summaryrefslogtreecommitdiffstats
path: root/source3/libads
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-19 17:20:00 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-19 17:20:00 +0000
commit8daa83a594a2e98f39d764422bfbdbc62c9efd44 (patch)
tree4099e8021376c7d8c05bdf8503093d80e9c7bad0 /source3/libads
parentInitial commit. (diff)
downloadsamba-8daa83a594a2e98f39d764422bfbdbc62c9efd44.tar.xz
samba-8daa83a594a2e98f39d764422bfbdbc62c9efd44.zip
Adding upstream version 2:4.20.0+dfsg.upstream/2%4.20.0+dfsg
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
-rw-r--r--source3/libads/ads_ldap_protos.h142
-rw-r--r--source3/libads/ads_proto.h229
-rw-r--r--source3/libads/ads_status.c157
-rw-r--r--source3/libads/ads_status.h68
-rw-r--r--source3/libads/ads_struct.c239
-rw-r--r--source3/libads/authdata.c323
-rw-r--r--source3/libads/cldap.c453
-rw-r--r--source3/libads/cldap.h60
-rw-r--r--source3/libads/disp_sec.c254
-rw-r--r--source3/libads/kerberos.c908
-rw-r--r--source3/libads/kerberos_keytab.c1026
-rw-r--r--source3/libads/kerberos_proto.h104
-rw-r--r--source3/libads/kerberos_util.c80
-rw-r--r--source3/libads/krb5_setpw.c329
-rw-r--r--source3/libads/ldap.c4684
-rw-r--r--source3/libads/ldap_printer.c361
-rw-r--r--source3/libads/ldap_schema.c354
-rw-r--r--source3/libads/ldap_schema.h57
-rw-r--r--source3/libads/ldap_schema_oids.h49
-rw-r--r--source3/libads/ldap_user.c132
-rw-r--r--source3/libads/ldap_utils.c389
-rw-r--r--source3/libads/net_ads_setspn.c229
-rw-r--r--source3/libads/sasl.c855
-rw-r--r--source3/libads/sasl_wrapping.c351
-rw-r--r--source3/libads/sitename_cache.c132
-rw-r--r--source3/libads/sitename_cache.h28
-rw-r--r--source3/libads/util.c236
27 files changed, 12229 insertions, 0 deletions
diff --git a/source3/libads/ads_ldap_protos.h b/source3/libads/ads_ldap_protos.h
new file mode 100644
index 0000000..b063815
--- /dev/null
+++ b/source3/libads/ads_ldap_protos.h
@@ -0,0 +1,142 @@
+/*
+ Unix SMB/CIFS implementation.
+ ads (active directory) utility library
+ Copyright (C) Andrew Tridgell 2001
+ Copyright (C) Remus Koos 2001
+ Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002
+ Copyright (C) Guenther Deschner 2005
+ Copyright (C) Gerald Carter 2006
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#ifndef _LIBADS_ADS_LDAP_PROTOS_H_
+#define _LIBADS_ADS_LDAP_PROTOS_H_
+
+#ifdef HAVE_LDAP_INIT_FD
+int ldap_init_fd(ber_socket_t fd, int proto, char *uri, LDAP **ldp);
+#endif
+
+/*
+ * Prototypes for ads
+ */
+
+LDAP *ldap_open_with_timeout(const char *server,
+ struct sockaddr_storage *ss,
+ int port, unsigned int to);
+void ads_msgfree(ADS_STRUCT *ads, LDAPMessage *msg);
+char *ads_get_dn(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, LDAPMessage *msg);
+
+char *ads_pull_string(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, LDAPMessage *msg,
+ const char *field);
+char **ads_pull_strings(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx,
+ LDAPMessage *msg, const char *field,
+ size_t *num_values);
+char **ads_pull_strings_range(ADS_STRUCT *ads,
+ TALLOC_CTX *mem_ctx,
+ LDAPMessage *msg, const char *field,
+ char **current_strings,
+ const char **next_attribute,
+ size_t *num_strings,
+ bool *more_strings);
+bool ads_pull_uint32(ADS_STRUCT *ads, LDAPMessage *msg, const char *field,
+ uint32_t *v);
+bool ads_pull_guid(ADS_STRUCT *ads, LDAPMessage *msg, struct GUID *guid);
+bool ads_pull_sid(ADS_STRUCT *ads, LDAPMessage *msg, const char *field,
+ struct dom_sid *sid);
+int ads_pull_sids(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx,
+ LDAPMessage *msg, const char *field, struct dom_sid **sids);
+bool ads_pull_sd(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx,
+ LDAPMessage *msg, const char *field, struct security_descriptor **sd);
+char *ads_pull_username(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx,
+ LDAPMessage *msg);
+ADS_STATUS ads_find_machine_acct(ADS_STRUCT *ads, LDAPMessage **res,
+ const char *machine);
+ADS_STATUS ads_find_printer_on_server(ADS_STRUCT *ads, LDAPMessage **res,
+ const char *printer,
+ const char *servername);
+ADS_STATUS ads_find_printers(ADS_STRUCT *ads, LDAPMessage **res);
+ADS_STATUS ads_find_user_acct(ADS_STRUCT *ads, LDAPMessage **res,
+ const char *user);
+
+ADS_STATUS ads_do_search(ADS_STRUCT *ads, const char *bind_path, int scope,
+ const char *expr,
+ const char **attrs, LDAPMessage **res);
+ADS_STATUS ads_search(ADS_STRUCT *ads, LDAPMessage **res,
+ const char *expr, const char **attrs);
+ADS_STATUS ads_search_dn(ADS_STRUCT *ads, LDAPMessage **res,
+ const char *dn, const char **attrs);
+ADS_STATUS ads_do_search_all_args(ADS_STRUCT *ads, const char *bind_path,
+ int scope, const char *expr,
+ const char **attrs, void *args,
+ LDAPMessage **res);
+ADS_STATUS ads_do_search_all(ADS_STRUCT *ads, const char *bind_path,
+ int scope, const char *expr,
+ const char **attrs, LDAPMessage **res);
+ADS_STATUS ads_do_search_retry(ADS_STRUCT *ads, const char *bind_path,
+ int scope,
+ const char *expr,
+ const char **attrs, LDAPMessage **res);
+ADS_STATUS ads_search_retry(ADS_STRUCT *ads, LDAPMessage **res,
+ const char *expr, const char **attrs);
+ADS_STATUS ads_search_retry_dn(ADS_STRUCT *ads, LDAPMessage **res,
+ const char *dn,
+ const char **attrs);
+ADS_STATUS ads_search_retry_extended_dn_ranged(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx,
+ const char *dn,
+ const char **attrs,
+ enum ads_extended_dn_flags flags,
+ char ***strings,
+ size_t *num_strings);
+ADS_STATUS ads_search_retry_sid(ADS_STRUCT *ads, LDAPMessage **res,
+ const struct dom_sid *sid,
+ const char **attrs);
+
+
+LDAPMessage *ads_first_entry(ADS_STRUCT *ads, LDAPMessage *res);
+LDAPMessage *ads_next_entry(ADS_STRUCT *ads, LDAPMessage *res);
+LDAPMessage *ads_first_message(ADS_STRUCT *ads, LDAPMessage *res);
+LDAPMessage *ads_next_message(ADS_STRUCT *ads, LDAPMessage *res);
+void ads_process_results(ADS_STRUCT *ads, LDAPMessage *res,
+ bool (*fn)(ADS_STRUCT *,char *, void **, void *),
+ void *data_area);
+void ads_dump(ADS_STRUCT *ads, LDAPMessage *res);
+
+struct GROUP_POLICY_OBJECT;
+ADS_STATUS ads_parse_gpo(ADS_STRUCT *ads,
+ TALLOC_CTX *mem_ctx,
+ LDAPMessage *res,
+ const char *gpo_dn,
+ struct GROUP_POLICY_OBJECT *gpo);
+ADS_STATUS ads_search_retry_dn_sd_flags(ADS_STRUCT *ads, LDAPMessage **res,
+ uint32_t sd_flags,
+ const char *dn,
+ const char **attrs);
+ADS_STATUS ads_do_search_all_sd_flags(ADS_STRUCT *ads, const char *bind_path,
+ int scope, const char *expr,
+ const char **attrs, uint32_t sd_flags,
+ LDAPMessage **res);
+ADS_STATUS ads_get_tokensids(ADS_STRUCT *ads,
+ TALLOC_CTX *mem_ctx,
+ const char *dn,
+ struct dom_sid *user_sid,
+ struct dom_sid *primary_group_sid,
+ struct dom_sid **sids,
+ size_t *num_sids);
+ADS_STATUS ads_get_joinable_ous(ADS_STRUCT *ads,
+ TALLOC_CTX *mem_ctx,
+ char ***ous,
+ size_t *num_ous);
+
+#endif /* _LIBADS_ADS_LDAP_PROTOS_H_ */
diff --git a/source3/libads/ads_proto.h b/source3/libads/ads_proto.h
new file mode 100644
index 0000000..ceefcd6
--- /dev/null
+++ b/source3/libads/ads_proto.h
@@ -0,0 +1,229 @@
+/*
+ * Unix SMB/CIFS implementation.
+ * ads (active directory) utility library
+ *
+ * Copyright (C) Andrew Bartlett 2001
+ * Copyright (C) Andrew Tridgell 2001
+ * Copyright (C) Remus Koos (remuskoos@yahoo.com) 2001
+ * Copyright (C) Alexey Kotovich 2002
+ * Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002-2003
+ * Copyright (C) Luke Howard 2003
+ * Copyright (C) Guenther Deschner 2003-2008
+ * Copyright (C) Rakesh Patel 2004
+ * Copyright (C) Dan Perry 2004
+ * Copyright (C) Jeremy Allison 2004
+ * Copyright (C) Gerald Carter 2006
+ * Copyright (C) Stefan Metzmacher 2007
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef _LIBADS_ADS_PROTO_H_
+#define _LIBADS_ADS_PROTO_H_
+
+enum ads_sasl_state_e {
+ ADS_SASL_PLAIN = 0,
+ ADS_SASL_SIGN,
+ ADS_SASL_SEAL,
+};
+
+/* The following definitions come from libads/ads_struct.c */
+
+ADS_STATUS ads_build_path(const char *realm,
+ const char *sep,
+ const char *field,
+ int reverse,
+ char **_path);
+ADS_STATUS ads_build_dn(const char *realm, TALLOC_CTX *mem_ctx, char **_dn);
+char *ads_build_domain(const char *dn);
+ADS_STRUCT *ads_init(TALLOC_CTX *mem_ctx,
+ const char *realm,
+ const char *workgroup,
+ const char *ldap_server,
+ enum ads_sasl_state_e sasl_state);
+bool ads_set_sasl_wrap_flags(ADS_STRUCT *ads, unsigned flags);
+
+/* The following definitions come from libads/disp_sec.c */
+
+void ads_disp_sd(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct security_descriptor *sd);
+
+/* The following definitions come from libads/kerberos_keytab.c */
+
+int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc,
+ bool update_ads);
+int ads_keytab_delete_entry(ADS_STRUCT *ads, const char *srvPrinc);
+int ads_keytab_flush(ADS_STRUCT *ads);
+int ads_keytab_create_default(ADS_STRUCT *ads);
+int ads_keytab_list(const char *keytab_name);
+
+/* The following definitions come from libads/net_ads_setspn.c */
+bool ads_setspn_list(ADS_STRUCT *ads, const char *machine);
+bool ads_setspn_add(ADS_STRUCT *ads, const char *machine_name,
+ const char * spn);
+bool ads_setspn_delete(ADS_STRUCT *ads, const char *machine_name,
+ const char * spn);
+
+/* The following definitions come from libads/krb5_errs.c */
+
+/* The following definitions come from libads/kerberos_util.c */
+
+int ads_kinit_password(ADS_STRUCT *ads);
+
+/* The following definitions come from libads/ldap.c */
+
+bool ads_sitename_match(ADS_STRUCT *ads);
+bool ads_closest_dc(ADS_STRUCT *ads);
+ADS_STATUS ads_connect(ADS_STRUCT *ads);
+ADS_STATUS ads_connect_user_creds(ADS_STRUCT *ads);
+void ads_zero_ldap(ADS_STRUCT *ads);
+void ads_disconnect(ADS_STRUCT *ads);
+ADS_STATUS ads_do_search_all_fn(ADS_STRUCT *ads, const char *bind_path,
+ int scope, const char *expr, const char **attrs,
+ bool (*fn)(ADS_STRUCT *, char *, void **, void *),
+ void *data_area);
+char *ads_parent_dn(const char *dn);
+ADS_MODLIST ads_init_mods(TALLOC_CTX *ctx);
+ADS_STATUS ads_mod_str(TALLOC_CTX *ctx, ADS_MODLIST *mods,
+ const char *name, const char *val);
+ADS_STATUS ads_mod_strlist(TALLOC_CTX *ctx, ADS_MODLIST *mods,
+ const char *name, const char **vals);
+ADS_STATUS ads_gen_mod(ADS_STRUCT *ads, const char *mod_dn, ADS_MODLIST mods);
+ADS_STATUS ads_gen_add(ADS_STRUCT *ads, const char *new_dn, ADS_MODLIST mods);
+ADS_STATUS ads_del_dn(ADS_STRUCT *ads, char *del_dn);
+char *ads_ou_string(ADS_STRUCT *ads, const char *org_unit);
+char *ads_default_ou_string(ADS_STRUCT *ads, const char *wknguid);
+ADS_STATUS ads_add_strlist(TALLOC_CTX *ctx, ADS_MODLIST *mods,
+ const char *name, const char **vals);
+uint32_t ads_get_kvno(ADS_STRUCT *ads, const char *account_name);
+uint32_t ads_get_machine_kvno(ADS_STRUCT *ads, const char *machine_name);
+
+bool ads_element_in_array(const char **el_array, size_t num_el, const char *el);
+
+ADS_STATUS ads_get_service_principal_names(TALLOC_CTX *mem_ctx,
+ ADS_STRUCT *ads,
+ const char *machine_name,
+ char ***spn_array,
+ size_t *num_spns);
+ADS_STATUS ads_clear_service_principal_names(ADS_STRUCT *ads, const char *machine_name);
+ADS_STATUS ads_add_service_principal_names(ADS_STRUCT *ads, const char *machine_name,
+ const char **spns);
+ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads,
+ const char *machine_name,
+ const char *machine_password,
+ const char *org_unit,
+ uint32_t etype_list,
+ const char *dns_domain_name);
+ADS_STATUS ads_move_machine_acct(ADS_STRUCT *ads, const char *machine_name,
+ const char *org_unit, bool *moved);
+int ads_count_replies(ADS_STRUCT *ads, void *res);
+ADS_STATUS ads_USN(ADS_STRUCT *ads, uint32_t *usn);
+ADS_STATUS ads_current_time(ADS_STRUCT *ads);
+ADS_STATUS ads_domain_func_level(ADS_STRUCT *ads, uint32_t *val);
+ADS_STATUS ads_domain_sid(ADS_STRUCT *ads, struct dom_sid *sid);
+ADS_STATUS ads_site_dn(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, const char **site_name);
+ADS_STATUS ads_site_dn_for_machine(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, const char *computer_name, const char **site_dn);
+ADS_STATUS ads_upn_suffixes(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, char ***suffixes, size_t *num_suffixes);
+ADS_STATUS ads_get_joinable_ous(ADS_STRUCT *ads,
+ TALLOC_CTX *mem_ctx,
+ char ***ous,
+ size_t *num_ous);
+ADS_STATUS ads_get_sid_from_extended_dn(TALLOC_CTX *mem_ctx,
+ const char *extended_dn,
+ enum ads_extended_dn_flags flags,
+ struct dom_sid *sid);
+char* ads_get_dnshostname( ADS_STRUCT *ads, TALLOC_CTX *ctx, const char *machine_name );
+ADS_STATUS ads_get_additional_dns_hostnames(TALLOC_CTX *mem_ctx,
+ ADS_STRUCT *ads,
+ const char *machine_name,
+ char ***hostnames_array,
+ size_t *num_hostnames);
+char* ads_get_upn( ADS_STRUCT *ads, TALLOC_CTX *ctx, const char *machine_name );
+bool ads_has_samaccountname( ADS_STRUCT *ads, TALLOC_CTX *ctx, const char *machine_name );
+ADS_STATUS ads_join_realm(ADS_STRUCT *ads, const char *machine_name,
+ uint32_t account_type, const char *org_unit);
+ADS_STATUS ads_leave_realm(ADS_STRUCT *ads, const char *hostname);
+ADS_STATUS ads_find_samaccount(ADS_STRUCT *ads,
+ TALLOC_CTX *mem_ctx,
+ const char *samaccountname,
+ uint32_t *uac_ret,
+ const char **dn_ret);
+ADS_STATUS ads_config_path(ADS_STRUCT *ads,
+ TALLOC_CTX *mem_ctx,
+ char **config_path);
+const char *ads_get_extended_right_name_by_guid(ADS_STRUCT *ads,
+ const char *config_path,
+ TALLOC_CTX *mem_ctx,
+ const struct GUID *rights_guid);
+ADS_STATUS ads_check_ou_dn(TALLOC_CTX *mem_ctx,
+ ADS_STRUCT *ads,
+ const char **account_ou);
+
+/* The following definitions come from libads/ldap_printer.c */
+
+ADS_STATUS ads_mod_printer_entry(ADS_STRUCT *ads, char *prt_dn,
+ TALLOC_CTX *ctx, const ADS_MODLIST *mods);
+ADS_STATUS ads_add_printer_entry(ADS_STRUCT *ads, char *prt_dn,
+ TALLOC_CTX *ctx, ADS_MODLIST *mods);
+WERROR get_remote_printer_publishing_data(struct rpc_pipe_client *cli,
+ TALLOC_CTX *mem_ctx,
+ ADS_MODLIST *mods,
+ const char *printer);
+
+/* The following definitions come from libads/ldap_user.c */
+
+ADS_STATUS ads_add_user_acct(ADS_STRUCT *ads, const char *user,
+ const char *container, const char *fullname);
+ADS_STATUS ads_add_group_acct(ADS_STRUCT *ads, const char *group,
+ const char *container, const char *comment);
+
+/* The following definitions come from libads/ldap_utils.c */
+
+ADS_STATUS ads_ranged_search(ADS_STRUCT *ads,
+ TALLOC_CTX *mem_ctx,
+ int scope,
+ const char *base,
+ const char *filter,
+ void *args,
+ const char *range_attr,
+ char ***strings,
+ size_t *num_strings);
+
+/* The following definitions come from libads/sasl.c */
+
+ADS_STATUS ads_sasl_bind(ADS_STRUCT *ads);
+
+/* The following definitions come from libads/sasl_wrapping.c */
+
+ADS_STATUS ads_setup_sasl_wrapping(struct ads_saslwrap *wrap, LDAP *ld,
+ const struct ads_saslwrap_ops *ops,
+ void *private_data);
+void ndr_print_ads_saslwrap_struct(struct ndr_print *ndr,
+ const char *name,
+ const struct ads_saslwrap *r);
+
+/* The following definitions come from libads/util.c */
+
+ADS_STATUS ads_change_trust_account_password(ADS_STRUCT *ads, char *host_principal);
+
+struct spn_struct {
+ const char *serviceclass;
+ const char *servicename;
+ const char *host;
+ int32_t port;
+};
+
+/* parse a windows style SPN, returns NULL if parsing fails */
+struct spn_struct *parse_spn(TALLOC_CTX *ctx, const char *srvprinc);
+
+#endif /* _LIBADS_ADS_PROTO_H_ */
diff --git a/source3/libads/ads_status.c b/source3/libads/ads_status.c
new file mode 100644
index 0000000..7056994
--- /dev/null
+++ b/source3/libads/ads_status.c
@@ -0,0 +1,157 @@
+/*
+ Unix SMB/CIFS implementation.
+ ads (active directory) utility library
+ Copyright (C) Andrew Tridgell 2001
+ Copyright (C) Remus Koos 2001
+ Copyright (C) Andrew Bartlett 2001
+
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "smb_krb5.h"
+#include "system/gssapi.h"
+#include "smb_ldap.h"
+#include "libads/ads_status.h"
+
+/*
+ build a ADS_STATUS structure
+*/
+ADS_STATUS ads_build_error(enum ads_error_type etype,
+ int rc, int minor_status)
+{
+ ADS_STATUS ret;
+
+ if (etype == ENUM_ADS_ERROR_NT) {
+ DEBUG(0,("don't use ads_build_error with ENUM_ADS_ERROR_NT!\n"));
+ ret.err.rc = -1;
+ ret.error_type = ENUM_ADS_ERROR_SYSTEM;
+ ret.minor_status = 0;
+ return ret;
+ }
+
+ ret.err.rc = rc;
+ ret.error_type = etype;
+ ret.minor_status = minor_status;
+ return ret;
+}
+
+ADS_STATUS ads_build_nt_error(enum ads_error_type etype,
+ NTSTATUS nt_status)
+{
+ ADS_STATUS ret;
+
+ if (etype != ENUM_ADS_ERROR_NT) {
+ DEBUG(0,("don't use ads_build_nt_error without ENUM_ADS_ERROR_NT!\n"));
+ ret.err.rc = -1;
+ ret.error_type = ENUM_ADS_ERROR_SYSTEM;
+ ret.minor_status = 0;
+ return ret;
+ }
+ ret.err.nt_status = nt_status;
+ ret.error_type = etype;
+ ret.minor_status = 0;
+ return ret;
+}
+
+/*
+ do a rough conversion between ads error codes and NT status codes
+ we'll need to fill this in more
+*/
+NTSTATUS ads_ntstatus(ADS_STATUS status)
+{
+ switch (status.error_type) {
+ case ENUM_ADS_ERROR_NT:
+ return status.err.nt_status;
+ case ENUM_ADS_ERROR_SYSTEM:
+ return map_nt_error_from_unix(status.err.rc);
+#ifdef HAVE_LDAP
+ case ENUM_ADS_ERROR_LDAP:
+ if (status.err.rc == LDAP_SUCCESS) {
+ return NT_STATUS_OK;
+ }
+ if (status.err.rc == LDAP_TIMELIMIT_EXCEEDED) {
+ return NT_STATUS_IO_TIMEOUT;
+ }
+ return NT_STATUS_LDAP(status.err.rc);
+#endif
+#ifdef HAVE_KRB5
+ case ENUM_ADS_ERROR_KRB5:
+ return krb5_to_nt_status(status.err.rc);
+#endif
+ default:
+ break;
+ }
+
+ if (ADS_ERR_OK(status)) {
+ return NT_STATUS_OK;
+ }
+ return NT_STATUS_UNSUCCESSFUL;
+}
+
+/*
+ return a string for an error from a ads routine
+*/
+const char *ads_errstr(ADS_STATUS status)
+{
+ switch (status.error_type) {
+ case ENUM_ADS_ERROR_SYSTEM:
+ return strerror(status.err.rc);
+#ifdef HAVE_LDAP
+ case ENUM_ADS_ERROR_LDAP:
+ return ldap_err2string(status.err.rc);
+#endif
+#ifdef HAVE_KRB5
+ case ENUM_ADS_ERROR_KRB5:
+ return error_message(status.err.rc);
+ case ENUM_ADS_ERROR_GSS:
+ {
+ char *ret;
+ uint32_t msg_ctx;
+ uint32_t minor;
+ gss_buffer_desc msg1, msg2;
+
+ msg_ctx = 0;
+
+ msg1.value = NULL;
+ msg2.value = NULL;
+ gss_display_status(&minor, status.err.rc, GSS_C_GSS_CODE,
+ GSS_C_NULL_OID, &msg_ctx, &msg1);
+ gss_display_status(&minor, status.minor_status, GSS_C_MECH_CODE,
+ GSS_C_NULL_OID, &msg_ctx, &msg2);
+ ret = talloc_asprintf(talloc_tos(), "%s : %s",
+ (char *)msg1.value, (char *)msg2.value);
+ SMB_ASSERT(ret != NULL);
+ gss_release_buffer(&minor, &msg1);
+ gss_release_buffer(&minor, &msg2);
+ return ret;
+ }
+#endif
+ case ENUM_ADS_ERROR_NT:
+ return get_friendly_nt_error_msg(ads_ntstatus(status));
+ default:
+ return "Unknown ADS error type!? (not compiled in?)";
+ }
+}
+
+#ifdef HAVE_KRB5
+NTSTATUS gss_err_to_ntstatus(uint32_t maj, uint32_t min)
+{
+ ADS_STATUS adss = ADS_ERROR_GSS(maj, min);
+ DEBUG(10,("gss_err_to_ntstatus: Error %s\n",
+ ads_errstr(adss) ));
+ return ads_ntstatus(adss);
+}
+#endif
diff --git a/source3/libads/ads_status.h b/source3/libads/ads_status.h
new file mode 100644
index 0000000..2ff4ef0
--- /dev/null
+++ b/source3/libads/ads_status.h
@@ -0,0 +1,68 @@
+/*
+ Unix SMB/CIFS implementation.
+ ads (active directory) utility library
+ Copyright (C) Andrew Tridgell 2001
+ Copyright (C) Remus Koos 2001
+ Copyright (C) Andrew Bartlett 2001
+
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#ifndef _LIBADS_ADS_STATUS_H_
+#define _LIBADS_ADS_STATUS_H_
+
+/* there are 5 possible types of errors the ads subsystem can produce */
+enum ads_error_type {ENUM_ADS_ERROR_KRB5, ENUM_ADS_ERROR_GSS,
+ ENUM_ADS_ERROR_LDAP, ENUM_ADS_ERROR_SYSTEM, ENUM_ADS_ERROR_NT};
+
+typedef struct {
+ enum ads_error_type error_type;
+ union err_state{
+ int rc;
+ NTSTATUS nt_status;
+ } err;
+ /* For error_type = ENUM_ADS_ERROR_GSS minor_status describe GSS API error */
+ /* Where rc represents major_status of GSS API error */
+ int minor_status;
+} ADS_STATUS;
+
+/* macros to simplify error returning */
+#define ADS_ERROR(rc) ADS_ERROR_LDAP(rc)
+#define ADS_ERROR_LDAP(rc) ads_build_error(ENUM_ADS_ERROR_LDAP, rc, 0)
+#define ADS_ERROR_SYSTEM(rc) ads_build_error(ENUM_ADS_ERROR_SYSTEM, rc?rc:EINVAL, 0)
+#define ADS_ERROR_KRB5(rc) ads_build_error(ENUM_ADS_ERROR_KRB5, rc, 0)
+#define ADS_ERROR_GSS(rc, minor) ads_build_error(ENUM_ADS_ERROR_GSS, rc, minor)
+#define ADS_ERROR_NT(rc) ads_build_nt_error(ENUM_ADS_ERROR_NT,rc)
+
+#define ADS_ERR_OK(status) ((status.error_type == ENUM_ADS_ERROR_NT) ? NT_STATUS_IS_OK(status.err.nt_status):(status.err.rc == 0))
+#define ADS_SUCCESS ADS_ERROR(0)
+
+#define ADS_ERROR_HAVE_NO_MEMORY(x) do { \
+ if (!(x)) {\
+ return ADS_ERROR(LDAP_NO_MEMORY);\
+ }\
+} while (0)
+
+/* The following definitions come from libads/ads_status.c */
+
+ADS_STATUS ads_build_error(enum ads_error_type etype,
+ int rc, int minor_status);
+ADS_STATUS ads_build_nt_error(enum ads_error_type etype,
+ NTSTATUS nt_status);
+NTSTATUS ads_ntstatus(ADS_STATUS status);
+const char *ads_errstr(ADS_STATUS status);
+NTSTATUS gss_err_to_ntstatus(uint32_t maj, uint32_t min);
+
+#endif /* _LIBADS_ADS_STATUS_H_ */
diff --git a/source3/libads/ads_struct.c b/source3/libads/ads_struct.c
new file mode 100644
index 0000000..97f84d1
--- /dev/null
+++ b/source3/libads/ads_struct.c
@@ -0,0 +1,239 @@
+/*
+ Unix SMB/CIFS implementation.
+ ads (active directory) utility library
+ Copyright (C) Andrew Tridgell 2001
+ Copyright (C) Andrew Bartlett 2001
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "ads.h"
+
+/* return a ldap dn path from a string, given separators and field name
+ caller must free
+*/
+ADS_STATUS ads_build_path(const char *realm,
+ const char *sep,
+ const char *field,
+ int reverse,
+ char **_path)
+{
+ char *p, *r;
+ int numbits = 0;
+ char *ret;
+ int len;
+ char *saveptr;
+
+ *_path = NULL;
+
+ r = SMB_STRDUP(realm);
+ if (r == NULL) {
+ return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
+ }
+
+ for (p=r; *p; p++) {
+ if (strchr(sep, *p)) {
+ numbits++;
+ }
+ }
+
+ len = (numbits+1)*(strlen(field)+1) + strlen(r) + 1;
+
+ ret = (char *)SMB_MALLOC(len);
+ if (!ret) {
+ free(r);
+ return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
+ }
+
+ if (strlcpy(ret,field, len) >= len) {
+ /* Truncate ! */
+ free(r);
+ free(ret);
+ return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
+ }
+ p=strtok_r(r, sep, &saveptr);
+ if (p) {
+ if (strlcat(ret, p, len) >= len) {
+ free(r);
+ free(ret);
+ return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
+ }
+
+ while ((p=strtok_r(NULL, sep, &saveptr)) != NULL) {
+ int retval;
+ char *s = NULL;
+ if (reverse)
+ retval = asprintf(&s, "%s%s,%s", field, p, ret);
+ else
+ retval = asprintf(&s, "%s,%s%s", ret, field, p);
+ free(ret);
+ if (retval == -1) {
+ free(r);
+ return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
+ }
+ ret = SMB_STRDUP(s);
+ free(s);
+ }
+ }
+
+ free(r);
+
+ *_path = ret;
+
+ return ADS_ERROR_NT(NT_STATUS_OK);
+}
+
+/* return a dn of the form "dc=AA,dc=BB,dc=CC" from a
+ realm of the form AA.BB.CC
+ caller must free
+*/
+ADS_STATUS ads_build_dn(const char *realm, TALLOC_CTX *mem_ctx, char **_dn)
+{
+ ADS_STATUS status;
+ char *dn = NULL;
+
+ status = ads_build_path(realm, ".", "dc=", 0, &dn);
+ if (!ADS_ERR_OK(status)) {
+ SAFE_FREE(dn);
+ return status;
+ }
+
+ *_dn = talloc_strdup(mem_ctx, dn);
+ SAFE_FREE(dn);
+ if (*_dn == NULL) {
+ return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
+ }
+
+ return ADS_ERROR_NT(NT_STATUS_OK);
+}
+
+/* return a DNS name in the for aa.bb.cc from the DN
+ "dc=AA,dc=BB,dc=CC". caller must free
+*/
+char *ads_build_domain(const char *dn)
+{
+ char *dnsdomain = NULL;
+
+ /* result should always be shorter than the DN */
+
+ if ( (dnsdomain = SMB_STRDUP( dn )) == NULL ) {
+ DEBUG(0,("ads_build_domain: malloc() failed!\n"));
+ return NULL;
+ }
+
+ if (!strlower_m( dnsdomain )) {
+ SAFE_FREE(dnsdomain);
+ return NULL;
+ }
+
+ all_string_sub( dnsdomain, "dc=", "", 0);
+ all_string_sub( dnsdomain, ",", ".", 0 );
+
+ return dnsdomain;
+}
+
+static int ads_destructor(ADS_STRUCT *ads)
+{
+#ifdef HAVE_LDAP
+ ads_disconnect(ads);
+#endif
+ return 0;
+}
+
+/*
+ initialise a ADS_STRUCT, ready for some ads_ ops
+*/
+ADS_STRUCT *ads_init(TALLOC_CTX *mem_ctx,
+ const char *realm,
+ const char *workgroup,
+ const char *ldap_server,
+ enum ads_sasl_state_e sasl_state)
+{
+ ADS_STRUCT *ads = NULL;
+ int wrap_flags;
+
+ ads = talloc_zero(mem_ctx, ADS_STRUCT);
+ if (ads == NULL) {
+ return NULL;
+ }
+ talloc_set_destructor(ads, ads_destructor);
+
+#ifdef HAVE_LDAP
+ ads_zero_ldap(ads);
+#endif
+
+ ads->server.realm = talloc_strdup(ads, realm);
+ if (realm != NULL && ads->server.realm == NULL) {
+ DBG_WARNING("Out of memory\n");
+ TALLOC_FREE(ads);
+ return NULL;
+ }
+
+ ads->server.workgroup = talloc_strdup(ads, workgroup);
+ if (workgroup != NULL && ads->server.workgroup == NULL) {
+ DBG_WARNING("Out of memory\n");
+ TALLOC_FREE(ads);
+ return NULL;
+ }
+
+ ads->server.ldap_server = talloc_strdup(ads, ldap_server);
+ if (ldap_server != NULL && ads->server.ldap_server == NULL) {
+ DBG_WARNING("Out of memory\n");
+ TALLOC_FREE(ads);
+ return NULL;
+ }
+
+ wrap_flags = lp_client_ldap_sasl_wrapping();
+ if (wrap_flags == -1) {
+ wrap_flags = 0;
+ }
+
+ switch (sasl_state) {
+ case ADS_SASL_PLAIN:
+ break;
+ case ADS_SASL_SIGN:
+ wrap_flags |= ADS_AUTH_SASL_SIGN;
+ break;
+ case ADS_SASL_SEAL:
+ wrap_flags |= ADS_AUTH_SASL_SEAL;
+ break;
+ }
+
+ ads->auth.flags = wrap_flags;
+
+ /* Start with the configured page size when the connection is new,
+ * we will drop it by half we get a timeout. */
+ ads->config.ldap_page_size = lp_ldap_page_size();
+
+ return ads;
+}
+
+/****************************************************************
+****************************************************************/
+
+bool ads_set_sasl_wrap_flags(ADS_STRUCT *ads, unsigned flags)
+{
+ unsigned other_flags;
+
+ if (!ads) {
+ return false;
+ }
+
+ other_flags = ads->auth.flags & ~(ADS_AUTH_SASL_SIGN|ADS_AUTH_SASL_SEAL);
+
+ ads->auth.flags = flags | other_flags;
+
+ return true;
+}
diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
new file mode 100644
index 0000000..10adc3e
--- /dev/null
+++ b/source3/libads/authdata.c
@@ -0,0 +1,323 @@
+/*
+ Unix SMB/CIFS implementation.
+ kerberos authorization data (PAC) utility library
+ Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003
+ Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
+ Copyright (C) Andrew Tridgell 2001
+ Copyright (C) Luke Howard 2002-2003
+ Copyright (C) Stefan Metzmacher 2004-2005
+ Copyright (C) Guenther Deschner 2005,2007,2008
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "librpc/gen_ndr/ndr_krb5pac.h"
+#include "smb_krb5.h"
+#include "libads/kerberos_proto.h"
+#include "auth/common_auth.h"
+#include "lib/param/param.h"
+#include "librpc/crypto/gse.h"
+#include "auth/gensec/gensec.h"
+#include "auth/gensec/gensec_internal.h" /* TODO: remove this */
+#include "../libcli/auth/spnego.h"
+#include "lib/util/asn1.h"
+
+#ifdef HAVE_KRB5
+
+#include "auth/kerberos/pac_utils.h"
+
+struct smb_krb5_context;
+
+/*
+ generate a krb5 GSS-API wrapper packet given a ticket
+*/
+static DATA_BLOB spnego_gen_krb5_wrap(
+ TALLOC_CTX *ctx, const DATA_BLOB ticket, const uint8_t tok_id[2])
+{
+ ASN1_DATA *data;
+ DATA_BLOB ret = data_blob_null;
+
+ data = asn1_init(talloc_tos(), ASN1_MAX_TREE_DEPTH);
+ if (data == NULL) {
+ return data_blob_null;
+ }
+
+ if (!asn1_push_tag(data, ASN1_APPLICATION(0))) goto err;
+ if (!asn1_write_OID(data, OID_KERBEROS5)) goto err;
+
+ if (!asn1_write(data, tok_id, 2)) goto err;
+ if (!asn1_write(data, ticket.data, ticket.length)) goto err;
+ if (!asn1_pop_tag(data)) goto err;
+
+ if (!asn1_extract_blob(data, ctx, &ret)) {
+ goto err;
+ }
+
+ asn1_free(data);
+ data = NULL;
+
+ err:
+
+ if (data != NULL) {
+ if (asn1_has_error(data)) {
+ DEBUG(1, ("Failed to build krb5 wrapper at offset %d\n",
+ (int)asn1_current_ofs(data)));
+ }
+
+ asn1_free(data);
+ }
+
+ return ret;
+}
+
+/*
+ * Given the username/password, do a kinit, store the ticket in
+ * cache_name if specified, and return the PAC_LOGON_INFO (the
+ * structure containing the important user information such as
+ * groups).
+ */
+NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
+ const char *name,
+ const char *pass,
+ time_t time_offset,
+ time_t *expire_time,
+ time_t *renew_till_time,
+ const char *cache_name,
+ bool request_pac,
+ bool add_netbios_addr,
+ time_t renewable_time,
+ const char *impersonate_princ_s,
+ const char *local_service,
+ char **_canon_principal,
+ char **_canon_realm,
+ struct PAC_DATA_CTR **_pac_data_ctr)
+{
+ krb5_error_code ret;
+ NTSTATUS status = NT_STATUS_INVALID_PARAMETER;
+ DATA_BLOB tkt = data_blob_null;
+ DATA_BLOB tkt_wrapped = data_blob_null;
+ DATA_BLOB ap_rep = data_blob_null;
+ DATA_BLOB sesskey1 = data_blob_null;
+ const char *auth_princ = NULL;
+ const char *cc = "MEMORY:kerberos_return_pac";
+ struct auth_session_info *session_info;
+ struct gensec_security *gensec_server_context;
+ const struct gensec_security_ops **backends;
+ struct gensec_settings *gensec_settings;
+ size_t idx = 0;
+ struct auth4_context *auth_context;
+ struct loadparm_context *lp_ctx;
+ struct PAC_DATA_CTR *pac_data_ctr = NULL;
+ char *canon_principal = NULL;
+ char *canon_realm = NULL;
+
+ TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
+ NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
+
+ ZERO_STRUCT(tkt);
+ ZERO_STRUCT(ap_rep);
+ ZERO_STRUCT(sesskey1);
+
+ if (!name || !pass) {
+ status = NT_STATUS_INVALID_PARAMETER;
+ goto out;
+ }
+
+ if (_canon_principal != NULL) {
+ *_canon_principal = NULL;
+ }
+
+ if (_canon_realm != NULL) {
+ *_canon_realm = NULL;
+ }
+
+ if (cache_name) {
+ cc = cache_name;
+ }
+
+ if (!strchr_m(name, '@')) {
+ auth_princ = talloc_asprintf(mem_ctx, "%s@%s", name,
+ lp_realm());
+ } else {
+ auth_princ = name;
+ }
+ NT_STATUS_HAVE_NO_MEMORY(auth_princ);
+
+ ret = kerberos_kinit_password_ext(auth_princ,
+ pass,
+ time_offset,
+ expire_time,
+ renew_till_time,
+ cc,
+ request_pac,
+ add_netbios_addr,
+ renewable_time,
+ tmp_ctx,
+ &canon_principal,
+ &canon_realm,
+ &status);
+ if (ret) {
+ DEBUG(1,("kinit failed for '%s' with: %s (%d)\n",
+ auth_princ, error_message(ret), ret));
+ /* status already set */
+ goto out;
+ }
+
+ DEBUG(10,("got TGT for %s in %s\n", auth_princ, cc));
+ if (expire_time) {
+ DEBUGADD(10,("\tvalid until: %s (%d)\n",
+ http_timestring(talloc_tos(), *expire_time),
+ (int)*expire_time));
+ }
+ if (renew_till_time) {
+ DEBUGADD(10,("\trenewable till: %s (%d)\n",
+ http_timestring(talloc_tos(), *renew_till_time),
+ (int)*renew_till_time));
+ }
+
+ /* we cannot continue with krb5 when UF_DONT_REQUIRE_PREAUTH is set,
+ * in that case fallback to NTLM - gd */
+
+ if (expire_time && renew_till_time &&
+ (*expire_time == 0) && (*renew_till_time == 0)) {
+ status = NT_STATUS_INVALID_LOGON_TYPE;
+ goto out;
+ }
+
+ ret = ads_krb5_cli_get_ticket(mem_ctx,
+ local_service,
+ time_offset,
+ &tkt,
+ &sesskey1,
+ 0,
+ cc,
+ NULL,
+ impersonate_princ_s);
+ if (ret) {
+ DEBUG(1,("failed to get ticket for %s: %s\n",
+ local_service, error_message(ret)));
+ if (impersonate_princ_s) {
+ DEBUGADD(1,("tried S4U2SELF impersonation as: %s\n",
+ impersonate_princ_s));
+ }
+ status = krb5_to_nt_status(ret);
+ goto out;
+ }
+
+ /* wrap that up in a nice GSS-API wrapping */
+ tkt_wrapped = spnego_gen_krb5_wrap(tmp_ctx, tkt, TOK_ID_KRB_AP_REQ);
+ if (tkt_wrapped.data == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto out;
+ }
+
+ auth_context = auth4_context_for_PAC_DATA_CTR(tmp_ctx);
+ if (auth_context == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto out;
+ }
+
+ lp_ctx = loadparm_init_s3(tmp_ctx, loadparm_s3_helpers());
+ if (lp_ctx == NULL) {
+ status = NT_STATUS_INVALID_SERVER_STATE;
+ DEBUG(10, ("loadparm_init_s3 failed\n"));
+ goto out;
+ }
+
+ gensec_settings = lpcfg_gensec_settings(tmp_ctx, lp_ctx);
+ if (gensec_settings == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ DEBUG(10, ("lpcfg_gensec_settings failed\n"));
+ goto out;
+ }
+
+ backends = talloc_zero_array(gensec_settings,
+ const struct gensec_security_ops *, 2);
+ if (backends == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto out;
+ }
+ gensec_settings->backends = backends;
+
+ gensec_init();
+
+ backends[idx++] = &gensec_gse_krb5_security_ops;
+
+ status = gensec_server_start(tmp_ctx, gensec_settings,
+ auth_context, &gensec_server_context);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1, (__location__ "Failed to start server-side GENSEC to validate a Kerberos ticket: %s\n", nt_errstr(status)));
+ goto out;
+ }
+
+ talloc_unlink(tmp_ctx, lp_ctx);
+ talloc_unlink(tmp_ctx, gensec_settings);
+ talloc_unlink(tmp_ctx, auth_context);
+
+ /* Session info is not complete, do not pass to auth log */
+ gensec_want_feature(gensec_server_context, GENSEC_FEATURE_NO_AUTHZ_LOG);
+
+ status = gensec_start_mech_by_oid(gensec_server_context, GENSEC_OID_KERBEROS5);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1, (__location__ "Failed to start server-side GENSEC krb5 to validate a Kerberos ticket: %s\n", nt_errstr(status)));
+ goto out;
+ }
+
+ /* Do a client-server update dance */
+ status = gensec_update(gensec_server_context, tmp_ctx, tkt_wrapped, &ap_rep);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1, ("gensec_update() failed: %s\n", nt_errstr(status)));
+ goto out;
+ }
+
+ /* Now return the PAC information to the callers. We ignore
+ * the session_info and instead pick out the PAC via the
+ * private_data on the auth_context */
+ status = gensec_session_info(gensec_server_context, tmp_ctx, &session_info);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1, ("Unable to obtain PAC via gensec_session_info\n"));
+ goto out;
+ }
+
+ pac_data_ctr = auth4_context_get_PAC_DATA_CTR(auth_context, mem_ctx);
+ if (pac_data_ctr == NULL) {
+ DEBUG(1,("no PAC\n"));
+ status = NT_STATUS_INVALID_PARAMETER;
+ goto out;
+ }
+
+ *_pac_data_ctr = talloc_move(mem_ctx, &pac_data_ctr);
+ if (_canon_principal != NULL) {
+ *_canon_principal = talloc_move(mem_ctx, &canon_principal);
+ }
+ if (_canon_realm != NULL) {
+ *_canon_realm = talloc_move(mem_ctx, &canon_realm);
+ }
+
+out:
+ talloc_free(tmp_ctx);
+ if (cc != cache_name) {
+ ads_kdestroy(cc);
+ }
+
+ data_blob_free(&tkt);
+ data_blob_free(&ap_rep);
+ data_blob_free(&sesskey1);
+
+ return status;
+}
+
+#endif
diff --git a/source3/libads/cldap.c b/source3/libads/cldap.c
new file mode 100644
index 0000000..56c2537
--- /dev/null
+++ b/source3/libads/cldap.c
@@ -0,0 +1,453 @@
+/*
+ Samba Unix/Linux SMB client library
+ net ads cldap functions
+ Copyright (C) 2001 Andrew Tridgell (tridge@samba.org)
+ Copyright (C) 2003 Jim McDonough (jmcd@us.ibm.com)
+ Copyright (C) 2008 Guenther Deschner (gd@samba.org)
+ Copyright (C) 2009 Stefan Metzmacher (metze@samba.org)
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "../libcli/cldap/cldap.h"
+#include "../librpc/gen_ndr/ndr_netlogon.h"
+#include "../lib/tsocket/tsocket.h"
+#include "../lib/util/tevent_ntstatus.h"
+#include "libads/cldap.h"
+
+struct cldap_multi_netlogon_state {
+ struct tevent_context *ev;
+ const struct tsocket_address * const *servers;
+ int num_servers;
+ const char *domain;
+ const char *hostname;
+ unsigned ntversion;
+ int min_servers;
+
+ struct cldap_socket **cldap;
+ struct tevent_req **subreqs;
+ int num_sent;
+ int num_received;
+ int num_good_received;
+ struct cldap_netlogon *ios;
+ struct netlogon_samlogon_response **responses;
+};
+
+static void cldap_multi_netlogon_done(struct tevent_req *subreq);
+static void cldap_multi_netlogon_next(struct tevent_req *subreq);
+
+/****************************************************************
+****************************************************************/
+
+#define RETURN_ON_FALSE(x) if (!(x)) return false;
+
+bool check_cldap_reply_required_flags(uint32_t ret_flags,
+ uint32_t req_flags)
+{
+ if (req_flags == 0) {
+ return true;
+ }
+
+ if (req_flags & DS_PDC_REQUIRED)
+ RETURN_ON_FALSE(ret_flags & NBT_SERVER_PDC);
+
+ if (req_flags & DS_GC_SERVER_REQUIRED)
+ RETURN_ON_FALSE(ret_flags & NBT_SERVER_GC);
+
+ if (req_flags & DS_ONLY_LDAP_NEEDED)
+ RETURN_ON_FALSE(ret_flags & NBT_SERVER_LDAP);
+
+ if ((req_flags & DS_DIRECTORY_SERVICE_REQUIRED) ||
+ (req_flags & DS_DIRECTORY_SERVICE_PREFERRED))
+ RETURN_ON_FALSE(ret_flags & NBT_SERVER_DS);
+
+ if (req_flags & DS_KDC_REQUIRED)
+ RETURN_ON_FALSE(ret_flags & NBT_SERVER_KDC);
+
+ if (req_flags & DS_TIMESERV_REQUIRED)
+ RETURN_ON_FALSE(ret_flags & NBT_SERVER_TIMESERV);
+
+ if (req_flags & DS_WEB_SERVICE_REQUIRED)
+ RETURN_ON_FALSE(ret_flags & NBT_SERVER_ADS_WEB_SERVICE);
+
+ if (req_flags & DS_WRITABLE_REQUIRED)
+ RETURN_ON_FALSE(ret_flags & NBT_SERVER_WRITABLE);
+
+ if (req_flags & DS_DIRECTORY_SERVICE_6_REQUIRED)
+ RETURN_ON_FALSE(ret_flags & (NBT_SERVER_SELECT_SECRET_DOMAIN_6
+ |NBT_SERVER_FULL_SECRET_DOMAIN_6));
+
+ if (req_flags & DS_DIRECTORY_SERVICE_8_REQUIRED)
+ RETURN_ON_FALSE(ret_flags & NBT_SERVER_DS_8);
+
+ if (req_flags & DS_DIRECTORY_SERVICE_9_REQUIRED)
+ RETURN_ON_FALSE(ret_flags & NBT_SERVER_DS_9);
+
+ if (req_flags & DS_DIRECTORY_SERVICE_10_REQUIRED)
+ RETURN_ON_FALSE(ret_flags & NBT_SERVER_DS_10);
+
+ return true;
+}
+
+/*
+ * Do a parallel cldap ping to the servers. The first "min_servers"
+ * are fired directly, the remaining ones in 100msec intervals. If
+ * "min_servers" responses came in successfully, we immediately reply,
+ * not waiting for the remaining ones.
+ */
+
+struct tevent_req *cldap_multi_netlogon_send(
+ TALLOC_CTX *mem_ctx, struct tevent_context *ev,
+ const struct tsocket_address * const *servers, int num_servers,
+ const char *domain, const char *hostname, unsigned ntversion,
+ int min_servers)
+{
+ struct tevent_req *req, *subreq;
+ struct cldap_multi_netlogon_state *state;
+ int i;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct cldap_multi_netlogon_state);
+ if (req == NULL) {
+ return NULL;
+ }
+ state->ev = ev;
+ state->servers = servers;
+ state->num_servers = num_servers;
+ state->domain = domain;
+ state->hostname = hostname;
+ state->ntversion = ntversion;
+ state->min_servers = min_servers;
+
+ if (min_servers > num_servers) {
+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ return tevent_req_post(req, ev);
+ }
+
+ state->subreqs = talloc_zero_array(state,
+ struct tevent_req *,
+ num_servers);
+ if (tevent_req_nomem(state->subreqs, req)) {
+ return tevent_req_post(req, ev);
+ }
+
+ state->cldap = talloc_zero_array(state,
+ struct cldap_socket *,
+ num_servers);
+ if (tevent_req_nomem(state->cldap, req)) {
+ return tevent_req_post(req, ev);
+ }
+
+ state->responses = talloc_zero_array(state,
+ struct netlogon_samlogon_response *,
+ num_servers);
+ if (tevent_req_nomem(state->responses, req)) {
+ return tevent_req_post(req, ev);
+ }
+
+ state->ios = talloc_zero_array(state->responses,
+ struct cldap_netlogon,
+ num_servers);
+ if (tevent_req_nomem(state->ios, req)) {
+ return tevent_req_post(req, ev);
+ }
+
+ for (i=0; i<num_servers; i++) {
+ NTSTATUS status;
+
+ status = cldap_socket_init(state->cldap,
+ NULL, /* local_addr */
+ state->servers[i],
+ &state->cldap[i]);
+ if (!NT_STATUS_IS_OK(status)) {
+ /*
+ * Don't error out all sends just
+ * because one cldap_socket_init() failed.
+ * Log it here, and the cldap_netlogon_send()
+ * will catch it (with in.dest_address == NULL)
+ * and correctly error out in
+ * cldap_multi_netlogon_done(). This still allows
+ * the other requests to be concurrently sent.
