diff options
| author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-19 17:20:00 +0000 |
|---|---|---|
| committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-19 17:20:00 +0000 |
| commit | 8daa83a594a2e98f39d764422bfbdbc62c9efd44 (patch) | |
| tree | 4099e8021376c7d8c05bdf8503093d80e9c7bad0 /source3/libads | |
| parent | Initial commit. (diff) | |
| download | samba-8daa83a594a2e98f39d764422bfbdbc62c9efd44.tar.xz samba-8daa83a594a2e98f39d764422bfbdbc62c9efd44.zip | |
Adding upstream version 2:4.20.0+dfsg.upstream/2%4.20.0+dfsg
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'source3/libads')
27 files changed, 12229 insertions, 0 deletions
diff --git a/source3/libads/ads_ldap_protos.h b/source3/libads/ads_ldap_protos.h new file mode 100644 index 0000000..b063815 --- /dev/null +++ b/source3/libads/ads_ldap_protos.h @@ -0,0 +1,142 @@ +/* + Unix SMB/CIFS implementation. + ads (active directory) utility library + Copyright (C) Andrew Tridgell 2001 + Copyright (C) Remus Koos 2001 + Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002 + Copyright (C) Guenther Deschner 2005 + Copyright (C) Gerald Carter 2006 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#ifndef _LIBADS_ADS_LDAP_PROTOS_H_ +#define _LIBADS_ADS_LDAP_PROTOS_H_ + +#ifdef HAVE_LDAP_INIT_FD +int ldap_init_fd(ber_socket_t fd, int proto, char *uri, LDAP **ldp); +#endif + +/* + * Prototypes for ads + */ + +LDAP *ldap_open_with_timeout(const char *server, + struct sockaddr_storage *ss, + int port, unsigned int to); +void ads_msgfree(ADS_STRUCT *ads, LDAPMessage *msg); +char *ads_get_dn(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, LDAPMessage *msg); + +char *ads_pull_string(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, LDAPMessage *msg, + const char *field); +char **ads_pull_strings(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, + LDAPMessage *msg, const char *field, + size_t *num_values); +char **ads_pull_strings_range(ADS_STRUCT *ads, + TALLOC_CTX *mem_ctx, + LDAPMessage *msg, const char *field, + char **current_strings, + const char **next_attribute, + size_t *num_strings, + bool *more_strings); +bool ads_pull_uint32(ADS_STRUCT *ads, LDAPMessage *msg, const char *field, + uint32_t *v); +bool ads_pull_guid(ADS_STRUCT *ads, LDAPMessage *msg, struct GUID *guid); +bool ads_pull_sid(ADS_STRUCT *ads, LDAPMessage *msg, const char *field, + struct dom_sid *sid); +int ads_pull_sids(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, + LDAPMessage *msg, const char *field, struct dom_sid **sids); +bool ads_pull_sd(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, + LDAPMessage *msg, const char *field, struct security_descriptor **sd); +char *ads_pull_username(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, + LDAPMessage *msg); +ADS_STATUS ads_find_machine_acct(ADS_STRUCT *ads, LDAPMessage **res, + const char *machine); +ADS_STATUS ads_find_printer_on_server(ADS_STRUCT *ads, LDAPMessage **res, + const char *printer, + const char *servername); +ADS_STATUS ads_find_printers(ADS_STRUCT *ads, LDAPMessage **res); +ADS_STATUS ads_find_user_acct(ADS_STRUCT *ads, LDAPMessage **res, + const char *user); + +ADS_STATUS ads_do_search(ADS_STRUCT *ads, const char *bind_path, int scope, + const char *expr, + const char **attrs, LDAPMessage **res); +ADS_STATUS ads_search(ADS_STRUCT *ads, LDAPMessage **res, + const char *expr, const char **attrs); +ADS_STATUS ads_search_dn(ADS_STRUCT *ads, LDAPMessage **res, + const char *dn, const char **attrs); +ADS_STATUS ads_do_search_all_args(ADS_STRUCT *ads, const char *bind_path, + int scope, const char *expr, + const char **attrs, void *args, + LDAPMessage **res); +ADS_STATUS ads_do_search_all(ADS_STRUCT *ads, const char *bind_path, + int scope, const char *expr, + const char **attrs, LDAPMessage **res); +ADS_STATUS ads_do_search_retry(ADS_STRUCT *ads, const char *bind_path, + int scope, + const char *expr, + const char **attrs, LDAPMessage **res); +ADS_STATUS ads_search_retry(ADS_STRUCT *ads, LDAPMessage **res, + const char *expr, const char **attrs); +ADS_STATUS ads_search_retry_dn(ADS_STRUCT *ads, LDAPMessage **res, + const char *dn, + const char **attrs); +ADS_STATUS ads_search_retry_extended_dn_ranged(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, + const char *dn, + const char **attrs, + enum ads_extended_dn_flags flags, + char ***strings, + size_t *num_strings); +ADS_STATUS ads_search_retry_sid(ADS_STRUCT *ads, LDAPMessage **res, + const struct dom_sid *sid, + const char **attrs); + + +LDAPMessage *ads_first_entry(ADS_STRUCT *ads, LDAPMessage *res); +LDAPMessage *ads_next_entry(ADS_STRUCT *ads, LDAPMessage *res); +LDAPMessage *ads_first_message(ADS_STRUCT *ads, LDAPMessage *res); +LDAPMessage *ads_next_message(ADS_STRUCT *ads, LDAPMessage *res); +void ads_process_results(ADS_STRUCT *ads, LDAPMessage *res, + bool (*fn)(ADS_STRUCT *,char *, void **, void *), + void *data_area); +void ads_dump(ADS_STRUCT *ads, LDAPMessage *res); + +struct GROUP_POLICY_OBJECT; +ADS_STATUS ads_parse_gpo(ADS_STRUCT *ads, + TALLOC_CTX *mem_ctx, + LDAPMessage *res, + const char *gpo_dn, + struct GROUP_POLICY_OBJECT *gpo); +ADS_STATUS ads_search_retry_dn_sd_flags(ADS_STRUCT *ads, LDAPMessage **res, + uint32_t sd_flags, + const char *dn, + const char **attrs); +ADS_STATUS ads_do_search_all_sd_flags(ADS_STRUCT *ads, const char *bind_path, + int scope, const char *expr, + const char **attrs, uint32_t sd_flags, + LDAPMessage **res); +ADS_STATUS ads_get_tokensids(ADS_STRUCT *ads, + TALLOC_CTX *mem_ctx, + const char *dn, + struct dom_sid *user_sid, + struct dom_sid *primary_group_sid, + struct dom_sid **sids, + size_t *num_sids); +ADS_STATUS ads_get_joinable_ous(ADS_STRUCT *ads, + TALLOC_CTX *mem_ctx, + char ***ous, + size_t *num_ous); + +#endif /* _LIBADS_ADS_LDAP_PROTOS_H_ */ diff --git a/source3/libads/ads_proto.h b/source3/libads/ads_proto.h new file mode 100644 index 0000000..ceefcd6 --- /dev/null +++ b/source3/libads/ads_proto.h @@ -0,0 +1,229 @@ +/* + * Unix SMB/CIFS implementation. + * ads (active directory) utility library + * + * Copyright (C) Andrew Bartlett 2001 + * Copyright (C) Andrew Tridgell 2001 + * Copyright (C) Remus Koos (remuskoos@yahoo.com) 2001 + * Copyright (C) Alexey Kotovich 2002 + * Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002-2003 + * Copyright (C) Luke Howard 2003 + * Copyright (C) Guenther Deschner 2003-2008 + * Copyright (C) Rakesh Patel 2004 + * Copyright (C) Dan Perry 2004 + * Copyright (C) Jeremy Allison 2004 + * Copyright (C) Gerald Carter 2006 + * Copyright (C) Stefan Metzmacher 2007 + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + */ + +#ifndef _LIBADS_ADS_PROTO_H_ +#define _LIBADS_ADS_PROTO_H_ + +enum ads_sasl_state_e { + ADS_SASL_PLAIN = 0, + ADS_SASL_SIGN, + ADS_SASL_SEAL, +}; + +/* The following definitions come from libads/ads_struct.c */ + +ADS_STATUS ads_build_path(const char *realm, + const char *sep, + const char *field, + int reverse, + char **_path); +ADS_STATUS ads_build_dn(const char *realm, TALLOC_CTX *mem_ctx, char **_dn); +char *ads_build_domain(const char *dn); +ADS_STRUCT *ads_init(TALLOC_CTX *mem_ctx, + const char *realm, + const char *workgroup, + const char *ldap_server, + enum ads_sasl_state_e sasl_state); +bool ads_set_sasl_wrap_flags(ADS_STRUCT *ads, unsigned flags); + +/* The following definitions come from libads/disp_sec.c */ + +void ads_disp_sd(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct security_descriptor *sd); + +/* The following definitions come from libads/kerberos_keytab.c */ + +int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, + bool update_ads); +int ads_keytab_delete_entry(ADS_STRUCT *ads, const char *srvPrinc); +int ads_keytab_flush(ADS_STRUCT *ads); +int ads_keytab_create_default(ADS_STRUCT *ads); +int ads_keytab_list(const char *keytab_name); + +/* The following definitions come from libads/net_ads_setspn.c */ +bool ads_setspn_list(ADS_STRUCT *ads, const char *machine); +bool ads_setspn_add(ADS_STRUCT *ads, const char *machine_name, + const char * spn); +bool ads_setspn_delete(ADS_STRUCT *ads, const char *machine_name, + const char * spn); + +/* The following definitions come from libads/krb5_errs.c */ + +/* The following definitions come from libads/kerberos_util.c */ + +int ads_kinit_password(ADS_STRUCT *ads); + +/* The following definitions come from libads/ldap.c */ + +bool ads_sitename_match(ADS_STRUCT *ads); +bool ads_closest_dc(ADS_STRUCT *ads); +ADS_STATUS ads_connect(ADS_STRUCT *ads); +ADS_STATUS ads_connect_user_creds(ADS_STRUCT *ads); +void ads_zero_ldap(ADS_STRUCT *ads); +void ads_disconnect(ADS_STRUCT *ads); +ADS_STATUS ads_do_search_all_fn(ADS_STRUCT *ads, const char *bind_path, + int scope, const char *expr, const char **attrs, + bool (*fn)(ADS_STRUCT *, char *, void **, void *), + void *data_area); +char *ads_parent_dn(const char *dn); +ADS_MODLIST ads_init_mods(TALLOC_CTX *ctx); +ADS_STATUS ads_mod_str(TALLOC_CTX *ctx, ADS_MODLIST *mods, + const char *name, const char *val); +ADS_STATUS ads_mod_strlist(TALLOC_CTX *ctx, ADS_MODLIST *mods, + const char *name, const char **vals); +ADS_STATUS ads_gen_mod(ADS_STRUCT *ads, const char *mod_dn, ADS_MODLIST mods); +ADS_STATUS ads_gen_add(ADS_STRUCT *ads, const char *new_dn, ADS_MODLIST mods); +ADS_STATUS ads_del_dn(ADS_STRUCT *ads, char *del_dn); +char *ads_ou_string(ADS_STRUCT *ads, const char *org_unit); +char *ads_default_ou_string(ADS_STRUCT *ads, const char *wknguid); +ADS_STATUS ads_add_strlist(TALLOC_CTX *ctx, ADS_MODLIST *mods, + const char *name, const char **vals); +uint32_t ads_get_kvno(ADS_STRUCT *ads, const char *account_name); +uint32_t ads_get_machine_kvno(ADS_STRUCT *ads, const char *machine_name); + +bool ads_element_in_array(const char **el_array, size_t num_el, const char *el); + +ADS_STATUS ads_get_service_principal_names(TALLOC_CTX *mem_ctx, + ADS_STRUCT *ads, + const char *machine_name, + char ***spn_array, + size_t *num_spns); +ADS_STATUS ads_clear_service_principal_names(ADS_STRUCT *ads, const char *machine_name); +ADS_STATUS ads_add_service_principal_names(ADS_STRUCT *ads, const char *machine_name, + const char **spns); +ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, + const char *machine_name, + const char *machine_password, + const char *org_unit, + uint32_t etype_list, + const char *dns_domain_name); +ADS_STATUS ads_move_machine_acct(ADS_STRUCT *ads, const char *machine_name, + const char *org_unit, bool *moved); +int ads_count_replies(ADS_STRUCT *ads, void *res); +ADS_STATUS ads_USN(ADS_STRUCT *ads, uint32_t *usn); +ADS_STATUS ads_current_time(ADS_STRUCT *ads); +ADS_STATUS ads_domain_func_level(ADS_STRUCT *ads, uint32_t *val); +ADS_STATUS ads_domain_sid(ADS_STRUCT *ads, struct dom_sid *sid); +ADS_STATUS ads_site_dn(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, const char **site_name); +ADS_STATUS ads_site_dn_for_machine(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, const char *computer_name, const char **site_dn); +ADS_STATUS ads_upn_suffixes(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, char ***suffixes, size_t *num_suffixes); +ADS_STATUS ads_get_joinable_ous(ADS_STRUCT *ads, + TALLOC_CTX *mem_ctx, + char ***ous, + size_t *num_ous); +ADS_STATUS ads_get_sid_from_extended_dn(TALLOC_CTX *mem_ctx, + const char *extended_dn, + enum ads_extended_dn_flags flags, + struct dom_sid *sid); +char* ads_get_dnshostname( ADS_STRUCT *ads, TALLOC_CTX *ctx, const char *machine_name ); +ADS_STATUS ads_get_additional_dns_hostnames(TALLOC_CTX *mem_ctx, + ADS_STRUCT *ads, + const char *machine_name, + char ***hostnames_array, + size_t *num_hostnames); +char* ads_get_upn( ADS_STRUCT *ads, TALLOC_CTX *ctx, const char *machine_name ); +bool ads_has_samaccountname( ADS_STRUCT *ads, TALLOC_CTX *ctx, const char *machine_name ); +ADS_STATUS ads_join_realm(ADS_STRUCT *ads, const char *machine_name, + uint32_t account_type, const char *org_unit); +ADS_STATUS ads_leave_realm(ADS_STRUCT *ads, const char *hostname); +ADS_STATUS ads_find_samaccount(ADS_STRUCT *ads, + TALLOC_CTX *mem_ctx, + const char *samaccountname, + uint32_t *uac_ret, + const char **dn_ret); +ADS_STATUS ads_config_path(ADS_STRUCT *ads, + TALLOC_CTX *mem_ctx, + char **config_path); +const char *ads_get_extended_right_name_by_guid(ADS_STRUCT *ads, + const char *config_path, + TALLOC_CTX *mem_ctx, + const struct GUID *rights_guid); +ADS_STATUS ads_check_ou_dn(TALLOC_CTX *mem_ctx, + ADS_STRUCT *ads, + const char **account_ou); + +/* The following definitions come from libads/ldap_printer.c */ + +ADS_STATUS ads_mod_printer_entry(ADS_STRUCT *ads, char *prt_dn, + TALLOC_CTX *ctx, const ADS_MODLIST *mods); +ADS_STATUS ads_add_printer_entry(ADS_STRUCT *ads, char *prt_dn, + TALLOC_CTX *ctx, ADS_MODLIST *mods); +WERROR get_remote_printer_publishing_data(struct rpc_pipe_client *cli, + TALLOC_CTX *mem_ctx, + ADS_MODLIST *mods, + const char *printer); + +/* The following definitions come from libads/ldap_user.c */ + +ADS_STATUS ads_add_user_acct(ADS_STRUCT *ads, const char *user, + const char *container, const char *fullname); +ADS_STATUS ads_add_group_acct(ADS_STRUCT *ads, const char *group, + const char *container, const char *comment); + +/* The following definitions come from libads/ldap_utils.c */ + +ADS_STATUS ads_ranged_search(ADS_STRUCT *ads, + TALLOC_CTX *mem_ctx, + int scope, + const char *base, + const char *filter, + void *args, + const char *range_attr, + char ***strings, + size_t *num_strings); + +/* The following definitions come from libads/sasl.c */ + +ADS_STATUS ads_sasl_bind(ADS_STRUCT *ads); + +/* The following definitions come from libads/sasl_wrapping.c */ + +ADS_STATUS ads_setup_sasl_wrapping(struct ads_saslwrap *wrap, LDAP *ld, + const struct ads_saslwrap_ops *ops, + void *private_data); +void ndr_print_ads_saslwrap_struct(struct ndr_print *ndr, + const char *name, + const struct ads_saslwrap *r); + +/* The following definitions come from libads/util.c */ + +ADS_STATUS ads_change_trust_account_password(ADS_STRUCT *ads, char *host_principal); + +struct spn_struct { + const char *serviceclass; + const char *servicename; + const char *host; + int32_t port; +}; + +/* parse a windows style SPN, returns NULL if parsing fails */ +struct spn_struct *parse_spn(TALLOC_CTX *ctx, const char *srvprinc); + +#endif /* _LIBADS_ADS_PROTO_H_ */ diff --git a/source3/libads/ads_status.c b/source3/libads/ads_status.c new file mode 100644 index 0000000..7056994 --- /dev/null +++ b/source3/libads/ads_status.c @@ -0,0 +1,157 @@ +/* + Unix SMB/CIFS implementation. + ads (active directory) utility library + Copyright (C) Andrew Tridgell 2001 + Copyright (C) Remus Koos 2001 + Copyright (C) Andrew Bartlett 2001 + + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "includes.h" +#include "smb_krb5.h" +#include "system/gssapi.h" +#include "smb_ldap.h" +#include "libads/ads_status.h" + +/* + build a ADS_STATUS structure +*/ +ADS_STATUS ads_build_error(enum ads_error_type etype, + int rc, int minor_status) +{ + ADS_STATUS ret; + + if (etype == ENUM_ADS_ERROR_NT) { + DEBUG(0,("don't use ads_build_error with ENUM_ADS_ERROR_NT!\n")); + ret.err.rc = -1; + ret.error_type = ENUM_ADS_ERROR_SYSTEM; + ret.minor_status = 0; + return ret; + } + + ret.err.rc = rc; + ret.error_type = etype; + ret.minor_status = minor_status; + return ret; +} + +ADS_STATUS ads_build_nt_error(enum ads_error_type etype, + NTSTATUS nt_status) +{ + ADS_STATUS ret; + + if (etype != ENUM_ADS_ERROR_NT) { + DEBUG(0,("don't use ads_build_nt_error without ENUM_ADS_ERROR_NT!\n")); + ret.err.rc = -1; + ret.error_type = ENUM_ADS_ERROR_SYSTEM; + ret.minor_status = 0; + return ret; + } + ret.err.nt_status = nt_status; + ret.error_type = etype; + ret.minor_status = 0; + return ret; +} + +/* + do a rough conversion between ads error codes and NT status codes + we'll need to fill this in more +*/ +NTSTATUS ads_ntstatus(ADS_STATUS status) +{ + switch (status.error_type) { + case ENUM_ADS_ERROR_NT: + return status.err.nt_status; + case ENUM_ADS_ERROR_SYSTEM: + return map_nt_error_from_unix(status.err.rc); +#ifdef HAVE_LDAP + case ENUM_ADS_ERROR_LDAP: + if (status.err.rc == LDAP_SUCCESS) { + return NT_STATUS_OK; + } + if (status.err.rc == LDAP_TIMELIMIT_EXCEEDED) { + return NT_STATUS_IO_TIMEOUT; + } + return NT_STATUS_LDAP(status.err.rc); +#endif +#ifdef HAVE_KRB5 + case ENUM_ADS_ERROR_KRB5: + return krb5_to_nt_status(status.err.rc); +#endif + default: + break; + } + + if (ADS_ERR_OK(status)) { + return NT_STATUS_OK; + } + return NT_STATUS_UNSUCCESSFUL; +} + +/* + return a string for an error from a ads routine +*/ +const char *ads_errstr(ADS_STATUS status) +{ + switch (status.error_type) { + case ENUM_ADS_ERROR_SYSTEM: + return strerror(status.err.rc); +#ifdef HAVE_LDAP + case ENUM_ADS_ERROR_LDAP: + return ldap_err2string(status.err.rc); +#endif +#ifdef HAVE_KRB5 + case ENUM_ADS_ERROR_KRB5: + return error_message(status.err.rc); + case ENUM_ADS_ERROR_GSS: + { + char *ret; + uint32_t msg_ctx; + uint32_t minor; + gss_buffer_desc msg1, msg2; + + msg_ctx = 0; + + msg1.value = NULL; + msg2.value = NULL; + gss_display_status(&minor, status.err.rc, GSS_C_GSS_CODE, + GSS_C_NULL_OID, &msg_ctx, &msg1); + gss_display_status(&minor, status.minor_status, GSS_C_MECH_CODE, + GSS_C_NULL_OID, &msg_ctx, &msg2); + ret = talloc_asprintf(talloc_tos(), "%s : %s", + (char *)msg1.value, (char *)msg2.value); + SMB_ASSERT(ret != NULL); + gss_release_buffer(&minor, &msg1); + gss_release_buffer(&minor, &msg2); + return ret; + } +#endif + case ENUM_ADS_ERROR_NT: + return get_friendly_nt_error_msg(ads_ntstatus(status)); + default: + return "Unknown ADS error type!? (not compiled in?)"; + } +} + +#ifdef HAVE_KRB5 +NTSTATUS gss_err_to_ntstatus(uint32_t maj, uint32_t min) +{ + ADS_STATUS adss = ADS_ERROR_GSS(maj, min); + DEBUG(10,("gss_err_to_ntstatus: Error %s\n", + ads_errstr(adss) )); + return ads_ntstatus(adss); +} +#endif diff --git a/source3/libads/ads_status.h b/source3/libads/ads_status.h new file mode 100644 index 0000000..2ff4ef0 --- /dev/null +++ b/source3/libads/ads_status.h @@ -0,0 +1,68 @@ +/* + Unix SMB/CIFS implementation. + ads (active directory) utility library + Copyright (C) Andrew Tridgell 2001 + Copyright (C) Remus Koos 2001 + Copyright (C) Andrew Bartlett 2001 + + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#ifndef _LIBADS_ADS_STATUS_H_ +#define _LIBADS_ADS_STATUS_H_ + +/* there are 5 possible types of errors the ads subsystem can produce */ +enum ads_error_type {ENUM_ADS_ERROR_KRB5, ENUM_ADS_ERROR_GSS, + ENUM_ADS_ERROR_LDAP, ENUM_ADS_ERROR_SYSTEM, ENUM_ADS_ERROR_NT}; + +typedef struct { + enum ads_error_type error_type; + union err_state{ + int rc; + NTSTATUS nt_status; + } err; + /* For error_type = ENUM_ADS_ERROR_GSS minor_status describe GSS API error */ + /* Where rc represents major_status of GSS API error */ + int minor_status; +} ADS_STATUS; + +/* macros to simplify error returning */ +#define ADS_ERROR(rc) ADS_ERROR_LDAP(rc) +#define ADS_ERROR_LDAP(rc) ads_build_error(ENUM_ADS_ERROR_LDAP, rc, 0) +#define ADS_ERROR_SYSTEM(rc) ads_build_error(ENUM_ADS_ERROR_SYSTEM, rc?rc:EINVAL, 0) +#define ADS_ERROR_KRB5(rc) ads_build_error(ENUM_ADS_ERROR_KRB5, rc, 0) +#define ADS_ERROR_GSS(rc, minor) ads_build_error(ENUM_ADS_ERROR_GSS, rc, minor) +#define ADS_ERROR_NT(rc) ads_build_nt_error(ENUM_ADS_ERROR_NT,rc) + +#define ADS_ERR_OK(status) ((status.error_type == ENUM_ADS_ERROR_NT) ? NT_STATUS_IS_OK(status.err.nt_status):(status.err.rc == 0)) +#define ADS_SUCCESS ADS_ERROR(0) + +#define ADS_ERROR_HAVE_NO_MEMORY(x) do { \ + if (!(x)) {\ + return ADS_ERROR(LDAP_NO_MEMORY);\ + }\ +} while (0) + +/* The following definitions come from libads/ads_status.c */ + +ADS_STATUS ads_build_error(enum ads_error_type etype, + int rc, int minor_status); +ADS_STATUS ads_build_nt_error(enum ads_error_type etype, + NTSTATUS nt_status); +NTSTATUS ads_ntstatus(ADS_STATUS status); +const char *ads_errstr(ADS_STATUS status); +NTSTATUS gss_err_to_ntstatus(uint32_t maj, uint32_t min); + +#endif /* _LIBADS_ADS_STATUS_H_ */ diff --git a/source3/libads/ads_struct.c b/source3/libads/ads_struct.c new file mode 100644 index 0000000..97f84d1 --- /dev/null +++ b/source3/libads/ads_struct.c @@ -0,0 +1,239 @@ +/* + Unix SMB/CIFS implementation. + ads (active directory) utility library + Copyright (C) Andrew Tridgell 2001 + Copyright (C) Andrew Bartlett 2001 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "includes.h" +#include "ads.h" + +/* return a ldap dn path from a string, given separators and field name + caller must free +*/ +ADS_STATUS ads_build_path(const char *realm, + const char *sep, + const char *field, + int reverse, + char **_path) +{ + char *p, *r; + int numbits = 0; + char *ret; + int len; + char *saveptr; + + *_path = NULL; + + r = SMB_STRDUP(realm); + if (r == NULL) { + return ADS_ERROR_NT(NT_STATUS_NO_MEMORY); + } + + for (p=r; *p; p++) { + if (strchr(sep, *p)) { + numbits++; + } + } + + len = (numbits+1)*(strlen(field)+1) + strlen(r) + 1; + + ret = (char *)SMB_MALLOC(len); + if (!ret) { + free(r); + return ADS_ERROR_NT(NT_STATUS_NO_MEMORY); + } + + if (strlcpy(ret,field, len) >= len) { + /* Truncate ! */ + free(r); + free(ret); + return ADS_ERROR_NT(NT_STATUS_NO_MEMORY); + } + p=strtok_r(r, sep, &saveptr); + if (p) { + if (strlcat(ret, p, len) >= len) { + free(r); + free(ret); + return ADS_ERROR_NT(NT_STATUS_NO_MEMORY); + } + + while ((p=strtok_r(NULL, sep, &saveptr)) != NULL) { + int retval; + char *s = NULL; + if (reverse) + retval = asprintf(&s, "%s%s,%s", field, p, ret); + else + retval = asprintf(&s, "%s,%s%s", ret, field, p); + free(ret); + if (retval == -1) { + free(r); + return ADS_ERROR_NT(NT_STATUS_NO_MEMORY); + } + ret = SMB_STRDUP(s); + free(s); + } + } + + free(r); + + *_path = ret; + + return ADS_ERROR_NT(NT_STATUS_OK); +} + +/* return a dn of the form "dc=AA,dc=BB,dc=CC" from a + realm of the form AA.BB.CC + caller must free +*/ +ADS_STATUS ads_build_dn(const char *realm, TALLOC_CTX *mem_ctx, char **_dn) +{ + ADS_STATUS status; + char *dn = NULL; + + status = ads_build_path(realm, ".", "dc=", 0, &dn); + if (!ADS_ERR_OK(status)) { + SAFE_FREE(dn); + return status; + } + + *_dn = talloc_strdup(mem_ctx, dn); + SAFE_FREE(dn); + if (*_dn == NULL) { + return ADS_ERROR_NT(NT_STATUS_NO_MEMORY); + } + + return ADS_ERROR_NT(NT_STATUS_OK); +} + +/* return a DNS name in the for aa.bb.cc from the DN + "dc=AA,dc=BB,dc=CC". caller must free +*/ +char *ads_build_domain(const char *dn) +{ + char *dnsdomain = NULL; + + /* result should always be shorter than the DN */ + + if ( (dnsdomain = SMB_STRDUP( dn )) == NULL ) { + DEBUG(0,("ads_build_domain: malloc() failed!\n")); + return NULL; + } + + if (!strlower_m( dnsdomain )) { + SAFE_FREE(dnsdomain); + return NULL; + } + + all_string_sub( dnsdomain, "dc=", "", 0); + all_string_sub( dnsdomain, ",", ".", 0 ); + + return dnsdomain; +} + +static int ads_destructor(ADS_STRUCT *ads) +{ +#ifdef HAVE_LDAP + ads_disconnect(ads); +#endif + return 0; +} + +/* + initialise a ADS_STRUCT, ready for some ads_ ops +*/ +ADS_STRUCT *ads_init(TALLOC_CTX *mem_ctx, + const char *realm, + const char *workgroup, + const char *ldap_server, + enum ads_sasl_state_e sasl_state) +{ + ADS_STRUCT *ads = NULL; + int wrap_flags; + + ads = talloc_zero(mem_ctx, ADS_STRUCT); + if (ads == NULL) { + return NULL; + } + talloc_set_destructor(ads, ads_destructor); + +#ifdef HAVE_LDAP + ads_zero_ldap(ads); +#endif + + ads->server.realm = talloc_strdup(ads, realm); + if (realm != NULL && ads->server.realm == NULL) { + DBG_WARNING("Out of memory\n"); + TALLOC_FREE(ads); + return NULL; + } + + ads->server.workgroup = talloc_strdup(ads, workgroup); + if (workgroup != NULL && ads->server.workgroup == NULL) { + DBG_WARNING("Out of memory\n"); + TALLOC_FREE(ads); + return NULL; + } + + ads->server.ldap_server = talloc_strdup(ads, ldap_server); + if (ldap_server != NULL && ads->server.ldap_server == NULL) { + DBG_WARNING("Out of memory\n"); + TALLOC_FREE(ads); + return NULL; + } + + wrap_flags = lp_client_ldap_sasl_wrapping(); + if (wrap_flags == -1) { + wrap_flags = 0; + } + + switch (sasl_state) { + case ADS_SASL_PLAIN: + break; + case ADS_SASL_SIGN: + wrap_flags |= ADS_AUTH_SASL_SIGN; + break; + case ADS_SASL_SEAL: + wrap_flags |= ADS_AUTH_SASL_SEAL; + break; + } + + ads->auth.flags = wrap_flags; + + /* Start with the configured page size when the connection is new, + * we will drop it by half we get a timeout. */ + ads->config.ldap_page_size = lp_ldap_page_size(); + + return ads; +} + +/**************************************************************** +****************************************************************/ + +bool ads_set_sasl_wrap_flags(ADS_STRUCT *ads, unsigned flags) +{ + unsigned other_flags; + + if (!ads) { + return false; + } + + other_flags = ads->auth.flags & ~(ADS_AUTH_SASL_SIGN|ADS_AUTH_SASL_SEAL); + + ads->auth.flags = flags | other_flags; + + return true; +} diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c new file mode 100644 index 0000000..10adc3e --- /dev/null +++ b/source3/libads/authdata.c @@ -0,0 +1,323 @@ +/* + Unix SMB/CIFS implementation. + kerberos authorization data (PAC) utility library + Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003 + Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005 + Copyright (C) Andrew Tridgell 2001 + Copyright (C) Luke Howard 2002-2003 + Copyright (C) Stefan Metzmacher 2004-2005 + Copyright (C) Guenther Deschner 2005,2007,2008 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "includes.h" +#include "librpc/gen_ndr/ndr_krb5pac.h" +#include "smb_krb5.h" +#include "libads/kerberos_proto.h" +#include "auth/common_auth.h" +#include "lib/param/param.h" +#include "librpc/crypto/gse.h" +#include "auth/gensec/gensec.h" +#include "auth/gensec/gensec_internal.h" /* TODO: remove this */ +#include "../libcli/auth/spnego.h" +#include "lib/util/asn1.h" + +#ifdef HAVE_KRB5 + +#include "auth/kerberos/pac_utils.h" + +struct smb_krb5_context; + +/* + generate a krb5 GSS-API wrapper packet given a ticket +*/ +static DATA_BLOB spnego_gen_krb5_wrap( + TALLOC_CTX *ctx, const DATA_BLOB ticket, const uint8_t tok_id[2]) +{ + ASN1_DATA *data; + DATA_BLOB ret = data_blob_null; + + data = asn1_init(talloc_tos(), ASN1_MAX_TREE_DEPTH); + if (data == NULL) { + return data_blob_null; + } + + if (!asn1_push_tag(data, ASN1_APPLICATION(0))) goto err; + if (!asn1_write_OID(data, OID_KERBEROS5)) goto err; + + if (!asn1_write(data, tok_id, 2)) goto err; + if (!asn1_write(data, ticket.data, ticket.length)) goto err; + if (!asn1_pop_tag(data)) goto err; + + if (!asn1_extract_blob(data, ctx, &ret)) { + goto err; + } + + asn1_free(data); + data = NULL; + + err: + + if (data != NULL) { + if (asn1_has_error(data)) { + DEBUG(1, ("Failed to build krb5 wrapper at offset %d\n", + (int)asn1_current_ofs(data))); + } + + asn1_free(data); + } + + return ret; +} + +/* + * Given the username/password, do a kinit, store the ticket in + * cache_name if specified, and return the PAC_LOGON_INFO (the + * structure containing the important user information such as + * groups). + */ +NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, + const char *name, + const char *pass, + time_t time_offset, + time_t *expire_time, + time_t *renew_till_time, + const char *cache_name, + bool request_pac, + bool add_netbios_addr, + time_t renewable_time, + const char *impersonate_princ_s, + const char *local_service, + char **_canon_principal, + char **_canon_realm, + struct PAC_DATA_CTR **_pac_data_ctr) +{ + krb5_error_code ret; + NTSTATUS status = NT_STATUS_INVALID_PARAMETER; + DATA_BLOB tkt = data_blob_null; + DATA_BLOB tkt_wrapped = data_blob_null; + DATA_BLOB ap_rep = data_blob_null; + DATA_BLOB sesskey1 = data_blob_null; + const char *auth_princ = NULL; + const char *cc = "MEMORY:kerberos_return_pac"; + struct auth_session_info *session_info; + struct gensec_security *gensec_server_context; + const struct gensec_security_ops **backends; + struct gensec_settings *gensec_settings; + size_t idx = 0; + struct auth4_context *auth_context; + struct loadparm_context *lp_ctx; + struct PAC_DATA_CTR *pac_data_ctr = NULL; + char *canon_principal = NULL; + char *canon_realm = NULL; + + TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); + NT_STATUS_HAVE_NO_MEMORY(tmp_ctx); + + ZERO_STRUCT(tkt); + ZERO_STRUCT(ap_rep); + ZERO_STRUCT(sesskey1); + + if (!name || !pass) { + status = NT_STATUS_INVALID_PARAMETER; + goto out; + } + + if (_canon_principal != NULL) { + *_canon_principal = NULL; + } + + if (_canon_realm != NULL) { + *_canon_realm = NULL; + } + + if (cache_name) { + cc = cache_name; + } + + if (!strchr_m(name, '@')) { + auth_princ = talloc_asprintf(mem_ctx, "%s@%s", name, + lp_realm()); + } else { + auth_princ = name; + } + NT_STATUS_HAVE_NO_MEMORY(auth_princ); + + ret = kerberos_kinit_password_ext(auth_princ, + pass, + time_offset, + expire_time, + renew_till_time, + cc, + request_pac, + add_netbios_addr, + renewable_time, + tmp_ctx, + &canon_principal, + &canon_realm, + &status); + if (ret) { + DEBUG(1,("kinit failed for '%s' with: %s (%d)\n", + auth_princ, error_message(ret), ret)); + /* status already set */ + goto out; + } + + DEBUG(10,("got TGT for %s in %s\n", auth_princ, cc)); + if (expire_time) { + DEBUGADD(10,("\tvalid until: %s (%d)\n", + http_timestring(talloc_tos(), *expire_time), + (int)*expire_time)); + } + if (renew_till_time) { + DEBUGADD(10,("\trenewable till: %s (%d)\n", + http_timestring(talloc_tos(), *renew_till_time), + (int)*renew_till_time)); + } + + /* we cannot continue with krb5 when UF_DONT_REQUIRE_PREAUTH is set, + * in that case fallback to NTLM - gd */ + + if (expire_time && renew_till_time && + (*expire_time == 0) && (*renew_till_time == 0)) { + status = NT_STATUS_INVALID_LOGON_TYPE; + goto out; + } + + ret = ads_krb5_cli_get_ticket(mem_ctx, + local_service, + time_offset, + &tkt, + &sesskey1, + 0, + cc, + NULL, + impersonate_princ_s); + if (ret) { + DEBUG(1,("failed to get ticket for %s: %s\n", + local_service, error_message(ret))); + if (impersonate_princ_s) { + DEBUGADD(1,("tried S4U2SELF impersonation as: %s\n", + impersonate_princ_s)); + } + status = krb5_to_nt_status(ret); + goto out; + } + + /* wrap that up in a nice GSS-API wrapping */ + tkt_wrapped = spnego_gen_krb5_wrap(tmp_ctx, tkt, TOK_ID_KRB_AP_REQ); + if (tkt_wrapped.data == NULL) { + status = NT_STATUS_NO_MEMORY; + goto out; + } + + auth_context = auth4_context_for_PAC_DATA_CTR(tmp_ctx); + if (auth_context == NULL) { + status = NT_STATUS_NO_MEMORY; + goto out; + } + + lp_ctx = loadparm_init_s3(tmp_ctx, loadparm_s3_helpers()); + if (lp_ctx == NULL) { + status = NT_STATUS_INVALID_SERVER_STATE; + DEBUG(10, ("loadparm_init_s3 failed\n")); + goto out; + } + + gensec_settings = lpcfg_gensec_settings(tmp_ctx, lp_ctx); + if (gensec_settings == NULL) { + status = NT_STATUS_NO_MEMORY; + DEBUG(10, ("lpcfg_gensec_settings failed\n")); + goto out; + } + + backends = talloc_zero_array(gensec_settings, + const struct gensec_security_ops *, 2); + if (backends == NULL) { + status = NT_STATUS_NO_MEMORY; + goto out; + } + gensec_settings->backends = backends; + + gensec_init(); + + backends[idx++] = &gensec_gse_krb5_security_ops; + + status = gensec_server_start(tmp_ctx, gensec_settings, + auth_context, &gensec_server_context); + + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, (__location__ "Failed to start server-side GENSEC to validate a Kerberos ticket: %s\n", nt_errstr(status))); + goto out; + } + + talloc_unlink(tmp_ctx, lp_ctx); + talloc_unlink(tmp_ctx, gensec_settings); + talloc_unlink(tmp_ctx, auth_context); + + /* Session info is not complete, do not pass to auth log */ + gensec_want_feature(gensec_server_context, GENSEC_FEATURE_NO_AUTHZ_LOG); + + status = gensec_start_mech_by_oid(gensec_server_context, GENSEC_OID_KERBEROS5); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, (__location__ "Failed to start server-side GENSEC krb5 to validate a Kerberos ticket: %s\n", nt_errstr(status))); + goto out; + } + + /* Do a client-server update dance */ + status = gensec_update(gensec_server_context, tmp_ctx, tkt_wrapped, &ap_rep); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("gensec_update() failed: %s\n", nt_errstr(status))); + goto out; + } + + /* Now return the PAC information to the callers. We ignore + * the session_info and instead pick out the PAC via the + * private_data on the auth_context */ + status = gensec_session_info(gensec_server_context, tmp_ctx, &session_info); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Unable to obtain PAC via gensec_session_info\n")); + goto out; + } + + pac_data_ctr = auth4_context_get_PAC_DATA_CTR(auth_context, mem_ctx); + if (pac_data_ctr == NULL) { + DEBUG(1,("no PAC\n")); + status = NT_STATUS_INVALID_PARAMETER; + goto out; + } + + *_pac_data_ctr = talloc_move(mem_ctx, &pac_data_ctr); + if (_canon_principal != NULL) { + *_canon_principal = talloc_move(mem_ctx, &canon_principal); + } + if (_canon_realm != NULL) { + *_canon_realm = talloc_move(mem_ctx, &canon_realm); + } + +out: + talloc_free(tmp_ctx); + if (cc != cache_name) { + ads_kdestroy(cc); + } + + data_blob_free(&tkt); + data_blob_free(&ap_rep); + data_blob_free(&sesskey1); + + return status; +} + +#endif diff --git a/source3/libads/cldap.c b/source3/libads/cldap.c new file mode 100644 index 0000000..56c2537 --- /dev/null +++ b/source3/libads/cldap.c @@ -0,0 +1,453 @@ +/* + Samba Unix/Linux SMB client library + net ads cldap functions + Copyright (C) 2001 Andrew Tridgell (tridge@samba.org) + Copyright (C) 2003 Jim McDonough (jmcd@us.ibm.com) + Copyright (C) 2008 Guenther Deschner (gd@samba.org) + Copyright (C) 2009 Stefan Metzmacher (metze@samba.org) + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "includes.h" +#include "../libcli/cldap/cldap.h" +#include "../librpc/gen_ndr/ndr_netlogon.h" +#include "../lib/tsocket/tsocket.h" +#include "../lib/util/tevent_ntstatus.h" +#include "libads/cldap.h" + +struct cldap_multi_netlogon_state { + struct tevent_context *ev; + const struct tsocket_address * const *servers; + int num_servers; + const char *domain; + const char *hostname; + unsigned ntversion; + int min_servers; + + struct cldap_socket **cldap; + struct tevent_req **subreqs; + int num_sent; + int num_received; + int num_good_received; + struct cldap_netlogon *ios; + struct netlogon_samlogon_response **responses; +}; + +static void cldap_multi_netlogon_done(struct tevent_req *subreq); +static void cldap_multi_netlogon_next(struct tevent_req *subreq); + +/**************************************************************** +****************************************************************/ + +#define RETURN_ON_FALSE(x) if (!