrustInfo.UnmarshalForestTrustInfo(trustInfo, out f)) { return(false); } foreach (Record e in f.Records) { if (e.RecordType == (byte)FOREST_TRUST_RECORD_TYPE.ForestTrustDomainInfo) { RecordDomainInfo ee = (RecordDomainInfo)e.ForestTrustData; if (ee.DnsName == name && (e.Flags & (uint)TrustInfo.FOREST_TRUST_RECORD_FLAGS_DOMAIN_INFO.LSA_SID_DISABLED_ADMIN) == 0 && (e.Flags & (uint)TrustInfo.FOREST_TRUST_RECORD_FLAGS_DOMAIN_INFO.LSA_SID_DISABLED_CONFLICT) == 0 && ForestTrustOwnsName(f, ee.DnsName)) { referredDomain = (string)LdapUtility.GetAttributeValue(dc, o, "trustPartner"); return(true); } } } } return(false); }
public DS_NAME_RESULT_ITEMW LookupNames( DsServer dc, uint flags, uint formatOffered, uint formatDesired, string name) { DS_NAME_RESULT_ITEMW result = new DS_NAME_RESULT_ITEMW(); string referredDomain = ""; // Unknown name if (formatOffered == (uint)DS_NAME_FORMAT.DS_UNKNOWN_NAME) { return(LookupUnknownName(dc, flags, formatDesired, name)); } DSNAME[] rt = null; string domainName = null; switch (formatOffered) { case (uint)DS_NAME_FORMAT.DS_UNKNOWN_NAME: return(LookupUnknownName(dc, flags, formatDesired, name)); case (uint)DS_NAME_FORMAT.DS_FQDN_1779_NAME: { rt = LookupAttr(dc, flags, "distinguishedName", name); if (EnvironmentConfig.TestDS) { DSNAME?dcDsname = GetDsName(dc, RetrieveDCSuffixFromDn(name)); if (dcDsname != null) { domainName = DomainDNSNameFromDomain(dc, dcDsname.Value); } } } break; case (uint)DS_NAME_FORMAT.DS_NT4_ACCOUNT_NAME: { rt = LookupAttr(dc, flags, "sAMAccountName", LdapUtility.UserNameFromNT4AccountName(name)); if (EnvironmentConfig.TestDS) { domainName = LdapUtility.DomainNameFromNT4AccountName(name); } } break; case (uint)DS_NAME_FORMAT.DS_USER_PRINCIPAL_NAME: { rt = LookupUPNAndAltSecID(dc, flags, false, name); if (EnvironmentConfig.TestDS) { domainName = DomainNameFromUPN(name); } } break; case (uint)DS_NAME_FORMAT.DS_CANONICAL_NAME: { DSNAME?v = LookupCanonicalName(dc, name); if (v != null) { rt = new DSNAME[] { v.Value } } ; else { rt = null; } if (EnvironmentConfig.TestDS) { domainName = DomainNameFromCanonicalName(name); } } break; case (uint)DS_NAME_FORMAT.DS_UNIQUE_ID_NAME: { RootDSE rootDse = LdapUtility.GetRootDSE(dc); // The GUID is in the curly braced form, so we need // to remove the braces first. if (!name.Contains("{") && name.Contains("}")) { rt = null; break; } string guidStr = name.Substring(1, name.Length - 2); Guid guid = new Guid(guidStr); string dn = null; dn = LdapUtility.GetObjectDnByGuid(dc, rootDse.rootDomainNamingContext, guid); if (dn == null) { dn = LdapUtility.GetObjectDnByGuid(dc, rootDse.configurationNamingContext, guid); } if (dn == null) { dn = LdapUtility.GetObjectDnByGuid(dc, rootDse.schemaNamingContext, guid); } if (dn == null) { break; } rt = new DSNAME[] { LdapUtility.CreateDSNameForObject(dc, dn) }; } break; case (uint)DS_NAME_FORMAT.DS_DISPLAY_NAME: { rt = LookupAttr(dc, flags, "displayName", name); } break; case (uint)DS_NAME_FORMAT.DS_SERVICE_PRINCIPAL_NAME: { rt = LookupSPN(dc, flags, name); if (EnvironmentConfig.TestDS) { domainName = GetServiceNameFromSPN(name); } } break; case (uint)DS_NAME_FORMAT.DS_SID_OR_SID_HISTORY_NAME: case (uint)formatOffered_Values.DS_STRING_SID_NAME: { rt = LookupSID(dc, flags, SidFromStringSid(name)); if (EnvironmentConfig.TestDS) { domainName = DomainNameFromSid(dc, DomainSidFromSid(SidFromStringSid(name))); } } break; case (uint)DS_NAME_FORMAT.DS_CANONICAL_NAME_EX: { DSNAME?v = LookupCanonicalName(dc, CanonicalNameFromCanonicalNameEx(name)); if (v == null) { rt = null; } else { rt = new DSNAME[] { v.Value } }; if (EnvironmentConfig.TestDS) { domainName = DomainNameFromCanonicalName(name); } } break; case (uint)formatOffered_Values.DS_NT4_ACCOUNT_NAME_SANS_DOMAIN: case (uint)formatOffered_Values.DS_NT4_ACCOUNT_NAME_SANS_DOMAIN_EX: { rt = LookupAttr(dc, flags, "sAMAccountName", name); } break; case (uint)formatOffered_Values.DS_ALT_SECURITY_IDENTITIES_NAME: { rt = LookupAttr(dc, flags, "altSecurityIdentities", name); } break; case (uint)formatOffered_Values.DS_USER_PRINCIPAL_NAME_AND_ALTSECID: { rt = LookupUPNAndAltSecID(dc, flags, true, name); if (EnvironmentConfig.TestDS) { domainName = DomainNameFromUPN(name); } } break; default: rt = null; break; } if (rt == null && domainName != null) { result.status = DS_NAME_ERROR.DS_NAME_ERROR_DOMAIN_ONLY; if (formatOffered == (uint)DS_NAME_FORMAT.DS_NT4_ACCOUNT_NAME || formatOffered == (uint)DS_NAME_FORMAT.DS_USER_PRINCIPAL_NAME || formatOffered == (uint)DS_NAME_FORMAT.DS_SERVICE_PRINCIPAL_NAME || formatOffered == (uint)DS_NAME_FORMAT.DS_SID_OR_SID_HISTORY_NAME || formatOffered == (uint)formatOffered_Values.DS_STRING_SID_NAME || formatOffered == (uint)formatOffered_Values.DS_USER_PRINCIPAL_NAME_AND_ALTSECID) { if (TrustInfo.IsDomainNameInTrustedForest(dc, domainName, ref referredDomain)) { result.pDomain = referredDomain; if ((flags & (uint)DRS_MSG_CRACKREQ_FLAGS.DS_NAME_FLAG_TRUST_REFERRAL) > 0) { result.status = DS_NAME_ERROR.DS_NAME_ERROR_TRUST_REFERRAL; } else { result.status = DS_NAME_ERROR.DS_NAME_ERROR_DOMAIN_ONLY; } } } return(result); } if (rt == null) { result.status = DS_NAME_ERROR.DS_NAME_ERROR_NOT_FOUND; return(result); } if (rt.Length > 1) { result.status = DS_NAME_ERROR.DS_NAME_ERROR_NOT_UNIQUE; return(result); } DSNAME obj = rt[0]; if (formatOffered == (uint)formatOffered_Values.DS_NT4_ACCOUNT_NAME_SANS_DOMAIN_EX) { string uacStr = (string)GetAttributeValue( dc, LdapUtility.ConvertUshortArrayToString(obj.StringName), "userAccountControl"); uint uac = Convert.ToUInt32(uacStr); const uint ADS_UF_ACCOUNTDISABLE = 0x0002; const uint ADS_UF_TEMP_DUPLICATE_ACCOUNT = 0x0100; if ((uac & (ADS_UF_ACCOUNTDISABLE | ADS_UF_TEMP_DUPLICATE_ACCOUNT)) > 0) { result.status = DS_NAME_ERROR.DS_NAME_ERROR_NOT_FOUND; return(result); } } string[] names = ConstructOutput(dc, obj, formatDesired); if ((names == null) && (obj.SidLen != 0) && ((flags & (uint)DRS_MSG_CRACKREQ_FLAGS.DS_NAME_FLAG_PRIVATE_RESOLVE_FPOS) > 0)) { if (formatDesired == (uint)DS_NAME_FORMAT.DS_NT4_ACCOUNT_NAME || formatDesired == (uint)DS_NAME_FORMAT.DS_DISPLAY_NAME || formatDesired == (uint)DS_NAME_FORMAT.DS_CANONICAL_NAME || formatDesired == (uint)DS_NAME_FORMAT.DS_CANONICAL_NAME_EX || formatDesired == (uint)DS_NAME_FORMAT.DS_USER_PRINCIPAL_NAME || formatDesired == (uint)formatDesired_Values.DS_USER_PRINCIPAL_NAME_FOR_LOGON || formatDesired == (uint)DS_NAME_FORMAT.DS_SERVICE_PRINCIPAL_NAME) { bool fCanonicalEx = false; if (formatDesired == (uint)DS_NAME_FORMAT.DS_CANONICAL_NAME_EX) { fCanonicalEx = true; } result = LookupFPO(fCanonicalEx, obj, result); return(result); } } if (names == null) { if (formatDesired == (uint)DS_NAME_FORMAT.DS_SID_OR_SID_HISTORY_NAME || formatDesired == (uint)DS_NAME_FORMAT.DS_UNKNOWN_NAME) { result.status = DS_NAME_ERROR.DS_NAME_ERROR_RESOLVING; } else { result.status = DS_NAME_ERROR.DS_NAME_ERROR_NO_MAPPING; } return(result); } if (names.Length > 1) { result.status = DS_NAME_ERROR.DS_NAME_ERROR_NOT_UNIQUE; return(result); } result.pName = names[0]; if (EnvironmentConfig.TestDS) { string objDn = LdapUtility.ConvertUshortArrayToString(obj.StringName); DSNAME?dcDsname = GetDsName(dc, RetrieveDCSuffixFromDn(objDn)); string domainDn = ""; if (dcDsname != null) { domainDn = DomainDNSNameFromDomain(dc, dcDsname.Value); } result.pDomain = domainDn; } else { result.pDomain = ""; } result.status = DS_NAME_ERROR.DS_NAME_NO_ERROR; return(result); }