+ */
+ DBG_NOTICE("cldap_socket_init failed for %s "
+ " error %s\n",
+ tsocket_address_string(state->servers[i],
+ req),
+ nt_errstr(status));
+ }
+
+ state->ios[i].in.dest_address = NULL;
+ state->ios[i].in.dest_port = 0;
+ state->ios[i].in.realm = domain;
+ state->ios[i].in.host = NULL;
+ state->ios[i].in.user = NULL;
+ state->ios[i].in.domain_guid = NULL;
+ state->ios[i].in.domain_sid = NULL;
+ state->ios[i].in.acct_control = 0;
+ state->ios[i].in.version = ntversion;
+ state->ios[i].in.map_response = false;
+ }
+
+ for (i=0; i<min_servers; i++) {
+ state->subreqs[i] = cldap_netlogon_send(state->subreqs,
+ state->ev,
+ state->cldap[i],
+ &state->ios[i]);
+ if (tevent_req_nomem(state->subreqs[i], req)) {
+ return tevent_req_post(req, ev);
+ }
+ tevent_req_set_callback(
+ state->subreqs[i], cldap_multi_netlogon_done, req);
+ }
+ state->num_sent = min_servers;
+
+ if (state->num_sent < state->num_servers) {
+ /*
+ * After 100 milliseconds fire the next one
+ */
+ subreq = tevent_wakeup_send(state, state->ev,
+ timeval_current_ofs(0, 100000));
+ if (tevent_req_nomem(subreq, req)) {
+ return tevent_req_post(req, ev);
+ }
+ tevent_req_set_callback(subreq, cldap_multi_netlogon_next,
+ req);
+ }
+
+ return req;
+}
+
+static void cldap_multi_netlogon_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct cldap_multi_netlogon_state *state = tevent_req_data(
+ req, struct cldap_multi_netlogon_state);
+ NTSTATUS status;
+ struct netlogon_samlogon_response *response;
+ int i;
+
+ for (i=0; i<state->num_sent; i++) {
+ if (state->subreqs[i] == subreq) {
+ break;
+ }
+ }
+ if (i == state->num_sent) {
+ /*
+ * Got a response we did not fire...
+ */
+ tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
+ return;
+ }
+ state->subreqs[i] = NULL;
+
+ response = talloc_zero(state, struct netlogon_samlogon_response);
+ if (tevent_req_nomem(response, req)) {
+ return;
+ }
+
+ status = cldap_netlogon_recv(subreq, response,
+ &state->ios[i]);
+ TALLOC_FREE(subreq);
+ state->num_received += 1;
+
+ if (NT_STATUS_IS_OK(status)) {
+ *response = state->ios[i].out.netlogon;
+ state->responses[i] = talloc_move(state->responses,
+ &response);
+ state->num_good_received += 1;
+ }
+
+ if ((state->num_received == state->num_servers) ||
+ (state->num_good_received >= state->min_servers)) {
+ tevent_req_done(req);
+ return;
+ }
+}
+
+static void cldap_multi_netlogon_next(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct cldap_multi_netlogon_state *state = tevent_req_data(
+ req, struct cldap_multi_netlogon_state);
+ bool ret;
+
+ ret = tevent_wakeup_recv(subreq);
+ TALLOC_FREE(subreq);
+ if (!ret) {
+ tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
+ return;
+ }
+
+ subreq = cldap_netlogon_send(state->subreqs,
+ state->ev,
+ state->cldap[state->num_sent],
+ &state->ios[state->num_sent]);
+ if (tevent_req_nomem(subreq, req)) {
+ return;
+ }
+ tevent_req_set_callback(subreq, cldap_multi_netlogon_done, req);
+ state->subreqs[state->num_sent] = subreq;
+ state->num_sent += 1;
+
+ if (state->num_sent < state->num_servers) {
+ /*
+ * After 100 milliseconds fire the next one
+ */
+ subreq = tevent_wakeup_send(state, state->ev,
+ timeval_current_ofs(0, 100000));
+ if (tevent_req_nomem(subreq, req)) {
+ return;
+ }
+ tevent_req_set_callback(subreq, cldap_multi_netlogon_next,
+ req);
+ }
+}
+
+NTSTATUS cldap_multi_netlogon_recv(
+ struct tevent_req *req, TALLOC_CTX *mem_ctx,
+ struct netlogon_samlogon_response ***responses)
+{
+ struct cldap_multi_netlogon_state *state = tevent_req_data(
+ req, struct cldap_multi_netlogon_state);
+ NTSTATUS status;
+
+ if (tevent_req_is_nterror(req, &status) &&
+ !NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT)) {
+ return status;
+ }
+ /*
+ * If we timeout, give back what we have so far
+ */
+ *responses = talloc_move(mem_ctx, &state->responses);
+ return NT_STATUS_OK;
+}
+
+NTSTATUS cldap_multi_netlogon(
+ TALLOC_CTX *mem_ctx,
+ const struct tsocket_address * const *servers,
+ int num_servers,
+ const char *domain, const char *hostname, unsigned ntversion,
+ int min_servers, struct timeval timeout,
+ struct netlogon_samlogon_response ***responses)
+{
+ struct tevent_context *ev;
+ struct tevent_req *req;
+ NTSTATUS status = NT_STATUS_NO_MEMORY;
+
+ ev = samba_tevent_context_init(talloc_tos());
+ if (ev == NULL) {
+ goto fail;
+ }
+ req = cldap_multi_netlogon_send(
+ ev, ev, servers, num_servers, domain, hostname, ntversion,
+ min_servers);
+ if (req == NULL) {
+ goto fail;
+ }
+ if (!tevent_req_set_endtime(req, ev, timeout)) {
+ goto fail;
+ }
+ if (!tevent_req_poll_ntstatus(req, ev, &status)) {
+ goto fail;
+ }
+ status = cldap_multi_netlogon_recv(req, mem_ctx, responses);
+fail:
+ TALLOC_FREE(ev);
+ return status;
+}
+
+/*******************************************************************
+ do a cldap netlogon query. Always 389/udp
+*******************************************************************/
+
+bool ads_cldap_netlogon(TALLOC_CTX *mem_ctx,
+ struct sockaddr_storage *ss,
+ const char *realm,
+ uint32_t nt_version,
+ struct netlogon_samlogon_response **_reply)
+{
+ NTSTATUS status;
+ char addrstr[INET6_ADDRSTRLEN];
+ const char *dest_str;
+ struct tsocket_address *dest_addr;
+ const struct tsocket_address * const *dest_addrs;
+ struct netlogon_samlogon_response **responses = NULL;
+ int ret;
+
+ dest_str = print_sockaddr(addrstr, sizeof(addrstr), ss);
+
+ ret = tsocket_address_inet_from_strings(mem_ctx, "ip",
+ dest_str, LDAP_PORT,
+ &dest_addr);
+ if (ret != 0) {
+ status = map_nt_error_from_unix(errno);
+ DEBUG(2,("Failed to create cldap tsocket_address for %s - %s\n",
+ dest_str, nt_errstr(status)));
+ return false;
+ }
+
+ dest_addrs = (const struct tsocket_address * const *)&dest_addr;
+
+ status = cldap_multi_netlogon(talloc_tos(),
+ dest_addrs, 1,
+ realm, NULL,
+ nt_version, 1,
+ timeval_current_ofs(MAX(3,lp_ldap_timeout()/2), 0),
+ &responses);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(2, ("ads_cldap_netlogon: cldap_multi_netlogon "
+ "failed: %s\n", nt_errstr(status)));
+ return false;
+ }
+ if (responses == NULL || responses[0] == NULL) {
+ DEBUG(2, ("ads_cldap_netlogon: did not get a reply\n"));
+ TALLOC_FREE(responses);
+ return false;
+ }
+ *_reply = talloc_move(mem_ctx, &responses[0]);
+
+ return true;
+}
+
+/*******************************************************************
+ do a cldap netlogon query. Always 389/udp
+*******************************************************************/
+
+bool ads_cldap_netlogon_5(TALLOC_CTX *mem_ctx,
+ struct sockaddr_storage *ss,
+ const char *realm,
+ struct NETLOGON_SAM_LOGON_RESPONSE_EX *reply5)
+{
+ uint32_t nt_version = NETLOGON_NT_VERSION_5 | NETLOGON_NT_VERSION_5EX;
+ struct netlogon_samlogon_response *reply = NULL;
+ bool ret;
+
+ ret = ads_cldap_netlogon(mem_ctx, ss, realm, nt_version, &reply);
+ if (!ret) {
+ return false;
+ }
+
+ if (reply->ntver != NETLOGON_NT_VERSION_5EX) {
+ DEBUG(0,("ads_cldap_netlogon_5: nt_version mismatch: 0x%08x\n",
+ reply->ntver));
+ return false;
+ }
+
+ *reply5 = reply->data.nt5_ex;
+
+ return true;
+}
diff --git a/source3/libads/cldap.h b/source3/libads/cldap.h
new file mode 100644
index 0000000..7fa1bdf
--- /dev/null
+++ b/source3/libads/cldap.h
@@ -0,0 +1,60 @@
+/*
+ Samba Unix/Linux SMB client library
+ net ads cldap functions
+ Copyright (C) 2001 Andrew Tridgell (tridge@samba.org)
+ Copyright (C) 2003 Jim McDonough (jmcd@us.ibm.com)
+ Copyright (C) 2008 Guenther Deschner (gd@samba.org)
+ Copyright (C) 2009 Stefan Metzmacher (metze@samba.org)
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#ifndef _LIBADS_CLDAP_H_
+#define _LIBADS_CLDAP_H_
+
+#include "../libcli/netlogon/netlogon.h"
+
+/* The following definitions come from libads/cldap.c */
+
+bool check_cldap_reply_required_flags(uint32_t ret_flags,
+ uint32_t req_flags);
+
+struct tevent_req *cldap_multi_netlogon_send(
+ TALLOC_CTX *mem_ctx, struct tevent_context *ev,
+ const struct tsocket_address * const *servers,
+ int num_servers,
+ const char *domain, const char *hostname, unsigned ntversion,
+ int min_servers);
+NTSTATUS cldap_multi_netlogon_recv(
+ struct tevent_req *req, TALLOC_CTX *mem_ctx,
+ struct netlogon_samlogon_response ***responses);
+NTSTATUS cldap_multi_netlogon(
+ TALLOC_CTX *mem_ctx,
+ const struct tsocket_address * const *servers,
+ int num_servers,
+ const char *domain, const char *hostname, unsigned ntversion,
+ int min_servers, struct timeval timeout,
+ struct netlogon_samlogon_response ***responses);
+
+bool ads_cldap_netlogon(TALLOC_CTX *mem_ctx,
+ struct sockaddr_storage *ss,
+ const char *realm,
+ uint32_t nt_version,
+ struct netlogon_samlogon_response **reply);
+bool ads_cldap_netlogon_5(TALLOC_CTX *mem_ctx,
+ struct sockaddr_storage *ss,
+ const char *realm,
+ struct NETLOGON_SAM_LOGON_RESPONSE_EX *reply5);
+
+#endif /* _LIBADS_CLDAP_H_ */
diff --git a/source3/libads/disp_sec.c b/source3/libads/disp_sec.c
new file mode 100644
index 0000000..a193c5b
--- /dev/null
+++ b/source3/libads/disp_sec.c
@@ -0,0 +1,254 @@
+/*
+ Unix SMB/CIFS implementation.
+ Samba utility functions. ADS stuff
+ Copyright (C) Alexey Kotovich 2002
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "ads.h"
+#include "libads/ldap_schema.h"
+#include "../libcli/security/secace.h"
+#include "../librpc/ndr/libndr.h"
+#include "libcli/security/dom_sid.h"
+
+/* for ADS */
+#define SEC_RIGHTS_FULL_CTRL 0xf01ff
+
+#ifdef HAVE_LDAP
+
+static struct perm_mask_str {
+ uint32_t mask;
+ const char *str;
+} perms[] = {
+ {SEC_RIGHTS_FULL_CTRL, "[Full Control]"},
+
+ {SEC_ADS_LIST, "[List Contents]"},
+ {SEC_ADS_LIST_OBJECT, "[List Object]"},
+
+ {SEC_ADS_READ_PROP, "[Read All Properties]"},
+ {SEC_STD_READ_CONTROL, "[Read Permissions]"},
+
+ {SEC_ADS_SELF_WRITE, "[All validate writes]"},
+ {SEC_ADS_WRITE_PROP, "[Write All Properties]"},
+
+ {SEC_STD_WRITE_DAC, "[Modify Permissions]"},
+ {SEC_STD_WRITE_OWNER, "[Modify Owner]"},
+
+ {SEC_ADS_CREATE_CHILD, "[Create All Child Objects]"},
+
+ {SEC_STD_DELETE, "[Delete]"},
+ {SEC_ADS_DELETE_TREE, "[Delete Subtree]"},
+ {SEC_ADS_DELETE_CHILD, "[Delete All Child Objects]"},
+
+ {SEC_ADS_CONTROL_ACCESS, "[Change Password]"},
+ {SEC_ADS_CONTROL_ACCESS, "[Reset Password]"},
+
+ {0, 0}
+};
+
+/* convert a security permissions into a string */
+static void ads_disp_perms(uint32_t type)
+{
+ int i = 0;
+ int j = 0;
+
+ printf("Permissions: ");
+
+ if (type == SEC_RIGHTS_FULL_CTRL) {
+ printf("%s\n", perms[j].str);
+ return;
+ }
+
+ for (i = 0; i < 32; i++) {
+ if (type & ((uint32_t)1 << i)) {
+ for (j = 1; perms[j].str; j ++) {
+ if (perms[j].mask == (((unsigned) 1) << i)) {
+ printf("\n\t%s (0x%08x)", perms[j].str, perms[j].mask);
+ }
+ }
+ type &= ~(1 << i);
+ }
+ }
+
+ /* remaining bits get added on as-is */
+ if (type != 0) {
+ printf("[%08x]", type);
+ }
+ puts("");
+}
+
+static const char *ads_interprete_guid_from_object(ADS_STRUCT *ads,
+ TALLOC_CTX *mem_ctx,
+ const struct GUID *guid)
+{
+ const char *ret = NULL;
+
+ if (!ads || !mem_ctx) {
+ return NULL;
+ }
+
+ ret = ads_get_attrname_by_guid(ads, ads->config.schema_path,
+ mem_ctx, guid);
+ if (ret) {
+ return talloc_asprintf(mem_ctx, "LDAP attribute: \"%s\"", ret);
+ }
+
+ ret = ads_get_extended_right_name_by_guid(ads, ads->config.config_path,
+ mem_ctx, guid);
+
+ if (ret) {
+ return talloc_asprintf(mem_ctx, "Extended right: \"%s\"", ret);
+ }
+
+ return ret;
+}
+
+static void ads_disp_sec_ace_object(ADS_STRUCT *ads,
+ TALLOC_CTX *mem_ctx,
+ struct security_ace_object *object)
+{
+ if (object->flags & SEC_ACE_OBJECT_TYPE_PRESENT) {
+ printf("Object type: SEC_ACE_OBJECT_TYPE_PRESENT\n");
+ printf("Object GUID: %s (%s)\n", GUID_string(mem_ctx,
+ &object->type.type),
+ ads_interprete_guid_from_object(ads, mem_ctx,
+ &object->type.type));
+ }
+ if (object->flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT) {
+ printf("Object type: SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT\n");
+ printf("Object GUID: %s (%s)\n", GUID_string(mem_ctx,
+ &object->inherited_type.inherited_type),
+ ads_interprete_guid_from_object(ads, mem_ctx,
+ &object->inherited_type.inherited_type));
+ }
+}
+
+/* display ACE */
+static void ads_disp_ace(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct security_ace *sec_ace)
+{
+ const char *access_type = "UNKNOWN";
+ struct dom_sid_buf sidbuf;
+
+ if (!sec_ace_object(sec_ace->type)) {
+ printf("------- ACE (type: 0x%02x, flags: 0x%02x, size: 0x%02x, mask: 0x%x)\n",
+ sec_ace->type,
+ sec_ace->flags,
+ sec_ace->size,
+ sec_ace->access_mask);
+ } else {
+ printf("------- ACE (type: 0x%02x, flags: 0x%02x, size: 0x%02x, mask: 0x%x, object flags: 0x%x)\n",
+ sec_ace->type,
+ sec_ace->flags,
+ sec_ace->size,
+ sec_ace->access_mask,
+ sec_ace->object.object.flags);
+ }
+
+ if (sec_ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED) {
+ access_type = "ALLOWED";
+ } else if (sec_ace->type == SEC_ACE_TYPE_ACCESS_DENIED) {
+ access_type = "DENIED";
+ } else if (sec_ace->type == SEC_ACE_TYPE_SYSTEM_AUDIT) {
+ access_type = "SYSTEM AUDIT";
+ } else if (sec_ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT) {
+ access_type = "ALLOWED OBJECT";
+ } else if (sec_ace->type == SEC_ACE_TYPE_ACCESS_DENIED_OBJECT) {
+ access_type = "DENIED OBJECT";
+ } else if (sec_ace->type == SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT) {
+ access_type = "AUDIT OBJECT";
+ }
+
+ printf("access SID: %s\naccess type: %s\n",
+ dom_sid_str_buf(&sec_ace->trustee, &sidbuf),
+ access_type);
+
+ if (sec_ace_object(sec_ace->type)) {
+ ads_disp_sec_ace_object(ads, mem_ctx, &sec_ace->object.object);
+ }
+
+ ads_disp_perms(sec_ace->access_mask);
+}
+
+/* display ACL */
+static void ads_disp_acl(struct security_acl *sec_acl, const char *type)
+{
+ if (!sec_acl)
+ printf("------- (%s) ACL not present\n", type);
+ else {
+ printf("------- (%s) ACL (revision: %d, size: %d, number of ACEs: %d)\n",
+ type,
+ sec_acl->revision,
+ sec_acl->size,
+ sec_acl->num_aces);
+ }
+}
+
+/* display SD */
+void ads_disp_sd(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct security_descriptor *sd)
+{
+ uint32_t i;
+ char *tmp_path = NULL;
+ struct dom_sid_buf buf;
+
+ if (!sd) {
+ return;
+ }
+
+ if (ads && !ads->config.schema_path) {
+ if (ADS_ERR_OK(ads_schema_path(ads, mem_ctx, &tmp_path))) {
+ ads->config.schema_path = talloc_strdup(ads, tmp_path);
+ if (ads->config.schema_path == NULL) {
+ DBG_WARNING("Out of memory\n");
+ }
+ }
+ }
+
+ if (ads && !ads->config.config_path) {
+ if (ADS_ERR_OK(ads_config_path(ads, mem_ctx, &tmp_path))) {
+ ads->config.config_path = talloc_strdup(ads, tmp_path);
+ if (ads->config.config_path == NULL) {
+ DBG_WARNING("Out of memory\n");
+ }
+ }
+ }
+
+ printf("-------------- Security Descriptor (revision: %d, type: 0x%02x)\n",
+ sd->revision,
+ sd->type);
+
+ printf("owner SID: %s\n", sd->owner_sid ?
+ dom_sid_str_buf(sd->owner_sid, &buf) : "(null)");
+ printf("group SID: %s\n", sd->group_sid ?
+ dom_sid_str_buf(sd->group_sid, &buf) : "(null)");
+
+ ads_disp_acl(sd->sacl, "system");
+ if (sd->sacl) {
+ for (i = 0; i < sd->sacl->num_aces; i ++) {
+ ads_disp_ace(ads, mem_ctx, &sd->sacl->aces[i]);
+ }
+ }
+
+ ads_disp_acl(sd->dacl, "user");
+ if (sd->dacl) {
+ for (i = 0; i < sd->dacl->num_aces; i ++) {
+ ads_disp_ace(ads, mem_ctx, &sd->dacl->aces[i]);
+ }
+ }
+
+ printf("-------------- End Of Security Descriptor\n");
+}
+
+#endif
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
new file mode 100644
index 0000000..f76c566
--- /dev/null
+++ b/source3/libads/kerberos.c
@@ -0,0 +1,908 @@
+/*
+ Unix SMB/CIFS implementation.
+ kerberos utility library
+ Copyright (C) Andrew Tridgell 2001
+ Copyright (C) Remus Koos 2001
+ Copyright (C) Nalin Dahyabhai <nalin@redhat.com> 2004.
+ Copyright (C) Jeremy Allison 2004.
+ Copyright (C) Gerald Carter 2006.
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "libsmb/namequery.h"
+#include "system/filesys.h"
+#include "smb_krb5.h"
+#include "../librpc/gen_ndr/ndr_misc.h"
+#include "libads/kerberos_proto.h"
+#include "libads/cldap.h"
+#include "secrets.h"
+#include "../lib/tsocket/tsocket.h"
+#include "lib/util/asn1.h"
+
+#ifdef HAVE_KRB5
+
+#define LIBADS_CCACHE_NAME "MEMORY:libads"
+
+/*
+ we use a prompter to avoid a crash bug in the kerberos libs when
+ dealing with empty passwords
+ this prompter is just a string copy ...
+*/
+static krb5_error_code
+kerb_prompter(krb5_context ctx, void *data,
+ const char *name,
+ const char *banner,
+ int num_prompts,
+ krb5_prompt prompts[])
+{
+ if (num_prompts == 0) return 0;
+ if (num_prompts == 2) {
+ /*
+ * only heimdal has a prompt type and we need to deal with it here to
+ * avoid loops.
+ *
+ * removing the prompter completely is not an option as at least these
+ * versions would crash: heimdal-1.0.2 and heimdal-1.1. Later heimdal
+ * version have looping detection and return with a proper error code.
+ */
+
+#if defined(HAVE_KRB5_PROMPT_TYPE) /* Heimdal */
+ if (prompts[0].type == KRB5_PROMPT_TYPE_NEW_PASSWORD &&
+ prompts[1].type == KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN) {
+ /*
+ * We don't want to change passwords here. We're
+ * called from heimdal when the KDC returns
+ * KRB5KDC_ERR_KEY_EXPIRED, but at this point we don't
+ * have the chance to ask the user for a new
+ * password. If we return 0 (i.e. success), we will be
+ * spinning in the endless for-loop in
+ * change_password() in
+ * third_party/heimdal/lib/krb5/init_creds_pw.c
+ */
+ return KRB5KDC_ERR_KEY_EXPIRED;
+ }
+#elif defined(HAVE_KRB5_GET_PROMPT_TYPES) /* MIT */
+ krb5_prompt_type *prompt_types = NULL;
+
+ prompt_types = krb5_get_prompt_types(ctx);
+ if (prompt_types != NULL) {
+ if (prompt_types[0] == KRB5_PROMPT_TYPE_NEW_PASSWORD &&
+ prompt_types[1] == KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN) {
+ return KRB5KDC_ERR_KEY_EXP;
+ }
+ }
+#endif
+ }
+
+ memset(prompts[0].reply->data, '\0', prompts[0].reply->length);
+ if (prompts[0].reply->length > 0) {
+ if (data) {
+ strncpy((char *)prompts[0].reply->data, (const char *)data,
+ prompts[0].reply->length-1);
+ prompts[0].reply->length = strlen((const char *)prompts[0].reply->data);
+ } else {
+ prompts[0].reply->length = 0;
+ }
+ }
+ return 0;
+}
+
+/*
+ simulate a kinit, putting the tgt in the given cache location. If cache_name == NULL
+ place in default cache location.
+ remus@snapserver.com
+*/
+int kerberos_kinit_password_ext(const char *given_principal,
+ const char *password,
+ int time_offset,
+ time_t *expire_time,
+ time_t *renew_till_time,
+ const char *cache_name,
+ bool request_pac,
+ bool add_netbios_addr,
+ time_t renewable_time,
+ TALLOC_CTX *mem_ctx,
+ char **_canon_principal,
+ char **_canon_realm,
+ NTSTATUS *ntstatus)
+{
+ TALLOC_CTX *frame = talloc_stackframe();
+ krb5_context ctx = NULL;
+ krb5_error_code code = 0;
+ krb5_ccache cc = NULL;
+ krb5_principal me = NULL;
+ krb5_principal canon_princ = NULL;
+ krb5_creds my_creds;
+ krb5_get_init_creds_opt *opt = NULL;
+ smb_krb5_addresses *addr = NULL;
+ char *canon_principal = NULL;
+ char *canon_realm = NULL;
+
+ ZERO_STRUCT(my_creds);
+
+ code = smb_krb5_init_context_common(&ctx);
+ if (code != 0) {
+ DBG_ERR("kerberos init context failed (%s)\n",
+ error_message(code));
+ TALLOC_FREE(frame);
+ return code;
+ }
+
+ if (time_offset != 0) {
+ krb5_set_real_time(ctx, time(NULL) + time_offset, 0);
+ }
+
+ DBG_DEBUG("as %s using [%s] as ccache and config [%s]\n",
+ given_principal,
+ cache_name ? cache_name: krb5_cc_default_name(ctx),
+ getenv("KRB5_CONFIG"));
+
+ if ((code = krb5_cc_resolve(ctx, cache_name ? cache_name : krb5_cc_default_name(ctx), &cc))) {
+ goto out;
+ }
+
+ if ((code = smb_krb5_parse_name(ctx, given_principal, &me))) {
+ goto out;
+ }
+
+ if ((code = krb5_get_init_creds_opt_alloc(ctx, &opt))) {
+ goto out;
+ }
+
+ krb5_get_init_creds_opt_set_renew_life(opt, renewable_time);
+ krb5_get_init_creds_opt_set_forwardable(opt, True);
+
+ /* Turn on canonicalization for lower case realm support */
+#ifdef SAMBA4_USES_HEIMDAL
+ krb5_get_init_creds_opt_set_win2k(ctx, opt, true);
+ krb5_get_init_creds_opt_set_canonicalize(ctx, opt, true);
+#else /* MIT */
+ krb5_get_init_creds_opt_set_canonicalize(opt, true);
+#endif /* MIT */
+#if 0
+ /* insane testing */
+ krb5_get_init_creds_opt_set_tkt_life(opt, 60);
+#endif
+
+#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_PAC_REQUEST
+ if (request_pac) {
+ if ((code = krb5_get_init_creds_opt_set_pac_request(ctx, opt, (krb5_boolean)request_pac))) {
+ goto out;
+ }
+ }
+#endif
+ if (add_netbios_addr) {
+ if ((code = smb_krb5_gen_netbios_krb5_address(&addr,
+ lp_netbios_name()))) {
+ goto out;
+ }
+ krb5_get_init_creds_opt_set_address_list(opt, addr->addrs);
+ }
+
+ if ((code = krb5_get_init_creds_password(ctx, &my_creds, me, discard_const_p(char,password),
+ kerb_prompter, discard_const_p(char, password),
+ 0, NULL, opt))) {
+ goto out;
+ }
+
+ canon_princ = my_creds.client;
+
+ code = smb_krb5_unparse_name(frame,
+ ctx,
+ canon_princ,
+ &canon_principal);
+ if (code != 0) {
+ goto out;
+ }
+
+ DBG_DEBUG("%s mapped to %s\n", given_principal, canon_principal);
+
+ canon_realm = smb_krb5_principal_get_realm(frame, ctx, canon_princ);
+ if (canon_realm == NULL) {
+ code = ENOMEM;
+ goto out;
+ }
+
+ if ((code = krb5_cc_initialize(ctx, cc, canon_princ))) {
+ goto out;
+ }
+
+ if ((code = krb5_cc_store_cred(ctx, cc, &my_creds))) {
+ goto out;
+ }
+
+ if (expire_time) {
+ *expire_time = (time_t) my_creds.times.endtime;
+ }
+
+ if (renew_till_time) {
+ *renew_till_time = (time_t) my_creds.times.renew_till;
+ }
+
+ if (_canon_principal != NULL) {
+ *_canon_principal = talloc_move(mem_ctx, &canon_principal);
+ }
+ if (_canon_realm != NULL) {
+ *_canon_realm = talloc_move(mem_ctx, &canon_realm);
+ }
+ out:
+ if (ntstatus) {
+ /* fast path */
+ if (code == 0) {
+ *ntstatus = NT_STATUS_OK;
+ goto cleanup;
+ }
+
+ /* fall back to self-made-mapping */
+ *ntstatus = krb5_to_nt_status(code);
+ }
+
+ cleanup:
+ krb5_free_cred_contents(ctx, &my_creds);
+ if (me) {
+ krb5_free_principal(ctx, me);
+ }
+ if (addr) {
+ smb_krb5_free_addresses(ctx, addr);
+ }
+ if (opt) {
+ krb5_get_init_creds_opt_free(ctx, opt);
+ }
+ if (cc) {
+ krb5_cc_close(ctx, cc);
+ }
+ if (ctx) {
+ krb5_free_context(ctx);
+ }
+ TALLOC_FREE(frame);
+ return code;
+}
+
+int ads_kdestroy(const char *cc_name)
+{
+ krb5_error_code code;
+ krb5_context ctx = NULL;
+ krb5_ccache cc = NULL;
+
+ code = smb_krb5_init_context_common(&ctx);
+ if (code != 0) {
+ DBG_ERR("kerberos init context failed (%s)\n",
+ error_message(code));
+ return code;
+ }
+
+ if (!cc_name) {
+ if ((code = krb5_cc_default(ctx, &cc))) {
+ krb5_free_context(ctx);
+ return code;
+ }
+ } else {
+ if ((code = krb5_cc_resolve(ctx, cc_name, &cc))) {
+ DEBUG(3, ("ads_kdestroy: krb5_cc_resolve failed: %s\n",
+ error_message(code)));
+ krb5_free_context(ctx);
+ return code;
+ }
+ }
+
+ if ((code = krb5_cc_destroy (ctx, cc))) {
+ DEBUG(3, ("ads_kdestroy: krb5_cc_destroy failed: %s\n",
+ error_message(code)));
+ }
+
+ krb5_free_context (ctx);
+ return code;
+}
+
+int create_kerberos_key_from_string(krb5_context context,
+ krb5_principal host_princ,
+ krb5_principal salt_princ,
+ krb5_data *password,
+ krb5_keyblock *key,
+ krb5_enctype enctype,
+ bool no_salt)
+{
+ int ret;
+ /*
+ * Check if we've determined that the KDC is salting keys for this
+ * principal/enctype in a non-obvious way. If it is, try to match
+ * its behavior.
+ */
+ if (no_salt) {
+ KRB5_KEY_DATA(key) = (KRB5_KEY_DATA_CAST *)SMB_MALLOC(password->length);
+ if (!KRB5_KEY_DATA(key)) {
+ return ENOMEM;
+ }
+ memcpy(KRB5_KEY_DATA(key), password->data, password->length);
+ KRB5_KEY_LENGTH(key) = password->length;
+ KRB5_KEY_TYPE(key) = enctype;
+ return 0;
+ }
+ ret = smb_krb5_create_key_from_string(context,
+ salt_princ ? salt_princ : host_princ,
+ NULL,
+ password,
+ enctype,
+ key);
+ return ret;
+}
+
+/************************************************************************
+************************************************************************/
+
+int kerberos_kinit_password(const char *principal,
+ const char *password,
+ int time_offset,
+ const char *cache_name)
+{
+ return kerberos_kinit_password_ext(principal,
+ password,
+ time_offset,
+ 0,
+ 0,
+ cache_name,
+ False,
+ False,
+ 0,
+ NULL,
+ NULL,
+ NULL,
+ NULL);
+}
+
+/************************************************************************
+************************************************************************/
+
+/************************************************************************
+ Create a string list of available kdc's, possibly searching by sitename.
+ Does DNS queries.
+
+ If "sitename" is given, the DC's in that site are listed first.
+
+************************************************************************/
+
+static void add_sockaddr_unique(struct sockaddr_storage *addrs, size_t *num_addrs,
+ const struct sockaddr_storage *addr)
+{
+ size_t i;
+
+ for (i=0; i<*num_addrs; i++) {
+ if (sockaddr_equal((const struct sockaddr *)&addrs[i],
+ (const struct sockaddr *)addr)) {
+ return;
+ }
+ }
+ addrs[i] = *addr;
+ *num_addrs += 1;
+}
+
+/* print_canonical_sockaddr prints an ipv6 addr in the form of
+* [ipv6.addr]. This string, when put in a generated krb5.conf file is not
+* always properly dealt with by some older krb5 libraries. Adding the hard-coded
+* portnumber workarounds the issue. - gd */
+
+static char *print_canonical_sockaddr_with_port(TALLOC_CTX *mem_ctx,
+ const struct sockaddr_storage *pss)
+{
+ char *str = NULL;
+
+ str = print_canonical_sockaddr(mem_ctx, pss);
+ if (str == NULL) {
+ return NULL;
+ }
+
+ if (pss->ss_family != AF_INET6) {
+ return str;
+ }
+
+#if defined(HAVE_IPV6)
+ str = talloc_asprintf_append(str, ":88");
+#endif
+ return str;
+}
+
+static char *get_kdc_ip_string(char *mem_ctx,
+ const char *realm,
+ const char *sitename,
+ const struct sockaddr_storage *pss)
+{
+ TALLOC_CTX *frame = talloc_stackframe();
+ size_t i;
+ struct samba_sockaddr *ip_sa_site = NULL;
+ struct samba_sockaddr *ip_sa_nonsite = NULL;
+ struct samba_sockaddr sa = {0};
+ size_t count_site = 0;
+ size_t count_nonsite;
+ size_t num_dcs;
+ struct sockaddr_storage *dc_addrs = NULL;
+ struct tsocket_address **dc_addrs2 = NULL;
+ const struct tsocket_address * const *dc_addrs3 = NULL;
+ char *result = NULL;
+ struct netlogon_samlogon_response **responses = NULL;
+ NTSTATUS status;
+ bool ok;
+ char *kdc_str = NULL;
+ char *canon_sockaddr = NULL;
+
+ SMB_ASSERT(pss != NULL);
+
+ canon_sockaddr = print_canonical_sockaddr_with_port(frame, pss);
+ if (canon_sockaddr == NULL) {
+ goto out;
+ }
+
+ kdc_str = talloc_asprintf(frame,
+ "\t\tkdc = %s\n",
+ canon_sockaddr);
+ if (kdc_str == NULL) {
+ goto out;
+ }
+
+ ok = sockaddr_storage_to_samba_sockaddr(&sa, pss);
+ if (!ok) {
+ goto out;
+ }
+
+ /*
+ * First get the KDC's only in this site, the rest will be
+ * appended later
+ */
+
+ if (sitename) {
+ status = get_kdc_list(frame,
+ realm,
+ sitename,
+ &ip_sa_site,
+ &count_site);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_ERR("get_kdc_list fail %s\n",
+ nt_errstr(status));
+ goto out;
+ }
+ DBG_DEBUG("got %zu addresses from site %s search\n",
+ count_site,
+ sitename);
+ }
+
+ /* Get all KDC's. */
+
+ status = get_kdc_list(frame,
+ realm,
+ NULL,
+ &ip_sa_nonsite,
+ &count_nonsite);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_ERR("get_kdc_list (site-less) fail %s\n",
+ nt_errstr(status));
+ goto out;
+ }
+ DBG_DEBUG("got %zu addresses from site-less search\n", count_nonsite);
+
+ if (count_site + count_nonsite < count_site) {
+ /* Wrap check. */
+ DBG_ERR("get_kdc_list_talloc (site-less) fail wrap error\n");
+ goto out;
+ }
+
+
+ dc_addrs = talloc_array(talloc_tos(), struct sockaddr_storage,
+ count_site + count_nonsite);
+ if (dc_addrs == NULL) {
+ goto out;
+ }
+
+ num_dcs = 0;
+
+ for (i = 0; i < count_site; i++) {
+ if (!sockaddr_equal(&sa.u.sa, &ip_sa_site[i].u.sa)) {
+ add_sockaddr_unique(dc_addrs, &num_dcs,
+ &ip_sa_site[i].u.ss);
+ }
+ }
+
+ for (i = 0; i < count_nonsite; i++) {
+ if (!sockaddr_equal(&sa.u.sa, &ip_sa_nonsite[i].u.sa)) {
+ add_sockaddr_unique(dc_addrs, &num_dcs,
+ &ip_sa_nonsite[i].u.ss);
+ }
+ }
+
+ DBG_DEBUG("%zu additional KDCs to test\n", num_dcs);
+ if (num_dcs == 0) {
+ /*
+ * We do not have additional KDCs, but we have the one passed
+ * in via `pss`. So just use that one and leave.
+ */
+ result = talloc_move(mem_ctx, &kdc_str);
+ goto out;
+ }
+
+ dc_addrs2 = talloc_zero_array(talloc_tos(),
+ struct tsocket_address *,
+ num_dcs);
+ if (dc_addrs2 == NULL) {
+ goto out;
+ }
+
+ for (i=0; i<num_dcs; i++) {
+ char addr[INET6_ADDRSTRLEN];
+ int ret;
+
+ print_sockaddr(addr, sizeof(addr), &dc_addrs[i]);
+
+ ret = tsocket_address_inet_from_strings(dc_addrs2, "ip",
+ addr, LDAP_PORT,
+ &dc_addrs2[i]);
+ if (ret != 0) {
+ status = map_nt_error_from_unix(errno);
+ DEBUG(2,("Failed to create tsocket_address for %s - %s\n",
+ addr, nt_errstr(status)));
+ goto out;
+ }
+ }
+
+ dc_addrs3 = (const struct tsocket_address * const *)dc_addrs2;
+
+ status = cldap_multi_netlogon(talloc_tos(),
+ dc_addrs3, num_dcs,
+ realm, lp_netbios_name(),
+ NETLOGON_NT_VERSION_5 | NETLOGON_NT_VERSION_5EX,
+ MIN(num_dcs, 3), timeval_current_ofs(3, 0), &responses);
+ TALLOC_FREE(dc_addrs2);
+ dc_addrs3 = NULL;
+
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(10,("get_kdc_ip_string: cldap_multi_netlogon failed: "
+ "%s\n", nt_errstr(status)));
+ goto out;
+ }
+
+ for (i=0; i<num_dcs; i++) {
+ char *new_kdc_str;
+
+ if (responses[i] == NULL) {
+ continue;
+ }
+
+ /* Append to the string - inefficient but not done often. */
+ new_kdc_str = talloc_asprintf_append(
+ kdc_str,
+ "\t\tkdc = %s\n",
+ print_canonical_sockaddr_with_port(
+ mem_ctx, &dc_addrs[i]));
+ if (new_kdc_str == NULL) {
+ goto out;
+ }
+ kdc_str = new_kdc_str;
+ }
+
+ result = talloc_move(mem_ctx, &kdc_str);
+out:
+ if (result != NULL) {
+ DBG_DEBUG("Returning\n%s\n", result);
+ } else {
+ DBG_NOTICE("Failed to get KDC ip address\n");
+ }
+
+ TALLOC_FREE(frame);
+ return result;
+}
+
+/************************************************************************
+ Create a specific krb5.conf file in the private directory pointing
+ at a specific kdc for a realm. Keyed off domain name. Sets
+ KRB5_CONFIG environment variable to point to this file. Must be
+ run as root or will fail (which is a good thing :-).
+************************************************************************/
+
+#if !defined(SAMBA4_USES_HEIMDAL) /* MIT version */
+static char *get_enctypes(TALLOC_CTX *mem_ctx)
+{
+ char *aes_enctypes = NULL;
+ const char *legacy_enctypes = "";
+ char *enctypes = NULL;
+
+ aes_enctypes = talloc_strdup(mem_ctx, "");
+ if (aes_enctypes == NULL) {
+ goto done;
+ }
+
+ if (lp_kerberos_encryption_types() == KERBEROS_ETYPES_ALL ||
+ lp_kerberos_encryption_types() == KERBEROS_ETYPES_STRONG) {
+ aes_enctypes = talloc_asprintf_append(
+ aes_enctypes, "%s", "aes256-cts-hmac-sha1-96 ");
+ if (aes_enctypes == NULL) {
+ goto done;
+ }
+ aes_enctypes = talloc_asprintf_append(
+ aes_enctypes, "%s", "aes128-cts-hmac-sha1-96");
+ if (aes_enctypes == NULL) {
+ goto done;
+ }
+ }
+
+ if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_ALLOWED &&
+ (lp_kerberos_encryption_types() == KERBEROS_ETYPES_ALL ||
+ lp_kerberos_encryption_types() == KERBEROS_ETYPES_LEGACY)) {
+ legacy_enctypes = "RC4-HMAC";
+ }
+
+ enctypes =
+ talloc_asprintf(mem_ctx, "\tdefault_tgs_enctypes = %s %s\n"
+ "\tdefault_tkt_enctypes = %s %s\n"
+ "\tpreferred_enctypes = %s %s\n",
+ aes_enctypes, legacy_enctypes, aes_enctypes,
+ legacy_enctypes, aes_enctypes, legacy_enctypes);
+done:
+ TALLOC_FREE(aes_enctypes);
+ return enctypes;
+}
+#else /* Heimdal version */
+static char *get_enctypes(TALLOC_CTX *mem_ctx)
+{
+ const char *aes_enctypes = "";
+ const char *legacy_enctypes = "";
+ char *enctypes = NULL;
+
+ if (lp_kerberos_encryption_types() == KERBEROS_ETYPES_ALL ||
+ lp_kerberos_encryption_types() == KERBEROS_ETYPES_STRONG) {
+ aes_enctypes =
+ "aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96";
+ }
+
+ if (lp_kerberos_encryption_types() == KERBEROS_ETYPES_ALL ||
+ lp_kerberos_encryption_types() == KERBEROS_ETYPES_LEGACY) {
+ legacy_enctypes = "arcfour-hmac-md5";
+ }
+
+ enctypes = talloc_asprintf(mem_ctx, "\tdefault_etypes = %s %s\n",
+ aes_enctypes, legacy_enctypes);
+
+ return enctypes;
+}
+#endif
+
+bool create_local_private_krb5_conf_for_domain(const char *realm,
+ const char *domain,
+ const char *sitename,
+ const struct sockaddr_storage *pss)
+{
+ char *dname;
+ char *tmpname = NULL;
+ char *fname = NULL;
+ char *file_contents = NULL;
+ char *kdc_ip_string = NULL;
+ size_t flen = 0;
+ ssize_t ret;
+ int fd;
+ char *realm_upper = NULL;
+ bool result = false;
+ char *enctypes = NULL;
+ const char *include_system_krb5 = "";
+ mode_t mask;
+
+ if (!lp_create_krb5_conf()) {
+ return false;
+ }
+
+ if (realm == NULL) {
+ DEBUG(0, ("No realm has been specified! Do you really want to "
+ "join an Active Directory server?\n"));
+ return false;
+ }
+
+ if (domain == NULL || pss == NULL) {
+ return false;
+ }
+
+ dname = lock_path(talloc_tos(), "smb_krb5");
+ if (!dname) {
+ return false;
+ }
+ if ((mkdir(dname, 0755)==-1) && (errno != EEXIST)) {
+ DEBUG(0,("create_local_private_krb5_conf_for_domain: "
+ "failed to create directory %s. Error was %s\n",
+ dname, strerror(errno) ));
+ goto done;
+ }
+
+ tmpname = lock_path(talloc_tos(), "smb_tmp_krb5.XXXXXX");
+ if (!tmpname) {
+ goto done;
+ }
+
+ fname = talloc_asprintf(dname, "%s/krb5.conf.%s", dname, domain);
+ if (!fname) {
+ goto done;
+ }
+
+ DEBUG(10,("create_local_private_krb5_conf_for_domain: fname = %s, realm = %s, domain = %s\n",
+ fname, realm, domain ));
+
+ realm_upper = talloc_strdup(fname, realm);
+ if (!strupper_m(realm_upper)) {
+ goto done;
+ }
+
+ kdc_ip_string = get_kdc_ip_string(dname, realm, sitename, pss);
+ if (!kdc_ip_string) {
+ goto done;
+ }
+
+ enctypes = get_enctypes(fname);
+ if (enctypes == NULL) {
+ goto done;
+ }
+
+#if !defined(SAMBA4_USES_HEIMDAL)
+ if (lp_include_system_krb5_conf()) {
+ include_system_krb5 = "include /etc/krb5.conf";
+ }
+#endif
+
+ /*
+ * We are setting 'dns_lookup_kdc' to true, because we want to lookup
+ * KDCs which are not configured via DNS SRV records, eg. if we do:
+ *
+ * net ads join -Uadmin@otherdomain
+ */
+ file_contents =
+ talloc_asprintf(fname,
+ "[libdefaults]\n"
+ "\tdefault_realm = %s\n"
+ "%s"
+ "\tdns_lookup_realm = false\n"
+ "\tdns_lookup_kdc = true\n\n"
+ "[realms]\n\t%s = {\n"
+ "%s\t}\n"
+ "\t%s = {\n"
+ "%s\t}\n"
+ "%s\n",
+ realm_upper,
+ enctypes,
+ realm_upper,
+ kdc_ip_string,
+ domain,
+ kdc_ip_string,
+ include_system_krb5);
+
+ if (!file_contents) {
+ goto done;
+ }
+
+ flen = strlen(file_contents);
+
+ mask = umask(S_IRWXO | S_IRWXG);
+ fd = mkstemp(tmpname);
+ umask(mask);
+ if (fd == -1) {
+ DBG_ERR("mkstemp failed, for file %s. Errno %s\n",
+ tmpname,
+ strerror(errno));
+ goto done;
+ }
+
+ if (fchmod(fd, 0644)==-1) {
+ DEBUG(0,("create_local_private_krb5_conf_for_domain: fchmod failed for %s."
+ " Errno %s\n",
+ tmpname, strerror(errno) ));
+ unlink(tmpname);
+ close(fd);
+ goto done;
+ }
+
+ ret = write(fd, file_contents, flen);
+ if (flen != ret) {
+ DEBUG(0,("create_local_private_krb5_conf_for_domain: write failed,"
+ " returned %d (should be %u). Errno %s\n",
+ (int)ret, (unsigned int)flen, strerror(errno) ));
+ unlink(tmpname);
+ close(fd);
+ goto done;
+ }
+ if (close(fd)==-1) {
+ DEBUG(0,("create_local_private_krb5_conf_for_domain: close failed."
+ " Errno %s\n", strerror(errno) ));
+ unlink(tmpname);
+ goto done;
+ }
+
+ if (rename(tmpname, fname) == -1) {
+ DEBUG(0,("create_local_private_krb5_conf_for_domain: rename "
+ "of %s to %s failed. Errno %s\n",
+ tmpname, fname, strerror(errno) ));
+ unlink(tmpname);
+ goto done;
+ }
+
+ DBG_INFO("wrote file %s with realm %s KDC list:\n%s\n",
+ fname, realm_upper, kdc_ip_string);
+
+ /* Set the environment variable to this file. */
+ setenv("KRB5_CONFIG", fname, 1);
+
+ result = true;
+
+#if defined(OVERWRITE_SYSTEM_KRB5_CONF)
+
+#define SYSTEM_KRB5_CONF_PATH "/etc/krb5.conf"
+ /* Insanity, sheer insanity..... */
+
+ if (strequal(realm, lp_realm())) {
+ SMB_STRUCT_STAT sbuf;
+
+ if (sys_lstat(SYSTEM_KRB5_CONF_PATH, &sbuf, false) == 0) {
+ if (S_ISLNK(sbuf.st_ex_mode) && sbuf.st_ex_size) {
+ int lret;
+ size_t alloc_size = sbuf.st_ex_size + 1;
+ char *linkpath = talloc_array(talloc_tos(), char,
+ alloc_size);
+ if (!linkpath) {
+ goto done;
+ }
+ lret = readlink(SYSTEM_KRB5_CONF_PATH, linkpath,
+ alloc_size - 1);
+ if (lret == -1) {
+ TALLOC_FREE(linkpath);
+ goto done;
+ }
+ linkpath[lret] = '\0';
+
+ if (strcmp(linkpath, fname) == 0) {
+ /* Symlink already exists. */
+ TALLOC_FREE(linkpath);
+ goto done;
+ }
+ TALLOC_FREE(linkpath);
+ }
+ }
+
+ /* Try and replace with a symlink. */
+ if (symlink(fname, SYSTEM_KRB5_CONF_PATH) == -1) {
+ const char *newpath = SYSTEM_KRB5_CONF_PATH ".saved";
+ if (errno != EEXIST) {
+ DEBUG(0,("create_local_private_krb5_conf_for_domain: symlink "
+ "of %s to %s failed. Errno %s\n",
+ fname, SYSTEM_KRB5_CONF_PATH, strerror(errno) ));
+ goto done; /* Not a fatal error. */
+ }
+
+ /* Yes, this is a race condition... too bad. */
+ if (rename(SYSTEM_KRB5_CONF_PATH, newpath) == -1) {
+ DEBUG(0,("create_local_private_krb5_conf_for_domain: rename "
+ "of %s to %s failed. Errno %s\n",
+ SYSTEM_KRB5_CONF_PATH, newpath,
+ strerror(errno) ));
+ goto done; /* Not a fatal error. */
+ }
+
+ if (symlink(fname, SYSTEM_KRB5_CONF_PATH) == -1) {
+ DEBUG(0,("create_local_private_krb5_conf_for_domain: "
+ "forced symlink of %s to /etc/krb5.conf failed. Errno %s\n",
+ fname, strerror(errno) ));
+ goto done; /* Not a fatal error. */
+ }
+ }
+ }
+#endif
+
+done:
+ TALLOC_FREE(tmpname);
+ TALLOC_FREE(dname);
+
+ return result;
+}
+#endif
diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
new file mode 100644
index 0000000..466211a
--- /dev/null
+++ b/source3/libads/kerberos_keytab.c
@@ -0,0 +1,1026 @@
+/*
+ Unix SMB/CIFS implementation.
+ kerberos keytab utility library
+ Copyright (C) Andrew Tridgell 2001
+ Copyright (C) Remus Koos 2001
+ Copyright (C) Luke Howard 2003
+ Copyright (C) Jim McDonough (jmcd@us.ibm.com) 2003
+ Copyright (C) Guenther Deschner 2003
+ Copyright (C) Rakesh Patel 2004
+ Copyright (C) Dan Perry 2004
+ Copyright (C) Jeremy Allison 2004
+ Copyright (C) Gerald Carter 2006
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "smb_krb5.h"
+#include "ads.h"
+#include "secrets.h"
+
+#ifdef HAVE_KRB5
+
+#ifdef HAVE_ADS
+
+/* This MAX_NAME_LEN is a constant defined in krb5.h */
+#ifndef MAX_KEYTAB_NAME_LEN
+#define MAX_KEYTAB_NAME_LEN 1100
+#endif
+
+static krb5_error_code ads_keytab_open(krb5_context context,
+ krb5_keytab *keytab)
+{
+ char keytab_str[MAX_KEYTAB_NAME_LEN] = {0};
+ const char *keytab_name = NULL;
+ krb5_error_code ret = 0;
+
+ switch (lp_kerberos_method()) {
+ case KERBEROS_VERIFY_SYSTEM_KEYTAB:
+ case KERBEROS_VERIFY_SECRETS_AND_KEYTAB:
+ ret = krb5_kt_default_name(context,
+ keytab_str,
+ sizeof(keytab_str) - 2);
+ if (ret != 0) {
+ DBG_WARNING("Failed to get default keytab name\n");
+ goto out;
+ }
+ keytab_name = keytab_str;
+ break;
+ case KERBEROS_VERIFY_DEDICATED_KEYTAB:
+ keytab_name = lp_dedicated_keytab_file();
+ break;
+ default:
+ DBG_ERR("Invalid kerberos method set (%d)\n",
+ lp_kerberos_method());
+ ret = KRB5_KT_BADNAME;
+ goto out;
+ }
+
+ if (keytab_name == NULL || keytab_name[0] == '\0') {
+ DBG_ERR("Invalid keytab name\n");
+ ret = KRB5_KT_BADNAME;
+ goto out;
+ }
+
+ ret = smb_krb5_kt_open(context, keytab_name, true, keytab);
+ if (ret != 0) {
+ DBG_WARNING("smb_krb5_kt_open failed (%s)\n",
+ error_message(ret));
+ goto out;
+ }
+
+out:
+ return ret;
+}
+
+static bool fill_default_spns(TALLOC_CTX *ctx, const char *machine_name,
+ const char *my_fqdn, const char *spn,
+ const char ***spns)
+{
+ char *psp1, *psp2;
+
+ if (*spns == NULL) {
+ *spns = talloc_zero_array(ctx, const char*, 3);
+ if (*spns == NULL) {
+ return false;
+ }
+ }
+
+ psp1 = talloc_asprintf(ctx,
+ "%s/%s",
+ spn,
+ machine_name);
+ if (psp1 == NULL) {
+ return false;
+ }
+
+ if (!strlower_m(&psp1[strlen(spn) + 1])) {
+ return false;
+ }
+ (*spns)[0] = psp1;
+
+ psp2 = talloc_asprintf(ctx,
+ "%s/%s",
+ spn,
+ my_fqdn);
+ if (psp2 == NULL) {
+ return false;
+ }
+
+ if (!strlower_m(&psp2[strlen(spn) + 1])) {
+ return false;
+ }
+
+ (*spns)[1] = psp2;
+
+ return true;
+}
+
+static bool ads_set_machine_account_spns(TALLOC_CTX *ctx,
+ ADS_STRUCT *ads,
+ const char *service_or_spn,
+ const char *my_fqdn)
+{
+ const char **spn_names = NULL;
+ ADS_STATUS aderr;
+ struct spn_struct* spn_struct = NULL;
+ char *tmp = NULL;
+
+ /* SPN should have '/' */
+ tmp = strchr_m(service_or_spn, '/');
+ if (tmp != NULL) {
+ spn_struct = parse_spn(ctx, service_or_spn);
+ if (spn_struct == NULL) {
+ return false;
+ }
+ }
+
+ DBG_INFO("Attempting to add/update '%s'\n", service_or_spn);
+
+ if (spn_struct != NULL) {
+ spn_names = talloc_zero_array(ctx, const char*, 2);
+ spn_names[0] = service_or_spn;
+ } else {
+ bool ok;
+
+ ok = fill_default_spns(ctx,
+ lp_netbios_name(),
+ my_fqdn,
+ service_or_spn,
+ &spn_names);
+ if (!ok) {
+ return false;
+ }
+ }
+ aderr = ads_add_service_principal_names(ads,
+ lp_netbios_name(),
+ spn_names);
+ if (!ADS_ERR_OK(aderr)) {
+ DBG_WARNING("Failed to add service principal name.\n");
+ return false;
+ }
+
+ return true;
+}
+
+/*
+ * Create kerberos principal(s) from SPN or service name.