(x)) return false; + +bool check_cldap_reply_required_flags(uint32_t ret_flags, + uint32_t req_flags) +{ + if (req_flags == 0) { + return true; + } + + if (req_flags & DS_PDC_REQUIRED) + RETURN_ON_FALSE(ret_flags & NBT_SERVER_PDC); + + if (req_flags & DS_GC_SERVER_REQUIRED) + RETURN_ON_FALSE(ret_flags & NBT_SERVER_GC); + + if (req_flags & DS_ONLY_LDAP_NEEDED) + RETURN_ON_FALSE(ret_flags & NBT_SERVER_LDAP); + + if ((req_flags & DS_DIRECTORY_SERVICE_REQUIRED) || + (req_flags & DS_DIRECTORY_SERVICE_PREFERRED)) + RETURN_ON_FALSE(ret_flags & NBT_SERVER_DS); + + if (req_flags & DS_KDC_REQUIRED) + RETURN_ON_FALSE(ret_flags & NBT_SERVER_KDC); + + if (req_flags & DS_TIMESERV_REQUIRED) + RETURN_ON_FALSE(ret_flags & NBT_SERVER_TIMESERV); + + if (req_flags & DS_WEB_SERVICE_REQUIRED) + RETURN_ON_FALSE(ret_flags & NBT_SERVER_ADS_WEB_SERVICE); + + if (req_flags & DS_WRITABLE_REQUIRED) + RETURN_ON_FALSE(ret_flags & NBT_SERVER_WRITABLE); + + if (req_flags & DS_DIRECTORY_SERVICE_6_REQUIRED) + RETURN_ON_FALSE(ret_flags & (NBT_SERVER_SELECT_SECRET_DOMAIN_6 + |NBT_SERVER_FULL_SECRET_DOMAIN_6)); + + if (req_flags & DS_DIRECTORY_SERVICE_8_REQUIRED) + RETURN_ON_FALSE(ret_flags & NBT_SERVER_DS_8); + + if (req_flags & DS_DIRECTORY_SERVICE_9_REQUIRED) + RETURN_ON_FALSE(ret_flags & NBT_SERVER_DS_9); + + if (req_flags & DS_DIRECTORY_SERVICE_10_REQUIRED) + RETURN_ON_FALSE(ret_flags & NBT_SERVER_DS_10); + + return true; +} + +/* + * Do a parallel cldap ping to the servers. The first "min_servers" + * are fired directly, the remaining ones in 100msec intervals. If + * "min_servers" responses came in successfully, we immediately reply, + * not waiting for the remaining ones. + */ + +struct tevent_req *cldap_multi_netlogon_send( + TALLOC_CTX *mem_ctx, struct tevent_context *ev, + const struct tsocket_address * const *servers, int num_servers, + const char *domain, const char *hostname, unsigned ntversion, + int min_servers) +{ + struct tevent_req *req, *subreq; + struct cldap_multi_netlogon_state *state; + int i; + + req = tevent_req_create(mem_ctx, &state, + struct cldap_multi_netlogon_state); + if (req == NULL) { + return NULL; + } + state->ev = ev; + state->servers = servers; + state->num_servers = num_servers; + state->domain = domain; + state->hostname = hostname; + state->ntversion = ntversion; + state->min_servers = min_servers; + + if (min_servers > num_servers) { + tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER); + return tevent_req_post(req, ev); + } + + state->subreqs = talloc_zero_array(state, + struct tevent_req *, + num_servers); + if (tevent_req_nomem(state->subreqs, req)) { + return tevent_req_post(req, ev); + } + + state->cldap = talloc_zero_array(state, + struct cldap_socket *, + num_servers); + if (tevent_req_nomem(state->cldap, req)) { + return tevent_req_post(req, ev); + } + + state->responses = talloc_zero_array(state, + struct netlogon_samlogon_response *, + num_servers); + if (tevent_req_nomem(state->responses, req)) { + return tevent_req_post(req, ev); + } + + state->ios = talloc_zero_array(state->responses, + struct cldap_netlogon, + num_servers); + if (tevent_req_nomem(state->ios, req)) { + return tevent_req_post(req, ev); + } + + for (i=0; i<num_servers; i++) { + NTSTATUS status; + + status = cldap_socket_init(state->cldap, + NULL, /* local_addr */ + state->servers[i], + &state->cldap[i]); + if (!NT_STATUS_IS_OK(status)) { + /* + * Don't error out all sends just + * because one cldap_socket_init() failed. + * Log it here, and the cldap_netlogon_send() + * will catch it (with in.dest_address == NULL) + * and correctly error out in + * cldap_multi_netlogon_done(). This still allows + * the other requests to be concurrently sent. + */ + DBG_NOTICE("cldap_socket_init failed for %s " + " error %s\n", + tsocket_address_string(state->servers[i], + req), + nt_errstr(status)); + } + + state->ios[i].in.dest_address = NULL; + state->ios[i].in.dest_port = 0; + state->ios[i].in.realm = domain; + state->ios[i].in.host = NULL; + state->ios[i].in.user = NULL; + state->ios[i].in.domain_guid = NULL; + state->ios[i].in.domain_sid = NULL; + state->ios[i].in.acct_control = 0; + state->ios[i].in.version = ntversion; + state->ios[i].in.map_response = false; + } + + for (i=0; i<min_servers; i++) { + state->subreqs[i] = cldap_netlogon_send(state->subreqs, + state->ev, + state->cldap[i], + &state->ios[i]); + if (tevent_req_nomem(state->subreqs[i], req)) { + return tevent_req_post(req, ev); + } + tevent_req_set_callback( + state->subreqs[i], cldap_multi_netlogon_done, req); + } + state->num_sent = min_servers; + + if (state->num_sent < state->num_servers) { + /* + * After 100 milliseconds fire the next one + */ + subreq = tevent_wakeup_send(state, state->ev, + timeval_current_ofs(0, 100000)); + if (tevent_req_nomem(subreq, req)) { + return tevent_req_post(req, ev); + } + tevent_req_set_callback(subreq, cldap_multi_netlogon_next, + req); + } + + return req; +} + +static void cldap_multi_netlogon_done(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data( + subreq, struct tevent_req); + struct cldap_multi_netlogon_state *state = tevent_req_data( + req, struct cldap_multi_netlogon_state); + NTSTATUS status; + struct netlogon_samlogon_response *response; + int i; + + for (i=0; i<state->num_sent; i++) { + if (state->subreqs[i] == subreq) { + break; + } + } + if (i == state->num_sent) { + /* + * Got a response we did not fire... + */ + tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR); + return; + } + state->subreqs[i] = NULL; + + response = talloc_zero(state, struct netlogon_samlogon_response); + if (tevent_req_nomem(response, req)) { + return; + } + + status = cldap_netlogon_recv(subreq, response, + &state->ios[i]); + TALLOC_FREE(subreq); + state->num_received += 1; + + if (NT_STATUS_IS_OK(status)) { + *response = state->ios[i].out.netlogon; + state->responses[i] = talloc_move(state->responses, + &response); + state->num_good_received += 1; + } + + if ((state->num_received == state->num_servers) || + (state->num_good_received >= state->min_servers)) { + tevent_req_done(req); + return; + } +} + +static void cldap_multi_netlogon_next(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data( + subreq, struct tevent_req); + struct cldap_multi_netlogon_state *state = tevent_req_data( + req, struct cldap_multi_netlogon_state); + bool ret; + + ret = tevent_wakeup_recv(subreq); + TALLOC_FREE(subreq); + if (!ret) { + tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR); + return; + } + + subreq = cldap_netlogon_send(state->subreqs, + state->ev, + state->cldap[state->num_sent], + &state->ios[state->num_sent]); + if (tevent_req_nomem(subreq, req)) { + return; + } + tevent_req_set_callback(subreq, cldap_multi_netlogon_done, req); + state->subreqs[state->num_sent] = subreq; + state->num_sent += 1; + + if (state->num_sent < state->num_servers) { + /* + * After 100 milliseconds fire the next one + */ + subreq = tevent_wakeup_send(state, state->ev, + timeval_current_ofs(0, 100000)); + if (tevent_req_nomem(subreq, req)) { + return; + } + tevent_req_set_callback(subreq, cldap_multi_netlogon_next, + req); + } +} + +NTSTATUS cldap_multi_netlogon_recv( + struct tevent_req *req, TALLOC_CTX *mem_ctx, + struct netlogon_samlogon_response ***responses) +{ + struct cldap_multi_netlogon_state *state = tevent_req_data( + req, struct cldap_multi_netlogon_state); + NTSTATUS status; + + if (tevent_req_is_nterror(req, &status) && + !NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT)) { + return status; + } + /* + * If we timeout, give back what we have so far + */ + *responses = talloc_move(mem_ctx, &state->responses); + return NT_STATUS_OK; +} + +NTSTATUS cldap_multi_netlogon( + TALLOC_CTX *mem_ctx, + const struct tsocket_address * const *servers, + int num_servers, + const char *domain, const char *hostname, unsigned ntversion, + int min_servers, struct timeval timeout, + struct netlogon_samlogon_response ***responses) +{ + struct tevent_context *ev; + struct tevent_req *req; + NTSTATUS status = NT_STATUS_NO_MEMORY; + + ev = samba_tevent_context_init(talloc_tos()); + if (ev == NULL) { + goto fail; + } + req = cldap_multi_netlogon_send( + ev, ev, servers, num_servers, domain, hostname, ntversion, + min_servers); + if (req == NULL) { + goto fail; + } + if (!tevent_req_set_endtime(req, ev, timeout)) { + goto fail; + } + if (!tevent_req_poll_ntstatus(req, ev, &status)) { + goto fail; + } + status = cldap_multi_netlogon_recv(req, mem_ctx, responses); +fail: + TALLOC_FREE(ev); + return status; +} + +/******************************************************************* + do a cldap netlogon query. Always 389/udp +*******************************************************************/ + +bool ads_cldap_netlogon(TALLOC_CTX *mem_ctx, + struct sockaddr_storage *ss, + const char *realm, + uint32_t nt_version, + struct netlogon_samlogon_response **_reply) +{ + NTSTATUS status; + char addrstr[INET6_ADDRSTRLEN]; + const char *dest_str; + struct tsocket_address *dest_addr; + const struct tsocket_address * const *dest_addrs; + struct netlogon_samlogon_response **responses = NULL; + int ret; + + dest_str = print_sockaddr(addrstr, sizeof(addrstr), ss); + + ret = tsocket_address_inet_from_strings(mem_ctx, "ip", + dest_str, LDAP_PORT, + &dest_addr); + if (ret != 0) { + status = map_nt_error_from_unix(errno); + DEBUG(2,("Failed to create cldap tsocket_address for %s - %s\n", + dest_str, nt_errstr(status))); + return false; + } + + dest_addrs = (const struct tsocket_address * const *)&dest_addr; + + status = cldap_multi_netlogon(talloc_tos(), + dest_addrs, 1, + realm, NULL, + nt_version, 1, + timeval_current_ofs(MAX(3,lp_ldap_timeout()/2), 0), + &responses); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(2, ("ads_cldap_netlogon: cldap_multi_netlogon " + "failed: %s\n", nt_errstr(status))); + return false; + } + if (responses == NULL || responses[0] == NULL) { + DEBUG(2, ("ads_cldap_netlogon: did not get a reply\n")); + TALLOC_FREE(responses); + return false; + } + *_reply = talloc_move(mem_ctx, &responses[0]); + + return true; +} + +/******************************************************************* + do a cldap netlogon query. Always 389/udp +*******************************************************************/ + +bool ads_cldap_netlogon_5(TALLOC_CTX *mem_ctx, + struct sockaddr_storage *ss, + const char *realm, + struct NETLOGON_SAM_LOGON_RESPONSE_EX *reply5) +{ + uint32_t nt_version = NETLOGON_NT_VERSION_5 | NETLOGON_NT_VERSION_5EX; + struct netlogon_samlogon_response *reply = NULL; + bool ret; + + ret = ads_cldap_netlogon(mem_ctx, ss, realm, nt_version, &reply); + if (!ret) { + return false; + } + + if (reply->ntver != NETLOGON_NT_VERSION_5EX) { + DEBUG(0,("ads_cldap_netlogon_5: nt_version mismatch: 0x%08x\n", + reply->ntver)); + return false; + } + + *reply5 = reply->data.nt5_ex; + + return true; +} diff --git a/source3/libads/cldap.h b/source3/libads/cldap.h new file mode 100644 index 0000000..7fa1bdf --- /dev/null +++ b/source3/libads/cldap.h @@ -0,0 +1,60 @@ +/* + Samba Unix/Linux SMB client library + net ads cldap functions + Copyright (C) 2001 Andrew Tridgell (tridge@samba.org) + Copyright (C) 2003 Jim McDonough (jmcd@us.ibm.com) + Copyright (C) 2008 Guenther Deschner (gd@samba.org) + Copyright (C) 2009 Stefan Metzmacher (metze@samba.org) + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#ifndef _LIBADS_CLDAP_H_ +#define _LIBADS_CLDAP_H_ + +#include "../libcli/netlogon/netlogon.h" + +/* The following definitions come from libads/cldap.c */ + +bool check_cldap_reply_required_flags(uint32_t ret_flags, + uint32_t req_flags); + +struct tevent_req *cldap_multi_netlogon_send( + TALLOC_CTX *mem_ctx, struct tevent_context *ev, + const struct tsocket_address * const *servers, + int num_servers, + const char *domain, const char *hostname, unsigned ntversion, + int min_servers); +NTSTATUS cldap_multi_netlogon_recv( + struct tevent_req *req, TALLOC_CTX *mem_ctx, + struct netlogon_samlogon_response ***responses); +NTSTATUS cldap_multi_netlogon( + TALLOC_CTX *mem_ctx, + const struct tsocket_address * const *servers, + int num_servers, + const char *domain, const char *hostname, unsigned ntversion, + int min_servers, struct timeval timeout, + struct netlogon_samlogon_response ***responses); + +bool ads_cldap_netlogon(TALLOC_CTX *mem_ctx, + struct sockaddr_storage *ss, + const char *realm, + uint32_t nt_version, + struct netlogon_samlogon_response **reply); +bool ads_cldap_netlogon_5(TALLOC_CTX *mem_ctx, + struct sockaddr_storage *ss, + const char *realm, + struct NETLOGON_SAM_LOGON_RESPONSE_EX *reply5); + +#endif /* _LIBADS_CLDAP_H_ */ diff --git a/source3/libads/disp_sec.c b/source3/libads/disp_sec.c new file mode 100644 index 0000000..a193c5b --- /dev/null +++ b/source3/libads/disp_sec.c @@ -0,0 +1,254 @@ +/* + Unix SMB/CIFS implementation. + Samba utility functions. ADS stuff + Copyright (C) Alexey Kotovich 2002 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "includes.h" +#include "ads.h" +#include "libads/ldap_schema.h" +#include "../libcli/security/secace.h" +#include "../librpc/ndr/libndr.h" +#include "libcli/security/dom_sid.h" + +/* for ADS */ +#define SEC_RIGHTS_FULL_CTRL 0xf01ff + +#ifdef HAVE_LDAP + +static struct perm_mask_str { + uint32_t mask; + const char *str; +} perms[] = { + {SEC_RIGHTS_FULL_CTRL, "[Full Control]"}, + + {SEC_ADS_LIST, "[List Contents]"}, + {SEC_ADS_LIST_OBJECT, "[List Object]"}, + + {SEC_ADS_READ_PROP, "[Read All Properties]"}, + {SEC_STD_READ_CONTROL, "[Read Permissions]"}, + + {SEC_ADS_SELF_WRITE, "[All validate writes]"}, + {SEC_ADS_WRITE_PROP, "[Write All Properties]"}, + + {SEC_STD_WRITE_DAC, "[Modify Permissions]"}, + {SEC_STD_WRITE_OWNER, "[Modify Owner]"}, + + {SEC_ADS_CREATE_CHILD, "[Create All Child Objects]"}, + + {SEC_STD_DELETE, "[Delete]"}, + {SEC_ADS_DELETE_TREE, "[Delete Subtree]"}, + {SEC_ADS_DELETE_CHILD, "[Delete All Child Objects]"}, + + {SEC_ADS_CONTROL_ACCESS, "[Change Password]"}, + {SEC_ADS_CONTROL_ACCESS, "[Reset Password]"}, + + {0, 0} +}; + +/* convert a security permissions into a string */ +static void ads_disp_perms(uint32_t type) +{ + int i = 0; + int j = 0; + + printf("Permissions: "); + + if (type == SEC_RIGHTS_FULL_CTRL) { + printf("%s\n", perms[j].str); + return; + } + + for (i = 0; i < 32; i++) { + if (type & ((uint32_t)1 << i)) { + for (j = 1; perms[j].str; j ++) { + if (perms[j].mask == (((unsigned) 1) << i)) { + printf("\n\t%s (0x%08x)", perms[j].str, perms[j].mask); + } + } + type &= ~(1 << i); + } + } + + /* remaining bits get added on as-is */ + if (type != 0) { + printf("[%08x]", type); + } + puts(""); +} + +static const char *ads_interprete_guid_from_object(ADS_STRUCT *ads, + TALLOC_CTX *mem_ctx, + const struct GUID *guid) +{ + const char *ret = NULL; + + if (!ads || !mem_ctx) { + return NULL; + } + + ret = ads_get_attrname_by_guid(ads, ads->config.schema_path, + mem_ctx, guid); + if (ret) { + return talloc_asprintf(mem_ctx, "LDAP attribute: \"%s\"", ret); + } + + ret = ads_get_extended_right_name_by_guid(ads, ads->config.config_path, + mem_ctx, guid); + + if (ret) { + return talloc_asprintf(mem_ctx, "Extended right: \"%s\"", ret); + } + + return ret; +} + +static void ads_disp_sec_ace_object(ADS_STRUCT *ads, + TALLOC_CTX *mem_ctx, + struct security_ace_object *object) +{ + if (object->flags & SEC_ACE_OBJECT_TYPE_PRESENT) { + printf("Object type: SEC_ACE_OBJECT_TYPE_PRESENT\n"); + printf("Object GUID: %s (%s)\n", GUID_string(mem_ctx, + &object->type.type), + ads_interprete_guid_from_object(ads, mem_ctx, + &object->type.type)); + } + if (object->flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT) { + printf("Object type: SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT\n"); + printf("Object GUID: %s (%s)\n", GUID_string(mem_ctx, + &object->inherited_type.inherited_type), + ads_interprete_guid_from_object(ads, mem_ctx, + &object->inherited_type.inherited_type)); + } +} + +/* display ACE */ +static void ads_disp_ace(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct security_ace *sec_ace) +{ + const char *access_type = "UNKNOWN"; + struct dom_sid_buf sidbuf; + + if (!sec_ace_object(sec_ace->type)) { + printf("------- ACE (type: 0x%02x, flags: 0x%02x, size: 0x%02x, mask: 0x%x)\n", + sec_ace->type, + sec_ace->flags, + sec_ace->size, + sec_ace->access_mask); + } else { + printf("------- ACE (type: 0x%02x, flags: 0x%02x, size: 0x%02x, mask: 0x%x, object flags: 0x%x)\n", + sec_ace->type, + sec_ace->flags, + sec_ace->size, + sec_ace->access_mask, + sec_ace->object.object.flags); + } + + if (sec_ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED) { + access_type = "ALLOWED"; + } else if (sec_ace->type == SEC_ACE_TYPE_ACCESS_DENIED) { + access_type = "DENIED"; + } else if (sec_ace->type == SEC_ACE_TYPE_SYSTEM_AUDIT) { + access_type = "SYSTEM AUDIT"; + } else if (sec_ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT) { + access_type = "ALLOWED OBJECT"; + } else if (sec_ace->type == SEC_ACE_TYPE_ACCESS_DENIED_OBJECT) { + access_type = "DENIED OBJECT"; + } else if (sec_ace->type == SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT) { + access_type = "AUDIT OBJECT"; + } + + printf("access SID: %s\naccess type: %s\n", + dom_sid_str_buf(&sec_ace->trustee, &sidbuf), + access_type); + + if (sec_ace_object(sec_ace->type)) { + ads_disp_sec_ace_object(ads, mem_ctx, &sec_ace->object.object); + } + + ads_disp_perms(sec_ace->access_mask); +} + +/* display ACL */ +static void ads_disp_acl(struct security_acl *sec_acl, const char *type) +{ + if (!sec_acl) + printf("------- (%s) ACL not present\n", type); + else { + printf("------- (%s) ACL (revision: %d, size: %d, number of ACEs: %d)\n", + type, + sec_acl->revision, + sec_acl->size, + sec_acl->num_aces); + } +} + +/* display SD */ +void ads_disp_sd(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct security_descriptor *sd) +{ + uint32_t i; + char *tmp_path = NULL; + struct dom_sid_buf buf; + + if (!sd) { + return; + } + + if (ads && !ads->config.schema_path) { + if (ADS_ERR_OK(ads_schema_path(ads, mem_ctx, &tmp_path))) { + ads->config.schema_path = talloc_strdup(ads, tmp_path); + if (ads->config.schema_path == NULL) { + DBG_WARNING("Out of memory\n"); + } + } + } + + if (ads && !ads->config.config_path) { + if (ADS_ERR_OK(ads_config_path(ads, mem_ctx, &tmp_path))) { + ads->config.config_path = talloc_strdup(ads, tmp_path); + if (ads->config.config_path == NULL) { + DBG_WARNING("Out of memory\n"); + } + } + } + + printf("-------------- Security Descriptor (revision: %d, type: 0x%02x)\n", + sd->revision, + sd->type); + + printf("owner SID: %s\n", sd->owner_sid ? + dom_sid_str_buf(sd->owner_sid, &buf) : "(null)"); + printf("group SID: %s\n", sd->group_sid ? + dom_sid_str_buf(sd->group_sid, &buf) : "(null)"); + + ads_disp_acl(sd->sacl, "system"); + if (sd->sacl) { + for (i = 0; i < sd->sacl->num_aces; i ++) { + ads_disp_ace(ads, mem_ctx, &sd->sacl->aces[i]); + } + } + + ads_disp_acl(sd->dacl, "user"); + if (sd->dacl) { + for (i = 0; i < sd->dacl->num_aces; i ++) { + ads_disp_ace(ads, mem_ctx, &sd->dacl->aces[i]); + } + } + + printf("-------------- End Of Security Descriptor\n"); +} + +#endif diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c new file mode 100644 index 0000000..f76c566 --- /dev/null +++ b/source3/libads/kerberos.c @@ -0,0 +1,908 @@ +/* + Unix SMB/CIFS implementation. + kerberos utility library + Copyright (C) Andrew Tridgell 2001 + Copyright (C) Remus Koos 2001 + Copyright (C) Nalin Dahyabhai <nalin@redhat.com> 2004. + Copyright (C) Jeremy Allison 2004. + Copyright (C) Gerald Carter 2006. + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "includes.h" +#include "libsmb/namequery.h" +#include "system/filesys.h" +#include "smb_krb5.h" +#include "../librpc/gen_ndr/ndr_misc.h" +#include "libads/kerberos_proto.h" +#include "libads/cldap.h" +#include "secrets.h" +#include "../lib/tsocket/tsocket.h" +#include "lib/util/asn1.h" + +#ifdef HAVE_KRB5 + +#define LIBADS_CCACHE_NAME "MEMORY:libads" + +/* + we use a prompter to avoid a crash bug in the kerberos libs when + dealing with empty passwords + this prompter is just a string copy ... +*/ +static krb5_error_code +kerb_prompter(krb5_context ctx, void *data, + const char *name, + const char *banner, + int num_prompts, + krb5_prompt prompts[]) +{ + if (num_prompts == 0) return 0; + if (num_prompts == 2) { + /* + * only heimdal has a prompt type and we need to deal with it here to + * avoid loops. + * + * removing the prompter completely is not an option as at least these + * versions would crash: heimdal-1.0.2 and heimdal-1.1. Later heimdal + * version have looping detection and return with a proper error code. + */ + +#if defined(HAVE_KRB5_PROMPT_TYPE) /* Heimdal */ + if (prompts[0].type == KRB5_PROMPT_TYPE_NEW_PASSWORD && + prompts[1].type == KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN) { + /* + * We don't want to change passwords here. We're + * called from heimdal when the KDC returns + * KRB5KDC_ERR_KEY_EXPIRED, but at this point we don't + * have the chance to ask the user for a new + * password. If we return 0 (i.e. success), we will be + * spinning in the endless for-loop in + * change_password() in + * third_party/heimdal/lib/krb5/init_creds_pw.c + */ + return KRB5KDC_ERR_KEY_EXPIRED; + } +#elif defined(HAVE_KRB5_GET_PROMPT_TYPES) /* MIT */ + krb5_prompt_type *prompt_types = NULL; + + prompt_types = krb5_get_prompt_types(ctx); + if (prompt_types != NULL) { + if (prompt_types[0] == KRB5_PROMPT_TYPE_NEW_PASSWORD && + prompt_types[1] == KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN) { + return KRB5KDC_ERR_KEY_EXP; + } + } +#endif + } + + memset(prompts[0].reply->data, '\0', prompts[0].reply->length); + if (prompts[0].reply->length > 0) { + if (data) { + strncpy((char *)prompts[0].reply->data, (const char *)data, + prompts[0].reply->length-1); + prompts[0].reply->length = strlen((const char *)prompts[0].reply->data); + } else { + prompts[0].reply->length = 0; + } + } + return 0; +} + +/* + simulate a kinit, putting the tgt in the given cache location. If cache_name == NULL + place in default cache location. + remus@snapserver.com +*/ +int kerberos_kinit_password_ext(const char *given_principal, + const char *password, + int time_offset, + time_t *expire_time, + time_t *renew_till_time, + const char *cache_name, + bool request_pac, + bool add_netbios_addr, + time_t renewable_time, + TALLOC_CTX *mem_ctx, + char **_canon_principal, + char **_canon_realm, + NTSTATUS *ntstatus) +{ + TALLOC_CTX *frame = talloc_stackframe(); + krb5_context ctx = NULL; + krb5_error_code code = 0; + krb5_ccache cc = NULL; + krb5_principal me = NULL; + krb5_principal canon_princ = NULL; + krb5_creds my_creds; + krb5_get_init_creds_opt *opt = NULL; + smb_krb5_addresses *addr = NULL; + char *canon_principal = NULL; + char *canon_realm = NULL; + + ZERO_STRUCT(my_creds); + + code = smb_krb5_init_context_common(&ctx); + if (code != 0) { + DBG_ERR("kerberos init context failed (%s)\n", + error_message(code)); + TALLOC_FREE(frame); + return code; + } + + if (time_offset != 0) { + krb5_set_real_time(ctx, time(NULL) + time_offset, 0); + } + + DBG_DEBUG("as %s using [%s] as ccache and config [%s]\n", + given_principal, + cache_name ? cache_name: krb5_cc_default_name(ctx), + getenv("KRB5_CONFIG")); + + if ((code = krb5_cc_resolve(ctx, cache_name ? cache_name : krb5_cc_default_name(ctx), &cc))) { + goto out; + } + + if ((code = smb_krb5_parse_name(ctx, given_principal, &me))) { + goto out; + } + + if ((code = krb5_get_init_creds_opt_alloc(ctx, &opt))) { + goto out; + } + + krb5_get_init_creds_opt_set_renew_life(opt, renewable_time); + krb5_get_init_creds_opt_set_forwardable(opt, True); + + /* Turn on canonicalization for lower case realm support */ +#ifdef SAMBA4_USES_HEIMDAL + krb5_get_init_creds_opt_set_win2k(ctx, opt, true); + krb5_get_init_creds_opt_set_canonicalize(ctx, opt, true); +#else /* MIT */ + krb5_get_init_creds_opt_set_canonicalize(opt, true); +#endif /* MIT */ +#if 0 + /* insane testing */ + krb5_get_init_creds_opt_set_tkt_life(opt, 60); +#endif + +#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_PAC_REQUEST + if (request_pac) { + if ((code = krb5_get_init_creds_opt_set_pac_request(ctx, opt, (krb5_boolean)request_pac))) { + goto out; + } + } +#endif + if (add_netbios_addr) { + if ((code = smb_krb5_gen_netbios_krb5_address(&addr, + lp_netbios_name()))) { + goto out; + } + krb5_get_init_creds_opt_set_address_list(opt, addr->addrs); + } + + if ((code = krb5_get_init_creds_password(ctx, &my_creds, me, discard_const_p(char,password), + kerb_prompter, discard_const_p(char, password), + 0, NULL, opt))) { + goto out; + } + + canon_princ = my_creds.client; + + code = smb_krb5_unparse_name(frame, + ctx, + canon_princ, + &canon_principal); + if (code != 0) { + goto out; + } + + DBG_DEBUG("%s mapped to %s\n", given_principal, canon_principal); + + canon_realm = smb_krb5_principal_get_realm(frame, ctx, canon_princ); + if (canon_realm == NULL) { + code = ENOMEM; + goto out; + } + + if ((code = krb5_cc_initialize(ctx, cc, canon_princ))) { + goto out; + } + + if ((code = krb5_cc_store_cred(ctx, cc, &my_creds))) { + goto out; + } + + if (expire_time) { + *expire_time = (time_t) my_creds.times.endtime; + } + + if (renew_till_time) { + *renew_till_time = (time_t) my_creds.times.renew_till; + } + + if (_canon_principal != NULL) { + *_canon_principal = talloc_move(mem_ctx, &canon_principal); + } + if (_canon_realm != NULL) { + *_canon_realm = talloc_move(mem_ctx, &canon_realm); + } + out: + if (ntstatus) { + /* fast path */ + if (code == 0) { + *ntstatus = NT_STATUS_OK; + goto cleanup; + } + + /* fall back to self-made-mapping */ + *ntstatus = krb5_to_nt_status(code); + } + + cleanup: + krb5_free_cred_contents(ctx, &my_creds); + if (me) { + krb5_free_principal(ctx, me); + } + if (addr) { + smb_krb5_free_addresses(ctx, addr); + } + if (opt) { + krb5_get_init_creds_opt_free(ctx, opt); + } + if (cc) { + krb5_cc_close(ctx, cc); + } + if (ctx) { + krb5_free_context(ctx); + } + TALLOC_FREE(frame); + return code; +} + +int ads_kdestroy(const char *cc_name) +{ + krb5_error_code code; + krb5_context ctx = NULL; + krb5_ccache cc = NULL; + + code = smb_krb5_init_context_common(&ctx); + if (code != 0) { + DBG_ERR("kerberos init context failed (%s)\n", + error_message(code)); + return code; + } + + if (!cc_name) { + if ((code = krb5_cc_default(ctx, &cc))) { + krb5_free_context(ctx); + return code; + } + } else { + if ((code = krb5_cc_resolve(ctx, cc_name, &cc))) { + DEBUG(3, ("ads_kdestroy: krb5_cc_resolve failed: %s\n", + error_message(code))); + krb5_free_context(ctx); + return code; + } + } + + if ((code = krb5_cc_destroy (ctx, cc))) { + DEBUG(3, ("ads_kdestroy: krb5_cc_destroy failed: %s\n", + error_message(code))); + } + + krb5_free_context (ctx); + return code; +} + +int create_kerberos_key_from_string(krb5_context context, + krb5_principal host_princ, + krb5_principal salt_princ, + krb5_data *password, + krb5_keyblock *key, + krb5_enctype enctype, + bool no_salt) +{ + int ret; + /* + * Check if we've determined that the KDC is salting keys for this + * principal/enctype in a non-obvious way. If it is, try to match + * its behavior. + */ + if (no_salt) { + KRB5_KEY_DATA(key) = (KRB5_KEY_DATA_CAST *)SMB_MALLOC(password->length); + if (!KRB5_KEY_DATA(key)) { + return ENOMEM; + } + memcpy(KRB5_KEY_DATA(key), password->data, password->length); + KRB5_KEY_LENGTH(key) = password->length; + KRB5_KEY_TYPE(key) = enctype; + return 0; + } + ret = smb_krb5_create_key_from_string(context, + salt_princ ? salt_princ : host_princ, + NULL, + password, + enctype, + key); + return ret; +} + +/************************************************************************ +************************************************************************/ + +int kerberos_kinit_password(const char *principal, + const char *password, + int time_offset, + const char *cache_name) +{ + return kerberos_kinit_password_ext(principal, + password, + time_offset, + 0, + 0, + cache_name, + False, + False, + 0, + NULL, + NULL, + NULL, + NULL); +} + +/************************************************************************ +************************************************************************/ + +/************************************************************************ + Create a string list of available kdc's, possibly searching by sitename. + Does DNS queries. + + If "sitename" is given, the DC's in that site are listed first. + +************************************************************************/ + +static void add_sockaddr_unique(struct sockaddr_storage *addrs, size_t *num_addrs, + const struct sockaddr_storage *addr) +{ + size_t i; + + for (i=0; i<*num_addrs; i++) { + if (sockaddr_equal((const struct sockaddr *)&addrs[i], + (const struct sockaddr *)addr)) { + return; + } + } + addrs[i] = *addr; + *num_addrs += 1; +} + +/* print_canonical_sockaddr prints an ipv6 addr in the form of +* [ipv6.addr]. This string, when put in a generated krb5.conf file is not +* always properly dealt with by some older krb5 libraries. Adding the hard-coded +* portnumber workarounds the issue. - gd */ + +static char *print_canonical_sockaddr_with_port(TALLOC_CTX *mem_ctx, + const struct sockaddr_storage *pss) +{ + char *str = NULL; + + str = print_canonical_sockaddr(mem_ctx, pss); + if (str == NULL) { + return NULL; + } + + if (pss->ss_family != AF_INET6) { + return str; + } + +#if defined(HAVE_IPV6) + str = talloc_asprintf_append(str, ":88"); +#endif + return str; +} + +static char *get_kdc_ip_string(char *mem_ctx, + const char *realm, + const char *sitename, + const struct sockaddr_storage *pss) +{ + TALLOC_CTX *frame = talloc_stackframe(); + size_t i; + struct samba_sockaddr *ip_sa_site = NULL; + struct samba_sockaddr *ip_sa_nonsite = NULL; + struct samba_sockaddr sa = {0}; + size_t count_site = 0; + size_t count_nonsite; + size_t num_dcs; + struct sockaddr_storage *dc_addrs = NULL; + struct tsocket_address **dc_addrs2 = NULL; + const struct tsocket_address * const *dc_addrs3 = NULL; + char *result = NULL; + struct netlogon_samlogon_response **responses = NULL; + NTSTATUS status; + bool ok; + char *kdc_str = NULL; + char *canon_sockaddr = NULL; + + SMB_ASSERT(pss != NULL); + + canon_sockaddr = print_canonical_sockaddr_with_port(frame, pss); + if (canon_sockaddr == NULL) { + goto out; + } + + kdc_str = talloc_asprintf(frame, + "\t\tkdc = %s\n", + canon_sockaddr); + if (kdc_str == NULL) { + goto out; + } + + ok = sockaddr_storage_to_samba_sockaddr(&sa, pss); + if (!ok) { + goto out; + } + + /* + * First get the KDC's only in this site, the rest will be + * appended later + */ + + if (sitename) { + status = get_kdc_list(frame, + realm, + sitename, + &ip_sa_site, + &count_site); + if (!NT_STATUS_IS_OK(status)) { + DBG_ERR("get_kdc_list fail %s\n", + nt_errstr(status)); + goto out; + } + DBG_DEBUG("got %zu addresses from site %s search\n", + count_site, + sitename); + } + + /* Get all KDC's. */ + + status = get_kdc_list(frame, + realm, + NULL, + &ip_sa_nonsite, + &count_nonsite); + if (!NT_STATUS_IS_OK(status)) { + DBG_ERR("get_kdc_list (site-less) fail %s\n", + nt_errstr(status)); + goto out; + } + DBG_DEBUG("got %zu addresses from site-less search\n", count_nonsite); + + if (count_site + count_nonsite < count_site) { + /* Wrap check. */ + DBG_ERR("get_kdc_list_talloc (site-less) fail wrap error\n"); + goto out; + } + + + dc_addrs = talloc_array(talloc_tos(), struct sockaddr_storage, + count_site + count_nonsite); + if (dc_addrs == NULL) { + goto out; + } + + num_dcs = 0; + + for (i = 0; i < count_site; i++) { + if (!sockaddr_equal(&sa.u.sa, &ip_sa_site[i].u.sa)) { + add_sockaddr_unique(dc_addrs, &num_dcs, + &ip_sa_site[i].u.ss); + } + } + + for (i = 0; i < count_nonsite; i++) { + if (!sockaddr_equal(&sa.u.sa, &ip_sa_nonsite[i].u.sa)) { + add_sockaddr_unique(dc_addrs, &num_dcs, + &ip_sa_nonsite[i].u.ss); + } + } + + DBG_DEBUG("%zu additional KDCs to test\n", num_dcs); + if (num_dcs == 0) { + /* + * We do not have additional KDCs, but we have the one passed + * in via `pss`. So just use that one and leave. + */ + result = talloc_move(mem_ctx, &kdc_str); + goto out; + } + + dc_addrs2 = talloc_zero_array(talloc_tos(), + struct tsocket_address *, + num_dcs); + if (dc_addrs2 == NULL) { + goto out; + } + + for (i=0; i<num_dcs; i++) { + char addr[INET6_ADDRSTRLEN]; + int ret; + + print_sockaddr(addr, sizeof(addr), &dc_addrs[i]); + + ret = tsocket_address_inet_from_strings(dc_addrs2, "ip", + addr, LDAP_PORT, + &dc_addrs2[i]); + if (ret != 0) { + status = map_nt_error_from_unix(errno); + DEBUG(2,("Failed to create tsocket_address for %s - %s\n", + addr, nt_errstr(status))); + goto out; + } + } + + dc_addrs3 = (const struct tsocket_address * const *)dc_addrs2; + + status = cldap_multi_netlogon(talloc_tos(), + dc_addrs3, num_dcs, + realm, lp_netbios_name(), + NETLOGON_NT_VERSION_5 | NETLOGON_NT_VERSION_5EX, + MIN(num_dcs, 3), timeval_current_ofs(3, 0), &responses); + TALLOC_FREE(dc_addrs2); + dc_addrs3 = NULL; + + if (!NT_STATUS_IS_OK(status)) { + DEBUG(10,("get_kdc_ip_string: cldap_multi_netlogon failed: " + "%s\n", nt_errstr(status))); + goto out; + } + + for (i=0; i<num_dcs; i++) { + char *new_kdc_str; + + if (responses[i] == NULL) { + continue; + } + + /* Append to the string - inefficient but not done often. */ + new_kdc_str = talloc_asprintf_append( + kdc_str, + "\t\tkdc = %s\n", + print_canonical_sockaddr_with_port( + mem_ctx, &dc_addrs[i])); + if (new_kdc_str == NULL) { + goto out; + } + kdc_str = new_kdc_str; + } + + result = talloc_move(mem_ctx, &kdc_str); +out: + if (result != NULL) { + DBG_DEBUG("Returning\n%s\n", result); + } else { + DBG_NOTICE("Failed to get KDC ip address\n"); + } + + TALLOC_FREE(frame); + return result; +} + +/************************************************************************ + Create a specific krb5.conf file in the private directory pointing + at a specific kdc for a realm. Keyed off domain name. Sets + KRB5_CONFIG environment variable to point to this file. Must be + run as root or will fail (which is a good thing :-). +************************************************************************/ + +#if !defined(SAMBA4_USES_HEIMDAL) /* MIT version */ +static char *get_enctypes(TALLOC_CTX *mem_ctx) +{ + char *aes_enctypes = NULL; + const char *legacy_enctypes = ""; + char *enctypes = NULL; + + aes_enctypes = talloc_strdup(mem_ctx, ""); + if (aes_enctypes == NULL) { + goto done; + } + + if (lp_kerberos_encryption_types() == KERBEROS_ETYPES_ALL || + lp_kerberos_encryption_types() == KERBEROS_ETYPES_STRONG) { + aes_enctypes = talloc_asprintf_append( + aes_enctypes, "%s", "aes256-cts-hmac-sha1-96 "); + if (aes_enctypes == NULL) { + goto done; + } + aes_enctypes = talloc_asprintf_append( + aes_enctypes, "%s", "aes128-cts-hmac-sha1-96"); + if (aes_enctypes == NULL) { + goto done; + } + } + + if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_ALLOWED && + (lp_kerberos_encryption_types() == KERBEROS_ETYPES_ALL || + lp_kerberos_encryption_types() == KERBEROS_ETYPES_LEGACY)) { + legacy_enctypes = "RC4-HMAC"; + } + + enctypes = + talloc_asprintf(mem_ctx, "\tdefault_tgs_enctypes = %s %s\n" + "\tdefault_tkt_enctypes = %s %s\n" + "\tpreferred_enctypes = %s %s\n", + aes_enctypes, legacy_enctypes, aes_enctypes, + legacy_enctypes, aes_enctypes, legacy_enctypes); +done: + TALLOC_FREE(aes_enctypes); + return enctypes; +} +#else /* Heimdal version */ +static char *get_enctypes(TALLOC_CTX *mem_ctx) +{ + const char *aes_enctypes = ""; + const char *legacy_enctypes = ""; + char *enctypes = NULL; + + if (lp_kerberos_encryption_types() == KERBEROS_ETYPES_ALL || + lp_kerberos_encryption_types() == KERBEROS_ETYPES_STRONG) { + aes_enctypes = + "aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96"; + } + + if (lp_kerberos_encryption_types() == KERBEROS_ETYPES_ALL || + lp_kerberos_encryption_types() == KERBEROS_ETYPES_LEGACY) { + legacy_enctypes = "arcfour-hmac-md5"; + } + + enctypes = talloc_asprintf(mem_ctx, "\tdefault_etypes = %s %s\n", + aes_enctypes, legacy_enctypes); + + return enctypes; +} +#endif + +bool create_local_private_krb5_conf_for_domain(const char *realm, + const char *domain, + const char *sitename, + const struct sockaddr_storage *pss) +{ + char *dname; + char *tmpname = NULL; + char *fname = NULL; + char *file_contents = NULL; + char *kdc_ip_string = NULL; + size_t flen = 0; + ssize_t ret; + int fd; + char *realm_upper = NULL; + bool result = false; + char *enctypes = NULL; + const char *include_system_krb5 = ""; + mode_t mask; + + if (!lp_create_krb5_conf()) { + return false; + } + + if (realm == NULL) { + DEBUG(0, ("No realm has been specified! Do you really want to " + "join an Active Directory server?\n")); + return false; + } + + if (domain == NULL || pss == NULL) { + return false; + } + + dname = lock_path(talloc_tos(), "smb_krb5"); + if (!dname) { + return false; + } + if ((mkdir(dname, 0755)==-1) && (errno != EEXIST)) { + DEBUG(0,("create_local_private_krb5_conf_for_domain: " + "failed to create directory %s. Error was %s\n", + dname, strerror(errno) )); + goto done; + } + + tmpname = lock_path(talloc_tos(), "smb_tmp_krb5.XXXXXX"); + if (!tmpname) { + goto done; + } + + fname = talloc_asprintf(dname, "%s/krb5.conf.%s", dname, domain); + if (!fname) { + goto done; + } + + DEBUG(10,("create_local_private_krb5_conf_for_domain: fname = %s, realm = %s, domain = %s\n", + fname, realm, domain )); + + realm_upper = talloc_strdup(fname, realm); + if (!strupper_m(realm_upper)) { + goto done; + } + + kdc_ip_string = get_kdc_ip_string(dname, realm, sitename, pss); + if (!kdc_ip_string) { + goto done; + } + + enctypes = get_enctypes(fname); + if (enctypes == NULL) { + goto done; + } + +#if !defined(SAMBA4_USES_HEIMDAL) + if (lp_include_system_krb5_conf()) { + include_system_krb5 = "include /etc/krb5.conf"; + } +#endif + + /* + * We are setting 'dns_lookup_kdc' to true, because we want to lookup + * KDCs which are not configured via DNS SRV records, eg. if we do: + * + * net ads join -Uadmin@otherdomain + */ + file_contents = + talloc_asprintf(fname, + "[libdefaults]\n" + "\tdefault_realm = %s\n" + "%s" + "\tdns_lookup_realm = false\n" + "\tdns_lookup_kdc = true\n\n" + "[realms]\n\t%s = {\n" + "%s\t}\n" + "\t%s = {\n" + "%s\t}\n" + "%s\n", + realm_upper, + enctypes, + realm_upper, + kdc_ip_string, + domain, + kdc_ip_string, + include_system_krb5); + + if (!file_contents) { + goto done; + } + + flen = strlen(file_contents); + + mask = umask(S_IRWXO | S_IRWXG); + fd = mkstemp(tmpname); + umask(mask); + if (fd == -1) { + DBG_ERR("mkstemp failed, for file %s. Errno %s\n", + tmpname, + strerror(errno)); + goto done; + } + + if (fchmod(fd, 0644)==-1) { + DEBUG(0,("create_local_private_krb5_conf_for_domain: fchmod failed for %s." + " Errno %s\n", + tmpname, strerror(errno) )); + unlink(tmpname); + close(fd); + goto done; + } + + ret = write(fd, file_contents, flen); + if (flen != ret) { + DEBUG(0,("create_local_private_krb5_conf_for_domain: write failed," + " returned %d (should be %u). Errno %s\n", + (int)ret, (unsigned int)flen, strerror(errno) )); + unlink(tmpname); + close(fd); + goto done; + } + if (close(fd)==-1) { + DEBUG(0,("create_local_private_krb5_conf_for_domain: close failed." + " Errno %s\n", strerror(errno) )); + unlink(tmpname); + goto done; + } + + if (rename(tmpname, fname) == -1) { + DEBUG(0,("create_local_private_krb5_conf_for_domain: rename " + "of %s to %s failed. Errno %s\n", + tmpname, fname, strerror(errno) )); + unlink(tmpname); + goto done; + } + + DBG_INFO("wrote file %s with realm %s KDC list:\n%s\n", + fname, realm_upper, kdc_ip_string); + + /* Set the environment variable to this file. */ + setenv("KRB5_CONFIG", fname, 1); + + result = true; + +#if defined(OVERWRITE_SYSTEM_KRB5_CONF) + +#define SYSTEM_KRB5_CONF_PATH "/etc/krb5.conf" + /* Insanity, sheer insanity..... */ + + if (strequal(realm, lp_realm())) { + SMB_STRUCT_STAT sbuf; + + if (sys_lstat(SYSTEM_KRB5_CONF_PATH, &sbuf, false) == 0) { + if (S_ISLNK(sbuf.st_ex_mode) && sbuf.st_ex_size) { + int lret; + size_t alloc_size = sbuf.st_ex_size + 1; + char *linkpath = talloc_array(talloc_tos(), char, + alloc_size); + if (!linkpath) { + goto done; + } + lret = readlink(SYSTEM_KRB5_CONF_PATH, linkpath, + alloc_size - 1); + if (lret == -1) { + TALLOC_FREE(linkpath); + goto done; + } + linkpath[lret] = '\0'; + + if (strcmp(linkpath, fname) == 0) { + /* Symlink already exists. */ + TALLOC_FREE(linkpath); + goto done; + } + TALLOC_FREE(linkpath); + } + } + + /* Try and replace with a symlink. */ + if (symlink(fname, SYSTEM_KRB5_CONF_PATH) == -1) { + const char *newpath = SYSTEM_KRB5_CONF_PATH ".saved"; + if (errno != EEXIST) { + DEBUG(0,("create_local_private_krb5_conf_for_domain: symlink " + "of %s to %s failed. Errno %s\n", + fname, SYSTEM_KRB5_CONF_PATH, strerror(errno) )); + goto done; /* Not a fatal error. */ + } + + /* Yes, this is a race condition... too bad. */ + if (rename(SYSTEM_KRB5_CONF_PATH, newpath) == -1) { + DEBUG(0,("create_local_private_krb5_conf_for_domain: rename " + "of %s to %s failed. Errno %s\n", + SYSTEM_KRB5_CONF_PATH, newpath, + strerror(errno) )); + goto done; /* Not a fatal error. */ + } + + if (symlink(fname, SYSTEM_KRB5_CONF_PATH) == -1) { + DEBUG(0,("create_local_private_krb5_conf_for_domain: " + "forced symlink of %s to /etc/krb5.conf failed. Errno %s\n", + fname, strerror(errno) )); + goto done; /* Not a fatal error. */ + } + } + } +#endif + +done: + TALLOC_FREE(tmpname); + TALLOC_FREE(dname); + + return result; +} +#endif diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c new file mode 100644 index 0000000..466211a --- /dev/null +++ b/source3/libads/kerberos_keytab.c @@ -0,0 +1,1026 @@ +/* + Unix SMB/CIFS implementation. + kerberos keytab utility library + Copyright (C) Andrew Tridgell 2001 + Copyright (C) Remus Koos 2001 + Copyright (C) Luke Howard 2003 + Copyright (C) Jim McDonough (jmcd@us.ibm.com) 2003 + Copyright (C) Guenther Deschner 2003 + Copyright (C) Rakesh Patel 2004 + Copyright (C) Dan Perry 2004 + Copyright (C) Jeremy Allison 2004 + Copyright (C) Gerald Carter 2006 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "includes.h" +#include "smb_krb5.h" +#include "ads.h" +#include "secrets.h" + +#ifdef HAVE_KRB5 + +#ifdef HAVE_ADS + +/* This MAX_NAME_LEN is a constant defined in krb5.h */ +#ifndef MAX_KEYTAB_NAME_LEN +#define MAX_KEYTAB_NAME_LEN 1100 +#endif + +static krb5_error_code ads_keytab_open(krb5_context context, + krb5_keytab *keytab) +{ + char keytab_str[MAX_KEYTAB_NAME_LEN] = {0}; + const char *keytab_name = NULL; + krb5_error_code ret = 0; + + switch (lp_kerberos_method()) { + case KERBEROS_VERIFY_SYSTEM_KEYTAB: + case KERBEROS_VERIFY_SECRETS_AND_KEYTAB: + ret = krb5_kt_default_name(context, + keytab_str, + sizeof(keytab_str) - 2); + if (ret != 0) { + DBG_WARNING("Failed to get default keytab name\n"); + goto out; + } + keytab_name = keytab_str; + break; + case KERBEROS_VERIFY_DEDICATED_KEYTAB: + keytab_name = lp_dedicated_keytab_file(); + break; + default: + DBG_ERR("Invalid kerberos method set (%d)\n", + lp_kerberos_method()); + ret = KRB5_KT_BADNAME; + goto out; + } + + if (keytab_name == NULL || keytab_name[0] == '\0') { + DBG_ERR("Invalid keytab name\n"); + ret = KRB5_KT_BADNAME; + goto out; + } + + ret = smb_krb5_kt_open(context, keytab_name, true, keytab); + if (ret != 0) { + DBG_WARNING("smb_krb5_kt_open failed (%s)\n", + error_message(ret)); + goto out; + } + +out: + return ret; +} + +static bool fill_default_spns(TALLOC_CTX *ctx, const char *machine_name, + const char *my_fqdn, const char *spn, + const char ***spns) +{ + char *psp1, *psp2; + + if (*spns == NULL) { + *spns = talloc_zero_array(ctx, const char*, 3); + if (*spns == NULL) { + return false; + } + } + + psp1 = talloc_asprintf(ctx, + "%s/%s", + spn, + machine_name); + if (psp1 == NULL) { + return false; + } + + if (!strlower_m(&psp1[strlen(spn) + 1])) { + return false; + } + (*spns)[0] = psp1; + + psp2 = talloc_asprintf(ctx, + "%s/%s", + spn, + my_fqdn); + if (psp2 == NULL) { + return false; + } + + if (!strlower_m(&psp2[strlen(spn) + 1])) { + return false; + } + + (*spns)[1] = psp2; + + return true; +} + +static bool ads_set_machine_account_spns(TALLOC_CTX *ctx, + ADS_STRUCT *ads, + const char *service_or_spn, + const char *my_fqdn) +{ + const char **spn_names = NULL; + ADS_STATUS aderr; + struct spn_struct* spn_struct = NULL; + char *tmp = NULL; + + /* SPN should have '/' */ + tmp = strchr_m(service_or_spn, '/'); + if (tmp != NULL) { + spn_struct = parse_spn(ctx, service_or_spn); + if (spn_struct == NULL) { + return false; + } + } + + DBG_INFO("Attempting to add/update '%s'\n", service_or_spn); + + if (spn_struct != NULL) { + spn_names = talloc_zero_array(ctx, const char*, 2); + spn_names[0] = service_or_spn; + } else { + bool ok; + + ok = fill_default_spns(ctx, + lp_netbios_name(), + my_fqdn, + service_or_spn, + &spn_names); + if (!ok) { + return false; + } + } + aderr = ads_add_service_principal_names(ads, + lp_netbios_name(), + spn_names); + if (!ADS_ERR_OK(aderr)) { + DBG_WARNING("Failed to add service principal name.\n"); + return false; + } + + return true; +} + +/* + * Create kerberos principal(s) from SPN or service name. + */ +static bool service_or_spn_to_kerberos_princ(TALLOC_CTX *ctx, + const char *service_or_spn, + const char *my_fqdn, + char **p_princ_s, + char **p_short_princ_s) +{ + char *princ_s = NULL; + char *short_princ_s = NULL; + const char *service = service_or_spn; + const char *host = my_fqdn; + struct spn_struct* spn_struct = NULL; + char *tmp = NULL; + bool ok = true; + + /* SPN should have '/' */ + tmp = strchr_m(service_or_spn, '/'); + if (tmp != NULL) { + spn_struct = parse_spn(ctx, service_or_spn); + if (spn_struct == NULL) { + ok = false; + goto out; + } + } + if (spn_struct != NULL) { + service = spn_struct->serviceclass; + host = spn_struct->host; + } + princ_s = talloc_asprintf(ctx, "%s/%s@%s", + service, + host, lp_realm()); + if (princ_s == NULL) { + ok = false; + goto out; + } + + if (spn_struct == NULL) { + short_princ_s = talloc_asprintf(ctx, "%s/%s@%s", + service, lp_netbios_name(), + lp_realm()); + if (short_princ_s == NULL) { + ok = false; + goto out; + } + } + *p_princ_s = princ_s; + *p_short_princ_s = short_princ_s; +out: + return ok; +} + +static int add_kt_entry_etypes(krb5_context context, TALLOC_CTX *tmpctx, + ADS_STRUCT *ads, const char *salt_princ_s, + krb5_keytab keytab, krb5_kvno kvno, + const char *srvPrinc, const char *my_fqdn, + krb5_data *password, bool update_ads) +{ + krb5_error_code ret = 0; + char *princ_s = NULL; + char *short_princ_s = NULL; + krb5_enctype enctypes[4] = { + ENCTYPE_AES256_CTS_HMAC_SHA1_96, + ENCTYPE_AES128_CTS_HMAC_SHA1_96, + ENCTYPE_ARCFOUR_HMAC, + 0 + }; + size_t i; + + /* Construct our principal */ + if (strchr_m(srvPrinc, '@')) { + /* It's a fully-named principal. */ + princ_s = talloc_asprintf(tmpctx, "%s", srvPrinc); + if (!princ_s) { + ret = -1; + goto out; + } + } else if (srvPrinc[strlen(srvPrinc)-1] == '$') { + /* It's the machine account, as used by smbclient clients. */ + princ_s = talloc_asprintf(tmpctx, "%s@%s", + srvPrinc, lp_realm()); + if (!princ_s) { + ret = -1; + goto out; + } + } else { + /* It's a normal service principal. Add the SPN now so that we + * can obtain credentials for it and double-check the salt value + * used to generate the service's keys. */ + + if (!service_or_spn_to_kerberos_princ(tmpctx, + srvPrinc, + my_fqdn, + &princ_s, + &short_princ_s)) { + ret = -1; + goto out; + } + + /* According to http://support.microsoft.com/kb/326985/en-us, + certain principal names are automatically mapped to the + host/... principal in the AD account. + So only create these in the keytab, not in AD. --jerry */ + + if (update_ads && !strequal(srvPrinc, "cifs") && + !strequal(srvPrinc, "host")) { + if (!ads_set_machine_account_spns(tmpctx, + ads, + srvPrinc, + my_fqdn)) { + ret = -1; + goto out; + } + } + } + + for (i = 0; enctypes[i]; i++) { + + /* add the fqdn principal to the keytab */ + ret = smb_krb5_kt_add_entry(context, + keytab, + kvno, + princ_s, + salt_princ_s, + enctypes[i], + password, + false); /* no_salt */ + if (ret) { + DBG_WARNING("Failed to add entry to keytab\n"); + goto out; + } + + /* add the short principal name if we have one */ + if (short_princ_s) { + ret = smb_krb5_kt_add_entry(context, + keytab, + kvno, + short_princ_s, + salt_princ_s, + enctypes[i], + password, + false); /* no_salt */ + if (ret) { + DBG_WARNING("Failed to add short entry to keytab\n"); + goto out; + } + } + } +out: + return ret; +} + +/********************************************************************** + Adds a single service principal, i.e. 'host' to the system keytab +***********************************************************************/ + +int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads) +{ + krb5_error_code ret = 0; + krb5_context context = NULL; + krb5_keytab keytab = NULL; + krb5_data password; + krb5_kvno kvno; + char *salt_princ_s = NULL; + char *password_s = NULL; + char *my_fqdn; + TALLOC_CTX *tmpctx = NULL; + char **hostnames_array = NULL; + size_t num_hostnames = 0; + + ret = smb_krb5_init_context_common(&context); + if (ret) { + DBG_ERR("kerberos init context failed (%s)\n", + error_message(ret)); + return -1; + } + + ret = ads_keytab_open(context, &keytab); + if (ret != 0) { + goto out; + } + + /* retrieve the password */ + if (!secrets_init()) { + DBG_WARNING("secrets_init failed\n"); + ret = -1; + goto out; + } + password_s = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL); + if (!password_s) { + DBG_WARNING("failed to fetch machine password\n"); + ret = -1; + goto out; + } + ZERO_STRUCT(password); + password.data = password_s; + password.length = strlen(password_s); + + /* we need the dNSHostName value here */ + tmpctx = talloc_init(__location__); + if (!tmpctx) { + DBG_ERR("talloc_init() failed!\n"); + ret = -1; + goto out; + } + + my_fqdn = ads_get_dnshostname(ads, tmpctx, lp_netbios_name()); + if (!my_fqdn) { + DBG_ERR("unable to determine machine account's dns name in " + "AD!\n"); + ret = -1; + goto out; + } + + /* make sure we have a single instance of the computer account */ + if (!ads_has_samaccountname(ads, tmpctx, lp_netbios_name())) { + DBG_ERR("unable to determine machine account's short name in " + "AD!\n"); + ret = -1; + goto out; + } + + kvno = (krb5_kvno)ads_get_machine_kvno(ads, lp_netbios_name()); + if (kvno == -1) { + /* -1 indicates failure, everything else is OK */ + DBG_WARNING("ads_get_machine_kvno failed to determine the " + "system's kvno.\n"); + ret = -1; + goto out; + } + + salt_princ_s = kerberos_secrets_fetch_salt_princ(); + if (salt_princ_s == NULL) { + DBG_WARNING("kerberos_secrets_fetch_salt_princ() failed\n"); + ret = -1; + goto out; + } + + ret = add_kt_entry_etypes(context, tmpctx, ads, salt_princ_s, keytab, + kvno, srvPrinc, my_fqdn, &password, + update_ads); + if (ret != 0) { + goto out; + } + + if (ADS_ERR_OK(ads_get_additional_dns_hostnames(tmpctx, ads, + lp_netbios_name(), + &hostnames_array, + &num_hostnames))) { + size_t i; + + for (i = 0; i < num_hostnames; i++) { + + ret = add_kt_entry_etypes(context, tmpctx, ads, + salt_princ_s, keytab, + kvno, srvPrinc, + hostnames_array[i], + &password, update_ads); + if (ret != 0) { + goto out; + } + } + } + +out: + SAFE_FREE(salt_princ_s); + TALLOC_FREE(tmpctx); + + if (keytab) { + krb5_kt_close(context, keytab); + } + if (context) { + krb5_free_context(context); + } + return (int)ret; +} + +/********************************************************************** + Delete a single service principal, i.e. 'host' from the system keytab +***********************************************************************/ + +int ads_keytab_delete_entry(ADS_STRUCT *ads, const char *srvPrinc) +{ + TALLOC_CTX *frame = talloc_stackframe(); + krb5_error_code ret = 0; + krb5_context context = NULL; + krb5_keytab keytab = NULL; + char *princ_s = NULL; + krb5_principal princ = NULL; + char *short_princ_s = NULL; + krb5_principal short_princ = NULL; + bool ok; + + ret = smb_krb5_init_context_common(&context); + if (ret) { + DBG_ERR("kerberos init context failed (%s)\n", + error_message(ret)); + goto out; + } + + ret = ads_keytab_open(context, &keytab); + if (ret != 0) { + goto out; + } + + /* Construct our principal */ + if (strchr_m(srvPrinc, '@')) { + /* It's a fully-named principal. */ + princ_s = talloc_asprintf(frame, "%s", srvPrinc); + if (!princ_s) { + ret = -1; + goto out; + } + } else if (srvPrinc[strlen(srvPrinc)-1] == '$') { + /* It's the machine account, as used by smbclient clients. */ + princ_s = talloc_asprintf(frame, "%s@%s", + srvPrinc, lp_realm()); + if (!princ_s) { + ret = -1; + goto out; + } + } else { + /* + * It's a normal service principal. + */ + char *my_fqdn = NULL; + char *tmp = NULL; + + /* + * SPN should have '/' otherwise we + * need to fallback and find our dnshostname + */ + tmp = strchr_m(srvPrinc, '/'); + if (tmp == NULL) { + my_fqdn = ads_get_dnshostname(ads, frame, lp_netbios_name()); + if (!my_fqdn) { + DBG_ERR("unable to determine machine account's dns name in " + "AD!\n"); + ret = -1; + goto out; + } + } + + ok = service_or_spn_to_kerberos_princ(frame, + srvPrinc, + my_fqdn, + &princ_s, + &short_princ_s); + if (!ok) { + ret = -1; + goto out; + } + } + + ret = smb_krb5_parse_name(context, princ_s, &princ); + if (ret) { + DEBUG(1, (__location__ ": smb_krb5_parse_name(%s) " + "failed (%s)\n", princ_s, error_message(ret))); + goto out; + } + + if (short_princ_s != NULL) { + ret = smb_krb5_parse_name(context, short_princ_s, &short_princ); + if (ret) { + DEBUG(1, (__location__ ": smb_krb5_parse_name(%s) " + "failed (%s)\n", short_princ_s, error_message(ret))); + goto out; + } + } + + /* Seek and delete old keytab entries */ + ret = smb_krb5_kt_seek_and_delete_old_entries(context, + keytab, + false, /* keep_old_kvno */ + -1, + false, /* enctype_only */ + ENCTYPE_NULL, + princ_s, + princ, + false); /* flush */ + if (ret) { + goto out; + } + + if (short_princ_s == NULL) { + goto out; + } + + /* Seek and delete old keytab entries */ + ret = smb_krb5_kt_seek_and_delete_old_entries(context, + keytab, + false, /* keep_old_kvno */ + -1, + false, /* enctype_only */ + ENCTYPE_NULL, + short_princ_s, + short_princ, + false); /* flush */ + if (ret) { + goto out; + } + +out: + if (princ) { + krb5_free_principal(context, princ); + } + if (short_princ) { + krb5_free_principal(context, short_princ); + } + if (keytab) { + krb5_kt_close(context, keytab); + } + if (context) { + krb5_free_context(context); + } + TALLOC_FREE(frame); + return ret; +} + +/********************************************************************** + Flushes all entries from the system keytab. +***********************************************************************/ + +int ads_keytab_flush(ADS_STRUCT *ads) +{ + krb5_error_code ret = 0; + krb5_context context = NULL; + krb5_keytab keytab = NULL; + ADS_STATUS aderr; + + ret = smb_krb5_init_context_common(&context); + if (ret) { + DBG_ERR("kerberos init context failed (%s)\n", + error_message(ret)); + return ret; + } + + ret = ads_keytab_open(context, &keytab); + if (ret != 0) { + goto out; + } + + /* Seek and delete all old keytab entries */ + ret = smb_krb5_kt_seek_and_delete_old_entries(context, + keytab, + false, /* keep_old_kvno */ + -1, + false, /* enctype_only */ + ENCTYPE_NULL, + NULL, + NULL, + true); /* flush */ + if (ret) { + goto out; + } + + aderr = ads_clear_service_principal_names(ads, lp_netbios_name()); + if (!ADS_ERR_OK(aderr)) { + DEBUG(1, (__location__ ": Error while clearing service " + "principal listings in LDAP.\n")); + ret = -1; + goto out; + } + +out: + if (keytab) { + krb5_kt_close(context, keytab); + } + if (context) { + krb5_free_context(context); + } + return ret; +} + +/********************************************************************** + Adds all the required service principals to the system keytab. +***********************************************************************/ + +int ads_keytab_create_default(ADS_STRUCT *ads) +{ + krb5_error_code ret = 0; + krb5_context context = NULL; + krb5_keytab keytab = NULL; + krb5_kt_cursor cursor = {0}; + krb5_keytab_entry kt_entry = {0}; + krb5_kvno kvno; + size_t found = 0; + char *sam_account_name, *upn; + char **oldEntries = NULL, *princ_s[26]; + TALLOC_CTX *frame; + char *machine_name; + char **spn_array; + size_t num_spns; + size_t i; + bool ok = false; + ADS_STATUS status; + + ZERO_STRUCT(kt_entry); + ZERO_STRUCT(cursor); + + frame = talloc_stackframe(); + if (frame == NULL) { + ret = -1; + goto done; + } + + status = ads_get_service_principal_names(frame, + ads, + lp_netbios_name(), + &spn_array, + &num_spns); + if (!ADS_ERR_OK(status)) { + ret = -1; + goto done; + } + + for (i = 0; i < num_spns; i++) { + char *srv_princ; + char *p; + + srv_princ = strlower_talloc(frame, spn_array[i]); + if (srv_princ == NULL) { + ret = -1; + goto done; + } + + p = strchr_m(srv_princ, '/'); + if (p == NULL) { + continue; + } + p[0] = '\0'; + + /* Add the SPNs found on the DC */ + ret = ads_keytab_add_entry(ads, srv_princ, false); + if (ret != 0) { + DEBUG(1, ("ads_keytab_add_entry failed while " + "adding '%s' principal.\n", + spn_array[i])); + goto done; + } + } + +#if 0 /* don't create the CIFS/... keytab entries since no one except smbd + really needs them and we will fall back to verifying against + secrets.tdb */ + + ret = ads_keytab_add_entry(ads, "cifs", false)); + if (ret != 0 ) { + DEBUG(1, (__location__ ": ads_keytab_add_entry failed while " + "adding 'cifs'.\n")); + return ret; + } +#endif + + memset(princ_s, '\0', sizeof(princ_s)); + + ret = smb_krb5_init_context_common(&context); + if (ret) { + DBG_ERR("kerberos init context failed (%s)\n", + error_message(ret)); + goto done; + } + + machine_name = talloc_strdup(frame, lp_netbios_name()); + if (!machine_name) { + ret = -1; + goto done; + } + + /* now add the userPrincipalName and sAMAccountName entries */ + ok = ads_has_samaccountname(ads, frame, machine_name); + if (!ok) { + DEBUG(0, (__location__ ": unable to determine machine " + "account's name in AD!\n")); + ret = -1; + goto done; + } + + /* + * append '$' to netbios name so 'ads_keytab_add_entry' recognises + * it as a machine account rather than a service or Windows SPN. + */ + sam_account_name = talloc_asprintf(frame, "%s$",machine_name); + if (sam_account_name == NULL) { + ret = -1; + goto done; + } + /* upper case the sAMAccountName to make it easier for apps to + know what case to use in the keytab file */ + if (!strupper_m(sam_account_name)) { + ret = -1; + goto done; + } + + ret = ads_keytab_add_entry(ads, sam_account_name, false); + if (ret != 0) { + DEBUG(1, (__location__ ": ads_keytab_add_entry() failed " + "while adding sAMAccountName (%s)\n", + sam_account_name)); + goto done; + } + + /* remember that not every machine account will have a upn */ + upn = ads_get_upn(ads, frame, machine_name); + if (upn) { + ret = ads_keytab_add_entry(ads, upn, false); + if (ret != 0) { + DEBUG(1, (__location__ ": ads_keytab_add_entry() " + "failed while adding UPN (%s)\n", upn)); + goto done; + } + } + + /* Now loop through the keytab and update any other existing entries */ + kvno = (krb5_kvno)ads_get_machine_kvno(ads, machine_name); + if (kvno == (krb5_kvno)-1) { + DEBUG(1, (__location__ ": ads_get_machine_kvno() failed to " + "determine the system's kvno.\n")); + goto done; + } + + DEBUG(3, (__location__ ": Searching for keytab entries to preserve " + "and update.\n")); + + ret = ads_keytab_open(context, &keytab); + if (ret != 0) { + goto done; + } + + ret = krb5_kt_start_seq_get(context, keytab, &cursor); + if (ret != KRB5_KT_END && ret != ENOENT ) { + while ((ret = krb5_kt_next_entry(context, keytab, + &kt_entry, &cursor)) == 0) { + smb_krb5_kt_free_entry(context, &kt_entry); + ZERO_STRUCT(kt_entry); + found++; + } + } + krb5_kt_end_seq_get(context, keytab, &cursor); + ZERO_STRUCT(cursor); + + /* + * Hmmm. There is no "rewind" function for the keytab. This means we + * have a race condition where someone else could add entries after + * we've counted them. Re-open asap to minimise the race. JRA. + */ + DEBUG(3, (__location__ ": Found %zd entries in the keytab.\n", found)); + if (!found) { + goto done; + } + + oldEntries = talloc_zero_array(frame, char *, found + 1); + if (!oldEntries) { + DEBUG(1, (__location__ ": Failed to allocate space to store " + "the old keytab entries (talloc failed?).\n")); + ret = -1; + goto done; + } + + ret = krb5_kt_start_seq_get(context, keytab, &cursor); + if (ret == KRB5_KT_END || ret == ENOENT) { + krb5_kt_end_seq_get(context, keytab, &cursor); + ZERO_STRUCT(cursor); + goto done; + } + + while (krb5_kt_next_entry(context, keytab, &kt_entry, &cursor) == 0) { + if (kt_entry.vno != kvno) { + char *ktprinc = NULL; + char *p; + + /* This returns a malloc'ed string in ktprinc. */ + ret = smb_krb5_unparse_name(oldEntries, context, + kt_entry.principal, + &ktprinc); + if (ret) { + DEBUG(1, (__location__ + ": smb_krb5_unparse_name failed " + "(%s)\n", error_message(ret))); + goto done; + } + /* + * From looking at the krb5 source they don't seem to + * take locale or mb strings into account. + * Maybe this is because they assume utf8 ? + * In this case we may need to convert from utf8 to + * mb charset here ? JRA. + */ + p = strchr_m(ktprinc, '@'); + if (p) { + *p = '\0'; + } + + p = strchr_m(ktprinc, '/'); + if (p) { + *p = '\0'; + } + for (i = 0; i < found; i++) { + if (!oldEntries[i]) { + oldEntries[i] = ktprinc; + break; + } + if (!strcmp(oldEntries[i], ktprinc)) { + TALLOC_FREE(ktprinc); + break; + } + } + if (i == found) { + TALLOC_FREE(ktprinc); + } + } + smb_krb5_kt_free_entry(context, &kt_entry); + ZERO_STRUCT(kt_entry); + } + krb5_kt_end_seq_get(context, keytab, &cursor); + ZERO_STRUCT(cursor); + + ret = 0; + for (i = 0; oldEntries[i]; i++) { + ret |= ads_keytab_add_entry(ads, oldEntries[i], false); + TALLOC_FREE(oldEntries[i]); + } + +done: + TALLOC_FREE(oldEntries); + TALLOC_FREE(frame); + + if (context) { + if (!all_zero((uint8_t *)&kt_entry, sizeof(kt_entry))) { + smb_krb5_kt_free_entry(context, &kt_entry); + } + if (!all_zero((uint8_t *)&cursor, sizeof(cursor)) && keytab) { + krb5_kt_end_seq_get(context, keytab, &cursor); + } + if (keytab) { + krb5_kt_close(context, keytab); + } + krb5_free_context(context); + } + return ret; +} + +#endif /* HAVE_ADS */ + +/********************************************************************** + List system keytab. +***********************************************************************/ + +int ads_keytab_list(const char *keytab_name) +{ + krb5_error_code ret = 0; + krb5_context context = NULL; + krb5_keytab keytab = NULL; + krb5_kt_cursor cursor; + krb5_keytab_entry kt_entry; + + ZERO_STRUCT(kt_entry); + ZERO_STRUCT(cursor); + + ret = smb_krb5_init_context_common(&context); + if (ret) { + DBG_ERR("kerberos init context failed (%s)\n", + error_message(ret)); + return ret; + } + + if (keytab_name == NULL) { +#ifdef HAVE_ADS + ret = ads_keytab_open(context, &keytab); +#else + ret = ENOENT; +#endif + } else { + ret = smb_krb5_kt_open(context, keytab_name, False, &keytab); + } + if (ret) { + DEBUG(1, ("smb_krb5_kt_open failed (%s)\n", + error_message(ret))); + goto out; + } + + ret = krb5_kt_start_seq_get(context, keytab, &cursor); + if (ret) { + ZERO_STRUCT(cursor); + goto out; + } + + printf("Vno Type Principal\n"); + + while (krb5_kt_next_entry(context, keytab, &kt_entry, &cursor) == 0) { + + char *princ_s = NULL; + char *etype_s = NULL; + krb5_enctype enctype = 0; + + ret = smb_krb5_unparse_name(talloc_tos(), context, + kt_entry.principal, &princ_s); + if (ret) { + goto out; + } + + enctype = smb_krb5_kt_get_enctype_from_entry(&kt_entry); + + ret = smb_krb5_enctype_to_string(context, enctype, &etype_s); + if (ret && + (asprintf(&etype_s, "UNKNOWN: %d", enctype) == -1)) { + TALLOC_FREE(princ_s); + goto out; + } + + printf("%3d %-43s %s\n", kt_entry.vno, etype_s, princ_s); + + TALLOC_FREE(princ_s); + SAFE_FREE(etype_s); + + ret = smb_krb5_kt_free_entry(context, &kt_entry); + if (ret) { + goto out; + } + } + + ret = krb5_kt_end_seq_get(context, keytab, &cursor); + if (ret) { + goto out; + } + + /* Ensure we don't double free. */ + ZERO_STRUCT(kt_entry); + ZERO_STRUCT(cursor); +out: + + if (!all_zero((uint8_t *)&kt_entry, sizeof(kt_entry))) { + smb_krb5_kt_free_entry(context, &kt_entry); + } + if (!all_zero((uint8_t *)&cursor, sizeof(cursor)) && keytab) { + krb5_kt_end_seq_get(context, keytab, &cursor); + } + + if (keytab) { + krb5_kt_close(context, keytab); + } + if (context) { + krb5_free_context(context); + } + return ret; +} + +#endif /* HAVE_KRB5 */ diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h new file mode 100644 index 0000000..8073812 --- /dev/null +++ b/source3/libads/kerberos_proto.h @@ -0,0 +1,104 @@ +/* + * Unix SMB/CIFS implementation. + * kerberos utility library + * + * Copyright (C) Andrew Tridgell 2001 + * Copyright (C) Remus Koos (remuskoos@yahoo.com) 2001 + * Copyright (C) Luke Howard 2002-2003 + * Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003 + * Copyright (C) Guenther Deschner 2003-2008 + * Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005 + * Copyright (C) Jeremy Allison 2004,2007 + * Copyright (C) Stefan Metzmacher 2004-2005 + * Copyright (C) Nalin Dahyabhai <nalin@redhat.com> 2004 + * Copyright (C) Gerald Carter 2006 + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + */ + +#ifndef _LIBADS_KERBEROS_PROTO_H_ +#define _LIBADS_KERBEROS_PROTO_H_ + +#include "system/kerberos.h" + +struct PAC_DATA_CTR; + +#define DEFAULT_KRB5_PORT 88 + +#include "libads/ads_status.h" + +/* The following definitions come from libads/kerberos.c */ + +int kerberos_kinit_password_ext(const char *given_principal, + const char *password, + int time_offset, + time_t *expire_time, + time_t *renew_till_time, + const char *cache_name, + bool request_pac, + bool add_netbios_addr, + time_t renewable_time, + TALLOC_CTX *mem_ctx, + char **_canon_principal, + char **_canon_realm, + NTSTATUS *ntstatus); +int ads_kdestroy(const char *cc_name); + +int kerberos_kinit_password(const char *principal, + const char *password, + int time_offset, + const char *cache_name); +bool create_local_private_krb5_conf_for_domain(const char *realm, + const char *domain, + const char *sitename, + const struct sockaddr_storage *pss); + +/* The following definitions come from libads/authdata.c */ + +NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, + const char *name, + const char *pass, + time_t time_offset, + time_t *expire_time, + time_t *renew_till_time, + const char *cache_name, + bool request_pac, + bool add_netbios_addr, + time_t renewable_time, + const char *impersonate_princ_s, + const char *local_service, + char **_canon_principal, + char **_canon_realm, + struct PAC_DATA_CTR **pac_data_ctr); + +/* The following definitions come from libads/krb5_setpw.c */ + +ADS_STATUS ads_krb5_set_password(const char *kdc_host, const char *princ, + const char *newpw, int time_offset); +ADS_STATUS kerberos_set_password(const char *kpasswd_server, + const char *auth_principal, const char *auth_password, + const char *target_principal, const char *new_password, + int time_offset); + +#ifdef HAVE_KRB5 +int create_kerberos_key_from_string(krb5_context context, + krb5_principal host_princ, + krb5_principal salt_princ, + krb5_data *password, + krb5_keyblock *key, + krb5_enctype enctype, + bool no_salt); +#endif + +#endif /* _LIBADS_KERBEROS_PROTO_H_ */ diff --git a/source3/libads/kerberos_util.c b/source3/libads/kerberos_util.c new file mode 100644 index 0000000..bfe5382 --- /dev/null +++ b/source3/libads/kerberos_util.c @@ -0,0 +1,80 @@ +/* + Unix SMB/CIFS implementation. + krb5 set password implementation + Copyright (C) Andrew Tridgell 2001 + Copyright (C) Remus Koos 2001 (remuskoos@yahoo.com) + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "includes.h" +#include "smb_krb5.h" +#include "ads.h" +#include "lib/param/loadparm.h" + +#ifdef HAVE_KRB5 + +/* run kinit to setup our ccache */ +int ads_kinit_password(ADS_STRUCT *ads) +{ + char *s; + int ret; + const char *account_name; + fstring acct_name; + + if (ads->auth.password == NULL || ads->auth.password[0] == '\0') { + return KRB5_LIBOS_CANTREADPWD; + } + + if (ads->auth.flags & ADS_AUTH_USER_CREDS) { + account_name = ads->auth.user_name; + goto got_accountname; + } + + if ( IS_DC ) { + /* this will end up getting a ticket for DOMAIN@RUSTED.REA.LM */ + account_name = lp_workgroup(); + } else { + /* always use the sAMAccountName for security = domain */ + /* lp_netbios_name()$@REA.LM */ + if ( lp_security() == SEC_DOMAIN ) { + fstr_sprintf( acct_name, "%s$", lp_netbios_name() ); + account_name = acct_name; + } + else + /* This looks like host/lp_netbios_name()@REA.LM */ + account_name = ads->auth.user_name; + } + + got_accountname: + if (asprintf(&s, "%s@%s", account_name, ads->auth.realm) == -1) { + return KRB5_CC_NOMEM; + } + + ret = kerberos_kinit_password_ext(s, ads->auth.password, + ads->auth.time_offset, + &ads->auth.tgt_expire, NULL, + ads->auth.ccache_name, false, false, + ads->auth.renewable, + NULL, NULL, NULL, NULL); + + if (ret) { + DEBUG(0,("kerberos_kinit_password %s failed: %s\n", + s, error_message(ret))); + } + SAFE_FREE(s); + return ret; +} + +#endif diff --git a/source3/libads/krb5_setpw.c b/source3/libads/krb5_setpw.c new file mode 100644 index 0000000..dda8857 --- /dev/null +++ b/source3/libads/krb5_setpw.c @@ -0,0 +1,329 @@ +/* + Unix SMB/CIFS implementation. + krb5 set password implementation + Copyright (C) Andrew Tridgell 2001 + Copyright (C) Remus Koos 2001 (remuskoos@yahoo.com) + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "includes.h" +#include "smb_krb5.h" +#include "libads/kerberos_proto.h" +#include "../lib/util/asn1.h" + +#ifdef HAVE_KRB5 + +/* Those are defined by kerberos-set-passwd-02.txt and are probably + * not supported by M$ implementation */ +#define KRB5_KPASSWD_POLICY_REJECT 8 +#define KRB5_KPASSWD_BAD_PRINCIPAL 9 +#define KRB5_KPASSWD_ETYPE_NOSUPP 10 + +/* + * we've got to be able to distinguish KRB_ERRORs from other + * requests - valid response for CHPW v2 replies. + */ + +static krb5_error_code kpasswd_err_to_krb5_err(krb5_error_code res_code) +{ + switch (res_code) { + case KRB5_KPASSWD_ACCESSDENIED: + return KRB5KDC_ERR_BADOPTION; + case KRB5_KPASSWD_INITIAL_FLAG_NEEDED: + return KRB5KDC_ERR_BADOPTION; + /* return KV5M_ALT_METHOD; MIT-only define */ + case KRB5_KPASSWD_ETYPE_NOSUPP: + return KRB5KDC_ERR_ETYPE_NOSUPP; + case KRB5_KPASSWD_BAD_PRINCIPAL: + return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; + case KRB5_KPASSWD_POLICY_REJECT: + case KRB5_KPASSWD_SOFTERROR: + return KRB5KDC_ERR_POLICY; + default: + return KRB5KRB_ERR_GENERIC; + } +} + +ADS_STATUS ads_krb5_set_password(const char *kdc_host, const char *principal, + const char *newpw, int time_offset) +{ + + ADS_STATUS aret; + krb5_error_code ret = 0; + krb5_context context = NULL; + krb5_principal princ = NULL; + krb5_ccache ccache = NULL; + int result_code; + krb5_data result_code_string = { 0 }; + krb5_data result_string = { 0 }; + + ret = smb_krb5_init_context_common(&context); + if (ret) { + DBG_ERR("kerberos init context failed (%s)\n", + error_message(ret)); + return ADS_ERROR_KRB5(ret); + } + + if (principal) { + ret = smb_krb5_parse_name(context, principal, &princ); + if (ret) { + krb5_free_context(context); + DEBUG(1, ("Failed to parse %s (%s)\n", principal, + error_message(ret))); + return ADS_ERROR_KRB5(ret); + } + } + + if (time_offset != 0) { + krb5_set_real_time(context, time(NULL) + time_offset, 0); + } + + ret = krb5_cc_default(context, &ccache); + if (ret) { + krb5_free_principal(context, princ); + krb5_free_context(context); + DEBUG(1,("Failed to get default creds (%s)\n", error_message(ret))); + return