+ */
+static bool service_or_spn_to_kerberos_princ(TALLOC_CTX *ctx,
+ const char *service_or_spn,
+ const char *my_fqdn,
+ char **p_princ_s,
+ char **p_short_princ_s)
+{
+ char *princ_s = NULL;
+ char *short_princ_s = NULL;
+ const char *service = service_or_spn;
+ const char *host = my_fqdn;
+ struct spn_struct* spn_struct = NULL;
+ char *tmp = NULL;
+ bool ok = true;
+
+ /* SPN should have '/' */
+ tmp = strchr_m(service_or_spn, '/');
+ if (tmp != NULL) {
+ spn_struct = parse_spn(ctx, service_or_spn);
+ if (spn_struct == NULL) {
+ ok = false;
+ goto out;
+ }
+ }
+ if (spn_struct != NULL) {
+ service = spn_struct->serviceclass;
+ host = spn_struct->host;
+ }
+ princ_s = talloc_asprintf(ctx, "%s/%s@%s",
+ service,
+ host, lp_realm());
+ if (princ_s == NULL) {
+ ok = false;
+ goto out;
+ }
+
+ if (spn_struct == NULL) {
+ short_princ_s = talloc_asprintf(ctx, "%s/%s@%s",
+ service, lp_netbios_name(),
+ lp_realm());
+ if (short_princ_s == NULL) {
+ ok = false;
+ goto out;
+ }
+ }
+ *p_princ_s = princ_s;
+ *p_short_princ_s = short_princ_s;
+out:
+ return ok;
+}
+
+static int add_kt_entry_etypes(krb5_context context, TALLOC_CTX *tmpctx,
+ ADS_STRUCT *ads, const char *salt_princ_s,
+ krb5_keytab keytab, krb5_kvno kvno,
+ const char *srvPrinc, const char *my_fqdn,
+ krb5_data *password, bool update_ads)
+{
+ krb5_error_code ret = 0;
+ char *princ_s = NULL;
+ char *short_princ_s = NULL;
+ krb5_enctype enctypes[4] = {
+ ENCTYPE_AES256_CTS_HMAC_SHA1_96,
+ ENCTYPE_AES128_CTS_HMAC_SHA1_96,
+ ENCTYPE_ARCFOUR_HMAC,
+ 0
+ };
+ size_t i;
+
+ /* Construct our principal */
+ if (strchr_m(srvPrinc, '@')) {
+ /* It's a fully-named principal. */
+ princ_s = talloc_asprintf(tmpctx, "%s", srvPrinc);
+ if (!princ_s) {
+ ret = -1;
+ goto out;
+ }
+ } else if (srvPrinc[strlen(srvPrinc)-1] == '$') {
+ /* It's the machine account, as used by smbclient clients. */
+ princ_s = talloc_asprintf(tmpctx, "%s@%s",
+ srvPrinc, lp_realm());
+ if (!princ_s) {
+ ret = -1;
+ goto out;
+ }
+ } else {
+ /* It's a normal service principal. Add the SPN now so that we
+ * can obtain credentials for it and double-check the salt value
+ * used to generate the service's keys. */
+
+ if (!service_or_spn_to_kerberos_princ(tmpctx,
+ srvPrinc,
+ my_fqdn,
+ &princ_s,
+ &short_princ_s)) {
+ ret = -1;
+ goto out;
+ }
+
+ /* According to http://support.microsoft.com/kb/326985/en-us,
+ certain principal names are automatically mapped to the
+ host/... principal in the AD account.
+ So only create these in the keytab, not in AD. --jerry */
+
+ if (update_ads && !strequal(srvPrinc, "cifs") &&
+ !strequal(srvPrinc, "host")) {
+ if (!ads_set_machine_account_spns(tmpctx,
+ ads,
+ srvPrinc,
+ my_fqdn)) {
+ ret = -1;
+ goto out;
+ }
+ }
+ }
+
+ for (i = 0; enctypes[i]; i++) {
+
+ /* add the fqdn principal to the keytab */
+ ret = smb_krb5_kt_add_entry(context,
+ keytab,
+ kvno,
+ princ_s,
+ salt_princ_s,
+ enctypes[i],
+ password,
+ false); /* no_salt */
+ if (ret) {
+ DBG_WARNING("Failed to add entry to keytab\n");
+ goto out;
+ }
+
+ /* add the short principal name if we have one */
+ if (short_princ_s) {
+ ret = smb_krb5_kt_add_entry(context,
+ keytab,
+ kvno,
+ short_princ_s,
+ salt_princ_s,
+ enctypes[i],
+ password,
+ false); /* no_salt */
+ if (ret) {
+ DBG_WARNING("Failed to add short entry to keytab\n");
+ goto out;
+ }
+ }
+ }
+out:
+ return ret;
+}
+
+/**********************************************************************
+ Adds a single service principal, i.e. 'host' to the system keytab
+***********************************************************************/
+
+int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads)
+{
+ krb5_error_code ret = 0;
+ krb5_context context = NULL;
+ krb5_keytab keytab = NULL;
+ krb5_data password;
+ krb5_kvno kvno;
+ char *salt_princ_s = NULL;
+ char *password_s = NULL;
+ char *my_fqdn;
+ TALLOC_CTX *tmpctx = NULL;
+ char **hostnames_array = NULL;
+ size_t num_hostnames = 0;
+
+ ret = smb_krb5_init_context_common(&context);
+ if (ret) {
+ DBG_ERR("kerberos init context failed (%s)\n",
+ error_message(ret));
+ return -1;
+ }
+
+ ret = ads_keytab_open(context, &keytab);
+ if (ret != 0) {
+ goto out;
+ }
+
+ /* retrieve the password */
+ if (!secrets_init()) {
+ DBG_WARNING("secrets_init failed\n");
+ ret = -1;
+ goto out;
+ }
+ password_s = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
+ if (!password_s) {
+ DBG_WARNING("failed to fetch machine password\n");
+ ret = -1;
+ goto out;
+ }
+ ZERO_STRUCT(password);
+ password.data = password_s;
+ password.length = strlen(password_s);
+
+ /* we need the dNSHostName value here */
+ tmpctx = talloc_init(__location__);
+ if (!tmpctx) {
+ DBG_ERR("talloc_init() failed!\n");
+ ret = -1;
+ goto out;
+ }
+
+ my_fqdn = ads_get_dnshostname(ads, tmpctx, lp_netbios_name());
+ if (!my_fqdn) {
+ DBG_ERR("unable to determine machine account's dns name in "
+ "AD!\n");
+ ret = -1;
+ goto out;
+ }
+
+ /* make sure we have a single instance of the computer account */
+ if (!ads_has_samaccountname(ads, tmpctx, lp_netbios_name())) {
+ DBG_ERR("unable to determine machine account's short name in "
+ "AD!\n");
+ ret = -1;
+ goto out;
+ }
+
+ kvno = (krb5_kvno)ads_get_machine_kvno(ads, lp_netbios_name());
+ if (kvno == -1) {
+ /* -1 indicates failure, everything else is OK */
+ DBG_WARNING("ads_get_machine_kvno failed to determine the "
+ "system's kvno.\n");
+ ret = -1;
+ goto out;
+ }
+
+ salt_princ_s = kerberos_secrets_fetch_salt_princ();
+ if (salt_princ_s == NULL) {
+ DBG_WARNING("kerberos_secrets_fetch_salt_princ() failed\n");
+ ret = -1;
+ goto out;
+ }
+
+ ret = add_kt_entry_etypes(context, tmpctx, ads, salt_princ_s, keytab,
+ kvno, srvPrinc, my_fqdn, &password,
+ update_ads);
+ if (ret != 0) {
+ goto out;
+ }
+
+ if (ADS_ERR_OK(ads_get_additional_dns_hostnames(tmpctx, ads,
+ lp_netbios_name(),
+ &hostnames_array,
+ &num_hostnames))) {
+ size_t i;
+
+ for (i = 0; i < num_hostnames; i++) {
+
+ ret = add_kt_entry_etypes(context, tmpctx, ads,
+ salt_princ_s, keytab,
+ kvno, srvPrinc,
+ hostnames_array[i],
+ &password, update_ads);
+ if (ret != 0) {
+ goto out;
+ }
+ }
+ }
+
+out:
+ SAFE_FREE(salt_princ_s);
+ TALLOC_FREE(tmpctx);
+
+ if (keytab) {
+ krb5_kt_close(context, keytab);
+ }
+ if (context) {
+ krb5_free_context(context);
+ }
+ return (int)ret;
+}
+
+/**********************************************************************
+ Delete a single service principal, i.e. 'host' from the system keytab
+***********************************************************************/
+
+int ads_keytab_delete_entry(ADS_STRUCT *ads, const char *srvPrinc)
+{
+ TALLOC_CTX *frame = talloc_stackframe();
+ krb5_error_code ret = 0;
+ krb5_context context = NULL;
+ krb5_keytab keytab = NULL;
+ char *princ_s = NULL;
+ krb5_principal princ = NULL;
+ char *short_princ_s = NULL;
+ krb5_principal short_princ = NULL;
+ bool ok;
+
+ ret = smb_krb5_init_context_common(&context);
+ if (ret) {
+ DBG_ERR("kerberos init context failed (%s)\n",
+ error_message(ret));
+ goto out;
+ }
+
+ ret = ads_keytab_open(context, &keytab);
+ if (ret != 0) {
+ goto out;
+ }
+
+ /* Construct our principal */
+ if (strchr_m(srvPrinc, '@')) {
+ /* It's a fully-named principal. */
+ princ_s = talloc_asprintf(frame, "%s", srvPrinc);
+ if (!princ_s) {
+ ret = -1;
+ goto out;
+ }
+ } else if (srvPrinc[strlen(srvPrinc)-1] == '$') {
+ /* It's the machine account, as used by smbclient clients. */
+ princ_s = talloc_asprintf(frame, "%s@%s",
+ srvPrinc, lp_realm());
+ if (!princ_s) {
+ ret = -1;
+ goto out;
+ }
+ } else {
+ /*
+ * It's a normal service principal.
+ */
+ char *my_fqdn = NULL;
+ char *tmp = NULL;
+
+ /*
+ * SPN should have '/' otherwise we
+ * need to fallback and find our dnshostname
+ */
+ tmp = strchr_m(srvPrinc, '/');
+ if (tmp == NULL) {
+ my_fqdn = ads_get_dnshostname(ads, frame, lp_netbios_name());
+ if (!my_fqdn) {
+ DBG_ERR("unable to determine machine account's dns name in "
+ "AD!\n");
+ ret = -1;
+ goto out;
+ }
+ }
+
+ ok = service_or_spn_to_kerberos_princ(frame,
+ srvPrinc,
+ my_fqdn,
+ &princ_s,
+ &short_princ_s);
+ if (!ok) {
+ ret = -1;
+ goto out;
+ }
+ }
+
+ ret = smb_krb5_parse_name(context, princ_s, &princ);
+ if (ret) {
+ DEBUG(1, (__location__ ": smb_krb5_parse_name(%s) "
+ "failed (%s)\n", princ_s, error_message(ret)));
+ goto out;
+ }
+
+ if (short_princ_s != NULL) {
+ ret = smb_krb5_parse_name(context, short_princ_s, &short_princ);
+ if (ret) {
+ DEBUG(1, (__location__ ": smb_krb5_parse_name(%s) "
+ "failed (%s)\n", short_princ_s, error_message(ret)));
+ goto out;
+ }
+ }
+
+ /* Seek and delete old keytab entries */
+ ret = smb_krb5_kt_seek_and_delete_old_entries(context,
+ keytab,
+ false, /* keep_old_kvno */
+ -1,
+ false, /* enctype_only */
+ ENCTYPE_NULL,
+ princ_s,
+ princ,
+ false); /* flush */
+ if (ret) {
+ goto out;
+ }
+
+ if (short_princ_s == NULL) {
+ goto out;
+ }
+
+ /* Seek and delete old keytab entries */
+ ret = smb_krb5_kt_seek_and_delete_old_entries(context,
+ keytab,
+ false, /* keep_old_kvno */
+ -1,
+ false, /* enctype_only */
+ ENCTYPE_NULL,
+ short_princ_s,
+ short_princ,
+ false); /* flush */
+ if (ret) {
+ goto out;
+ }
+
+out:
+ if (princ) {
+ krb5_free_principal(context, princ);
+ }
+ if (short_princ) {
+ krb5_free_principal(context, short_princ);
+ }
+ if (keytab) {
+ krb5_kt_close(context, keytab);
+ }
+ if (context) {
+ krb5_free_context(context);
+ }
+ TALLOC_FREE(frame);
+ return ret;
+}
+
+/**********************************************************************
+ Flushes all entries from the system keytab.
+***********************************************************************/
+
+int ads_keytab_flush(ADS_STRUCT *ads)
+{
+ krb5_error_code ret = 0;
+ krb5_context context = NULL;
+ krb5_keytab keytab = NULL;
+ ADS_STATUS aderr;
+
+ ret = smb_krb5_init_context_common(&context);
+ if (ret) {
+ DBG_ERR("kerberos init context failed (%s)\n",
+ error_message(ret));
+ return ret;
+ }
+
+ ret = ads_keytab_open(context, &keytab);
+ if (ret != 0) {
+ goto out;
+ }
+
+ /* Seek and delete all old keytab entries */
+ ret = smb_krb5_kt_seek_and_delete_old_entries(context,
+ keytab,
+ false, /* keep_old_kvno */
+ -1,
+ false, /* enctype_only */
+ ENCTYPE_NULL,
+ NULL,
+ NULL,
+ true); /* flush */
+ if (ret) {
+ goto out;
+ }
+
+ aderr = ads_clear_service_principal_names(ads, lp_netbios_name());
+ if (!ADS_ERR_OK(aderr)) {
+ DEBUG(1, (__location__ ": Error while clearing service "
+ "principal listings in LDAP.\n"));
+ ret = -1;
+ goto out;
+ }
+
+out:
+ if (keytab) {
+ krb5_kt_close(context, keytab);
+ }
+ if (context) {
+ krb5_free_context(context);
+ }
+ return ret;
+}
+
+/**********************************************************************
+ Adds all the required service principals to the system keytab.
+***********************************************************************/
+
+int ads_keytab_create_default(ADS_STRUCT *ads)
+{
+ krb5_error_code ret = 0;
+ krb5_context context = NULL;
+ krb5_keytab keytab = NULL;
+ krb5_kt_cursor cursor = {0};
+ krb5_keytab_entry kt_entry = {0};
+ krb5_kvno kvno;
+ size_t found = 0;
+ char *sam_account_name, *upn;
+ char **oldEntries = NULL, *princ_s[26];
+ TALLOC_CTX *frame;
+ char *machine_name;
+ char **spn_array;
+ size_t num_spns;
+ size_t i;
+ bool ok = false;
+ ADS_STATUS status;
+
+ ZERO_STRUCT(kt_entry);
+ ZERO_STRUCT(cursor);
+
+ frame = talloc_stackframe();
+ if (frame == NULL) {
+ ret = -1;
+ goto done;
+ }
+
+ status = ads_get_service_principal_names(frame,
+ ads,
+ lp_netbios_name(),
+ &spn_array,
+ &num_spns);
+ if (!ADS_ERR_OK(status)) {
+ ret = -1;
+ goto done;
+ }
+
+ for (i = 0; i < num_spns; i++) {
+ char *srv_princ;
+ char *p;
+
+ srv_princ = strlower_talloc(frame, spn_array[i]);
+ if (srv_princ == NULL) {
+ ret = -1;
+ goto done;
+ }
+
+ p = strchr_m(srv_princ, '/');
+ if (p == NULL) {
+ continue;
+ }
+ p[0] = '\0';
+
+ /* Add the SPNs found on the DC */
+ ret = ads_keytab_add_entry(ads, srv_princ, false);
+ if (ret != 0) {
+ DEBUG(1, ("ads_keytab_add_entry failed while "
+ "adding '%s' principal.\n",
+ spn_array[i]));
+ goto done;
+ }
+ }
+
+#if 0 /* don't create the CIFS/... keytab entries since no one except smbd
+ really needs them and we will fall back to verifying against
+ secrets.tdb */
+
+ ret = ads_keytab_add_entry(ads, "cifs", false));
+ if (ret != 0 ) {
+ DEBUG(1, (__location__ ": ads_keytab_add_entry failed while "
+ "adding 'cifs'.\n"));
+ return ret;
+ }
+#endif
+
+ memset(princ_s, '\0', sizeof(princ_s));
+
+ ret = smb_krb5_init_context_common(&context);
+ if (ret) {
+ DBG_ERR("kerberos init context failed (%s)\n",
+ error_message(ret));
+ goto done;
+ }
+
+ machine_name = talloc_strdup(frame, lp_netbios_name());
+ if (!machine_name) {
+ ret = -1;
+ goto done;
+ }
+
+ /* now add the userPrincipalName and sAMAccountName entries */
+ ok = ads_has_samaccountname(ads, frame, machine_name);
+ if (!ok) {
+ DEBUG(0, (__location__ ": unable to determine machine "
+ "account's name in AD!\n"));
+ ret = -1;
+ goto done;
+ }
+
+ /*
+ * append '$' to netbios name so 'ads_keytab_add_entry' recognises
+ * it as a machine account rather than a service or Windows SPN.
+ */
+ sam_account_name = talloc_asprintf(frame, "%s$",machine_name);
+ if (sam_account_name == NULL) {
+ ret = -1;
+ goto done;
+ }
+ /* upper case the sAMAccountName to make it easier for apps to
+ know what case to use in the keytab file */
+ if (!strupper_m(sam_account_name)) {
+ ret = -1;
+ goto done;
+ }
+
+ ret = ads_keytab_add_entry(ads, sam_account_name, false);
+ if (ret != 0) {
+ DEBUG(1, (__location__ ": ads_keytab_add_entry() failed "
+ "while adding sAMAccountName (%s)\n",
+ sam_account_name));
+ goto done;
+ }
+
+ /* remember that not every machine account will have a upn */
+ upn = ads_get_upn(ads, frame, machine_name);
+ if (upn) {
+ ret = ads_keytab_add_entry(ads, upn, false);
+ if (ret != 0) {
+ DEBUG(1, (__location__ ": ads_keytab_add_entry() "
+ "failed while adding UPN (%s)\n", upn));
+ goto done;
+ }
+ }
+
+ /* Now loop through the keytab and update any other existing entries */
+ kvno = (krb5_kvno)ads_get_machine_kvno(ads, machine_name);
+ if (kvno == (krb5_kvno)-1) {
+ DEBUG(1, (__location__ ": ads_get_machine_kvno() failed to "
+ "determine the system's kvno.\n"));
+ goto done;
+ }
+
+ DEBUG(3, (__location__ ": Searching for keytab entries to preserve "
+ "and update.\n"));
+
+ ret = ads_keytab_open(context, &keytab);
+ if (ret != 0) {
+ goto done;
+ }
+
+ ret = krb5_kt_start_seq_get(context, keytab, &cursor);
+ if (ret != KRB5_KT_END && ret != ENOENT ) {
+ while ((ret = krb5_kt_next_entry(context, keytab,
+ &kt_entry, &cursor)) == 0) {
+ smb_krb5_kt_free_entry(context, &kt_entry);
+ ZERO_STRUCT(kt_entry);
+ found++;
+ }
+ }
+ krb5_kt_end_seq_get(context, keytab, &cursor);
+ ZERO_STRUCT(cursor);
+
+ /*
+ * Hmmm. There is no "rewind" function for the keytab. This means we
+ * have a race condition where someone else could add entries after
+ * we've counted them. Re-open asap to minimise the race. JRA.
+ */
+ DEBUG(3, (__location__ ": Found %zd entries in the keytab.\n", found));
+ if (!found) {
+ goto done;
+ }
+
+ oldEntries = talloc_zero_array(frame, char *, found + 1);
+ if (!oldEntries) {
+ DEBUG(1, (__location__ ": Failed to allocate space to store "
+ "the old keytab entries (talloc failed?).\n"));
+ ret = -1;
+ goto done;
+ }
+
+ ret = krb5_kt_start_seq_get(context, keytab, &cursor);
+ if (ret == KRB5_KT_END || ret == ENOENT) {
+ krb5_kt_end_seq_get(context, keytab, &cursor);
+ ZERO_STRUCT(cursor);
+ goto done;
+ }
+
+ while (krb5_kt_next_entry(context, keytab, &kt_entry, &cursor) == 0) {
+ if (kt_entry.vno != kvno) {
+ char *ktprinc = NULL;
+ char *p;
+
+ /* This returns a malloc'ed string in ktprinc. */
+ ret = smb_krb5_unparse_name(oldEntries, context,
+ kt_entry.principal,
+ &ktprinc);
+ if (ret) {
+ DEBUG(1, (__location__
+ ": smb_krb5_unparse_name failed "
+ "(%s)\n", error_message(ret)));
+ goto done;
+ }
+ /*
+ * From looking at the krb5 source they don't seem to
+ * take locale or mb strings into account.
+ * Maybe this is because they assume utf8 ?
+ * In this case we may need to convert from utf8 to
+ * mb charset here ? JRA.
+ */
+ p = strchr_m(ktprinc, '@');
+ if (p) {
+ *p = '\0';
+ }
+
+ p = strchr_m(ktprinc, '/');
+ if (p) {
+ *p = '\0';
+ }
+ for (i = 0; i < found; i++) {
+ if (!oldEntries[i]) {
+ oldEntries[i] = ktprinc;
+ break;
+ }
+ if (!strcmp(oldEntries[i], ktprinc)) {
+ TALLOC_FREE(ktprinc);
+ break;
+ }
+ }
+ if (i == found) {
+ TALLOC_FREE(ktprinc);
+ }
+ }
+ smb_krb5_kt_free_entry(context, &kt_entry);
+ ZERO_STRUCT(kt_entry);
+ }
+ krb5_kt_end_seq_get(context, keytab, &cursor);
+ ZERO_STRUCT(cursor);
+
+ ret = 0;
+ for (i = 0; oldEntries[i]; i++) {
+ ret |= ads_keytab_add_entry(ads, oldEntries[i], false);
+ TALLOC_FREE(oldEntries[i]);
+ }
+
+done:
+ TALLOC_FREE(oldEntries);
+ TALLOC_FREE(frame);
+
+ if (context) {
+ if (!all_zero((uint8_t *)&kt_entry, sizeof(kt_entry))) {
+ smb_krb5_kt_free_entry(context, &kt_entry);
+ }
+ if (!all_zero((uint8_t *)&cursor, sizeof(cursor)) && keytab) {
+ krb5_kt_end_seq_get(context, keytab, &cursor);
+ }
+ if (keytab) {
+ krb5_kt_close(context, keytab);
+ }
+ krb5_free_context(context);
+ }
+ return ret;
+}
+
+#endif /* HAVE_ADS */
+
+/**********************************************************************
+ List system keytab.
+***********************************************************************/
+
+int ads_keytab_list(const char *keytab_name)
+{
+ krb5_error_code ret = 0;
+ krb5_context context = NULL;
+ krb5_keytab keytab = NULL;
+ krb5_kt_cursor cursor;
+ krb5_keytab_entry kt_entry;
+
+ ZERO_STRUCT(kt_entry);
+ ZERO_STRUCT(cursor);
+
+ ret = smb_krb5_init_context_common(&context);
+ if (ret) {
+ DBG_ERR("kerberos init context failed (%s)\n",
+ error_message(ret));
+ return ret;
+ }
+
+ if (keytab_name == NULL) {
+#ifdef HAVE_ADS
+ ret = ads_keytab_open(context, &keytab);
+#else
+ ret = ENOENT;
+#endif
+ } else {
+ ret = smb_krb5_kt_open(context, keytab_name, False, &keytab);
+ }
+ if (ret) {
+ DEBUG(1, ("smb_krb5_kt_open failed (%s)\n",
+ error_message(ret)));
+ goto out;
+ }
+
+ ret = krb5_kt_start_seq_get(context, keytab, &cursor);
+ if (ret) {
+ ZERO_STRUCT(cursor);
+ goto out;
+ }
+
+ printf("Vno Type Principal\n");
+
+ while (krb5_kt_next_entry(context, keytab, &kt_entry, &cursor) == 0) {
+
+ char *princ_s = NULL;
+ char *etype_s = NULL;
+ krb5_enctype enctype = 0;
+
+ ret = smb_krb5_unparse_name(talloc_tos(), context,
+ kt_entry.principal, &princ_s);
+ if (ret) {
+ goto out;
+ }
+
+ enctype = smb_krb5_kt_get_enctype_from_entry(&kt_entry);
+
+ ret = smb_krb5_enctype_to_string(context, enctype, &etype_s);
+ if (ret &&
+ (asprintf(&etype_s, "UNKNOWN: %d", enctype) == -1)) {
+ TALLOC_FREE(princ_s);
+ goto out;
+ }
+
+ printf("%3d %-43s %s\n", kt_entry.vno, etype_s, princ_s);
+
+ TALLOC_FREE(princ_s);
+ SAFE_FREE(etype_s);
+
+ ret = smb_krb5_kt_free_entry(context, &kt_entry);
+ if (ret) {
+ goto out;
+ }
+ }
+
+ ret = krb5_kt_end_seq_get(context, keytab, &cursor);
+ if (ret) {
+ goto out;
+ }
+
+ /* Ensure we don't double free. */
+ ZERO_STRUCT(kt_entry);
+ ZERO_STRUCT(cursor);
+out:
+
+ if (!all_zero((uint8_t *)&kt_entry, sizeof(kt_entry))) {
+ smb_krb5_kt_free_entry(context, &kt_entry);
+ }
+ if (!all_zero((uint8_t *)&cursor, sizeof(cursor)) && keytab) {
+ krb5_kt_end_seq_get(context, keytab, &cursor);
+ }
+
+ if (keytab) {
+ krb5_kt_close(context, keytab);
+ }
+ if (context) {
+ krb5_free_context(context);
+ }
+ return ret;
+}
+
+#endif /* HAVE_KRB5 */
diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h
new file mode 100644
index 0000000..8073812
--- /dev/null
+++ b/source3/libads/kerberos_proto.h
@@ -0,0 +1,104 @@
+/*
+ * Unix SMB/CIFS implementation.
+ * kerberos utility library
+ *
+ * Copyright (C) Andrew Tridgell 2001
+ * Copyright (C) Remus Koos (remuskoos@yahoo.com) 2001
+ * Copyright (C) Luke Howard 2002-2003
+ * Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003
+ * Copyright (C) Guenther Deschner 2003-2008
+ * Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
+ * Copyright (C) Jeremy Allison 2004,2007
+ * Copyright (C) Stefan Metzmacher 2004-2005
+ * Copyright (C) Nalin Dahyabhai <nalin@redhat.com> 2004
+ * Copyright (C) Gerald Carter 2006
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef _LIBADS_KERBEROS_PROTO_H_
+#define _LIBADS_KERBEROS_PROTO_H_
+
+#include "system/kerberos.h"
+
+struct PAC_DATA_CTR;
+
+#define DEFAULT_KRB5_PORT 88
+
+#include "libads/ads_status.h"
+
+/* The following definitions come from libads/kerberos.c */
+
+int kerberos_kinit_password_ext(const char *given_principal,
+ const char *password,
+ int time_offset,
+ time_t *expire_time,
+ time_t *renew_till_time,
+ const char *cache_name,
+ bool request_pac,
+ bool add_netbios_addr,
+ time_t renewable_time,
+ TALLOC_CTX *mem_ctx,
+ char **_canon_principal,
+ char **_canon_realm,
+ NTSTATUS *ntstatus);
+int ads_kdestroy(const char *cc_name);
+
+int kerberos_kinit_password(const char *principal,
+ const char *password,
+ int time_offset,
+ const char *cache_name);
+bool create_local_private_krb5_conf_for_domain(const char *realm,
+ const char *domain,
+ const char *sitename,
+ const struct sockaddr_storage *pss);
+
+/* The following definitions come from libads/authdata.c */
+
+NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
+ const char *name,
+ const char *pass,
+ time_t time_offset,
+ time_t *expire_time,
+ time_t *renew_till_time,
+ const char *cache_name,
+ bool request_pac,
+ bool add_netbios_addr,
+ time_t renewable_time,
+ const char *impersonate_princ_s,
+ const char *local_service,
+ char **_canon_principal,
+ char **_canon_realm,
+ struct PAC_DATA_CTR **pac_data_ctr);
+
+/* The following definitions come from libads/krb5_setpw.c */
+
+ADS_STATUS ads_krb5_set_password(const char *kdc_host, const char *princ,
+ const char *newpw, int time_offset);
+ADS_STATUS kerberos_set_password(const char *kpasswd_server,
+ const char *auth_principal, const char *auth_password,
+ const char *target_principal, const char *new_password,
+ int time_offset);
+
+#ifdef HAVE_KRB5
+int create_kerberos_key_from_string(krb5_context context,
+ krb5_principal host_princ,
+ krb5_principal salt_princ,
+ krb5_data *password,
+ krb5_keyblock *key,
+ krb5_enctype enctype,
+ bool no_salt);
+#endif
+
+#endif /* _LIBADS_KERBEROS_PROTO_H_ */
diff --git a/source3/libads/kerberos_util.c b/source3/libads/kerberos_util.c
new file mode 100644
index 0000000..bfe5382
--- /dev/null
+++ b/source3/libads/kerberos_util.c
@@ -0,0 +1,80 @@
+/*
+ Unix SMB/CIFS implementation.
+ krb5 set password implementation
+ Copyright (C) Andrew Tridgell 2001
+ Copyright (C) Remus Koos 2001 (remuskoos@yahoo.com)
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "smb_krb5.h"
+#include "ads.h"
+#include "lib/param/loadparm.h"
+
+#ifdef HAVE_KRB5
+
+/* run kinit to setup our ccache */
+int ads_kinit_password(ADS_STRUCT *ads)
+{
+ char *s;
+ int ret;
+ const char *account_name;
+ fstring acct_name;
+
+ if (ads->auth.password == NULL || ads->auth.password[0] == '\0') {
+ return KRB5_LIBOS_CANTREADPWD;
+ }
+
+ if (ads->auth.flags & ADS_AUTH_USER_CREDS) {
+ account_name = ads->auth.user_name;
+ goto got_accountname;
+ }
+
+ if ( IS_DC ) {
+ /* this will end up getting a ticket for DOMAIN@RUSTED.REA.LM */
+ account_name = lp_workgroup();
+ } else {
+ /* always use the sAMAccountName for security = domain */
+ /* lp_netbios_name()$@REA.LM */
+ if ( lp_security() == SEC_DOMAIN ) {
+ fstr_sprintf( acct_name, "%s$", lp_netbios_name() );
+ account_name = acct_name;
+ }
+ else
+ /* This looks like host/lp_netbios_name()@REA.LM */
+ account_name = ads->auth.user_name;
+ }
+
+ got_accountname:
+ if (asprintf(&s, "%s@%s", account_name, ads->auth.realm) == -1) {
+ return KRB5_CC_NOMEM;
+ }
+
+ ret = kerberos_kinit_password_ext(s, ads->auth.password,
+ ads->auth.time_offset,
+ &ads->auth.tgt_expire, NULL,
+ ads->auth.ccache_name, false, false,
+ ads->auth.renewable,
+ NULL, NULL, NULL, NULL);
+
+ if (ret) {
+ DEBUG(0,("kerberos_kinit_password %s failed: %s\n",
+ s, error_message(ret)));
+ }
+ SAFE_FREE(s);
+ return ret;
+}
+
+#endif
diff --git a/source3/libads/krb5_setpw.c b/source3/libads/krb5_setpw.c
new file mode 100644
index 0000000..dda8857
--- /dev/null
+++ b/source3/libads/krb5_setpw.c
@@ -0,0 +1,329 @@
+/*
+ Unix SMB/CIFS implementation.
+ krb5 set password implementation
+ Copyright (C) Andrew Tridgell 2001
+ Copyright (C) Remus Koos 2001 (remuskoos@yahoo.com)
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "smb_krb5.h"
+#include "libads/kerberos_proto.h"
+#include "../lib/util/asn1.h"
+
+#ifdef HAVE_KRB5
+
+/* Those are defined by kerberos-set-passwd-02.txt and are probably
+ * not supported by M$ implementation */
+#define KRB5_KPASSWD_POLICY_REJECT 8
+#define KRB5_KPASSWD_BAD_PRINCIPAL 9
+#define KRB5_KPASSWD_ETYPE_NOSUPP 10
+
+/*
+ * we've got to be able to distinguish KRB_ERRORs from other
+ * requests - valid response for CHPW v2 replies.
+ */
+
+static krb5_error_code kpasswd_err_to_krb5_err(krb5_error_code res_code)
+{
+ switch (res_code) {
+ case KRB5_KPASSWD_ACCESSDENIED:
+ return KRB5KDC_ERR_BADOPTION;
+ case KRB5_KPASSWD_INITIAL_FLAG_NEEDED:
+ return KRB5KDC_ERR_BADOPTION;
+ /* return KV5M_ALT_METHOD; MIT-only define */
+ case KRB5_KPASSWD_ETYPE_NOSUPP:
+ return KRB5KDC_ERR_ETYPE_NOSUPP;
+ case KRB5_KPASSWD_BAD_PRINCIPAL:
+ return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
+ case KRB5_KPASSWD_POLICY_REJECT:
+ case KRB5_KPASSWD_SOFTERROR:
+ return KRB5KDC_ERR_POLICY;
+ default:
+ return KRB5KRB_ERR_GENERIC;
+ }
+}
+
+ADS_STATUS ads_krb5_set_password(const char *kdc_host, const char *principal,
+ const char *newpw, int time_offset)
+{
+
+ ADS_STATUS aret;
+ krb5_error_code ret = 0;
+ krb5_context context = NULL;
+ krb5_principal princ = NULL;
+ krb5_ccache ccache = NULL;
+ int result_code;
+ krb5_data result_code_string = { 0 };
+ krb5_data result_string = { 0 };
+
+ ret = smb_krb5_init_context_common(&context);
+ if (ret) {
+ DBG_ERR("kerberos init context failed (%s)\n",
+ error_message(ret));
+ return ADS_ERROR_KRB5(ret);
+ }
+
+ if (principal) {
+ ret = smb_krb5_parse_name(context, principal, &princ);
+ if (ret) {
+ krb5_free_context(context);
+ DEBUG(1, ("Failed to parse %s (%s)\n", principal,
+ error_message(ret)));
+ return ADS_ERROR_KRB5(ret);
+ }
+ }
+
+ if (time_offset != 0) {
+ krb5_set_real_time(context, time(NULL) + time_offset, 0);
+ }
+
+ ret = krb5_cc_default(context, &ccache);
+ if (ret) {
+ krb5_free_principal(context, princ);
+ krb5_free_context(context);
+ DEBUG(1,("Failed to get default creds (%s)\n", error_message(ret)));
+ return ADS_ERROR_KRB5(ret);
+ }
+
+ ret = krb5_set_password_using_ccache(context,
+ ccache,
+ discard_const_p(char, newpw),
+ princ,
+ &result_code,
+ &result_code_string,
+ &result_string);
+ if (ret) {
+ DEBUG(1, ("krb5_set_password failed (%s)\n", error_message(ret)));
+ aret = ADS_ERROR_KRB5(ret);
+ goto done;
+ }
+
+ if (result_code != KRB5_KPASSWD_SUCCESS) {
+ ret = kpasswd_err_to_krb5_err(result_code);
+ DEBUG(1, ("krb5_set_password failed (%s)\n", error_message(ret)));
+ aret = ADS_ERROR_KRB5(ret);
+ goto done;
+ }
+
+ aret = ADS_SUCCESS;
+
+ done:
+ smb_krb5_free_data_contents(context, &result_code_string);
+ smb_krb5_free_data_contents(context, &result_string);
+ krb5_free_principal(context, princ);
+ krb5_cc_close(context, ccache);
+ krb5_free_context(context);
+
+ return aret;
+}
+
+/*
+ we use a prompter to avoid a crash bug in the kerberos libs when
+ dealing with empty passwords
+ this prompter is just a string copy ...
+*/
+static krb5_error_code
+kerb_prompter(krb5_context ctx, void *data,
+ const char *name,
+ const char *banner,
+ int num_prompts,
+ krb5_prompt prompts[])
+{
+ if (num_prompts == 0) return 0;
+
+ memset(prompts[0].reply->data, 0, prompts[0].reply->length);
+ if (prompts[0].reply->length > 0) {
+ if (data) {
+ strncpy((char *)prompts[0].reply->data,
+ (const char *)data,
+ prompts[0].reply->length-1);
+ prompts[0].reply->length = strlen((const char *)prompts[0].reply->data);
+ } else {
+ prompts[0].reply->length = 0;
+ }
+ }
+ return 0;
+}
+
+static ADS_STATUS ads_krb5_chg_password(const char *kdc_host,
+ const char *principal,
+ const char *oldpw,
+ const char *newpw,
+ int time_offset)
+{
+ ADS_STATUS aret;
+ krb5_error_code ret;
+ krb5_context context = NULL;
+ krb5_principal princ;
+ krb5_get_init_creds_opt *opts = NULL;
+ krb5_creds creds;
+ char *chpw_princ = NULL, *password;
+ char *realm = NULL;
+ int result_code;
+ krb5_data result_code_string = { 0 };
+ krb5_data result_string = { 0 };
+ smb_krb5_addresses *addr = NULL;
+
+ ret = smb_krb5_init_context_common(&context);
+ if (ret) {
+ DBG_ERR("kerberos init context failed (%s)\n",
+ error_message(ret));
+ return ADS_ERROR_KRB5(ret);
+ }
+
+ if ((ret = smb_krb5_parse_name(context, principal, &princ))) {
+ krb5_free_context(context);
+ DEBUG(1,("Failed to parse %s (%s)\n", principal, error_message(ret)));
+ return ADS_ERROR_KRB5(ret);
+ }
+
+ ret = krb5_get_init_creds_opt_alloc(context, &opts);
+ if (ret != 0) {
+ krb5_free_context(context);
+ DBG_WARNING("krb5_get_init_creds_opt_alloc failed: %s\n",
+ error_message(ret));
+ return ADS_ERROR_KRB5(ret);
+ }
+
+ krb5_get_init_creds_opt_set_tkt_life(opts, 5 * 60);
+ krb5_get_init_creds_opt_set_renew_life(opts, 0);
+ krb5_get_init_creds_opt_set_forwardable(opts, 0);
+ krb5_get_init_creds_opt_set_proxiable(opts, 0);
+#ifdef SAMBA4_USES_HEIMDAL
+ krb5_get_init_creds_opt_set_win2k(context, opts, true);
+ krb5_get_init_creds_opt_set_canonicalize(context, opts, true);
+#else /* MIT */
+#if 0
+ /*
+ * FIXME
+ *
+ * Due to an upstream MIT Kerberos bug, this feature is not
+ * not working. Affection versions (2019-10-09): <= 1.17
+ *
+ * Reproducer:
+ * kinit -C aDmInIsTrAtOr@ACME.COM -S kadmin/changepw@ACME.COM
+ *
+ * This is NOT a problem if the service is a krbtgt.
+ *
+ * https://bugzilla.samba.org/show_bug.cgi?id=14155
+ */
+ krb5_get_init_creds_opt_set_canonicalize(opts, true);
+#endif
+#endif /* MIT */
+
+ /* note that heimdal will fill in the local addresses if the addresses
+ * in the creds_init_opt are all empty and then later fail with invalid
+ * address, sending our local netbios krb5 address - just like windows
+ * - avoids this - gd */
+ ret = smb_krb5_gen_netbios_krb5_address(&addr, lp_netbios_name());
+ if (ret) {
+ krb5_free_principal(context, princ);
+ krb5_get_init_creds_opt_free(context, opts);
+ krb5_free_context(context);
+ return ADS_ERROR_KRB5(ret);
+ }
+ krb5_get_init_creds_opt_set_address_list(opts, addr->addrs);
+
+ realm = smb_krb5_principal_get_realm(NULL, context, princ);
+
+ /* We have to obtain an INITIAL changepw ticket for changing password */
+ if (asprintf(&chpw_princ, "kadmin/changepw@%s", realm) == -1) {
+ krb5_free_principal(context, princ);
+ krb5_get_init_creds_opt_free(context, opts);
+ smb_krb5_free_addresses(context, addr);
+ krb5_free_context(context);
+ TALLOC_FREE(realm);
+ DEBUG(1, ("ads_krb5_chg_password: asprintf fail\n"));
+ return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
+ }
+
+ TALLOC_FREE(realm);
+ password = SMB_STRDUP(oldpw);
+ ret = krb5_get_init_creds_password(context, &creds, princ, password,
+ kerb_prompter, NULL,
+ 0, chpw_princ, opts);
+ krb5_get_init_creds_opt_free(context, opts);
+ smb_krb5_free_addresses(context, addr);
+ SAFE_FREE(chpw_princ);
+ SAFE_FREE(password);
+
+ if (ret) {
+ if (ret == KRB5KRB_AP_ERR_BAD_INTEGRITY) {
+ DEBUG(1,("Password incorrect while getting initial ticket\n"));
+ } else {
+ DEBUG(1,("krb5_get_init_creds_password failed (%s)\n", error_message(ret)));
+ }
+ krb5_free_principal(context, princ);
+ krb5_free_context(context);
+ return ADS_ERROR_KRB5(ret);
+ }
+
+ ret = krb5_set_password(context,
+ &creds,
+ discard_const_p(char, newpw),
+ NULL,
+ &result_code,
+ &result_code_string,
+ &result_string);
+
+ if (ret) {
+ DEBUG(1, ("krb5_change_password failed (%s)\n", error_message(ret)));
+ aret = ADS_ERROR_KRB5(ret);
+ goto done;
+ }
+
+ if (result_code != KRB5_KPASSWD_SUCCESS) {
+ ret = kpasswd_err_to_krb5_err(result_code);
+ DEBUG(1, ("krb5_change_password failed (%s)\n", error_message(ret)));
+ aret = ADS_ERROR_KRB5(ret);
+ goto done;
+ }
+
+ aret = ADS_SUCCESS;
+
+ done:
+ smb_krb5_free_data_contents(context, &result_code_string);
+ smb_krb5_free_data_contents(context, &result_string);
+ krb5_free_principal(context, princ);
+ krb5_free_context(context);
+
+ return aret;
+}
+
+ADS_STATUS kerberos_set_password(const char *kpasswd_server,
+ const char *auth_principal,
+ const char *auth_password,
+ const char *target_principal,
+ const char *new_password, int time_offset)
+{
+ int ret;
+
+ if ((ret = kerberos_kinit_password(auth_principal, auth_password, time_offset, NULL))) {
+ DEBUG(1,("Failed kinit for principal %s (%s)\n", auth_principal, error_message(ret)));
+ return ADS_ERROR_KRB5(ret);
+ }
+
+ if (!strcmp(auth_principal, target_principal)) {
+ return ads_krb5_chg_password(kpasswd_server, target_principal,
+ auth_password, new_password,
+ time_offset);
+ } else {
+ return ads_krb5_set_password(kpasswd_server, target_principal,
+ new_password, time_offset);
+ }
+}
+
+#endif
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
new file mode 100644
index 0000000..b5139e5
--- /dev/null
+++ b/source3/libads/ldap.c
@@ -0,0 +1,4684 @@
+/*
+ Unix SMB/CIFS implementation.
+ ads (active directory) utility library
+ Copyright (C) Andrew Tridgell 2001
+ Copyright (C) Remus Koos 2001
+ Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002
+ Copyright (C) Guenther Deschner 2005
+ Copyright (C) Gerald Carter 2006
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "ads.h"
+#include "libads/sitename_cache.h"
+#include "libads/cldap.h"
+#include "../lib/tsocket/tsocket.h"
+#include "../lib/addns/dnsquery.h"
+#include "../libds/common/flags.h"
+#include "smbldap.h"
+#include "../libcli/security/security.h"
+#include "../librpc/gen_ndr/netlogon.h"
+#include "lib/param/loadparm.h"
+#include "libsmb/namequery.h"
+#include "../librpc/gen_ndr/ndr_ads.h"
+
+#ifdef HAVE_LDAP
+
+/**
+ * @file ldap.c
+ * @brief basic ldap client-side routines for ads server communications
+ *
+ * The routines contained here should do the necessary ldap calls for
+ * ads setups.
+ *
+ * Important note: attribute names passed into ads_ routines must
+ * already be in UTF-8 format. We do not convert them because in almost
+ * all cases, they are just ascii (which is represented with the same
+ * codepoints in UTF-8). This may have to change at some point
+ **/
+
+
+#define LDAP_SERVER_TREE_DELETE_OID "1.2.840.113556.1.4.805"
+
+static SIG_ATOMIC_T gotalarm;
+
+/***************************************************************
+ Signal function to tell us we timed out.
+****************************************************************/
+
+static void gotalarm_sig(int signum)
+{
+ gotalarm = 1;
+}
+
+ LDAP *ldap_open_with_timeout(const char *server,
+ struct sockaddr_storage *ss,
+ int port, unsigned int to)
+{
+ LDAP *ldp = NULL;
+ int ldap_err;
+ char *uri;
+
+ DEBUG(10, ("Opening connection to LDAP server '%s:%d', timeout "
+ "%u seconds\n", server, port, to));
+
+ if (to) {
+ /* Setup timeout */
+ gotalarm = 0;
+ CatchSignal(SIGALRM, gotalarm_sig);
+ alarm(to);
+ /* End setup timeout. */
+ }
+
+ if ( strchr_m(server, ':') ) {
+ /* IPv6 URI */
+ uri = talloc_asprintf(talloc_tos(), "ldap://[%s]:%u", server, port);
+ } else {
+ /* IPv4 URI */
+ uri = talloc_asprintf(talloc_tos(), "ldap://%s:%u", server, port);
+ }
+ if (uri == NULL) {
+ return NULL;
+ }
+
+#ifdef HAVE_LDAP_INIT_FD
+ {
+ int fd = -1;
+ NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
+ unsigned timeout_ms = 1000 * to;
+
+ status = open_socket_out(ss, port, timeout_ms, &fd);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(3, ("open_socket_out: failed to open socket\n"));
+ return NULL;
+ }
+
+/* define LDAP_PROTO_TCP from openldap.h if required */
+#ifndef LDAP_PROTO_TCP
+#define LDAP_PROTO_TCP 1
+#endif
+ ldap_err = ldap_init_fd(fd, LDAP_PROTO_TCP, uri, &ldp);
+ }
+#elif defined(HAVE_LDAP_INITIALIZE)
+ ldap_err = ldap_initialize(&ldp, uri);
+#else
+ ldp = ldap_open(server, port);
+ if (ldp != NULL) {
+ ldap_err = LDAP_SUCCESS;
+ } else {
+ ldap_err = LDAP_OTHER;
+ }
+#endif
+ if (ldap_err != LDAP_SUCCESS) {
+ DEBUG(2,("Could not initialize connection for LDAP server '%s': %s\n",
+ uri, ldap_err2string(ldap_err)));
+ } else {
+ DEBUG(10, ("Initialized connection for LDAP server '%s'\n", uri));
+ }
+
+ if (to) {
+ /* Teardown timeout. */
+ alarm(0);
+ CatchSignal(SIGALRM, SIG_IGN);
+ }
+
+ return ldp;
+}
+
+static int ldap_search_with_timeout(LDAP *ld,
+ LDAP_CONST char *base,
+ int scope,
+ LDAP_CONST char *filter,
+ char **attrs,
+ int attrsonly,
+ LDAPControl **sctrls,
+ LDAPControl **cctrls,
+ int sizelimit,
+ LDAPMessage **res )
+{
+ int to = lp_ldap_timeout();
+ struct timeval timeout;
+ struct timeval *timeout_ptr = NULL;
+ int result;
+
+ /* Setup timeout for the ldap_search_ext_s call - local and remote. */
+ gotalarm = 0;
+
+ if (to) {
+ timeout.tv_sec = to;
+ timeout.tv_usec = 0;
+ timeout_ptr = &timeout;
+
+ /* Setup alarm timeout. */
+ CatchSignal(SIGALRM, gotalarm_sig);
+ /* Make the alarm time one second beyond
+ the timeout we're setting for the
+ remote search timeout, to allow that
+ to fire in preference. */
+ alarm(to+1);
+ /* End setup timeout. */
+ }
+
+
+ result = ldap_search_ext_s(ld, base, scope, filter, attrs,
+ attrsonly, sctrls, cctrls, timeout_ptr,
+ sizelimit, res);
+
+ if (to) {
+ /* Teardown alarm timeout. */
+ CatchSignal(SIGALRM, SIG_IGN);
+ alarm(0);
+ }
+
+ if (gotalarm != 0)
+ return LDAP_TIMELIMIT_EXCEEDED;
+
+ /*
+ * A bug in OpenLDAP means ldap_search_ext_s can return
+ * LDAP_SUCCESS but with a NULL res pointer. Cope with
+ * this. See bug #6279 for details. JRA.
+ */
+
+ if (*res == NULL) {
+ return LDAP_TIMELIMIT_EXCEEDED;
+ }
+
+ return result;
+}
+
+/**********************************************
+ Do client and server sitename match ?
+**********************************************/
+
+bool ads_sitename_match(ADS_STRUCT *ads)
+{
+ if (ads->config.server_site_name == NULL &&
+ ads->config.client_site_name == NULL ) {
+ DEBUG(10,("ads_sitename_match: both null\n"));
+ return True;
+ }
+ if (ads->config.server_site_name &&
+ ads->config.client_site_name &&
+ strequal(ads->config.server_site_name,
+ ads->config.client_site_name)) {
+ DEBUG(10,("ads_sitename_match: name %s match\n", ads->config.server_site_name));
+ return True;
+ }
+ DEBUG(10,("ads_sitename_match: no match between server: %s and client: %s\n",
+ ads->config.server_site_name ? ads->config.server_site_name : "NULL",
+ ads->config.client_site_name ? ads->config.client_site_name : "NULL"));
+ return False;
+}
+
+/**********************************************
+ Is this the closest DC ?