ADS_ERROR_KRB5(ret); + } + + ret = krb5_set_password_using_ccache(context, + ccache, + discard_const_p(char, newpw), + princ, + &result_code, + &result_code_string, + &result_string); + if (ret) { + DEBUG(1, ("krb5_set_password failed (%s)\n", error_message(ret))); + aret = ADS_ERROR_KRB5(ret); + goto done; + } + + if (result_code != KRB5_KPASSWD_SUCCESS) { + ret = kpasswd_err_to_krb5_err(result_code); + DEBUG(1, ("krb5_set_password failed (%s)\n", error_message(ret))); + aret = ADS_ERROR_KRB5(ret); + goto done; + } + + aret = ADS_SUCCESS; + + done: + smb_krb5_free_data_contents(context, &result_code_string); + smb_krb5_free_data_contents(context, &result_string); + krb5_free_principal(context, princ); + krb5_cc_close(context, ccache); + krb5_free_context(context); + + return aret; +} + +/* + we use a prompter to avoid a crash bug in the kerberos libs when + dealing with empty passwords + this prompter is just a string copy ... +*/ +static krb5_error_code +kerb_prompter(krb5_context ctx, void *data, + const char *name, + const char *banner, + int num_prompts, + krb5_prompt prompts[]) +{ + if (num_prompts == 0) return 0; + + memset(prompts[0].reply->data, 0, prompts[0].reply->length); + if (prompts[0].reply->length > 0) { + if (data) { + strncpy((char *)prompts[0].reply->data, + (const char *)data, + prompts[0].reply->length-1); + prompts[0].reply->length = strlen((const char *)prompts[0].reply->data); + } else { + prompts[0].reply->length = 0; + } + } + return 0; +} + +static ADS_STATUS ads_krb5_chg_password(const char *kdc_host, + const char *principal, + const char *oldpw, + const char *newpw, + int time_offset) +{ + ADS_STATUS aret; + krb5_error_code ret; + krb5_context context = NULL; + krb5_principal princ; + krb5_get_init_creds_opt *opts = NULL; + krb5_creds creds; + char *chpw_princ = NULL, *password; + char *realm = NULL; + int result_code; + krb5_data result_code_string = { 0 }; + krb5_data result_string = { 0 }; + smb_krb5_addresses *addr = NULL; + + ret = smb_krb5_init_context_common(&context); + if (ret) { + DBG_ERR("kerberos init context failed (%s)\n", + error_message(ret)); + return ADS_ERROR_KRB5(ret); + } + + if ((ret = smb_krb5_parse_name(context, principal, &princ))) { + krb5_free_context(context); + DEBUG(1,("Failed to parse %s (%s)\n", principal, error_message(ret))); + return ADS_ERROR_KRB5(ret); + } + + ret = krb5_get_init_creds_opt_alloc(context, &opts); + if (ret != 0) { + krb5_free_context(context); + DBG_WARNING("krb5_get_init_creds_opt_alloc failed: %s\n", + error_message(ret)); + return ADS_ERROR_KRB5(ret); + } + + krb5_get_init_creds_opt_set_tkt_life(opts, 5 * 60); + krb5_get_init_creds_opt_set_renew_life(opts, 0); + krb5_get_init_creds_opt_set_forwardable(opts, 0); + krb5_get_init_creds_opt_set_proxiable(opts, 0); +#ifdef SAMBA4_USES_HEIMDAL + krb5_get_init_creds_opt_set_win2k(context, opts, true); + krb5_get_init_creds_opt_set_canonicalize(context, opts, true); +#else /* MIT */ +#if 0 + /* + * FIXME + * + * Due to an upstream MIT Kerberos bug, this feature is not + * not working. Affection versions (2019-10-09): <= 1.17 + * + * Reproducer: + * kinit -C aDmInIsTrAtOr@ACME.COM -S kadmin/changepw@ACME.COM + * + * This is NOT a problem if the service is a krbtgt. + * + * https://bugzilla.samba.org/show_bug.cgi?id=14155 + */ + krb5_get_init_creds_opt_set_canonicalize(opts, true); +#endif +#endif /* MIT */ + + /* note that heimdal will fill in the local addresses if the addresses + * in the creds_init_opt are all empty and then later fail with invalid + * address, sending our local netbios krb5 address - just like windows + * - avoids this - gd */ + ret = smb_krb5_gen_netbios_krb5_address(&addr, lp_netbios_name()); + if (ret) { + krb5_free_principal(context, princ); + krb5_get_init_creds_opt_free(context, opts); + krb5_free_context(context); + return ADS_ERROR_KRB5(ret); + } + krb5_get_init_creds_opt_set_address_list(opts, addr->addrs); + + realm = smb_krb5_principal_get_realm(NULL, context, princ); + + /* We have to obtain an INITIAL changepw ticket for changing password */ + if (asprintf(&chpw_princ, "kadmin/changepw@%s", realm) == -1) { + krb5_free_principal(context, princ); + krb5_get_init_creds_opt_free(context, opts); + smb_krb5_free_addresses(context, addr); + krb5_free_context(context); + TALLOC_FREE(realm); + DEBUG(1, ("ads_krb5_chg_password: asprintf fail\n")); + return ADS_ERROR_NT(NT_STATUS_NO_MEMORY); + } + + TALLOC_FREE(realm); + password = SMB_STRDUP(oldpw); + ret = krb5_get_init_creds_password(context, &creds, princ, password, + kerb_prompter, NULL, + 0, chpw_princ, opts); + krb5_get_init_creds_opt_free(context, opts); + smb_krb5_free_addresses(context, addr); + SAFE_FREE(chpw_princ); + SAFE_FREE(password); + + if (ret) { + if (ret == KRB5KRB_AP_ERR_BAD_INTEGRITY) { + DEBUG(1,("Password incorrect while getting initial ticket\n")); + } else { + DEBUG(1,("krb5_get_init_creds_password failed (%s)\n", error_message(ret))); + } + krb5_free_principal(context, princ); + krb5_free_context(context); + return ADS_ERROR_KRB5(ret); + } + + ret = krb5_set_password(context, + &creds, + discard_const_p(char, newpw), + NULL, + &result_code, + &result_code_string, + &result_string); + + if (ret) { + DEBUG(1, ("krb5_change_password failed (%s)\n", error_message(ret))); + aret = ADS_ERROR_KRB5(ret); + goto done; + } + + if (result_code != KRB5_KPASSWD_SUCCESS) { + ret = kpasswd_err_to_krb5_err(result_code); + DEBUG(1, ("krb5_change_password failed (%s)\n", error_message(ret))); + aret = ADS_ERROR_KRB5(ret); + goto done; + } + + aret = ADS_SUCCESS; + + done: + smb_krb5_free_data_contents(context, &result_code_string); + smb_krb5_free_data_contents(context, &result_string); + krb5_free_principal(context, princ); + krb5_free_context(context); + + return aret; +} + +ADS_STATUS kerberos_set_password(const char *kpasswd_server, + const char *auth_principal, + const char *auth_password, + const char *target_principal, + const char *new_password, int time_offset) +{ + int ret; + + if ((ret = kerberos_kinit_password(auth_principal, auth_password, time_offset, NULL))) { + DEBUG(1,("Failed kinit for principal %s (%s)\n", auth_principal, error_message(ret))); + return ADS_ERROR_KRB5(ret); + } + + if (!strcmp(auth_principal, target_principal)) { + return ads_krb5_chg_password(kpasswd_server, target_principal, + auth_password, new_password, + time_offset); + } else { + return ads_krb5_set_password(kpasswd_server, target_principal, + new_password, time_offset); + } +} + +#endif diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c new file mode 100644 index 0000000..b5139e5 --- /dev/null +++ b/source3/libads/ldap.c @@ -0,0 +1,4684 @@ +/* + Unix SMB/CIFS implementation. + ads (active directory) utility library + Copyright (C) Andrew Tridgell 2001 + Copyright (C) Remus Koos 2001 + Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002 + Copyright (C) Guenther Deschner 2005 + Copyright (C) Gerald Carter 2006 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "includes.h" +#include "ads.h" +#include "libads/sitename_cache.h" +#include "libads/cldap.h" +#include "../lib/tsocket/tsocket.h" +#include "../lib/addns/dnsquery.h" +#include "../libds/common/flags.h" +#include "smbldap.h" +#include "../libcli/security/security.h" +#include "../librpc/gen_ndr/netlogon.h" +#include "lib/param/loadparm.h" +#include "libsmb/namequery.h" +#include "../librpc/gen_ndr/ndr_ads.h" + +#ifdef HAVE_LDAP + +/** + * @file ldap.c + * @brief basic ldap client-side routines for ads server communications + * + * The routines contained here should do the necessary ldap calls for + * ads setups. + * + * Important note: attribute names passed into ads_ routines must + * already be in UTF-8 format. We do not convert them because in almost + * all cases, they are just ascii (which is represented with the same + * codepoints in UTF-8). This may have to change at some point + **/ + + +#define LDAP_SERVER_TREE_DELETE_OID "1.2.840.113556.1.4.805" + +static SIG_ATOMIC_T gotalarm; + +/*************************************************************** + Signal function to tell us we timed out. +****************************************************************/ + +static void gotalarm_sig(int signum) +{ + gotalarm = 1; +} + + LDAP *ldap_open_with_timeout(const char *server, + struct sockaddr_storage *ss, + int port, unsigned int to) +{ + LDAP *ldp = NULL; + int ldap_err; + char *uri; + + DEBUG(10, ("Opening connection to LDAP server '%s:%d', timeout " + "%u seconds\n", server, port, to)); + + if (to) { + /* Setup timeout */ + gotalarm = 0; + CatchSignal(SIGALRM, gotalarm_sig); + alarm(to); + /* End setup timeout. */ + } + + if ( strchr_m(server, ':') ) { + /* IPv6 URI */ + uri = talloc_asprintf(talloc_tos(), "ldap://[%s]:%u", server, port); + } else { + /* IPv4 URI */ + uri = talloc_asprintf(talloc_tos(), "ldap://%s:%u", server, port); + } + if (uri == NULL) { + return NULL; + } + +#ifdef HAVE_LDAP_INIT_FD + { + int fd = -1; + NTSTATUS status = NT_STATUS_UNSUCCESSFUL; + unsigned timeout_ms = 1000 * to; + + status = open_socket_out(ss, port, timeout_ms, &fd); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(3, ("open_socket_out: failed to open socket\n")); + return NULL; + } + +/* define LDAP_PROTO_TCP from openldap.h if required */ +#ifndef LDAP_PROTO_TCP +#define LDAP_PROTO_TCP 1 +#endif + ldap_err = ldap_init_fd(fd, LDAP_PROTO_TCP, uri, &ldp); + } +#elif defined(HAVE_LDAP_INITIALIZE) + ldap_err = ldap_initialize(&ldp, uri); +#else + ldp = ldap_open(server, port); + if (ldp != NULL) { + ldap_err = LDAP_SUCCESS; + } else { + ldap_err = LDAP_OTHER; + } +#endif + if (ldap_err != LDAP_SUCCESS) { + DEBUG(2,("Could not initialize connection for LDAP server '%s': %s\n", + uri, ldap_err2string(ldap_err))); + } else { + DEBUG(10, ("Initialized connection for LDAP server '%s'\n", uri)); + } + + if (to) { + /* Teardown timeout. */ + alarm(0); + CatchSignal(SIGALRM, SIG_IGN); + } + + return ldp; +} + +static int ldap_search_with_timeout(LDAP *ld, + LDAP_CONST char *base, + int scope, + LDAP_CONST char *filter, + char **attrs, + int attrsonly, + LDAPControl **sctrls, + LDAPControl **cctrls, + int sizelimit, + LDAPMessage **res ) +{ + int to = lp_ldap_timeout(); + struct timeval timeout; + struct timeval *timeout_ptr = NULL; + int result; + + /* Setup timeout for the ldap_search_ext_s call - local and remote. */ + gotalarm = 0; + + if (to) { + timeout.tv_sec = to; + timeout.tv_usec = 0; + timeout_ptr = &timeout; + + /* Setup alarm timeout. */ + CatchSignal(SIGALRM, gotalarm_sig); + /* Make the alarm time one second beyond + the timeout we're setting for the + remote search timeout, to allow that + to fire in preference. */ + alarm(to+1); + /* End setup timeout. */ + } + + + result = ldap_search_ext_s(ld, base, scope, filter, attrs, + attrsonly, sctrls, cctrls, timeout_ptr, + sizelimit, res); + + if (to) { + /* Teardown alarm timeout. */ + CatchSignal(SIGALRM, SIG_IGN); + alarm(0); + } + + if (gotalarm != 0) + return LDAP_TIMELIMIT_EXCEEDED; + + /* + * A bug in OpenLDAP means ldap_search_ext_s can return + * LDAP_SUCCESS but with a NULL res pointer. Cope with + * this. See bug #6279 for details. JRA. + */ + + if (*res == NULL) { + return LDAP_TIMELIMIT_EXCEEDED; + } + + return result; +} + +/********************************************** + Do client and server sitename match ? +**********************************************/ + +bool ads_sitename_match(ADS_STRUCT *ads) +{ + if (ads->config.server_site_name == NULL && + ads->config.client_site_name == NULL ) { + DEBUG(10,("ads_sitename_match: both null\n")); + return True; + } + if (ads->config.server_site_name && + ads->config.client_site_name && + strequal(ads->config.server_site_name, + ads->config.client_site_name)) { + DEBUG(10,("ads_sitename_match: name %s match\n", ads->config.server_site_name)); + return True; + } + DEBUG(10,("ads_sitename_match: no match between server: %s and client: %s\n", + ads->config.server_site_name ? ads->config.server_site_name : "NULL", + ads->config.client_site_name ? ads->config.client_site_name : "NULL")); + return False; +} + +/********************************************** + Is this the closest DC ? +**********************************************/ + +bool ads_closest_dc(ADS_STRUCT *ads) +{ + if (ads->config.flags & NBT_SERVER_CLOSEST) { + DEBUG(10,("ads_closest_dc: NBT_SERVER_CLOSEST flag set\n")); + return True; + } + + /* not sure if this can ever happen */ + if (ads_sitename_match(ads)) { + DEBUG(10,("ads_closest_dc: NBT_SERVER_CLOSEST flag not set but sites match\n")); + return True; + } + + if (ads->config.client_site_name == NULL) { + DEBUG(10,("ads_closest_dc: client belongs to no site\n")); + return True; + } + + DEBUG(10,("ads_closest_dc: %s is not the closest DC\n", + ads->config.ldap_server_name)); + + return False; +} + +static bool ads_fill_cldap_reply(ADS_STRUCT *ads, + bool gc, + const struct sockaddr_storage *ss, + const struct NETLOGON_SAM_LOGON_RESPONSE_EX *cldap_reply) +{ + TALLOC_CTX *frame = talloc_stackframe(); + bool ret = false; + char addr[INET6_ADDRSTRLEN]; + ADS_STATUS status; + char *dn; + + print_sockaddr(addr, sizeof(addr), ss); + + /* Check the CLDAP reply flags */ + + if (!(cldap_reply->server_type & NBT_SERVER_LDAP)) { + DBG_WARNING("%s's CLDAP reply says it is not an LDAP server!\n", + addr); + ret = false; + goto out; + } + + /* Fill in the ads->config values */ + + ADS_TALLOC_CONST_FREE(ads->config.realm); + ADS_TALLOC_CONST_FREE(ads->config.bind_path); + ADS_TALLOC_CONST_FREE(ads->config.ldap_server_name); + ADS_TALLOC_CONST_FREE(ads->config.server_site_name); + ADS_TALLOC_CONST_FREE(ads->config.client_site_name); + ADS_TALLOC_CONST_FREE(ads->server.workgroup); + + if (!check_cldap_reply_required_flags(cldap_reply->server_type, + ads->config.flags)) { + ret = false; + goto out; + } + + ads->config.ldap_server_name = talloc_strdup(ads, + cldap_reply->pdc_dns_name); + if (ads->config.ldap_server_name == NULL) { + DBG_WARNING("Out of memory\n"); + ret = false; + goto out; + } + + ads->config.realm = talloc_asprintf_strupper_m(ads, + "%s", + cldap_reply->dns_domain); + if (ads->config.realm == NULL) { + DBG_WARNING("Out of memory\n"); + ret = false; + goto out; + } + + status = ads_build_dn(ads->config.realm, ads, &dn); + if (!ADS_ERR_OK(status)) { + DBG_DEBUG("Failed to build bind path: %s\n", + ads_errstr(status)); + ret = false; + goto out; + } + ads->config.bind_path = dn; + + if (*cldap_reply->server_site) { + ads->config.server_site_name = + talloc_strdup(ads, cldap_reply->server_site); + if (ads->config.server_site_name == NULL) { + DBG_WARNING("Out of memory\n"); + ret = false; + goto out; + } + } + + if (*cldap_reply->client_site) { + ads->config.client_site_name = + talloc_strdup(ads, cldap_reply->client_site); + if (ads->config.client_site_name == NULL) { + DBG_WARNING("Out of memory\n"); + ret = false; + goto out; + } + } + + ads->server.workgroup = talloc_strdup(ads, cldap_reply->domain_name); + if (ads->server.workgroup == NULL) { + DBG_WARNING("Out of memory\n"); + ret = false; + goto out; + } + + ads->ldap.port = gc ? LDAP_GC_PORT : LDAP_PORT; + ads->ldap.ss = *ss; + + /* Store our site name. */ + sitename_store(cldap_reply->domain_name, cldap_reply->client_site); + sitename_store(cldap_reply->dns_domain, cldap_reply->client_site); + + /* Leave this until last so that the flags are not clobbered */ + ads->config.flags = cldap_reply->server_type; + + ret = true; + + out: + + TALLOC_FREE(frame); + return ret; +} + +/* + try a connection to a given ldap server, returning True and setting the servers IP + in the ads struct if successful + */ +static bool ads_try_connect(ADS_STRUCT *ads, bool gc, + struct sockaddr_storage *ss) +{ + struct NETLOGON_SAM_LOGON_RESPONSE_EX cldap_reply = {}; + TALLOC_CTX *frame = talloc_stackframe(); + bool ok; + char addr[INET6_ADDRSTRLEN] = { 0, }; + + if (ss == NULL) { + TALLOC_FREE(frame); + return false; + } + + print_sockaddr(addr, sizeof(addr), ss); + + DBG_INFO("ads_try_connect: sending CLDAP request to %s (realm: %s)\n", + addr, ads->server.realm); + + ok = ads_cldap_netlogon_5(frame, ss, ads->server.realm, &cldap_reply); + if (!ok) { + DBG_NOTICE("ads_cldap_netlogon_5(%s, %s) failed.\n", + addr, ads->server.realm); + TALLOC_FREE(frame); + return false; + } + + ok = ads_fill_cldap_reply(ads, gc, ss, &cldap_reply); + if (!ok) { + DBG_NOTICE("ads_fill_cldap_reply(%s, %s) failed.\n", + addr, ads->server.realm); + TALLOC_FREE(frame); + return false; + } + + TALLOC_FREE(frame); + return true; +} + +/********************************************************************** + send a cldap ping to list of servers, one at a time, until one of + them answers it's an ldap server. Record success in the ADS_STRUCT. + Take note of and update negative connection cache. +**********************************************************************/ + +static NTSTATUS cldap_ping_list(ADS_STRUCT *ads, + const char *domain, + struct samba_sockaddr *sa_list, + size_t count) +{ + TALLOC_CTX *frame = talloc_stackframe(); + struct timeval endtime = timeval_current_ofs(MAX(3,lp_ldap_timeout()/2), 0); + uint32_t nt_version = NETLOGON_NT_VERSION_5 | NETLOGON_NT_VERSION_5EX; + struct tsocket_address **ts_list = NULL; + const struct tsocket_address * const *ts_list_const = NULL; + struct samba_sockaddr **req_sa_list = NULL; + struct netlogon_samlogon_response **responses = NULL; + size_t num_requests = 0; + NTSTATUS status; + size_t i; + bool ok = false; + bool retry; + + ts_list = talloc_zero_array(frame, + struct tsocket_address *, + count); + if (ts_list == NULL) { + TALLOC_FREE(frame); + return NT_STATUS_NO_MEMORY; + } + + req_sa_list = talloc_zero_array(frame, + struct samba_sockaddr *, + count); + if (req_sa_list == NULL) { + TALLOC_FREE(frame); + return NT_STATUS_NO_MEMORY; + } + +again: + /* + * The retry loop is bound by the timeout + */ + retry = false; + num_requests = 0; + + for (i = 0; i < count; i++) { + char server[INET6_ADDRSTRLEN]; + int ret; + + if (is_zero_addr(&sa_list[i].u.ss)) { + continue; + } + + print_sockaddr(server, sizeof(server), &sa_list[i].u.ss); + + status = check_negative_conn_cache(domain, server); + if (!NT_STATUS_IS_OK(status)) { + continue; + } + + ret = tsocket_address_inet_from_strings(ts_list, "ip", + server, LDAP_PORT, + &ts_list[num_requests]); + if (ret != 0) { + status = map_nt_error_from_unix(errno); + DBG_WARNING("Failed to create tsocket_address for %s - %s\n", + server, nt_errstr(status)); + TALLOC_FREE(frame); + return status; + } + + req_sa_list[num_requests] = &sa_list[i]; + num_requests += 1; + } + + DBG_DEBUG("Try to create %zu netlogon connections for domain '%s' " + "(provided count of addresses was %zu).\n", + num_requests, + domain, + count); + + if (num_requests == 0) { + status = NT_STATUS_NO_LOGON_SERVERS; + DBG_WARNING("domain[%s] num_requests[%zu] for count[%zu] - %s\n", + domain, num_requests, count, nt_errstr(status)); + TALLOC_FREE(frame); + return status; + } + + ts_list_const = (const struct tsocket_address * const *)ts_list; + + status = cldap_multi_netlogon(frame, + ts_list_const, num_requests, + ads->server.realm, NULL, + nt_version, + 1, endtime, &responses); + if (!NT_STATUS_IS_OK(status)) { + DBG_WARNING("cldap_multi_netlogon(realm=%s, num_requests=%zu) " + "for count[%zu] - %s\n", + ads->server.realm, + num_requests, count, + nt_errstr(status)); + TALLOC_FREE(frame); + return NT_STATUS_NO_LOGON_SERVERS; + } + + for (i = 0; i < num_requests; i++) { + struct NETLOGON_SAM_LOGON_RESPONSE_EX *cldap_reply = NULL; + char server[INET6_ADDRSTRLEN]; + + if (responses[i] == NULL) { + continue; + } + + print_sockaddr(server, sizeof(server), &req_sa_list[i]->u.ss); + + if (responses[i]->ntver != NETLOGON_NT_VERSION_5EX) { + DBG_NOTICE("realm=[%s] nt_version mismatch: 0x%08x for %s\n", + ads->server.realm, + responses[i]->ntver, server); + continue; + } + + cldap_reply = &responses[i]->data.nt5_ex; + + /* Returns ok only if it matches the correct server type */ + ok = ads_fill_cldap_reply(ads, + false, + &req_sa_list[i]->u.ss, + cldap_reply); + if (ok) { + DBG_DEBUG("realm[%s]: selected %s => %s\n", + ads->server.realm, + server, cldap_reply->pdc_dns_name); + if (CHECK_DEBUGLVL(DBGLVL_DEBUG)) { + NDR_PRINT_DEBUG(NETLOGON_SAM_LOGON_RESPONSE_EX, + cldap_reply); + } + TALLOC_FREE(frame); + return NT_STATUS_OK; + } + + DBG_NOTICE("realm[%s] server %s %s - not usable\n", + ads->server.realm, + server, cldap_reply->pdc_dns_name); + if (CHECK_DEBUGLVL(DBGLVL_NOTICE)) { + NDR_PRINT_DEBUG(NETLOGON_SAM_LOGON_RESPONSE_EX, + cldap_reply); + } + add_failed_connection_entry(domain, server, + NT_STATUS_CLIENT_SERVER_PARAMETERS_INVALID); + retry = true; + } + + if (retry) { + bool expired; + + expired = timeval_expired(&endtime); + if (!expired) { + goto again; + } + } + + /* keep track of failures as all were not suitable */ + for (i = 0; i < num_requests; i++) { + char server[INET6_ADDRSTRLEN]; + + print_sockaddr(server, sizeof(server), &req_sa_list[i]->u.ss); + + add_failed_connection_entry(domain, server, + NT_STATUS_UNSUCCESSFUL); + } + + status = NT_STATUS_NO_LOGON_SERVERS; + DBG_WARNING("realm[%s] no valid response " + "num_requests[%zu] for count[%zu] - %s\n", + ads->server.realm, + num_requests, count, nt_errstr(status)); + TALLOC_FREE(frame); + return NT_STATUS_NO_LOGON_SERVERS; +} + +/*************************************************************************** + resolve a name and perform an "ldap ping" using NetBIOS and related methods +****************************************************************************/ + +static NTSTATUS resolve_and_ping_netbios(ADS_STRUCT *ads, + const char *domain, const char *realm) +{ + size_t i; + size_t count = 0; + struct samba_sockaddr *sa_list = NULL; + NTSTATUS status; + + DEBUG(6, ("resolve_and_ping_netbios: (cldap) looking for domain '%s'\n", + domain)); + + status = get_sorted_dc_list(talloc_tos(), + domain, + NULL, + &sa_list, + &count, + false); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + /* remove servers which are known to be dead based on + the corresponding DNS method */ + if (*realm) { + for (i = 0; i < count; ++i) { + char server[INET6_ADDRSTRLEN]; + + print_sockaddr(server, sizeof(server), &sa_list[i].u.ss); + + if(!NT_STATUS_IS_OK( + check_negative_conn_cache(realm, server))) { + /* Ensure we add the workgroup name for this + IP address as negative too. */ + add_failed_connection_entry( + domain, server, + NT_STATUS_UNSUCCESSFUL); + } + } + } + + status = cldap_ping_list(ads, domain, sa_list, count); + + TALLOC_FREE(sa_list); + + return status; +} + + +/********************************************************************** + resolve a name and perform an "ldap ping" using DNS +**********************************************************************/ + +static NTSTATUS resolve_and_ping_dns(ADS_STRUCT *ads, const char *sitename, + const char *realm) +{ + size_t count = 0; + struct samba_sockaddr *sa_list = NULL; + NTSTATUS status; + + DEBUG(6, ("resolve_and_ping_dns: (cldap) looking for realm '%s'\n", + realm)); + + status = get_sorted_dc_list(talloc_tos(), + realm, + sitename, + &sa_list, + &count, + true); + if (!NT_STATUS_IS_OK(status)) { + TALLOC_FREE(sa_list); + return status; + } + + status = cldap_ping_list(ads, realm, sa_list, count); + + TALLOC_FREE(sa_list); + + return status; +} + +/********************************************************************** + Try to find an AD dc using our internal name resolution routines + Try the realm first and then the workgroup name if netbios is not + disabled +**********************************************************************/ + +static NTSTATUS ads_find_dc(ADS_STRUCT *ads) +{ + const char *c_domain = ""; + const char *c_realm; + bool use_own_domain = False; + char *sitename = NULL; + NTSTATUS status = NT_STATUS_UNSUCCESSFUL; + bool ok = false; + + /* if the realm and workgroup are both empty, assume they are ours */ + + /* realm */ + c_realm = ads->server.realm; + + if (c_realm == NULL) + c_realm = ""; + + if (!*c_realm) { + /* special case where no realm and no workgroup means our own */ + if ( !ads->server.workgroup || !*ads->server.workgroup ) { + use_own_domain = True; + c_realm = lp_realm(); + } + } + + if (!lp_disable_netbios()) { + if (use_own_domain) { + c_domain = lp_workgroup(); + } else { + c_domain = ads->server.workgroup; + if (!*c_realm && (!c_domain || !*c_domain)) { + c_domain = lp_workgroup(); + } + } + + if (!c_domain) { + c_domain = ""; + } + } + + if (!*c_realm && !*c_domain) { + DEBUG(0, ("ads_find_dc: no realm or workgroup! Don't know " + "what to do\n")); + return NT_STATUS_INVALID_PARAMETER; /* rather need MISSING_PARAMETER ... */ + } + + /* + * In case of LDAP we use get_dc_name() as that + * creates the custom krb5.conf file + */ + if (!(ads->auth.flags & ADS_AUTH_NO_BIND)) { + fstring srv_name; + struct sockaddr_storage ip_out; + + DEBUG(6, ("ads_find_dc: (ldap) looking for realm '%s'" + " and falling back to domain '%s'\n", + c_realm, c_domain)); + + ok = get_dc_name(c_domain, c_realm, srv_name, &ip_out); + if (ok) { + if (is_zero_addr(&ip_out)) { + return NT_STATUS_NO_LOGON_SERVERS; + } + + /* + * we call ads_try_connect() to fill in the + * ads->config details + */ + ok = ads_try_connect(ads, false, &ip_out); + if (ok) { + return NT_STATUS_OK; + } + } + + return NT_STATUS_NO_LOGON_SERVERS; + } + + if (*c_realm) { + sitename = sitename_fetch(talloc_tos(), c_realm); + status = resolve_and_ping_dns(ads, sitename, c_realm); + + if (NT_STATUS_IS_OK(status)) { + TALLOC_FREE(sitename); + return status; + } + + /* In case we failed to contact one of our closest DC on our + * site we + * need to try to find another DC, retry with a site-less SRV + * DNS query + * - Guenther */ + + if (sitename) { + DEBUG(3, ("ads_find_dc: failed to find a valid DC on " + "our site (%s), Trying to find another DC " + "for realm '%s' (domain '%s')\n", + sitename, c_realm, c_domain)); + namecache_delete(c_realm, 0x1C); + status = + resolve_and_ping_dns(ads, NULL, c_realm); + + if (NT_STATUS_IS_OK(status)) { + TALLOC_FREE(sitename); + return status; + } + } + + TALLOC_FREE(sitename); + } + + /* try netbios as fallback - if permitted, + or if configuration specifically requests it */ + if (*c_domain) { + if (*c_realm) { + DEBUG(3, ("ads_find_dc: falling back to netbios " + "name resolution for domain '%s' (realm '%s')\n", + c_domain, c_realm)); + } + + status = resolve_and_ping_netbios(ads, c_domain, c_realm); + if (NT_STATUS_IS_OK(status)) { + return status; + } + } + + DEBUG(1, ("ads_find_dc: " + "name resolution for realm '%s' (domain '%s') failed: %s\n", + c_realm, c_domain, nt_errstr(status))); + return status; +} +/** + * Connect to the LDAP server + * @param ads Pointer to an existing ADS_STRUCT + * @return status of connection + **/ +ADS_STATUS ads_connect(ADS_STRUCT *ads) +{ + int version = LDAP_VERSION3; + ADS_STATUS status; + NTSTATUS ntstatus; + char addr[INET6_ADDRSTRLEN]; + struct sockaddr_storage existing_ss; + + zero_sockaddr(&existing_ss); + + /* + * ads_connect can be passed in a reused ADS_STRUCT + * with an existing non-zero ads->ldap.ss IP address + * that was stored by going through ads_find_dc() + * if ads->server.ldap_server was NULL. + * + * If ads->server.ldap_server is still NULL but + * the target address isn't the zero address, then + * store that address off off before zeroing out + * ads->ldap so we don't keep doing multiple calls + * to ads_find_dc() in the reuse case. + * + * If a caller wants a clean ADS_STRUCT they + * will TALLOC_FREE it and allocate a new one + * by calling ads_init(), which ensures + * ads->ldap.ss is a properly zero'ed out valid IP + * address. + */ + if (ads->server.ldap_server == NULL && !is_zero_addr(&ads->ldap.ss)) { + /* Save off the address we previously found by ads_find_dc(). */ + existing_ss = ads->ldap.ss; + } + + ads_zero_ldap(ads); + ZERO_STRUCT(ads->ldap_wrap_data); + ads->ldap.last_attempt = time_mono(NULL); + ads->ldap_wrap_data.wrap_type = ADS_SASLWRAP_TYPE_PLAIN; + + /* try with a user specified server */ + + if (DEBUGLEVEL >= 11) { + char *s = NDR_PRINT_STRUCT_STRING(talloc_tos(), ads_struct, ads); + DEBUG(11,("ads_connect: entering\n")); + DEBUGADD(11,("%s\n", s)); + TALLOC_FREE(s); + } + + if (ads->server.ldap_server) { + bool ok = false; + struct sockaddr_storage ss; + + DBG_DEBUG("Resolving name of LDAP server '%s'.\n", + ads->server.ldap_server); + ok = resolve_name(ads->server.ldap_server, &ss, 0x20, true); + if (!ok) { + DEBUG(5,("ads_connect: unable to resolve name %s\n", + ads->server.ldap_server)); + status = ADS_ERROR_NT(NT_STATUS_NOT_FOUND); + goto out; + } + + if (is_zero_addr(&ss)) { + status = ADS_ERROR_NT(NT_STATUS_NOT_FOUND); + goto out; + } + + ok = ads_try_connect(ads, ads->server.gc, &ss); + if (ok) { + goto got_connection; + } + + /* The choice of which GC use is handled one level up in + ads_connect_gc(). If we continue on from here with + ads_find_dc() we will get GC searches on port 389 which + doesn't work. --jerry */ + + if (ads->server.gc == true) { + return ADS_ERROR(LDAP_OPERATIONS_ERROR); + } + + if (ads->server.no_fallback) { + status = ADS_ERROR_NT(NT_STATUS_NOT_FOUND); + goto out; + } + } + + if (!is_zero_addr(&existing_ss)) { + /* We saved off who we should talk to. */ + bool ok = ads_try_connect(ads, + ads->server.gc, + &existing_ss); + if (ok) { + goto got_connection; + } + /* + * Keep trying to find a server and fall through + * into ads_find_dc() again. + */ + DBG_DEBUG("Failed to connect to DC via LDAP server IP address, " + "trying to find another DC.\n"); + } + + ntstatus = ads_find_dc(ads); + if (NT_STATUS_IS_OK(ntstatus)) { + goto got_connection; + } + + status = ADS_ERROR_NT(ntstatus); + goto out; + +got_connection: + + print_sockaddr(addr, sizeof(addr), &ads->ldap.ss); + DEBUG(3,("Successfully contacted LDAP server %s\n", addr)); + + if (!ads->auth.user_name) { + /* Must use the userPrincipalName value here or sAMAccountName + and not servicePrincipalName; found by Guenther Deschner */ + ads->auth.user_name = talloc_asprintf(ads, + "%s$", + lp_netbios_name()); + if (ads->auth.user_name == NULL) { + DBG_ERR("talloc_asprintf failed\n"); + status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY); + goto out; + } + } + + if (ads->auth.realm == NULL) { + ads->auth.realm = talloc_strdup(ads, ads->config.realm); + if (ads->auth.realm == NULL) { + status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY); + goto out; + } + } + + if (!ads->auth.kdc_server) { + print_sockaddr(addr, sizeof(addr), &ads->ldap.ss); + ads->auth.kdc_server = talloc_strdup(ads, addr); + if (ads->auth.kdc_server == NULL) { + status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY); + goto out; + } + } + + /* If the caller() requested no LDAP bind, then we are done */ + + if (ads->auth.flags & ADS_AUTH_NO_BIND) { + status = ADS_SUCCESS; + goto out; + } + + ads->ldap_wrap_data.mem_ctx = talloc_init("ads LDAP connection memory"); + if (!ads->ldap_wrap_data.mem_ctx) { + status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY); + goto out; + } + + /* Otherwise setup the TCP LDAP session */ + + ads->ldap.ld = ldap_open_with_timeout(ads->config.ldap_server_name, + &ads->ldap.ss, + ads->ldap.port, lp_ldap_timeout()); + if (ads->ldap.ld == NULL) { + status = ADS_ERROR(LDAP_OPERATIONS_ERROR); + goto out; + } + DEBUG(3,("Connected to LDAP server %s\n", ads->config.ldap_server_name)); + + /* cache the successful connection for workgroup and realm */ + if (ads_closest_dc(ads)) { + saf_store( ads->server.workgroup, ads->config.ldap_server_name); + saf_store( ads->server.realm, ads->config.ldap_server_name); + } + + ldap_set_option(ads->ldap.ld, LDAP_OPT_PROTOCOL_VERSION, &version); + + /* fill in the current time and offsets */ + + status = ads_current_time( ads ); + if ( !ADS_ERR_OK(status) ) { + goto out; + } + + /* Now do the bind */ + + if (ads->auth.flags & ADS_AUTH_ANON_BIND) { + status = ADS_ERROR(ldap_simple_bind_s(ads->ldap.ld, NULL, NULL)); + goto out; + } + + if (ads->auth.flags & ADS_AUTH_SIMPLE_BIND) { + status = ADS_ERROR(ldap_simple_bind_s(ads->ldap.ld, ads->auth.user_name, ads->auth.password)); + goto out; + } + + status = ads_sasl_bind(ads); + + out: + if (DEBUGLEVEL >= 11) { + char *s = NDR_PRINT_STRUCT_STRING(talloc_tos(), ads_struct, ads); + DEBUG(11,("ads_connect: leaving with: %s\n", + ads_errstr(status))); + DEBUGADD(11,("%s\n", s)); + TALLOC_FREE(s); + } + + return status; +} + +/** + * Connect to the LDAP server using given credentials + * @param ads Pointer to an existing ADS_STRUCT + * @return status of connection + **/ +ADS_STATUS ads_connect_user_creds(ADS_STRUCT *ads) +{ + ads->auth.flags |= ADS_AUTH_USER_CREDS; + + return ads_connect(ads); +} + +/** + * Zero out the internal ads->ldap struct and initialize the address to zero IP. + * @param ads Pointer to an existing ADS_STRUCT + * + * Sets the ads->ldap.ss to a valid + * zero ip address that can be detected by + * our is_zero_addr() function. Otherwise + * it is left as AF_UNSPEC (0). + **/ +void ads_zero_ldap(ADS_STRUCT *ads) +{ + ZERO_STRUCT(ads->ldap); + /* + * Initialize the sockaddr_storage so we can use + * sockaddr test functions against it. + */ + zero_sockaddr(&ads->ldap.ss); +} + +/** + * Disconnect the LDAP server + * @param ads Pointer to an existing ADS_STRUCT + **/ +void ads_disconnect(ADS_STRUCT *ads) +{ + if (ads->ldap.ld) { + ldap_unbind(ads->ldap.ld); + ads->ldap.ld = NULL; + } + if (ads->ldap_wrap_data.wrap_ops && + ads->ldap_wrap_data.wrap_ops->disconnect) { + ads->ldap_wrap_data.wrap_ops->disconnect(&ads->ldap_wrap_data); + } + if (ads->ldap_wrap_data.mem_ctx) { + talloc_free(ads->ldap_wrap_data.mem_ctx); + } + ads_zero_ldap(ads); + ZERO_STRUCT(ads->ldap_wrap_data); +} + +/* + Duplicate a struct berval into talloc'ed memory + */ +static struct berval *dup_berval(TALLOC_CTX *ctx, const struct berval *in_val) +{ + struct berval *value; + + if (!in_val) return NULL; + + value = talloc_zero(ctx, struct berval); + if (value == NULL) + return NULL; + if (in_val->bv_len == 0) return value; + + value->bv_len = in_val->bv_len; + value->bv_val = (char *)talloc_memdup(ctx, in_val->bv_val, + in_val->bv_len); + return value; +} + +/* + Make a values list out of an array of (struct berval *) + */ +static struct berval **ads_dup_values(TALLOC_CTX *ctx, + const struct berval **in_vals) +{ + struct berval **values; + int i; + + if (!in_vals) return NULL; + for (i=0; in_vals[i]; i++) + ; /* count values */ + values = talloc_zero_array(ctx, struct berval *, i+1); + if (!values) return NULL; + + for (i=0; in_vals[i]; i++) { + values[i] = dup_berval(ctx, in_vals[i]); + } + return values; +} + +/* + UTF8-encode a values list out of an array of (char *) + */ +static char **ads_push_strvals(TALLOC_CTX *ctx, const char **in_vals) +{ + char **values; + int i; + size_t size; + + if (!in_vals) return NULL; + for (i=0; in_vals[i]; i++) + ; /* count values */ + values = talloc_zero_array(ctx, char *, i+1); + if (!values) return NULL; + + for (i=0; in_vals[i]; i++) { + if (!push_utf8_talloc(ctx, &values[i], in_vals[i], &size)) { + TALLOC_FREE(values); + return NULL; + } + } + return values; +} + +/* + Pull a (char *) array out of a UTF8-encoded values list + */ +static char **ads_pull_strvals(TALLOC_CTX *ctx, const char **in_vals) +{ + char **values; + int i; + size_t converted_size; + + if (!in_vals) return NULL; + for (i=0; in_vals[i]; i++) + ; /* count values */ + values = talloc_zero_array(ctx, char *, i+1); + if (!values) return NULL; + + for (i=0; in_vals[i]; i++) { + if (!pull_utf8_talloc(ctx, &values[i], in_vals[i], + &converted_size)) { + DEBUG(0,("ads_pull_strvals: pull_utf8_talloc failed: " + "%s\n", strerror(errno))); + } + } + return values; +} + +/** + * Do a search with paged results. cookie must be null on the first + * call, and then returned on each subsequent call. It will be null + * again when the entire search is complete + * @param ads connection to ads server + * @param bind_path Base dn for the search + * @param scope Scope of search (LDAP_SCOPE_BASE | LDAP_SCOPE_ONE | LDAP_SCOPE_SUBTREE) + * @param expr Search expression - specified in local charset + * @param attrs Attributes to retrieve - specified in utf8 or ascii + * @param res ** which will contain results - free res* with ads_msgfree() + * @param count Number of entries retrieved on this page + * @param cookie The paged results cookie to be returned on subsequent calls + * @return status of search + **/ +static ADS_STATUS ads_do_paged_search_args(ADS_STRUCT *ads, + const char *bind_path, + int scope, const char *expr, + const char **attrs, void *args, + LDAPMessage **res, + int *count, struct berval **cookie) +{ + int rc, i, version; + char *utf8_expr, *utf8_path, **search_attrs = NULL; + size_t converted_size; + LDAPControl PagedResults, NoReferrals, ExternalCtrl, *controls[4], **rcontrols; + BerElement *cookie_be = NULL; + struct berval *cookie_bv= NULL; + BerElement *ext_be = NULL; + struct berval *ext_bv= NULL; + + TALLOC_CTX *ctx; + ads_control *external_control = (ads_control *) args; + + *res = NULL; + + if (!(ctx = talloc_init("ads_do_paged_search_args"))) + return ADS_ERROR(LDAP_NO_MEMORY); + + /* 0 means the conversion worked but the result was empty + so we only fail if it's -1. In any case, it always + at least nulls out the dest */ + if (!push_utf8_talloc(ctx, &utf8_expr, expr, &converted_size) || + !push_utf8_talloc(ctx, &utf8_path, bind_path, &converted_size)) + { + rc = LDAP_NO_MEMORY; + goto done; + } + + if (!attrs || !(*attrs)) + search_attrs = NULL; + else { + /* This would be the utf8-encoded version...*/ + /* if (!(search_attrs = ads_push_strvals(ctx, attrs))) */ + if (!(search_attrs = str_list_copy(talloc_tos(), attrs))) { + rc = LDAP_NO_MEMORY; + goto done; + } + } + + /* Paged results only available on ldap v3 or later */ + ldap_get_option(ads->ldap.ld, LDAP_OPT_PROTOCOL_VERSION, &version); + if (version < LDAP_VERSION3) { + rc = LDAP_NOT_SUPPORTED; + goto done; + } + + cookie_be = ber_alloc_t(LBER_USE_DER); + if (*cookie) { + ber_printf(cookie_be, "{iO}", (ber_int_t) ads->config.ldap_page_size, *cookie); + ber_bvfree(*cookie); /* don't need it from last time */ + *cookie = NULL; + } else { + ber_printf(cookie_be, "{io}", (ber_int_t) ads->config.ldap_page_size, "", 0); + } + ber_flatten(cookie_be, &cookie_bv); + PagedResults.ldctl_oid = discard_const_p(char, ADS_PAGE_CTL_OID); + PagedResults.ldctl_iscritical = (char) 1; + PagedResults.ldctl_value.bv_len = cookie_bv->bv_len; + PagedResults.ldctl_value.bv_val = cookie_bv->bv_val; + + NoReferrals.ldctl_oid = discard_const_p(char, ADS_NO_REFERRALS_OID); + NoReferrals.ldctl_iscritical = (char) 0; + NoReferrals.ldctl_value.bv_len = 0; + NoReferrals.ldctl_value.bv_val = discard_const_p(char, ""); + + if (external_control && + (strequal(external_control->control, ADS_EXTENDED_DN_OID) || + strequal(external_control->control, ADS_SD_FLAGS_OID))) { + + ExternalCtrl.ldctl_oid = discard_const_p(char, external_control->control); + ExternalCtrl.ldctl_iscritical = (char) external_control->critical; + + /* win2k does not accept a ldctl_value being passed in */ + + if (external_control->val != 0) { + + if ((ext_be = ber_alloc_t(LBER_USE_DER)) == NULL ) { + rc = LDAP_NO_MEMORY; + goto done; + } + + if ((ber_printf(ext_be, "{i}", (ber_int_t) external_control->val)) == -1) { + rc = LDAP_NO_MEMORY; + goto done; + } + if ((ber_flatten(ext_be, &ext_bv)) == -1) { + rc = LDAP_NO_MEMORY; + goto done; + } + + ExternalCtrl.ldctl_value.bv_len = ext_bv->bv_len; + ExternalCtrl.ldctl_value.bv_val = ext_bv->bv_val; + + } else { + ExternalCtrl.ldctl_value.bv_len = 0; + ExternalCtrl.ldctl_value.bv_val = NULL; + } + + controls[0] = &NoReferrals; + controls[1] = &PagedResults; + controls[2] = &ExternalCtrl; + controls[3] = NULL; + + } else { + controls[0] = &NoReferrals; + controls[1] = &PagedResults; + controls[2] = NULL; + } + + /* we need to disable referrals as the openldap libs don't + handle them and paged results at the same time. Using them + together results in the result record containing the server + page control being removed from the result list (tridge/jmcd) + + leaving this in despite the control that says don't generate + referrals, in case the server doesn't support it (jmcd) + */ + ldap_set_option(ads->ldap.ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF); + + rc = ldap_search_with_timeout(ads->ldap.ld, utf8_path, scope, utf8_expr, + search_attrs, 0, controls, + NULL, LDAP_NO_LIMIT, + (LDAPMessage **)res); + + ber_free(cookie_be, 1); + ber_bvfree(cookie_bv); + + if (rc) { + DEBUG(3,("ads_do_paged_search_args: ldap_search_with_timeout(%s) -> %s\n", expr, + ldap_err2string(rc))); + if (rc == LDAP_OTHER) { + char *ldap_errmsg; + int ret; + + ret = ldap_parse_result(ads->ldap.ld, + *res, + NULL, + NULL, + &ldap_errmsg, + NULL, + NULL, + 0); + if (ret == LDAP_SUCCESS) { + DEBUG(3, ("ldap_search_with_timeout(%s) " + "error: %s\n", expr, ldap_errmsg)); + ldap_memfree(ldap_errmsg); + } + } + goto done; + } + + rc = ldap_parse_result(ads->ldap.ld, *res, NULL, NULL, NULL, + NULL, &rcontrols, 0); + + if (!rcontrols) { + goto done; + } + + for (i=0; rcontrols[i]; i++) { + if (strcmp(ADS_PAGE_CTL_OID, rcontrols[i]->ldctl_oid) == 0) { + cookie_be = ber_init(&rcontrols[i]->ldctl_value); + ber_scanf(cookie_be,"{iO}", (ber_int_t *) count, + &cookie_bv); + /* the berval is the cookie, but must be freed when + it is all done */ + if (cookie_bv->bv_len) /* still more to do */ + *cookie=ber_bvdup(cookie_bv); + else + *cookie=NULL; + ber_bvfree(cookie_bv); + ber_free(cookie_be, 1); + break; + } + } + ldap_controls_free(rcontrols); + +done: + talloc_destroy(ctx); + + if (ext_be) { + ber_free(ext_be, 1); + } + + if (ext_bv) { + ber_bvfree(ext_bv); + } + + if (rc != LDAP_SUCCESS && *res != NULL) { + ads_msgfree(ads, *res); + *res = NULL; + } + + /* if/when we decide to utf8-encode attrs, take out this next line */ + TALLOC_FREE(search_attrs); + + return ADS_ERROR(rc); +} + +static ADS_STATUS ads_do_paged_search(ADS_STRUCT *ads, const char *bind_path, + int scope, const char *expr, + const char **attrs, LDAPMessage **res, + int *count, struct berval **cookie) +{ + return ads_do_paged_search_args(ads, bind_path, scope, expr, attrs, NULL, res, count, cookie); +} + + +/** + * Get all results for a search. This uses ads_do_paged_search() to return + * all entries in a large search. + * @param ads connection to ads server + * @param bind_path Base dn for the search + * @param scope Scope of search (LDAP_SCOPE_BASE | LDAP_SCOPE_ONE | LDAP_SCOPE_SUBTREE) + * @param expr Search expression + * @param attrs Attributes to retrieve + * @param res ** which will contain results - free res* with ads_msgfree() + * @return status of search + **/ + ADS_STATUS ads_do_search_all_args(ADS_STRUCT *ads, const char *bind_path, + int scope, const char *expr, + const char **attrs, void *args, + LDAPMessage **res) +{ + struct berval *cookie = NULL; + int count = 0; + ADS_STATUS status; + + *res = NULL; + status = ads_do_paged_search_args(ads, bind_path, scope, expr, attrs, args, res, + &count, &cookie); + + if (!ADS_ERR_OK(status)) + return status; + +#ifdef HAVE_LDAP_ADD_RESULT_ENTRY + while (cookie) { + LDAPMessage *res2 = NULL; + LDAPMessage *msg, *next; + + status = ads_do_paged_search_args(ads, bind_path, scope, expr, + attrs, args, &res2, &count, &cookie); + if (!ADS_ERR_OK(status)) { + break; + } + + /* this relies on the way that ldap_add_result_entry() works internally. I hope + that this works on all ldap libs, but I have only tested with openldap */ + for (msg = ads_first_message(ads, res2); msg; msg = next) { + next = ads_next_message(ads, msg); + ldap_add_result_entry((LDAPMessage **)res, msg); + } + /* note that we do not free res2, as the memory is now + part of the main returned list */ + } +#else + DEBUG(0, ("no ldap_add_result_entry() support in LDAP libs!\n")); + status = ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL); +#endif + + return status; +} + + ADS_STATUS ads_do_search_all(ADS_STRUCT *ads, const char *bind_path, + int scope, const char *expr, + const char **attrs, LDAPMessage **res) +{ + return ads_do_search_all_args(ads, bind_path, scope, expr, attrs, NULL, res); +} + + ADS_STATUS ads_do_search_all_sd_flags(ADS_STRUCT *ads, const char *bind_path, + int scope, const char *expr, + const char **attrs, uint32_t sd_flags, + LDAPMessage **res) +{ + ads_control args; + + args.control = ADS_SD_FLAGS_OID; + args.val = sd_flags; + args.critical = True; + + return ads_do_search_all_args(ads, bind_path, scope, expr, attrs, &args, res); +} + + +/** + * Run a function on all results for a search. Uses ads_do_paged_search() and + * runs the function as each page is returned, using ads_process_results() + * @param ads connection to ads server + * @param bind_path Base dn for the search + * @param scope Scope of search (LDAP_SCOPE_BASE | LDAP_SCOPE_ONE | LDAP_SCOPE_SUBTREE) + * @param expr Search expression - specified in local charset + * @param attrs Attributes to retrieve - specified in UTF-8 or ascii + * @param fn Function which takes attr name, values list, and data_area + * @param data_area Pointer which is passed to function on each call + * @return status of search + **/ +ADS_STATUS ads_do_search_all_fn(ADS_STRUCT *ads, const char *bind_path, + int scope, const char *expr, const char **attrs, + bool (*fn)(ADS_STRUCT *, char *, void **, void *), + void *data_area) +{ + struct berval *cookie = NULL; + int count = 0; + ADS_STATUS status; + LDAPMessage *res; + + status = ads_do_paged_search(ads, bind_path, scope, expr, attrs, &res, + &count, &cookie); + + if (!ADS_ERR_OK(status)) return status; + + ads_process_results(ads, res, fn, data_area); + ads_msgfree(ads, res); + + while (cookie) { + status = ads_do_paged_search(ads, bind_path, scope, expr, attrs, + &res, &count, &cookie); + + if (!ADS_ERR_OK(status)) break; + + ads_process_results(ads, res, fn, data_area); + ads_msgfree(ads, res); + } + + return status; +} + +/** + * Do a search with a timeout. + * @param ads connection to ads server + * @param bind_path Base dn for the search + * @param scope Scope of search (LDAP_SCOPE_BASE | LDAP_SCOPE_ONE | LDAP_SCOPE_SUBTREE) + * @param expr Search expression + * @param attrs Attributes to retrieve + * @param res ** which will contain results - free res* with ads_msgfree() + * @return status of search + **/ + ADS_STATUS ads_do_search(ADS_STRUCT *ads, const char *bind_path, int scope, + const char *expr, + const char **attrs, LDAPMessage **res) +{ + int rc; + char *utf8_expr, *utf8_path, **search_attrs = NULL; + size_t converted_size; + TALLOC_CTX *ctx; + + *res = NULL; + if (!(ctx = talloc_init("ads_do_search"))) { + DEBUG(1,("ads_do_search: talloc_init() failed!\n")); + return ADS_ERROR(LDAP_NO_MEMORY); + } + + /* 0 means the conversion worked but the result was empty + so we only fail if it's negative. In any case, it always + at least nulls out the dest */ + if (!push_utf8_talloc(ctx, &utf8_expr, expr, &converted_size) || + !push_utf8_talloc(ctx, &utf8_path, bind_path, &converted_size)) + { + DEBUG(1,("ads_do_search: push_utf8_talloc() failed!\n")); + rc = LDAP_NO_MEMORY; + goto done; + } + + if (!attrs || !(*attrs)) + search_attrs = NULL; + else { + /* This would be the utf8-encoded version...*/ + /* if (!(search_attrs = ads_push_strvals(ctx, attrs))) */ + if (!(search_attrs = str_list_copy(talloc_tos(), attrs))) + { + DEBUG(1,("ads_do_search: str_list_copy() failed!\n")); + rc = LDAP_NO_MEMORY; + goto done; + } + } + + /* see the note in ads_do_paged_search - we *must* disable referrals */ + ldap_set_option(ads->ldap.ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF); + + rc = ldap_search_with_timeout(ads->ldap.ld, utf8_path, scope, utf8_expr, + search_attrs, 0, NULL, NULL, + LDAP_NO_LIMIT, + (LDAPMessage **)res); + + if (rc == LDAP_SIZELIMIT_EXCEEDED) { + DEBUG(3,("Warning! sizelimit exceeded in ldap. Truncating.\n")); + rc = 0; + } + + done: + talloc_destroy(ctx); + /* if/when we decide to utf8-encode attrs, take out this next line */ + TALLOC_FREE(search_attrs); + return ADS_ERROR(rc); +} +/** + * Do a general ADS search + * @param ads connection to ads server + * @param res ** which will contain results - free res* with ads_msgfree() + * @param expr Search expression + * @param attrs Attributes to retrieve + * @return status of search + **/ + ADS_STATUS ads_search(ADS_STRUCT *ads, LDAPMessage **res, + const char *expr, const char **attrs) +{ + return ads_do_search(ads, ads->config.bind_path, LDAP_SCOPE_SUBTREE, + expr, attrs, res); +} + +/** + * Do a search on a specific DistinguishedName + * @param ads connection to ads server + * @param res ** which will contain results - free res* with ads_msgfree() + * @param dn DistinguishedName to search + * @param attrs Attributes to retrieve + * @return status of search + **/ + ADS_STATUS ads_search_dn(ADS_STRUCT *ads, LDAPMessage **res, + const char *dn, const char **attrs) +{ + return ads_do_search(ads, dn, LDAP_SCOPE_BASE, "(objectclass=*)", + attrs, res); +} + +/** + * Free up memory from a ads_search + * @param ads connection to ads server + * @param msg Search results to free + **/ + void ads_msgfree(ADS_STRUCT *ads, LDAPMessage *msg) +{ + if (!msg) return; + ldap_msgfree(msg); +} + +/** + * Get a dn from search results + * @param ads connection to ads server + * @param msg Search result + * @return dn string + **/ + char *ads_get_dn(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, LDAPMessage *msg) +{ + char *utf8_dn, *unix_dn; + size_t converted_size; + + utf8_dn = ldap_get_dn(ads->ldap.ld, msg); + + if (!utf8_dn) { + DEBUG (5, ("ads_get_dn: ldap_get_dn failed\n")); + return NULL; + } + + if (!pull_utf8_talloc(mem_ctx, &unix_dn, utf8_dn, &converted_size)) { + DEBUG(0,("ads_get_dn: string conversion failure utf8 [%s]\n", + utf8_dn )); + return NULL; + } + ldap_memfree(utf8_dn); + return unix_dn; +} + +/** + * Get the parent from a dn + * @param dn the dn to return the parent from + * @return parent dn string + **/ +char *ads_parent_dn(const char *dn) +{ + char *p; + + if (dn == NULL) { + return NULL; + } + + p = strchr(dn, ','); + + if (p == NULL) { + return NULL; + } + + return p+1; +} + +/** + * Find a machine account given a hostname + * @param ads connection to ads server + * @param res ** which will contain results - free res* with ads_msgfree() + * @param host Hostname to search for + * @return status of search + **/ + ADS_STATUS ads_find_machine_acct(ADS_STRUCT *ads, LDAPMessage **res, + const char *machine) +{ + ADS_STATUS status; + char *expr; + const char *attrs[] = { + /* This is how Windows checks for machine accounts */ + "objectClass", + "SamAccountName", + "userAccountControl", + "DnsHostName", + "ServicePrincipalName", + "userPrincipalName", + "unicodePwd", + + /* Additional attributes Samba checks */ + "msDS-AdditionalDnsHostName", + "msDS-SupportedEncryptionTypes", + "nTSecurityDescriptor", + "objectSid", + + NULL + }; + TALLOC_CTX *frame = talloc_stackframe(); + + *res = NULL; + + /* the easiest way to find a machine account anywhere in the tree + is to look for hostname$ */ + expr = talloc_asprintf(frame, "(samAccountName=%s$)", machine); + if (expr == NULL) { + status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY); + goto done; + } + + status = ads_search(ads, res, expr, attrs); + if (ADS_ERR_OK(status)) { + if (ads_count_replies(ads, *res) != 1) { + status = ADS_ERROR_LDAP(LDAP_NO_SUCH_OBJECT); + } + } + +done: + TALLOC_FREE(frame); + return status; +} + +/** + * Initialize a list of mods to be used in a modify request + * @param ctx An initialized TALLOC_CTX + * @return allocated ADS_MODLIST + **/ +ADS_MODLIST ads_init_mods(TALLOC_CTX *ctx) +{ +#define ADS_MODLIST_ALLOC_SIZE 10 + LDAPMod **mods; + + if ((mods = talloc_zero_array(ctx, LDAPMod *, ADS_MODLIST_ALLOC_SIZE + 1))) + /* -1 is safety to make sure we don't go over the end. + need to reset it to NULL before doing ldap modify */ + mods[ADS_MODLIST_ALLOC_SIZE] = (LDAPMod *) -1; + + return (ADS_MODLIST)mods; +} + + +/* + add an attribute to the list, with values list already constructed +*/ +static ADS_STATUS ads_modlist_add(TALLOC_CTX *ctx, ADS_MODLIST *mods, + int mod_op, const char *name, + const void *_invals) +{ + int curmod; + LDAPMod **modlist = (LDAPMod **) *mods; + struct berval **ber_values = NULL; + char **char_values = NULL; + + if (!_invals) { + mod_op = LDAP_MOD_DELETE; + } else { + if (mod_op & LDAP_MOD_BVALUES) { + const struct berval **b; + b = discard_const_p(const struct berval *, _invals); + ber_values = ads_dup_values(ctx, b); + } else { + const char **c; + c = discard_const_p(const char *, _invals); + char_values = ads_push_strvals(ctx, c); + } + } + + /* find the first empty slot */ + for (curmod=0; modlist[curmod] && modlist[curmod] != (LDAPMod *) -1; + curmod++); + if (modlist[curmod] == (LDAPMod *) -1) { + if (!(modlist = talloc_realloc(ctx, modlist, LDAPMod *, + curmod+ADS_MODLIST_ALLOC_SIZE+1))) + return ADS_ERROR(LDAP_NO_MEMORY); + memset(&modlist[curmod], 0, + ADS_MODLIST_ALLOC_SIZE*sizeof(LDAPMod *)); + modlist[curmod+ADS_MODLIST_ALLOC_SIZE] = (LDAPMod *) -1; + *mods = (ADS_MODLIST)modlist; + } + + if (!(modlist[curmod] = talloc_zero(ctx, LDAPMod))) + return ADS_ERROR(LDAP_NO_MEMORY); + modlist[curmod]->mod_type = talloc_strdup(ctx, name); + if (mod_op & LDAP_MOD_BVALUES) { + modlist[curmod]->mod_bvalues = ber_values; + } else if (mod_op & LDAP_MOD_DELETE) { + modlist[curmod]->mod_values = NULL; + } else { + modlist[curmod]->mod_values = char_values; + } + + modlist[curmod]->mod_op = mod_op; + return ADS_ERROR(LDAP_SUCCESS); +} + +/** + * Add a single string value to a mod list + * @param ctx An initialized TALLOC_CTX + * @param mods An initialized ADS_MODLIST + * @param name The attribute name to add + * @param val The value to add - NULL means DELETE + * @return ADS STATUS indicating success of add + **/ +ADS_STATUS ads_mod_str(TALLOC_CTX *ctx, ADS_MODLIST *mods, + const char *name, const char *val) +{ + const char *values[2]; + + values[0] = val; + values[1] = NULL; + + if (!val) + return ads_modlist_add(ctx, mods, LDAP_MOD_DELETE, name, NULL); + return ads_modlist_add(ctx, mods, LDAP_MOD_REPLACE, name, values); +} + +/** + * Add an array of string values to a mod list + * @param ctx An initialized TALLOC_CTX + * @param mods An initialized ADS_MODLIST + * @param name The attribute name to add + * @param vals The array of string values to add - NULL means DELETE + * @return ADS STATUS indicating success of add + **/ +ADS_STATUS ads_mod_strlist(TALLOC_CTX *ctx, ADS_MODLIST *mods, + const char *name, const char **vals) +{ + if (!vals) + return ads_modlist_add(ctx, mods, LDAP_MOD_DELETE, name, NULL); + return ads_modlist_add(ctx, mods, LDAP_MOD_REPLACE, + name, (const void **) vals); +} + +/** + * Add a single ber-encoded value to a mod list + * @param ctx An initialized TALLOC_CTX + * @param mods An initialized ADS_MODLIST + * @param name The attribute name to add + * @param val The value to add - NULL means DELETE + * @return ADS STATUS indicating success of add + **/ +static ADS_STATUS ads_mod_ber(TALLOC_CTX *ctx, ADS_MODLIST *mods, + const char *name, const struct berval *val) +{ + const struct berval *values[2]; + + values[0] = val; + values[1] = NULL; + if (!val) + return ads_modlist_add(ctx, mods, LDAP_MOD_DELETE, name, NULL); + return ads_modlist_add(ctx, mods, LDAP_MOD_REPLACE|LDAP_MOD_BVALUES, + name, (const void **) values); +} + +static void ads_print_error(int ret, LDAP *ld) +{ + if (ret != 0) { + char *ld_error = NULL; + ldap_get_option(ld, LDAP_OPT_ERROR_STRING, &ld_error); + DBG_ERR("AD LDAP ERROR: %d (%s): %s\n", + ret, + ldap_err2string(ret), + ld_error); + SAFE_FREE(ld_error); + } +} + +/** + * Perform an ldap modify + * @param ads connection to ads server + * @param mod_dn DistinguishedName to modify + * @param mods list of modifications to perform + * @return status of modify + **/ +ADS_STATUS ads_gen_mod(ADS_STRUCT *ads, const char *mod_dn, ADS_MODLIST mods) +{ + int ret,i; + char *utf8_dn = NULL; + size_t converted_size; + /* + this control is needed to modify that contains a currently + non-existent attribute (but allowable for the object) to run + */ + LDAPControl PermitModify = { + discard_const_p(char, ADS_PERMIT_MODIFY_OID), + {0, NULL}, + (char) 1}; + LDAPControl *controls[2]; + + DBG_INFO("AD LDAP: Modifying %s\n", mod_dn); + + controls[0] = &PermitModify; + controls[1] = NULL; + + if (!push_utf8_talloc(talloc_tos(), &utf8_dn, mod_dn, &converted_size)) { + return ADS_ERROR_NT(NT_STATUS_NO_MEMORY); + } + + /* find the end of the list, marked by NULL or -1 */ + for(i=0;(mods[i]!=0)&&(mods[i]!=(LDAPMod *) -1);i++); + /* make sure the end of the list is NULL */ + mods[i] = NULL; + ret = ldap_modify_ext_s(ads->ldap.ld, utf8_dn, + (LDAPMod **) mods, controls, NULL); + ads_print_error(ret, ads->ldap.ld); + TALLOC_FREE(utf8_dn); + return ADS_ERROR(ret); +} + +/** + * Perform an ldap add + * @param ads connection to ads server + * @param new_dn DistinguishedName to add + * @param mods list of attributes and values for DN + * @return status of add + **/ +ADS_STATUS ads_gen_add(ADS_STRUCT *ads, const char *new_dn, ADS_MODLIST mods) +{ + int ret, i; + char *utf8_dn = NULL; + size_t converted_size; + + DBG_INFO("AD LDAP: Adding %s\n", new_dn); + + if (!push_utf8_talloc(talloc_tos(), &utf8_dn, new_dn, &converted_size)) { + DEBUG(1, ("ads_gen_add: push_utf8_talloc failed!\n")); + return ADS_ERROR_NT(NT_STATUS_NO_MEMORY); + } + + /* find the end of the list, marked by NULL or -1 */ + for(i=0;(mods[i]!=0)&&(mods[i]!=(LDAPMod *) -1);i++); + /* make sure the end of the list is NULL */ + mods[i] = NULL; + + ret = ldap_add_ext_s(ads->ldap.ld, utf8_dn, (LDAPMod**)mods, NULL, NULL); + ads_print_error(ret, ads->ldap.ld); + TALLOC_FREE(utf8_dn); + return ADS_ERROR(ret); +} + +/** + * Delete a DistinguishedName + * @param ads connection to ads server + * @param new_dn DistinguishedName to delete + * @return status of delete + **/ +ADS_STATUS ads_del_dn(ADS_STRUCT *ads, char *del_dn) +{ + int ret; + char *utf8_dn = NULL; + size_t converted_size; + if (!push_utf8_talloc(talloc_tos(), &utf8_dn, del_dn, &converted_size)) { + DEBUG(1, ("ads_del_dn: push_utf8_talloc failed!\n")); + return ADS_ERROR_NT(NT_STATUS_NO_MEMORY); + } + + DBG_INFO("AD LDAP: Deleting %s\n", del_dn); + + ret = ldap_delete_s(ads->ldap.ld, utf8_dn); + ads_print_error(ret, ads->ldap.ld); + TALLOC_FREE(utf8_dn); + return ADS_ERROR(ret); +} + +/** + * Build an org unit string + * if org unit is Computers or blank then assume a container, otherwise + * assume a / separated list of organisational units. + * jmcd: '\' is now used for escapes so certain chars can be in the ou (e.g. #) + * @param ads connection to ads server + * @param org_unit Organizational unit + * @return org unit string - caller must free + **/ +char *ads_ou_string(ADS_STRUCT *ads, const char *org_unit) +{ + ADS_STATUS status; + char *ret = NULL; + char *dn = NULL; + + if (!org_unit || !*org_unit) { + + ret = ads_default_ou_string(ads, DS_GUID_COMPUTERS_CONTAINER); + + /* samba4 might not yet respond to a wellknownobject-query */ + return ret ? ret : SMB_STRDUP("cn=Computers"); + } + + if (strequal(org_unit, "Computers")) { + return SMB_STRDUP("cn=Computers"); + } + + /* jmcd: removed "\\" from the separation chars, because it is + needed as an escape for chars like '#' which are valid in an + OU name */ + status = ads_build_path(org_unit, "/", "ou=", 1, &dn); + if (!ADS_ERR_OK(status)) { + return NULL; + } + + return dn; +} + +/** + * Get a org unit string for a well-known GUID + * @param ads connection to ads server + * @param wknguid Well known GUID + * @return org unit string - caller must free + **/ +char *ads_default_ou_string(ADS_STRUCT *ads, const char *wknguid) +{ + ADS_STATUS status; + LDAPMessage *res = NULL; + char *base, *wkn_dn = NULL, *ret = NULL, **wkn_dn_exp = NULL, + **bind_dn_exp = NULL; + const char *attrs[] = {"distinguishedName", NULL}; + int new_ln, wkn_ln, bind_ln, i; + + if (wknguid == NULL) { + return NULL; + } + + if (asprintf(&base, "<WKGUID=%s,%s>", wknguid, ads->config.bind_path ) == -1) { + DEBUG(1, ("asprintf failed!\n")); + return NULL; + } + + status = ads_search_dn(ads, &res, base, attrs); + if (!ADS_ERR_OK(status)) { + DEBUG(1,("Failed while searching for: %s\n", base)); + goto out; + } + + if (ads_count_replies(ads, res) != 1) { + goto out; + } + + /* substitute the bind-path from the well-known-guid-search result */ + wkn_dn = ads_get_dn(ads, talloc_tos(), res); + if (!wkn_dn) { + goto out; + } + + wkn_dn_exp = ldap_explode_dn(wkn_dn, 0); + if (!wkn_dn_exp) { + goto out; + } + + bind_dn_exp = ldap_explode_dn(ads->config.bind_path, 0); + if (!bind_dn_exp) { + goto out; + } + + for (wkn_ln=0; wkn_dn_exp[wkn_ln]; wkn_ln++) + ; + for (bind_ln=0; bind_dn_exp[bind_ln]; bind_ln++) + ; + + new_ln = wkn_ln - bind_ln; + + ret = SMB_STRDUP(wkn_dn_exp[0]); + if (!ret) { + goto out; + } + + for (i=1; i < new_ln; i++) { + char *s = NULL; + + if (asprintf(&s, "%s,%s", ret, wkn_dn_exp[i]) == -1) { + SAFE_FREE(ret); + goto out; + } + + SAFE_FREE(ret); + ret = SMB_STRDUP(s); + free(s); + if (!ret) { + goto out; + } + } + + out: + SAFE_FREE(base); + ads_msgfree(ads, res); + TALLOC_FREE(wkn_dn); + if (wkn_dn_exp) { + ldap_value_free(wkn_dn_exp); + } + if (bind_dn_exp) { + ldap_value_free(bind_dn_exp); + } + + return ret; +} + +/** + * Adds (appends) an item to an attribute array, rather then + * replacing the whole list + * @param ctx An initialized TALLOC_CTX + * @param mods An initialized ADS_MODLIST + * @param name name of the ldap attribute to append to + * @param vals an array of values to add + * @return status of addition + **/ + +ADS_STATUS ads_add_strlist(TALLOC_CTX *ctx, ADS_MODLIST *mods, + const char *name, const char **vals) +{ + return ads_modlist_add(ctx, mods, LDAP_MOD_ADD, name, + (const void *) vals); +} + +/** + * Determines the an account's current KVNO via an LDAP lookup + * @param ads An initialized ADS_STRUCT + * @param account_name the NT samaccountname. + * @return the kvno for the account, or -1 in case of a failure. + **/ + +uint32_t ads_get_kvno(ADS_STRUCT *ads, const char *account_name) +{ + LDAPMessage *res = NULL; + uint32_t kvno = (uint32_t)-1; /* -1 indicates a failure */ + char *filter; + const char *attrs[] = {"msDS-KeyVersionNumber", NULL}; + char *dn_string = NULL; + ADS_STATUS ret; + + DEBUG(5,("ads_get_kvno: Searching for account %s\n", account_name)); + if (asprintf(&filter, "(samAccountName=%s)", account_name) == -1) { + return kvno; + } + ret = ads_search(ads, &res, filter, attrs); + SAFE_FREE(filter); + if (!ADS_ERR_OK(ret) || (ads_count_replies(ads, res) != 1)) { + DEBUG(1,("ads_get_kvno: Account for %s not found.\n", account_name)); + ads_msgfree(ads, res); + return kvno; + } + + dn_string = ads_get_dn(ads, talloc_tos(), res); + if (!dn_string) { + DEBUG(0,("ads_get_kvno: out of memory.\n")); + ads_msgfree(ads, res); + return kvno; + } + DEBUG(5,("ads_get_kvno: Using: %s\n", dn_string)); + TALLOC_FREE(dn_string); + + /* --------------------------------------------------------- + * 0 is returned as a default KVNO from this point on... + * This is done because Windows 2000 does not support key + * version numbers. Chances are that a failure in the next + * step is simply due to Windows 2000 being used for a + * domain controller. */ + kvno = 0; + + if (!ads_pull_uint32(ads, res, "msDS-KeyVersionNumber", &kvno)) { + DEBUG(3,("ads_get_kvno: Error Determining KVNO!\n")); + DEBUG(3,("ads_get_kvno: Windows 2000 does not support KVNO's, so this may be normal.\n")); + ads_msgfree(ads, res); + return kvno; + } + + /* Success */ + DEBUG(5,("ads_get_kvno: Looked Up KVNO of: %d\n", kvno)); + ads_msgfree(ads, res); + return kvno; +} + +/** + * Determines the computer account's current KVNO via an LDAP lookup + * @param ads An initialized ADS_STRUCT + * @param machine_name the NetBIOS name of the computer, which is used to identify the computer account. + * @return the kvno for the computer account, or -1 in case of a failure. + **/ + +uint32_t ads_get_machine_kvno(ADS_STRUCT *ads, const char *machine_name) +{ + char *computer_account = NULL; + uint32_t kvno = -1; + + if (asprintf(&computer_account, "%s$", machine_name) < 0) { + return kvno; + } + + kvno = ads_get_kvno(ads, computer_account); + free(computer_account); + + return kvno; +} + +/** + * This clears out all registered spn's for a given hostname + * @param ads An initialized ADS_STRUCT + * @param machine_name the NetBIOS name of the computer. + * @return 0 upon success, non-zero otherwise. + **/ + +ADS_STATUS ads_clear_service_principal_names(ADS_STRUCT *ads, const char *machine_name) +{ + TALLOC_CTX *ctx; + LDAPMessage *res = NULL; + ADS_MODLIST mods; + const char *servicePrincipalName[1] = {NULL}; + ADS_STATUS ret; + char *dn_string = NULL; + + ret = ads_find_machine_acct(ads, &res, machine_name); + if (!ADS_ERR_OK(ret)) { + DEBUG(5,("ads_clear_service_principal_names: WARNING: Host Account for %s not found... skipping operation.\n", machine_name)); + DEBUG(5,("ads_clear_service_principal_names: WARNING: Service Principals for %s have NOT been cleared.\n", machine_name)); + ads_msgfree(ads, res); + return ret; + } + + DEBUG(5,("ads_clear_service_principal_names: Host account for %s found\n", machine_name)); + ctx = talloc_init("ads_clear_service_principal_names"); + if (!ctx) { + ads_msgfree(ads, res); + return ADS_ERROR(LDAP_NO_MEMORY); + } + + if (!(mods = ads_init_mods(ctx))) { + talloc_destroy(ctx); + ads_msgfree(ads, res); + return ADS_ERROR(LDAP_NO_MEMORY); + } + ret = ads_mod_strlist(ctx, &mods, "servicePrincipalName", servicePrincipalName); + if (!ADS_ERR_OK(ret)) { + DEBUG(1,("ads_clear_service_principal_names: Error creating strlist.\n")); + ads_msgfree(ads, res); + talloc_destroy(ctx); + return ret; + } + dn_string = ads_get_dn(ads, talloc_tos(), res); + if (!dn_string) { + talloc_destroy(ctx); + ads_msgfree(ads, res); + return ADS_ERROR(LDAP_NO_MEMORY); + } + ret = ads_gen_mod(ads, dn_string, mods); + TALLOC_FREE(dn_string); + if (!ADS_ERR_OK(ret)) { + DEBUG(1,("ads_clear_service_principal_names: Error: Updating Service Principals for machine %s in LDAP\n", + machine_name)); + ads_msgfree(ads, res); + talloc_destroy(ctx); + return ret; + } + + ads_msgfree(ads, res); + talloc_destroy(ctx); + return ret; +} + +/** + * @brief Search for an element in a string array. + * + * @param[in] el_array The string array to search. + * + * @param[in] num_el The number of elements in the string array. + * + * @param[in] el The string to search. + * + * @return True if found, false if not. + */ +bool ads_element_in_array(const char **el_array, size_t num_el, const char *el) +{ + size_t i; + + if (el_array == NULL || num_el == 0 || el == NULL) { + return false; + } + + for (i = 0; i < num_el && el_array[i] != NULL; i++) { + int cmp; + + cmp = strcasecmp_m(el_array[i], el); + if (cmp == 0) { + return true; + } + } + + return false; +} + +/** + * @brief This gets the service principal names of an existing computer account. + * + * @param[in] mem_ctx The memory context to use to allocate the spn array. + * + * @param[in] ads The ADS context to use. + * + * @param[in] machine_name The NetBIOS name of the computer, which is used to + * identify the computer account. + * + * @param[in] spn_array A pointer to store the array for SPNs. + * + * @param[in] num_spns The number of principals stored in the array. + * + * @return 0 on success, or a ADS error if a failure occurred. + */ +ADS_STATUS ads_get_service_principal_names(TALLOC_CTX *mem_ctx, + ADS_STRUCT *ads, + const char *machine_name, + char ***spn_array, + size_t *num_spns) +{ + ADS_STATUS status; + LDAPMessage *res = NULL; + int count; + + status = ads_find_machine_acct(ads, + &res, + machine_name); + if (!ADS_ERR_OK(status)) { + DEBUG(1,("Host Account for %s not found... skipping operation.\n", + machine_name)); + return status; + } + + count = ads_count_replies(ads, res); + if (count != 1) { + status = ADS_ERROR(LDAP_NO_SUCH_OBJECT); + goto done; + } + + *spn_array = ads_pull_strings(ads, + mem_ctx, + res, + "servicePrincipalName", + num_spns); + if (*spn_array == NULL) { + DEBUG(1, ("Host account for %s does not have service principal " + "names.\n", + machine_name)); + status = ADS_ERROR(LDAP_NO_SUCH_OBJECT); + goto done; + } + +done: + ads_msgfree(ads, res); + + return status; +} + +/** + * This adds a service principal name to an existing computer account + * (found by hostname) in AD. + * @param ads An initialized ADS_STRUCT + * @param machine_name the NetBIOS name of the computer, which is used to identify the computer account. + * @param spns An array or strings for the service principals to add, + * i.e. 'cifs/machine_name', 'http/machine.full.domain.com' etc. + * @return 0 upon success, or non-zero if a failure occurs + **/ + +ADS_STATUS ads_add_service_principal_names(ADS_STRUCT *ads, + const char *machine_name, + const char **spns) +{ + ADS_STATUS ret; + TALLOC_CTX *ctx; + LDAPMessage *res = NULL; + ADS_MODLIST mods; + char *dn_string = NULL; + const char **servicePrincipalName = spns; + + ret = ads_find_machine_acct(ads, &res, machine_name); + if (!ADS_ERR_OK(ret)) { + DEBUG(1,("ads_add_service_principal_name: WARNING: Host Account for %s not found... skipping operation.\n", + machine_name)); + DEBUG(1,("ads_add_service_principal_name: WARNING: Service Principals have NOT been added.\n")); + ads_msgfree(ads, res); + return ret; + } + + DEBUG(1,("ads_add_service_principal_name: Host account for %s found\n", machine_name)); + if (!