+**********************************************/
+
+bool ads_closest_dc(ADS_STRUCT *ads)
+{
+ if (ads->config.flags & NBT_SERVER_CLOSEST) {
+ DEBUG(10,("ads_closest_dc: NBT_SERVER_CLOSEST flag set\n"));
+ return True;
+ }
+
+ /* not sure if this can ever happen */
+ if (ads_sitename_match(ads)) {
+ DEBUG(10,("ads_closest_dc: NBT_SERVER_CLOSEST flag not set but sites match\n"));
+ return True;
+ }
+
+ if (ads->config.client_site_name == NULL) {
+ DEBUG(10,("ads_closest_dc: client belongs to no site\n"));
+ return True;
+ }
+
+ DEBUG(10,("ads_closest_dc: %s is not the closest DC\n",
+ ads->config.ldap_server_name));
+
+ return False;
+}
+
+static bool ads_fill_cldap_reply(ADS_STRUCT *ads,
+ bool gc,
+ const struct sockaddr_storage *ss,
+ const struct NETLOGON_SAM_LOGON_RESPONSE_EX *cldap_reply)
+{
+ TALLOC_CTX *frame = talloc_stackframe();
+ bool ret = false;
+ char addr[INET6_ADDRSTRLEN];
+ ADS_STATUS status;
+ char *dn;
+
+ print_sockaddr(addr, sizeof(addr), ss);
+
+ /* Check the CLDAP reply flags */
+
+ if (!(cldap_reply->server_type & NBT_SERVER_LDAP)) {
+ DBG_WARNING("%s's CLDAP reply says it is not an LDAP server!\n",
+ addr);
+ ret = false;
+ goto out;
+ }
+
+ /* Fill in the ads->config values */
+
+ ADS_TALLOC_CONST_FREE(ads->config.realm);
+ ADS_TALLOC_CONST_FREE(ads->config.bind_path);
+ ADS_TALLOC_CONST_FREE(ads->config.ldap_server_name);
+ ADS_TALLOC_CONST_FREE(ads->config.server_site_name);
+ ADS_TALLOC_CONST_FREE(ads->config.client_site_name);
+ ADS_TALLOC_CONST_FREE(ads->server.workgroup);
+
+ if (!check_cldap_reply_required_flags(cldap_reply->server_type,
+ ads->config.flags)) {
+ ret = false;
+ goto out;
+ }
+
+ ads->config.ldap_server_name = talloc_strdup(ads,
+ cldap_reply->pdc_dns_name);
+ if (ads->config.ldap_server_name == NULL) {
+ DBG_WARNING("Out of memory\n");
+ ret = false;
+ goto out;
+ }
+
+ ads->config.realm = talloc_asprintf_strupper_m(ads,
+ "%s",
+ cldap_reply->dns_domain);
+ if (ads->config.realm == NULL) {
+ DBG_WARNING("Out of memory\n");
+ ret = false;
+ goto out;
+ }
+
+ status = ads_build_dn(ads->config.realm, ads, &dn);
+ if (!ADS_ERR_OK(status)) {
+ DBG_DEBUG("Failed to build bind path: %s\n",
+ ads_errstr(status));
+ ret = false;
+ goto out;
+ }
+ ads->config.bind_path = dn;
+
+ if (*cldap_reply->server_site) {
+ ads->config.server_site_name =
+ talloc_strdup(ads, cldap_reply->server_site);
+ if (ads->config.server_site_name == NULL) {
+ DBG_WARNING("Out of memory\n");
+ ret = false;
+ goto out;
+ }
+ }
+
+ if (*cldap_reply->client_site) {
+ ads->config.client_site_name =
+ talloc_strdup(ads, cldap_reply->client_site);
+ if (ads->config.client_site_name == NULL) {
+ DBG_WARNING("Out of memory\n");
+ ret = false;
+ goto out;
+ }
+ }
+
+ ads->server.workgroup = talloc_strdup(ads, cldap_reply->domain_name);
+ if (ads->server.workgroup == NULL) {
+ DBG_WARNING("Out of memory\n");
+ ret = false;
+ goto out;
+ }
+
+ ads->ldap.port = gc ? LDAP_GC_PORT : LDAP_PORT;
+ ads->ldap.ss = *ss;
+
+ /* Store our site name. */
+ sitename_store(cldap_reply->domain_name, cldap_reply->client_site);
+ sitename_store(cldap_reply->dns_domain, cldap_reply->client_site);
+
+ /* Leave this until last so that the flags are not clobbered */
+ ads->config.flags = cldap_reply->server_type;
+
+ ret = true;
+
+ out:
+
+ TALLOC_FREE(frame);
+ return ret;
+}
+
+/*
+ try a connection to a given ldap server, returning True and setting the servers IP
+ in the ads struct if successful
+ */
+static bool ads_try_connect(ADS_STRUCT *ads, bool gc,
+ struct sockaddr_storage *ss)
+{
+ struct NETLOGON_SAM_LOGON_RESPONSE_EX cldap_reply = {};
+ TALLOC_CTX *frame = talloc_stackframe();
+ bool ok;
+ char addr[INET6_ADDRSTRLEN] = { 0, };
+
+ if (ss == NULL) {
+ TALLOC_FREE(frame);
+ return false;
+ }
+
+ print_sockaddr(addr, sizeof(addr), ss);
+
+ DBG_INFO("ads_try_connect: sending CLDAP request to %s (realm: %s)\n",
+ addr, ads->server.realm);
+
+ ok = ads_cldap_netlogon_5(frame, ss, ads->server.realm, &cldap_reply);
+ if (!ok) {
+ DBG_NOTICE("ads_cldap_netlogon_5(%s, %s) failed.\n",
+ addr, ads->server.realm);
+ TALLOC_FREE(frame);
+ return false;
+ }
+
+ ok = ads_fill_cldap_reply(ads, gc, ss, &cldap_reply);
+ if (!ok) {
+ DBG_NOTICE("ads_fill_cldap_reply(%s, %s) failed.\n",
+ addr, ads->server.realm);
+ TALLOC_FREE(frame);
+ return false;
+ }
+
+ TALLOC_FREE(frame);
+ return true;
+}
+
+/**********************************************************************
+ send a cldap ping to list of servers, one at a time, until one of
+ them answers it's an ldap server. Record success in the ADS_STRUCT.
+ Take note of and update negative connection cache.
+**********************************************************************/
+
+static NTSTATUS cldap_ping_list(ADS_STRUCT *ads,
+ const char *domain,
+ struct samba_sockaddr *sa_list,
+ size_t count)
+{
+ TALLOC_CTX *frame = talloc_stackframe();
+ struct timeval endtime = timeval_current_ofs(MAX(3,lp_ldap_timeout()/2), 0);
+ uint32_t nt_version = NETLOGON_NT_VERSION_5 | NETLOGON_NT_VERSION_5EX;
+ struct tsocket_address **ts_list = NULL;
+ const struct tsocket_address * const *ts_list_const = NULL;
+ struct samba_sockaddr **req_sa_list = NULL;
+ struct netlogon_samlogon_response **responses = NULL;
+ size_t num_requests = 0;
+ NTSTATUS status;
+ size_t i;
+ bool ok = false;
+ bool retry;
+
+ ts_list = talloc_zero_array(frame,
+ struct tsocket_address *,
+ count);
+ if (ts_list == NULL) {
+ TALLOC_FREE(frame);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ req_sa_list = talloc_zero_array(frame,
+ struct samba_sockaddr *,
+ count);
+ if (req_sa_list == NULL) {
+ TALLOC_FREE(frame);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+again:
+ /*
+ * The retry loop is bound by the timeout
+ */
+ retry = false;
+ num_requests = 0;
+
+ for (i = 0; i < count; i++) {
+ char server[INET6_ADDRSTRLEN];
+ int ret;
+
+ if (is_zero_addr(&sa_list[i].u.ss)) {
+ continue;
+ }
+
+ print_sockaddr(server, sizeof(server), &sa_list[i].u.ss);
+
+ status = check_negative_conn_cache(domain, server);
+ if (!NT_STATUS_IS_OK(status)) {
+ continue;
+ }
+
+ ret = tsocket_address_inet_from_strings(ts_list, "ip",
+ server, LDAP_PORT,
+ &ts_list[num_requests]);
+ if (ret != 0) {
+ status = map_nt_error_from_unix(errno);
+ DBG_WARNING("Failed to create tsocket_address for %s - %s\n",
+ server, nt_errstr(status));
+ TALLOC_FREE(frame);
+ return status;
+ }
+
+ req_sa_list[num_requests] = &sa_list[i];
+ num_requests += 1;
+ }
+
+ DBG_DEBUG("Try to create %zu netlogon connections for domain '%s' "
+ "(provided count of addresses was %zu).\n",
+ num_requests,
+ domain,
+ count);
+
+ if (num_requests == 0) {
+ status = NT_STATUS_NO_LOGON_SERVERS;
+ DBG_WARNING("domain[%s] num_requests[%zu] for count[%zu] - %s\n",
+ domain, num_requests, count, nt_errstr(status));
+ TALLOC_FREE(frame);
+ return status;
+ }
+
+ ts_list_const = (const struct tsocket_address * const *)ts_list;
+
+ status = cldap_multi_netlogon(frame,
+ ts_list_const, num_requests,
+ ads->server.realm, NULL,
+ nt_version,
+ 1, endtime, &responses);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_WARNING("cldap_multi_netlogon(realm=%s, num_requests=%zu) "
+ "for count[%zu] - %s\n",
+ ads->server.realm,
+ num_requests, count,
+ nt_errstr(status));
+ TALLOC_FREE(frame);
+ return NT_STATUS_NO_LOGON_SERVERS;
+ }
+
+ for (i = 0; i < num_requests; i++) {
+ struct NETLOGON_SAM_LOGON_RESPONSE_EX *cldap_reply = NULL;
+ char server[INET6_ADDRSTRLEN];
+
+ if (responses[i] == NULL) {
+ continue;
+ }
+
+ print_sockaddr(server, sizeof(server), &req_sa_list[i]->u.ss);
+
+ if (responses[i]->ntver != NETLOGON_NT_VERSION_5EX) {
+ DBG_NOTICE("realm=[%s] nt_version mismatch: 0x%08x for %s\n",
+ ads->server.realm,
+ responses[i]->ntver, server);
+ continue;
+ }
+
+ cldap_reply = &responses[i]->data.nt5_ex;
+
+ /* Returns ok only if it matches the correct server type */
+ ok = ads_fill_cldap_reply(ads,
+ false,
+ &req_sa_list[i]->u.ss,
+ cldap_reply);
+ if (ok) {
+ DBG_DEBUG("realm[%s]: selected %s => %s\n",
+ ads->server.realm,
+ server, cldap_reply->pdc_dns_name);
+ if (CHECK_DEBUGLVL(DBGLVL_DEBUG)) {
+ NDR_PRINT_DEBUG(NETLOGON_SAM_LOGON_RESPONSE_EX,
+ cldap_reply);
+ }
+ TALLOC_FREE(frame);
+ return NT_STATUS_OK;
+ }
+
+ DBG_NOTICE("realm[%s] server %s %s - not usable\n",
+ ads->server.realm,
+ server, cldap_reply->pdc_dns_name);
+ if (CHECK_DEBUGLVL(DBGLVL_NOTICE)) {
+ NDR_PRINT_DEBUG(NETLOGON_SAM_LOGON_RESPONSE_EX,
+ cldap_reply);
+ }
+ add_failed_connection_entry(domain, server,
+ NT_STATUS_CLIENT_SERVER_PARAMETERS_INVALID);
+ retry = true;
+ }
+
+ if (retry) {
+ bool expired;
+
+ expired = timeval_expired(&endtime);
+ if (!expired) {
+ goto again;
+ }
+ }
+
+ /* keep track of failures as all were not suitable */
+ for (i = 0; i < num_requests; i++) {
+ char server[INET6_ADDRSTRLEN];
+
+ print_sockaddr(server, sizeof(server), &req_sa_list[i]->u.ss);
+
+ add_failed_connection_entry(domain, server,
+ NT_STATUS_UNSUCCESSFUL);
+ }
+
+ status = NT_STATUS_NO_LOGON_SERVERS;
+ DBG_WARNING("realm[%s] no valid response "
+ "num_requests[%zu] for count[%zu] - %s\n",
+ ads->server.realm,
+ num_requests, count, nt_errstr(status));
+ TALLOC_FREE(frame);
+ return NT_STATUS_NO_LOGON_SERVERS;
+}
+
+/***************************************************************************
+ resolve a name and perform an "ldap ping" using NetBIOS and related methods
+****************************************************************************/
+
+static NTSTATUS resolve_and_ping_netbios(ADS_STRUCT *ads,
+ const char *domain, const char *realm)
+{
+ size_t i;
+ size_t count = 0;
+ struct samba_sockaddr *sa_list = NULL;
+ NTSTATUS status;
+
+ DEBUG(6, ("resolve_and_ping_netbios: (cldap) looking for domain '%s'\n",
+ domain));
+
+ status = get_sorted_dc_list(talloc_tos(),
+ domain,
+ NULL,
+ &sa_list,
+ &count,
+ false);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ /* remove servers which are known to be dead based on
+ the corresponding DNS method */
+ if (*realm) {
+ for (i = 0; i < count; ++i) {
+ char server[INET6_ADDRSTRLEN];
+
+ print_sockaddr(server, sizeof(server), &sa_list[i].u.ss);
+
+ if(!NT_STATUS_IS_OK(
+ check_negative_conn_cache(realm, server))) {
+ /* Ensure we add the workgroup name for this
+ IP address as negative too. */
+ add_failed_connection_entry(
+ domain, server,
+ NT_STATUS_UNSUCCESSFUL);
+ }
+ }
+ }
+
+ status = cldap_ping_list(ads, domain, sa_list, count);
+
+ TALLOC_FREE(sa_list);
+
+ return status;
+}
+
+
+/**********************************************************************
+ resolve a name and perform an "ldap ping" using DNS
+**********************************************************************/
+
+static NTSTATUS resolve_and_ping_dns(ADS_STRUCT *ads, const char *sitename,
+ const char *realm)
+{
+ size_t count = 0;
+ struct samba_sockaddr *sa_list = NULL;
+ NTSTATUS status;
+
+ DEBUG(6, ("resolve_and_ping_dns: (cldap) looking for realm '%s'\n",
+ realm));
+
+ status = get_sorted_dc_list(talloc_tos(),
+ realm,
+ sitename,
+ &sa_list,
+ &count,
+ true);
+ if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(sa_list);
+ return status;
+ }
+
+ status = cldap_ping_list(ads, realm, sa_list, count);
+
+ TALLOC_FREE(sa_list);
+
+ return status;
+}
+
+/**********************************************************************
+ Try to find an AD dc using our internal name resolution routines
+ Try the realm first and then the workgroup name if netbios is not
+ disabled
+**********************************************************************/
+
+static NTSTATUS ads_find_dc(ADS_STRUCT *ads)
+{
+ const char *c_domain = "";
+ const char *c_realm;
+ bool use_own_domain = False;
+ char *sitename = NULL;
+ NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
+ bool ok = false;
+
+ /* if the realm and workgroup are both empty, assume they are ours */
+
+ /* realm */
+ c_realm = ads->server.realm;
+
+ if (c_realm == NULL)
+ c_realm = "";
+
+ if (!*c_realm) {
+ /* special case where no realm and no workgroup means our own */
+ if ( !ads->server.workgroup || !*ads->server.workgroup ) {
+ use_own_domain = True;
+ c_realm = lp_realm();
+ }
+ }
+
+ if (!lp_disable_netbios()) {
+ if (use_own_domain) {
+ c_domain = lp_workgroup();
+ } else {
+ c_domain = ads->server.workgroup;
+ if (!*c_realm && (!c_domain || !*c_domain)) {
+ c_domain = lp_workgroup();
+ }
+ }
+
+ if (!c_domain) {
+ c_domain = "";
+ }
+ }
+
+ if (!*c_realm && !*c_domain) {
+ DEBUG(0, ("ads_find_dc: no realm or workgroup! Don't know "
+ "what to do\n"));
+ return NT_STATUS_INVALID_PARAMETER; /* rather need MISSING_PARAMETER ... */
+ }
+
+ /*
+ * In case of LDAP we use get_dc_name() as that
+ * creates the custom krb5.conf file
+ */
+ if (!(ads->auth.flags & ADS_AUTH_NO_BIND)) {
+ fstring srv_name;
+ struct sockaddr_storage ip_out;
+
+ DEBUG(6, ("ads_find_dc: (ldap) looking for realm '%s'"
+ " and falling back to domain '%s'\n",
+ c_realm, c_domain));
+
+ ok = get_dc_name(c_domain, c_realm, srv_name, &ip_out);
+ if (ok) {
+ if (is_zero_addr(&ip_out)) {
+ return NT_STATUS_NO_LOGON_SERVERS;
+ }
+
+ /*
+ * we call ads_try_connect() to fill in the
+ * ads->config details
+ */
+ ok = ads_try_connect(ads, false, &ip_out);
+ if (ok) {
+ return NT_STATUS_OK;
+ }
+ }
+
+ return NT_STATUS_NO_LOGON_SERVERS;
+ }
+
+ if (*c_realm) {
+ sitename = sitename_fetch(talloc_tos(), c_realm);
+ status = resolve_and_ping_dns(ads, sitename, c_realm);
+
+ if (NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(sitename);
+ return status;
+ }
+
+ /* In case we failed to contact one of our closest DC on our
+ * site we
+ * need to try to find another DC, retry with a site-less SRV
+ * DNS query
+ * - Guenther */
+
+ if (sitename) {
+ DEBUG(3, ("ads_find_dc: failed to find a valid DC on "
+ "our site (%s), Trying to find another DC "
+ "for realm '%s' (domain '%s')\n",
+ sitename, c_realm, c_domain));
+ namecache_delete(c_realm, 0x1C);
+ status =
+ resolve_and_ping_dns(ads, NULL, c_realm);
+
+ if (NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(sitename);
+ return status;
+ }
+ }
+
+ TALLOC_FREE(sitename);
+ }
+
+ /* try netbios as fallback - if permitted,
+ or if configuration specifically requests it */
+ if (*c_domain) {
+ if (*c_realm) {
+ DEBUG(3, ("ads_find_dc: falling back to netbios "
+ "name resolution for domain '%s' (realm '%s')\n",
+ c_domain, c_realm));
+ }
+
+ status = resolve_and_ping_netbios(ads, c_domain, c_realm);
+ if (NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ }
+
+ DEBUG(1, ("ads_find_dc: "
+ "name resolution for realm '%s' (domain '%s') failed: %s\n",
+ c_realm, c_domain, nt_errstr(status)));
+ return status;
+}
+/**
+ * Connect to the LDAP server
+ * @param ads Pointer to an existing ADS_STRUCT
+ * @return status of connection
+ **/
+ADS_STATUS ads_connect(ADS_STRUCT *ads)
+{
+ int version = LDAP_VERSION3;
+ ADS_STATUS status;
+ NTSTATUS ntstatus;
+ char addr[INET6_ADDRSTRLEN];
+ struct sockaddr_storage existing_ss;
+
+ zero_sockaddr(&existing_ss);
+
+ /*
+ * ads_connect can be passed in a reused ADS_STRUCT
+ * with an existing non-zero ads->ldap.ss IP address
+ * that was stored by going through ads_find_dc()
+ * if ads->server.ldap_server was NULL.
+ *
+ * If ads->server.ldap_server is still NULL but
+ * the target address isn't the zero address, then
+ * store that address off off before zeroing out
+ * ads->ldap so we don't keep doing multiple calls
+ * to ads_find_dc() in the reuse case.
+ *
+ * If a caller wants a clean ADS_STRUCT they
+ * will TALLOC_FREE it and allocate a new one
+ * by calling ads_init(), which ensures
+ * ads->ldap.ss is a properly zero'ed out valid IP
+ * address.
+ */
+ if (ads->server.ldap_server == NULL && !is_zero_addr(&ads->ldap.ss)) {
+ /* Save off the address we previously found by ads_find_dc(). */
+ existing_ss = ads->ldap.ss;
+ }
+
+ ads_zero_ldap(ads);
+ ZERO_STRUCT(ads->ldap_wrap_data);
+ ads->ldap.last_attempt = time_mono(NULL);
+ ads->ldap_wrap_data.wrap_type = ADS_SASLWRAP_TYPE_PLAIN;
+
+ /* try with a user specified server */
+
+ if (DEBUGLEVEL >= 11) {
+ char *s = NDR_PRINT_STRUCT_STRING(talloc_tos(), ads_struct, ads);
+ DEBUG(11,("ads_connect: entering\n"));
+ DEBUGADD(11,("%s\n", s));
+ TALLOC_FREE(s);
+ }
+
+ if (ads->server.ldap_server) {
+ bool ok = false;
+ struct sockaddr_storage ss;
+
+ DBG_DEBUG("Resolving name of LDAP server '%s'.\n",
+ ads->server.ldap_server);
+ ok = resolve_name(ads->server.ldap_server, &ss, 0x20, true);
+ if (!ok) {
+ DEBUG(5,("ads_connect: unable to resolve name %s\n",
+ ads->server.ldap_server));
+ status = ADS_ERROR_NT(NT_STATUS_NOT_FOUND);
+ goto out;
+ }
+
+ if (is_zero_addr(&ss)) {
+ status = ADS_ERROR_NT(NT_STATUS_NOT_FOUND);
+ goto out;
+ }
+
+ ok = ads_try_connect(ads, ads->server.gc, &ss);
+ if (ok) {
+ goto got_connection;
+ }
+
+ /* The choice of which GC use is handled one level up in
+ ads_connect_gc(). If we continue on from here with
+ ads_find_dc() we will get GC searches on port 389 which
+ doesn't work. --jerry */
+
+ if (ads->server.gc == true) {
+ return ADS_ERROR(LDAP_OPERATIONS_ERROR);
+ }
+
+ if (ads->server.no_fallback) {
+ status = ADS_ERROR_NT(NT_STATUS_NOT_FOUND);
+ goto out;
+ }
+ }
+
+ if (!is_zero_addr(&existing_ss)) {
+ /* We saved off who we should talk to. */
+ bool ok = ads_try_connect(ads,
+ ads->server.gc,
+ &existing_ss);
+ if (ok) {
+ goto got_connection;
+ }
+ /*
+ * Keep trying to find a server and fall through
+ * into ads_find_dc() again.
+ */
+ DBG_DEBUG("Failed to connect to DC via LDAP server IP address, "
+ "trying to find another DC.\n");
+ }
+
+ ntstatus = ads_find_dc(ads);
+ if (NT_STATUS_IS_OK(ntstatus)) {
+ goto got_connection;
+ }
+
+ status = ADS_ERROR_NT(ntstatus);
+ goto out;
+
+got_connection:
+
+ print_sockaddr(addr, sizeof(addr), &ads->ldap.ss);
+ DEBUG(3,("Successfully contacted LDAP server %s\n", addr));
+
+ if (!ads->auth.user_name) {
+ /* Must use the userPrincipalName value here or sAMAccountName
+ and not servicePrincipalName; found by Guenther Deschner */
+ ads->auth.user_name = talloc_asprintf(ads,
+ "%s$",
+ lp_netbios_name());
+ if (ads->auth.user_name == NULL) {
+ DBG_ERR("talloc_asprintf failed\n");
+ status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
+ goto out;
+ }
+ }
+
+ if (ads->auth.realm == NULL) {
+ ads->auth.realm = talloc_strdup(ads, ads->config.realm);
+ if (ads->auth.realm == NULL) {
+ status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
+ goto out;
+ }
+ }
+
+ if (!ads->auth.kdc_server) {
+ print_sockaddr(addr, sizeof(addr), &ads->ldap.ss);
+ ads->auth.kdc_server = talloc_strdup(ads, addr);
+ if (ads->auth.kdc_server == NULL) {
+ status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
+ goto out;
+ }
+ }
+
+ /* If the caller() requested no LDAP bind, then we are done */
+
+ if (ads->auth.flags & ADS_AUTH_NO_BIND) {
+ status = ADS_SUCCESS;
+ goto out;
+ }
+
+ ads->ldap_wrap_data.mem_ctx = talloc_init("ads LDAP connection memory");
+ if (!ads->ldap_wrap_data.mem_ctx) {
+ status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
+ goto out;
+ }
+
+ /* Otherwise setup the TCP LDAP session */
+
+ ads->ldap.ld = ldap_open_with_timeout(ads->config.ldap_server_name,
+ &ads->ldap.ss,
+ ads->ldap.port, lp_ldap_timeout());
+ if (ads->ldap.ld == NULL) {
+ status = ADS_ERROR(LDAP_OPERATIONS_ERROR);
+ goto out;
+ }
+ DEBUG(3,("Connected to LDAP server %s\n", ads->config.ldap_server_name));
+
+ /* cache the successful connection for workgroup and realm */
+ if (ads_closest_dc(ads)) {
+ saf_store( ads->server.workgroup, ads->config.ldap_server_name);
+ saf_store( ads->server.realm, ads->config.ldap_server_name);
+ }
+
+ ldap_set_option(ads->ldap.ld, LDAP_OPT_PROTOCOL_VERSION, &version);
+
+ /* fill in the current time and offsets */
+
+ status = ads_current_time( ads );
+ if ( !ADS_ERR_OK(status) ) {
+ goto out;
+ }
+
+ /* Now do the bind */
+
+ if (ads->auth.flags & ADS_AUTH_ANON_BIND) {
+ status = ADS_ERROR(ldap_simple_bind_s(ads->ldap.ld, NULL, NULL));
+ goto out;
+ }
+
+ if (ads->auth.flags & ADS_AUTH_SIMPLE_BIND) {
+ status = ADS_ERROR(ldap_simple_bind_s(ads->ldap.ld, ads->auth.user_name, ads->auth.password));
+ goto out;
+ }
+
+ status = ads_sasl_bind(ads);
+
+ out:
+ if (DEBUGLEVEL >= 11) {
+ char *s = NDR_PRINT_STRUCT_STRING(talloc_tos(), ads_struct, ads);
+ DEBUG(11,("ads_connect: leaving with: %s\n",
+ ads_errstr(status)));
+ DEBUGADD(11,("%s\n", s));
+ TALLOC_FREE(s);
+ }
+
+ return status;
+}
+
+/**
+ * Connect to the LDAP server using given credentials
+ * @param ads Pointer to an existing ADS_STRUCT
+ * @return status of connection
+ **/
+ADS_STATUS ads_connect_user_creds(ADS_STRUCT *ads)
+{
+ ads->auth.flags |= ADS_AUTH_USER_CREDS;
+
+ return ads_connect(ads);
+}
+
+/**
+ * Zero out the internal ads->ldap struct and initialize the address to zero IP.
+ * @param ads Pointer to an existing ADS_STRUCT
+ *
+ * Sets the ads->ldap.ss to a valid
+ * zero ip address that can be detected by
+ * our is_zero_addr() function. Otherwise
+ * it is left as AF_UNSPEC (0).
+ **/
+void ads_zero_ldap(ADS_STRUCT *ads)
+{
+ ZERO_STRUCT(ads->ldap);
+ /*
+ * Initialize the sockaddr_storage so we can use
+ * sockaddr test functions against it.
+ */
+ zero_sockaddr(&ads->ldap.ss);
+}
+
+/**
+ * Disconnect the LDAP server
+ * @param ads Pointer to an existing ADS_STRUCT
+ **/
+void ads_disconnect(ADS_STRUCT *ads)
+{
+ if (ads->ldap.ld) {
+ ldap_unbind(ads->ldap.ld);
+ ads->ldap.ld = NULL;
+ }
+ if (ads->ldap_wrap_data.wrap_ops &&
+ ads->ldap_wrap_data.wrap_ops->disconnect) {
+ ads->ldap_wrap_data.wrap_ops->disconnect(&ads->ldap_wrap_data);
+ }
+ if (ads->ldap_wrap_data.mem_ctx) {
+ talloc_free(ads->ldap_wrap_data.mem_ctx);
+ }
+ ads_zero_ldap(ads);
+ ZERO_STRUCT(ads->ldap_wrap_data);
+}
+
+/*
+ Duplicate a struct berval into talloc'ed memory
+ */
+static struct berval *dup_berval(TALLOC_CTX *ctx, const struct berval *in_val)
+{
+ struct berval *value;
+
+ if (!in_val) return NULL;
+
+ value = talloc_zero(ctx, struct berval);
+ if (value == NULL)
+ return NULL;
+ if (in_val->bv_len == 0) return value;
+
+ value->bv_len = in_val->bv_len;
+ value->bv_val = (char *)talloc_memdup(ctx, in_val->bv_val,
+ in_val->bv_len);
+ return value;
+}
+
+/*
+ Make a values list out of an array of (struct berval *)
+ */
+static struct berval **ads_dup_values(TALLOC_CTX *ctx,
+ const struct berval **in_vals)
+{
+ struct berval **values;
+ int i;
+
+ if (!in_vals) return NULL;
+ for (i=0; in_vals[i]; i++)
+ ; /* count values */
+ values = talloc_zero_array(ctx, struct berval *, i+1);
+ if (!values) return NULL;
+
+ for (i=0; in_vals[i]; i++) {
+ values[i] = dup_berval(ctx, in_vals[i]);
+ }
+ return values;
+}
+
+/*
+ UTF8-encode a values list out of an array of (char *)
+ */
+static char **ads_push_strvals(TALLOC_CTX *ctx, const char **in_vals)
+{
+ char **values;
+ int i;
+ size_t size;
+
+ if (!in_vals) return NULL;
+ for (i=0; in_vals[i]; i++)
+ ; /* count values */
+ values = talloc_zero_array(ctx, char *, i+1);
+ if (!values) return NULL;
+
+ for (i=0; in_vals[i]; i++) {
+ if (!push_utf8_talloc(ctx, &values[i], in_vals[i], &size)) {
+ TALLOC_FREE(values);
+ return NULL;
+ }
+ }
+ return values;
+}
+
+/*
+ Pull a (char *) array out of a UTF8-encoded values list
+ */
+static char **ads_pull_strvals(TALLOC_CTX *ctx, const char **in_vals)
+{
+ char **values;
+ int i;
+ size_t converted_size;
+
+ if (!in_vals) return NULL;
+ for (i=0; in_vals[i]; i++)
+ ; /* count values */
+ values = talloc_zero_array(ctx, char *, i+1);
+ if (!values) return NULL;
+
+ for (i=0; in_vals[i]; i++) {
+ if (!pull_utf8_talloc(ctx, &values[i], in_vals[i],
+ &converted_size)) {
+ DEBUG(0,("ads_pull_strvals: pull_utf8_talloc failed: "
+ "%s\n", strerror(errno)));
+ }
+ }
+ return values;
+}
+
+/**
+ * Do a search with paged results. cookie must be null on the first
+ * call, and then returned on each subsequent call. It will be null
+ * again when the entire search is complete
+ * @param ads connection to ads server
+ * @param bind_path Base dn for the search
+ * @param scope Scope of search (LDAP_SCOPE_BASE | LDAP_SCOPE_ONE | LDAP_SCOPE_SUBTREE)
+ * @param expr Search expression - specified in local charset
+ * @param attrs Attributes to retrieve - specified in utf8 or ascii
+ * @param res ** which will contain results - free res* with ads_msgfree()
+ * @param count Number of entries retrieved on this page
+ * @param cookie The paged results cookie to be returned on subsequent calls
+ * @return status of search
+ **/
+static ADS_STATUS ads_do_paged_search_args(ADS_STRUCT *ads,
+ const char *bind_path,
+ int scope, const char *expr,
+ const char **attrs, void *args,
+ LDAPMessage **res,
+ int *count, struct berval **cookie)
+{
+ int rc, i, version;
+ char *utf8_expr, *utf8_path, **search_attrs = NULL;
+ size_t converted_size;
+ LDAPControl PagedResults, NoReferrals, ExternalCtrl, *controls[4], **rcontrols;
+ BerElement *cookie_be = NULL;
+ struct berval *cookie_bv= NULL;
+ BerElement *ext_be = NULL;
+ struct berval *ext_bv= NULL;
+
+ TALLOC_CTX *ctx;
+ ads_control *external_control = (ads_control *) args;
+
+ *res = NULL;
+
+ if (!(ctx = talloc_init("ads_do_paged_search_args")))
+ return ADS_ERROR(LDAP_NO_MEMORY);
+
+ /* 0 means the conversion worked but the result was empty
+ so we only fail if it's -1. In any case, it always
+ at least nulls out the dest */
+ if (!push_utf8_talloc(ctx, &utf8_expr, expr, &converted_size) ||
+ !push_utf8_talloc(ctx, &utf8_path, bind_path, &converted_size))
+ {
+ rc = LDAP_NO_MEMORY;
+ goto done;
+ }
+
+ if (!attrs || !(*attrs))
+ search_attrs = NULL;
+ else {
+ /* This would be the utf8-encoded version...*/
+ /* if (!(search_attrs = ads_push_strvals(ctx, attrs))) */
+ if (!(search_attrs = str_list_copy(talloc_tos(), attrs))) {
+ rc = LDAP_NO_MEMORY;
+ goto done;
+ }
+ }
+
+ /* Paged results only available on ldap v3 or later */
+ ldap_get_option(ads->ldap.ld, LDAP_OPT_PROTOCOL_VERSION, &version);
+ if (version < LDAP_VERSION3) {
+ rc = LDAP_NOT_SUPPORTED;
+ goto done;
+ }
+
+ cookie_be = ber_alloc_t(LBER_USE_DER);
+ if (*cookie) {
+ ber_printf(cookie_be, "{iO}", (ber_int_t) ads->config.ldap_page_size, *cookie);
+ ber_bvfree(*cookie); /* don't need it from last time */
+ *cookie = NULL;
+ } else {
+ ber_printf(cookie_be, "{io}", (ber_int_t) ads->config.ldap_page_size, "", 0);
+ }
+ ber_flatten(cookie_be, &cookie_bv);
+ PagedResults.ldctl_oid = discard_const_p(char, ADS_PAGE_CTL_OID);
+ PagedResults.ldctl_iscritical = (char) 1;
+ PagedResults.ldctl_value.bv_len = cookie_bv->bv_len;
+ PagedResults.ldctl_value.bv_val = cookie_bv->bv_val;
+
+ NoReferrals.ldctl_oid = discard_const_p(char, ADS_NO_REFERRALS_OID);
+ NoReferrals.ldctl_iscritical = (char) 0;
+ NoReferrals.ldctl_value.bv_len = 0;
+ NoReferrals.ldctl_value.bv_val = discard_const_p(char, "");
+
+ if (external_control &&
+ (strequal(external_control->control, ADS_EXTENDED_DN_OID) ||
+ strequal(external_control->control, ADS_SD_FLAGS_OID))) {
+
+ ExternalCtrl.ldctl_oid = discard_const_p(char, external_control->control);
+ ExternalCtrl.ldctl_iscritical = (char) external_control->critical;
+
+ /* win2k does not accept a ldctl_value being passed in */
+
+ if (external_control->val != 0) {
+
+ if ((ext_be = ber_alloc_t(LBER_USE_DER)) == NULL ) {
+ rc = LDAP_NO_MEMORY;
+ goto done;
+ }
+
+ if ((ber_printf(ext_be, "{i}", (ber_int_t) external_control->val)) == -1) {
+ rc = LDAP_NO_MEMORY;
+ goto done;
+ }
+ if ((ber_flatten(ext_be, &ext_bv)) == -1) {
+ rc = LDAP_NO_MEMORY;
+ goto done;
+ }
+
+ ExternalCtrl.ldctl_value.bv_len = ext_bv->bv_len;
+ ExternalCtrl.ldctl_value.bv_val = ext_bv->bv_val;
+
+ } else {
+ ExternalCtrl.ldctl_value.bv_len = 0;
+ ExternalCtrl.ldctl_value.bv_val = NULL;
+ }
+
+ controls[0] = &NoReferrals;
+ controls[1] = &PagedResults;
+ controls[2] = &ExternalCtrl;
+ controls[3] = NULL;
+
+ } else {
+ controls[0] = &NoReferrals;
+ controls[1] = &PagedResults;
+ controls[2] = NULL;
+ }
+
+ /* we need to disable referrals as the openldap libs don't
+ handle them and paged results at the same time. Using them
+ together results in the result record containing the server
+ page control being removed from the result list (tridge/jmcd)
+
+ leaving this in despite the control that says don't generate
+ referrals, in case the server doesn't support it (jmcd)
+ */
+ ldap_set_option(ads->ldap.ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF);
+
+ rc = ldap_search_with_timeout(ads->ldap.ld, utf8_path, scope, utf8_expr,
+ search_attrs, 0, controls,
+ NULL, LDAP_NO_LIMIT,
+ (LDAPMessage **)res);
+
+ ber_free(cookie_be, 1);
+ ber_bvfree(cookie_bv);
+
+ if (rc) {
+ DEBUG(3,("ads_do_paged_search_args: ldap_search_with_timeout(%s) -> %s\n", expr,
+ ldap_err2string(rc)));
+ if (rc == LDAP_OTHER) {
+ char *ldap_errmsg;
+ int ret;
+
+ ret = ldap_parse_result(ads->ldap.ld,
+ *res,
+ NULL,
+ NULL,
+ &ldap_errmsg,
+ NULL,
+ NULL,
+ 0);
+ if (ret == LDAP_SUCCESS) {
+ DEBUG(3, ("ldap_search_with_timeout(%s) "
+ "error: %s\n", expr, ldap_errmsg));
+ ldap_memfree(ldap_errmsg);
+ }
+ }
+ goto done;
+ }
+
+ rc = ldap_parse_result(ads->ldap.ld, *res, NULL, NULL, NULL,
+ NULL, &rcontrols, 0);
+
+ if (!rcontrols) {
+ goto done;
+ }
+
+ for (i=0; rcontrols[i]; i++) {
+ if (strcmp(ADS_PAGE_CTL_OID, rcontrols[i]->ldctl_oid) == 0) {
+ cookie_be = ber_init(&rcontrols[i]->ldctl_value);
+ ber_scanf(cookie_be,"{iO}", (ber_int_t *) count,
+ &cookie_bv);
+ /* the berval is the cookie, but must be freed when
+ it is all done */
+ if (cookie_bv->bv_len) /* still more to do */
+ *cookie=ber_bvdup(cookie_bv);
+ else
+ *cookie=NULL;
+ ber_bvfree(cookie_bv);
+ ber_free(cookie_be, 1);
+ break;
+ }
+ }
+ ldap_controls_free(rcontrols);
+
+done:
+ talloc_destroy(ctx);
+
+ if (ext_be) {
+ ber_free(ext_be, 1);
+ }
+
+ if (ext_bv) {
+ ber_bvfree(ext_bv);
+ }
+
+ if (rc != LDAP_SUCCESS && *res != NULL) {
+ ads_msgfree(ads, *res);
+ *res = NULL;
+ }
+
+ /* if/when we decide to utf8-encode attrs, take out this next line */
+ TALLOC_FREE(search_attrs);
+
+ return ADS_ERROR(rc);
+}
+
+static ADS_STATUS ads_do_paged_search(ADS_STRUCT *ads, const char *bind_path,
+ int scope, const char *expr,
+ const char **attrs, LDAPMessage **res,
+ int *count, struct berval **cookie)
+{
+ return ads_do_paged_search_args(ads, bind_path, scope, expr, attrs, NULL, res, count, cookie);
+}
+
+
+/**
+ * Get all results for a search. This uses ads_do_paged_search() to return
+ * all entries in a large search.
+ * @param ads connection to ads server
+ * @param bind_path Base dn for the search
+ * @param scope Scope of search (LDAP_SCOPE_BASE | LDAP_SCOPE_ONE | LDAP_SCOPE_SUBTREE)
+ * @param expr Search expression
+ * @param attrs Attributes to retrieve
+ * @param res ** which will contain results - free res* with ads_msgfree()
+ * @return status of search
+ **/
+ ADS_STATUS ads_do_search_all_args(ADS_STRUCT *ads, const char *bind_path,
+ int scope, const char *expr,
+ const char **attrs, void *args,
+ LDAPMessage **res)
+{
+ struct berval *cookie = NULL;
+ int count = 0;
+ ADS_STATUS status;
+
+ *res = NULL;
+ status = ads_do_paged_search_args(ads, bind_path, scope, expr, attrs, args, res,
+ &count, &cookie);
+
+ if (!ADS_ERR_OK(status))
+ return status;
+
+#ifdef HAVE_LDAP_ADD_RESULT_ENTRY
+ while (cookie) {
+ LDAPMessage *res2 = NULL;
+ LDAPMessage *msg, *next;
+
+ status = ads_do_paged_search_args(ads, bind_path, scope, expr,
+ attrs, args, &res2, &count, &cookie);
+ if (!ADS_ERR_OK(status)) {
+ break;
+ }
+
+ /* this relies on the way that ldap_add_result_entry() works internally. I hope
+ that this works on all ldap libs, but I have only tested with openldap */
+ for (msg = ads_first_message(ads, res2); msg; msg = next) {
+ next = ads_next_message(ads, msg);
+ ldap_add_result_entry((LDAPMessage **)res, msg);
+ }
+ /* note that we do not free res2, as the memory is now
+ part of the main returned list */
+ }
+#else
+ DEBUG(0, ("no ldap_add_result_entry() support in LDAP libs!\n"));
+ status = ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
+#endif
+
+ return status;
+}
+
+ ADS_STATUS ads_do_search_all(ADS_STRUCT *ads, const char *bind_path,
+ int scope, const char *expr,
+ const char **attrs, LDAPMessage **res)
+{
+ return ads_do_search_all_args(ads, bind_path, scope, expr, attrs, NULL, res);
+}
+
+ ADS_STATUS ads_do_search_all_sd_flags(ADS_STRUCT *ads, const char *bind_path,
+ int scope, const char *expr,
+ const char **attrs, uint32_t sd_flags,
+ LDAPMessage **res)
+{
+ ads_control args;
+
+ args.control = ADS_SD_FLAGS_OID;
+ args.val = sd_flags;
+ args.critical = True;
+
+ return ads_do_search_all_args(ads, bind_path, scope, expr, attrs, &args, res);
+}
+
+
+/**
+ * Run a function on all results for a search. Uses ads_do_paged_search() and
+ * runs the function as each page is returned, using ads_process_results()
+ * @param ads connection to ads server
+ * @param bind_path Base dn for the search
+ * @param scope Scope of search (LDAP_SCOPE_BASE | LDAP_SCOPE_ONE | LDAP_SCOPE_SUBTREE)
+ * @param expr Search expression - specified in local charset
+ * @param attrs Attributes to retrieve - specified in UTF-8 or ascii
+ * @param fn Function which takes attr name, values list, and data_area
+ * @param data_area Pointer which is passed to function on each call
+ * @return status of search
+ **/
+ADS_STATUS ads_do_search_all_fn(ADS_STRUCT *ads, const char *bind_path,
+ int scope, const char *expr, const char **attrs,
+ bool (*fn)(ADS_STRUCT *, char *, void **, void *),
+ void *data_area)
+{
+ struct berval *cookie = NULL;
+ int count = 0;
+ ADS_STATUS status;
+ LDAPMessage *res;
+
+ status = ads_do_paged_search(ads, bind_path, scope, expr, attrs, &res,
+ &count, &cookie);
+
+ if (!ADS_ERR_OK(status)) return status;
+
+ ads_process_results(ads, res, fn, data_area);
+ ads_msgfree(ads, res);
+
+ while (cookie) {
+ status = ads_do_paged_search(ads, bind_path, scope, expr, attrs,
+ &res, &count, &cookie);
+
+ if (!ADS_ERR_OK(status)) break;
+
+ ads_process_results(ads, res, fn, data_area);
+ ads_msgfree(ads, res);
+ }
+
+ return status;
+}
+
+/**
+ * Do a search with a timeout.
+ * @param ads connection to ads server
+ * @param bind_path Base dn for the search
+ * @param scope Scope of search (LDAP_SCOPE_BASE | LDAP_SCOPE_ONE | LDAP_SCOPE_SUBTREE)
+ * @param expr Search expression
+ * @param attrs Attributes to retrieve
+ * @param res ** which will contain results - free res* with ads_msgfree()
+ * @return status of search
+ **/
+ ADS_STATUS ads_do_search(ADS_STRUCT *ads, const char *bind_path, int scope,
+ const char *expr,
+ const char **attrs, LDAPMessage **res)
+{
+ int rc;
+ char *utf8_expr, *utf8_path, **search_attrs = NULL;
+ size_t converted_size;
+ TALLOC_CTX *ctx;
+
+ *res = NULL;
+ if (!(ctx = talloc_init("ads_do_search"))) {
+ DEBUG(1,("ads_do_search: talloc_init() failed!\n"));
+ return ADS_ERROR(LDAP_NO_MEMORY);
+ }
+
+ /* 0 means the conversion worked but the result was empty
+ so we only fail if it's negative. In any case, it always
+ at least nulls out the dest */
+ if (!push_utf8_talloc(ctx, &utf8_expr, expr, &converted_size) ||
+ !push_utf8_talloc(ctx, &utf8_path, bind_path, &converted_size))
+ {
+ DEBUG(1,("ads_do_search: push_utf8_talloc() failed!\n"));
+ rc = LDAP_NO_MEMORY;
+ goto done;
+ }
+
+ if (!attrs || !(*attrs))
+ search_attrs = NULL;
+ else {
+ /* This would be the utf8-encoded version...*/
+ /* if (!(search_attrs = ads_push_strvals(ctx, attrs))) */
+ if (!(search_attrs = str_list_copy(talloc_tos(), attrs)))
+ {
+ DEBUG(1,("ads_do_search: str_list_copy() failed!\n"));
+ rc = LDAP_NO_MEMORY;
+ goto done;
+ }
+ }
+
+ /* see the note in ads_do_paged_search - we *must* disable referrals */
+ ldap_set_option(ads->ldap.ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF);
+
+ rc = ldap_search_with_timeout(ads->ldap.ld, utf8_path, scope, utf8_expr,
+ search_attrs, 0, NULL, NULL,
+ LDAP_NO_LIMIT,
+ (LDAPMessage **)res);
+
+ if (rc == LDAP_SIZELIMIT_EXCEEDED) {
+ DEBUG(3,("Warning! sizelimit exceeded in ldap. Truncating.\n"));
+ rc = 0;
+ }
+
+ done:
+ talloc_destroy(ctx);
+ /* if/when we decide to utf8-encode attrs, take out this next line */
+ TALLOC_FREE(search_attrs);
+ return ADS_ERROR(rc);
+}
+/**
+ * Do a general ADS search
+ * @param ads connection to ads server
+ * @param res ** which will contain results - free res* with ads_msgfree()
+ * @param expr Search expression
+ * @param attrs Attributes to retrieve
+ * @return status of search
+ **/
+ ADS_STATUS ads_search(ADS_STRUCT *ads, LDAPMessage **res,
+ const char *expr, const char **attrs)
+{
+ return ads_do_search(ads, ads->config.bind_path, LDAP_SCOPE_SUBTREE,
+ expr, attrs, res);
+}
+
+/**
+ * Do a search on a specific DistinguishedName
+ * @param ads connection to ads server
+ * @param res ** which will contain results - free res* with ads_msgfree()
+ * @param dn DistinguishedName to search
+ * @param attrs Attributes to retrieve
+ * @return status of search
+ **/
+ ADS_STATUS ads_search_dn(ADS_STRUCT *ads, LDAPMessage **res,
+ const char *dn, const char **attrs)
+{
+ return ads_do_search(ads, dn, LDAP_SCOPE_BASE, "(objectclass=*)",
+ attrs, res);
+}
+
+/**
+ * Free up memory from a ads_search
+ * @param ads connection to ads server
+ * @param msg Search results to free
+ **/
+ void ads_msgfree(ADS_STRUCT *ads, LDAPMessage *msg)
+{
+ if (!msg) return;
+ ldap_msgfree(msg);
+}
+
+/**
+ * Get a dn from search results
+ * @param ads connection to ads server
+ * @param msg Search result
+ * @return dn string
+ **/
+ char *ads_get_dn(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, LDAPMessage *msg)
+{
+ char *utf8_dn, *unix_dn;
+ size_t converted_size;
+
+ utf8_dn = ldap_get_dn(ads->ldap.ld, msg);
+
+ if (!utf8_dn) {
+ DEBUG (5, ("ads_get_dn: ldap_get_dn failed\n"));
+ return NULL;
+ }
+
+ if (!pull_utf8_talloc(mem_ctx, &unix_dn, utf8_dn, &converted_size)) {
+ DEBUG(0,("ads_get_dn: string conversion failure utf8 [%s]\n",
+ utf8_dn ));
+ return NULL;
+ }
+ ldap_memfree(utf8_dn);
+ return unix_dn;
+}
+
+/**
+ * Get the parent from a dn
+ * @param dn the dn to return the parent from
+ * @return parent dn string
+ **/
+char *ads_parent_dn(const char *dn)
+{
+ char *p;
+
+ if (dn == NULL) {
+ return NULL;
+ }
+
+ p = strchr(dn, ',');
+
+ if (p == NULL) {
+ return NULL;
+ }
+
+ return p+1;
+}
+
+/**
+ * Find a machine account given a hostname
+ * @param ads connection to ads server
+ * @param res ** which will contain results - free res* with ads_msgfree()
+ * @param host Hostname to search for
+ * @return status of search
+ **/
+ ADS_STATUS ads_find_machine_acct(ADS_STRUCT *ads, LDAPMessage **res,
+ const char *machine)
+{
+ ADS_STATUS status;
+ char *expr;
+ const char *attrs[] = {
+ /* This is how Windows checks for machine accounts */
+ "objectClass",
+ "SamAccountName",
+ "userAccountControl",
+ "DnsHostName",
+ "ServicePrincipalName",
+ "userPrincipalName",
+ "unicodePwd",
+
+ /* Additional attributes Samba checks */
+ "msDS-AdditionalDnsHostName",
+ "msDS-SupportedEncryptionTypes",
+ "nTSecurityDescriptor",
+ "objectSid",
+
+ NULL
+ };
+ TALLOC_CTX *frame = talloc_stackframe();
+
+ *res = NULL;
+
+ /* the easiest way to find a machine account anywhere in the tree
+ is to look for hostname$ */
+ expr = talloc_asprintf(frame, "(samAccountName=%s$)", machine);
+ if (expr == NULL) {
+ status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
+ goto done;
+ }
+
+ status = ads_search(ads, res, expr, attrs);
+ if (ADS_ERR_OK(status)) {
+ if (ads_count_replies(ads, *res) != 1) {
+ status = ADS_ERROR_LDAP(LDAP_NO_SUCH_OBJECT);
+ }
+ }
+
+done:
+ TALLOC_FREE(frame);
+ return status;
+}
+
+/**
+ * Initialize a list of mods to be used in a modify request
+ * @param ctx An initialized TALLOC_CTX
+ * @return allocated ADS_MODLIST
+ **/
+ADS_MODLIST ads_init_mods(TALLOC_CTX *ctx)
+{
+#define ADS_MODLIST_ALLOC_SIZE 10
+ LDAPMod **mods;
+
+ if ((mods = talloc_zero_array(ctx, LDAPMod *, ADS_MODLIST_ALLOC_SIZE + 1)))
+ /* -1 is safety to make sure we don't go over the end.