(ctx = talloc_init("ads_add_service_principal_name"))) { + ads_msgfree(ads, res); + return ADS_ERROR(LDAP_NO_MEMORY); + } + + DEBUG(5,("ads_add_service_principal_name: INFO: " + "Adding %s to host %s\n", + spns[0] ? "N/A" : spns[0], machine_name)); + + + DEBUG(5,("ads_add_service_principal_name: INFO: " + "Adding %s to host %s\n", + spns[1] ? "N/A" : spns[1], machine_name)); + + if ( (mods = ads_init_mods(ctx)) == NULL ) { + ret = ADS_ERROR(LDAP_NO_MEMORY); + goto out; + } + + ret = ads_add_strlist(ctx, + &mods, + "servicePrincipalName", + servicePrincipalName); + if (!ADS_ERR_OK(ret)) { + DEBUG(1,("ads_add_service_principal_name: Error: Updating Service Principals in LDAP\n")); + goto out; + } + + if ( (dn_string = ads_get_dn(ads, ctx, res)) == NULL ) { + ret = ADS_ERROR(LDAP_NO_MEMORY); + goto out; + } + + ret = ads_gen_mod(ads, dn_string, mods); + if (!ADS_ERR_OK(ret)) { + DEBUG(1,("ads_add_service_principal_name: Error: Updating Service Principals in LDAP\n")); + goto out; + } + + out: + TALLOC_FREE( ctx ); + ads_msgfree(ads, res); + return ret; +} + +static uint32_t ads_get_acct_ctrl(ADS_STRUCT *ads, + LDAPMessage *msg) +{ + uint32_t acct_ctrl = 0; + bool ok; + + ok = ads_pull_uint32(ads, msg, "userAccountControl", &acct_ctrl); + if (!ok) { + return 0; + } + + return acct_ctrl; +} + +static ADS_STATUS ads_change_machine_acct(ADS_STRUCT *ads, + LDAPMessage *msg, + const struct berval *machine_pw_val) +{ + ADS_MODLIST mods; + ADS_STATUS ret; + TALLOC_CTX *frame = talloc_stackframe(); + uint32_t acct_control; + char *control_str = NULL; + const char *attrs[] = { + "objectSid", + NULL + }; + LDAPMessage *res = NULL; + char *dn = NULL; + + dn = ads_get_dn(ads, frame, msg); + if (dn == NULL) { + ret = ADS_ERROR(LDAP_NO_MEMORY); + goto done; + } + + acct_control = ads_get_acct_ctrl(ads, msg); + if (acct_control == 0) { + ret = ADS_ERROR(LDAP_NO_RESULTS_RETURNED); + goto done; + } + + /* + * Changing the password, disables the account. So we need to change the + * userAccountControl flags to enable it again. + */ + mods = ads_init_mods(frame); + if (mods == NULL) { + ret = ADS_ERROR_LDAP(LDAP_NO_MEMORY); + goto done; + } + + ads_mod_ber(frame, &mods, "unicodePwd", machine_pw_val); + + ret = ads_gen_mod(ads, dn, mods); + if (!ADS_ERR_OK(ret)) { + goto done; + } + TALLOC_FREE(mods); + + /* + * To activate the account, we need to disable and enable it. + */ + acct_control |= UF_ACCOUNTDISABLE; + + control_str = talloc_asprintf(frame, "%u", acct_control); + if (control_str == NULL) { + ret = ADS_ERROR(LDAP_NO_MEMORY); + goto done; + } + + mods = ads_init_mods(frame); + if (mods == NULL) { + ret = ADS_ERROR_LDAP(LDAP_NO_MEMORY); + goto done; + } + + ads_mod_str(frame, &mods, "userAccountControl", control_str); + + ret = ads_gen_mod(ads, dn, mods); + if (!ADS_ERR_OK(ret)) { + goto done; + } + TALLOC_FREE(mods); + TALLOC_FREE(control_str); + + /* + * Enable the account again. + */ + acct_control &= ~UF_ACCOUNTDISABLE; + + control_str = talloc_asprintf(frame, "%u", acct_control); + if (control_str == NULL) { + ret = ADS_ERROR(LDAP_NO_MEMORY); + goto done; + } + + mods = ads_init_mods(frame); + if (mods == NULL) { + ret = ADS_ERROR_LDAP(LDAP_NO_MEMORY); + goto done; + } + + ads_mod_str(frame, &mods, "userAccountControl", control_str); + + ret = ads_gen_mod(ads, dn, mods); + if (!ADS_ERR_OK(ret)) { + goto done; + } + TALLOC_FREE(mods); + TALLOC_FREE(control_str); + + ret = ads_search_dn(ads, &res, dn, attrs); + ads_msgfree(ads, res); + +done: + talloc_free(frame); + + return ret; +} + +/** + * adds a machine account to the ADS server + * @param ads An initialized ADS_STRUCT + * @param machine_name - the NetBIOS machine name of this account. + * @param account_type A number indicating the type of account to create + * @param org_unit The LDAP path in which to place this account + * @return 0 upon success, or non-zero otherwise +**/ + +ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, + const char *machine_name, + const char *machine_password, + const char *org_unit, + uint32_t etype_list, + const char *dns_domain_name) +{ + ADS_STATUS ret; + char *samAccountName = NULL; + char *controlstr = NULL; + TALLOC_CTX *ctx = NULL; + ADS_MODLIST mods; + char *machine_escaped = NULL; + char *dns_hostname = NULL; + char *new_dn = NULL; + char *utf8_pw = NULL; + size_t utf8_pw_len = 0; + char *utf16_pw = NULL; + size_t utf16_pw_len = 0; + struct berval machine_pw_val; + bool ok; + const char **spn_array = NULL; + size_t num_spns = 0; + const char *spn_prefix[] = { + "HOST", + "RestrictedKrbHost", + }; + size_t i; + LDAPMessage *res = NULL; + uint32_t acct_control = UF_WORKSTATION_TRUST_ACCOUNT; + + ctx = talloc_init("ads_add_machine_acct"); + if (ctx == NULL) { + return ADS_ERROR(LDAP_NO_MEMORY); + } + + machine_escaped = escape_rdn_val_string_alloc(machine_name); + if (machine_escaped == NULL) { + ret = ADS_ERROR(LDAP_NO_MEMORY); + goto done; + } + + utf8_pw = talloc_asprintf(ctx, "\"%s\"", machine_password); + if (utf8_pw == NULL) { + ret = ADS_ERROR(LDAP_NO_MEMORY); + goto done; + } + utf8_pw_len = strlen(utf8_pw); + + ok = convert_string_talloc(ctx, + CH_UTF8, CH_UTF16MUNGED, + utf8_pw, utf8_pw_len, + (void *)&utf16_pw, &utf16_pw_len); + if (!ok) { + ret = ADS_ERROR(LDAP_NO_MEMORY); + goto done; + } + + machine_pw_val = (struct berval) { + .bv_val = utf16_pw, + .bv_len = utf16_pw_len, + }; + + /* Check if the machine account already exists. */ + ret = ads_find_machine_acct(ads, &res, machine_escaped); + if (ADS_ERR_OK(ret)) { + /* Change the machine account password */ + ret = ads_change_machine_acct(ads, res, &machine_pw_val); + ads_msgfree(ads, res); + + goto done; + } + ads_msgfree(ads, res); + + new_dn = talloc_asprintf(ctx, "cn=%s,%s", machine_escaped, org_unit); + if (new_dn == NULL) { + ret = ADS_ERROR(LDAP_NO_MEMORY); + goto done; + } + + /* Create machine account */ + + samAccountName = talloc_asprintf(ctx, "%s$", machine_name); + if (samAccountName == NULL) { + ret = ADS_ERROR(LDAP_NO_MEMORY); + goto done; + } + + dns_hostname = talloc_asprintf(ctx, + "%s.%s", + machine_name, + dns_domain_name); + if (dns_hostname == NULL) { + ret = ADS_ERROR(LDAP_NO_MEMORY); + goto done; + } + + /* Add dns_hostname SPNs */ + for (i = 0; i < ARRAY_SIZE(spn_prefix); i++) { + char *spn = talloc_asprintf(ctx, + "%s/%s", + spn_prefix[i], + dns_hostname); + if (spn == NULL) { + ret = ADS_ERROR(LDAP_NO_MEMORY); + goto done; + } + + ok = add_string_to_array(ctx, + spn, + &spn_array, + &num_spns); + if (!ok) { + ret = ADS_ERROR(LDAP_NO_MEMORY); + goto done; + } + } + + /* Add machine_name SPNs */ + for (i = 0; i < ARRAY_SIZE(spn_prefix); i++) { + char *spn = talloc_asprintf(ctx, + "%s/%s", + spn_prefix[i], + machine_name); + if (spn == NULL) { + ret = ADS_ERROR(LDAP_NO_MEMORY); + goto done; + } + + ok = add_string_to_array(ctx, + spn, + &spn_array, + &num_spns); + if (!ok) { + ret = ADS_ERROR(LDAP_NO_MEMORY); + goto done; + } + } + + /* Make sure to NULL terminate the array */ + spn_array = talloc_realloc(ctx, spn_array, const char *, num_spns + 1); + if (spn_array == NULL) { + ret = ADS_ERROR(LDAP_NO_MEMORY); + goto done; + } + spn_array[num_spns] = NULL; + + controlstr = talloc_asprintf(ctx, "%u", acct_control); + if (controlstr == NULL) { + ret = ADS_ERROR(LDAP_NO_MEMORY); + goto done; + } + + mods = ads_init_mods(ctx); + if (mods == NULL) { + ret = ADS_ERROR(LDAP_NO_MEMORY); + goto done; + } + + ads_mod_str(ctx, &mods, "objectClass", "Computer"); + ads_mod_str(ctx, &mods, "SamAccountName", samAccountName); + ads_mod_str(ctx, &mods, "userAccountControl", controlstr); + ads_mod_str(ctx, &mods, "DnsHostName", dns_hostname); + ads_mod_strlist(ctx, &mods, "ServicePrincipalName", spn_array); + ads_mod_ber(ctx, &mods, "unicodePwd", &machine_pw_val); + + ret = ads_gen_add(ads, new_dn, mods); + +done: + SAFE_FREE(machine_escaped); + talloc_destroy(ctx); + + return ret; +} + +/** + * move a machine account to another OU on the ADS server + * @param ads - An initialized ADS_STRUCT + * @param machine_name - the NetBIOS machine name of this account. + * @param org_unit - The LDAP path in which to place this account + * @param moved - whether we moved the machine account (optional) + * @return 0 upon success, or non-zero otherwise +**/ + +ADS_STATUS ads_move_machine_acct(ADS_STRUCT *ads, const char *machine_name, + const char *org_unit, bool *moved) +{ + ADS_STATUS rc; + int ldap_status; + LDAPMessage *res = NULL; + char *filter = NULL; + char *computer_dn = NULL; + char *parent_dn; + char *computer_rdn = NULL; + bool need_move = False; + + if (asprintf(&filter, "(samAccountName=%s$)", machine_name) == -1) { + rc = ADS_ERROR(LDAP_NO_MEMORY); + goto done; + } + + /* Find pre-existing machine */ + rc = ads_search(ads, &res, filter, NULL); + if (!ADS_ERR_OK(rc)) { + goto done; + } + + computer_dn = ads_get_dn(ads, talloc_tos(), res); + if (!computer_dn) { + rc = ADS_ERROR(LDAP_NO_MEMORY); + goto done; + } + + parent_dn = ads_parent_dn(computer_dn); + if (strequal(parent_dn, org_unit)) { + goto done; + } + + need_move = True; + + if (asprintf(&computer_rdn, "CN=%s", machine_name) == -1) { + rc = ADS_ERROR(LDAP_NO_MEMORY); + goto done; + } + + ldap_status = ldap_rename_s(ads->ldap.ld, computer_dn, computer_rdn, + org_unit, 1, NULL, NULL); + rc = ADS_ERROR(ldap_status); + +done: + ads_msgfree(ads, res); + SAFE_FREE(filter); + TALLOC_FREE(computer_dn); + SAFE_FREE(computer_rdn); + + if (!ADS_ERR_OK(rc)) { + need_move = False; + } + + if (moved) { + *moved = need_move; + } + + return rc; +} + +/* + dump a binary result from ldap +*/ +static void dump_binary(ADS_STRUCT *ads, const char *field, struct berval **values) +{ + size_t i; + for (i=0; values[i]; i++) { + ber_len_t j; + printf("%s: ", field); + for (j=0; j<values[i]->bv_len; j++) { + printf("%02X", (unsigned char)values[i]->bv_val[j]); + } + printf("\n"); + } +} + +static void dump_guid(ADS_STRUCT *ads, const char *field, struct berval **values) +{ + int i; + for (i=0; values[i]; i++) { + NTSTATUS status; + DATA_BLOB in = data_blob_const(values[i]->bv_val, values[i]->bv_len); + struct GUID guid; + + status = GUID_from_ndr_blob(&in, &guid); + if (NT_STATUS_IS_OK(status)) { + printf("%s: %s\n", field, GUID_string(talloc_tos(), &guid)); + } else { + printf("%s: INVALID GUID\n", field); + } + } +} + +/* + dump a sid result from ldap +*/ +static void dump_sid(ADS_STRUCT *ads, const char *field, struct berval **values) +{ + int i; + for (i=0; values[i]; i++) { + ssize_t ret; + struct dom_sid sid; + struct dom_sid_buf tmp; + ret = sid_parse((const uint8_t *)values[i]->bv_val, + values[i]->bv_len, &sid); + if (ret == -1) { + return; + } + printf("%s: %s\n", field, dom_sid_str_buf(&sid, &tmp)); + } +} + +/* + dump ntSecurityDescriptor +*/ +static void dump_sd(ADS_STRUCT *ads, const char *filed, struct berval **values) +{ + TALLOC_CTX *frame = talloc_stackframe(); + struct security_descriptor *psd; + NTSTATUS status; + + status = unmarshall_sec_desc(talloc_tos(), (uint8_t *)values[0]->bv_val, + values[0]->bv_len, &psd); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("unmarshall_sec_desc failed: %s\n", + nt_errstr(status))); + TALLOC_FREE(frame); + return; + } + + if (psd) { + ads_disp_sd(ads, talloc_tos(), psd); + } + + TALLOC_FREE(frame); +} + +/* + dump a string result from ldap +*/ +static void dump_string(const char *field, char **values) +{ + int i; + for (i=0; values[i]; i++) { + printf("%s: %s\n", field, values[i]); + } +} + +/* + dump a field from LDAP on stdout + used for debugging +*/ + +static bool ads_dump_field(ADS_STRUCT *ads, char *field, void **values, void *data_area) +{ + const struct { + const char *name; + bool string; + void (*handler)(ADS_STRUCT *, const char *, struct berval **); + } handlers[] = { + {"objectGUID", False, dump_guid}, + {"netbootGUID", False, dump_guid}, + {"nTSecurityDescriptor", False, dump_sd}, + {"dnsRecord", False, dump_binary}, + {"objectSid", False, dump_sid}, + {"tokenGroups", False, dump_sid}, + {"tokenGroupsNoGCAcceptable", False, dump_sid}, + {"tokengroupsGlobalandUniversal", False, dump_sid}, + {"mS-DS-CreatorSID", False, dump_sid}, + {"msExchMailboxGuid", False, dump_guid}, + {NULL, True, NULL} + }; + int i; + + if (!field) { /* must be end of an entry */ + printf("\n"); + return False; + } + + for (i=0; handlers[i].name; i++) { + if (strcasecmp_m(handlers[i].name, field) == 0) { + if (!values) /* first time, indicate string or not */ + return handlers[i].string; + handlers[i].handler(ads, field, (struct berval **) values); + break; + } + } + if (!handlers[i].name) { + if (!values) /* first time, indicate string conversion */ + return True; + dump_string(field, (char **)values); + } + return False; +} + +/** + * Dump a result from LDAP on stdout + * used for debugging + * @param ads connection to ads server + * @param res Results to dump + **/ + + void ads_dump(ADS_STRUCT *ads, LDAPMessage *res) +{ + ads_process_results(ads, res, ads_dump_field, NULL); +} + +/** + * Walk through results, calling a function for each entry found. + * The function receives a field name, a berval * array of values, + * and a data area passed through from the start. The function is + * called once with null for field and values at the end of each + * entry. + * @param ads connection to ads server + * @param res Results to process + * @param fn Function for processing each result + * @param data_area user-defined area to pass to function + **/ + void ads_process_results(ADS_STRUCT *ads, LDAPMessage *res, + bool (*fn)(ADS_STRUCT *, char *, void **, void *), + void *data_area) +{ + LDAPMessage *msg; + TALLOC_CTX *ctx; + size_t converted_size; + + if (!(ctx = talloc_init("ads_process_results"))) + return; + + for (msg = ads_first_entry(ads, res); msg; + msg = ads_next_entry(ads, msg)) { + char *utf8_field; + BerElement *b; + + for (utf8_field=ldap_first_attribute(ads->ldap.ld, + (LDAPMessage *)msg,&b); + utf8_field; + utf8_field=ldap_next_attribute(ads->ldap.ld, + (LDAPMessage *)msg,b)) { + struct berval **ber_vals; + char **str_vals; + char **utf8_vals; + char *field; + bool string; + + if (!pull_utf8_talloc(ctx, &field, utf8_field, + &converted_size)) + { + DEBUG(0,("ads_process_results: " + "pull_utf8_talloc failed: %s\n", + strerror(errno))); + } + + string = fn(ads, field, NULL, data_area); + + if (string) { + const char **p; + + utf8_vals = ldap_get_values(ads->ldap.ld, + (LDAPMessage *)msg, field); + p = discard_const_p(const char *, utf8_vals); + str_vals = ads_pull_strvals(ctx, p); + fn(ads, field, (void **) str_vals, data_area); + ldap_value_free(utf8_vals); + } else { + ber_vals = ldap_get_values_len(ads->ldap.ld, + (LDAPMessage *)msg, field); + fn(ads, field, (void **) ber_vals, data_area); + + ldap_value_free_len(ber_vals); + } + ldap_memfree(utf8_field); + } + ber_free(b, 0); + talloc_free_children(ctx); + fn(ads, NULL, NULL, data_area); /* completed an entry */ + + } + talloc_destroy(ctx); +} + +/** + * count how many replies are in a LDAPMessage + * @param ads connection to ads server + * @param res Results to count + * @return number of replies + **/ +int ads_count_replies(ADS_STRUCT *ads, void *res) +{ + return ldap_count_entries(ads->ldap.ld, (LDAPMessage *)res); +} + +/** + * pull the first entry from a ADS result + * @param ads connection to ads server + * @param res Results of search + * @return first entry from result + **/ + LDAPMessage *ads_first_entry(ADS_STRUCT *ads, LDAPMessage *res) +{ + return ldap_first_entry(ads->ldap.ld, res); +} + +/** + * pull the next entry from a ADS result + * @param ads connection to ads server + * @param res Results of search + * @return next entry from result + **/ + LDAPMessage *ads_next_entry(ADS_STRUCT *ads, LDAPMessage *res) +{ + return ldap_next_entry(ads->ldap.ld, res); +} + +/** + * pull the first message from a ADS result + * @param ads connection to ads server + * @param res Results of search + * @return first message from result + **/ + LDAPMessage *ads_first_message(ADS_STRUCT *ads, LDAPMessage *res) +{ + return ldap_first_message(ads->ldap.ld, res); +} + +/** + * pull the next message from a ADS result + * @param ads connection to ads server + * @param res Results of search + * @return next message from result + **/ + LDAPMessage *ads_next_message(ADS_STRUCT *ads, LDAPMessage *res) +{ + return ldap_next_message(ads->ldap.ld, res); +} + +/** + * pull a single string from a ADS result + * @param ads connection to ads server + * @param mem_ctx TALLOC_CTX to use for allocating result string + * @param msg Results of search + * @param field Attribute to retrieve + * @return Result string in talloc context + **/ + char *ads_pull_string(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, LDAPMessage *msg, + const char *field) +{ + char **values; + char *ret = NULL; + char *ux_string; + size_t converted_size; + + values = ldap_get_values(ads->ldap.ld, msg, field); + if (!values) + return NULL; + + if (values[0] && pull_utf8_talloc(mem_ctx, &ux_string, values[0], + &converted_size)) + { + ret = ux_string; + } + ldap_value_free(values); + return ret; +} + +/** + * pull an array of strings from a ADS result + * @param ads connection to ads server + * @param mem_ctx TALLOC_CTX to use for allocating result string + * @param msg Results of search + * @param field Attribute to retrieve + * @return Result strings in talloc context + **/ + char **ads_pull_strings(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, + LDAPMessage *msg, const char *field, + size_t *num_values) +{ + char **values; + char **ret = NULL; + size_t i, converted_size; + + values = ldap_get_values(ads->ldap.ld, msg, field); + if (!values) + return NULL; + + *num_values = ldap_count_values(values); + + ret = talloc_array(mem_ctx, char *, *num_values + 1); + if (!ret) { + ldap_value_free(values); + return NULL; + } + + for (i=0;i<*num_values;i++) { + if (!pull_utf8_talloc(mem_ctx, &ret[i], values[i], + &converted_size)) + { + ldap_value_free(values); + return NULL; + } + } + ret[i] = NULL; + + ldap_value_free(values); + return ret; +} + +/** + * pull an array of strings from a ADS result + * (handle large multivalue attributes with range retrieval) + * @param ads connection to ads server + * @param mem_ctx TALLOC_CTX to use for allocating result string + * @param msg Results of search + * @param field Attribute to retrieve + * @param current_strings strings returned by a previous call to this function + * @param next_attribute The next query should ask for this attribute + * @param num_values How many values did we get this time? + * @param more_values Are there more values to get? + * @return Result strings in talloc context + **/ + char **ads_pull_strings_range(ADS_STRUCT *ads, + TALLOC_CTX *mem_ctx, + LDAPMessage *msg, const char *field, + char **current_strings, + const char **next_attribute, + size_t *num_strings, + bool *more_strings) +{ + char *attr; + char *expected_range_attrib, *range_attr = NULL; + BerElement *ptr = NULL; + char **strings; + char **new_strings; + size_t num_new_strings; + unsigned long int range_start; + unsigned long int range_end; + + /* we might have been given the whole lot anyway */ + if ((strings = ads_pull_strings(ads, mem_ctx, msg, field, num_strings))) { + *more_strings = False; + return strings; + } + + expected_range_attrib = talloc_asprintf(mem_ctx, "%s;Range=", field); + + /* look for Range result */ + for (attr = ldap_first_attribute(ads->ldap.ld, (LDAPMessage *)msg, &ptr); + attr; + attr = ldap_next_attribute(ads->ldap.ld, (LDAPMessage *)msg, ptr)) { + /* we ignore the fact that this is utf8, as all attributes are ascii... */ + if (strnequal(attr, expected_range_attrib, strlen(expected_range_attrib))) { + range_attr = attr; + break; + } + ldap_memfree(attr); + } + if (!range_attr) { + ber_free(ptr, 0); + /* nothing here - this field is just empty */ + *more_strings = False; + return NULL; + } + + if (sscanf(&range_attr[strlen(expected_range_attrib)], "%lu-%lu", + &range_start, &range_end) == 2) { + *more_strings = True; + } else { + if (sscanf(&range_attr[strlen(expected_range_attrib)], "%lu-*", + &range_start) == 1) { + *more_strings = False; + } else { + DEBUG(1, ("ads_pull_strings_range: Cannot parse Range attribute (%s)\n", + range_attr)); + ldap_memfree(range_attr); + *more_strings = False; + return NULL; + } + } + + if ((*num_strings) != range_start) { + DEBUG(1, ("ads_pull_strings_range: Range attribute (%s) doesn't start at %u, but at %lu" + " - aborting range retrieval\n", + range_attr, (unsigned int)(*num_strings) + 1, range_start)); + ldap_memfree(range_attr); + *more_strings = False; + return NULL; + } + + new_strings = ads_pull_strings(ads, mem_ctx, msg, range_attr, &num_new_strings); + + if (*more_strings && ((*num_strings + num_new_strings) != (range_end + 1))) { + DEBUG(1, ("ads_pull_strings_range: Range attribute (%s) tells us we have %lu " + "strings in this bunch, but we only got %lu - aborting range retrieval\n", + range_attr, (unsigned long int)range_end - range_start + 1, + (unsigned long int)num_new_strings)); + ldap_memfree(range_attr); + *more_strings = False; + return NULL; + } + + strings = talloc_realloc(mem_ctx, current_strings, char *, + *num_strings + num_new_strings); + + if (strings == NULL) { + ldap_memfree(range_attr); + *more_strings = False; + return NULL; + } + + if (new_strings && num_new_strings) { + memcpy(&strings[*num_strings], new_strings, + sizeof(*new_strings) * num_new_strings); + } + + (*num_strings) += num_new_strings; + + if (*more_strings) { + *next_attribute = talloc_asprintf(mem_ctx, + "%s;range=%d-*", + field, + (int)*num_strings); + + if (!*next_attribute) { + DEBUG(1, ("talloc_asprintf for next attribute failed!\n")); + ldap_memfree(range_attr); + *more_strings = False; + return NULL; + } + } + + ldap_memfree(range_attr); + + return strings; +} + +/** + * pull a single uint32_t from a ADS result + * @param ads connection to ads server + * @param msg Results of search + * @param field Attribute to retrieve + * @param v Pointer to int to store result + * @return boolean indicating success +*/ + bool ads_pull_uint32(ADS_STRUCT *ads, LDAPMessage *msg, const char *field, + uint32_t *v) +{ + char **values; + + values = ldap_get_values(ads->ldap.ld, msg, field); + if (!values) + return False; + if (!values[0]) { + ldap_value_free(values); + return False; + } + + *v = atoi(values[0]); + ldap_value_free(values); + return True; +} + +/** + * pull a single objectGUID from an ADS result + * @param ads connection to ADS server + * @param msg results of search + * @param guid 37-byte area to receive text guid + * @return boolean indicating success + **/ + bool ads_pull_guid(ADS_STRUCT *ads, LDAPMessage *msg, struct GUID *guid) +{ + DATA_BLOB blob; + NTSTATUS status; + + if (!smbldap_talloc_single_blob(talloc_tos(), ads->ldap.ld, msg, "objectGUID", + &blob)) { + return false; + } + + status = GUID_from_ndr_blob(&blob, guid); + talloc_free(blob.data); + return NT_STATUS_IS_OK(status); +} + + +/** + * pull a single struct dom_sid from a ADS result + * @param ads connection to ads server + * @param msg Results of search + * @param field Attribute to retrieve + * @param sid Pointer to sid to store result + * @return boolean indicating success +*/ + bool ads_pull_sid(ADS_STRUCT *ads, LDAPMessage *msg, const char *field, + struct dom_sid *sid) +{ + return smbldap_pull_sid(ads->ldap.ld, msg, field, sid); +} + +/** + * pull an array of struct dom_sids from a ADS result + * @param ads connection to ads server + * @param mem_ctx TALLOC_CTX for allocating sid array + * @param msg Results of search + * @param field Attribute to retrieve + * @param sids pointer to sid array to allocate + * @return the count of SIDs pulled + **/ + int ads_pull_sids(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, + LDAPMessage *msg, const char *field, struct dom_sid **sids) +{ + struct berval **values; + int count, i; + + values = ldap_get_values_len(ads->ldap.ld, msg, field); + + if (!values) + return 0; + + for (i=0; values[i]; i++) + /* nop */ ; + + if (i) { + (*sids) = talloc_array(mem_ctx, struct dom_sid, i); + if (!(*sids)) { + ldap_value_free_len(values); + return 0; + } + } else { + (*sids) = NULL; + } + + count = 0; + for (i=0; values[i]; i++) { + ssize_t ret; + ret = sid_parse((const uint8_t *)values[i]->bv_val, + values[i]->bv_len, &(*sids)[count]); + if (ret != -1) { + struct dom_sid_buf buf; + DBG_DEBUG("pulling SID: %s\n", + dom_sid_str_buf(&(*sids)[count], &buf)); + count++; + } + } + + ldap_value_free_len(values); + return count; +} + +/** + * pull a struct security_descriptor from a ADS result + * @param ads connection to ads server + * @param mem_ctx TALLOC_CTX for allocating sid array + * @param msg Results of search + * @param field Attribute to retrieve + * @param sd Pointer to *struct security_descriptor to store result (talloc()ed) + * @return boolean indicating success +*/ + bool ads_pull_sd(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, + LDAPMessage *msg, const char *field, + struct security_descriptor **sd) +{ + struct berval **values; + bool ret = true; + + values = ldap_get_values_len(ads->ldap.ld, msg, field); + + if (!values) return false; + + if (values[0]) { + NTSTATUS status; + status = unmarshall_sec_desc(mem_ctx, + (uint8_t *)values[0]->bv_val, + values[0]->bv_len, sd); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("unmarshall_sec_desc failed: %s\n", + nt_errstr(status))); + ret = false; + } + } + + ldap_value_free_len(values); + return ret; +} + +/* + * in order to support usernames longer than 21 characters we need to + * use both the sAMAccountName and the userPrincipalName attributes + * It seems that not all users have the userPrincipalName attribute set + * + * @param ads connection to ads server + * @param mem_ctx TALLOC_CTX for allocating sid array + * @param msg Results of search + * @return the username + */ + char *ads_pull_username(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, + LDAPMessage *msg) +{ +#if 0 /* JERRY */ + char *ret, *p; + + /* lookup_name() only works on the sAMAccountName to + returning the username portion of userPrincipalName + breaks winbindd_getpwnam() */ + + ret = ads_pull_string(ads, mem_ctx, msg, "userPrincipalName"); + if (ret && (p = strchr_m(ret, '@'))) { + *p = 0; + return ret; + } +#endif + return ads_pull_string(ads, mem_ctx, msg, "sAMAccountName"); +} + + +/** + * find the update serial number - this is the core of the ldap cache + * @param ads connection to ads server + * @param ads connection to ADS server + * @param usn Pointer to retrieved update serial number + * @return status of search + **/ +ADS_STATUS ads_USN(ADS_STRUCT *ads, uint32_t *usn) +{ + const char *attrs[] = {"highestCommittedUSN", NULL}; + ADS_STATUS status; + LDAPMessage *res; + + status = ads_do_search_retry(ads, "", LDAP_SCOPE_BASE, "(objectclass=*)", attrs, &res); + if (!ADS_ERR_OK(status)) + return status; + + if (ads_count_replies(ads, res) != 1) { + ads_msgfree(ads, res); + return ADS_ERROR(LDAP_NO_RESULTS_RETURNED); + } + + if (!ads_pull_uint32(ads, res, "highestCommittedUSN", usn)) { + ads_msgfree(ads, res); + return ADS_ERROR(LDAP_NO_SUCH_ATTRIBUTE); + } + + ads_msgfree(ads, res); + return ADS_SUCCESS; +} + +/* parse a ADS timestring - typical string is + '20020917091222.0Z0' which means 09:12.22 17th September + 2002, timezone 0 */ +static time_t ads_parse_time(const char *str) +{ + struct tm tm; + + ZERO_STRUCT(tm); + + if (sscanf(str, "%4d%2d%2d%2d%2d%2d", + &tm.tm_year, &tm.tm_mon, &tm.tm_mday, + &tm.tm_hour, &tm.tm_min, &tm.tm_sec) != 6) { + return 0; + } + tm.tm_year -= 1900; + tm.tm_mon -= 1; + + return timegm(&tm); +} + +/******************************************************************** +********************************************************************/ + +ADS_STATUS ads_current_time(ADS_STRUCT *ads) +{ + const char *attrs[] = {"currentTime", NULL}; + ADS_STATUS status; + LDAPMessage *res; + char *timestr; + TALLOC_CTX *tmp_ctx = talloc_stackframe(); + ADS_STRUCT *ads_s = ads; + + /* establish a new ldap tcp session if necessary */ + + if ( !ads->ldap.ld ) { + /* + * ADS_STRUCT may be being reused after a + * DC lookup, so ads->ldap.ss may already have a + * good address. If not, re-initialize the passed-in + * ADS_STRUCT with the given server.XXXX parameters. + * + * Note that this doesn't depend on + * ads->server.ldap_server != NULL, + * as the case where ads->server.ldap_server==NULL and + * ads->ldap.ss != zero_address is precisely the DC + * lookup case where ads->ldap.ss was found by going + * through ads_find_dc() again we want to avoid repeating. + */ + if (is_zero_addr(&ads->ldap.ss)) { + ads_s = ads_init(tmp_ctx, + ads->server.realm, + ads->server.workgroup, + ads->server.ldap_server, + ADS_SASL_PLAIN ); + if (ads_s == NULL) { + status = ADS_ERROR(LDAP_NO_MEMORY); + goto done; + } + } + + /* + * Reset ads->config.flags as it can contain the flags + * returned by the previous CLDAP ping when reusing the struct. + */ + ads_s->config.flags = 0; + + ads_s->auth.flags = ADS_AUTH_ANON_BIND; + status = ads_connect( ads_s ); + if ( !ADS_ERR_OK(status)) + goto done; + } + + status = ads_do_search(ads_s, "", LDAP_SCOPE_BASE, "(objectclass=*)", attrs, &res); + if (!ADS_ERR_OK(status)) { + goto done; + } + + timestr = ads_pull_string(ads_s, tmp_ctx, res, "currentTime"); + if (!timestr) { + ads_msgfree(ads_s, res); + status = ADS_ERROR(LDAP_NO_RESULTS_RETURNED); + goto done; + } + + /* but save the time and offset in the original ADS_STRUCT */ + + ads->config.current_time = ads_parse_time(timestr); + + if (ads->config.current_time != 0) { + ads->auth.time_offset = ads->config.current_time - time(NULL); + DEBUG(4,("KDC time offset is %d seconds\n", ads->auth.time_offset)); + } + + ads_msgfree(ads, res); + + status = ADS_SUCCESS; + +done: + TALLOC_FREE(tmp_ctx); + + return status; +} + +/******************************************************************** +********************************************************************/ + +ADS_STATUS ads_domain_func_level(ADS_STRUCT *ads, uint32_t *val) +{ + TALLOC_CTX *tmp_ctx = talloc_stackframe(); + const char *attrs[] = {"domainFunctionality", NULL}; + ADS_STATUS status; + LDAPMessage *res; + ADS_STRUCT *ads_s = ads; + + *val = DS_DOMAIN_FUNCTION_2000; + + /* establish a new ldap tcp session if necessary */ + + if ( !ads->ldap.ld ) { + /* + * ADS_STRUCT may be being reused after a + * DC lookup, so ads->ldap.ss may already have a + * good address. If not, re-initialize the passed-in + * ADS_STRUCT with the given server.XXXX parameters. + * + * Note that this doesn't depend on + * ads->server.ldap_server != NULL, + * as the case where ads->server.ldap_server==NULL and + * ads->ldap.ss != zero_address is precisely the DC + * lookup case where ads->ldap.ss was found by going + * through ads_find_dc() again we want to avoid repeating. + */ + if (is_zero_addr(&ads->ldap.ss)) { + ads_s = ads_init(tmp_ctx, + ads->server.realm, + ads->server.workgroup, + ads->server.ldap_server, + ADS_SASL_PLAIN ); + if (ads_s == NULL ) { + status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY); + goto done; + } + } + + /* + * Reset ads->config.flags as it can contain the flags + * returned by the previous CLDAP ping when reusing the struct. + */ + ads_s->config.flags = 0; + + ads_s->auth.flags = ADS_AUTH_ANON_BIND; + status = ads_connect( ads_s ); + if ( !ADS_ERR_OK(status)) + goto done; + } + + /* If the attribute does not exist assume it is a Windows 2000 + functional domain */ + + status = ads_do_search(ads_s, "", LDAP_SCOPE_BASE, "(objectclass=*)", attrs, &res); + if (!ADS_ERR_OK(status)) { + if ( status.err.rc == LDAP_NO_SUCH_ATTRIBUTE ) { + status = ADS_SUCCESS; + } + goto done; + } + + if ( !ads_pull_uint32(ads_s, res, "domainFunctionality", val) ) { + DEBUG(5,("ads_domain_func_level: Failed to pull the domainFunctionality attribute.\n")); + } + DEBUG(3,("ads_domain_func_level: %d\n", *val)); + + + ads_msgfree(ads_s, res); + +done: + TALLOC_FREE(tmp_ctx); + + return status; +} + +/** + * find the domain sid for our domain + * @param ads connection to ads server + * @param sid Pointer to domain sid + * @return status of search + **/ +ADS_STATUS ads_domain_sid(ADS_STRUCT *ads, struct dom_sid *sid) +{ + const char *attrs[] = {"objectSid", NULL}; + LDAPMessage *res; + ADS_STATUS rc; + + rc = ads_do_search_retry(ads, ads->config.bind_path, LDAP_SCOPE_BASE, "(objectclass=*)", + attrs, &res); + if (!ADS_ERR_OK(rc)) return rc; + if (!ads_pull_sid(ads, res, "objectSid", sid)) { + ads_msgfree(ads, res); + return ADS_ERROR_SYSTEM(ENOENT); + } + ads_msgfree(ads, res); + + return ADS_SUCCESS; +} + +/** + * find our site name + * @param ads connection to ads server + * @param mem_ctx Pointer to talloc context + * @param site_name Pointer to the sitename + * @return status of search + **/ +ADS_STATUS ads_site_dn(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, const char **site_name) +{ + ADS_STATUS status; + LDAPMessage *res; + const char *dn, *service_name; + const char *attrs[] = { "dsServiceName", NULL }; + + status = ads_do_search(ads, "", LDAP_SCOPE_BASE, "(objectclass=*)", attrs, &res); + if (!ADS_ERR_OK(status)) { + return status; + } + + service_name = ads_pull_string(ads, mem_ctx, res, "dsServiceName"); + if (service_name == NULL) { + ads_msgfree(ads, res); + return ADS_ERROR(LDAP_NO_RESULTS_RETURNED); + } + + ads_msgfree(ads, res); + + /* go up three levels */ + dn = ads_parent_dn(ads_parent_dn(ads_parent_dn(service_name))); + if (dn == NULL) { + return ADS_ERROR(LDAP_NO_MEMORY); + } + + *site_name = talloc_strdup(mem_ctx, dn); + if (*site_name == NULL) { + return ADS_ERROR(LDAP_NO_MEMORY); + } + + return status; + /* + dsServiceName: CN=NTDS Settings,CN=W2K3DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ber,DC=suse,DC=de + */ +} + +/** + * find the site dn where a machine resides + * @param ads connection to ads server + * @param mem_ctx Pointer to talloc context + * @param computer_name name of the machine + * @param site_name Pointer to the sitename + * @return status of search + **/ +ADS_STATUS ads_site_dn_for_machine(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, const char *computer_name, const char **site_dn) +{ + ADS_STATUS status; + LDAPMessage *res; + const char *parent, *filter; + char *config_context = NULL; + char *dn; + + /* shortcut a query */ + if (strequal(computer_name, ads->config.ldap_server_name)) { + return ads_site_dn(ads, mem_ctx, site_dn); + } + + status = ads_config_path(ads, mem_ctx, &config_context); + if (!ADS_ERR_OK(status)) { + return status; + } + + filter = talloc_asprintf(mem_ctx, "(cn=%s)", computer_name); + if (filter == NULL) { + return ADS_ERROR(LDAP_NO_MEMORY); + } + + status = ads_do_search(ads, config_context, LDAP_SCOPE_SUBTREE, + filter, NULL, &res); + if (!ADS_ERR_OK(status)) { + return status; + } + + if (ads_count_replies(ads, res) != 1) { + ads_msgfree(ads, res); + return ADS_ERROR(LDAP_NO_SUCH_OBJECT); + } + + dn = ads_get_dn(ads, mem_ctx, res); + if (dn == NULL) { + ads_msgfree(ads, res); + return ADS_ERROR(LDAP_NO_MEMORY); + } + + /* go up three levels */ + parent = ads_parent_dn(ads_parent_dn(ads_parent_dn(dn))); + if (parent == NULL) { + ads_msgfree(ads, res); + TALLOC_FREE(dn); + return ADS_ERROR(LDAP_NO_MEMORY); + } + + *site_dn = talloc_strdup(mem_ctx, parent); + if (*site_dn == NULL) { + ads_msgfree(ads, res); + TALLOC_FREE(dn); + return ADS_ERROR(LDAP_NO_MEMORY); + } + + TALLOC_FREE(dn); + ads_msgfree(ads, res); + + return status; +} + +/** + * get the upn suffixes for a domain + * @param ads connection to ads server + * @param mem_ctx Pointer to talloc context + * @param suffixes Pointer to an array of suffixes + * @param num_suffixes Pointer to the number of suffixes + * @return status of search + **/ +ADS_STATUS ads_upn_suffixes(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, char ***suffixes, size_t *num_suffixes) +{ + ADS_STATUS status; + LDAPMessage *res; + const char *base; + char *config_context = NULL; + const char *attrs[] = { "uPNSuffixes", NULL }; + + status = ads_config_path(ads, mem_ctx, &config_context); + if (!ADS_ERR_OK(status)) { + return status; + } + + base = talloc_asprintf(mem_ctx, "cn=Partitions,%s", config_context); + if (base == NULL) { + return ADS_ERROR(LDAP_NO_MEMORY); + } + + status = ads_search_dn(ads, &res, base, attrs); + if (!ADS_ERR_OK(status)) { + return status; + } + + if (ads_count_replies(ads, res) != 1) { + ads_msgfree(ads, res); + return ADS_ERROR(LDAP_NO_SUCH_OBJECT); + } + + (*suffixes) = ads_pull_strings(ads, mem_ctx, res, "uPNSuffixes", num_suffixes); + if ((*suffixes) == NULL) { + ads_msgfree(ads, res); + return ADS_ERROR(LDAP_NO_MEMORY); + } + + ads_msgfree(ads, res); + + return status; +} + +/** + * get the joinable ous for a domain + * @param ads connection to ads server + * @param mem_ctx Pointer to talloc context + * @param ous Pointer to an array of ous + * @param num_ous Pointer to the number of ous + * @return status of search + **/ +ADS_STATUS ads_get_joinable_ous(ADS_STRUCT *ads, + TALLOC_CTX *mem_ctx, + char ***ous, + size_t *num_ous) +{ + ADS_STATUS status; + LDAPMessage *res = NULL; + LDAPMessage *msg = NULL; + const char *attrs[] = { "dn", NULL }; + int count = 0; + + status = ads_search(ads, &res, + "(|(objectClass=domain)(objectclass=organizationalUnit))", + attrs); + if (!ADS_ERR_OK(status)) { + return status; + } + + count = ads_count_replies(ads, res); + if (count < 1) { + ads_msgfree(ads, res); + return ADS_ERROR(LDAP_NO_RESULTS_RETURNED); + } + + for (msg = ads_first_entry(ads, res); msg; + msg = ads_next_entry(ads, msg)) { + const char **p = discard_const_p(const char *, *ous); + char *dn = NULL; + + dn = ads_get_dn(ads, talloc_tos(), msg); + if (!dn) { + ads_msgfree(ads, res); + return ADS_ERROR(LDAP_NO_MEMORY); + } + + if (!add_string_to_array(mem_ctx, dn, &p, num_ous)) { + TALLOC_FREE(dn); + ads_msgfree(ads, res); + return ADS_ERROR(LDAP_NO_MEMORY); + } + + TALLOC_FREE(dn); + *ous = discard_const_p(char *, p); + } + + ads_msgfree(ads, res); + + return status; +} + + +/** + * pull a struct dom_sid from an extended dn string + * @param mem_ctx TALLOC_CTX + * @param extended_dn string + * @param flags string type of extended_dn + * @param sid pointer to a struct dom_sid + * @return NT_STATUS_OK on success, + * NT_INVALID_PARAMETER on error, + * NT_STATUS_NOT_FOUND if no SID present + **/ +ADS_STATUS ads_get_sid_from_extended_dn(TALLOC_CTX *mem_ctx, + const char *extended_dn, + enum ads_extended_dn_flags flags, + struct dom_sid *sid) +{ + char *p, *q, *dn; + + if (!extended_dn) { + return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER); + } + + /* otherwise extended_dn gets stripped off */ + if ((dn = talloc_strdup(mem_ctx, extended_dn)) == NULL) { + return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER); + } + /* + * ADS_EXTENDED_DN_HEX_STRING: + * <GUID=238e1963cb390f4bb032ba0105525a29>;<SID=010500000000000515000000bb68c8fd6b61b427572eb04556040000>;CN=gd,OU=berlin,OU=suse,DC=ber,DC=suse,DC=de + * + * ADS_EXTENDED_DN_STRING (only with w2k3): + * <GUID=63198e23-39cb-4b0f-b032-ba0105525a29>;<SID=S-1-5-21-4257769659-666132843-1169174103-1110>;CN=gd,OU=berlin,OU=suse,DC=ber,DC=suse,DC=de + * + * Object with no SID, such as an Exchange Public Folder + * <GUID=28907fb4bdf6854993e7f0a10b504e7c>;CN=public,CN=Microsoft Exchange System Objects,DC=sd2k3ms,DC=west,DC=isilon,DC=com + */ + + p = strchr(dn, ';'); + if (!p) { + return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER); + } + + if (strncmp(p, ";<SID=", strlen(";<SID=")) != 0) { + DEBUG(5,("No SID present in extended dn\n")); + return ADS_ERROR_NT(NT_STATUS_NOT_FOUND); + } + + p += strlen(";<SID="); + + q = strchr(p, '>'); + if (!q) { + return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER); + } + + *q = '\0'; + + DEBUG(100,("ads_get_sid_from_extended_dn: sid string is %s\n", p)); + + switch (flags) { + + case ADS_EXTENDED_DN_STRING: + if (!string_to_sid(sid, p)) { + return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER); + } + break; + case ADS_EXTENDED_DN_HEX_STRING: { + ssize_t ret; + fstring buf; + size_t buf_len; + + buf_len = strhex_to_str(buf, sizeof(buf), p, strlen(p)); + if (buf_len == 0) { + return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER); + } + + ret = sid_parse((const uint8_t *)buf, buf_len, sid); + if (ret == -1) { + DEBUG(10,("failed to parse sid\n")); + return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER); + } + break; + } + default: + DEBUG(10,("unknown extended dn format\n")); + return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER); + } + + return ADS_ERROR_NT(NT_STATUS_OK); +} + +/******************************************************************** +********************************************************************/ + +char* ads_get_dnshostname( ADS_STRUCT *ads, TALLOC_CTX *ctx, const char *machine_name ) +{ + LDAPMessage *res = NULL; + ADS_STATUS status; + int count = 0; + char *name = NULL; + + status = ads_find_machine_acct(ads, &res, machine_name); + if (!ADS_ERR_OK(status)) { + DEBUG(0,("ads_get_dnshostname: Failed to find account for %s\n", + lp_netbios_name())); + goto out; + } + + if ( (count = ads_count_replies(ads, res)) != 1 ) { + DEBUG(1,("ads_get_dnshostname: %d entries returned!