+ need to reset it to NULL before doing ldap modify */
+ mods[ADS_MODLIST_ALLOC_SIZE] = (LDAPMod *) -1;
+
+ return (ADS_MODLIST)mods;
+}
+
+
+/*
+ add an attribute to the list, with values list already constructed
+*/
+static ADS_STATUS ads_modlist_add(TALLOC_CTX *ctx, ADS_MODLIST *mods,
+ int mod_op, const char *name,
+ const void *_invals)
+{
+ int curmod;
+ LDAPMod **modlist = (LDAPMod **) *mods;
+ struct berval **ber_values = NULL;
+ char **char_values = NULL;
+
+ if (!_invals) {
+ mod_op = LDAP_MOD_DELETE;
+ } else {
+ if (mod_op & LDAP_MOD_BVALUES) {
+ const struct berval **b;
+ b = discard_const_p(const struct berval *, _invals);
+ ber_values = ads_dup_values(ctx, b);
+ } else {
+ const char **c;
+ c = discard_const_p(const char *, _invals);
+ char_values = ads_push_strvals(ctx, c);
+ }
+ }
+
+ /* find the first empty slot */
+ for (curmod=0; modlist[curmod] && modlist[curmod] != (LDAPMod *) -1;
+ curmod++);
+ if (modlist[curmod] == (LDAPMod *) -1) {
+ if (!(modlist = talloc_realloc(ctx, modlist, LDAPMod *,
+ curmod+ADS_MODLIST_ALLOC_SIZE+1)))
+ return ADS_ERROR(LDAP_NO_MEMORY);
+ memset(&modlist[curmod], 0,
+ ADS_MODLIST_ALLOC_SIZE*sizeof(LDAPMod *));
+ modlist[curmod+ADS_MODLIST_ALLOC_SIZE] = (LDAPMod *) -1;
+ *mods = (ADS_MODLIST)modlist;
+ }
+
+ if (!(modlist[curmod] = talloc_zero(ctx, LDAPMod)))
+ return ADS_ERROR(LDAP_NO_MEMORY);
+ modlist[curmod]->mod_type = talloc_strdup(ctx, name);
+ if (mod_op & LDAP_MOD_BVALUES) {
+ modlist[curmod]->mod_bvalues = ber_values;
+ } else if (mod_op & LDAP_MOD_DELETE) {
+ modlist[curmod]->mod_values = NULL;
+ } else {
+ modlist[curmod]->mod_values = char_values;
+ }
+
+ modlist[curmod]->mod_op = mod_op;
+ return ADS_ERROR(LDAP_SUCCESS);
+}
+
+/**
+ * Add a single string value to a mod list
+ * @param ctx An initialized TALLOC_CTX
+ * @param mods An initialized ADS_MODLIST
+ * @param name The attribute name to add
+ * @param val The value to add - NULL means DELETE
+ * @return ADS STATUS indicating success of add
+ **/
+ADS_STATUS ads_mod_str(TALLOC_CTX *ctx, ADS_MODLIST *mods,
+ const char *name, const char *val)
+{
+ const char *values[2];
+
+ values[0] = val;
+ values[1] = NULL;
+
+ if (!val)
+ return ads_modlist_add(ctx, mods, LDAP_MOD_DELETE, name, NULL);
+ return ads_modlist_add(ctx, mods, LDAP_MOD_REPLACE, name, values);
+}
+
+/**
+ * Add an array of string values to a mod list
+ * @param ctx An initialized TALLOC_CTX
+ * @param mods An initialized ADS_MODLIST
+ * @param name The attribute name to add
+ * @param vals The array of string values to add - NULL means DELETE
+ * @return ADS STATUS indicating success of add
+ **/
+ADS_STATUS ads_mod_strlist(TALLOC_CTX *ctx, ADS_MODLIST *mods,
+ const char *name, const char **vals)
+{
+ if (!vals)
+ return ads_modlist_add(ctx, mods, LDAP_MOD_DELETE, name, NULL);
+ return ads_modlist_add(ctx, mods, LDAP_MOD_REPLACE,
+ name, (const void **) vals);
+}
+
+/**
+ * Add a single ber-encoded value to a mod list
+ * @param ctx An initialized TALLOC_CTX
+ * @param mods An initialized ADS_MODLIST
+ * @param name The attribute name to add
+ * @param val The value to add - NULL means DELETE
+ * @return ADS STATUS indicating success of add
+ **/
+static ADS_STATUS ads_mod_ber(TALLOC_CTX *ctx, ADS_MODLIST *mods,
+ const char *name, const struct berval *val)
+{
+ const struct berval *values[2];
+
+ values[0] = val;
+ values[1] = NULL;
+ if (!val)
+ return ads_modlist_add(ctx, mods, LDAP_MOD_DELETE, name, NULL);
+ return ads_modlist_add(ctx, mods, LDAP_MOD_REPLACE|LDAP_MOD_BVALUES,
+ name, (const void **) values);
+}
+
+static void ads_print_error(int ret, LDAP *ld)
+{
+ if (ret != 0) {
+ char *ld_error = NULL;
+ ldap_get_option(ld, LDAP_OPT_ERROR_STRING, &ld_error);
+ DBG_ERR("AD LDAP ERROR: %d (%s): %s\n",
+ ret,
+ ldap_err2string(ret),
+ ld_error);
+ SAFE_FREE(ld_error);
+ }
+}
+
+/**
+ * Perform an ldap modify
+ * @param ads connection to ads server
+ * @param mod_dn DistinguishedName to modify
+ * @param mods list of modifications to perform
+ * @return status of modify
+ **/
+ADS_STATUS ads_gen_mod(ADS_STRUCT *ads, const char *mod_dn, ADS_MODLIST mods)
+{
+ int ret,i;
+ char *utf8_dn = NULL;
+ size_t converted_size;
+ /*
+ this control is needed to modify that contains a currently
+ non-existent attribute (but allowable for the object) to run
+ */
+ LDAPControl PermitModify = {
+ discard_const_p(char, ADS_PERMIT_MODIFY_OID),
+ {0, NULL},
+ (char) 1};
+ LDAPControl *controls[2];
+
+ DBG_INFO("AD LDAP: Modifying %s\n", mod_dn);
+
+ controls[0] = &PermitModify;
+ controls[1] = NULL;
+
+ if (!push_utf8_talloc(talloc_tos(), &utf8_dn, mod_dn, &converted_size)) {
+ return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
+ }
+
+ /* find the end of the list, marked by NULL or -1 */
+ for(i=0;(mods[i]!=0)&&(mods[i]!=(LDAPMod *) -1);i++);
+ /* make sure the end of the list is NULL */
+ mods[i] = NULL;
+ ret = ldap_modify_ext_s(ads->ldap.ld, utf8_dn,
+ (LDAPMod **) mods, controls, NULL);
+ ads_print_error(ret, ads->ldap.ld);
+ TALLOC_FREE(utf8_dn);
+ return ADS_ERROR(ret);
+}
+
+/**
+ * Perform an ldap add
+ * @param ads connection to ads server
+ * @param new_dn DistinguishedName to add
+ * @param mods list of attributes and values for DN
+ * @return status of add
+ **/
+ADS_STATUS ads_gen_add(ADS_STRUCT *ads, const char *new_dn, ADS_MODLIST mods)
+{
+ int ret, i;
+ char *utf8_dn = NULL;
+ size_t converted_size;
+
+ DBG_INFO("AD LDAP: Adding %s\n", new_dn);
+
+ if (!push_utf8_talloc(talloc_tos(), &utf8_dn, new_dn, &converted_size)) {
+ DEBUG(1, ("ads_gen_add: push_utf8_talloc failed!\n"));
+ return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
+ }
+
+ /* find the end of the list, marked by NULL or -1 */
+ for(i=0;(mods[i]!=0)&&(mods[i]!=(LDAPMod *) -1);i++);
+ /* make sure the end of the list is NULL */
+ mods[i] = NULL;
+
+ ret = ldap_add_ext_s(ads->ldap.ld, utf8_dn, (LDAPMod**)mods, NULL, NULL);
+ ads_print_error(ret, ads->ldap.ld);
+ TALLOC_FREE(utf8_dn);
+ return ADS_ERROR(ret);
+}
+
+/**
+ * Delete a DistinguishedName
+ * @param ads connection to ads server
+ * @param new_dn DistinguishedName to delete
+ * @return status of delete
+ **/
+ADS_STATUS ads_del_dn(ADS_STRUCT *ads, char *del_dn)
+{
+ int ret;
+ char *utf8_dn = NULL;
+ size_t converted_size;
+ if (!push_utf8_talloc(talloc_tos(), &utf8_dn, del_dn, &converted_size)) {
+ DEBUG(1, ("ads_del_dn: push_utf8_talloc failed!\n"));
+ return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
+ }
+
+ DBG_INFO("AD LDAP: Deleting %s\n", del_dn);
+
+ ret = ldap_delete_s(ads->ldap.ld, utf8_dn);
+ ads_print_error(ret, ads->ldap.ld);
+ TALLOC_FREE(utf8_dn);
+ return ADS_ERROR(ret);
+}
+
+/**
+ * Build an org unit string
+ * if org unit is Computers or blank then assume a container, otherwise
+ * assume a / separated list of organisational units.
+ * jmcd: '\' is now used for escapes so certain chars can be in the ou (e.g. #)
+ * @param ads connection to ads server
+ * @param org_unit Organizational unit
+ * @return org unit string - caller must free
+ **/
+char *ads_ou_string(ADS_STRUCT *ads, const char *org_unit)
+{
+ ADS_STATUS status;
+ char *ret = NULL;
+ char *dn = NULL;
+
+ if (!org_unit || !*org_unit) {
+
+ ret = ads_default_ou_string(ads, DS_GUID_COMPUTERS_CONTAINER);
+
+ /* samba4 might not yet respond to a wellknownobject-query */
+ return ret ? ret : SMB_STRDUP("cn=Computers");
+ }
+
+ if (strequal(org_unit, "Computers")) {
+ return SMB_STRDUP("cn=Computers");
+ }
+
+ /* jmcd: removed "\\" from the separation chars, because it is
+ needed as an escape for chars like '#' which are valid in an
+ OU name */
+ status = ads_build_path(org_unit, "/", "ou=", 1, &dn);
+ if (!ADS_ERR_OK(status)) {
+ return NULL;
+ }
+
+ return dn;
+}
+
+/**
+ * Get a org unit string for a well-known GUID
+ * @param ads connection to ads server
+ * @param wknguid Well known GUID
+ * @return org unit string - caller must free
+ **/
+char *ads_default_ou_string(ADS_STRUCT *ads, const char *wknguid)
+{
+ ADS_STATUS status;
+ LDAPMessage *res = NULL;
+ char *base, *wkn_dn = NULL, *ret = NULL, **wkn_dn_exp = NULL,
+ **bind_dn_exp = NULL;
+ const char *attrs[] = {"distinguishedName", NULL};
+ int new_ln, wkn_ln, bind_ln, i;
+
+ if (wknguid == NULL) {
+ return NULL;
+ }
+
+ if (asprintf(&base, "<WKGUID=%s,%s>", wknguid, ads->config.bind_path ) == -1) {
+ DEBUG(1, ("asprintf failed!\n"));
+ return NULL;
+ }
+
+ status = ads_search_dn(ads, &res, base, attrs);
+ if (!ADS_ERR_OK(status)) {
+ DEBUG(1,("Failed while searching for: %s\n", base));
+ goto out;
+ }
+
+ if (ads_count_replies(ads, res) != 1) {
+ goto out;
+ }
+
+ /* substitute the bind-path from the well-known-guid-search result */
+ wkn_dn = ads_get_dn(ads, talloc_tos(), res);
+ if (!wkn_dn) {
+ goto out;
+ }
+
+ wkn_dn_exp = ldap_explode_dn(wkn_dn, 0);
+ if (!wkn_dn_exp) {
+ goto out;
+ }
+
+ bind_dn_exp = ldap_explode_dn(ads->config.bind_path, 0);
+ if (!bind_dn_exp) {
+ goto out;
+ }
+
+ for (wkn_ln=0; wkn_dn_exp[wkn_ln]; wkn_ln++)
+ ;
+ for (bind_ln=0; bind_dn_exp[bind_ln]; bind_ln++)
+ ;
+
+ new_ln = wkn_ln - bind_ln;
+
+ ret = SMB_STRDUP(wkn_dn_exp[0]);
+ if (!ret) {
+ goto out;
+ }
+
+ for (i=1; i < new_ln; i++) {
+ char *s = NULL;
+
+ if (asprintf(&s, "%s,%s", ret, wkn_dn_exp[i]) == -1) {
+ SAFE_FREE(ret);
+ goto out;
+ }
+
+ SAFE_FREE(ret);
+ ret = SMB_STRDUP(s);
+ free(s);
+ if (!ret) {
+ goto out;
+ }
+ }
+
+ out:
+ SAFE_FREE(base);
+ ads_msgfree(ads, res);
+ TALLOC_FREE(wkn_dn);
+ if (wkn_dn_exp) {
+ ldap_value_free(wkn_dn_exp);
+ }
+ if (bind_dn_exp) {
+ ldap_value_free(bind_dn_exp);
+ }
+
+ return ret;
+}
+
+/**
+ * Adds (appends) an item to an attribute array, rather then
+ * replacing the whole list
+ * @param ctx An initialized TALLOC_CTX
+ * @param mods An initialized ADS_MODLIST
+ * @param name name of the ldap attribute to append to
+ * @param vals an array of values to add
+ * @return status of addition
+ **/
+
+ADS_STATUS ads_add_strlist(TALLOC_CTX *ctx, ADS_MODLIST *mods,
+ const char *name, const char **vals)
+{
+ return ads_modlist_add(ctx, mods, LDAP_MOD_ADD, name,
+ (const void *) vals);
+}
+
+/**
+ * Determines the an account's current KVNO via an LDAP lookup
+ * @param ads An initialized ADS_STRUCT
+ * @param account_name the NT samaccountname.
+ * @return the kvno for the account, or -1 in case of a failure.
+ **/
+
+uint32_t ads_get_kvno(ADS_STRUCT *ads, const char *account_name)
+{
+ LDAPMessage *res = NULL;
+ uint32_t kvno = (uint32_t)-1; /* -1 indicates a failure */
+ char *filter;
+ const char *attrs[] = {"msDS-KeyVersionNumber", NULL};
+ char *dn_string = NULL;
+ ADS_STATUS ret;
+
+ DEBUG(5,("ads_get_kvno: Searching for account %s\n", account_name));
+ if (asprintf(&filter, "(samAccountName=%s)", account_name) == -1) {
+ return kvno;
+ }
+ ret = ads_search(ads, &res, filter, attrs);
+ SAFE_FREE(filter);
+ if (!ADS_ERR_OK(ret) || (ads_count_replies(ads, res) != 1)) {
+ DEBUG(1,("ads_get_kvno: Account for %s not found.\n", account_name));
+ ads_msgfree(ads, res);
+ return kvno;
+ }
+
+ dn_string = ads_get_dn(ads, talloc_tos(), res);
+ if (!dn_string) {
+ DEBUG(0,("ads_get_kvno: out of memory.\n"));
+ ads_msgfree(ads, res);
+ return kvno;
+ }
+ DEBUG(5,("ads_get_kvno: Using: %s\n", dn_string));
+ TALLOC_FREE(dn_string);
+
+ /* ---------------------------------------------------------
+ * 0 is returned as a default KVNO from this point on...
+ * This is done because Windows 2000 does not support key
+ * version numbers. Chances are that a failure in the next
+ * step is simply due to Windows 2000 being used for a
+ * domain controller. */
+ kvno = 0;
+
+ if (!ads_pull_uint32(ads, res, "msDS-KeyVersionNumber", &kvno)) {
+ DEBUG(3,("ads_get_kvno: Error Determining KVNO!\n"));
+ DEBUG(3,("ads_get_kvno: Windows 2000 does not support KVNO's, so this may be normal.\n"));
+ ads_msgfree(ads, res);
+ return kvno;
+ }
+
+ /* Success */
+ DEBUG(5,("ads_get_kvno: Looked Up KVNO of: %d\n", kvno));
+ ads_msgfree(ads, res);
+ return kvno;
+}
+
+/**
+ * Determines the computer account's current KVNO via an LDAP lookup
+ * @param ads An initialized ADS_STRUCT
+ * @param machine_name the NetBIOS name of the computer, which is used to identify the computer account.
+ * @return the kvno for the computer account, or -1 in case of a failure.
+ **/
+
+uint32_t ads_get_machine_kvno(ADS_STRUCT *ads, const char *machine_name)
+{
+ char *computer_account = NULL;
+ uint32_t kvno = -1;
+
+ if (asprintf(&computer_account, "%s$", machine_name) < 0) {
+ return kvno;
+ }
+
+ kvno = ads_get_kvno(ads, computer_account);
+ free(computer_account);
+
+ return kvno;
+}
+
+/**
+ * This clears out all registered spn's for a given hostname
+ * @param ads An initialized ADS_STRUCT
+ * @param machine_name the NetBIOS name of the computer.
+ * @return 0 upon success, non-zero otherwise.
+ **/
+
+ADS_STATUS ads_clear_service_principal_names(ADS_STRUCT *ads, const char *machine_name)
+{
+ TALLOC_CTX *ctx;
+ LDAPMessage *res = NULL;
+ ADS_MODLIST mods;
+ const char *servicePrincipalName[1] = {NULL};
+ ADS_STATUS ret;
+ char *dn_string = NULL;
+
+ ret = ads_find_machine_acct(ads, &res, machine_name);
+ if (!ADS_ERR_OK(ret)) {
+ DEBUG(5,("ads_clear_service_principal_names: WARNING: Host Account for %s not found... skipping operation.\n", machine_name));
+ DEBUG(5,("ads_clear_service_principal_names: WARNING: Service Principals for %s have NOT been cleared.\n", machine_name));
+ ads_msgfree(ads, res);
+ return ret;
+ }
+
+ DEBUG(5,("ads_clear_service_principal_names: Host account for %s found\n", machine_name));
+ ctx = talloc_init("ads_clear_service_principal_names");
+ if (!ctx) {
+ ads_msgfree(ads, res);
+ return ADS_ERROR(LDAP_NO_MEMORY);
+ }
+
+ if (!(mods = ads_init_mods(ctx))) {
+ talloc_destroy(ctx);
+ ads_msgfree(ads, res);
+ return ADS_ERROR(LDAP_NO_MEMORY);
+ }
+ ret = ads_mod_strlist(ctx, &mods, "servicePrincipalName", servicePrincipalName);
+ if (!ADS_ERR_OK(ret)) {
+ DEBUG(1,("ads_clear_service_principal_names: Error creating strlist.\n"));
+ ads_msgfree(ads, res);
+ talloc_destroy(ctx);
+ return ret;
+ }
+ dn_string = ads_get_dn(ads, talloc_tos(), res);
+ if (!dn_string) {
+ talloc_destroy(ctx);
+ ads_msgfree(ads, res);
+ return ADS_ERROR(LDAP_NO_MEMORY);
+ }
+ ret = ads_gen_mod(ads, dn_string, mods);
+ TALLOC_FREE(dn_string);
+ if (!ADS_ERR_OK(ret)) {
+ DEBUG(1,("ads_clear_service_principal_names: Error: Updating Service Principals for machine %s in LDAP\n",
+ machine_name));
+ ads_msgfree(ads, res);
+ talloc_destroy(ctx);
+ return ret;
+ }
+
+ ads_msgfree(ads, res);
+ talloc_destroy(ctx);
+ return ret;
+}
+
+/**
+ * @brief Search for an element in a string array.
+ *
+ * @param[in] el_array The string array to search.
+ *
+ * @param[in] num_el The number of elements in the string array.
+ *
+ * @param[in] el The string to search.
+ *
+ * @return True if found, false if not.
+ */
+bool ads_element_in_array(const char **el_array, size_t num_el, const char *el)
+{
+ size_t i;
+
+ if (el_array == NULL || num_el == 0 || el == NULL) {
+ return false;
+ }
+
+ for (i = 0; i < num_el && el_array[i] != NULL; i++) {
+ int cmp;
+
+ cmp = strcasecmp_m(el_array[i], el);
+ if (cmp == 0) {
+ return true;
+ }
+ }
+
+ return false;
+}
+
+/**
+ * @brief This gets the service principal names of an existing computer account.
+ *
+ * @param[in] mem_ctx The memory context to use to allocate the spn array.
+ *
+ * @param[in] ads The ADS context to use.
+ *
+ * @param[in] machine_name The NetBIOS name of the computer, which is used to
+ * identify the computer account.
+ *
+ * @param[in] spn_array A pointer to store the array for SPNs.
+ *
+ * @param[in] num_spns The number of principals stored in the array.
+ *
+ * @return 0 on success, or a ADS error if a failure occurred.
+ */
+ADS_STATUS ads_get_service_principal_names(TALLOC_CTX *mem_ctx,
+ ADS_STRUCT *ads,
+ const char *machine_name,
+ char ***spn_array,
+ size_t *num_spns)
+{
+ ADS_STATUS status;
+ LDAPMessage *res = NULL;
+ int count;
+
+ status = ads_find_machine_acct(ads,
+ &res,
+ machine_name);
+ if (!ADS_ERR_OK(status)) {
+ DEBUG(1,("Host Account for %s not found... skipping operation.\n",
+ machine_name));
+ return status;
+ }
+
+ count = ads_count_replies(ads, res);
+ if (count != 1) {
+ status = ADS_ERROR(LDAP_NO_SUCH_OBJECT);
+ goto done;
+ }
+
+ *spn_array = ads_pull_strings(ads,
+ mem_ctx,
+ res,
+ "servicePrincipalName",
+ num_spns);
+ if (*spn_array == NULL) {
+ DEBUG(1, ("Host account for %s does not have service principal "
+ "names.\n",
+ machine_name));
+ status = ADS_ERROR(LDAP_NO_SUCH_OBJECT);
+ goto done;
+ }
+
+done:
+ ads_msgfree(ads, res);
+
+ return status;
+}
+
+/**
+ * This adds a service principal name to an existing computer account
+ * (found by hostname) in AD.
+ * @param ads An initialized ADS_STRUCT
+ * @param machine_name the NetBIOS name of the computer, which is used to identify the computer account.
+ * @param spns An array or strings for the service principals to add,
+ * i.e. 'cifs/machine_name', 'http/machine.full.domain.com' etc.
+ * @return 0 upon success, or non-zero if a failure occurs
+ **/
+
+ADS_STATUS ads_add_service_principal_names(ADS_STRUCT *ads,
+ const char *machine_name,
+ const char **spns)
+{
+ ADS_STATUS ret;
+ TALLOC_CTX *ctx;
+ LDAPMessage *res = NULL;
+ ADS_MODLIST mods;
+ char *dn_string = NULL;
+ const char **servicePrincipalName = spns;
+
+ ret = ads_find_machine_acct(ads, &res, machine_name);
+ if (!ADS_ERR_OK(ret)) {
+ DEBUG(1,("ads_add_service_principal_name: WARNING: Host Account for %s not found... skipping operation.\n",
+ machine_name));
+ DEBUG(1,("ads_add_service_principal_name: WARNING: Service Principals have NOT been added.\n"));
+ ads_msgfree(ads, res);
+ return ret;
+ }
+
+ DEBUG(1,("ads_add_service_principal_name: Host account for %s found\n", machine_name));
+ if (!(ctx = talloc_init("ads_add_service_principal_name"))) {
+ ads_msgfree(ads, res);
+ return ADS_ERROR(LDAP_NO_MEMORY);
+ }
+
+ DEBUG(5,("ads_add_service_principal_name: INFO: "
+ "Adding %s to host %s\n",
+ spns[0] ? "N/A" : spns[0], machine_name));
+
+
+ DEBUG(5,("ads_add_service_principal_name: INFO: "
+ "Adding %s to host %s\n",
+ spns[1] ? "N/A" : spns[1], machine_name));
+
+ if ( (mods = ads_init_mods(ctx)) == NULL ) {
+ ret = ADS_ERROR(LDAP_NO_MEMORY);
+ goto out;
+ }
+
+ ret = ads_add_strlist(ctx,
+ &mods,
+ "servicePrincipalName",
+ servicePrincipalName);
+ if (!ADS_ERR_OK(ret)) {
+ DEBUG(1,("ads_add_service_principal_name: Error: Updating Service Principals in LDAP\n"));
+ goto out;
+ }
+
+ if ( (dn_string = ads_get_dn(ads, ctx, res)) == NULL ) {
+ ret = ADS_ERROR(LDAP_NO_MEMORY);
+ goto out;
+ }
+
+ ret = ads_gen_mod(ads, dn_string, mods);
+ if (!ADS_ERR_OK(ret)) {
+ DEBUG(1,("ads_add_service_principal_name: Error: Updating Service Principals in LDAP\n"));
+ goto out;
+ }
+
+ out:
+ TALLOC_FREE( ctx );
+ ads_msgfree(ads, res);
+ return ret;
+}
+
+static uint32_t ads_get_acct_ctrl(ADS_STRUCT *ads,
+ LDAPMessage *msg)
+{
+ uint32_t acct_ctrl = 0;
+ bool ok;
+
+ ok = ads_pull_uint32(ads, msg, "userAccountControl", &acct_ctrl);
+ if (!ok) {
+ return 0;
+ }
+
+ return acct_ctrl;
+}
+
+static ADS_STATUS ads_change_machine_acct(ADS_STRUCT *ads,
+ LDAPMessage *msg,
+ const struct berval *machine_pw_val)
+{
+ ADS_MODLIST mods;
+ ADS_STATUS ret;
+ TALLOC_CTX *frame = talloc_stackframe();
+ uint32_t acct_control;
+ char *control_str = NULL;
+ const char *attrs[] = {
+ "objectSid",
+ NULL
+ };
+ LDAPMessage *res = NULL;
+ char *dn = NULL;
+
+ dn = ads_get_dn(ads, frame, msg);
+ if (dn == NULL) {
+ ret = ADS_ERROR(LDAP_NO_MEMORY);
+ goto done;
+ }
+
+ acct_control = ads_get_acct_ctrl(ads, msg);
+ if (acct_control == 0) {
+ ret = ADS_ERROR(LDAP_NO_RESULTS_RETURNED);
+ goto done;
+ }
+
+ /*
+ * Changing the password, disables the account. So we need to change the
+ * userAccountControl flags to enable it again.
+ */
+ mods = ads_init_mods(frame);
+ if (mods == NULL) {
+ ret = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+ goto done;
+ }
+
+ ads_mod_ber(frame, &mods, "unicodePwd", machine_pw_val);
+
+ ret = ads_gen_mod(ads, dn, mods);
+ if (!ADS_ERR_OK(ret)) {
+ goto done;
+ }
+ TALLOC_FREE(mods);
+
+ /*
+ * To activate the account, we need to disable and enable it.
+ */
+ acct_control |= UF_ACCOUNTDISABLE;
+
+ control_str = talloc_asprintf(frame, "%u", acct_control);
+ if (control_str == NULL) {
+ ret = ADS_ERROR(LDAP_NO_MEMORY);
+ goto done;
+ }
+
+ mods = ads_init_mods(frame);
+ if (mods == NULL) {
+ ret = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+ goto done;
+ }
+
+ ads_mod_str(frame, &mods, "userAccountControl", control_str);
+
+ ret = ads_gen_mod(ads, dn, mods);
+ if (!ADS_ERR_OK(ret)) {
+ goto done;
+ }
+ TALLOC_FREE(mods);
+ TALLOC_FREE(control_str);
+
+ /*
+ * Enable the account again.
+ */
+ acct_control &= ~UF_ACCOUNTDISABLE;
+
+ control_str = talloc_asprintf(frame, "%u", acct_control);
+ if (control_str == NULL) {
+ ret = ADS_ERROR(LDAP_NO_MEMORY);
+ goto done;
+ }
+
+ mods = ads_init_mods(frame);
+ if (mods == NULL) {
+ ret = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+ goto done;
+ }
+
+ ads_mod_str(frame, &mods, "userAccountControl", control_str);
+
+ ret = ads_gen_mod(ads, dn, mods);
+ if (!ADS_ERR_OK(ret)) {
+ goto done;
+ }
+ TALLOC_FREE(mods);
+ TALLOC_FREE(control_str);
+
+ ret = ads_search_dn(ads, &res, dn, attrs);
+ ads_msgfree(ads, res);
+
+done:
+ talloc_free(frame);
+
+ return ret;
+}
+
+/**
+ * adds a machine account to the ADS server
+ * @param ads An initialized ADS_STRUCT
+ * @param machine_name - the NetBIOS machine name of this account.
+ * @param account_type A number indicating the type of account to create
+ * @param org_unit The LDAP path in which to place this account
+ * @return 0 upon success, or non-zero otherwise
+**/
+
+ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads,
+ const char *machine_name,
+ const char *machine_password,
+ const char *org_unit,
+ uint32_t etype_list,
+ const char *dns_domain_name)
+{
+ ADS_STATUS ret;
+ char *samAccountName = NULL;
+ char *controlstr = NULL;
+ TALLOC_CTX *ctx = NULL;
+ ADS_MODLIST mods;
+ char *machine_escaped = NULL;
+ char *dns_hostname = NULL;
+ char *new_dn = NULL;
+ char *utf8_pw = NULL;
+ size_t utf8_pw_len = 0;
+ char *utf16_pw = NULL;
+ size_t utf16_pw_len = 0;
+ struct berval machine_pw_val;
+ bool ok;
+ const char **spn_array = NULL;
+ size_t num_spns = 0;
+ const char *spn_prefix[] = {
+ "HOST",
+ "RestrictedKrbHost",
+ };
+ size_t i;
+ LDAPMessage *res = NULL;
+ uint32_t acct_control = UF_WORKSTATION_TRUST_ACCOUNT;
+
+ ctx = talloc_init("ads_add_machine_acct");
+ if (ctx == NULL) {
+ return ADS_ERROR(LDAP_NO_MEMORY);
+ }
+
+ machine_escaped = escape_rdn_val_string_alloc(machine_name);
+ if (machine_escaped == NULL) {
+ ret = ADS_ERROR(LDAP_NO_MEMORY);
+ goto done;
+ }
+
+ utf8_pw = talloc_asprintf(ctx, "\"%s\"", machine_password);
+ if (utf8_pw == NULL) {
+ ret = ADS_ERROR(LDAP_NO_MEMORY);
+ goto done;
+ }
+ utf8_pw_len = strlen(utf8_pw);
+
+ ok = convert_string_talloc(ctx,
+ CH_UTF8, CH_UTF16MUNGED,
+ utf8_pw, utf8_pw_len,
+ (void *)&utf16_pw, &utf16_pw_len);
+ if (!ok) {
+ ret = ADS_ERROR(LDAP_NO_MEMORY);
+ goto done;
+ }
+
+ machine_pw_val = (struct berval) {
+ .bv_val = utf16_pw,
+ .bv_len = utf16_pw_len,
+ };
+
+ /* Check if the machine account already exists. */
+ ret = ads_find_machine_acct(ads, &res, machine_escaped);
+ if (ADS_ERR_OK(ret)) {
+ /* Change the machine account password */
+ ret = ads_change_machine_acct(ads, res, &machine_pw_val);
+ ads_msgfree(ads, res);
+
+ goto done;
+ }
+ ads_msgfree(ads, res);
+
+ new_dn = talloc_asprintf(ctx, "cn=%s,%s", machine_escaped, org_unit);
+ if (new_dn == NULL) {
+ ret = ADS_ERROR(LDAP_NO_MEMORY);
+ goto done;
+ }
+
+ /* Create machine account */
+
+ samAccountName = talloc_asprintf(ctx, "%s$", machine_name);
+ if (samAccountName == NULL) {
+ ret = ADS_ERROR(LDAP_NO_MEMORY);
+ goto done;
+ }
+
+ dns_hostname = talloc_asprintf(ctx,
+ "%s.%s",
+ machine_name,
+ dns_domain_name);
+ if (dns_hostname == NULL) {
+ ret = ADS_ERROR(LDAP_NO_MEMORY);
+ goto done;
+ }
+
+ /* Add dns_hostname SPNs */
+ for (i = 0; i < ARRAY_SIZE(spn_prefix); i++) {
+ char *spn = talloc_asprintf(ctx,
+ "%s/%s",
+ spn_prefix[i],
+ dns_hostname);
+ if (spn == NULL) {
+ ret = ADS_ERROR(LDAP_NO_MEMORY);
+ goto done;
+ }
+
+ ok = add_string_to_array(ctx,
+ spn,
+ &spn_array,
+ &num_spns);
+ if (!ok) {
+ ret = ADS_ERROR(LDAP_NO_MEMORY);
+ goto done;
+ }
+ }
+
+ /* Add machine_name SPNs */
+ for (i = 0; i < ARRAY_SIZE(spn_prefix); i++) {
+ char *spn = talloc_asprintf(ctx,
+ "%s/%s",
+ spn_prefix[i],
+ machine_name);
+ if (spn == NULL) {
+ ret = ADS_ERROR(LDAP_NO_MEMORY);
+ goto done;
+ }
+
+ ok = add_string_to_array(ctx,
+ spn,
+ &spn_array,
+ &num_spns);
+ if (!ok) {
+ ret = ADS_ERROR(LDAP_NO_MEMORY);
+ goto done;
+ }
+ }
+
+ /* Make sure to NULL terminate the array */
+ spn_array = talloc_realloc(ctx, spn_array, const char *, num_spns + 1);
+ if (spn_array == NULL) {
+ ret = ADS_ERROR(LDAP_NO_MEMORY);
+ goto done;
+ }
+ spn_array[num_spns] = NULL;
+
+ controlstr = talloc_asprintf(ctx, "%u", acct_control);
+ if (controlstr == NULL) {
+ ret = ADS_ERROR(LDAP_NO_MEMORY);
+ goto done;
+ }
+
+ mods = ads_init_mods(ctx);
+ if (mods == NULL) {
+ ret = ADS_ERROR(LDAP_NO_MEMORY);
+ goto done;
+ }
+
+ ads_mod_str(ctx, &mods, "objectClass", "Computer");
+ ads_mod_str(ctx, &mods, "SamAccountName", samAccountName);
+ ads_mod_str(ctx, &mods, "userAccountControl", controlstr);
+ ads_mod_str(ctx, &mods, "DnsHostName", dns_hostname);
+ ads_mod_strlist(ctx, &mods, "ServicePrincipalName", spn_array);
+ ads_mod_ber(ctx, &mods, "unicodePwd", &machine_pw_val);
+
+ ret = ads_gen_add(ads, new_dn, mods);
+
+done:
+ SAFE_FREE(machine_escaped);
+ talloc_destroy(ctx);
+
+ return ret;
+}
+
+/**
+ * move a machine account to another OU on the ADS server
+ * @param ads - An initialized ADS_STRUCT
+ * @param machine_name - the NetBIOS machine name of this account.
+ * @param org_unit - The LDAP path in which to place this account
+ * @param moved - whether we moved the machine account (optional)
+ * @return 0 upon success, or non-zero otherwise
+**/
+
+ADS_STATUS ads_move_machine_acct(ADS_STRUCT *ads, const char *machine_name,
+ const char *org_unit, bool *moved)
+{
+ ADS_STATUS rc;
+ int ldap_status;
+ LDAPMessage *res = NULL;
+ char *filter = NULL;
+ char *computer_dn = NULL;
+ char *parent_dn;
+ char *computer_rdn = NULL;
+ bool need_move = False;
+
+ if (asprintf(&filter, "(samAccountName=%s$)", machine_name) == -1) {
+ rc = ADS_ERROR(LDAP_NO_MEMORY);
+ goto done;
+ }
+
+ /* Find pre-existing machine */
+ rc = ads_search(ads, &res, filter, NULL);
+ if (!ADS_ERR_OK(rc)) {
+ goto done;
+ }
+
+ computer_dn = ads_get_dn(ads, talloc_tos(), res);
+ if (!computer_dn) {
+ rc = ADS_ERROR(LDAP_NO_MEMORY);
+ goto done;
+ }
+
+ parent_dn = ads_parent_dn(computer_dn);
+ if (strequal(parent_dn, org_unit)) {
+ goto done;
+ }
+
+ need_move = True;
+
+ if (asprintf(&computer_rdn, "CN=%s", machine_name) == -1) {
+ rc = ADS_ERROR(LDAP_NO_MEMORY);
+ goto done;
+ }
+
+ ldap_status = ldap_rename_s(ads->ldap.ld, computer_dn, computer_rdn,
+ org_unit, 1, NULL, NULL);
+ rc = ADS_ERROR(ldap_status);
+
+done:
+ ads_msgfree(ads, res);
+ SAFE_FREE(filter);
+ TALLOC_FREE(computer_dn);
+ SAFE_FREE(computer_rdn);
+
+ if (!ADS_ERR_OK(rc)) {
+ need_move = False;
+ }
+
+ if (moved) {
+ *moved = need_move;
+ }
+
+ return rc;
+}
+
+/*
+ dump a binary result from ldap
+*/
+static void dump_binary(ADS_STRUCT *ads, const char *field, struct berval **values)
+{
+ size_t i;
+ for (i=0; values[i]; i++) {
+ ber_len_t j;
+ printf("%s: ", field);
+ for (j=0; j<values[i]->bv_len; j++) {
+ printf("%02X", (unsigned char)values[i]->bv_val[j]);
+ }
+ printf("\n");
+ }
+}
+
+static void dump_guid(ADS_STRUCT *ads, const char *field, struct berval **values)
+{
+ int i;
+ for (i=0; values[i]; i++) {
+ NTSTATUS status;
+ DATA_BLOB in = data_blob_const(values[i]->bv_val, values[i]->bv_len);
+ struct GUID guid;
+
+ status = GUID_from_ndr_blob(&in, &guid);
+ if (NT_STATUS_IS_OK(status)) {
+ printf("%s: %s\n", field, GUID_string(talloc_tos(), &guid));
+ } else {
+ printf("%s: INVALID GUID\n", field);
+ }
+ }
+}
+
+/*
+ dump a sid result from ldap
+*/
+static void dump_sid(ADS_STRUCT *ads, const char *field, struct berval **values)
+{
+ int i;
+ for (i=0; values[i]; i++) {
+ ssize_t ret;
+ struct dom_sid sid;
+ struct dom_sid_buf tmp;
+ ret = sid_parse((const uint8_t *)values[i]->bv_val,
+ values[i]->bv_len, &sid);
+ if (ret == -1) {
+ return;
+ }
+ printf("%s: %s\n", field, dom_sid_str_buf(&sid, &tmp));
+ }
+}
+
+/*
+ dump ntSecurityDescriptor
+*/
+static void dump_sd(ADS_STRUCT *ads, const char *filed, struct berval **values)
+{
+ TALLOC_CTX *frame = talloc_stackframe();
+ struct security_descriptor *psd;
+ NTSTATUS status;
+
+ status = unmarshall_sec_desc(talloc_tos(), (uint8_t *)values[0]->bv_val,
+ values[0]->bv_len, &psd);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("unmarshall_sec_desc failed: %s\n",
+ nt_errstr(status)));
+ TALLOC_FREE(frame);
+ return;
+ }
+
+ if (psd) {
+ ads_disp_sd(ads, talloc_tos(), psd);
+ }
+
+ TALLOC_FREE(frame);
+}
+
+/*
+ dump a string result from ldap
+*/
+static void dump_string(const char *field, char **values)
+{
+ int i;
+ for (i=0; values[i]; i++) {
+ printf("%s: %s\n", field, values[i]);
+ }
+}
+
+/*
+ dump a field from LDAP on stdout
+ used for debugging
+*/
+
+static bool ads_dump_field(ADS_STRUCT *ads, char *field, void **values, void *data_area)
+{
+ const struct {
+ const char *name;
+ bool string;
+ void (*handler)(ADS_STRUCT *, const char *, struct berval **);
+ } handlers[] = {
+ {"objectGUID", False, dump_guid},
+ {"netbootGUID", False, dump_guid},
+ {"nTSecurityDescriptor", False, dump_sd},
+ {"dnsRecord", False, dump_binary},
+ {"objectSid", False, dump_sid},
+ {"tokenGroups", False, dump_sid},
+ {"tokenGroupsNoGCAcceptable", False, dump_sid},
+ {"tokengroupsGlobalandUniversal", False, dump_sid},
+ {"mS-DS-CreatorSID", False, dump_sid},
+ {"msExchMailboxGuid", False, dump_guid},
+ {NULL, True, NULL}
+ };
+ int i;
+
+ if (!field) { /* must be end of an entry */
+ printf("\n");
+ return False;
+ }
+
+ for (i=0; handlers[i].name; i++) {
+ if (strcasecmp_m(handlers[i].name, field) == 0) {
+ if (!values) /* first time, indicate string or not */
+ return handlers[i].string;
+ handlers[i].handler(ads, field, (struct berval **) values);
+ break;
+ }
+ }
+ if (!handlers[i].name) {
+ if (!values) /* first time, indicate string conversion */
+ return True;
+ dump_string(field, (char **)values);
+ }
+ return False;
+}
+
+/**
+ * Dump a result from LDAP on stdout
+ * used for debugging
+ * @param ads connection to ads server
+ * @param res Results to dump
+ **/
+
+ void ads_dump(ADS_STRUCT *ads, LDAPMessage *res)
+{
+ ads_process_results(ads, res, ads_dump_field, NULL);
+}
+
+/**
+ * Walk through results, calling a function for each entry found.
+ * The function receives a field name, a berval * array of values,
+ * and a data area passed through from the start. The function is
+ * called once with null for field and values at the end of each
+ * entry.
+ * @param ads connection to ads server
+ * @param res Results to process
+ * @param fn Function for processing each result
+ * @param data_area user-defined area to pass to function
+ **/
+ void ads_process_results(ADS_STRUCT *ads, LDAPMessage *res,
+ bool (*fn)(ADS_STRUCT *, char *, void **, void *),
+ void *data_area)
+{
+ LDAPMessage *msg;
+ TALLOC_CTX *ctx;
+ size_t converted_size;
+
+ if (!(ctx = talloc_init("ads_process_results")))
+ return;
+
+ for (msg = ads_first_entry(ads, res); msg;
+ msg = ads_next_entry(ads, msg)) {
+ char *utf8_field;
+ BerElement *b;
+
+ for (utf8_field=ldap_first_attribute(ads->ldap.ld,
+ (LDAPMessage *)msg,&b);
+ utf8_field;
+ utf8_field=ldap_next_attribute(ads->ldap.ld,
+ (LDAPMessage *)msg,b)) {
+ struct berval **ber_vals;
+ char **str_vals;
+ char **utf8_vals;
+ char *field;
+ bool string;
+
+ if (!pull_utf8_talloc(ctx, &field, utf8_field,
+ &converted_size))
+ {
+ DEBUG(0,("ads_process_results: "
+ "pull_utf8_talloc failed: %s\n",
+ strerror(errno)));
+ }
+
+ string = fn(ads, field, NULL, data_area);
+
+ if (string) {
+ const char **p;
+
+ utf8_vals = ldap_get_values(ads->ldap.ld,
+ (LDAPMessage *)msg, field);
+ p = discard_const_p(const char *, utf8_vals);
+ str_vals = ads_pull_strvals(ctx, p);
+ fn(ads, field, (void **) str_vals, data_area);
+ ldap_value_free(utf8_vals);
+ } else {
+ ber_vals = ldap_get_values_len(ads->ldap.ld,
+ (LDAPMessage *)msg, field);
+ fn(ads, field, (void **) ber_vals, data_area);
+
+ ldap_value_free_len(ber_vals);
+ }
+ ldap_memfree(utf8_field);
+ }
+ ber_free(b, 0);
+ talloc_free_children(ctx);
+ fn(ads, NULL, NULL, data_area); /* completed an entry */
+
+ }
+ talloc_destroy(ctx);
+}
+
+/**
+ * count how many replies are in a LDAPMessage
+ * @param ads connection to ads server
+ * @param res Results to count
+ * @return number of replies
+ **/
+int ads_count_replies(ADS_STRUCT *ads, void *res)
+{
+ return ldap_count_entries(ads->ldap.ld, (LDAPMessage *)res);
+}
+
+/**
+ * pull the first entry from a ADS result
+ * @param ads connection to ads server
+ * @param res Results of search
+ * @return first entry from result
+ **/
+ LDAPMessage *ads_first_entry(ADS_STRUCT *ads, LDAPMessage *res)
+{
+ return ldap_first_entry(ads->ldap.ld, res);
+}
+
+/**
+ * pull the next entry from a ADS result
+ * @param ads connection to ads server
+ * @param res Results of search
+ * @return next entry from result
+ **/
+ LDAPMessage *ads_next_entry(ADS_STRUCT *ads, LDAPMessage *res)
+{
+ return ldap_next_entry(ads->ldap.ld, res);
+}
+
+/**
+ * pull the first message from a ADS result
+ * @param ads connection to ads server
+ * @param res Results of search
+ * @return first message from result
+ **/
+ LDAPMessage *ads_first_message(ADS_STRUCT *ads, LDAPMessage *res)
+{
+ return ldap_first_message(ads->ldap.ld, res);
+}
+
+/**
+ * pull the next message from a ADS result
+ * @param ads connection to ads server
+ * @param res Results of search
+ * @return next message from result
+ **/
+ LDAPMessage *ads_next_message(ADS_STRUCT *ads, LDAPMessage *res)
+{
+ return ldap_next_message(ads->ldap.ld, res);
+}
+
+/**
+ * pull a single string from a ADS result
+ * @param ads connection to ads server
+ * @param mem_ctx TALLOC_CTX to use for allocating result string
+ * @param msg Results of search
+ * @param field Attribute to retrieve
+ * @return Result string in talloc context
+ **/
+ char *ads_pull_string(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, LDAPMessage *msg,
+ const char *field)
+{
+ char **values;
+ char *ret = NULL;
+ char *ux_string;
+ size_t converted_size;
+
+ values = ldap_get_values(ads->ldap.ld, msg, field);
+ if (!values)
+ return NULL;
+
+ if (values[0] && pull_utf8_talloc(mem_ctx, &ux_string, values[0],
+ &converted_size))
+ {
+ ret = ux_string;
+ }
+ ldap_value_free(values);
+ return ret;
+}
+
+/**
+ * pull an array of strings from a ADS result
+ * @param ads connection to ads server
+ * @param mem_ctx TALLOC_CTX to use for allocating result string
+ * @param msg Results of search
+ * @param field Attribute to retrieve
+ * @return Result strings in talloc context
+ **/
+ char **ads_pull_strings(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx,
+ LDAPMessage *msg, const char *field,
+ size_t *num_values)
+{
+ char **values;
+ char **ret = NULL;
+ size_t i, converted_size;
+
+ values = ldap_get_values(ads->ldap.ld, msg, field);
+ if (!values)
+ return NULL;
+
+ *num_values = ldap_count_values(values);
+
+ ret = talloc_array(mem_ctx, char *, *num_values + 1);
+ if (!ret) {
+ ldap_value_free(values);
+ return NULL;
+ }
+
+ for (i=0;i<*num_values;i++) {
+ if (!pull_utf8_talloc(mem_ctx, &ret[i], values[i],
+ &converted_size))
+ {
+ ldap_value_free(values);
+ return NULL;
+ }
+ }
+ ret[i] = NULL;
+
+ ldap_value_free(values);
+ return ret;
+}
+
+/**
+ * pull an array of strings from a ADS result
+ * (handle large multivalue attributes with range retrieval)
+ * @param ads connection to ads server
+ * @param mem_ctx TALLOC_CTX to use for allocating result string
+ * @param msg Results of search
+ * @param field Attribute to retrieve
+ * @param current_strings strings returned by a previous call to this function
+ * @param next_attribute The next query should ask for this attribute
+ * @param num_values How many values did we get this time?
+ * @param more_values Are there more values to get?