\n", count)); + goto out; + } + + if ( (name = ads_pull_string(ads, ctx, res, "dNSHostName")) == NULL ) { + DEBUG(0,("ads_get_dnshostname: No dNSHostName attribute!\n")); + } + +out: + ads_msgfree(ads, res); + + return name; +} + +/******************************************************************** +********************************************************************/ + +static char **get_addl_hosts(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, + LDAPMessage *msg, size_t *num_values) +{ + const char *field = "msDS-AdditionalDnsHostName"; + struct berval **values = NULL; + char **ret = NULL; + size_t i, converted_size; + + /* + * Windows DC implicitly adds a short name for each FQDN added to + * msDS-AdditionalDnsHostName, but it comes with a strange binary + * suffix "\0$" which we should ignore (see bug #14406). + */ + + values = ldap_get_values_len(ads->ldap.ld, msg, field); + if (values == NULL) { + return NULL; + } + + *num_values = ldap_count_values_len(values); + + ret = talloc_array(mem_ctx, char *, *num_values + 1); + if (ret == NULL) { + ldap_value_free_len(values); + return NULL; + } + + for (i = 0; i < *num_values; i++) { + ret[i] = NULL; + if (!convert_string_talloc(mem_ctx, CH_UTF8, CH_UNIX, + values[i]->bv_val, + strnlen(values[i]->bv_val, + values[i]->bv_len), + &ret[i], &converted_size)) { + ldap_value_free_len(values); + return NULL; + } + } + ret[i] = NULL; + + ldap_value_free_len(values); + return ret; +} + +ADS_STATUS ads_get_additional_dns_hostnames(TALLOC_CTX *mem_ctx, + ADS_STRUCT *ads, + const char *machine_name, + char ***hostnames_array, + size_t *num_hostnames) +{ + ADS_STATUS status; + LDAPMessage *res = NULL; + int count; + + status = ads_find_machine_acct(ads, + &res, + machine_name); + if (!ADS_ERR_OK(status)) { + DEBUG(1,("Host Account for %s not found... skipping operation.\n", + machine_name)); + return status; + } + + count = ads_count_replies(ads, res); + if (count != 1) { + status = ADS_ERROR(LDAP_NO_SUCH_OBJECT); + goto done; + } + + *hostnames_array = get_addl_hosts(ads, mem_ctx, res, num_hostnames); + if (*hostnames_array == NULL) { + DEBUG(1, ("Host account for %s does not have msDS-AdditionalDnsHostName.\n", + machine_name)); + status = ADS_ERROR(LDAP_NO_SUCH_OBJECT); + goto done; + } + +done: + ads_msgfree(ads, res); + + return status; +} + +/******************************************************************** +********************************************************************/ + +char* ads_get_upn( ADS_STRUCT *ads, TALLOC_CTX *ctx, const char *machine_name ) +{ + LDAPMessage *res = NULL; + ADS_STATUS status; + int count = 0; + char *name = NULL; + + status = ads_find_machine_acct(ads, &res, machine_name); + if (!ADS_ERR_OK(status)) { + DEBUG(0,("ads_get_upn: Failed to find account for %s\n", + lp_netbios_name())); + goto out; + } + + if ( (count = ads_count_replies(ads, res)) != 1 ) { + DEBUG(1,("ads_get_upn: %d entries returned!\n", count)); + goto out; + } + + if ( (name = ads_pull_string(ads, ctx, res, "userPrincipalName")) == NULL ) { + DEBUG(2,("ads_get_upn: No userPrincipalName attribute!\n")); + } + +out: + ads_msgfree(ads, res); + + return name; +} + +/******************************************************************** +********************************************************************/ + +bool ads_has_samaccountname( ADS_STRUCT *ads, TALLOC_CTX *ctx, const char *machine_name ) +{ + LDAPMessage *res = NULL; + ADS_STATUS status; + int count = 0; + char *name = NULL; + bool ok = false; + + status = ads_find_machine_acct(ads, &res, machine_name); + if (!ADS_ERR_OK(status)) { + DEBUG(0,("ads_has_samaccountname: Failed to find account for %s\n", + lp_netbios_name())); + goto out; + } + + if ( (count = ads_count_replies(ads, res)) != 1 ) { + DEBUG(1,("ads_has_samaccountname: %d entries returned!\n", count)); + goto out; + } + + if ( (name = ads_pull_string(ads, ctx, res, "sAMAccountName")) == NULL ) { + DEBUG(0,("ads_has_samaccountname: No sAMAccountName attribute!\n")); + } + +out: + ads_msgfree(ads, res); + if (name != NULL) { + ok = (strlen(name) > 0); + } + TALLOC_FREE(name); + return ok; +} + +#if 0 + + SAVED CODE - we used to join via ldap - remember how we did this. JRA. + +/** + * Join a machine to a realm + * Creates the machine account and sets the machine password + * @param ads connection to ads server + * @param machine name of host to add + * @param org_unit Organizational unit to place machine in + * @return status of join + **/ +ADS_STATUS ads_join_realm(ADS_STRUCT *ads, const char *machine_name, + uint32_t account_type, const char *org_unit) +{ + ADS_STATUS status; + LDAPMessage *res = NULL; + char *machine; + + /* machine name must be lowercase */ + machine = SMB_STRDUP(machine_name); + strlower_m(machine); + + /* + status = ads_find_machine_acct(ads, (void **)&res, machine); + if (ADS_ERR_OK(status) && ads_count_replies(ads, res) == 1) { + DEBUG(0, ("Host account for %s already exists - deleting old account\n", machine)); + status = ads_leave_realm(ads, machine); + if (!ADS_ERR_OK(status)) { + DEBUG(0, ("Failed to delete host '%s' from the '%s' realm.\n", + machine, ads->config.realm)); + return status; + } + } + */ + status = ads_add_machine_acct(ads, machine, account_type, org_unit); + if (!ADS_ERR_OK(status)) { + DEBUG(0, ("ads_join_realm: ads_add_machine_acct failed (%s): %s\n", machine, ads_errstr(status))); + SAFE_FREE(machine); + return status; + } + + status = ads_find_machine_acct(ads, (void **)(void *)&res, machine); + if (!ADS_ERR_OK(status)) { + DEBUG(0, ("ads_join_realm: Host account test failed for machine %s\n", machine)); + SAFE_FREE(machine); + return status; + } + + SAFE_FREE(machine); + ads_msgfree(ads, res); + + return status; +} +#endif + +/** + * Delete a machine from the realm + * @param ads connection to ads server + * @param hostname Machine to remove + * @return status of delete + **/ +ADS_STATUS ads_leave_realm(ADS_STRUCT *ads, const char *hostname) +{ + ADS_STATUS status; + void *msg; + LDAPMessage *res; + char *hostnameDN, *host; + int rc; + LDAPControl ldap_control; + LDAPControl * pldap_control[2] = {NULL, NULL}; + + pldap_control[0] = &ldap_control; + memset(&ldap_control, 0, sizeof(LDAPControl)); + ldap_control.ldctl_oid = discard_const_p(char, LDAP_SERVER_TREE_DELETE_OID); + + /* hostname must be lowercase */ + host = SMB_STRDUP(hostname); + if (!strlower_m(host)) { + SAFE_FREE(host); + return ADS_ERROR_SYSTEM(EINVAL); + } + + status = ads_find_machine_acct(ads, &res, host); + if (!ADS_ERR_OK(status)) { + DEBUG(0, ("Host account for %s does not exist.\n", host)); + SAFE_FREE(host); + return status; + } + + msg = ads_first_entry(ads, res); + if (!msg) { + SAFE_FREE(host); + return ADS_ERROR_SYSTEM(ENOENT); + } + + hostnameDN = ads_get_dn(ads, talloc_tos(), (LDAPMessage *)msg); + if (hostnameDN == NULL) { + SAFE_FREE(host); + return ADS_ERROR_SYSTEM(ENOENT); + } + + rc = ldap_delete_ext_s(ads->ldap.ld, hostnameDN, pldap_control, NULL); + if (rc) { + DEBUG(3,("ldap_delete_ext_s failed with error code %d\n", rc)); + }else { + DEBUG(3,("ldap_delete_ext_s succeeded with error code %d\n", rc)); + } + + if (rc != LDAP_SUCCESS) { + const char *attrs[] = { "cn", NULL }; + LDAPMessage *msg_sub; + + /* we only search with scope ONE, we do not expect any further + * objects to be created deeper */ + + status = ads_do_search_retry(ads, hostnameDN, + LDAP_SCOPE_ONELEVEL, + "(objectclass=*)", attrs, &res); + + if (!ADS_ERR_OK(status)) { + SAFE_FREE(host); + TALLOC_FREE(hostnameDN); + return status; + } + + for (msg_sub = ads_first_entry(ads, res); msg_sub; + msg_sub = ads_next_entry(ads, msg_sub)) { + + char *dn = NULL; + + if ((dn = ads_get_dn(ads, talloc_tos(), msg_sub)) == NULL) { + SAFE_FREE(host); + TALLOC_FREE(hostnameDN); + return ADS_ERROR(LDAP_NO_MEMORY); + } + + status = ads_del_dn(ads, dn); + if (!ADS_ERR_OK(status)) { + DEBUG(3,("failed to delete dn %s: %s\n", dn, ads_errstr(status))); + SAFE_FREE(host); + TALLOC_FREE(dn); + TALLOC_FREE(hostnameDN); + return status; + } + + TALLOC_FREE(dn); + } + + /* there should be no subordinate objects anymore */ + status = ads_do_search_retry(ads, hostnameDN, + LDAP_SCOPE_ONELEVEL, + "(objectclass=*)", attrs, &res); + + if (!ADS_ERR_OK(status) || ( (ads_count_replies(ads, res)) > 0 ) ) { + SAFE_FREE(host); + TALLOC_FREE(hostnameDN); + return status; + } + + /* delete hostnameDN now */ + status = ads_del_dn(ads, hostnameDN); + if (!ADS_ERR_OK(status)) { + SAFE_FREE(host); + DEBUG(3,("failed to delete dn %s: %s\n", hostnameDN, ads_errstr(status))); + TALLOC_FREE(hostnameDN); + return status; + } + } + + TALLOC_FREE(hostnameDN); + + status = ads_find_machine_acct(ads, &res, host); + if ((status.error_type == ENUM_ADS_ERROR_LDAP) && + (status.err.rc != LDAP_NO_SUCH_OBJECT)) { + DEBUG(3, ("Failed to remove host account.\n")); + SAFE_FREE(host); + return status; + } + + SAFE_FREE(host); + return ADS_SUCCESS; +} + +/** + * pull all token-sids from an LDAP dn + * @param ads connection to ads server + * @param mem_ctx TALLOC_CTX for allocating sid array + * @param dn of LDAP object + * @param user_sid pointer to struct dom_sid (objectSid) + * @param primary_group_sid pointer to struct dom_sid (self composed) + * @param sids pointer to sid array to allocate + * @param num_sids counter of SIDs pulled + * @return status of token query + **/ + ADS_STATUS ads_get_tokensids(ADS_STRUCT *ads, + TALLOC_CTX *mem_ctx, + const char *dn, + struct dom_sid *user_sid, + struct dom_sid *primary_group_sid, + struct dom_sid **sids, + size_t *num_sids) +{ + ADS_STATUS status; + LDAPMessage *res = NULL; + int count = 0; + size_t tmp_num_sids; + struct dom_sid *tmp_sids; + struct dom_sid tmp_user_sid; + struct dom_sid tmp_primary_group_sid; + uint32_t pgid; + const char *attrs[] = { + "objectSid", + "tokenGroups", + "primaryGroupID", + NULL + }; + + status = ads_search_retry_dn(ads, &res, dn, attrs); + if (!ADS_ERR_OK(status)) { + return status; + } + + count = ads_count_replies(ads, res); + if (count != 1) { + ads_msgfree(ads, res); + return ADS_ERROR_LDAP(LDAP_NO_SUCH_OBJECT); + } + + if (!ads_pull_sid(ads, res, "objectSid", &tmp_user_sid)) { + ads_msgfree(ads, res); + return ADS_ERROR_LDAP(LDAP_NO_MEMORY); + } + + if (!ads_pull_uint32(ads, res, "primaryGroupID", &pgid)) { + ads_msgfree(ads, res); + return ADS_ERROR_LDAP(LDAP_NO_MEMORY); + } + + { + /* hack to compose the primary group sid without knowing the + * domsid */ + + struct dom_sid domsid; + + sid_copy(&domsid, &tmp_user_sid); + + if (!sid_split_rid(&domsid, NULL)) { + ads_msgfree(ads, res); + return ADS_ERROR_LDAP(LDAP_NO_MEMORY); + } + + if (!sid_compose(&tmp_primary_group_sid, &domsid, pgid)) { + ads_msgfree(ads, res); + return ADS_ERROR_LDAP(LDAP_NO_MEMORY); + } + } + + tmp_num_sids = ads_pull_sids(ads, mem_ctx, res, "tokenGroups", &tmp_sids); + + if (tmp_num_sids == 0 || !tmp_sids) { + ads_msgfree(ads, res); + return ADS_ERROR_LDAP(LDAP_NO_MEMORY); + } + + if (num_sids) { + *num_sids = tmp_num_sids; + } + + if (sids) { + *sids = tmp_sids; + } + + if (user_sid) { + *user_sid = tmp_user_sid; + } + + if (primary_group_sid) { + *primary_group_sid = tmp_primary_group_sid; + } + + DEBUG(10,("ads_get_tokensids: returned %d sids\n", (int)tmp_num_sids + 2)); + + ads_msgfree(ads, res); + return ADS_ERROR_LDAP(LDAP_SUCCESS); +} + +/** + * Find a sAMAccountName in LDAP + * @param ads connection to ads server + * @param mem_ctx TALLOC_CTX for allocating sid array + * @param samaccountname to search + * @param uac_ret uint32_t pointer userAccountControl attribute value + * @param dn_ret pointer to dn + * @return status of token query + **/ +ADS_STATUS ads_find_samaccount(ADS_STRUCT *ads, + TALLOC_CTX *mem_ctx, + const char *samaccountname, + uint32_t *uac_ret, + const char **dn_ret) +{ + ADS_STATUS status; + const char *attrs[] = { "userAccountControl", NULL }; + const char *filter; + LDAPMessage *res = NULL; + char *dn = NULL; + uint32_t uac = 0; + + filter = talloc_asprintf(mem_ctx, "(&(objectclass=user)(sAMAccountName=%s))", + samaccountname); + if (filter == NULL) { + status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY); + goto out; + } + + status = ads_do_search_all(ads, ads->config.bind_path, + LDAP_SCOPE_SUBTREE, + filter, attrs, &res); + + if (!ADS_ERR_OK(status)) { + goto out; + } + + if (ads_count_replies(ads, res) != 1) { + status = ADS_ERROR(LDAP_NO_RESULTS_RETURNED); + goto out; + } + + dn = ads_get_dn(ads, talloc_tos(), res); + if (dn == NULL) { + status = ADS_ERROR(LDAP_NO_MEMORY); + goto out; + } + + if (!ads_pull_uint32(ads, res, "userAccountControl", &uac)) { + status = ADS_ERROR(LDAP_NO_SUCH_ATTRIBUTE); + goto out; + } + + if (uac_ret) { + *uac_ret = uac; + } + + if (dn_ret) { + *dn_ret = talloc_strdup(mem_ctx, dn); + if (!*dn_ret) { + status = ADS_ERROR(LDAP_NO_MEMORY); + goto out; + } + } + out: + TALLOC_FREE(dn); + ads_msgfree(ads, res); + + return status; +} + +/** + * find our configuration path + * @param ads connection to ads server + * @param mem_ctx Pointer to talloc context + * @param config_path Pointer to the config path + * @return status of search + **/ +ADS_STATUS ads_config_path(ADS_STRUCT *ads, + TALLOC_CTX *mem_ctx, + char **config_path) +{ + ADS_STATUS status; + LDAPMessage *res = NULL; + const char *config_context = NULL; + const char *attrs[] = { "configurationNamingContext", NULL }; + + status = ads_do_search(ads, "", LDAP_SCOPE_BASE, + "(objectclass=*)", attrs, &res); + if (!ADS_ERR_OK(status)) { + return status; + } + + config_context = ads_pull_string(ads, mem_ctx, res, + "configurationNamingContext"); + ads_msgfree(ads, res); + if (!config_context) { + return ADS_ERROR(LDAP_NO_MEMORY); + } + + if (config_path) { + *config_path = talloc_strdup(mem_ctx, config_context); + if (!*config_path) { + return ADS_ERROR(LDAP_NO_MEMORY); + } + } + + return ADS_ERROR(LDAP_SUCCESS); +} + +/** + * find the displayName of an extended right + * @param ads connection to ads server + * @param config_path The config path + * @param mem_ctx Pointer to talloc context + * @param GUID struct of the rightsGUID + * @return status of search + **/ +const char *ads_get_extended_right_name_by_guid(ADS_STRUCT *ads, + const char *config_path, + TALLOC_CTX *mem_ctx, + const struct GUID *rights_guid) +{ + ADS_STATUS rc; + LDAPMessage *res = NULL; + char *expr = NULL; + const char *attrs[] = { "displayName", NULL }; + const char *result = NULL; + const char *path; + + if (!ads || !mem_ctx || !rights_guid) { + goto done; + } + + expr = talloc_asprintf(mem_ctx, "(rightsGuid=%s)", + GUID_string(mem_ctx, rights_guid)); + if (!expr) { + goto done; + } + + path = talloc_asprintf(mem_ctx, "cn=Extended-Rights,%s", config_path); + if (!path) { + goto done; + } + + rc = ads_do_search_retry(ads, path, LDAP_SCOPE_SUBTREE, + expr, attrs, &res); + if (!ADS_ERR_OK(rc)) { + goto done; + } + + if (ads_count_replies(ads, res) != 1) { + goto done; + } + + result = ads_pull_string(ads, mem_ctx, res, "displayName"); + + done: + ads_msgfree(ads, res); + return result; +} + +/** + * verify or build and verify an account ou + * @param mem_ctx Pointer to talloc context + * @param ads connection to ads server + * @param account_ou + * @return status of search + **/ + +ADS_STATUS ads_check_ou_dn(TALLOC_CTX *mem_ctx, + ADS_STRUCT *ads, + const char **account_ou) +{ + char **exploded_dn; + const char *name; + char *ou_string; + + if (account_ou == NULL) { + return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER); + } + + if (*account_ou != NULL) { + exploded_dn = ldap_explode_dn(*account_ou, 0); + if (exploded_dn) { + ldap_value_free(exploded_dn); + return ADS_SUCCESS; + } + } + + ou_string = ads_ou_string(ads, *account_ou); + if (!ou_string) { + return ADS_ERROR_LDAP(LDAP_INVALID_DN_SYNTAX); + } + + name = talloc_asprintf(mem_ctx, "%s,%s", ou_string, + ads->config.bind_path); + SAFE_FREE(ou_string); + + if (!name) { + return ADS_ERROR_LDAP(LDAP_NO_MEMORY); + } + + exploded_dn = ldap_explode_dn(name, 0); + if (!exploded_dn) { + return ADS_ERROR_LDAP(LDAP_INVALID_DN_SYNTAX); + } + ldap_value_free(exploded_dn); + + *account_ou = name; + return ADS_SUCCESS; +} + +#endif diff --git a/source3/libads/ldap_printer.c b/source3/libads/ldap_printer.c new file mode 100644 index 0000000..e610893 --- /dev/null +++ b/source3/libads/ldap_printer.c @@ -0,0 +1,361 @@ +/* + Unix SMB/CIFS implementation. + ads (active directory) printer utility library + Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "includes.h" +#include "ads.h" +#include "rpc_client/rpc_client.h" +#include "../librpc/gen_ndr/ndr_spoolss_c.h" +#include "rpc_client/cli_spoolss.h" +#include "registry.h" +#include "libcli/registry/util_reg.h" + +#ifdef HAVE_ADS + +/* + find a printer given the name and the hostname + Note that results "res" may be allocated on return so that the + results can be used. It should be freed using ads_msgfree. +*/ + ADS_STATUS ads_find_printer_on_server(ADS_STRUCT *ads, LDAPMessage **res, + const char *printer, + const char *servername) +{ + ADS_STATUS status; + char *srv_dn, **srv_cn, *s = NULL; + const char *attrs[] = {"*", "nTSecurityDescriptor", NULL}; + + status = ads_find_machine_acct(ads, res, servername); + if (!ADS_ERR_OK(status)) { + DEBUG(1, ("ads_find_printer_on_server: cannot find host %s in ads\n", + servername)); + return status; + } + if (ads_count_replies(ads, *res) != 1) { + ads_msgfree(ads, *res); + *res = NULL; + return ADS_ERROR(LDAP_NO_SUCH_OBJECT); + } + srv_dn = ldap_get_dn(ads->ldap.ld, *res); + if (srv_dn == NULL) { + ads_msgfree(ads, *res); + *res = NULL; + return ADS_ERROR(LDAP_NO_MEMORY); + } + srv_cn = ldap_explode_dn(srv_dn, 1); + if (srv_cn == NULL) { + ldap_memfree(srv_dn); + ads_msgfree(ads, *res); + *res = NULL; + return ADS_ERROR(LDAP_INVALID_DN_SYNTAX); + } + ads_msgfree(ads, *res); + *res = NULL; + + if (asprintf(&s, "(cn=%s-%s)", srv_cn[0], printer) == -1) { + ldap_memfree(srv_dn); + return ADS_ERROR(LDAP_NO_MEMORY); + } + status = ads_search(ads, res, s, attrs); + + ldap_memfree(srv_dn); + ldap_value_free(srv_cn); + SAFE_FREE(s); + return status; +} + + ADS_STATUS ads_find_printers(ADS_STRUCT *ads, LDAPMessage **res) +{ + const char *ldap_expr; + const char *attrs[] = { "objectClass", "printerName", "location", "driverName", + "serverName", "description", NULL }; + + /* For the moment only display all printers */ + + ldap_expr = "(&(!(showInAdvancedViewOnly=TRUE))(uncName=*)" + "(objectCategory=printQueue))"; + + return ads_search(ads, res, ldap_expr, attrs); +} + +/* + modify a printer entry in the directory +*/ +ADS_STATUS ads_mod_printer_entry(ADS_STRUCT *ads, char *prt_dn, + TALLOC_CTX *ctx, const ADS_MODLIST *mods) +{ + return ads_gen_mod(ads, prt_dn, *mods); +} + +/* + add a printer to the directory +*/ +ADS_STATUS ads_add_printer_entry(ADS_STRUCT *ads, char *prt_dn, + TALLOC_CTX *ctx, ADS_MODLIST *mods) +{ + ads_mod_str(ctx, mods, "objectClass", "printQueue"); + return ads_gen_add(ads, prt_dn, *mods); +} + +/* + map a REG_SZ to an ldap mod +*/ +static bool map_sz(TALLOC_CTX *ctx, ADS_MODLIST *mods, + const char *name, struct registry_value *value) +{ + const char *str_value = NULL; + ADS_STATUS status; + + if (value->type != REG_SZ) + return false; + + if (value->data.length && value->data.data) { + if (!pull_reg_sz(ctx, &value->data, &str_value)) { + return false; + } + status = ads_mod_str(ctx, mods, name, str_value); + return ADS_ERR_OK(status); + } + return true; +} + +/* + map a REG_DWORD to an ldap mod +*/ +static bool map_dword(TALLOC_CTX *ctx, ADS_MODLIST *mods, + const char *name, struct registry_value *value) +{ + char *str_value = NULL; + ADS_STATUS status; + + if (value->type != REG_DWORD) { + return false; + } + if (value->data.length != sizeof(uint32_t)) { + return false; + } + str_value = talloc_asprintf(ctx, "%d", IVAL(value->data.data, 0)); + if (!str_value) { + return false; + } + status = ads_mod_str(ctx, mods, name, str_value); + return ADS_ERR_OK(status); +} + +/* + map a boolean REG_BINARY to an ldap mod +*/ +static bool map_bool(TALLOC_CTX *ctx, ADS_MODLIST *mods, + const char *name, struct registry_value *value) +{ + const char *str_value; + ADS_STATUS status; + + if (value->type != REG_BINARY) { + return false; + } + if (value->data.length != 1) { + return false; + } + + str_value = *value->data.data ? "TRUE" : "FALSE"; + + status = ads_mod_str(ctx, mods, name, str_value); + return ADS_ERR_OK(status); +} + +/* + map a REG_MULTI_SZ to an ldap mod +*/ +static bool map_multi_sz(TALLOC_CTX *ctx, ADS_MODLIST *mods, + const char *name, struct registry_value *value) +{ + const char **str_values = NULL; + ADS_STATUS status; + + if (value->type != REG_MULTI_SZ) { + return false; + } + + if (value->data.length && value->data.data) { + if (!pull_reg_multi_sz(ctx, &value->data, &str_values)) { + return false; + } + status = ads_mod_strlist(ctx, mods, name, str_values); + return ADS_ERR_OK(status); + } + return true; +} + +struct valmap_to_ads { + const char *valname; + bool (*fn)(TALLOC_CTX *, ADS_MODLIST *, const char *, struct registry_value *); +}; + +/* + map a REG_SZ to an ldap mod +*/ +static void map_regval_to_ads(TALLOC_CTX *ctx, ADS_MODLIST *mods, + const char *name, struct registry_value *value) +{ + const struct valmap_to_ads map[] = { + {SPOOL_REG_ASSETNUMBER, map_sz}, + {SPOOL_REG_BYTESPERMINUTE, map_dword}, + {SPOOL_REG_DEFAULTPRIORITY, map_dword}, + {SPOOL_REG_DESCRIPTION, map_sz}, + {SPOOL_REG_DRIVERNAME, map_sz}, + {SPOOL_REG_DRIVERVERSION, map_dword}, + {SPOOL_REG_FLAGS, map_dword}, + {SPOOL_REG_LOCATION, map_sz}, + {SPOOL_REG_OPERATINGSYSTEM, map_sz}, + {SPOOL_REG_OPERATINGSYSTEMHOTFIX, map_sz}, + {SPOOL_REG_OPERATINGSYSTEMSERVICEPACK, map_sz}, + {SPOOL_REG_OPERATINGSYSTEMVERSION, map_sz}, + {SPOOL_REG_PORTNAME, map_multi_sz}, + {SPOOL_REG_PRINTATTRIBUTES, map_dword}, + {SPOOL_REG_PRINTBINNAMES, map_multi_sz}, + {SPOOL_REG_PRINTCOLLATE, map_bool}, + {SPOOL_REG_PRINTCOLOR, map_bool}, + {SPOOL_REG_PRINTDUPLEXSUPPORTED, map_bool}, + {SPOOL_REG_PRINTENDTIME, map_dword}, + {SPOOL_REG_PRINTFORMNAME, map_sz}, + {SPOOL_REG_PRINTKEEPPRINTEDJOBS, map_bool}, + {SPOOL_REG_PRINTLANGUAGE, map_multi_sz}, + {SPOOL_REG_PRINTMACADDRESS, map_sz}, + {SPOOL_REG_PRINTMAXCOPIES, map_sz}, + {SPOOL_REG_PRINTMAXRESOLUTIONSUPPORTED, map_dword}, + {SPOOL_REG_PRINTMAXXEXTENT, map_dword}, + {SPOOL_REG_PRINTMAXYEXTENT, map_dword}, + {SPOOL_REG_PRINTMEDIAREADY, map_multi_sz}, + {SPOOL_REG_PRINTMEDIASUPPORTED, map_multi_sz}, + {SPOOL_REG_PRINTMEMORY, map_dword}, + {SPOOL_REG_PRINTMINXEXTENT, map_dword}, + {SPOOL_REG_PRINTMINYEXTENT, map_dword}, + {SPOOL_REG_PRINTNETWORKADDRESS, map_sz}, + {SPOOL_REG_PRINTNOTIFY, map_sz}, + {SPOOL_REG_PRINTNUMBERUP, map_dword}, + {SPOOL_REG_PRINTORIENTATIONSSUPPORTED, map_multi_sz}, + {SPOOL_REG_PRINTOWNER, map_sz}, + {SPOOL_REG_PRINTPAGESPERMINUTE, map_dword}, + {SPOOL_REG_PRINTRATE, map_dword}, + {SPOOL_REG_PRINTRATEUNIT, map_sz}, + {SPOOL_REG_PRINTSEPARATORFILE, map_sz}, + {SPOOL_REG_PRINTSHARENAME, map_sz}, + {SPOOL_REG_PRINTSPOOLING, map_sz}, + {SPOOL_REG_PRINTSTAPLINGSUPPORTED, map_bool}, + {SPOOL_REG_PRINTSTARTTIME, map_dword}, + {SPOOL_REG_PRINTSTATUS, map_sz}, + {SPOOL_REG_PRIORITY, map_dword}, + {SPOOL_REG_SERVERNAME, map_sz}, + {SPOOL_REG_SHORTSERVERNAME, map_sz}, + {SPOOL_REG_UNCNAME, map_sz}, + {SPOOL_REG_URL, map_sz}, + {SPOOL_REG_VERSIONNUMBER, map_dword}, + {NULL, NULL} + }; + int i; + + for (i=0; map[i].valname; i++) { + if (strcasecmp_m(map[i].valname, name) == 0) { + if (!map[i].fn(ctx, mods, name, value)) { + DEBUG(5, ("Add of value %s to modlist failed\n", name)); + } else { + DEBUG(7, ("Mapped value %s\n", name)); + } + } + } +} + + +WERROR get_remote_printer_publishing_data(struct rpc_pipe_client *cli, + TALLOC_CTX *mem_ctx, + ADS_MODLIST *mods, + const char *printer) +{ + struct dcerpc_binding_handle *b = cli->binding_handle; + WERROR result; + char *printername; + struct spoolss_PrinterEnumValues *info; + uint32_t count; + uint32_t i; + struct policy_handle pol; + WERROR werr; + + if ((asprintf(&printername, "%s\\%s", cli->srv_name_slash, printer) == -1)) { + DEBUG(3, ("Insufficient memory\n")); + return WERR_NOT_ENOUGH_MEMORY; + } + + result = rpccli_spoolss_openprinter_ex(cli, mem_ctx, + printername, + SEC_FLAG_MAXIMUM_ALLOWED, + &pol); + if (!W_ERROR_IS_OK(result)) { + DEBUG(3, ("Unable to open printer %s, error is %s.\n", + printername, win_errstr(result))); + SAFE_FREE(printername); + return result; + } + + result = rpccli_spoolss_enumprinterdataex(cli, mem_ctx, &pol, + SPOOL_DSDRIVER_KEY, + 0, + &count, + &info); + + if (!W_ERROR_IS_OK(result)) { + DEBUG(3, ("Unable to do enumdataex on %s, error is %s.\n", + printername, win_errstr(result))); + } else { + /* Have the data we need now, so start building */ + for (i=0; i < count; i++) { + struct registry_value v; + v.type = info[i].type; + v.data = *info[i].data; + + map_regval_to_ads(mem_ctx, mods, info[i].value_name, &v); + } + } + + result = rpccli_spoolss_enumprinterdataex(cli, mem_ctx, &pol, + SPOOL_DSSPOOLER_KEY, + 0, + &count, + &info); + if (!W_ERROR_IS_OK(result)) { + DEBUG(3, ("Unable to do enumdataex on %s, error is %s.\n", + printername, win_errstr(result))); + } else { + for (i=0; i < count; i++) { + struct registry_value v; + v.type = info[i].type; + v.data = *info[i].data; + + map_regval_to_ads(mem_ctx, mods, info[i].value_name, &v); + } + } + + ads_mod_str(mem_ctx, mods, SPOOL_REG_PRINTERNAME, printer); + + dcerpc_spoolss_ClosePrinter(b, mem_ctx, &pol, &werr); + SAFE_FREE(printername); + + return result; +} + +#endif diff --git a/source3/libads/ldap_schema.c b/source3/libads/ldap_schema.c new file mode 100644 index 0000000..d2f486e --- /dev/null +++ b/source3/libads/ldap_schema.c @@ -0,0 +1,354 @@ +/* + Unix SMB/CIFS implementation. + ads (active directory) utility library + Copyright (C) Guenther Deschner 2005-2007 + Copyright (C) Gerald (Jerry) Carter 2006 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "includes.h" +#include "ads.h" +#include "libads/ldap_schema.h" +#include "libads/ldap_schema_oids.h" +#include "../libcli/ldap/ldap_ndr.h" + +#ifdef HAVE_LDAP + +static ADS_STATUS ads_get_attrnames_by_oids(ADS_STRUCT *ads, + TALLOC_CTX *mem_ctx, + const char *schema_path, + const char **OIDs, + size_t num_OIDs, + char ***OIDs_out, char ***names, + size_t *count) +{ + ADS_STATUS status; + LDAPMessage *res = NULL; + LDAPMessage *msg; + char *expr = NULL; + const char *attrs[] = { "lDAPDisplayName", "attributeId", NULL }; + int i = 0, p = 0; + + if (!ads || !mem_ctx || !names || !count || !OIDs || !OIDs_out) { + return ADS_ERROR(LDAP_PARAM_ERROR); + } + + if (num_OIDs == 0 || OIDs[0] == NULL) { + return ADS_ERROR_NT(NT_STATUS_NONE_MAPPED); + } + + expr = talloc_asprintf(mem_ctx, "(|"); + + for (i=0; i<num_OIDs; i++) { + talloc_asprintf_addbuf(&expr, "(attributeId=%s)", OIDs[i]); + } + + talloc_asprintf_addbuf(&expr, ")"); + if (expr == NULL) { + return ADS_ERROR(LDAP_NO_MEMORY); + } + + status = ads_do_search_retry(ads, schema_path, + LDAP_SCOPE_SUBTREE, expr, attrs, &res); + if (!ADS_ERR_OK(status)) { + return status; + } + + *count = ads_count_replies(ads, res); + if (*count == 0 || !res) { + status = ADS_ERROR_NT(NT_STATUS_NONE_MAPPED); + goto out; + } + + if (((*names) = talloc_array(mem_ctx, char *, *count)) == NULL) { + status = ADS_ERROR(LDAP_NO_MEMORY); + goto out; + } + if (((*OIDs_out) = talloc_array(mem_ctx, char *, *count)) == NULL) { + status = ADS_ERROR(LDAP_NO_MEMORY); + goto out; + } + + for (msg = ads_first_entry(ads, res); msg != NULL; + msg = ads_next_entry(ads, msg)) { + + (*names)[p] = ads_pull_string(ads, mem_ctx, msg, + "lDAPDisplayName"); + (*OIDs_out)[p] = ads_pull_string(ads, mem_ctx, msg, + "attributeId"); + if (((*names)[p] == NULL) || ((*OIDs_out)[p] == NULL)) { + status = ADS_ERROR(LDAP_NO_MEMORY); + goto out; + } + + p++; + } + + if (*count < num_OIDs) { + status = ADS_ERROR_NT(STATUS_SOME_UNMAPPED); + goto out; + } + + status = ADS_ERROR(LDAP_SUCCESS); +out: + ads_msgfree(ads, res); + + return status; +} + +const char *ads_get_attrname_by_guid(ADS_STRUCT *ads, + const char *schema_path, + TALLOC_CTX *mem_ctx, + const struct GUID *schema_guid) +{ + ADS_STATUS rc; + LDAPMessage *res = NULL; + char *expr = NULL; + const char *attrs[] = { "lDAPDisplayName", NULL }; + const char *result = NULL; + char *guid_bin = NULL; + + if (!ads || !mem_ctx || !schema_guid) { + goto done; + } + + guid_bin = ldap_encode_ndr_GUID(mem_ctx, schema_guid); + if (!guid_bin) { + goto done; + } + + expr = talloc_asprintf(mem_ctx, "(schemaIDGUID=%s)", guid_bin); + if (!expr) { + goto done; + } + + rc = ads_do_search_retry(ads, schema_path, LDAP_SCOPE_SUBTREE, + expr, attrs, &res); + if (!ADS_ERR_OK(rc)) { + goto done; + } + + if (ads_count_replies(ads, res) != 1) { + goto done; + } + + result = ads_pull_string(ads, mem_ctx, res, "lDAPDisplayName"); + + done: + TALLOC_FREE(guid_bin); + ads_msgfree(ads, res); + return result; + +} + +/********************************************************************* +*********************************************************************/ + +ADS_STATUS ads_schema_path(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, char **schema_path) +{ + ADS_STATUS status; + LDAPMessage *res; + const char *schema; + const char *attrs[] = { "schemaNamingContext", NULL }; + + status = ads_do_search(ads, "", LDAP_SCOPE_BASE, "(objectclass=*)", attrs, &res); + if (!ADS_ERR_OK(status)) { + return status; + } + + if ( (schema = ads_pull_string(ads, mem_ctx, res, "schemaNamingContext")) == NULL ) { + ads_msgfree(ads, res); + return ADS_ERROR(LDAP_NO_RESULTS_RETURNED); + } + + if ( (*schema_path = talloc_strdup(mem_ctx, schema)) == NULL ) { + ads_msgfree(ads, res); + return ADS_ERROR(LDAP_NO_MEMORY); + } + + ads_msgfree(ads, res); + + return status; +} + +/** + * Check for "Services for Unix" or rfc2307 Schema and load some attributes into the ADS_STRUCT + * @param ads connection to ads server + * @param enum mapping type + * @return ADS_STATUS status of search (False if one or more attributes couldn't be + * found in Active Directory) + **/ +ADS_STATUS ads_check_posix_schema_mapping(TALLOC_CTX *mem_ctx, + ADS_STRUCT *ads, + enum wb_posix_mapping map_type, + struct posix_schema **s ) +{ + TALLOC_CTX *ctx = NULL; + ADS_STATUS status; + char **oids_out, **names_out; + size_t num_names; + char *schema_path = NULL; + int i; + struct posix_schema *schema = NULL; + + const char *oids_sfu[] = { ADS_ATTR_SFU_UIDNUMBER_OID, + ADS_ATTR_SFU_GIDNUMBER_OID, + ADS_ATTR_SFU_HOMEDIR_OID, + ADS_ATTR_SFU_SHELL_OID, + ADS_ATTR_SFU_GECOS_OID, + ADS_ATTR_SFU_UID_OID }; + + const char *oids_sfu20[] = { ADS_ATTR_SFU20_UIDNUMBER_OID, + ADS_ATTR_SFU20_GIDNUMBER_OID, + ADS_ATTR_SFU20_HOMEDIR_OID, + ADS_ATTR_SFU20_SHELL_OID, + ADS_ATTR_SFU20_GECOS_OID, + ADS_ATTR_SFU20_UID_OID }; + + const char *oids_rfc2307[] = { ADS_ATTR_RFC2307_UIDNUMBER_OID, + ADS_ATTR_RFC2307_GIDNUMBER_OID, + ADS_ATTR_RFC2307_HOMEDIR_OID, + ADS_ATTR_RFC2307_SHELL_OID, + ADS_ATTR_RFC2307_GECOS_OID, + ADS_ATTR_RFC2307_UID_OID }; + + DEBUG(10,("ads_check_posix_schema_mapping for schema mode: %d\n", map_type)); + + switch (map_type) { + + case WB_POSIX_MAP_TEMPLATE: + case WB_POSIX_MAP_UNIXINFO: + DEBUG(10,("ads_check_posix_schema_mapping: nothing to do\n")); + return ADS_ERROR(LDAP_SUCCESS); + + case WB_POSIX_MAP_SFU: + case WB_POSIX_MAP_SFU20: + case WB_POSIX_MAP_RFC2307: + break; + + default: + DEBUG(0,("ads_check_posix_schema_mapping: " + "unknown enum %d\n", map_type)); + return ADS_ERROR(LDAP_PARAM_ERROR); + } + + if ( (ctx = talloc_init("ads_check_posix_schema_mapping")) == NULL ) { + return ADS_ERROR(LDAP_NO_MEMORY); + } + + if ( (schema = talloc(mem_ctx, struct posix_schema)) == NULL ) { + TALLOC_FREE( ctx ); + return ADS_ERROR(LDAP_NO_MEMORY); + } + + status = ads_schema_path(ads, ctx, &schema_path); + if (!ADS_ERR_OK(status)) { + DEBUG(3,("ads_check_posix_mapping: Unable to retrieve schema DN!