+ * @return Result strings in talloc context
+ **/
+ char **ads_pull_strings_range(ADS_STRUCT *ads,
+ TALLOC_CTX *mem_ctx,
+ LDAPMessage *msg, const char *field,
+ char **current_strings,
+ const char **next_attribute,
+ size_t *num_strings,
+ bool *more_strings)
+{
+ char *attr;
+ char *expected_range_attrib, *range_attr = NULL;
+ BerElement *ptr = NULL;
+ char **strings;
+ char **new_strings;
+ size_t num_new_strings;
+ unsigned long int range_start;
+ unsigned long int range_end;
+
+ /* we might have been given the whole lot anyway */
+ if ((strings = ads_pull_strings(ads, mem_ctx, msg, field, num_strings))) {
+ *more_strings = False;
+ return strings;
+ }
+
+ expected_range_attrib = talloc_asprintf(mem_ctx, "%s;Range=", field);
+
+ /* look for Range result */
+ for (attr = ldap_first_attribute(ads->ldap.ld, (LDAPMessage *)msg, &ptr);
+ attr;
+ attr = ldap_next_attribute(ads->ldap.ld, (LDAPMessage *)msg, ptr)) {
+ /* we ignore the fact that this is utf8, as all attributes are ascii... */
+ if (strnequal(attr, expected_range_attrib, strlen(expected_range_attrib))) {
+ range_attr = attr;
+ break;
+ }
+ ldap_memfree(attr);
+ }
+ if (!range_attr) {
+ ber_free(ptr, 0);
+ /* nothing here - this field is just empty */
+ *more_strings = False;
+ return NULL;
+ }
+
+ if (sscanf(&range_attr[strlen(expected_range_attrib)], "%lu-%lu",
+ &range_start, &range_end) == 2) {
+ *more_strings = True;
+ } else {
+ if (sscanf(&range_attr[strlen(expected_range_attrib)], "%lu-*",
+ &range_start) == 1) {
+ *more_strings = False;
+ } else {
+ DEBUG(1, ("ads_pull_strings_range: Cannot parse Range attribute (%s)\n",
+ range_attr));
+ ldap_memfree(range_attr);
+ *more_strings = False;
+ return NULL;
+ }
+ }
+
+ if ((*num_strings) != range_start) {
+ DEBUG(1, ("ads_pull_strings_range: Range attribute (%s) doesn't start at %u, but at %lu"
+ " - aborting range retrieval\n",
+ range_attr, (unsigned int)(*num_strings) + 1, range_start));
+ ldap_memfree(range_attr);
+ *more_strings = False;
+ return NULL;
+ }
+
+ new_strings = ads_pull_strings(ads, mem_ctx, msg, range_attr, &num_new_strings);
+
+ if (*more_strings && ((*num_strings + num_new_strings) != (range_end + 1))) {
+ DEBUG(1, ("ads_pull_strings_range: Range attribute (%s) tells us we have %lu "
+ "strings in this bunch, but we only got %lu - aborting range retrieval\n",
+ range_attr, (unsigned long int)range_end - range_start + 1,
+ (unsigned long int)num_new_strings));
+ ldap_memfree(range_attr);
+ *more_strings = False;
+ return NULL;
+ }
+
+ strings = talloc_realloc(mem_ctx, current_strings, char *,
+ *num_strings + num_new_strings);
+
+ if (strings == NULL) {
+ ldap_memfree(range_attr);
+ *more_strings = False;
+ return NULL;
+ }
+
+ if (new_strings && num_new_strings) {
+ memcpy(&strings[*num_strings], new_strings,
+ sizeof(*new_strings) * num_new_strings);
+ }
+
+ (*num_strings) += num_new_strings;
+
+ if (*more_strings) {
+ *next_attribute = talloc_asprintf(mem_ctx,
+ "%s;range=%d-*",
+ field,
+ (int)*num_strings);
+
+ if (!*next_attribute) {
+ DEBUG(1, ("talloc_asprintf for next attribute failed!\n"));
+ ldap_memfree(range_attr);
+ *more_strings = False;
+ return NULL;
+ }
+ }
+
+ ldap_memfree(range_attr);
+
+ return strings;
+}
+
+/**
+ * pull a single uint32_t from a ADS result
+ * @param ads connection to ads server
+ * @param msg Results of search
+ * @param field Attribute to retrieve
+ * @param v Pointer to int to store result
+ * @return boolean indicating success
+*/
+ bool ads_pull_uint32(ADS_STRUCT *ads, LDAPMessage *msg, const char *field,
+ uint32_t *v)
+{
+ char **values;
+
+ values = ldap_get_values(ads->ldap.ld, msg, field);
+ if (!values)
+ return False;
+ if (!values[0]) {
+ ldap_value_free(values);
+ return False;
+ }
+
+ *v = atoi(values[0]);
+ ldap_value_free(values);
+ return True;
+}
+
+/**
+ * pull a single objectGUID from an ADS result
+ * @param ads connection to ADS server
+ * @param msg results of search
+ * @param guid 37-byte area to receive text guid
+ * @return boolean indicating success
+ **/
+ bool ads_pull_guid(ADS_STRUCT *ads, LDAPMessage *msg, struct GUID *guid)
+{
+ DATA_BLOB blob;
+ NTSTATUS status;
+
+ if (!smbldap_talloc_single_blob(talloc_tos(), ads->ldap.ld, msg, "objectGUID",
+ &blob)) {
+ return false;
+ }
+
+ status = GUID_from_ndr_blob(&blob, guid);
+ talloc_free(blob.data);
+ return NT_STATUS_IS_OK(status);
+}
+
+
+/**
+ * pull a single struct dom_sid from a ADS result
+ * @param ads connection to ads server
+ * @param msg Results of search
+ * @param field Attribute to retrieve
+ * @param sid Pointer to sid to store result
+ * @return boolean indicating success
+*/
+ bool ads_pull_sid(ADS_STRUCT *ads, LDAPMessage *msg, const char *field,
+ struct dom_sid *sid)
+{
+ return smbldap_pull_sid(ads->ldap.ld, msg, field, sid);
+}
+
+/**
+ * pull an array of struct dom_sids from a ADS result
+ * @param ads connection to ads server
+ * @param mem_ctx TALLOC_CTX for allocating sid array
+ * @param msg Results of search
+ * @param field Attribute to retrieve
+ * @param sids pointer to sid array to allocate
+ * @return the count of SIDs pulled
+ **/
+ int ads_pull_sids(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx,
+ LDAPMessage *msg, const char *field, struct dom_sid **sids)
+{
+ struct berval **values;
+ int count, i;
+
+ values = ldap_get_values_len(ads->ldap.ld, msg, field);
+
+ if (!values)
+ return 0;
+
+ for (i=0; values[i]; i++)
+ /* nop */ ;
+
+ if (i) {
+ (*sids) = talloc_array(mem_ctx, struct dom_sid, i);
+ if (!(*sids)) {
+ ldap_value_free_len(values);
+ return 0;
+ }
+ } else {
+ (*sids) = NULL;
+ }
+
+ count = 0;
+ for (i=0; values[i]; i++) {
+ ssize_t ret;
+ ret = sid_parse((const uint8_t *)values[i]->bv_val,
+ values[i]->bv_len, &(*sids)[count]);
+ if (ret != -1) {
+ struct dom_sid_buf buf;
+ DBG_DEBUG("pulling SID: %s\n",
+ dom_sid_str_buf(&(*sids)[count], &buf));
+ count++;
+ }
+ }
+
+ ldap_value_free_len(values);
+ return count;
+}
+
+/**
+ * pull a struct security_descriptor from a ADS result
+ * @param ads connection to ads server
+ * @param mem_ctx TALLOC_CTX for allocating sid array
+ * @param msg Results of search
+ * @param field Attribute to retrieve
+ * @param sd Pointer to *struct security_descriptor to store result (talloc()ed)
+ * @return boolean indicating success
+*/
+ bool ads_pull_sd(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx,
+ LDAPMessage *msg, const char *field,
+ struct security_descriptor **sd)
+{
+ struct berval **values;
+ bool ret = true;
+
+ values = ldap_get_values_len(ads->ldap.ld, msg, field);
+
+ if (!values) return false;
+
+ if (values[0]) {
+ NTSTATUS status;
+ status = unmarshall_sec_desc(mem_ctx,
+ (uint8_t *)values[0]->bv_val,
+ values[0]->bv_len, sd);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("unmarshall_sec_desc failed: %s\n",
+ nt_errstr(status)));
+ ret = false;
+ }
+ }
+
+ ldap_value_free_len(values);
+ return ret;
+}
+
+/*
+ * in order to support usernames longer than 21 characters we need to
+ * use both the sAMAccountName and the userPrincipalName attributes
+ * It seems that not all users have the userPrincipalName attribute set
+ *
+ * @param ads connection to ads server
+ * @param mem_ctx TALLOC_CTX for allocating sid array
+ * @param msg Results of search
+ * @return the username
+ */
+ char *ads_pull_username(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx,
+ LDAPMessage *msg)
+{
+#if 0 /* JERRY */
+ char *ret, *p;
+
+ /* lookup_name() only works on the sAMAccountName to
+ returning the username portion of userPrincipalName
+ breaks winbindd_getpwnam() */
+
+ ret = ads_pull_string(ads, mem_ctx, msg, "userPrincipalName");
+ if (ret && (p = strchr_m(ret, '@'))) {
+ *p = 0;
+ return ret;
+ }
+#endif
+ return ads_pull_string(ads, mem_ctx, msg, "sAMAccountName");
+}
+
+
+/**
+ * find the update serial number - this is the core of the ldap cache
+ * @param ads connection to ads server
+ * @param ads connection to ADS server
+ * @param usn Pointer to retrieved update serial number
+ * @return status of search
+ **/
+ADS_STATUS ads_USN(ADS_STRUCT *ads, uint32_t *usn)
+{
+ const char *attrs[] = {"highestCommittedUSN", NULL};
+ ADS_STATUS status;
+ LDAPMessage *res;
+
+ status = ads_do_search_retry(ads, "", LDAP_SCOPE_BASE, "(objectclass=*)", attrs, &res);
+ if (!ADS_ERR_OK(status))
+ return status;
+
+ if (ads_count_replies(ads, res) != 1) {
+ ads_msgfree(ads, res);
+ return ADS_ERROR(LDAP_NO_RESULTS_RETURNED);
+ }
+
+ if (!ads_pull_uint32(ads, res, "highestCommittedUSN", usn)) {
+ ads_msgfree(ads, res);
+ return ADS_ERROR(LDAP_NO_SUCH_ATTRIBUTE);
+ }
+
+ ads_msgfree(ads, res);
+ return ADS_SUCCESS;
+}
+
+/* parse a ADS timestring - typical string is
+ '20020917091222.0Z0' which means 09:12.22 17th September
+ 2002, timezone 0 */
+static time_t ads_parse_time(const char *str)
+{
+ struct tm tm;
+
+ ZERO_STRUCT(tm);
+
+ if (sscanf(str, "%4d%2d%2d%2d%2d%2d",
+ &tm.tm_year, &tm.tm_mon, &tm.tm_mday,
+ &tm.tm_hour, &tm.tm_min, &tm.tm_sec) != 6) {
+ return 0;
+ }
+ tm.tm_year -= 1900;
+ tm.tm_mon -= 1;
+
+ return timegm(&tm);
+}
+
+/********************************************************************
+********************************************************************/
+
+ADS_STATUS ads_current_time(ADS_STRUCT *ads)
+{
+ const char *attrs[] = {"currentTime", NULL};
+ ADS_STATUS status;
+ LDAPMessage *res;
+ char *timestr;
+ TALLOC_CTX *tmp_ctx = talloc_stackframe();
+ ADS_STRUCT *ads_s = ads;
+
+ /* establish a new ldap tcp session if necessary */
+
+ if ( !ads->ldap.ld ) {
+ /*
+ * ADS_STRUCT may be being reused after a
+ * DC lookup, so ads->ldap.ss may already have a
+ * good address. If not, re-initialize the passed-in
+ * ADS_STRUCT with the given server.XXXX parameters.
+ *
+ * Note that this doesn't depend on
+ * ads->server.ldap_server != NULL,
+ * as the case where ads->server.ldap_server==NULL and
+ * ads->ldap.ss != zero_address is precisely the DC
+ * lookup case where ads->ldap.ss was found by going
+ * through ads_find_dc() again we want to avoid repeating.
+ */
+ if (is_zero_addr(&ads->ldap.ss)) {
+ ads_s = ads_init(tmp_ctx,
+ ads->server.realm,
+ ads->server.workgroup,
+ ads->server.ldap_server,
+ ADS_SASL_PLAIN );
+ if (ads_s == NULL) {
+ status = ADS_ERROR(LDAP_NO_MEMORY);
+ goto done;
+ }
+ }
+
+ /*
+ * Reset ads->config.flags as it can contain the flags
+ * returned by the previous CLDAP ping when reusing the struct.
+ */
+ ads_s->config.flags = 0;
+
+ ads_s->auth.flags = ADS_AUTH_ANON_BIND;
+ status = ads_connect( ads_s );
+ if ( !ADS_ERR_OK(status))
+ goto done;
+ }
+
+ status = ads_do_search(ads_s, "", LDAP_SCOPE_BASE, "(objectclass=*)", attrs, &res);
+ if (!ADS_ERR_OK(status)) {
+ goto done;
+ }
+
+ timestr = ads_pull_string(ads_s, tmp_ctx, res, "currentTime");
+ if (!timestr) {
+ ads_msgfree(ads_s, res);
+ status = ADS_ERROR(LDAP_NO_RESULTS_RETURNED);
+ goto done;
+ }
+
+ /* but save the time and offset in the original ADS_STRUCT */
+
+ ads->config.current_time = ads_parse_time(timestr);
+
+ if (ads->config.current_time != 0) {
+ ads->auth.time_offset = ads->config.current_time - time(NULL);
+ DEBUG(4,("KDC time offset is %d seconds\n", ads->auth.time_offset));
+ }
+
+ ads_msgfree(ads, res);
+
+ status = ADS_SUCCESS;
+
+done:
+ TALLOC_FREE(tmp_ctx);
+
+ return status;
+}
+
+/********************************************************************
+********************************************************************/
+
+ADS_STATUS ads_domain_func_level(ADS_STRUCT *ads, uint32_t *val)
+{
+ TALLOC_CTX *tmp_ctx = talloc_stackframe();
+ const char *attrs[] = {"domainFunctionality", NULL};
+ ADS_STATUS status;
+ LDAPMessage *res;
+ ADS_STRUCT *ads_s = ads;
+
+ *val = DS_DOMAIN_FUNCTION_2000;
+
+ /* establish a new ldap tcp session if necessary */
+
+ if ( !ads->ldap.ld ) {
+ /*
+ * ADS_STRUCT may be being reused after a
+ * DC lookup, so ads->ldap.ss may already have a
+ * good address. If not, re-initialize the passed-in
+ * ADS_STRUCT with the given server.XXXX parameters.
+ *
+ * Note that this doesn't depend on
+ * ads->server.ldap_server != NULL,
+ * as the case where ads->server.ldap_server==NULL and
+ * ads->ldap.ss != zero_address is precisely the DC
+ * lookup case where ads->ldap.ss was found by going
+ * through ads_find_dc() again we want to avoid repeating.
+ */
+ if (is_zero_addr(&ads->ldap.ss)) {
+ ads_s = ads_init(tmp_ctx,
+ ads->server.realm,
+ ads->server.workgroup,
+ ads->server.ldap_server,
+ ADS_SASL_PLAIN );
+ if (ads_s == NULL ) {
+ status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
+ goto done;
+ }
+ }
+
+ /*
+ * Reset ads->config.flags as it can contain the flags
+ * returned by the previous CLDAP ping when reusing the struct.
+ */
+ ads_s->config.flags = 0;
+
+ ads_s->auth.flags = ADS_AUTH_ANON_BIND;
+ status = ads_connect( ads_s );
+ if ( !ADS_ERR_OK(status))
+ goto done;
+ }
+
+ /* If the attribute does not exist assume it is a Windows 2000
+ functional domain */
+
+ status = ads_do_search(ads_s, "", LDAP_SCOPE_BASE, "(objectclass=*)", attrs, &res);
+ if (!ADS_ERR_OK(status)) {
+ if ( status.err.rc == LDAP_NO_SUCH_ATTRIBUTE ) {
+ status = ADS_SUCCESS;
+ }
+ goto done;
+ }
+
+ if ( !ads_pull_uint32(ads_s, res, "domainFunctionality", val) ) {
+ DEBUG(5,("ads_domain_func_level: Failed to pull the domainFunctionality attribute.\n"));
+ }
+ DEBUG(3,("ads_domain_func_level: %d\n", *val));
+
+
+ ads_msgfree(ads_s, res);
+
+done:
+ TALLOC_FREE(tmp_ctx);
+
+ return status;
+}
+
+/**
+ * find the domain sid for our domain
+ * @param ads connection to ads server
+ * @param sid Pointer to domain sid
+ * @return status of search
+ **/
+ADS_STATUS ads_domain_sid(ADS_STRUCT *ads, struct dom_sid *sid)
+{
+ const char *attrs[] = {"objectSid", NULL};
+ LDAPMessage *res;
+ ADS_STATUS rc;
+
+ rc = ads_do_search_retry(ads, ads->config.bind_path, LDAP_SCOPE_BASE, "(objectclass=*)",
+ attrs, &res);
+ if (!ADS_ERR_OK(rc)) return rc;
+ if (!ads_pull_sid(ads, res, "objectSid", sid)) {
+ ads_msgfree(ads, res);
+ return ADS_ERROR_SYSTEM(ENOENT);
+ }
+ ads_msgfree(ads, res);
+
+ return ADS_SUCCESS;
+}
+
+/**
+ * find our site name
+ * @param ads connection to ads server
+ * @param mem_ctx Pointer to talloc context
+ * @param site_name Pointer to the sitename
+ * @return status of search
+ **/
+ADS_STATUS ads_site_dn(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, const char **site_name)
+{
+ ADS_STATUS status;
+ LDAPMessage *res;
+ const char *dn, *service_name;
+ const char *attrs[] = { "dsServiceName", NULL };
+
+ status = ads_do_search(ads, "", LDAP_SCOPE_BASE, "(objectclass=*)", attrs, &res);
+ if (!ADS_ERR_OK(status)) {
+ return status;
+ }
+
+ service_name = ads_pull_string(ads, mem_ctx, res, "dsServiceName");
+ if (service_name == NULL) {
+ ads_msgfree(ads, res);
+ return ADS_ERROR(LDAP_NO_RESULTS_RETURNED);
+ }
+
+ ads_msgfree(ads, res);
+
+ /* go up three levels */
+ dn = ads_parent_dn(ads_parent_dn(ads_parent_dn(service_name)));
+ if (dn == NULL) {
+ return ADS_ERROR(LDAP_NO_MEMORY);
+ }
+
+ *site_name = talloc_strdup(mem_ctx, dn);
+ if (*site_name == NULL) {
+ return ADS_ERROR(LDAP_NO_MEMORY);
+ }
+
+ return status;
+ /*
+ dsServiceName: CN=NTDS Settings,CN=W2K3DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ber,DC=suse,DC=de
+ */
+}
+
+/**
+ * find the site dn where a machine resides
+ * @param ads connection to ads server
+ * @param mem_ctx Pointer to talloc context
+ * @param computer_name name of the machine
+ * @param site_name Pointer to the sitename
+ * @return status of search
+ **/
+ADS_STATUS ads_site_dn_for_machine(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, const char *computer_name, const char **site_dn)
+{
+ ADS_STATUS status;
+ LDAPMessage *res;
+ const char *parent, *filter;
+ char *config_context = NULL;
+ char *dn;
+
+ /* shortcut a query */
+ if (strequal(computer_name, ads->config.ldap_server_name)) {
+ return ads_site_dn(ads, mem_ctx, site_dn);
+ }
+
+ status = ads_config_path(ads, mem_ctx, &config_context);
+ if (!ADS_ERR_OK(status)) {
+ return status;
+ }
+
+ filter = talloc_asprintf(mem_ctx, "(cn=%s)", computer_name);
+ if (filter == NULL) {
+ return ADS_ERROR(LDAP_NO_MEMORY);
+ }
+
+ status = ads_do_search(ads, config_context, LDAP_SCOPE_SUBTREE,
+ filter, NULL, &res);
+ if (!ADS_ERR_OK(status)) {
+ return status;
+ }
+
+ if (ads_count_replies(ads, res) != 1) {
+ ads_msgfree(ads, res);
+ return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
+ }
+
+ dn = ads_get_dn(ads, mem_ctx, res);
+ if (dn == NULL) {
+ ads_msgfree(ads, res);
+ return ADS_ERROR(LDAP_NO_MEMORY);
+ }
+
+ /* go up three levels */
+ parent = ads_parent_dn(ads_parent_dn(ads_parent_dn(dn)));
+ if (parent == NULL) {
+ ads_msgfree(ads, res);
+ TALLOC_FREE(dn);
+ return ADS_ERROR(LDAP_NO_MEMORY);
+ }
+
+ *site_dn = talloc_strdup(mem_ctx, parent);
+ if (*site_dn == NULL) {
+ ads_msgfree(ads, res);
+ TALLOC_FREE(dn);
+ return ADS_ERROR(LDAP_NO_MEMORY);
+ }
+
+ TALLOC_FREE(dn);
+ ads_msgfree(ads, res);
+
+ return status;
+}
+
+/**
+ * get the upn suffixes for a domain
+ * @param ads connection to ads server
+ * @param mem_ctx Pointer to talloc context
+ * @param suffixes Pointer to an array of suffixes
+ * @param num_suffixes Pointer to the number of suffixes
+ * @return status of search
+ **/
+ADS_STATUS ads_upn_suffixes(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, char ***suffixes, size_t *num_suffixes)
+{
+ ADS_STATUS status;
+ LDAPMessage *res;
+ const char *base;
+ char *config_context = NULL;
+ const char *attrs[] = { "uPNSuffixes", NULL };
+
+ status = ads_config_path(ads, mem_ctx, &config_context);
+ if (!ADS_ERR_OK(status)) {
+ return status;
+ }
+
+ base = talloc_asprintf(mem_ctx, "cn=Partitions,%s", config_context);
+ if (base == NULL) {
+ return ADS_ERROR(LDAP_NO_MEMORY);
+ }
+
+ status = ads_search_dn(ads, &res, base, attrs);
+ if (!ADS_ERR_OK(status)) {
+ return status;
+ }
+
+ if (ads_count_replies(ads, res) != 1) {
+ ads_msgfree(ads, res);
+ return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
+ }
+
+ (*suffixes) = ads_pull_strings(ads, mem_ctx, res, "uPNSuffixes", num_suffixes);
+ if ((*suffixes) == NULL) {
+ ads_msgfree(ads, res);
+ return ADS_ERROR(LDAP_NO_MEMORY);
+ }
+
+ ads_msgfree(ads, res);
+
+ return status;
+}
+
+/**
+ * get the joinable ous for a domain
+ * @param ads connection to ads server
+ * @param mem_ctx Pointer to talloc context
+ * @param ous Pointer to an array of ous
+ * @param num_ous Pointer to the number of ous
+ * @return status of search
+ **/
+ADS_STATUS ads_get_joinable_ous(ADS_STRUCT *ads,
+ TALLOC_CTX *mem_ctx,
+ char ***ous,
+ size_t *num_ous)
+{
+ ADS_STATUS status;
+ LDAPMessage *res = NULL;
+ LDAPMessage *msg = NULL;
+ const char *attrs[] = { "dn", NULL };
+ int count = 0;
+
+ status = ads_search(ads, &res,
+ "(|(objectClass=domain)(objectclass=organizationalUnit))",
+ attrs);
+ if (!ADS_ERR_OK(status)) {
+ return status;
+ }
+
+ count = ads_count_replies(ads, res);
+ if (count < 1) {
+ ads_msgfree(ads, res);
+ return ADS_ERROR(LDAP_NO_RESULTS_RETURNED);
+ }
+
+ for (msg = ads_first_entry(ads, res); msg;
+ msg = ads_next_entry(ads, msg)) {
+ const char **p = discard_const_p(const char *, *ous);
+ char *dn = NULL;
+
+ dn = ads_get_dn(ads, talloc_tos(), msg);
+ if (!dn) {
+ ads_msgfree(ads, res);
+ return ADS_ERROR(LDAP_NO_MEMORY);
+ }
+
+ if (!add_string_to_array(mem_ctx, dn, &p, num_ous)) {
+ TALLOC_FREE(dn);
+ ads_msgfree(ads, res);
+ return ADS_ERROR(LDAP_NO_MEMORY);
+ }
+
+ TALLOC_FREE(dn);
+ *ous = discard_const_p(char *, p);
+ }
+
+ ads_msgfree(ads, res);
+
+ return status;
+}
+
+
+/**
+ * pull a struct dom_sid from an extended dn string
+ * @param mem_ctx TALLOC_CTX
+ * @param extended_dn string
+ * @param flags string type of extended_dn
+ * @param sid pointer to a struct dom_sid
+ * @return NT_STATUS_OK on success,
+ * NT_INVALID_PARAMETER on error,
+ * NT_STATUS_NOT_FOUND if no SID present
+ **/
+ADS_STATUS ads_get_sid_from_extended_dn(TALLOC_CTX *mem_ctx,
+ const char *extended_dn,
+ enum ads_extended_dn_flags flags,
+ struct dom_sid *sid)
+{
+ char *p, *q, *dn;
+
+ if (!extended_dn) {
+ return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
+ }
+
+ /* otherwise extended_dn gets stripped off */
+ if ((dn = talloc_strdup(mem_ctx, extended_dn)) == NULL) {
+ return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
+ }
+ /*
+ * ADS_EXTENDED_DN_HEX_STRING:
+ * <GUID=238e1963cb390f4bb032ba0105525a29>;<SID=010500000000000515000000bb68c8fd6b61b427572eb04556040000>;CN=gd,OU=berlin,OU=suse,DC=ber,DC=suse,DC=de
+ *
+ * ADS_EXTENDED_DN_STRING (only with w2k3):
+ * <GUID=63198e23-39cb-4b0f-b032-ba0105525a29>;<SID=S-1-5-21-4257769659-666132843-1169174103-1110>;CN=gd,OU=berlin,OU=suse,DC=ber,DC=suse,DC=de
+ *
+ * Object with no SID, such as an Exchange Public Folder
+ * <GUID=28907fb4bdf6854993e7f0a10b504e7c>;CN=public,CN=Microsoft Exchange System Objects,DC=sd2k3ms,DC=west,DC=isilon,DC=com
+ */
+
+ p = strchr(dn, ';');
+ if (!p) {
+ return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
+ }
+
+ if (strncmp(p, ";<SID=", strlen(";<SID=")) != 0) {
+ DEBUG(5,("No SID present in extended dn\n"));
+ return ADS_ERROR_NT(NT_STATUS_NOT_FOUND);
+ }
+
+ p += strlen(";<SID=");
+
+ q = strchr(p, '>');
+ if (!q) {
+ return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
+ }
+
+ *q = '\0';
+
+ DEBUG(100,("ads_get_sid_from_extended_dn: sid string is %s\n", p));
+
+ switch (flags) {
+
+ case ADS_EXTENDED_DN_STRING:
+ if (!string_to_sid(sid, p)) {
+ return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
+ }
+ break;
+ case ADS_EXTENDED_DN_HEX_STRING: {
+ ssize_t ret;
+ fstring buf;
+ size_t buf_len;
+
+ buf_len = strhex_to_str(buf, sizeof(buf), p, strlen(p));
+ if (buf_len == 0) {
+ return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
+ }
+
+ ret = sid_parse((const uint8_t *)buf, buf_len, sid);
+ if (ret == -1) {
+ DEBUG(10,("failed to parse sid\n"));
+ return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
+ }
+ break;
+ }
+ default:
+ DEBUG(10,("unknown extended dn format\n"));
+ return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
+ }
+
+ return ADS_ERROR_NT(NT_STATUS_OK);
+}
+
+/********************************************************************
+********************************************************************/
+
+char* ads_get_dnshostname( ADS_STRUCT *ads, TALLOC_CTX *ctx, const char *machine_name )
+{
+ LDAPMessage *res = NULL;
+ ADS_STATUS status;
+ int count = 0;
+ char *name = NULL;
+
+ status = ads_find_machine_acct(ads, &res, machine_name);
+ if (!ADS_ERR_OK(status)) {
+ DEBUG(0,("ads_get_dnshostname: Failed to find account for %s\n",
+ lp_netbios_name()));
+ goto out;
+ }
+
+ if ( (count = ads_count_replies(ads, res)) != 1 ) {
+ DEBUG(1,("ads_get_dnshostname: %d entries returned!\n", count));
+ goto out;
+ }
+
+ if ( (name = ads_pull_string(ads, ctx, res, "dNSHostName")) == NULL ) {
+ DEBUG(0,("ads_get_dnshostname: No dNSHostName attribute!\n"));
+ }
+
+out:
+ ads_msgfree(ads, res);
+
+ return name;
+}
+
+/********************************************************************
+********************************************************************/
+
+static char **get_addl_hosts(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx,
+ LDAPMessage *msg, size_t *num_values)
+{
+ const char *field = "msDS-AdditionalDnsHostName";
+ struct berval **values = NULL;
+ char **ret = NULL;
+ size_t i, converted_size;
+
+ /*
+ * Windows DC implicitly adds a short name for each FQDN added to
+ * msDS-AdditionalDnsHostName, but it comes with a strange binary
+ * suffix "\0$" which we should ignore (see bug #14406).
+ */
+
+ values = ldap_get_values_len(ads->ldap.ld, msg, field);
+ if (values == NULL) {
+ return NULL;
+ }
+
+ *num_values = ldap_count_values_len(values);
+
+ ret = talloc_array(mem_ctx, char *, *num_values + 1);
+ if (ret == NULL) {
+ ldap_value_free_len(values);
+ return NULL;
+ }
+
+ for (i = 0; i < *num_values; i++) {
+ ret[i] = NULL;
+ if (!convert_string_talloc(mem_ctx, CH_UTF8, CH_UNIX,
+ values[i]->bv_val,
+ strnlen(values[i]->bv_val,
+ values[i]->bv_len),
+ &ret[i], &converted_size)) {
+ ldap_value_free_len(values);
+ return NULL;
+ }
+ }
+ ret[i] = NULL;
+
+ ldap_value_free_len(values);
+ return ret;
+}
+
+ADS_STATUS ads_get_additional_dns_hostnames(TALLOC_CTX *mem_ctx,
+ ADS_STRUCT *ads,
+ const char *machine_name,
+ char ***hostnames_array,
+ size_t *num_hostnames)
+{
+ ADS_STATUS status;
+ LDAPMessage *res = NULL;
+ int count;
+
+ status = ads_find_machine_acct(ads,
+ &res,
+ machine_name);
+ if (!ADS_ERR_OK(status)) {
+ DEBUG(1,("Host Account for %s not found... skipping operation.\n",
+ machine_name));
+ return status;
+ }
+
+ count = ads_count_replies(ads, res);
+ if (count != 1) {
+ status = ADS_ERROR(LDAP_NO_SUCH_OBJECT);
+ goto done;
+ }
+
+ *hostnames_array = get_addl_hosts(ads, mem_ctx, res, num_hostnames);
+ if (*hostnames_array == NULL) {
+ DEBUG(1, ("Host account for %s does not have msDS-AdditionalDnsHostName.\n",
+ machine_name));
+ status = ADS_ERROR(LDAP_NO_SUCH_OBJECT);
+ goto done;
+ }
+
+done:
+ ads_msgfree(ads, res);
+
+ return status;
+}
+
+/********************************************************************
+********************************************************************/
+
+char* ads_get_upn( ADS_STRUCT *ads, TALLOC_CTX *ctx, const char *machine_name )
+{
+ LDAPMessage *res = NULL;
+ ADS_STATUS status;
+ int count = 0;
+ char *name = NULL;
+
+ status = ads_find_machine_acct(ads, &res, machine_name);
+ if (!ADS_ERR_OK(status)) {
+ DEBUG(0,("ads_get_upn: Failed to find account for %s\n",
+ lp_netbios_name()));
+ goto out;
+ }
+
+ if ( (count = ads_count_replies(ads, res)) != 1 ) {
+ DEBUG(1,("ads_get_upn: %d entries returned!\n", count));
+ goto out;
+ }
+
+ if ( (name = ads_pull_string(ads, ctx, res, "userPrincipalName")) == NULL ) {
+ DEBUG(2,("ads_get_upn: No userPrincipalName attribute!\n"));
+ }
+
+out:
+ ads_msgfree(ads, res);
+
+ return name;
+}
+
+/********************************************************************
+********************************************************************/
+
+bool ads_has_samaccountname( ADS_STRUCT *ads, TALLOC_CTX *ctx, const char *machine_name )
+{
+ LDAPMessage *res = NULL;
+ ADS_STATUS status;
+ int count = 0;
+ char *name = NULL;
+ bool ok = false;
+
+ status = ads_find_machine_acct(ads, &res, machine_name);
+ if (!ADS_ERR_OK(status)) {
+ DEBUG(0,("ads_has_samaccountname: Failed to find account for %s\n",
+ lp_netbios_name()));
+ goto out;
+ }
+
+ if ( (count = ads_count_replies(ads, res)) != 1 ) {
+ DEBUG(1,("ads_has_samaccountname: %d entries returned!\n", count));
+ goto out;
+ }
+
+ if ( (name = ads_pull_string(ads, ctx, res, "sAMAccountName")) == NULL ) {
+ DEBUG(0,("ads_has_samaccountname: No sAMAccountName attribute!\n"));
+ }
+
+out:
+ ads_msgfree(ads, res);
+ if (name != NULL) {
+ ok = (strlen(name) > 0);
+ }
+ TALLOC_FREE(name);
+ return ok;
+}
+
+#if 0
+
+ SAVED CODE - we used to join via ldap - remember how we did this. JRA.
+
+/**
+ * Join a machine to a realm
+ * Creates the machine account and sets the machine password
+ * @param ads connection to ads server
+ * @param machine name of host to add
+ * @param org_unit Organizational unit to place machine in
+ * @return status of join
+ **/
+ADS_STATUS ads_join_realm(ADS_STRUCT *ads, const char *machine_name,
+ uint32_t account_type, const char *org_unit)
+{
+ ADS_STATUS status;
+ LDAPMessage *res = NULL;
+ char *machine;
+
+ /* machine name must be lowercase */
+ machine = SMB_STRDUP(machine_name);
+ strlower_m(machine);
+
+ /*
+ status = ads_find_machine_acct(ads, (void **)&res, machine);
+ if (ADS_ERR_OK(status) && ads_count_replies(ads, res) == 1) {
+ DEBUG(0, ("Host account for %s already exists - deleting old account\n", machine));
+ status = ads_leave_realm(ads, machine);
+ if (!ADS_ERR_OK(status)) {
+ DEBUG(0, ("Failed to delete host '%s' from the '%s' realm.\n",
+ machine, ads->config.realm));
+ return status;
+ }
+ }
+ */
+ status = ads_add_machine_acct(ads, machine, account_type, org_unit);
+ if (!ADS_ERR_OK(status)) {
+ DEBUG(0, ("ads_join_realm: ads_add_machine_acct failed (%s): %s\n", machine, ads_errstr(status)));
+ SAFE_FREE(machine);
+ return status;
+ }
+
+ status = ads_find_machine_acct(ads, (void **)(void *)&res, machine);
+ if (!ADS_ERR_OK(status)) {
+ DEBUG(0, ("ads_join_realm: Host account test failed for machine %s\n", machine));
+ SAFE_FREE(machine);
+ return status;
+ }
+
+ SAFE_FREE(machine);
+ ads_msgfree(ads, res);
+
+ return status;
+}
+#endif
+
+/**
+ * Delete a machine from the realm
+ * @param ads connection to ads server
+ * @param hostname Machine to remove
+ * @return status of delete
+ **/
+ADS_STATUS ads_leave_realm(ADS_STRUCT *ads, const char *hostname)
+{
+ ADS_STATUS status;
+ void *msg;
+ LDAPMessage *res;
+ char *hostnameDN, *host;
+ int rc;
+ LDAPControl ldap_control;
+ LDAPControl * pldap_control[2] = {NULL, NULL};
+
+ pldap_control[0] = &ldap_control;
+ memset(&ldap_control, 0, sizeof(LDAPControl));
+ ldap_control.ldctl_oid = discard_const_p(char, LDAP_SERVER_TREE_DELETE_OID);
+
+ /* hostname must be lowercase */
+ host = SMB_STRDUP(hostname);
+ if (!strlower_m(host)) {
+ SAFE_FREE(host);
+ return ADS_ERROR_SYSTEM(EINVAL);
+ }
+
+ status = ads_find_machine_acct(ads, &res, host);
+ if (!ADS_ERR_OK(status)) {
+ DEBUG(0, ("Host account for %s does not exist.\n", host));
+ SAFE_FREE(host);
+ return status;
+ }
+
+ msg = ads_first_entry(ads, res);
+ if (!msg) {
+ SAFE_FREE(host);
+ return ADS_ERROR_SYSTEM(ENOENT);
+ }
+
+ hostnameDN = ads_get_dn(ads, talloc_tos(), (LDAPMessage *)msg);
+ if (hostnameDN == NULL) {
+ SAFE_FREE(host);
+ return ADS_ERROR_SYSTEM(ENOENT);
+ }
+
+ rc = ldap_delete_ext_s(ads->ldap.ld, hostnameDN, pldap_control, NULL);
+ if (rc) {
+ DEBUG(3,("ldap_delete_ext_s failed with error code %d\n", rc));
+ }else {
+ DEBUG(3,("ldap_delete_ext_s succeeded with error code %d\n", rc));
+ }
+
+ if (rc != LDAP_SUCCESS) {
+ const char *attrs[] = { "cn", NULL };
+ LDAPMessage *msg_sub;
+
+ /* we only search with scope ONE, we do not expect any further
+ * objects to be created deeper */
+
+ status = ads_do_search_retry(ads, hostnameDN,
+ LDAP_SCOPE_ONELEVEL,
+ "(objectclass=*)", attrs, &res);
+
+ if (!ADS_ERR_OK(status)) {
+ SAFE_FREE(host);
+ TALLOC_FREE(hostnameDN);
+ return status;
+ }
+
+ for (msg_sub = ads_first_entry(ads, res); msg_sub;
+ msg_sub = ads_next_entry(ads, msg_sub)) {
+
+ char *dn = NULL;
+
+ if ((dn = ads_get_dn(ads, talloc_tos(), msg_sub)) == NULL) {
+ SAFE_FREE(host);
+ TALLOC_FREE(hostnameDN);
+ return ADS_ERROR(LDAP_NO_MEMORY);
+ }
+
+ status = ads_del_dn(ads, dn);
+ if (!ADS_ERR_OK(status)) {
+ DEBUG(3,("failed to delete dn %s: %s\n", dn, ads_errstr(status)));
+ SAFE_FREE(host);
+ TALLOC_FREE(dn);
+ TALLOC_FREE(hostnameDN);
+ return status;
+ }
+
+ TALLOC_FREE(dn);
+ }
+
+ /* there should be no subordinate objects anymore */
+ status = ads_do_search_retry(ads, hostnameDN,
+ LDAP_SCOPE_ONELEVEL,
+ "(objectclass=*)", attrs, &res);
+
+ if (!ADS_ERR_OK(status) || ( (ads_count_replies(ads, res)) > 0 ) ) {
+ SAFE_FREE(host);
+ TALLOC_FREE(hostnameDN);
+ return status;
+ }
+
+ /* delete hostnameDN now */
+ status = ads_del_dn(ads, hostnameDN);
+ if (!ADS_ERR_OK(status)) {
+ SAFE_FREE(host);
+ DEBUG(3,("failed to delete dn %s: %s\n", hostnameDN, ads_errstr(status)));
+ TALLOC_FREE(hostnameDN);
+ return status;
+ }
+ }
+
+ TALLOC_FREE(hostnameDN);
+
+ status = ads_find_machine_acct(ads, &res, host);
+ if ((status.error_type == ENUM_ADS_ERROR_LDAP) &&
+ (status.err.rc != LDAP_NO_SUCH_OBJECT)) {
+ DEBUG(3, ("Failed to remove host account.\n"));
+ SAFE_FREE(host);
+ return status;
+ }
+
+ SAFE_FREE(host);
+ return ADS_SUCCESS;
+}
+
+/**
+ * pull all token-sids from an LDAP dn
+ * @param ads connection to ads server
+ * @param mem_ctx TALLOC_CTX for allocating sid array
+ * @param dn of LDAP object
+ * @param user_sid pointer to struct dom_sid (objectSid)
+ * @param primary_group_sid pointer to struct dom_sid (self composed)
+ * @param sids pointer to sid array to allocate
+ * @param num_sids counter of SIDs pulled
+ * @return status of token query
+ **/
+ ADS_STATUS ads_get_tokensids(ADS_STRUCT *ads,
+ TALLOC_CTX *mem_ctx,
+ const char *dn,
+ struct dom_sid *user_sid,
+ struct dom_sid *primary_group_sid,
+ struct dom_sid **sids,
+ size_t *num_sids)
+{
+ ADS_STATUS status;
+ LDAPMessage *res = NULL;
+ int count = 0;
+ size_t tmp_num_sids;
+ struct dom_sid *tmp_sids;
+ struct dom_sid tmp_user_sid;
+ struct dom_sid tmp_primary_group_sid;
+ uint32_t pgid;
+ const char *attrs[] = {
+ "objectSid",
+ "tokenGroups",
+ "primaryGroupID",
+ NULL
+ };
+
+ status = ads_search_retry_dn(ads, &res, dn, attrs);
+ if (!ADS_ERR_OK(status)) {
+ return status;
+ }
+
+ count = ads_count_replies(ads, res);
+ if (count != 1) {
+ ads_msgfree(ads, res);
+ return ADS_ERROR_LDAP(LDAP_NO_SUCH_OBJECT);
+ }
+
+ if (!ads_pull_sid(ads, res, "objectSid", &tmp_user_sid)) {
+ ads_msgfree(ads, res);
+ return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+ }
+
+ if (!ads_pull_uint32(ads, res, "primaryGroupID", &pgid)) {
+ ads_msgfree(ads, res);
+ return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+ }
+
+ {
+ /* hack to compose the primary group sid without knowing the
+ * domsid */
+
+ struct dom_sid domsid;
+
+ sid_copy(&domsid, &tmp_user_sid);
+
+ if (!sid_split_rid(&domsid, NULL)) {
+ ads_msgfree(ads, res);
+ return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+ }
+
+ if (!sid_compose(&tmp_primary_group_sid, &domsid, pgid)) {
+ ads_msgfree(ads, res);
+ return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+ }
+ }
+
+ tmp_num_sids = ads_pull_sids(ads, mem_ctx, res, "tokenGroups", &tmp_sids);
+
+ if (tmp_num_sids == 0 || !tmp_sids) {
+ ads_msgfree(ads, res);
+ return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+ }
+
+ if (num_sids) {
+ *num_sids = tmp_num_sids;
+ }
+
+ if (sids) {
+ *sids = tmp_sids;
+ }
+
+ if (user_sid) {
+ *user_sid = tmp_user_sid;
+ }
+
+ if (primary_group_sid) {
+ *primary_group_sid = tmp_primary_group_sid;
+ }
+
+ DEBUG(10,("ads_get_tokensids: returned %d sids\n", (int)tmp_num_sids + 2));
+
+ ads_msgfree(ads, res);
+ return ADS_ERROR_LDAP(LDAP_SUCCESS);
+}
+
+/**
+ * Find a sAMAccountName in LDAP
+ * @param ads connection to ads server
+ * @param mem_ctx TALLOC_CTX for allocating sid array
+ * @param samaccountname to search
+ * @param uac_ret uint32_t pointer userAccountControl attribute value
+ * @param dn_ret pointer to dn
+ * @return status of token query
+ **/
+ADS_STATUS ads_find_samaccount(ADS_STRUCT *ads,
+ TALLOC_CTX *mem_ctx,
+ const char *samaccountname,
+ uint32_t *uac_ret,
+ const char **dn_ret)
+{
+ ADS_STATUS status;
+ const char *attrs[] = { "userAccountControl", NULL };
+ const char *filter;
+ LDAPMessage *res = NULL;
+ char *dn = NULL;
+ uint32_t uac = 0;
+
+ filter = talloc_asprintf(mem_ctx, "(&(objectclass=user)(sAMAccountName=%s))",
+ samaccountname);
+ if (filter == NULL) {
+ status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
+ goto out;
+ }
+
+ status = ads_do_search_all(ads, ads->config.bind_path,
+ LDAP_SCOPE_SUBTREE,
+ filter, attrs, &res);
+
+ if (!ADS_ERR_OK(status)) {
+ goto out;
+ }
+
+ if (ads_count_replies(ads, res) != 1) {
+ status = ADS_ERROR(LDAP_NO_RESULTS_RETURNED);
+ goto out;
+ }
+
+ dn = ads_get_dn(ads, talloc_tos(), res);
+ if (dn == NULL) {
+ status = ADS_ERROR(LDAP_NO_MEMORY);
+ goto out;
+ }
+
+ if (!ads_pull_uint32(ads, res, "userAccountControl", &uac)) {
+ status = ADS_ERROR(LDAP_NO_SUCH_ATTRIBUTE);
+ goto out;
+ }
+
+ if (uac_ret) {
+ *uac_ret = uac;
+ }
+
+ if (dn_ret) {
+ *dn_ret = talloc_strdup(mem_ctx, dn);
+ if (!*dn_ret) {
+ status = ADS_ERROR(LDAP_NO_MEMORY);
+ goto out;
+ }
+ }
+ out:
+ TALLOC_FREE(dn);
+ ads_msgfree(ads, res);
+
+ return status;
+}
+
+/**
+ * find our configuration path
+ * @param ads connection to ads server
+ * @param mem_ctx Pointer to talloc context
+ * @param config_path Pointer to the config path
+ * @return status of search
+ **/
+ADS_STATUS ads_config_path(ADS_STRUCT *ads,
+ TALLOC_CTX *mem_ctx,
+ char **config_path)
+{
+ ADS_STATUS status;
+ LDAPMessage *res = NULL;
+ const char *config_context = NULL;
+ const char *attrs[] = { "configurationNamingContext", NULL };
+
+ status = ads_do_search(ads, "", LDAP_SCOPE_BASE,
+ "(objectclass=*)", attrs, &res);
+ if (!ADS_ERR_OK(status)) {
+ return status;
+ }
+
+ config_context = ads_pull_string(ads, mem_ctx, res,
+ "configurationNamingContext");
+ ads_msgfree(ads, res);
+ if (!config_context) {
+ return ADS_ERROR(LDAP_NO_MEMORY);
+ }
+
+ if (config_path) {
+ *config_path = talloc_strdup(mem_ctx, config_context);
+ if (!*config_path) {
+ return ADS_ERROR(LDAP_NO_MEMORY);
+ }
+ }
+
+ return ADS_ERROR(LDAP_SUCCESS);
+}
+
+/**
+ * find the displayName of an extended right
+ * @param ads connection to ads server
+ * @param config_path The config path
+ * @param mem_ctx Pointer to talloc context
+ * @param GUID struct of the rightsGUID
+ * @return status of search
+ **/
+const char *ads_get_extended_right_name_by_guid(ADS_STRUCT *ads,
+ const char *config_path,
+ TALLOC_CTX *mem_ctx,
+ const struct GUID *rights_guid)
+{
+ ADS_STATUS rc;
+ LDAPMessage *res = NULL;
+ char *expr = NULL;
+ const char *attrs[] = { "displayName", NULL };
+ const char *result = NULL;
+ const char *path;
+
+ if (!ads || !mem_ctx || !rights_guid) {
+ goto done;
+ }
+
+ expr = talloc_asprintf(mem_ctx, "(rightsGuid=%s)",
+ GUID_string(mem_ctx, rights_guid));
+ if (!expr) {
+ goto done;
+ }
+
+ path = talloc_asprintf(mem_ctx, "cn=Extended-Rights,%s", config_path);
+ if (!path) {
+ goto done;
+ }
+
+ rc = ads_do_search_retry(ads, path, LDAP_SCOPE_SUBTREE,
+ expr, attrs, &res);
+ if (!ADS_ERR_OK(rc)) {
+ goto done;
+ }
+
+ if (ads_count_replies(ads, res) != 1) {
+ goto done;
+ }
+
+ result = ads_pull_string(ads, mem_ctx, res, "displayName");
+
+ done:
+ ads_msgfree(ads, res);
+ return result;
+}
+
+/**
+ * verify or build and verify an account ou
+ * @param mem_ctx Pointer to talloc context
+ * @param ads connection to ads server
+ * @param account_ou
+ * @return status of search
+ **/
+
+ADS_STATUS ads_check_ou_dn(TALLOC_CTX *mem_ctx,
+ ADS_STRUCT *ads,
+ const char **account_ou)
+{
+ char **exploded_dn;
+ const char *name;
+ char *ou_string;
+
+ if (account_ou == NULL) {
+ return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
+ }
+
+ if (*account_ou != NULL) {
+ exploded_dn = ldap_explode_dn(*account_ou, 0);
+ if (exploded_dn) {
+ ldap_value_free(exploded_dn);
+ return ADS_SUCCESS;
+ }
+ }
+
+ ou_string = ads_ou_string(ads, *account_ou);
+ if (!ou_string) {
+ return ADS_ERROR_LDAP(LDAP_INVALID_DN_SYNTAX);
+ }
+
+ name = talloc_asprintf(mem_ctx, "%s,%s", ou_string,
+ ads->config.bind_path);
+ SAFE_FREE(ou_string);
+
+ if (!name) {
+ return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+ }
+
+ exploded_dn = ldap_explode_dn(name, 0);
+ if (!exploded_dn) {
+ return ADS_ERROR_LDAP(LDAP_INVALID_DN_SYNTAX);
+ }
+ ldap_value_free(exploded_dn);
+
+ *account_ou = name;
+ return ADS_SUCCESS;
+}
+
+#endif
diff --git a/source3/libads/ldap_printer.c b/source3/libads/ldap_printer.c
new file mode 100644
index 0000000..e610893
--- /dev/null
+++ b/source3/libads/ldap_printer.c
@@ -0,0 +1,361 @@
+/*
+ Unix SMB/CIFS implementation.
+ ads (active directory) printer utility library
+ Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "ads.h"
+#include "rpc_client/rpc_client.h"
+#include "../librpc/gen_ndr/ndr_spoolss_c.h"
+#include "rpc_client/cli_spoolss.h"
+#include "registry.h"
+#include "libcli/registry/util_reg.h"
+
+#ifdef HAVE_ADS
+
+/*
+ find a printer given the name and the hostname
+ Note that results "res" may be allocated on return so that the
+ results can be used. It should be freed using ads_msgfree.
+*/
+ ADS_STATUS ads_find_printer_on_server(ADS_STRUCT *ads, LDAPMessage **res,
+ const char *printer,
+ const char *servername)
+{
+ ADS_STATUS status;
+ char *srv_dn, **srv_cn, *s = NULL;
+ const char *attrs[] = {"*", "nTSecurityDescriptor", NULL};
+
+ status = ads_find_machine_acct(ads, res, servername);
+ if (!ADS_ERR_OK(status)) {
+ DEBUG(1, ("ads_find_printer_on_server: cannot find host %s in ads\n",
+ servername));
+ return status;
+ }
+ if (ads_count_replies(ads, *res) != 1) {
+ ads_msgfree(ads, *res);
+ *res = NULL;
+ return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
+ }
+ srv_dn = ldap_get_dn(ads->ldap.ld, *res);
+ if (srv_dn == NULL) {
+ ads_msgfree(ads, *res);
+ *res = NULL;
+ return ADS_ERROR(LDAP_NO_MEMORY);
+ }
+ srv_cn = ldap_explode_dn(srv_dn, 1);
+ if (srv_cn == NULL) {
+ ldap_memfree(srv_dn);
+ ads_msgfree(ads, *res);
+ *res = NULL;
+ return ADS_ERROR(LDAP_INVALID_DN_SYNTAX);
+ }
+ ads_msgfree(ads, *res);
+ *res = NULL;
+
+ if (asprintf(&s, "(cn=%s-%s)", srv_cn[0], printer) == -1) {
+ ldap_memfree(srv_dn);
+ return ADS_ERROR(LDAP_NO_MEMORY);
+ }
+ status = ads_search(ads, res, s, attrs);
+
+ ldap_memfree(srv_dn);
+ ldap_value_free(srv_cn);
+ SAFE_FREE(s);
+ return status;
+}
+
+ ADS_STATUS ads_find_printers(ADS_STRUCT *ads, LDAPMessage **res)
+{
+ const char *ldap_expr;
+ const char *attrs[] = { "objectClass", "printerName", "location", "driverName",
+ "serverName", "description", NULL };
+
+ /* For the moment only display all printers */
+
+ ldap_expr = "(&(!(showInAdvancedViewOnly=TRUE))(uncName=*)"
+ "(objectCategory=printQueue))";
+
+ return ads_search(ads, res, ldap_expr, attrs);
+}
+
+/*
+ modify a printer entry in the directory
+*/
+ADS_STATUS ads_mod_printer_entry(ADS_STRUCT *ads, char *prt_dn,
+ TALLOC_CTX *ctx, const ADS_MODLIST *mods)
+{
+ return ads_gen_mod(ads, prt_dn, *mods);
+}
+
+/*
+ add a printer to the directory
+*/
+ADS_STATUS ads_add_printer_entry(ADS_STRUCT *ads, char *prt_dn,
+ TALLOC_CTX *ctx, ADS_MODLIST *mods)
+{
+ ads_mod_str(ctx, mods, "objectClass", "printQueue");
+ return ads_gen_add(ads, prt_dn, *mods);
+}
+
+/*
+ map a REG_SZ to an ldap mod
+*/
+static bool map_sz(TALLOC_CTX *ctx, ADS_MODLIST *mods,
+ const char *name, struct registry_value *value)
+{
+ const char *str_value = NULL;
+ ADS_STATUS status;
+
+ if (value->type != REG_SZ)
+ return false;
+
+ if (value->data.length && value->data.data) {
+ if (!pull_reg_sz(ctx, &value->data, &str_value)) {
+ return false;
+ }
+ status = ads_mod_str(ctx, mods, name, str_value);
+ return ADS_ERR_OK(status);
+ }
+ return true;
+}
+
+/*
+ map a REG_DWORD to an ldap mod
+*/
+static bool map_dword(TALLOC_CTX *ctx, ADS_MODLIST *mods,
+ const char *name, struct registry_value *value)
+{
+ char *str_value = NULL;
+ ADS_STATUS status;
+
+ if (value->type != REG_DWORD) {
+ return false;
+ }
+ if (value->data.length != sizeof(uint32_t)) {
+ return false;
+ }
+ str_value = talloc_asprintf(ctx, "%d", IVAL(value->data.data, 0));
+ if (!str_value) {
+ return false;
+ }
+ status = ads_mod_str(ctx, mods, name, str_value);
+ return ADS_ERR_OK(status);
+}
+
+/*
+ map a boolean REG_BINARY to an ldap mod
+*/
+static bool map_bool(TALLOC_CTX *ctx, ADS_MODLIST *mods,
+ const char *name, struct registry_value *value)
+{
+ const char *str_value;
+ ADS_STATUS status;
+
+ if (value->type != REG_BINARY) {
+ return false;
+ }
+ if (value->data.length != 1) {
+ return false;
+ }
+
+ str_value = *value->data.data ? "TRUE" : "FALSE";
+
+ status = ads_mod_str(ctx, mods, name, str_value);
+ return ADS_ERR_OK(status);
+}
+
+/*
+ map a REG_MULTI_SZ to an ldap mod
+*/
+static bool map_multi_sz(TALLOC_CTX *ctx, ADS_MODLIST *mods,
+ const char *name, struct registry_value *value)
+{
+ const char **str_values = NULL;
+ ADS_STATUS status;
+
+ if (value->type != REG_MULTI_SZ) {
+ return false;
+ }
+
+ if (value->data.length && value->data.data) {
+ if (!pull_reg_multi_sz(ctx, &value->data, &str_values)) {
+ return false;
+ }
+ status = ads_mod_strlist(ctx, mods, name, str_values);
+ return ADS_ERR_OK(status);
+ }
+ return true;
+}
+
+struct valmap_to_ads {
+ const char *valname;
+ bool (*fn)(TALLOC_CTX *, ADS_MODLIST *, const char *, struct registry_value *);
+};
+
+/*
+ map a REG_SZ to an ldap mod
+*/
+static void map_regval_to_ads(TALLOC_CTX *ctx, ADS_MODLIST *mods,
+ const char *name, struct registry_value *value)
+{
+ const struct valmap_to_ads map[] = {
+ {SPOOL_REG_ASSETNUMBER, map_sz},
+ {SPOOL_REG_BYTESPERMINUTE, map_dword},
+ {SPOOL_REG_DEFAULTPRIORITY, map_dword},
+ {SPOOL_REG_DESCRIPTION, map_sz},
+ {SPOOL_REG_DRIVERNAME, map_sz},
+ {SPOOL_REG_DRIVERVERSION, map_dword},
+ {SPOOL_REG_FLAGS, map_dword},
+ {SPOOL_REG_LOCATION, map_sz},
+ {SPOOL_REG_OPERATINGSYSTEM, map_sz},
+ {SPOOL_REG_OPERATINGSYSTEMHOTFIX, map_sz},
+ {SPOOL_REG_OPERATINGSYSTEMSERVICEPACK, map_sz},
+ {SPOOL_REG_OPERATINGSYSTEMVERSION, map_sz},
+ {SPOOL_REG_PORTNAME, map_multi_sz},
+ {SPOOL_REG_PRINTATTRIBUTES, map_dword},
+ {SPOOL_REG_PRINTBINNAMES, map_multi_sz},
+ {SPOOL_REG_PRINTCOLLATE, map_bool},
+ {SPOOL_REG_PRINTCOLOR, map_bool},
+ {SPOOL_REG_PRINTDUPLEXSUPPORTED, map_bool},
+ {SPOOL_REG_PRINTENDTIME, map_dword},
+ {SPOOL_REG_PRINTFORMNAME, map_sz},
+ {SPOOL_REG_PRINTKEEPPRINTEDJOBS, map_bool},
+ {SPOOL_REG_PRINTLANGUAGE, map_multi_sz},
+ {SPOOL_REG_PRINTMACADDRESS, map_sz},
+ {SPOOL_REG_PRINTMAXCOPIES, map_sz},
+ {SPOOL_REG_PRINTMAXRESOLUTIONSUPPORTED, map_dword},
+ {SPOOL_REG_PRINTMAXXEXTENT, map_dword},
+ {SPOOL_REG_PRINTMAXYEXTENT, map_dword},
+ {SPOOL_REG_PRINTMEDIAREADY, map_multi_sz},
+ {SPOOL_REG_PRINTMEDIASUPPORTED, map_multi_sz},
+ {SPOOL_REG_PRINTMEMORY, map_dword},
+ {SPOOL_REG_PRINTMINXEXTENT, map_dword},
+ {SPOOL_REG_PRINTMINYEXTENT, map_dword},
+ {SPOOL_REG_PRINTNETWORKADDRESS, map_sz},
+ {SPOOL_REG_PRINTNOTIFY, map_sz},
+ {SPOOL_REG_PRINTNUMBERUP, map_dword},
+ {SPOOL_REG_PRINTORIENTATIONSSUPPORTED, map_multi_sz},
+ {SPOOL_REG_PRINTOWNER, map_sz},
+ {SPOOL_REG_PRINTPAGESPERMINUTE, map_dword},
+ {SPOOL_REG_PRINTRATE, map_dword},
+ {SPOOL_REG_PRINTRATEUNIT, map_sz},
+ {SPOOL_REG_PRINTSEPARATORFILE, map_sz},
+ {SPOOL_REG_PRINTSHARENAME, map_sz},
+ {SPOOL_REG_PRINTSPOOLING, map_sz},
+ {SPOOL_REG_PRINTSTAPLINGSUPPORTED, map_bool},
+ {SPOOL_REG_PRINTSTARTTIME, map_dword},
+ {SPOOL_REG_PRINTSTATUS, map_sz},
+ {SPOOL_REG_PRIORITY, map_dword},
+ {SPOOL_REG_SERVERNAME, map_sz},
+ {SPOOL_REG_SHORTSERVERNAME, map_sz},
+ {SPOOL_REG_UNCNAME, map_sz},
+ {SPOOL_REG_URL, map_sz},
+ {SPOOL_REG_VERSIONNUMBER, map_dword},
+ {NULL, NULL}
+ };
+ int i;
+
+ for (i=0; map[i].valname; i++) {
+ if (strcasecmp_m(map[i].valname, name) == 0) {
+ if (!map[i].fn(ctx, mods, name, value)) {
+ DEBUG(5, ("Add of value %s to modlist failed\n", name));
+ } else {
+ DEBUG(7, ("Mapped value %s\n", name));
+ }
+ }
+ }
+}
+
+
+WERROR get_remote_printer_publishing_data(struct rpc_pipe_client *cli,
+ TALLOC_CTX *mem_ctx,
+ ADS_MODLIST *mods,
+ const char *printer)
+{
+ struct dcerpc_binding_handle *b = cli->binding_handle;
+ WERROR result;
+ char *printername;
+ struct spoolss_PrinterEnumValues *info;
+ uint32_t count;
+ uint32_t i;
+ struct policy_handle pol;
+ WERROR werr;
+
+ if ((asprintf(&printername, "%s\\%s", cli->srv_name_slash, printer) == -1)) {
+ DEBUG(3, ("Insufficient memory\n"));
+ return WERR_NOT_ENOUGH_MEMORY;
+ }
+
+ result = rpccli_spoolss_openprinter_ex(cli, mem_ctx,
+ printername,
+ SEC_FLAG_MAXIMUM_ALLOWED,
+ &pol);
+ if (!W_ERROR_IS_OK(result)) {
+ DEBUG(3, ("Unable to open printer %s, error is %s.\n",
+ printername, win_errstr(result)));
+ SAFE_FREE(printername);
+ return result;
+ }
+
+ result = rpccli_spoolss_enumprinterdataex(cli, mem_ctx, &pol,
+ SPOOL_DSDRIVER_KEY,
+ 0,
+ &count,
+ &info);
+
+ if (!W_ERROR_IS_OK(result)) {
+ DEBUG(3, ("Unable to do enumdataex on %s, error is %s.\n",
+ printername, win_errstr(result)));
+ } else {
+ /* Have the data we need now, so start building */
+ for (i=0; i < count; i++) {
+ struct registry_value v;
+ v.type = info[i].type;
+ v.data = *info[i].data;
+
+ map_regval_to_ads(mem_ctx, mods, info[i].value_name, &v);
+ }
+ }
+
+ result = rpccli_spoolss_enumprinterdataex(cli, mem_ctx, &pol,
+ SPOOL_DSSPOOLER_KEY,
+ 0,
+ &count,
+ &info);
+ if (!W_ERROR_IS_OK(result)) {
+ DEBUG(3, ("Unable to do enumdataex on %s, error is %s.\n",
+ printername, win_errstr(result)));
+ } else {
+ for (i=0; i < count; i++) {
+ struct registry_value v;
+ v.type = info[i].type;
+ v.data = *info[i].data;
+
+ map_regval_to_ads(mem_ctx, mods, info[i].value_name, &v);
+ }
+ }
+
+ ads_mod_str(mem_ctx, mods, SPOOL_REG_PRINTERNAME, printer);
+
+ dcerpc_spoolss_ClosePrinter(b, mem_ctx, &pol, &werr);
+ SAFE_FREE(printername);
+
+ return result;
+}
+
+#endif
diff --git a/source3/libads/ldap_schema.c b/source3/libads/ldap_schema.c
new file mode 100644
index 0000000..d2f486e
--- /dev/null
+++ b/source3/libads/ldap_schema.c
@@ -0,0 +1,354 @@
+/*
+ Unix SMB/CIFS implementation.
+ ads (active directory) utility library
+ Copyright (C) Guenther Deschner 2005-2007
+ Copyright (C) Gerald (Jerry) Carter 2006
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "ads.h"
+#include "libads/ldap_schema.h"
+#include "libads/ldap_schema_oids.h"
+#include "../libcli/ldap/ldap_ndr.h"
+
+#ifdef HAVE_LDAP
+
+static ADS_STATUS ads_get_attrnames_by_oids(ADS_STRUCT *ads,
+ TALLOC_CTX *mem_ctx,
+ const char *schema_path,
+ const char **OIDs,
+ size_t num_OIDs,
+ char ***OIDs_out, char ***names,
+ size_t *count)
+{
+ ADS_STATUS status;
+ LDAPMessage *res = NULL;
+ LDAPMessage *msg;
+ char *expr = NULL;
+ const char *attrs[] = { "lDAPDisplayName", "attributeId", NULL };
+ int i = 0, p = 0;
+
+ if (!ads || !mem_ctx || !names || !count || !OIDs || !OIDs_out) {
+ return ADS_ERROR(LDAP_PARAM_ERROR);
+ }
+
+ if (num_OIDs == 0 || OIDs[0] == NULL) {
+ return ADS_ERROR_NT(NT_STATUS_NONE_MAPPED);
+ }
+
+ expr = talloc_asprintf(mem_ctx, "(|");
+
+ for (i=0; i<num_OIDs; i++) {
+ talloc_asprintf_addbuf(&expr, "(attributeId=%s)", OIDs[i]);
+ }
+
+ talloc_asprintf_addbuf(&expr, ")");
+ if (expr == NULL) {
+ return ADS_ERROR(LDAP_NO_MEMORY);
+ }
+
+ status = ads_do_search_retry(ads, schema_path,
+ LDAP_SCOPE_SUBTREE, expr, attrs, &res);
+ if (!ADS_ERR_OK(status)) {
+ return status;
+ }
+
+ *count = ads_count_replies(ads, res);
+ if (*count == 0 || !res) {
+ status = ADS_ERROR_NT(NT_STATUS_NONE_MAPPED);
+ goto out;
+ }
+
+ if (((*names) = talloc_array(mem_ctx, char *, *count)) == NULL) {
+ status = ADS_ERROR(LDAP_NO_MEMORY);
+ goto out;
+ }
+ if (((*OIDs_out) = talloc_array(mem_ctx, char *, *count)) == NULL) {
+ status = ADS_ERROR(LDAP_NO_MEMORY);
+ goto out;
+ }
+
+ for (msg = ads_first_entry(ads, res); msg != NULL;
+ msg = ads_next_entry(ads, msg)) {
+
+ (*names)[p] = ads_pull_string(ads, mem_ctx, msg,
+ "lDAPDisplayName");
+ (*OIDs_out)[p] = ads_pull_string(ads, mem_ctx, msg,
+ "attributeId");
+ if (((*names)[p] == NULL) || ((*OIDs_out)[p] == NULL)) {
+ status = ADS_ERROR(LDAP_NO_MEMORY);
+ goto out;
+ }
+
+ p++;
+ }
+
+ if (*count < num_OIDs) {
+ status = ADS_ERROR_NT(STATUS_SOME_UNMAPPED);
+ goto out;
+ }
+
+ status = ADS_ERROR(LDAP_SUCCESS);
+out:
+ ads_msgfree(ads, res);
+
+ return status;
+}
+
+const char *ads_get_attrname_by_guid(ADS_STRUCT *ads,
+ const char *schema_path,
+ TALLOC_CTX *mem_ctx,
+ const struct GUID *schema_guid)
+{
+ ADS_STATUS rc;
+ LDAPMessage *res = NULL;
+ char *expr = NULL;
+ const char *attrs[] = { "lDAPDisplayName", NULL };
+ const char *result = NULL;
+ char *guid_bin = NULL;
+
+ if (!ads || !mem_ctx || !schema_guid) {
+ goto done;
+ }
+
+ guid_bin = ldap_encode_ndr_GUID(mem_ctx, schema_guid);
+ if (!guid_bin) {
+ goto done;
+ }
+
+ expr = talloc_asprintf(mem_ctx, "(schemaIDGUID=%s)", guid_bin);
+ if (!expr) {
+ goto done;
+ }
+
+ rc = ads_do_search_retry(ads, schema_path, LDAP_SCOPE_SUBTREE,
+ expr, attrs, &res);
+ if (!ADS_ERR_OK(rc)) {
+ goto done;
+ }
+
+ if (ads_count_replies(ads, res) != 1) {
+ goto done;
+ }
+
+ result = ads_pull_string(ads, mem_ctx, res, "lDAPDisplayName");
+
+ done:
+ TALLOC_FREE(guid_bin);
+ ads_msgfree(ads, res);
+ return result;
+
+}
+
+/*********************************************************************
+*********************************************************************/
+
+ADS_STATUS ads_schema_path(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, char **schema_path)
+{
+ ADS_STATUS status;
+ LDAPMessage *res;
+ const char *schema;
+ const char *attrs[] = { "schemaNamingContext", NULL };
+
+ status = ads_do_search(ads, "", LDAP_SCOPE_BASE, "(objectclass=*)", attrs, &res);
+ if (!ADS_ERR_OK(status)) {
+ return status;
+ }
+
+ if ( (schema = ads_pull_string(ads, mem_ctx, res, "schemaNamingContext")) == NULL ) {
+ ads_msgfree(ads, res);
+ return ADS_ERROR(LDAP_NO_RESULTS_RETURNED);
+ }
+
+ if ( (*schema_path = talloc_strdup(mem_ctx, schema)) == NULL ) {
+ ads_msgfree(ads, res);
+ return ADS_ERROR(LDAP_NO_MEMORY);
+ }
+
+ ads_msgfree(ads, res);
+
+ return status;
+}
+
+/**
+ * Check for "Services for Unix" or rfc2307 Schema and load some attributes into the ADS_STRUCT
+ * @param ads connection to ads server
+ * @param enum mapping type
+ * @return ADS_STATUS status of search (False if one or more attributes couldn't be
+ * found in Active Directory)
+ **/
+ADS_STATUS ads_check_posix_schema_mapping(TALLOC_CTX *mem_ctx,
+ ADS_STRUCT *ads,
+ enum wb_posix_mapping map_type,
+ struct posix_schema **s )
+{
+ TALLOC_CTX *ctx = NULL;
+ ADS_STATUS status;
+ char **oids_out, **names_out;
+ size_t num_names;
+ char *schema_path = NULL;
+ int i;
+ struct posix_schema *schema = NULL;
+
+ const char *oids_sfu[] = { ADS_ATTR_SFU_UIDNUMBER_OID,
+ ADS_ATTR_SFU_GIDNUMBER_OID,
+ ADS_ATTR_SFU_HOMEDIR_OID,
+ ADS_ATTR_SFU_SHELL_OID,
+ ADS_ATTR_SFU_GECOS_OID,
+ ADS_ATTR_SFU_UID_OID };
+
+ const char *oids_sfu20[] = { ADS_ATTR_SFU20_UIDNUMBER_OID,
+ ADS_ATTR_SFU20_GIDNUMBER_OID,
+ ADS_ATTR_SFU20_HOMEDIR_OID,
+ ADS_ATTR_SFU20_SHELL_OID,
+ ADS_ATTR_SFU20_GECOS_OID,
+ ADS_ATTR_SFU20_UID_OID };
+
+ const char *oids_rfc2307[] = { ADS_ATTR_RFC2307_UIDNUMBER_OID,
+ ADS_ATTR_RFC2307_GIDNUMBER_OID,
+ ADS_ATTR_RFC2307_HOMEDIR_OID,
+ ADS_ATTR_RFC2307_SHELL_OID,
+ ADS_ATTR_RFC2307_GECOS_OID,
+ ADS_ATTR_RFC2307_UID_OID };
+
+ DEBUG(10,("ads_check_posix_schema_mapping for schema mode: %d\n", map_type));
+
+ switch (map_type) {
+
+ case WB_POSIX_MAP_TEMPLATE:
+ case WB_POSIX_MAP_UNIXINFO:
+ DEBUG(10,("ads_check_posix_schema_mapping: nothing to do\n"));
+ return ADS_ERROR(LDAP_SUCCESS);
+
+ case WB_POSIX_MAP_SFU:
+ case WB_POSIX_MAP_SFU20:
+ case WB_POSIX_MAP_RFC2307:
+ break;
+
+ default:
+ DEBUG(0,("ads_check_posix_schema_mapping: "
+ "unknown enum %d\n", map_type));
+ return ADS_ERROR(LDAP_PARAM_ERROR);
+ }
+
+ if ( (ctx = talloc_init("ads_check_posix_schema_mapping")) == NULL ) {
+ return ADS_ERROR(LDAP_NO_MEMORY);
+ }
+
+ if ( (schema = talloc(mem_ctx, struct posix_schema)) == NULL ) {
+ TALLOC_FREE( ctx );
+ return ADS_ERROR(LDAP_NO_MEMORY);
+ }
+
+ status = ads_schema_path(ads, ctx, &schema_path);
+ if (!ADS_ERR_OK(status)) {
+ DEBUG(3,("ads_check_posix_mapping: Unable to retrieve schema DN!\n"));
+ goto done;
+ }
+
+ switch (map_type) {
+ case WB_POSIX_MAP_SFU:
+ status = ads_get_attrnames_by_oids(ads, ctx, schema_path, oids_sfu,
+ ARRAY_SIZE(oids_sfu),
+ &oids_out, &names_out, &num_names);
+ break;
+ case WB_POSIX_MAP_SFU20:
+ status = ads_get_attrnames_by_oids(ads, ctx, schema_path, oids_sfu20,
+ ARRAY_SIZE(oids_sfu20),
+ &oids_out, &names_out, &num_names);
+ break;
+ case WB_POSIX_MAP_RFC2307:
+ status = ads_get_attrnames_by_oids(ads, ctx, schema_path, oids_rfc2307,
+ ARRAY_SIZE(oids_rfc2307),
+ &oids_out, &names_out, &num_names);
+ break;
+ default:
+ status = ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
+ break;
+ }
+
+ if (!ADS_ERR_OK(status)) {
+ DEBUG(3,("ads_check_posix_schema_mapping: failed %s\n",
+ ads_errstr(status)));
+ goto done;
+ }
+
+ for (i=0; i<num_names; i++) {
+
+ DEBUGADD(10,("\tOID %s has name: %s\n", oids_out[i], names_out[i]));
+
+ if (strequal(ADS_ATTR_RFC2307_UIDNUMBER_OID, oids_out[i]) ||
+ strequal(ADS_ATTR_SFU_UIDNUMBER_OID, oids_out[i]) ||
+ strequal(ADS_ATTR_SFU20_UIDNUMBER_OID, oids_out[i])) {
+ schema->posix_uidnumber_attr = talloc_strdup(schema, names_out[i]);
+ continue;
+ }
+
+ if (strequal(ADS_ATTR_RFC2307_GIDNUMBER_OID, oids_out[i]) ||
+ strequal(ADS_ATTR_SFU_GIDNUMBER_OID, oids_out[i]) ||
+ strequal(ADS_ATTR_SFU20_GIDNUMBER_OID, oids_out[i])) {
+ schema->posix_gidnumber_attr = talloc_strdup(schema, names_out[i]);
+ continue;
+ }
+
+ if (strequal(ADS_ATTR_RFC2307_HOMEDIR_OID, oids_out[i]) ||
+ strequal(ADS_ATTR_SFU_HOMEDIR_OID, oids_out[i]) ||
+ strequal(ADS_ATTR_SFU20_HOMEDIR_OID, oids_out[i])) {
+ schema->posix_homedir_attr = talloc_strdup(schema, names_out[i]);
+ continue;
+ }
+
+ if (strequal(ADS_ATTR_RFC2307_SHELL_OID, oids_out[i]) ||
+ strequal(ADS_ATTR_SFU_SHELL_OID, oids_out[i]) ||
+ strequal(ADS_ATTR_SFU20_SHELL_OID, oids_out[i])) {
+ schema->posix_shell_attr = talloc_strdup(schema, names_out[i]);
+ continue;
+ }
+
+ if (strequal(ADS_ATTR_RFC2307_GECOS_OID, oids_out[i]) ||
+ strequal(ADS_ATTR_SFU_GECOS_OID, oids_out[i]) ||
+ strequal(ADS_ATTR_SFU20_GECOS_OID, oids_out[i])) {
+ schema->posix_gecos_attr = talloc_strdup(schema, names_out[i]);
+ }
+
+ if (strequal(ADS_ATTR_RFC2307_UID_OID, oids_out[i]) ||
+ strequal(ADS_ATTR_SFU_UID_OID, oids_out[i]) ||
+ strequal(ADS_ATTR_SFU20_UID_OID, oids_out[i])) {
+ schema->posix_uid_attr = talloc_strdup(schema, names_out[i]);
+ }
+ }
+
+ if (!schema->posix_uidnumber_attr ||
+ !schema->posix_gidnumber_attr ||
+ !schema->posix_homedir_attr ||
+ !schema->posix_shell_attr ||
+ !schema->posix_gecos_attr) {
+ status = ADS_ERROR(LDAP_NO_MEMORY);
+ TALLOC_FREE( schema );
+ goto done;
+ }
+
+ *s = schema;
+
+ status = ADS_ERROR(LDAP_SUCCESS);
+
+done:
+ TALLOC_FREE(ctx);
+
+ return status;
+}
+
+#endif
diff --git a/source3/libads/ldap_schema.h b/source3/libads/ldap_schema.h
new file mode 100644
index 0000000..f36d3e0
--- /dev/null
+++ b/source3/libads/ldap_schema.h
@@ -0,0 +1,57 @@
+/*
+ Unix SMB/CIFS implementation.
+ ads (active directory) utility library
+ Copyright (C) Guenther Deschner 2005-2007
+ Copyright (C) Gerald (Jerry) Carter 2006
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#ifndef _LIBADS_LDAP_SCHEMA_H_
+#define _LIBADS_LDAP_SCHEMA_H_
+
+/* used to remember the names of the posix attributes in AD */
+/* see the rfc2307 & sfu nss backends */
+
+struct posix_schema {
+ char *posix_homedir_attr;
+ char *posix_shell_attr;
+ char *posix_uidnumber_attr;
+ char *posix_gidnumber_attr;
+ char *posix_gecos_attr;
+ char *posix_uid_attr;
+};
+
+enum wb_posix_mapping {
+ WB_POSIX_MAP_UNKNOWN = -1,
+ WB_POSIX_MAP_TEMPLATE = 0,
+ WB_POSIX_MAP_SFU = 1,
+ WB_POSIX_MAP_SFU20 = 2,
+ WB_POSIX_MAP_RFC2307 = 3,
+ WB_POSIX_MAP_UNIXINFO = 4
+};
+
+/* The following definitions come from libads/ldap_schema.c */
+
+const char *ads_get_attrname_by_guid(ADS_STRUCT *ads,
+ const char *schema_path,
+ TALLOC_CTX *mem_ctx,
+ const struct GUID *schema_guid);
+ADS_STATUS ads_schema_path(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, char **schema_path);
+ADS_STATUS ads_check_posix_schema_mapping(TALLOC_CTX *mem_ctx,
+ ADS_STRUCT *ads,
+ enum wb_posix_mapping map_type,
+ struct posix_schema **s ) ;
+
+#endif /* _LIBADS_LDAP_SCHEMA_H_ */
diff --git a/source3/libads/ldap_schema_oids.h b/source3/libads/ldap_schema_oids.h
new file mode 100644
index 0000000..cb17b3c
--- /dev/null
+++ b/source3/libads/ldap_schema_oids.h
@@ -0,0 +1,49 @@
+/*
+ Unix SMB/CIFS implementation.
+ ads (active directory) utility library
+ Copyright (C) Guenther Deschner 2005-2007
+ Copyright (C) Gerald (Jerry) Carter 2006
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#ifndef _LIBADS_LDAP_SCHEMA_OIDS_H_
+#define _LIBADS_LDAP_SCHEMA_OIDS_H_
+
+/* ldap attribute oids (Services for Unix 3.0, 3.5) */
+#define ADS_ATTR_SFU_UIDNUMBER_OID "1.2.840.113556.1.6.18.1.310"
+#define ADS_ATTR_SFU_GIDNUMBER_OID "1.2.840.113556.1.6.18.1.311"
+#define ADS_ATTR_SFU_HOMEDIR_OID "1.2.840.113556.1.6.18.1.344"
+#define ADS_ATTR_SFU_SHELL_OID "1.2.840.113556.1.6.18.1.312"
+#define ADS_ATTR_SFU_GECOS_OID "1.2.840.113556.1.6.18.1.337"
+#define ADS_ATTR_SFU_UID_OID "1.2.840.113556.1.6.18.1.309"
+
+/* ldap attribute oids (Services for Unix 2.0) */
+#define ADS_ATTR_SFU20_UIDNUMBER_OID "1.2.840.113556.1.4.7000.187.70"
+#define ADS_ATTR_SFU20_GIDNUMBER_OID "1.2.840.113556.1.4.7000.187.71"
+#define ADS_ATTR_SFU20_HOMEDIR_OID "1.2.840.113556.1.4.7000.187.106"
+#define ADS_ATTR_SFU20_SHELL_OID "1.2.840.113556.1.4.7000.187.72"
+#define ADS_ATTR_SFU20_GECOS_OID "1.2.840.113556.1.4.7000.187.97"
+#define ADS_ATTR_SFU20_UID_OID "1.2.840.113556.1.4.7000.187.102"
+
+
+/* ldap attribute oids (RFC2307) */
+#define ADS_ATTR_RFC2307_UIDNUMBER_OID "1.3.6.1.1.1.1.0"
+#define ADS_ATTR_RFC2307_GIDNUMBER_OID "1.3.6.1.1.1.1.1"
+#define ADS_ATTR_RFC2307_HOMEDIR_OID "1.3.6.1.1.1.1.3"
+#define ADS_ATTR_RFC2307_SHELL_OID "1.3.6.1.1.1.1.4"
+#define ADS_ATTR_RFC2307_GECOS_OID "1.3.6.1.1.1.1.2"
+#define ADS_ATTR_RFC2307_UID_OID "0.9.2342.19200300.100.1.1"
+
+#endif
diff --git a/source3/libads/ldap_user.c b/source3/libads/ldap_user.c
new file mode 100644
index 0000000..5542100
--- /dev/null
+++ b/source3/libads/ldap_user.c
@@ -0,0 +1,132 @@
+/*
+ Unix SMB/CIFS implementation.
+ ads (active directory) utility library
+ Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "ads.h"
+#include "../libds/common/flags.h"
+
+#ifdef HAVE_ADS
+
+/*
+ find a user account
+*/
+ ADS_STATUS ads_find_user_acct(ADS_STRUCT *ads, LDAPMessage **res,
+ const char *user)
+{
+ ADS_STATUS status;
+ char *ldap_exp;
+ const char *attrs[] = {"*", NULL};
+ char *escaped_user = escape_ldap_string(talloc_tos(), user);
+ if (!escaped_user) {
+ return ADS_ERROR(LDAP_NO_MEMORY);
+ }
+
+ if (asprintf(&ldap_exp, "(samAccountName=%s)", escaped_user) == -1) {
+ TALLOC_FREE(escaped_user);
+ return ADS_ERROR(LDAP_NO_MEMORY);
+ }
+ status = ads_search(ads, res, ldap_exp, attrs);
+ SAFE_FREE(ldap_exp);
+ TALLOC_FREE(escaped_user);
+ return status;
+}
+
+ADS_STATUS ads_add_user_acct(ADS_STRUCT *ads, const char *user,
+ const char *container, const char *fullname)
+{
+ TALLOC_CTX *ctx;
+ ADS_MODLIST mods;
+ ADS_STATUS status;
+ const char *upn, *new_dn, *name, *controlstr;
+ char *name_escaped = NULL;
+ const char *objectClass[] = {"top", "person", "organizationalPerson",
+ "user", NULL};
+
+ if (fullname && *fullname) name = fullname;
+ else name = user;
+
+ if (!(ctx = talloc_init("ads_add_user_acct")))
+ return ADS_ERROR(LDAP_NO_MEMORY);
+
+ status = ADS_ERROR(LDAP_NO_MEMORY);
+
+ if (!(upn = talloc_asprintf(ctx, "%s@%s", user, ads->config.realm)))
+ goto done;
+ if (!(name_escaped = escape_rdn_val_string_alloc(name)))
+ goto done;
+ if (!(new_dn = talloc_asprintf(ctx, "cn=%s,%s,%s", name_escaped, container,
+ ads->config.bind_path)))
+ goto done;
+ if (!(controlstr = talloc_asprintf(ctx, "%u", (UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE))))
+ goto done;
+ if (!(mods = ads_init_mods(ctx)))
+ goto done;
+
+ ads_mod_str(ctx, &mods, "cn", name);
+ ads_mod_strlist(ctx, &mods, "objectClass", objectClass);
+ ads_mod_str(ctx, &mods, "userPrincipalName", upn);
+ ads_mod_str(ctx, &mods, "name", name);
+ ads_mod_str(ctx, &mods, "displayName", name);
+ ads_mod_str(ctx, &mods, "sAMAccountName", user);
+ ads_mod_str(ctx, &mods, "userAccountControl", controlstr);
+ status = ads_gen_add(ads, new_dn, mods);
+
+ done:
+ SAFE_FREE(name_escaped);
+ talloc_destroy(ctx);
+ return status;
+}
+
+ADS_STATUS ads_add_group_acct(ADS_STRUCT *ads, const char *group,
+ const char *container, const char *comment)
+{
+ TALLOC_CTX *ctx;
+ ADS_MODLIST mods;
+ ADS_STATUS status;
+ char *new_dn;
+ char *name_escaped = NULL;
+ const char *objectClass[] = {"top", "group", NULL};
+
+ if (!(ctx = talloc_init("ads_add_group_acct")))
+ return ADS_ERROR(LDAP_NO_MEMORY);
+
+ status = ADS_ERROR(LDAP_NO_MEMORY);
+
+ if (!(name_escaped = escape_rdn_val_string_alloc(group)))
+ goto done;
+ if (!(new_dn = talloc_asprintf(ctx, "cn=%s,%s,%s", name_escaped, container,
+ ads->config.bind_path)))
+ goto done;
+ if (!(mods = ads_init_mods(ctx)))
+ goto done;
+
+ ads_mod_str(ctx, &mods, "cn", group);
+ ads_mod_strlist(ctx, &mods, "objectClass",objectClass);
+ ads_mod_str(ctx, &mods, "name", group);
+ if (comment && *comment)
+ ads_mod_str(ctx, &mods, "description", comment);
+ ads_mod_str(ctx, &mods, "sAMAccountName", group);
+ status = ads_gen_add(ads, new_dn, mods);
+
+ done:
+ SAFE_FREE(name_escaped);
+ talloc_destroy(ctx);
+ return status;
+}
+#endif
diff --git a/source3/libads/ldap_utils.c b/source3/libads/ldap_utils.c
new file mode 100644
index 0000000..c08f046
--- /dev/null
+++ b/source3/libads/ldap_utils.c
@@ -0,0 +1,389 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ Some Helpful wrappers on LDAP
+
+ Copyright (C) Andrew Tridgell 2001
+ Copyright (C) Guenther Deschner 2006,2007
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "ads.h"
+#include "lib/param/loadparm.h"
+
+#ifdef HAVE_LDAP
+
+static ADS_STATUS ads_ranged_search_internal(ADS_STRUCT *ads,
+ TALLOC_CTX *mem_ctx,
+ int scope,
+ const char *base,
+ const char *filter,
+ const char **attrs,
+ void *args,
+ const char *range_attr,
+ char ***strings,
+ size_t *num_strings,
+ uint32_t *first_usn,
+ int *num_retries,
+ bool *more_values);
+
+/*
+ a wrapper around ldap_search_s that retries depending on the error code
+ this is supposed to catch dropped connections and auto-reconnect
+*/
+static ADS_STATUS ads_do_search_retry_internal(ADS_STRUCT *ads, const char *bind_path, int scope,
+ const char *expr,
+ const char **attrs, void *args,
+ LDAPMessage **res)
+{
+ ADS_STATUS status;
+ int count = 3;
+ char *bp;
+
+ *res = NULL;
+
+ if (!ads->ldap.ld &&
+ time_mono(NULL) - ads->ldap.last_attempt < ADS_RECONNECT_TIME) {
+ return ADS_ERROR(LDAP_SERVER_DOWN);
+ }
+
+ bp = SMB_STRDUP(bind_path);
+
+ if (!bp) {
+ return ADS_ERROR(LDAP_NO_MEMORY);
+ }
+
+ *res = NULL;
+
+ /* when binding anonymously, we cannot use the paged search LDAP
+ * control - Guenther */
+
+ if (ads->auth.flags & ADS_AUTH_ANON_BIND) {
+ status = ads_do_search(ads, bp, scope, expr, attrs, res);
+ } else {
+ status = ads_do_search_all_args(ads, bp, scope, expr, attrs, args, res);
+ }
+ if (ADS_ERR_OK(status)) {
+ DEBUG(5,("Search for %s in <%s> gave %d replies\n",
+ expr, bp, ads_count_replies(ads, *res)));
+ SAFE_FREE(bp);
+ return status;
+ }
+
+ while (--count) {
+
+ if (NT_STATUS_EQUAL(ads_ntstatus(status), NT_STATUS_IO_TIMEOUT) &&
+ ads->config.ldap_page_size >= (lp_ldap_page_size() / 4) &&
+ lp_ldap_page_size() > 4) {
+ int new_page_size = (ads->config.ldap_page_size / 2);
+ DEBUG(1, ("Reducing LDAP page size from %d to %d due to IO_TIMEOUT\n",
+ ads->config.ldap_page_size, new_page_size));
+ ads->config.ldap_page_size = new_page_size;
+ }
+
+ if (*res)
+ ads_msgfree(ads, *res);
+ *res = NULL;
+
+ DEBUG(3,("Reopening ads connection to realm '%s' after error %s\n",
+ ads->config.realm, ads_errstr(status)));
+
+ ads_disconnect(ads);
+ status = ads_connect(ads);
+
+ if (!ADS_ERR_OK(status)) {
+ DEBUG(1,("ads_search_retry: failed to reconnect (%s)\n",
+ ads_errstr(status)));
+ /*
+ * We need to keep the ads pointer
+ * from being freed here as we don't own it and
+ * callers depend on it being around.
+ */
+ ads_disconnect(ads);
+ SAFE_FREE(bp);
+ return status;
+ }
+
+ *res = NULL;
+
+ /* when binding anonymously, we cannot use the paged search LDAP
+ * control - Guenther */
+
+ if (ads->auth.flags & ADS_AUTH_ANON_BIND) {
+ status = ads_do_search(ads, bp, scope, expr, attrs, res);
+ } else {
+ status = ads_do_search_all_args(ads, bp, scope, expr, attrs, args, res);
+ }
+
+ if (ADS_ERR_OK(status)) {
+ DEBUG(5,("Search for filter: %s, base: %s gave %d replies\n",
+ expr, bp, ads_count_replies(ads, *res)));
+ SAFE_FREE(bp);
+ return status;
+ }
+ }
+ SAFE_FREE(bp);
+
+ if (!ADS_ERR_OK(status)) {
+ DEBUG(1,("ads reopen failed after error %s\n",
+ ads_errstr(status)));
+ }
+ return status;
+}
+
+ ADS_STATUS ads_do_search_retry(ADS_STRUCT *ads, const char *bind_path,
+ int scope, const char *expr,
+ const char **attrs, LDAPMessage **res)
+{
+ return ads_do_search_retry_internal(ads, bind_path, scope, expr, attrs, NULL, res);
+}
+
+static ADS_STATUS ads_do_search_retry_args(ADS_STRUCT *ads, const char *bind_path,
+ int scope, const char *expr,
+ const char **attrs, void *args,
+ LDAPMessage **res)
+{
+ return ads_do_search_retry_internal(ads, bind_path, scope, expr, attrs, args, res);
+}
+
+
+ ADS_STATUS ads_search_retry(ADS_STRUCT *ads, LDAPMessage **res,
+ const char *expr, const char **attrs)
+{
+ return ads_do_search_retry(ads, ads->config.bind_path, LDAP_SCOPE_SUBTREE,
+ expr, attrs, res);
+}
+
+ ADS_STATUS ads_search_retry_dn(ADS_STRUCT *ads, LDAPMessage **res,
+ const char *dn,
+ const char **attrs)
+{
+ return ads_do_search_retry(ads, dn, LDAP_SCOPE_BASE,
+ "(objectclass=*)", attrs, res);
+}
+
+ ADS_STATUS ads_search_retry_dn_sd_flags(ADS_STRUCT *ads, LDAPMessage **res,
+ uint32_t sd_flags,
+ const char *dn,
+ const char **attrs)
+{
+ ads_control args;
+
+ args.control = ADS_SD_FLAGS_OID;
+ args.val = sd_flags;
+ args.critical = True;
+
+ return ads_do_search_retry_args(ads, dn, LDAP_SCOPE_BASE,
+ "(objectclass=*)", attrs, &args, res);
+}
+
+ ADS_STATUS ads_search_retry_extended_dn_ranged(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx,
+ const char *dn,
+ const char **attrs,
+ enum ads_extended_dn_flags flags,
+ char ***strings,
+ size_t *num_strings)
+{
+ ads_control args;
+
+ args.control = ADS_EXTENDED_DN_OID;
+ args.val = flags;
+ args.critical = True;
+
+ /* we can only range process one attribute */
+ if (!attrs || !attrs[0] || attrs[1]) {
+ return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
+ }
+
+ return ads_ranged_search(ads, mem_ctx, LDAP_SCOPE_BASE, dn,
+ "(objectclass=*)", &args, attrs[0],
+ strings, num_strings);
+
+}
+
+ ADS_STATUS ads_search_retry_sid(ADS_STRUCT *ads, LDAPMessage **res,
+ const struct dom_sid *sid,
+ const char **attrs)
+{
+ char *dn, *sid_string;
+ ADS_STATUS status;
+
+ sid_string = sid_binstring_hex_talloc(talloc_tos(), sid);
+ if (sid_string == NULL) {
+ return ADS_ERROR(LDAP_NO_MEMORY);
+ }
+
+ if (!asprintf(&dn, "<SID=%s>", sid_string)) {
+ TALLOC_FREE(sid_string);
+ return ADS_ERROR(LDAP_NO_MEMORY);
+ }
+
+ status = ads_do_search_retry(ads, dn, LDAP_SCOPE_BASE,
+ "(objectclass=*)", attrs, res);
+ SAFE_FREE(dn);
+ TALLOC_FREE(sid_string);
+ return status;
+}
+
+ADS_STATUS ads_ranged_search(ADS_STRUCT *ads,
+ TALLOC_CTX *mem_ctx,
+ int scope,
+ const char *base,
+ const char *filter,
+ void *args,
+ const char *range_attr,
+ char ***strings,
+ size_t *num_strings)
+{
+ ADS_STATUS status;
+ uint32_t first_usn;
+ int num_retries = 0;
+ const char **attrs;
+ bool more_values = False;
+
+ *num_strings = 0;
+ *strings = NULL;
+
+ attrs = talloc_array(mem_ctx, const char *, 3);
+ ADS_ERROR_HAVE_NO_MEMORY(attrs);
+
+ attrs[0] = talloc_strdup(mem_ctx, range_attr);
+ attrs[1] = talloc_strdup(mem_ctx, "usnChanged");
+ attrs[2] = NULL;
+
+ ADS_ERROR_HAVE_NO_MEMORY(attrs[0]);
+ ADS_ERROR_HAVE_NO_MEMORY(attrs[1]);
+
+ do {
+ status = ads_ranged_search_internal(ads, mem_ctx,
+ scope, base, filter,
+ attrs, args, range_attr,
+ strings, num_strings,
+ &first_usn, &num_retries,
+ &more_values);
+
+ if (NT_STATUS_EQUAL(STATUS_MORE_ENTRIES, ads_ntstatus(status))) {
+ continue;
+ }
+
+ if (!ADS_ERR_OK(status)) {
+ *num_strings = 0;
+ strings = NULL;
+ goto done;
+ }
+
+ } while (more_values);
+
+ done:
+ DEBUG(10,("returning with %d strings\n", (int)*num_strings));
+
+ return status;
+}
+
+static ADS_STATUS ads_ranged_search_internal(ADS_STRUCT *ads,
+ TALLOC_CTX *mem_ctx,
+ int scope,
+ const char *base,
+ const char *filter,
+ const char **attrs,
+ void *args,
+ const char *range_attr,
+ char ***strings,
+ size_t *num_strings,
+ uint32_t *first_usn,
+ int *num_retries,
+ bool *more_values)
+{
+ LDAPMessage *res = NULL;
+ ADS_STATUS status;
+ int count;
+ uint32_t current_usn;
+
+ DEBUG(10, ("Searching for attrs[0] = %s, attrs[1] = %s\n", attrs[0], attrs[1]));
+
+ *more_values = False;
+
+ status = ads_do_search_retry_internal(ads, base, scope, filter, attrs, args, &res);
+
+ if (!ADS_ERR_OK(status)) {
+ DEBUG(1,("ads_search: %s\n",
+ ads_errstr(status)));
+ return status;
+ }
+
+ if (!res) {
+ return ADS_ERROR(LDAP_NO_MEMORY);
+ }
+
+ count = ads_count_replies(ads, res);
+ if (count == 0) {
+ ads_msgfree(ads, res);
+ return ADS_ERROR(LDAP_SUCCESS);
+ }
+
+ if (*num_strings == 0) {
+ if (!ads_pull_uint32(ads, res, "usnChanged", first_usn)) {
+ DEBUG(1, ("could not pull first usnChanged!\n"));
+ ads_msgfree(ads, res);
+ return ADS_ERROR(LDAP_NO_MEMORY);
+ }
+ }
+
+ if (!ads_pull_uint32(ads, res, "usnChanged", &current_usn)) {
+ DEBUG(1, ("could not pull current usnChanged!\n"));
+ ads_msgfree(ads, res);
+ return ADS_ERROR(LDAP_NO_MEMORY);
+ }
+
+ if (*first_usn != current_usn) {
+ DEBUG(5, ("USN on this record changed"
+ " - restarting search\n"));
+ if (*num_retries < 5) {
+ (*num_retries)++;
+ *num_strings = 0;
+ ads_msgfree(ads, res);
+ return ADS_ERROR_NT(STATUS_MORE_ENTRIES);
+ } else {
+ DEBUG(5, ("USN on this record changed"
+ " - restarted search too many times, aborting!\n"));
+ ads_msgfree(ads, res);
+ return ADS_ERROR(LDAP_NO_MEMORY);
+ }
+ }
+
+ *strings = ads_pull_strings_range(ads, mem_ctx, res,
+ range_attr,
+ *strings,
+ &attrs[0],
+ num_strings,
+ more_values);
+
+ ads_msgfree(ads, res);
+
+ /* paranoia checks */
+ if (*strings == NULL && *more_values) {
+ DEBUG(0,("no strings found but more values???\n"));
+ return ADS_ERROR(LDAP_NO_MEMORY);
+ }
+ if (*num_strings == 0 && *more_values) {
+ DEBUG(0,("no strings found but more values???\n"));
+ return ADS_ERROR(LDAP_NO_MEMORY);
+ }
+
+ return (*more_values) ? ADS_ERROR_NT(STATUS_MORE_ENTRIES) : ADS_ERROR(LDAP_SUCCESS);
+}
+
+#endif
diff --git a/source3/libads/net_ads_setspn.c b/source3/libads/net_ads_setspn.c
new file mode 100644
index 0000000..b163184
--- /dev/null
+++ b/source3/libads/net_ads_setspn.c
@@ -0,0 +1,229 @@
+/*
+ Unix SMB/CIFS implementation.
+ net ads setspn routines
+ Copyright (C) Noel Power 2018
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "ads.h"
+
+#ifdef HAVE_ADS
+bool ads_setspn_list(ADS_STRUCT *ads, const char *machine_name)
+{
+ size_t i = 0;
+ TALLOC_CTX *frame = NULL;
+ char **spn_array = NULL;
+ size_t num_spns = 0;
+ bool ok = false;
+ ADS_STATUS status;
+
+ frame = talloc_stackframe();
+ status = ads_get_service_principal_names(frame,
+ ads,
+ machine_name,
+ &spn_array,
+ &num_spns);
+ if (!ADS_ERR_OK(status)) {
+ goto done;
+ }
+
+ d_printf("Registered SPNs for %s\n", machine_name);
+ for (i = 0; i < num_spns; i++) {
+ d_printf("\t%s\n", spn_array[i]);
+ }
+
+ ok = true;
+done:
+ TALLOC_FREE(frame);
+ return ok;
+}
+
+/* returns true if spn exists in spn_array (match is NOT case-sensitive) */
+static bool find_spn_in_spnlist(TALLOC_CTX *ctx,
+ const char *spn,
+ char **spn_array,
+ size_t num_spns)
+{
+ char *lc_spn = NULL;
+ size_t i = 0;
+
+ lc_spn = strlower_talloc(ctx, spn);
+ if (lc_spn == NULL) {
+ DBG_ERR("Out of memory, lowercasing %s.\n",
+ spn);
+ return false;
+ }
+
+ for (i = 0; i < num_spns; i++) {
+ char *lc_spn_attr = strlower_talloc(ctx, spn_array[i]);
+ if (lc_spn_attr == NULL) {
+ DBG_ERR("Out of memory, lowercasing %s.\n",
+ spn_array[i]);
+ return false;
+ }
+
+ if (strequal(lc_spn, lc_spn_attr)) {
+ return true;
+ }
+ }
+
+ return false;
+}
+
+bool ads_setspn_add(ADS_STRUCT *ads, const char *machine_name, const char * spn)
+{
+ bool ret = false;
+ TALLOC_CTX *frame = NULL;
+ ADS_STATUS status;
+ struct spn_struct *spn_struct = NULL;
+ const char *spns[2] = {NULL, NULL};
+ char **existing_spns = NULL;
+ size_t num_spns = 0;
+ bool found = false;
+
+ frame = talloc_stackframe();
+ spns[0] = spn;
+ spn_struct = parse_spn(frame, spn);
+ if (spn_struct == NULL) {
+ goto done;
+ }
+
+ status = ads_get_service_principal_names(frame,
+ ads,
+ machine_name,
+ &existing_spns,
+ &num_spns);
+
+ if (!ADS_ERR_OK(status)) {
+ goto done;
+ }
+
+ found = find_spn_in_spnlist(frame, spn, existing_spns, num_spns);
+ if (found) {
+ d_printf("Duplicate SPN found, aborting operation.\n");
+ goto done;
+ }
+
+ d_printf("Registering SPN %s for object %s\n", spn, machine_name);
+ status = ads_add_service_principal_names(ads, machine_name, spns);
+ if (!ADS_ERR_OK(status)) {
+ goto done;
+ }
+ ret = true;
+ d_printf("Updated object\n");
+done:
+ TALLOC_FREE(frame);
+ return ret;
+}
+
+bool ads_setspn_delete(ADS_STRUCT *ads,
+ const char *machine_name,
+ const char * spn)
+{
+ size_t i = 0, j = 0;
+ TALLOC_CTX *frame = NULL;
+ char **spn_array = NULL;
+ const char **new_spn_array = NULL;
+ char *lc_spn = NULL;
+ size_t num_spns = 0;
+ ADS_STATUS status;
+ ADS_MODLIST mods;
+ bool ok = false;
+ LDAPMessage *res = NULL;
+
+ frame = talloc_stackframe();
+
+ lc_spn = strlower_talloc(frame, spn);
+ if (lc_spn == NULL) {
+ DBG_ERR("Out of memory, lowercasing %s.\n", spn);
+ goto done;
+ }
+
+ status = ads_find_machine_acct(ads,
+ &res,
+ machine_name);
+ if (!ADS_ERR_OK(status)) {
+ goto done;
+ }
+
+ status = ads_get_service_principal_names(frame,
+ ads,
+ machine_name,
+ &spn_array,
+ &num_spns);
+ if (!ADS_ERR_OK(status)) {
+ goto done;
+ }
+
+ new_spn_array = talloc_zero_array(frame, const char*, num_spns + 1);
+ if (!new_spn_array) {
+ DBG_ERR("Out of memory, failed to allocate array.\n");
+ goto done;
+ }
+
+ /*
+ * create new spn list to write to object (excluding the spn to
+ * be deleted).
+ */
+ for (i = 0, j = 0; i < num_spns; i++) {
+ /*
+ * windows setspn.exe deletes matching spn in a case
+ * insensitive way.
+ */
+ char *lc_spn_attr = strlower_talloc(frame, spn_array[i]);
+ if (lc_spn_attr == NULL) {
+ DBG_ERR("Out of memory, lowercasing %s.\n",
+ spn_array[i]);
+ goto done;
+ }
+
+ if (!strequal(lc_spn, lc_spn_attr)) {
+ new_spn_array[j++] = spn_array[i];
+ }
+ }
+
+ /* found and removed spn */
+ if (j < num_spns) {
+ char *dn = NULL;
+ mods = ads_init_mods(frame);
+ if (mods == NULL) {
+ goto done;
+ }
+ d_printf("Unregistering SPN %s for %s\n", spn, machine_name);
+ status = ads_mod_strlist(frame, &mods, "servicePrincipalName", new_spn_array);
+ if (!ADS_ERR_OK(status)) {
+ goto done;
+ }
+
+ dn = ads_get_dn(ads, frame, res);
+ if (dn == NULL ) {
+ goto done;
+ }
+
+ status = ads_gen_mod(ads, dn, mods);
+ if (!ADS_ERR_OK(status)) {
+ goto done;
+ }
+ }
+ d_printf("Updated object\n");
+
+ ok = true;
+done:
+ TALLOC_FREE(frame);
+ return ok;
+}
+
+#endif /* HAVE_ADS */
diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
new file mode 100644
index 0000000..5ae8b99
--- /dev/null
+++ b/source3/libads/sasl.c
@@ -0,0 +1,855 @@
+/*
+ Unix SMB/CIFS implementation.
+ ads sasl code
+ Copyright (C) Andrew Tridgell 2001
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "../libcli/auth/spnego.h"
+#include "auth/credentials/credentials.h"
+#include "auth/gensec/gensec.h"
+#include "auth_generic.h"
+#include "ads.h"
+#include "smb_krb5.h"
+#include "system/gssapi.h"
+#include "lib/param/loadparm.h"
+#include "krb5_env.h"
+#include "lib/util/asn1.h"
+
+#ifdef HAVE_LDAP
+
+static ADS_STATUS ads_sasl_gensec_wrap(struct ads_saslwrap *wrap,
+ uint8_t *buf, uint32_t len)
+{
+ struct gensec_security *gensec_security =
+ talloc_get_type_abort(wrap->wrap_private_data,
+ struct gensec_security);
+ NTSTATUS nt_status;
+ DATA_BLOB unwrapped, wrapped;
+ TALLOC_CTX *frame = talloc_stackframe();
+
+ unwrapped = data_blob_const(buf, len);
+
+ nt_status = gensec_wrap(gensec_security, frame, &unwrapped, &wrapped);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ TALLOC_FREE(frame);
+ return ADS_ERROR_NT(nt_status);
+ }
+
+ if ((wrap->out.size - 4) < wrapped.length) {
+ TALLOC_FREE(frame);
+ return ADS_ERROR_NT(NT_STATUS_INTERNAL_ERROR);
+ }
+
+ /* copy the wrapped blob to the right location */
+ memcpy(wrap->out.buf + 4, wrapped.data, wrapped.length);
+
+ /* set how many bytes must be written to the underlying socket */
+ wrap->out.left = 4 + wrapped.length;
+
+ TALLOC_FREE(frame);
+
+ return ADS_SUCCESS;
+}
+
+static ADS_STATUS ads_sasl_gensec_unwrap(struct ads_saslwrap *wrap)
+{
+ struct gensec_security *gensec_security =
+ talloc_get_type_abort(wrap->wrap_private_data,
+ struct gensec_security);
+ NTSTATUS nt_status;
+ DATA_BLOB unwrapped, wrapped;
+ TALLOC_CTX *frame = talloc_stackframe();
+
+ wrapped = data_blob_const(wrap->in.buf + 4, wrap->in.ofs - 4);
+
+ nt_status = gensec_unwrap(gensec_security, frame, &wrapped, &unwrapped);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ TALLOC_FREE(frame);
+ return ADS_ERROR_NT(nt_status);
+ }
+
+ if (wrapped.length < unwrapped.length) {
+ TALLOC_FREE(frame);
+ return ADS_ERROR_NT(NT_STATUS_INTERNAL_ERROR);
+ }
+
+ /* copy the wrapped blob to the right location */
+ memcpy(wrap->in.buf + 4, unwrapped.data, unwrapped.length);
+
+ /* set how many bytes must be written to the underlying socket */
+ wrap->in.left = unwrapped.length;
+ wrap->in.ofs = 4;
+
+ TALLOC_FREE(frame);
+
+ return ADS_SUCCESS;
+}
+
+static void ads_sasl_gensec_disconnect(struct ads_saslwrap *wrap)
+{
+ struct gensec_security *gensec_security =
+ talloc_get_type_abort(wrap->wrap_private_data,
+ struct gensec_security);
+
+ TALLOC_FREE(gensec_security);
+
+ wrap->wrap_ops = NULL;
+ wrap->wrap_private_data = NULL;
+}
+
+static const struct ads_saslwrap_ops ads_sasl_gensec_ops = {
+ .name = "gensec",
+ .wrap = ads_sasl_gensec_wrap,
+ .unwrap = ads_sasl_gensec_unwrap,
+ .disconnect = ads_sasl_gensec_disconnect
+};
+
+/*
+ perform a LDAP/SASL/SPNEGO/{NTLMSSP,KRB5} bind (just how many layers can
+ we fit on one socket??)
+*/
+static ADS_STATUS ads_sasl_spnego_gensec_bind(ADS_STRUCT *ads,
+ const char *sasl,
+ enum credentials_use_kerberos krb5_state,
+ const char *target_service,
+ const char *target_hostname,
+ const DATA_BLOB server_blob)
+{
+ DATA_BLOB blob_in = data_blob_null;
+ DATA_BLOB blob_out = data_blob_null;
+ int rc;
+ NTSTATUS nt_status;
+ ADS_STATUS status;
+ struct auth_generic_state *auth_generic_state;
+ bool use_spnego_principal = lp_client_use_spnego_principal();
+ const char *sasl_list[] = { sasl, NULL };
+ NTTIME end_nt_time;
+ struct ads_saslwrap *wrap = &ads->ldap_wrap_data;
+
+ nt_status = auth_generic_client_prepare(NULL, &auth_generic_state);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return ADS_ERROR_NT(nt_status);
+ }
+
+ if (!NT_STATUS_IS_OK(nt_status = auth_generic_set_username(auth_generic_state, ads->auth.user_name))) {
+ return ADS_ERROR_NT(nt_status);
+ }
+ if (!NT_STATUS_IS_OK(nt_status = auth_generic_set_domain(auth_generic_state, ads->auth.realm))) {
+ return ADS_ERROR_NT(nt_status);
+ }
+ if (!NT_STATUS_IS_OK(nt_status = auth_generic_set_password(auth_generic_state, ads->auth.password))) {
+ return ADS_ERROR_NT(nt_status);
+ }
+
+ if (server_blob.length == 0) {
+ use_spnego_principal = false;
+ }
+
+ if (krb5_state == CRED_USE_KERBEROS_DISABLED) {
+ use_spnego_principal = false;
+ }
+
+ cli_credentials_set_kerberos_state(auth_generic_state->credentials,
+ krb5_state,
+ CRED_SPECIFIED);
+
+ if (target_service != NULL) {
+ nt_status = gensec_set_target_service(
+ auth_generic_state->gensec_security,
+ target_service);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return ADS_ERROR_NT(nt_status);
+ }
+ }
+
+ if (target_hostname != NULL) {
+ nt_status = gensec_set_target_hostname(
+ auth_generic_state->gensec_security,
+ target_hostname);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return ADS_ERROR_NT(nt_status);
+ }
+ }
+
+ if (target_service != NULL && target_hostname != NULL) {
+ use_spnego_principal = false;
+ }
+
+ switch (wrap->wrap_type) {
+ case ADS_SASLWRAP_TYPE_SEAL:
+ gensec_want_feature(auth_generic_state->gensec_security, GENSEC_FEATURE_SIGN);
+ gensec_want_feature(auth_generic_state->gensec_security, GENSEC_FEATURE_SEAL);
+ break;
+ case ADS_SASLWRAP_TYPE_SIGN:
+ if (ads->auth.flags & ADS_AUTH_SASL_FORCE) {
+ gensec_want_feature(auth_generic_state->gensec_security, GENSEC_FEATURE_SIGN);
+ } else {
+ /*
+ * windows servers are broken with sign only,
+ * so we let the NTLMSSP backend to seal here,
+ * via GENSEC_FEATURE_LDAP_STYLE.
+ */
+ gensec_want_feature(auth_generic_state->gensec_security, GENSEC_FEATURE_SIGN);
+ gensec_want_feature(auth_generic_state->gensec_security, GENSEC_FEATURE_LDAP_STYLE);
+ }
+ break;
+ case ADS_SASLWRAP_TYPE_PLAIN:
+ break;
+ }
+
+ nt_status = auth_generic_client_start_by_sasl(auth_generic_state,
+ sasl_list);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return ADS_ERROR_NT(nt_status);
+ }
+
+ rc = LDAP_SASL_BIND_IN_PROGRESS;
+ if (use_spnego_principal) {
+ blob_in = data_blob_dup_talloc(talloc_tos(), server_blob);
+ if (blob_in.length == 0) {
+ TALLOC_FREE(auth_generic_state);
+ return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
+ }
+ } else {
+ blob_in = data_blob_null;
+ }
+ blob_out = data_blob_null;
+
+ while (true) {
+ struct berval cred, *scred = NULL;
+
+ nt_status = gensec_update(auth_generic_state->gensec_security,
+ talloc_tos(), blob_in, &blob_out);
+ data_blob_free(&blob_in);
+ if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)
+ && !NT_STATUS_IS_OK(nt_status))
+ {
+ TALLOC_FREE(auth_generic_state);
+ data_blob_free(&blob_out);
+ return ADS_ERROR_NT(nt_status);
+ }
+
+ if (NT_STATUS_IS_OK(nt_status) && rc == 0 && blob_out.length == 0) {
+ break;
+ }
+
+ cred.bv_val = (char *)blob_out.data;
+ cred.bv_len = blob_out.length;
+ scred = NULL;
+ rc = ldap_sasl_bind_s(ads->ldap.ld, NULL, sasl, &cred, NULL, NULL, &scred);
+ data_blob_free(&blob_out);
+ if ((rc != LDAP_SASL_BIND_IN_PROGRESS) && (rc != 0)) {
+ if (scred) {
+ ber_bvfree(scred);
+ }
+
+ TALLOC_FREE(auth_generic_state);
+ return ADS_ERROR(rc);
+ }
+ if (scred) {
+ blob_in = data_blob_talloc(talloc_tos(),
+ scred->bv_val,
+ scred->bv_len);
+ if (blob_in.length != scred->bv_len) {
+ ber_bvfree(scred);
+ TALLOC_FREE(auth_generic_state);
+ return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
+ }
+ ber_bvfree(scred);
+ } else {
+ blob_in = data_blob_null;
+ }
+ if (NT_STATUS_IS_OK(nt_status) && rc == 0 && blob_in.length == 0) {
+ break;
+ }
+ }
+
+ data_blob_free(&blob_in);
+ data_blob_free(&blob_out);
+
+ if (wrap->wrap_type >= ADS_SASLWRAP_TYPE_SEAL) {
+ bool ok;
+
+ ok = gensec_have_feature(auth_generic_state->gensec_security,
+ GENSEC_FEATURE_SEAL);
+ if (!ok) {
+ DEBUG(0,("The gensec feature sealing request, but unavailable\n"));
+ TALLOC_FREE(auth_generic_state);
+ return ADS_ERROR_NT(NT_STATUS_INVALID_NETWORK_RESPONSE);
+ }
+
+ ok = gensec_have_feature(auth_generic_state->gensec_security,
+ GENSEC_FEATURE_SIGN);
+ if (!ok) {
+ DEBUG(0,("The gensec feature signing request, but unavailable\n"));
+ TALLOC_FREE(auth_generic_state);
+ return ADS_ERROR_NT(NT_STATUS_INVALID_NETWORK_RESPONSE);
+ }
+
+ } else if (wrap->wrap_type >= ADS_SASLWRAP_TYPE_SIGN) {
+ bool ok;
+
+ ok = gensec_have_feature(auth_generic_state->gensec_security,
+ GENSEC_FEATURE_SIGN);
+ if (!ok) {
+ DEBUG(0,("The gensec feature signing request, but unavailable\n"));
+ TALLOC_FREE(auth_generic_state);
+ return ADS_ERROR_NT(NT_STATUS_INVALID_NETWORK_RESPONSE);
+ }
+ }
+
+ ads->auth.tgs_expire = LONG_MAX;
+ end_nt_time = gensec_expire_time(auth_generic_state->gensec_security);
+ if (end_nt_time != GENSEC_EXPIRE_TIME_INFINITY) {
+ struct timeval tv;
+ nttime_to_timeval(&tv, end_nt_time);
+ ads->auth.tgs_expire = tv.tv_sec;
+ }
+
+ if (wrap->wrap_type > ADS_SASLWRAP_TYPE_PLAIN) {
+ size_t max_wrapped =
+ gensec_max_wrapped_size(auth_generic_state->gensec_security);
+ wrap->out.max_unwrapped =
+ gensec_max_input_size(auth_generic_state->gensec_security);
+
+ wrap->out.sig_size = max_wrapped - wrap->out.max_unwrapped;
+ /*
+ * Note that we have to truncate this to 0x2C
+ * (taken from a capture with LDAP unbind), as the
+ * signature size is not constant for Kerberos with
+ * arcfour-hmac-md5.
+ */
+ wrap->in.min_wrapped = MIN(wrap->out.sig_size, 0x2C);
+ wrap->in.max_wrapped = ADS_SASL_WRAPPING_IN_MAX_WRAPPED;
+ status = ads_setup_sasl_wrapping(wrap, ads->ldap.ld,
+ &ads_sasl_gensec_ops,
+ auth_generic_state->gensec_security);
+ if (!ADS_ERR_OK(status)) {
+ DEBUG(0, ("ads_setup_sasl_wrapping() failed: %s\n",
+ ads_errstr(status)));
+ TALLOC_FREE(auth_generic_state);
+ return status;
+ }
+ /* Only keep the gensec_security element around long-term */
+ talloc_steal(NULL, auth_generic_state->gensec_security);
+ }
+ TALLOC_FREE(auth_generic_state);
+
+ return ADS_ERROR(rc);
+}
+
+#ifdef HAVE_KRB5
+struct ads_service_principal {
+ char *service;
+ char *hostname;
+ char *string;
+};
+
+static void ads_free_service_principal(struct ads_service_principal *p)
+{
+ SAFE_FREE(p->service);
+ SAFE_FREE(p->hostname);
+ SAFE_FREE(p->string);
+ ZERO_STRUCTP(p);
+}
+
+static ADS_STATUS ads_guess_target(ADS_STRUCT *ads,
+ char **service,
+ char **hostname,
+ char **principal)
+{
+ ADS_STATUS status = ADS_ERROR(LDAP_NO_MEMORY);
+ char *princ = NULL;
+ TALLOC_CTX *frame;
+ char *server = NULL;
+ char *realm = NULL;
+ int rc;
+
+ frame = talloc_stackframe();
+ if (frame == NULL) {
+ return ADS_ERROR(LDAP_NO_MEMORY);
+ }
+
+ if (ads->server.realm && ads->server.ldap_server) {
+ server = strlower_talloc(frame, ads->server.ldap_server);
+ if (server == NULL) {
+ goto out;
+ }
+
+ realm = strupper_talloc(frame, ads->server.realm);
+ if (realm == NULL) {
+ goto out;
+ }
+
+ /*
+ * If we got a name which is bigger than a NetBIOS name,
+ * but isn't a FQDN, create one.
+ */
+ if (strlen(server) > 15 && strstr(server, ".") == NULL) {
+ char *dnsdomain;
+
+ dnsdomain = strlower_talloc(frame, ads->server.realm);
+ if (dnsdomain == NULL) {
+ goto out;
+ }
+
+ server = talloc_asprintf(frame,
+ "%s.%s",
+ server, dnsdomain);
+ if (server == NULL) {
+ goto out;
+ }
+ }
+ } else if (ads->config.realm && ads->config.ldap_server_name) {
+ server = strlower_talloc(frame, ads->config.ldap_server_name);
+ if (server == NULL) {
+ goto out;
+ }
+
+ realm = strupper_talloc(frame, ads->config.realm);
+ if (realm == NULL) {
+ goto out;
+ }
+
+ /*
+ * If we got a name which is bigger than a NetBIOS name,
+ * but isn't a FQDN, create one.
+ */
+ if (strlen(server) > 15 && strstr(server, ".") == NULL) {
+ char *dnsdomain;
+
+ dnsdomain = strlower_talloc(frame, ads->server.realm);
+ if (dnsdomain == NULL) {
+ goto out;
+ }
+
+ server = talloc_asprintf(frame,
+ "%s.%s",
+ server, dnsdomain);
+ if (server == NULL) {
+ goto out;
+ }
+ }
+ }
+
+ if (server == NULL || realm == NULL) {
+ goto out;
+ }
+
+ *service = SMB_STRDUP("ldap");
+ if (*service == NULL) {
+ status = ADS_ERROR(LDAP_PARAM_ERROR);
+ goto out;
+ }
+ *hostname = SMB_STRDUP(server);
+ if (*hostname == NULL) {
+ SAFE_FREE(*service);
+ status = ADS_ERROR(LDAP_PARAM_ERROR);
+ goto out;
+ }
+ rc = asprintf(&princ, "ldap/%s@%s", server, realm);
+ if (rc == -1 || princ == NULL) {
+ SAFE_FREE(*service);
+ SAFE_FREE(*hostname);
+ status = ADS_ERROR(LDAP_PARAM_ERROR);
+ goto out;
+ }
+
+ *principal = princ;
+
+ status = ADS_SUCCESS;
+out:
+ TALLOC_FREE(frame);
+ return status;
+}
+
+static ADS_STATUS ads_generate_service_principal(ADS_STRUCT *ads,
+ struct ads_service_principal *p)
+{
+ ADS_STATUS status;
+
+ ZERO_STRUCTP(p);
+
+ status = ads_guess_target(ads,
+ &p->service,
+ &p->hostname,
+ &p->string);
+ if (!ADS_ERR_OK(status)) {
+ return status;
+ }
+
+ return ADS_SUCCESS;
+}
+
+#endif /* HAVE_KRB5 */
+
+/*
+ parse a negTokenInit packet giving a GUID, a list of supported
+ OIDs (the mechanisms) and a principal name string
+*/
+static bool spnego_parse_negTokenInit(TALLOC_CTX *ctx,
+ DATA_BLOB blob,
+ char *OIDs[ASN1_MAX_OIDS],
+ char **principal,
+ DATA_BLOB *secblob)
+{
+ int i;
+ bool ret = false;
+ ASN1_DATA *data;
+
+ for (i = 0; i < ASN1_MAX_OIDS; i++) {
+ OIDs[i] = NULL;
+ }
+
+ if (principal) {
+ *principal = NULL;
+ }
+ if (secblob) {
+ *secblob = data_blob_null;
+ }
+
+ data = asn1_init(talloc_tos(), ASN1_MAX_TREE_DEPTH);
+ if (data == NULL) {
+ return false;
+ }
+
+ if (!asn1_load(data, blob)) goto err;
+
+ if (!asn1_start_tag(data,ASN1_APPLICATION(0))) goto err;
+
+ if (!asn1_check_OID(data,OID_SPNEGO)) goto err;
+
+ /* negTokenInit [0] NegTokenInit */
+ if (!asn1_start_tag(data,ASN1_CONTEXT(0))) goto err;
+ if (!asn1_start_tag(data,ASN1_SEQUENCE(0))) goto err;
+
+ /* mechTypes [0] MechTypeList OPTIONAL */
+
+ /* Not really optional, we depend on this to decide
+ * what mechanisms we have to work with. */
+
+ if (!asn1_start_tag(data,ASN1_CONTEXT(0))) goto err;
+ if (!asn1_start_tag(data,ASN1_SEQUENCE(0))) goto err;
+ for (i=0; asn1_tag_remaining(data) > 0 && i < ASN1_MAX_OIDS-1; i++) {
+ if (!asn1_read_OID(data,ctx, &OIDs[i])) {
+ goto err;
+ }
+ if (asn1_has_error(data)) {
+ goto err;
+ }
+ }
+ OIDs[i] = NULL;
+ if (!asn1_end_tag(data)) goto err;
+ if (!asn1_end_tag(data)) goto err;
+
+ /*
+ Win7 + Live Sign-in Assistant attaches a mechToken
+ ASN1_CONTEXT(2) to the negTokenInit packet
+ which breaks our negotiation if we just assume
+ the next tag is ASN1_CONTEXT(3).
+ */
+
+ if (asn1_peek_tag(data, ASN1_CONTEXT(1))) {
+ uint8_t flags;
+
+ /* reqFlags [1] ContextFlags OPTIONAL */
+ if (!asn1_start_tag(data, ASN1_CONTEXT(1))) goto err;
+ if (!asn1_start_tag(data, ASN1_BIT_STRING)) goto err;
+ while (asn1_tag_remaining(data) > 0) {
+ if (!asn1_read_uint8(data, &flags)) goto err;
+ }
+ if (!asn1_end_tag(data)) goto err;
+ if (!asn1_end_tag(data)) goto err;
+ }
+
+ if (asn1_peek_tag(data, ASN1_CONTEXT(2))) {
+ DATA_BLOB sblob = data_blob_null;
+ /* mechToken [2] OCTET STRING OPTIONAL */
+ if (!asn1_start_tag(data, ASN1_CONTEXT(2))) goto err;
+ if (!asn1_read_OctetString(data, ctx, &sblob)) goto err;
+ if (!asn1_end_tag(data)) {
+ data_blob_free(&sblob);
+ goto err;
+ }
+ if (secblob) {
+ *secblob = sblob;
+ } else {
+ data_blob_free(&sblob);
+ }
+ }
+
+ if (asn1_peek_tag(data, ASN1_CONTEXT(3))) {
+ char *princ = NULL;
+ /* mechListMIC [3] OCTET STRING OPTIONAL */
+ if (!asn1_start_tag(data, ASN1_CONTEXT(3))) goto err;
+ if (!asn1_start_tag(data, ASN1_SEQUENCE(0))) goto err;
+ if (!asn1_start_tag(data, ASN1_CONTEXT(0))) goto err;
+ if (!asn1_read_GeneralString(data, ctx, &princ)) goto err;
+ if (!asn1_end_tag(data)) goto err;
+ if (!asn1_end_tag(data)) goto err;
+ if (!asn1_end_tag(data)) goto err;
+ if (principal) {
+ *principal = princ;
+ } else {
+ TALLOC_FREE(princ);
+ }
+ }
+
+ if (!asn1_end_tag(data)) goto err;
+ if (!asn1_end_tag(data)) goto err;
+
+ if (!asn1_end_tag(data)) goto err;
+
+ ret = !asn1_has_error(data);
+
+ err:
+
+ if (asn1_has_error(data)) {
+ int j;
+ if (principal) {
+ TALLOC_FREE(*principal);
+ }
+ if (secblob) {
+ data_blob_free(secblob);
+ }
+ for(j = 0; j < i && j < ASN1_MAX_OIDS-1; j++) {
+ TALLOC_FREE(OIDs[j]);
+ }
+ }
+
+ asn1_free(data);
+ return ret;
+}
+
+/*
+ this performs a SASL/SPNEGO bind
+*/
+static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
+{
+ TALLOC_CTX *frame = talloc_stackframe();
+ struct ads_service_principal p = {0};
+ struct berval *scred=NULL;
+ int rc, i;
+ ADS_STATUS status;
+ DATA_BLOB blob = data_blob_null;
+ char *given_principal = NULL;
+ char *OIDs[ASN1_MAX_OIDS];
+#ifdef HAVE_KRB5
+ bool got_kerberos_mechanism = False;
+#endif
+ const char *mech = NULL;
+
+ rc = ldap_sasl_bind_s(ads->ldap.ld, NULL, "GSS-SPNEGO", NULL, NULL, NULL, &scred);
+
+ if (rc != LDAP_SASL_BIND_IN_PROGRESS) {
+ status = ADS_ERROR(rc);
+ goto done;
+ }
+
+ blob = data_blob(scred->bv_val, scred->bv_len);
+
+ ber_bvfree(scred);
+
+#if 0
+ file_save("sasl_spnego.dat", blob.data, blob.length);
+#endif
+
+ /* the server sent us the first part of the SPNEGO exchange in the negprot
+ reply */
+ if (!spnego_parse_negTokenInit(talloc_tos(), blob, OIDs, &given_principal, NULL) ||
+ OIDs[0] == NULL) {
+ status = ADS_ERROR(LDAP_OPERATIONS_ERROR);
+ goto done;
+ }
+ TALLOC_FREE(given_principal);
+
+ /* make sure the server understands kerberos */
+ for (i=0;OIDs[i];i++) {
+ DEBUG(3,("ads_sasl_spnego_bind: got OID=%s\n", OIDs[i]));
+#ifdef HAVE_KRB5
+ if (strcmp(OIDs[i], OID_KERBEROS5_OLD) == 0 ||
+ strcmp(OIDs[i], OID_KERBEROS5) == 0) {
+ got_kerberos_mechanism = True;
+ }
+#endif
+ talloc_free(OIDs[i]);
+ }
+
+ status = ads_generate_service_principal(ads, &p);
+ if (!ADS_ERR_OK(status)) {
+ goto done;
+ }
+
+#ifdef HAVE_KRB5
+ if (!(ads->auth.flags & ADS_AUTH_DISABLE_KERBEROS) &&
+ got_kerberos_mechanism)
+ {
+ mech = "KRB5";
+
+ if (ads->auth.password == NULL ||
+ ads->auth.password[0] == '\0')
+ {
+
+ status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO",
+ CRED_USE_KERBEROS_REQUIRED,
+ p.service, p.hostname,
+ blob);
+ if (ADS_ERR_OK(status)) {
+ ads_free_service_principal(&p);
+ goto done;
+ }
+
+ DEBUG(10,("ads_sasl_spnego_gensec_bind(KRB5) failed with: %s, "
+ "calling kinit\n", ads_errstr(status)));
+ }
+
+ status = ADS_ERROR_KRB5(ads_kinit_password(ads));
+
+ if (ADS_ERR_OK(status)) {
+ status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO",
+ CRED_USE_KERBEROS_REQUIRED,
+ p.service, p.hostname,
+ blob);
+ if (!ADS_ERR_OK(status)) {
+ DBG_ERR("kinit succeeded but "
+ "SPNEGO bind with Kerberos failed "
+ "for %s/%s - user[%s], realm[%s]: %s\n",
+ p.service, p.hostname,
+ ads->auth.user_name,
+ ads->auth.realm,
+ ads_errstr(status));
+ }
+ }
+
+ /* only fallback to NTLMSSP if allowed */
+ if (ADS_ERR_OK(status) ||
+ !(ads->auth.flags & ADS_AUTH_ALLOW_NTLMSSP)) {
+ goto done;
+ }
+
+ DBG_WARNING("SASL bind with Kerberos failed "
+ "for %s/%s - user[%s], realm[%s]: %s, "
+ "try to fallback to NTLMSSP\n",
+ p.service, p.hostname,
+ ads->auth.user_name,
+ ads->auth.realm,
+ ads_errstr(status));
+ }
+#endif
+
+ /* lets do NTLMSSP ... this has the big advantage that we don't need
+ to sync clocks, and we don't rely on special versions of the krb5
+ library for HMAC_MD4 encryption */
+ mech = "NTLMSSP";
+
+ if (!(ads->auth.flags & ADS_AUTH_ALLOW_NTLMSSP)) {
+ DBG_WARNING("We can't use NTLMSSP, it is not allowed.\n");
+ status = ADS_ERROR_NT(NT_STATUS_NETWORK_CREDENTIAL_CONFLICT);
+ goto done;
+ }
+
+ if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED) {
+ DBG_WARNING("We can't fallback to NTLMSSP, weak crypto is"
+ " disallowed.\n");
+ status = ADS_ERROR_NT(NT_STATUS_NETWORK_CREDENTIAL_CONFLICT);
+ goto done;
+ }
+
+ status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO",
+ CRED_USE_KERBEROS_DISABLED,
+ p.service, p.hostname,
+ data_blob_null);
+done:
+ if (!ADS_ERR_OK(status)) {
+ DEBUG(1,("ads_sasl_spnego_gensec_bind(%s) failed "
+ "for %s/%s with user[%s] realm=[%s]: %s\n", mech,
+ p.service, p.hostname,
+ ads->auth.user_name,
+ ads->auth.realm,
+ ads_errstr(status)));
+ }
+ ads_free_service_principal(&p);
+ TALLOC_FREE(frame);
+ if (blob.data != NULL) {
+ data_blob_free(&blob);
+ }
+ return status;
+}
+
+/* mapping between SASL mechanisms and functions */
+static struct {
+ const char *name;
+ ADS_STATUS (*fn)(ADS_STRUCT *);
+} sasl_mechanisms[] = {
+ {"GSS-SPNEGO", ads_sasl_spnego_bind},
+ {NULL, NULL}
+};
+
+ADS_STATUS ads_sasl_bind(ADS_STRUCT *ads)
+{
+ const char *attrs[] = {"supportedSASLMechanisms", NULL};
+ char **values;
+ ADS_STATUS status;
+ int i, j;
+ LDAPMessage *res;
+ struct ads_saslwrap *wrap = &ads->ldap_wrap_data;
+
+ /* get a list of supported SASL mechanisms */
+ status = ads_do_search(ads, "", LDAP_SCOPE_BASE, "(objectclass=*)", attrs, &res);
+ if (!ADS_ERR_OK(status)) return status;
+
+ values = ldap_get_values(ads->ldap.ld, res, "supportedSASLMechanisms");
+
+ if (ads->auth.flags & ADS_AUTH_SASL_SEAL) {
+ wrap->wrap_type = ADS_SASLWRAP_TYPE_SEAL;
+ } else if (ads->auth.flags & ADS_AUTH_SASL_SIGN) {
+ wrap->wrap_type = ADS_SASLWRAP_TYPE_SIGN;
+ } else {
+ wrap->wrap_type = ADS_SASLWRAP_TYPE_PLAIN;
+ }
+
+ /* try our supported mechanisms in order */
+ for (i=0;sasl_mechanisms[i].name;i++) {
+ /* see if the server supports it */
+ for (j=0;values && values[j];j++) {
+ if (strcmp(values[j], sasl_mechanisms[i].name) == 0) {
+ DEBUG(4,("Found SASL mechanism %s\n", values[j]));
+retry:
+ status = sasl_mechanisms[i].fn(ads);
+ if (status.error_type == ENUM_ADS_ERROR_LDAP &&
+ status.err.rc == LDAP_STRONG_AUTH_REQUIRED &&
+ wrap->wrap_type == ADS_SASLWRAP_TYPE_PLAIN)
+ {
+ DEBUG(3,("SASL bin got LDAP_STRONG_AUTH_REQUIRED "
+ "retrying with signing enabled\n"));
+ wrap->wrap_type = ADS_SASLWRAP_TYPE_SIGN;
+ goto retry;
+ }
+ ldap_value_free(values);
+ ldap_msgfree(res);
+ return status;
+ }
+ }
+ }
+
+ ldap_value_free(values);
+ ldap_msgfree(res);
+ return ADS_ERROR(LDAP_AUTH_METHOD_NOT_SUPPORTED);
+}
+
+#endif /* HAVE_LDAP */
+
diff --git a/source3/libads/sasl_wrapping.c b/source3/libads/sasl_wrapping.c
new file mode 100644
index 0000000..7a58765
--- /dev/null
+++ b/source3/libads/sasl_wrapping.c
@@ -0,0 +1,351 @@
+/*
+ Unix SMB/CIFS implementation.
+ ads sasl wrapping code
+ Copyright (C) Stefan Metzmacher 2007
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "ads.h"
+
+void ndr_print_ads_saslwrap_struct(struct ndr_print *ndr, const char *name, const struct ads_saslwrap *r)
+{
+ ndr_print_struct(ndr, name, "saslwrap");
+ ndr->depth++;
+ ndr_print_uint16(ndr, "wrap_type", r->wrap_type);
+#ifdef HAVE_LDAP_SASL_WRAPPING
+ ndr_print_ptr(ndr, "sbiod", r->sbiod);
+#endif /* HAVE_LDAP_SASL_WRAPPING */
+ ndr_print_ptr(ndr, "mem_ctx", r->mem_ctx);
+ ndr_print_ptr(ndr, "wrap_ops", r->wrap_ops);
+ ndr_print_ptr(ndr, "wrap_private_data", r->wrap_private_data);
+ ndr_print_struct(ndr, name, "in");
+ ndr->depth++;
+ ndr_print_uint32(ndr, "ofs", r->in.ofs);
+ ndr_print_uint32(ndr, "needed", r->in.needed);
+ ndr_print_uint32(ndr, "left", r->in.left);
+ ndr_print_uint32(ndr, "max_wrapped", r->in.max_wrapped);
+ ndr_print_uint32(ndr, "min_wrapped", r->in.min_wrapped);
+ ndr_print_uint32(ndr, "size", r->in.size);
+ ndr_print_array_uint8(ndr, "buf", r->in.buf, r->in.size);
+ ndr->depth--;
+ ndr_print_struct(ndr, name, "out");
+ ndr->depth++;
+ ndr_print_uint32(ndr, "ofs", r->out.ofs);
+ ndr_print_uint32(ndr, "left", r->out.left);
+ ndr_print_uint32(ndr, "max_unwrapped", r->out.max_unwrapped);
+ ndr_print_uint32(ndr, "sig_size", r->out.sig_size);
+ ndr_print_uint32(ndr, "size", r->out.size);
+ ndr_print_array_uint8(ndr, "buf", r->out.buf, r->out.size);
+ ndr->depth--;
+}
+
+#ifdef HAVE_LDAP_SASL_WRAPPING
+
+static int ads_saslwrap_setup(Sockbuf_IO_Desc *sbiod, void *arg)
+{
+ struct ads_saslwrap *wrap = (struct ads_saslwrap *)arg;
+
+ wrap->sbiod = (struct Sockbuf_IO_Desc *)sbiod;
+
+ sbiod->sbiod_pvt = wrap;
+
+ return 0;
+}
+
+static int ads_saslwrap_remove(Sockbuf_IO_Desc *sbiod)
+{
+ return 0;
+}
+
+static ber_slen_t ads_saslwrap_prepare_inbuf(struct ads_saslwrap *wrap)
+{
+ wrap->in.ofs = 0;
+ wrap->in.needed = 0;
+ wrap->in.left = 0;
+ wrap->in.size = 4 + wrap->in.min_wrapped;
+ wrap->in.buf = talloc_array(wrap->mem_ctx,
+ uint8_t, wrap->in.size);
+ if (!wrap->in.buf) {
+ return -1;
+ }
+
+ return 0;
+}
+
+static ber_slen_t ads_saslwrap_grow_inbuf(struct ads_saslwrap *wrap)
+{
+ if (wrap->in.size == (4 + wrap->in.needed)) {
+ return 0;
+ }
+
+ wrap->in.size = 4 + wrap->in.needed;
+ wrap->in.buf = talloc_realloc(wrap->mem_ctx,
+ wrap->in.buf,
+ uint8_t, wrap->in.size);
+ if (!wrap->in.buf) {
+ return -1;
+ }
+
+ return 0;
+}
+
+static void ads_saslwrap_shrink_inbuf(struct ads_saslwrap *wrap)
+{
+ talloc_free(wrap->in.buf);
+
+ wrap->in.buf = NULL;
+ wrap->in.size = 0;
+ wrap->in.ofs = 0;
+ wrap->in.needed = 0;
+ wrap->in.left = 0;
+}
+
+static ber_slen_t ads_saslwrap_read(Sockbuf_IO_Desc *sbiod,
+ void *buf, ber_len_t len)
+{
+ struct ads_saslwrap *wrap =
+ (struct ads_saslwrap *)sbiod->sbiod_pvt;
+ ber_slen_t ret;
+
+ /* If ofs < 4 it means we don't have read the length header yet */
+ if (wrap->in.ofs < 4) {
+ ret = ads_saslwrap_prepare_inbuf(wrap);
+ if (ret < 0) return ret;
+
+ ret = LBER_SBIOD_READ_NEXT(sbiod,
+ wrap->in.buf + wrap->in.ofs,
+ 4 - wrap->in.ofs);
+ if (ret <= 0) return ret;
+ wrap->in.ofs += ret;
+
+ if (wrap->in.ofs < 4) goto eagain;
+
+ wrap->in.needed = RIVAL(wrap->in.buf, 0);
+ if (wrap->in.needed > wrap->in.max_wrapped) {
+ errno = EINVAL;
+ return -1;
+ }
+ if (wrap->in.needed < wrap->in.min_wrapped) {
+ errno = EINVAL;
+ return -1;
+ }
+
+ ret = ads_saslwrap_grow_inbuf(wrap);
+ if (ret < 0) return ret;
+ }
+
+ /*
+ * if there's more data needed from the remote end,
+ * we need to read more
+ */
+ if (wrap->in.needed > 0) {
+ ret = LBER_SBIOD_READ_NEXT(sbiod,
+ wrap->in.buf + wrap->in.ofs,
+ wrap->in.needed);
+ if (ret <= 0) return ret;
+ wrap->in.ofs += ret;
+ wrap->in.needed -= ret;
+
+ if (wrap->in.needed > 0) goto eagain;
+ }
+
+ /*
+ * if we have a complete packet and have not yet unwrapped it
+ * we need to call the mech specific unwrap() hook
+ */
+ if (wrap->in.needed == 0 && wrap->in.left == 0) {
+ ADS_STATUS status;
+ status = wrap->wrap_ops->unwrap(wrap);
+ if (!ADS_ERR_OK(status)) {
+ errno = EACCES;
+ return -1;
+ }
+ }
+
+ /*
+ * if we have unwrapped data give it to the caller
+ */
+ if (wrap->in.left > 0) {
+ ret = MIN(wrap->in.left, len);
+ memcpy(buf, wrap->in.buf + wrap->in.ofs, ret);
+ wrap->in.ofs += ret;
+ wrap->in.left -= ret;
+
+ /*
+ * if no more is left shrink the inbuf,
+ * this will trigger reading a new SASL packet
+ * from the remote stream in the next call
+ */
+ if (wrap->in.left == 0) {
+ ads_saslwrap_shrink_inbuf(wrap);
+ }
+
+ return ret;
+ }
+
+ /*
+ * if we don't have anything for the caller yet,
+ * tell him to ask again
+ */
+eagain:
+ errno = EAGAIN;
+ return -1;
+}
+
+static ber_slen_t ads_saslwrap_prepare_outbuf(struct ads_saslwrap *wrap,
+ uint32_t len)
+{
+ wrap->out.ofs = 0;
+ wrap->out.left = 0;
+ wrap->out.size = 4 + wrap->out.sig_size + len;
+ wrap->out.buf = talloc_array(wrap->mem_ctx,
+ uint8_t, wrap->out.size);
+ if (!wrap->out.buf) {
+ return -1;
+ }
+
+ return 0;
+}
+
+static void ads_saslwrap_shrink_outbuf(struct ads_saslwrap *wrap)
+{
+ talloc_free(wrap->out.buf);
+
+ wrap->out.buf = NULL;
+ wrap->out.size = 0;
+ wrap->out.ofs = 0;
+ wrap->out.left = 0;
+}
+
+static ber_slen_t ads_saslwrap_write(Sockbuf_IO_Desc *sbiod,
+ void *buf, ber_len_t len)
+{
+ struct ads_saslwrap *wrap =
+ (struct ads_saslwrap *)sbiod->sbiod_pvt;
+ ber_slen_t ret, rlen;
+
+ /* if the buffer is empty, we need to wrap in incoming buffer */
+ if (wrap->out.left == 0) {
+ ADS_STATUS status;
+
+ if (len == 0) {
+ errno = EINVAL;
+ return -1;
+ }
+
+ rlen = MIN(len, wrap->out.max_unwrapped);
+
+ ret = ads_saslwrap_prepare_outbuf(wrap, rlen);
+ if (ret < 0) return ret;
+
+ status = wrap->wrap_ops->wrap(wrap, (uint8_t *)buf, rlen);
+ if (!ADS_ERR_OK(status)) {
+ errno = EACCES;
+ return -1;
+ }
+
+ RSIVAL(wrap->out.buf, 0, wrap->out.left - 4);
+ } else {
+ rlen = -1;
+ }
+
+ ret = LBER_SBIOD_WRITE_NEXT(sbiod,
+ wrap->out.buf + wrap->out.ofs,
+ wrap->out.left);
+ if (ret <= 0) return ret;
+ wrap->out.ofs += ret;
+ wrap->out.left -= ret;
+
+ if (wrap->out.left == 0) {
+ ads_saslwrap_shrink_outbuf(wrap);
+ }
+
+ if (rlen > 0) return rlen;
+
+ errno = EAGAIN;
+ return -1;
+}
+
+static int ads_saslwrap_ctrl(Sockbuf_IO_Desc *sbiod, int opt, void *arg)
+{
+ struct ads_saslwrap *wrap =
+ (struct ads_saslwrap *)sbiod->sbiod_pvt;
+ int ret;
+
+ switch (opt) {
+ case LBER_SB_OPT_DATA_READY:
+ if (wrap->in.left > 0) {
+ return 1;
+ }
+ ret = LBER_SBIOD_CTRL_NEXT(sbiod, opt, arg);
+ break;
+ default:
+ ret = LBER_SBIOD_CTRL_NEXT(sbiod, opt, arg);
+ break;
+ }
+
+ return ret;
+}
+
+static int ads_saslwrap_close(Sockbuf_IO_Desc *sbiod)
+{
+ return 0;
+}
+
+static const Sockbuf_IO ads_saslwrap_sockbuf_io = {
+ ads_saslwrap_setup, /* sbi_setup */
+ ads_saslwrap_remove, /* sbi_remove */
+ ads_saslwrap_ctrl, /* sbi_ctrl */
+ ads_saslwrap_read, /* sbi_read */
+ ads_saslwrap_write, /* sbi_write */
+ ads_saslwrap_close /* sbi_close */
+};
+
+ADS_STATUS ads_setup_sasl_wrapping(struct ads_saslwrap *wrap, LDAP *ld,
+ const struct ads_saslwrap_ops *ops,
+ void *private_data)
+{
+ ADS_STATUS status;
+ Sockbuf *sb;
+ Sockbuf_IO *io = discard_const_p(Sockbuf_IO, &ads_saslwrap_sockbuf_io);
+ int rc;
+
+ rc = ldap_get_option(ld, LDAP_OPT_SOCKBUF, &sb);
+ status = ADS_ERROR_LDAP(rc);
+ if (!ADS_ERR_OK(status)) {
+ return status;
+ }
+
+ /* setup the real wrapping callbacks */
+ rc = ber_sockbuf_add_io(sb, io, LBER_SBIOD_LEVEL_TRANSPORT, wrap);
+ status = ADS_ERROR_LDAP(rc);
+ if (!ADS_ERR_OK(status)) {
+ return status;
+ }
+
+ wrap->wrap_ops = discard_const(ops);
+ wrap->wrap_private_data = private_data;
+
+ return ADS_SUCCESS;
+}
+#else
+ADS_STATUS ads_setup_sasl_wrapping(struct ads_saslwrap *wrap, LDAP *ld,
+ const struct ads_saslwrap_ops *ops,
+ void *private_data)
+{
+ return ADS_ERROR_NT(NT_STATUS_NOT_SUPPORTED);
+}
+#endif /* HAVE_LDAP_SASL_WRAPPING */
diff --git a/source3/libads/sitename_cache.c b/source3/libads/sitename_cache.c
new file mode 100644
index 0000000..4bf2ca7
--- /dev/null
+++ b/source3/libads/sitename_cache.c
@@ -0,0 +1,132 @@
+/*
+ Unix SMB/CIFS implementation.
+ DNS utility library
+ Copyright (C) Gerald (Jerry) Carter 2006.
+ Copyright (C) Jeremy Allison 2007.
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "libads/sitename_cache.h"
+#include "lib/gencache.h"
+
+/****************************************************************************
+ Store and fetch the AD client sitename.
+****************************************************************************/
+
+#define SITENAME_KEY "AD_SITENAME/DOMAIN/%s"
+
+static char *sitename_key(TALLOC_CTX *mem_ctx, const char *realm)
+{
+ char *keystr = talloc_asprintf_strupper_m(
+ mem_ctx, SITENAME_KEY, realm);
+ return keystr;
+}
+
+
+/****************************************************************************
+ Store the AD client sitename.
+ We store indefinitely as every new CLDAP query will re-write this.
+****************************************************************************/
+
+bool sitename_store(const char *realm, const char *sitename)
+{
+ time_t expire;
+ bool ret = False;
+ char *key;
+
+ if (!realm || (strlen(realm) == 0)) {
+ DEBUG(0,("sitename_store: no realm\n"));
+ return False;
+ }
+
+ key = sitename_key(talloc_tos(), realm);
+
+ if (!sitename || (sitename && !*sitename)) {
+ DEBUG(5,("sitename_store: deleting empty sitename!\n"));
+ ret = gencache_del(key);
+ TALLOC_FREE(key);
+ return ret;
+ }
+
+ expire = get_time_t_max(); /* Store indefinitely. */
+
+ DEBUG(10,("sitename_store: realm = [%s], sitename = [%s], expire = [%u]\n",
+ realm, sitename, (unsigned int)expire ));
+
+ ret = gencache_set( key, sitename, expire );
+ TALLOC_FREE(key);
+ return ret;
+}
+
+/****************************************************************************
+ Fetch the AD client sitename.
+ Caller must free.
+****************************************************************************/
+
+char *sitename_fetch(TALLOC_CTX *mem_ctx, const char *realm)
+{
+ char *sitename = NULL;
+ time_t timeout;
+ bool ret = False;
+ const char *query_realm;
+ char *key;
+
+ if (!realm || (strlen(realm) == 0)) {
+ query_realm = lp_realm();
+ } else {
+ query_realm = realm;
+ }
+
+ key = sitename_key(talloc_tos(), query_realm);
+
+ ret = gencache_get( key, mem_ctx, &sitename, &timeout );
+ TALLOC_FREE(key);
+ if ( !ret ) {
+ DBG_INFO("No stored sitename for realm '%s'\n", query_realm);
+ } else {
+ DBG_INFO("Returning sitename for realm '%s': \"%s\"\n",
+ query_realm, sitename);
+ }
+ return sitename;
+}
+
+/****************************************************************************
+ Did the sitename change ?
+****************************************************************************/
+
+bool stored_sitename_changed(const char *realm, const char *sitename)
+{
+ bool ret = False;
+
+ char *new_sitename;
+
+ if (!realm || (strlen(realm) == 0)) {
+ DEBUG(0,("stored_sitename_changed: no realm\n"));
+ return False;
+ }
+
+ new_sitename = sitename_fetch(talloc_tos(), realm);
+
+ if (sitename && new_sitename && !strequal(sitename, new_sitename)) {
+ ret = True;
+ } else if ((sitename && !new_sitename) ||
+ (!sitename && new_sitename)) {
+ ret = True;
+ }
+ TALLOC_FREE(new_sitename);
+ return ret;
+}
+
diff --git a/source3/libads/sitename_cache.h b/source3/libads/sitename_cache.h
new file mode 100644
index 0000000..9044964
--- /dev/null
+++ b/source3/libads/sitename_cache.h
@@ -0,0 +1,28 @@
+/*
+ Unix SMB/CIFS implementation.
+ DNS utility library
+ Copyright (C) Gerald (Jerry) Carter 2006.
+ Copyright (C) Jeremy Allison 2007.
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#ifndef _LIBADS_SITENAME_CACHE_H_
+#define _LIBADS_SITENAME_CACHE_H_
+
+bool sitename_store(const char *realm, const char *sitename);
+char *sitename_fetch(TALLOC_CTX *mem_ctx, const char *realm);
+bool stored_sitename_changed(const char *realm, const char *sitename);
+
+#endif /* _LIBADS_SITENAME_CACHE_H_ */
diff --git a/source3/libads/util.c b/source3/libads/util.c
new file mode 100644
index 0000000..a1e33fd
--- /dev/null
+++ b/source3/libads/util.c
@@ -0,0 +1,236 @@
+/*
+ Unix SMB/CIFS implementation.
+ krb5 set password implementation
+ Copyright (C) Remus Koos 2001 (remuskoos@yahoo.com)
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "ads.h"
+#include "secrets.h"
+#include "librpc/gen_ndr/ndr_secrets.h"
+
+#ifdef HAVE_KRB5
+ADS_STATUS ads_change_trust_account_password(ADS_STRUCT *ads, char *host_principal)
+{
+ const char *password = NULL;
+ const char *new_password = NULL;
+ ADS_STATUS ret;
+ const char *domain = lp_workgroup();
+ struct secrets_domain_info1 *info = NULL;
+ struct secrets_domain_info1_change *prev = NULL;
+ const DATA_BLOB *cleartext_blob = NULL;
+ DATA_BLOB pw_blob = data_blob_null;
+ DATA_BLOB new_pw_blob = data_blob_null;
+ NTSTATUS status;
+ struct timeval tv = timeval_current();
+ NTTIME now = timeval_to_nttime(&tv);
+ int role = lp_server_role();
+ bool ok;
+
+ if (role != ROLE_DOMAIN_MEMBER) {
+ DBG_ERR("Machine account password change only supported on a DOMAIN_MEMBER.\n");
+ return ADS_ERROR_NT(NT_STATUS_INVALID_SERVER_STATE);
+ }
+
+ new_password = trust_pw_new_value(talloc_tos(), SEC_CHAN_WKSTA, SEC_ADS);
+ if (new_password == NULL) {
+ ret = ADS_ERROR_SYSTEM(errno);
+ DEBUG(1,("Failed to generate machine password\n"));
+ return ret;
+ }
+
+ status = secrets_prepare_password_change(domain,
+ ads->auth.kdc_server,
+ new_password,
+ talloc_tos(),
+ &info, &prev);
+ if (!NT_STATUS_IS_OK(status)) {
+ return ADS_ERROR_NT(status);
+ }
+ if (prev != NULL) {
+ status = NT_STATUS_REQUEST_NOT_ACCEPTED;
+ secrets_failed_password_change("localhost",
+ status,
+ NT_STATUS_NOT_COMMITTED,
+ info);
+ return ADS_ERROR_NT(status);
+ }
+
+ cleartext_blob = &info->password->cleartext_blob;
+ ok = convert_string_talloc(talloc_tos(), CH_UTF16MUNGED, CH_UNIX,
+ cleartext_blob->data,
+ cleartext_blob->length,
+ (void **)&pw_blob.data,
+ &pw_blob.length);
+ if (!ok) {
+ status = NT_STATUS_UNMAPPABLE_CHARACTER;
+ if (errno == ENOMEM) {
+ status = NT_STATUS_NO_MEMORY;
+ }
+ DBG_ERR("convert_string_talloc(CH_UTF16MUNGED, CH_UNIX) "
+ "failed for password of %s - %s\n",
+ domain, nt_errstr(status));
+ return ADS_ERROR_NT(status);
+ }
+ password = (const char *)pw_blob.data;
+
+ cleartext_blob = &info->next_change->password->cleartext_blob;
+ ok = convert_string_talloc(talloc_tos(), CH_UTF16MUNGED, CH_UNIX,
+ cleartext_blob->data,
+ cleartext_blob->length,
+ (void **)&new_pw_blob.data,
+ &new_pw_blob.length);
+ if (!ok) {
+ status = NT_STATUS_UNMAPPABLE_CHARACTER;
+ if (errno == ENOMEM) {
+ status = NT_STATUS_NO_MEMORY;
+ }
+ DBG_ERR("convert_string_talloc(CH_UTF16MUNGED, CH_UNIX) "
+ "failed for new_password of %s - %s\n",
+ domain, nt_errstr(status));
+ secrets_failed_password_change("localhost",
+ status,
+ NT_STATUS_NOT_COMMITTED,
+ info);
+ return ADS_ERROR_NT(status);
+ }
+ talloc_keep_secret(new_pw_blob.data);
+ new_password = (const char *)new_pw_blob.data;
+
+ ret = kerberos_set_password(ads->auth.kdc_server, host_principal, password, host_principal, new_password, ads->auth.time_offset);
+
+ if (!ADS_ERR_OK(ret)) {
+ status = ads_ntstatus(ret);
+ DBG_ERR("kerberos_set_password(%s, %s) "
+ "failed for new_password of %s - %s\n",
+ ads->auth.kdc_server, host_principal,
+ domain, nt_errstr(status));
+ secrets_failed_password_change(ads->auth.kdc_server,
+ NT_STATUS_NOT_COMMITTED,
+ status,
+ info);
+ return ret;
+ }
+
+ status = secrets_finish_password_change(ads->auth.kdc_server, now, info);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1,("Failed to save machine password\n"));
+ return ADS_ERROR_NT(status);
+ }
+
+ return ADS_SUCCESS;
+}
+#endif
+
+/**
+* @brief Parses windows style SPN service/host:port/servicename
+* serviceclass - A string that identifies the general class of service
+* e.g. 'http'
+* host - A netbios name or fully-qualified DNS name
+* port - An optional TCP or UDP port number
+* servicename - An optional distinguished name, GUID, DNS name or
+* DNS name of an SRV or MX record. (not needed for host
+* based services)
+*
+* @param[in] ctx - Talloc context.
+* @param[in] srvprinc - The service principal
+*
+* @return - struct spn_struct containing the fields parsed or NULL
+* if srvprinc could not be parsed.
+*/
+struct spn_struct *parse_spn(TALLOC_CTX *ctx, const char *srvprinc)
+{
+ struct spn_struct * result = NULL;
+ char *tmp = NULL;
+ char *port_str = NULL;
+ char *host_str = NULL;
+
+ result = talloc_zero(ctx, struct spn_struct);
+ if (result == NULL) {
+ DBG_ERR("Out of memory\n");
+ return NULL;
+ }
+
+ result->serviceclass = talloc_strdup(result, srvprinc);
+ if (result->serviceclass == NULL) {
+ DBG_ERR("Out of memory\n");
+ goto fail;
+ }
+ result->port = -1;
+
+ tmp = strchr_m(result->serviceclass, '/');
+ if (tmp == NULL) {
+ /* illegal */
+ DBG_ERR("Failed to parse spn %s, no host definition\n",
+ srvprinc);
+ goto fail;
+ }
+
+ /* terminate service principal */
+ *tmp = '\0';
+ tmp++;
+ host_str = tmp;
+
+ tmp = strchr_m(host_str, ':');
+ if (tmp != NULL) {
+ *tmp = '\0';
+ tmp++;
+ port_str = tmp;
+ } else {
+ tmp = host_str;
+ }
+
+ tmp = strchr_m(tmp, '/');
+ if (tmp != NULL) {
+ *tmp = '\0';
+ tmp++;
+ result->servicename = tmp;
+ }
+
+ if (strlen(host_str) == 0) {
+ /* illegal */
+ DBG_ERR("Failed to parse spn %s, illegal host definition\n",
+ srvprinc);
+ goto fail;
+ }
+ result->host = host_str;
+
+ if (result->servicename != NULL && (strlen(result->servicename) == 0)) {
+ DBG_ERR("Failed to parse spn %s, empty servicename "
+ "definition\n", srvprinc);
+ goto fail;
+ }
+ if (port_str != NULL) {
+ if (strlen(port_str) == 0) {
+ DBG_ERR("Failed to parse spn %s, empty port "
+ "definition\n", srvprinc);
+ goto fail;
+ }
+ result->port = (int32_t)strtol(port_str, NULL, 10);
+ if (result->port <= 0
+ || result->port > 65535
+ || errno == ERANGE) {
+ DBG_ERR("Failed to parse spn %s, port number "
+ "conversion failed\n", srvprinc);
+ errno = 0;
+ goto fail;
+ }
+ }
+ return result;
+fail:
+ TALLOC_FREE(result);
+ return NULL;
+}