\n")); + goto done; + } + + switch (map_type) { + case WB_POSIX_MAP_SFU: + status = ads_get_attrnames_by_oids(ads, ctx, schema_path, oids_sfu, + ARRAY_SIZE(oids_sfu), + &oids_out, &names_out, &num_names); + break; + case WB_POSIX_MAP_SFU20: + status = ads_get_attrnames_by_oids(ads, ctx, schema_path, oids_sfu20, + ARRAY_SIZE(oids_sfu20), + &oids_out, &names_out, &num_names); + break; + case WB_POSIX_MAP_RFC2307: + status = ads_get_attrnames_by_oids(ads, ctx, schema_path, oids_rfc2307, + ARRAY_SIZE(oids_rfc2307), + &oids_out, &names_out, &num_names); + break; + default: + status = ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER); + break; + } + + if (!ADS_ERR_OK(status)) { + DEBUG(3,("ads_check_posix_schema_mapping: failed %s\n", + ads_errstr(status))); + goto done; + } + + for (i=0; i<num_names; i++) { + + DEBUGADD(10,("\tOID %s has name: %s\n", oids_out[i], names_out[i])); + + if (strequal(ADS_ATTR_RFC2307_UIDNUMBER_OID, oids_out[i]) || + strequal(ADS_ATTR_SFU_UIDNUMBER_OID, oids_out[i]) || + strequal(ADS_ATTR_SFU20_UIDNUMBER_OID, oids_out[i])) { + schema->posix_uidnumber_attr = talloc_strdup(schema, names_out[i]); + continue; + } + + if (strequal(ADS_ATTR_RFC2307_GIDNUMBER_OID, oids_out[i]) || + strequal(ADS_ATTR_SFU_GIDNUMBER_OID, oids_out[i]) || + strequal(ADS_ATTR_SFU20_GIDNUMBER_OID, oids_out[i])) { + schema->posix_gidnumber_attr = talloc_strdup(schema, names_out[i]); + continue; + } + + if (strequal(ADS_ATTR_RFC2307_HOMEDIR_OID, oids_out[i]) || + strequal(ADS_ATTR_SFU_HOMEDIR_OID, oids_out[i]) || + strequal(ADS_ATTR_SFU20_HOMEDIR_OID, oids_out[i])) { + schema->posix_homedir_attr = talloc_strdup(schema, names_out[i]); + continue; + } + + if (strequal(ADS_ATTR_RFC2307_SHELL_OID, oids_out[i]) || + strequal(ADS_ATTR_SFU_SHELL_OID, oids_out[i]) || + strequal(ADS_ATTR_SFU20_SHELL_OID, oids_out[i])) { + schema->posix_shell_attr = talloc_strdup(schema, names_out[i]); + continue; + } + + if (strequal(ADS_ATTR_RFC2307_GECOS_OID, oids_out[i]) || + strequal(ADS_ATTR_SFU_GECOS_OID, oids_out[i]) || + strequal(ADS_ATTR_SFU20_GECOS_OID, oids_out[i])) { + schema->posix_gecos_attr = talloc_strdup(schema, names_out[i]); + } + + if (strequal(ADS_ATTR_RFC2307_UID_OID, oids_out[i]) || + strequal(ADS_ATTR_SFU_UID_OID, oids_out[i]) || + strequal(ADS_ATTR_SFU20_UID_OID, oids_out[i])) { + schema->posix_uid_attr = talloc_strdup(schema, names_out[i]); + } + } + + if (!schema->posix_uidnumber_attr || + !schema->posix_gidnumber_attr || + !schema->posix_homedir_attr || + !schema->posix_shell_attr || + !schema->posix_gecos_attr) { + status = ADS_ERROR(LDAP_NO_MEMORY); + TALLOC_FREE( schema ); + goto done; + } + + *s = schema; + + status = ADS_ERROR(LDAP_SUCCESS); + +done: + TALLOC_FREE(ctx); + + return status; +} + +#endif diff --git a/source3/libads/ldap_schema.h b/source3/libads/ldap_schema.h new file mode 100644 index 0000000..f36d3e0 --- /dev/null +++ b/source3/libads/ldap_schema.h @@ -0,0 +1,57 @@ +/* + Unix SMB/CIFS implementation. + ads (active directory) utility library + Copyright (C) Guenther Deschner 2005-2007 + Copyright (C) Gerald (Jerry) Carter 2006 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#ifndef _LIBADS_LDAP_SCHEMA_H_ +#define _LIBADS_LDAP_SCHEMA_H_ + +/* used to remember the names of the posix attributes in AD */ +/* see the rfc2307 & sfu nss backends */ + +struct posix_schema { + char *posix_homedir_attr; + char *posix_shell_attr; + char *posix_uidnumber_attr; + char *posix_gidnumber_attr; + char *posix_gecos_attr; + char *posix_uid_attr; +}; + +enum wb_posix_mapping { + WB_POSIX_MAP_UNKNOWN = -1, + WB_POSIX_MAP_TEMPLATE = 0, + WB_POSIX_MAP_SFU = 1, + WB_POSIX_MAP_SFU20 = 2, + WB_POSIX_MAP_RFC2307 = 3, + WB_POSIX_MAP_UNIXINFO = 4 +}; + +/* The following definitions come from libads/ldap_schema.c */ + +const char *ads_get_attrname_by_guid(ADS_STRUCT *ads, + const char *schema_path, + TALLOC_CTX *mem_ctx, + const struct GUID *schema_guid); +ADS_STATUS ads_schema_path(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, char **schema_path); +ADS_STATUS ads_check_posix_schema_mapping(TALLOC_CTX *mem_ctx, + ADS_STRUCT *ads, + enum wb_posix_mapping map_type, + struct posix_schema **s ) ; + +#endif /* _LIBADS_LDAP_SCHEMA_H_ */ diff --git a/source3/libads/ldap_schema_oids.h b/source3/libads/ldap_schema_oids.h new file mode 100644 index 0000000..cb17b3c --- /dev/null +++ b/source3/libads/ldap_schema_oids.h @@ -0,0 +1,49 @@ +/* + Unix SMB/CIFS implementation. + ads (active directory) utility library + Copyright (C) Guenther Deschner 2005-2007 + Copyright (C) Gerald (Jerry) Carter 2006 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#ifndef _LIBADS_LDAP_SCHEMA_OIDS_H_ +#define _LIBADS_LDAP_SCHEMA_OIDS_H_ + +/* ldap attribute oids (Services for Unix 3.0, 3.5) */ +#define ADS_ATTR_SFU_UIDNUMBER_OID "1.2.840.113556.1.6.18.1.310" +#define ADS_ATTR_SFU_GIDNUMBER_OID "1.2.840.113556.1.6.18.1.311" +#define ADS_ATTR_SFU_HOMEDIR_OID "1.2.840.113556.1.6.18.1.344" +#define ADS_ATTR_SFU_SHELL_OID "1.2.840.113556.1.6.18.1.312" +#define ADS_ATTR_SFU_GECOS_OID "1.2.840.113556.1.6.18.1.337" +#define ADS_ATTR_SFU_UID_OID "1.2.840.113556.1.6.18.1.309" + +/* ldap attribute oids (Services for Unix 2.0) */ +#define ADS_ATTR_SFU20_UIDNUMBER_OID "1.2.840.113556.1.4.7000.187.70" +#define ADS_ATTR_SFU20_GIDNUMBER_OID "1.2.840.113556.1.4.7000.187.71" +#define ADS_ATTR_SFU20_HOMEDIR_OID "1.2.840.113556.1.4.7000.187.106" +#define ADS_ATTR_SFU20_SHELL_OID "1.2.840.113556.1.4.7000.187.72" +#define ADS_ATTR_SFU20_GECOS_OID "1.2.840.113556.1.4.7000.187.97" +#define ADS_ATTR_SFU20_UID_OID "1.2.840.113556.1.4.7000.187.102" + + +/* ldap attribute oids (RFC2307) */ +#define ADS_ATTR_RFC2307_UIDNUMBER_OID "1.3.6.1.1.1.1.0" +#define ADS_ATTR_RFC2307_GIDNUMBER_OID "1.3.6.1.1.1.1.1" +#define ADS_ATTR_RFC2307_HOMEDIR_OID "1.3.6.1.1.1.1.3" +#define ADS_ATTR_RFC2307_SHELL_OID "1.3.6.1.1.1.1.4" +#define ADS_ATTR_RFC2307_GECOS_OID "1.3.6.1.1.1.1.2" +#define ADS_ATTR_RFC2307_UID_OID "0.9.2342.19200300.100.1.1" + +#endif diff --git a/source3/libads/ldap_user.c b/source3/libads/ldap_user.c new file mode 100644 index 0000000..5542100 --- /dev/null +++ b/source3/libads/ldap_user.c @@ -0,0 +1,132 @@ +/* + Unix SMB/CIFS implementation. + ads (active directory) utility library + Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "includes.h" +#include "ads.h" +#include "../libds/common/flags.h" + +#ifdef HAVE_ADS + +/* + find a user account +*/ + ADS_STATUS ads_find_user_acct(ADS_STRUCT *ads, LDAPMessage **res, + const char *user) +{ + ADS_STATUS status; + char *ldap_exp; + const char *attrs[] = {"*", NULL}; + char *escaped_user = escape_ldap_string(talloc_tos(), user); + if (!escaped_user) { + return ADS_ERROR(LDAP_NO_MEMORY); + } + + if (asprintf(&ldap_exp, "(samAccountName=%s)", escaped_user) == -1) { + TALLOC_FREE(escaped_user); + return ADS_ERROR(LDAP_NO_MEMORY); + } + status = ads_search(ads, res, ldap_exp, attrs); + SAFE_FREE(ldap_exp); + TALLOC_FREE(escaped_user); + return status; +} + +ADS_STATUS ads_add_user_acct(ADS_STRUCT *ads, const char *user, + const char *container, const char *fullname) +{ + TALLOC_CTX *ctx; + ADS_MODLIST mods; + ADS_STATUS status; + const char *upn, *new_dn, *name, *controlstr; + char *name_escaped = NULL; + const char *objectClass[] = {"top", "person", "organizationalPerson", + "user", NULL}; + + if (fullname && *fullname) name = fullname; + else name = user; + + if (!(ctx = talloc_init("ads_add_user_acct"))) + return ADS_ERROR(LDAP_NO_MEMORY); + + status = ADS_ERROR(LDAP_NO_MEMORY); + + if (!(upn = talloc_asprintf(ctx, "%s@%s", user, ads->config.realm))) + goto done; + if (!(name_escaped = escape_rdn_val_string_alloc(name))) + goto done; + if (!(new_dn = talloc_asprintf(ctx, "cn=%s,%s,%s", name_escaped, container, + ads->config.bind_path))) + goto done; + if (!(controlstr = talloc_asprintf(ctx, "%u", (UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE)))) + goto done; + if (!(mods = ads_init_mods(ctx))) + goto done; + + ads_mod_str(ctx, &mods, "cn", name); + ads_mod_strlist(ctx, &mods, "objectClass", objectClass); + ads_mod_str(ctx, &mods, "userPrincipalName", upn); + ads_mod_str(ctx, &mods, "name", name); + ads_mod_str(ctx, &mods, "displayName", name); + ads_mod_str(ctx, &mods, "sAMAccountName", user); + ads_mod_str(ctx, &mods, "userAccountControl", controlstr); + status = ads_gen_add(ads, new_dn, mods); + + done: + SAFE_FREE(name_escaped); + talloc_destroy(ctx); + return status; +} + +ADS_STATUS ads_add_group_acct(ADS_STRUCT *ads, const char *group, + const char *container, const char *comment) +{ + TALLOC_CTX *ctx; + ADS_MODLIST mods; + ADS_STATUS status; + char *new_dn; + char *name_escaped = NULL; + const char *objectClass[] = {"top", "group", NULL}; + + if (!(ctx = talloc_init("ads_add_group_acct"))) + return ADS_ERROR(LDAP_NO_MEMORY); + + status = ADS_ERROR(LDAP_NO_MEMORY); + + if (!(name_escaped = escape_rdn_val_string_alloc(group))) + goto done; + if (!(new_dn = talloc_asprintf(ctx, "cn=%s,%s,%s", name_escaped, container, + ads->config.bind_path))) + goto done; + if (!(mods = ads_init_mods(ctx))) + goto done; + + ads_mod_str(ctx, &mods, "cn", group); + ads_mod_strlist(ctx, &mods, "objectClass",objectClass); + ads_mod_str(ctx, &mods, "name", group); + if (comment && *comment) + ads_mod_str(ctx, &mods, "description", comment); + ads_mod_str(ctx, &mods, "sAMAccountName", group); + status = ads_gen_add(ads, new_dn, mods); + + done: + SAFE_FREE(name_escaped); + talloc_destroy(ctx); + return status; +} +#endif diff --git a/source3/libads/ldap_utils.c b/source3/libads/ldap_utils.c new file mode 100644 index 0000000..c08f046 --- /dev/null +++ b/source3/libads/ldap_utils.c @@ -0,0 +1,389 @@ +/* + Unix SMB/CIFS implementation. + + Some Helpful wrappers on LDAP + + Copyright (C) Andrew Tridgell 2001 + Copyright (C) Guenther Deschner 2006,2007 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "includes.h" +#include "ads.h" +#include "lib/param/loadparm.h" + +#ifdef HAVE_LDAP + +static ADS_STATUS ads_ranged_search_internal(ADS_STRUCT *ads, + TALLOC_CTX *mem_ctx, + int scope, + const char *base, + const char *filter, + const char **attrs, + void *args, + const char *range_attr, + char ***strings, + size_t *num_strings, + uint32_t *first_usn, + int *num_retries, + bool *more_values); + +/* + a wrapper around ldap_search_s that retries depending on the error code + this is supposed to catch dropped connections and auto-reconnect +*/ +static ADS_STATUS ads_do_search_retry_internal(ADS_STRUCT *ads, const char *bind_path, int scope, + const char *expr, + const char **attrs, void *args, + LDAPMessage **res) +{ + ADS_STATUS status; + int count = 3; + char *bp; + + *res = NULL; + + if (!ads->ldap.ld && + time_mono(NULL) - ads->ldap.last_attempt < ADS_RECONNECT_TIME) { + return ADS_ERROR(LDAP_SERVER_DOWN); + } + + bp = SMB_STRDUP(bind_path); + + if (!bp) { + return ADS_ERROR(LDAP_NO_MEMORY); + } + + *res = NULL; + + /* when binding anonymously, we cannot use the paged search LDAP + * control - Guenther */ + + if (ads->auth.flags & ADS_AUTH_ANON_BIND) { + status = ads_do_search(ads, bp, scope, expr, attrs, res); + } else { + status = ads_do_search_all_args(ads, bp, scope, expr, attrs, args, res); + } + if (ADS_ERR_OK(status)) { + DEBUG(5,("Search for %s in <%s> gave %d replies\n", + expr, bp, ads_count_replies(ads, *res))); + SAFE_FREE(bp); + return status; + } + + while (--count) { + + if (NT_STATUS_EQUAL(ads_ntstatus(status), NT_STATUS_IO_TIMEOUT) && + ads->config.ldap_page_size >= (lp_ldap_page_size() / 4) && + lp_ldap_page_size() > 4) { + int new_page_size = (ads->config.ldap_page_size / 2); + DEBUG(1, ("Reducing LDAP page size from %d to %d due to IO_TIMEOUT\n", + ads->config.ldap_page_size, new_page_size)); + ads->config.ldap_page_size = new_page_size; + } + + if (*res) + ads_msgfree(ads, *res); + *res = NULL; + + DEBUG(3,("Reopening ads connection to realm '%s' after error %s\n", + ads->config.realm, ads_errstr(status))); + + ads_disconnect(ads); + status = ads_connect(ads); + + if (!ADS_ERR_OK(status)) { + DEBUG(1,("ads_search_retry: failed to reconnect (%s)\n", + ads_errstr(status))); + /* + * We need to keep the ads pointer + * from being freed here as we don't own it and + * callers depend on it being around. + */ + ads_disconnect(ads); + SAFE_FREE(bp); + return status; + } + + *res = NULL; + + /* when binding anonymously, we cannot use the paged search LDAP + * control - Guenther */ + + if (ads->auth.flags & ADS_AUTH_ANON_BIND) { + status = ads_do_search(ads, bp, scope, expr, attrs, res); + } else { + status = ads_do_search_all_args(ads, bp, scope, expr, attrs, args, res); + } + + if (ADS_ERR_OK(status)) { + DEBUG(5,("Search for filter: %s, base: %s gave %d replies\n", + expr, bp, ads_count_replies(ads, *res))); + SAFE_FREE(bp); + return status; + } + } + SAFE_FREE(bp); + + if (!ADS_ERR_OK(status)) { + DEBUG(1,("ads reopen failed after error %s\n", + ads_errstr(status))); + } + return status; +} + + ADS_STATUS ads_do_search_retry(ADS_STRUCT *ads, const char *bind_path, + int scope, const char *expr, + const char **attrs, LDAPMessage **res) +{ + return ads_do_search_retry_internal(ads, bind_path, scope, expr, attrs, NULL, res); +} + +static ADS_STATUS ads_do_search_retry_args(ADS_STRUCT *ads, const char *bind_path, + int scope, const char *expr, + const char **attrs, void *args, + LDAPMessage **res) +{ + return ads_do_search_retry_internal(ads, bind_path, scope, expr, attrs, args, res); +} + + + ADS_STATUS ads_search_retry(ADS_STRUCT *ads, LDAPMessage **res, + const char *expr, const char **attrs) +{ + return ads_do_search_retry(ads, ads->config.bind_path, LDAP_SCOPE_SUBTREE, + expr, attrs, res); +} + + ADS_STATUS ads_search_retry_dn(ADS_STRUCT *ads, LDAPMessage **res, + const char *dn, + const char **attrs) +{ + return ads_do_search_retry(ads, dn, LDAP_SCOPE_BASE, + "(objectclass=*)", attrs, res); +} + + ADS_STATUS ads_search_retry_dn_sd_flags(ADS_STRUCT *ads, LDAPMessage **res, + uint32_t sd_flags, + const char *dn, + const char **attrs) +{ + ads_control args; + + args.control = ADS_SD_FLAGS_OID; + args.val = sd_flags; + args.critical = True; + + return ads_do_search_retry_args(ads, dn, LDAP_SCOPE_BASE, + "(objectclass=*)", attrs, &args, res); +} + + ADS_STATUS ads_search_retry_extended_dn_ranged(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, + const char *dn, + const char **attrs, + enum ads_extended_dn_flags flags, + char ***strings, + size_t *num_strings) +{ + ads_control args; + + args.control = ADS_EXTENDED_DN_OID; + args.val = flags; + args.critical = True; + + /* we can only range process one attribute */ + if (!attrs || !attrs[0] || attrs[1]) { + return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER); + } + + return ads_ranged_search(ads, mem_ctx, LDAP_SCOPE_BASE, dn, + "(objectclass=*)", &args, attrs[0], + strings, num_strings); + +} + + ADS_STATUS ads_search_retry_sid(ADS_STRUCT *ads, LDAPMessage **res, + const struct dom_sid *sid, + const char **attrs) +{ + char *dn, *sid_string; + ADS_STATUS status; + + sid_string = sid_binstring_hex_talloc(talloc_tos(), sid); + if (sid_string == NULL) { + return ADS_ERROR(LDAP_NO_MEMORY); + } + + if (!asprintf(&dn, "<SID=%s>", sid_string)) { + TALLOC_FREE(sid_string); + return ADS_ERROR(LDAP_NO_MEMORY); + } + + status = ads_do_search_retry(ads, dn, LDAP_SCOPE_BASE, + "(objectclass=*)", attrs, res); + SAFE_FREE(dn); + TALLOC_FREE(sid_string); + return status; +} + +ADS_STATUS ads_ranged_search(ADS_STRUCT *ads, + TALLOC_CTX *mem_ctx, + int scope, + const char *base, + const char *filter, + void *args, + const char *range_attr, + char ***strings, + size_t *num_strings) +{ + ADS_STATUS status; + uint32_t first_usn; + int num_retries = 0; + const char **attrs; + bool more_values = False; + + *num_strings = 0; + *strings = NULL; + + attrs = talloc_array(mem_ctx, const char *, 3); + ADS_ERROR_HAVE_NO_MEMORY(attrs); + + attrs[0] = talloc_strdup(mem_ctx, range_attr); + attrs[1] = talloc_strdup(mem_ctx, "usnChanged"); + attrs[2] = NULL; + + ADS_ERROR_HAVE_NO_MEMORY(attrs[0]); + ADS_ERROR_HAVE_NO_MEMORY(attrs[1]); + + do { + status = ads_ranged_search_internal(ads, mem_ctx, + scope, base, filter, + attrs, args, range_attr, + strings, num_strings, + &first_usn, &num_retries, + &more_values); + + if (NT_STATUS_EQUAL(STATUS_MORE_ENTRIES, ads_ntstatus(status))) { + continue; + } + + if (!ADS_ERR_OK(status)) { + *num_strings = 0; + strings = NULL; + goto done; + } + + } while (more_values); + + done: + DEBUG(10,("returning with %d strings\n", (int)*num_strings)); + + return status; +} + +static ADS_STATUS ads_ranged_search_internal(ADS_STRUCT *ads, + TALLOC_CTX *mem_ctx, + int scope, + const char *base, + const char *filter, + const char **attrs, + void *args, + const char *range_attr, + char ***strings, + size_t *num_strings, + uint32_t *first_usn, + int *num_retries, + bool *more_values) +{ + LDAPMessage *res = NULL; + ADS_STATUS status; + int count; + uint32_t current_usn; + + DEBUG(10, ("Searching for attrs[0] = %s, attrs[1] = %s\n", attrs[0], attrs[1])); + + *more_values = False; + + status = ads_do_search_retry_internal(ads, base, scope, filter, attrs, args, &res); + + if (!ADS_ERR_OK(status)) { + DEBUG(1,("ads_search: %s\n", + ads_errstr(status))); + return status; + } + + if (!res) { + return ADS_ERROR(LDAP_NO_MEMORY); + } + + count = ads_count_replies(ads, res); + if (count == 0) { + ads_msgfree(ads, res); + return ADS_ERROR(LDAP_SUCCESS); + } + + if (*num_strings == 0) { + if (!ads_pull_uint32(ads, res, "usnChanged", first_usn)) { + DEBUG(1, ("could not pull first usnChanged!\n")); + ads_msgfree(ads, res); + return ADS_ERROR(LDAP_NO_MEMORY); + } + } + + if (!ads_pull_uint32(ads, res, "usnChanged", ¤t_usn)) { + DEBUG(1, ("could not pull current usnChanged!\n")); + ads_msgfree(ads, res); + return ADS_ERROR(LDAP_NO_MEMORY); + } + + if (*first_usn != current_usn) { + DEBUG(5, ("USN on this record changed" + " - restarting search\n")); + if (*num_retries < 5) { + (*num_retries)++; + *num_strings = 0; + ads_msgfree(ads, res); + return ADS_ERROR_NT(STATUS_MORE_ENTRIES); + } else { + DEBUG(5, ("USN on this record changed" + " - restarted search too many times, aborting!\n")); + ads_msgfree(ads, res); + return ADS_ERROR(LDAP_NO_MEMORY); + } + } + + *strings = ads_pull_strings_range(ads, mem_ctx, res, + range_attr, + *strings, + &attrs[0], + num_strings, + more_values); + + ads_msgfree(ads, res); + + /* paranoia checks */ + if (*strings == NULL && *more_values) { + DEBUG(0,("no strings found but more values???\n")); + return ADS_ERROR(LDAP_NO_MEMORY); + } + if (*num_strings == 0 && *more_values) { + DEBUG(0,("no strings found but more values???\n")); + return ADS_ERROR(LDAP_NO_MEMORY); + } + + return (*more_values) ? ADS_ERROR_NT(STATUS_MORE_ENTRIES) : ADS_ERROR(LDAP_SUCCESS); +} + +#endif diff --git a/source3/libads/net_ads_setspn.c b/source3/libads/net_ads_setspn.c new file mode 100644 index 0000000..b163184 --- /dev/null +++ b/source3/libads/net_ads_setspn.c @@ -0,0 +1,229 @@ +/* + Unix SMB/CIFS implementation. + net ads setspn routines + Copyright (C) Noel Power 2018 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "includes.h" +#include "ads.h" + +#ifdef HAVE_ADS +bool ads_setspn_list(ADS_STRUCT *ads, const char *machine_name) +{ + size_t i = 0; + TALLOC_CTX *frame = NULL; + char **spn_array = NULL; + size_t num_spns = 0; + bool ok = false; + ADS_STATUS status; + + frame = talloc_stackframe(); + status = ads_get_service_principal_names(frame, + ads, + machine_name, + &spn_array, + &num_spns); + if (!ADS_ERR_OK(status)) { + goto done; + } + + d_printf("Registered SPNs for %s\n", machine_name); + for (i = 0; i < num_spns; i++) { + d_printf("\t%s\n", spn_array[i]); + } + + ok = true; +done: + TALLOC_FREE(frame); + return ok; +} + +/* returns true if spn exists in spn_array (match is NOT case-sensitive) */ +static bool find_spn_in_spnlist(TALLOC_CTX *ctx, + const char *spn, + char **spn_array, + size_t num_spns) +{ + char *lc_spn = NULL; + size_t i = 0; + + lc_spn = strlower_talloc(ctx, spn); + if (lc_spn == NULL) { + DBG_ERR("Out of memory, lowercasing %s.\n", + spn); + return false; + } + + for (i = 0; i < num_spns; i++) { + char *lc_spn_attr = strlower_talloc(ctx, spn_array[i]); + if (lc_spn_attr == NULL) { + DBG_ERR("Out of memory, lowercasing %s.\n", + spn_array[i]); + return false; + } + + if (strequal(lc_spn, lc_spn_attr)) { + return true; + } + } + + return false; +} + +bool ads_setspn_add(ADS_STRUCT *ads, const char *machine_name, const char * spn) +{ + bool ret = false; + TALLOC_CTX *frame = NULL; + ADS_STATUS status; + struct spn_struct *spn_struct = NULL; + const char *spns[2] = {NULL, NULL}; + char **existing_spns = NULL; + size_t num_spns = 0; + bool found = false; + + frame = talloc_stackframe(); + spns[0] = spn; + spn_struct = parse_spn(frame, spn); + if (spn_struct == NULL) { + goto done; + } + + status = ads_get_service_principal_names(frame, + ads, + machine_name, + &existing_spns, + &num_spns); + + if (!ADS_ERR_OK(status)) { + goto done; + } + + found = find_spn_in_spnlist(frame, spn, existing_spns, num_spns); + if (found) { + d_printf("Duplicate SPN found, aborting operation.\n"); + goto done; + } + + d_printf("Registering SPN %s for object %s\n", spn, machine_name); + status = ads_add_service_principal_names(ads, machine_name, spns); + if (!ADS_ERR_OK(status)) { + goto done; + } + ret = true; + d_printf("Updated object\n"); +done: + TALLOC_FREE(frame); + return ret; +} + +bool ads_setspn_delete(ADS_STRUCT *ads, + const char *machine_name, + const char * spn) +{ + size_t i = 0, j = 0; + TALLOC_CTX *frame = NULL; + char **spn_array = NULL; + const char **new_spn_array = NULL; + char *lc_spn = NULL; + size_t num_spns = 0; + ADS_STATUS status; + ADS_MODLIST mods; + bool ok = false; + LDAPMessage *res = NULL; + + frame = talloc_stackframe(); + + lc_spn = strlower_talloc(frame, spn); + if (lc_spn == NULL) { + DBG_ERR("Out of memory, lowercasing %s.\n", spn); + goto done; + } + + status = ads_find_machine_acct(ads, + &res, + machine_name); + if (!ADS_ERR_OK(status)) { + goto done; + } + + status = ads_get_service_principal_names(frame, + ads, + machine_name, + &spn_array, + &num_spns); + if (!ADS_ERR_OK(status)) { + goto done; + } + + new_spn_array = talloc_zero_array(frame, const char*, num_spns + 1); + if (!new_spn_array) { + DBG_ERR("Out of memory, failed to allocate array.\n"); + goto done; + } + + /* + * create new spn list to write to object (excluding the spn to + * be deleted). + */ + for (i = 0, j = 0; i < num_spns; i++) { + /* + * windows setspn.exe deletes matching spn in a case + * insensitive way. + */ + char *lc_spn_attr = strlower_talloc(frame, spn_array[i]); + if (lc_spn_attr == NULL) { + DBG_ERR("Out of memory, lowercasing %s.\n", + spn_array[i]); + goto done; + } + + if (!strequal(lc_spn, lc_spn_attr)) { + new_spn_array[j++] = spn_array[i]; + } + } + + /* found and removed spn */ + if (j < num_spns) { + char *dn = NULL; + mods = ads_init_mods(frame); + if (mods == NULL) { + goto done; + } + d_printf("Unregistering SPN %s for %s\n", spn, machine_name); + status = ads_mod_strlist(frame, &mods, "servicePrincipalName", new_spn_array); + if (!ADS_ERR_OK(status)) { + goto done; + } + + dn = ads_get_dn(ads, frame, res); + if (dn == NULL ) { + goto done; + } + + status = ads_gen_mod(ads, dn, mods); + if (!ADS_ERR_OK(status)) { + goto done; + } + } + d_printf("Updated object\n"); + + ok = true; +done: + TALLOC_FREE(frame); + return ok; +} + +#endif /* HAVE_ADS */ diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c new file mode 100644 index 0000000..5ae8b99 --- /dev/null +++ b/source3/libads/sasl.c @@ -0,0 +1,855 @@ +/* + Unix SMB/CIFS implementation. + ads sasl code + Copyright (C) Andrew Tridgell 2001 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "includes.h" +#include "../libcli/auth/spnego.h" +#include "auth/credentials/credentials.h" +#include "auth/gensec/gensec.h" +#include "auth_generic.h" +#include "ads.h" +#include "smb_krb5.h" +#include "system/gssapi.h" +#include "lib/param/loadparm.h" +#include "krb5_env.h" +#include "lib/util/asn1.h" + +#ifdef HAVE_LDAP + +static ADS_STATUS ads_sasl_gensec_wrap(struct ads_saslwrap *wrap, + uint8_t *buf, uint32_t len) +{ + struct gensec_security *gensec_security = + talloc_get_type_abort(wrap->wrap_private_data, + struct gensec_security); + NTSTATUS nt_status; + DATA_BLOB unwrapped, wrapped; + TALLOC_CTX *frame = talloc_stackframe(); + + unwrapped = data_blob_const(buf, len); + + nt_status = gensec_wrap(gensec_security, frame, &unwrapped, &wrapped); + if (!NT_STATUS_IS_OK(nt_status)) { + TALLOC_FREE(frame); + return ADS_ERROR_NT(nt_status); + } + + if ((wrap->out.size - 4) < wrapped.length) { + TALLOC_FREE(frame); + return ADS_ERROR_NT(NT_STATUS_INTERNAL_ERROR); + } + + /* copy the wrapped blob to the right location */ + memcpy(wrap->out.buf + 4, wrapped.data, wrapped.length); + + /* set how many bytes must be written to the underlying socket */ + wrap->out.left = 4 + wrapped.length; + + TALLOC_FREE(frame); + + return ADS_SUCCESS; +} + +static ADS_STATUS ads_sasl_gensec_unwrap(struct ads_saslwrap *wrap) +{ + struct gensec_security *gensec_security = + talloc_get_type_abort(wrap->wrap_private_data, + struct gensec_security); + NTSTATUS nt_status; + DATA_BLOB unwrapped, wrapped; + TALLOC_CTX *frame = talloc_stackframe(); + + wrapped = data_blob_const(wrap->in.buf + 4, wrap->in.ofs - 4); + + nt_status = gensec_unwrap(gensec_security, frame, &wrapped, &unwrapped); + if (!NT_STATUS_IS_OK(nt_status)) { + TALLOC_FREE(frame); + return ADS_ERROR_NT(nt_status); + } + + if (wrapped.length < unwrapped.length) { + TALLOC_FREE(frame); + return ADS_ERROR_NT(NT_STATUS_INTERNAL_ERROR); + } + + /* copy the wrapped blob to the right location */ + memcpy(wrap->in.buf + 4, unwrapped.data, unwrapped.length); + + /* set how many bytes must be written to the underlying socket */ + wrap->in.left = unwrapped.length; + wrap->in.ofs = 4; + + TALLOC_FREE(frame); + + return ADS_SUCCESS; +} + +static void ads_sasl_gensec_disconnect(struct ads_saslwrap *wrap) +{ + struct gensec_security *gensec_security = + talloc_get_type_abort(wrap->wrap_private_data, + struct gensec_security); + + TALLOC_FREE(gensec_security); + + wrap->wrap_ops = NULL; + wrap->wrap_private_data = NULL; +} + +static const struct ads_saslwrap_ops ads_sasl_gensec_ops = { + .name = "gensec", + .wrap = ads_sasl_gensec_wrap, + .unwrap = ads_sasl_gensec_unwrap, + .disconnect = ads_sasl_gensec_disconnect +}; + +/* + perform a LDAP/SASL/SPNEGO/{NTLMSSP,KRB5} bind (just how many layers can + we fit on one socket??) +*/ +static ADS_STATUS ads_sasl_spnego_gensec_bind(ADS_STRUCT *ads, + const char *sasl, + enum credentials_use_kerberos krb5_state, + const char *target_service, + const char *target_hostname, + const DATA_BLOB server_blob) +{ + DATA_BLOB blob_in = data_blob_null; + DATA_BLOB blob_out = data_blob_null; + int rc; + NTSTATUS nt_status; + ADS_STATUS status; + struct auth_generic_state *auth_generic_state; + bool use_spnego_principal = lp_client_use_spnego_principal(); + const char *sasl_list[] = { sasl, NULL }; + NTTIME end_nt_time; + struct ads_saslwrap *wrap = &ads->ldap_wrap_data; + + nt_status = auth_generic_client_prepare(NULL, &auth_generic_state); + if (!NT_STATUS_IS_OK(nt_status)) { + return ADS_ERROR_NT(nt_status); + } + + if (!NT_STATUS_IS_OK(nt_status = auth_generic_set_username(auth_generic_state, ads->auth.user_name))) { + return ADS_ERROR_NT(nt_status); + } + if (!NT_STATUS_IS_OK(nt_status = auth_generic_set_domain(auth_generic_state, ads->auth.realm))) { + return ADS_ERROR_NT(nt_status); + } + if (!NT_STATUS_IS_OK(nt_status = auth_generic_set_password(auth_generic_state, ads->auth.password))) { + return ADS_ERROR_NT(nt_status); + } + + if (server_blob.length == 0) { + use_spnego_principal = false; + } + + if (krb5_state == CRED_USE_KERBEROS_DISABLED) { + use_spnego_principal = false; + } + + cli_credentials_set_kerberos_state(auth_generic_state->credentials, + krb5_state, + CRED_SPECIFIED); + + if (target_service != NULL) { + nt_status = gensec_set_target_service( + auth_generic_state->gensec_security, + target_service); + if (!NT_STATUS_IS_OK(nt_status)) { + return ADS_ERROR_NT(nt_status); + } + } + + if (target_hostname != NULL) { + nt_status = gensec_set_target_hostname( + auth_generic_state->gensec_security, + target_hostname); + if (!NT_STATUS_IS_OK(nt_status)) { + return ADS_ERROR_NT(nt_status); + } + } + + if (target_service != NULL && target_hostname != NULL) { + use_spnego_principal = false; + } + + switch (wrap->wrap_type) { + case ADS_SASLWRAP_TYPE_SEAL: + gensec_want_feature(auth_generic_state->gensec_security, GENSEC_FEATURE_SIGN); + gensec_want_feature(auth_generic_state->gensec_security, GENSEC_FEATURE_SEAL); + break; + case ADS_SASLWRAP_TYPE_SIGN: + if (ads->auth.flags & ADS_AUTH_SASL_FORCE) { + gensec_want_feature(auth_generic_state->gensec_security, GENSEC_FEATURE_SIGN); + } else { + /* + * windows servers are broken with sign only, + * so we let the NTLMSSP backend to seal here, + * via GENSEC_FEATURE_LDAP_STYLE. + */ + gensec_want_feature(auth_generic_state->gensec_security, GENSEC_FEATURE_SIGN); + gensec_want_feature(auth_generic_state->gensec_security, GENSEC_FEATURE_LDAP_STYLE); + } + break; + case ADS_SASLWRAP_TYPE_PLAIN: + break; + } + + nt_status = auth_generic_client_start_by_sasl(auth_generic_state, + sasl_list); + if (!NT_STATUS_IS_OK(nt_status)) { + return ADS_ERROR_NT(nt_status); + } + + rc = LDAP_SASL_BIND_IN_PROGRESS; + if (use_spnego_principal) { + blob_in = data_blob_dup_talloc(talloc_tos(), server_blob); + if (blob_in.length == 0) { + TALLOC_FREE(auth_generic_state); + return ADS_ERROR_NT(NT_STATUS_NO_MEMORY); + } + } else { + blob_in = data_blob_null; + } + blob_out = data_blob_null; + + while (true) { + struct berval cred, *scred = NULL; + + nt_status = gensec_update(auth_generic_state->gensec_security, + talloc_tos(), blob_in, &blob_out); + data_blob_free(&blob_in); + if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED) + && !NT_STATUS_IS_OK(nt_status)) + { + TALLOC_FREE(auth_generic_state); + data_blob_free(&blob_out); + return ADS_ERROR_NT(nt_status); + } + + if (NT_STATUS_IS_OK(nt_status) && rc == 0 && blob_out.length == 0) { + break; + } + + cred.bv_val = (char *)blob_out.data; + cred.bv_len = blob_out.length; + scred = NULL; + rc = ldap_sasl_bind_s(ads->ldap.ld, NULL, sasl, &cred, NULL, NULL, &scred); + data_blob_free(&blob_out); + if ((rc != LDAP_SASL_BIND_IN_PROGRESS) && (rc != 0)) { + if (scred) { + ber_bvfree(scred); + } + + TALLOC_FREE(auth_generic_state); + return ADS_ERROR(rc); + } + if (scred) { + blob_in = data_blob_talloc(talloc_tos(), + scred->bv_val, + scred->bv_len); + if (blob_in.length != scred->bv_len) { + ber_bvfree(scred); + TALLOC_FREE(auth_generic_state); + return ADS_ERROR_NT(NT_STATUS_NO_MEMORY); + } + ber_bvfree(scred); + } else { + blob_in = data_blob_null; + } + if (NT_STATUS_IS_OK(nt_status) && rc == 0 && blob_in.length == 0) { + break; + } + } + + data_blob_free(&blob_in); + data_blob_free(&blob_out); + + if (wrap->wrap_type >= ADS_SASLWRAP_TYPE_SEAL) { + bool ok; + + ok = gensec_have_feature(auth_generic_state->gensec_security, + GENSEC_FEATURE_SEAL); + if (!ok) { + DEBUG(0,("The gensec feature sealing request, but unavailable\n")); + TALLOC_FREE(auth_generic_state); + return ADS_ERROR_NT(NT_STATUS_INVALID_NETWORK_RESPONSE); + } + + ok = gensec_have_feature(auth_generic_state->gensec_security, + GENSEC_FEATURE_SIGN); + if (!ok) { + DEBUG(0,("The gensec feature signing request, but unavailable\n")); + TALLOC_FREE(auth_generic_state); + return ADS_ERROR_NT(NT_STATUS_INVALID_NETWORK_RESPONSE); + } + + } else if (wrap->wrap_type >= ADS_SASLWRAP_TYPE_SIGN) { + bool ok; + + ok = gensec_have_feature(auth_generic_state->gensec_security, + GENSEC_FEATURE_SIGN); + if (!ok) { + DEBUG(0,("The gensec feature signing request, but unavailable\n")); + TALLOC_FREE(auth_generic_state); + return ADS_ERROR_NT(NT_STATUS_INVALID_NETWORK_RESPONSE); + } + } + + ads->auth.tgs_expire = LONG_MAX; + end_nt_time = gensec_expire_time(auth_generic_state->gensec_security); + if (end_nt_time != GENSEC_EXPIRE_TIME_INFINITY) { + struct timeval tv; + nttime_to_timeval(&tv, end_nt_time); + ads->auth.tgs_expire = tv.tv_sec; + } + + if (wrap->wrap_type > ADS_SASLWRAP_TYPE_PLAIN) { + size_t max_wrapped = + gensec_max_wrapped_size(auth_generic_state->gensec_security); + wrap->out.max_unwrapped = + gensec_max_input_size(auth_generic_state->gensec_security); + + wrap->out.sig_size = max_wrapped - wrap->out.max_unwrapped; + /* + * Note that we have to truncate this to 0x2C + * (taken from a capture with LDAP unbind), as the + * signature size is not constant for Kerberos with + * arcfour-hmac-md5. + */ + wrap->in.min_wrapped = MIN(wrap->out.sig_size, 0x2C); + wrap->in.max_wrapped = ADS_SASL_WRAPPING_IN_MAX_WRAPPED; + status = ads_setup_sasl_wrapping(wrap, ads->ldap.ld, + &ads_sasl_gensec_ops, + auth_generic_state->gensec_security); + if (!ADS_ERR_OK(status)) { + DEBUG(0, ("ads_setup_sasl_wrapping() failed: %s\n", + ads_errstr(status))); + TALLOC_FREE(auth_generic_state); + return status; + } + /* Only keep the gensec_security element around long-term */ + talloc_steal(NULL, auth_generic_state->gensec_security); + } + TALLOC_FREE(auth_generic_state); + + return ADS_ERROR(rc); +} + +#ifdef HAVE_KRB5 +struct ads_service_principal { + char *service; + char *hostname; + char *string; +}; + +static void ads_free_service_principal(struct ads_service_principal *p) +{ + SAFE_FREE(p->service); + SAFE_FREE(p->hostname); + SAFE_FREE(p->string); + ZERO_STRUCTP(p); +} + +static ADS_STATUS ads_guess_target(ADS_STRUCT *ads, + char **service, + char **hostname, + char **principal) +{ + ADS_STATUS status = ADS_ERROR(LDAP_NO_MEMORY); + char *princ = NULL; + TALLOC_CTX *frame; + char *server = NULL; + char *realm = NULL; + int rc; + + frame = talloc_stackframe(); + if (frame == NULL) { + return ADS_ERROR(LDAP_NO_MEMORY); + } + + if (ads->server.realm && ads->server.ldap_server) { + server = strlower_talloc(frame, ads->server.ldap_server); + if (server == NULL) { + goto out; + } + + realm = strupper_talloc(frame, ads->server.realm); + if (realm == NULL) { + goto out; + } + + /* + * If we got a name which is bigger than a NetBIOS name, + * but isn't a FQDN, create one. + */ + if (strlen(server) > 15 && strstr(server, ".") == NULL) { + char *dnsdomain; + + dnsdomain = strlower_talloc(frame, ads->server.realm); + if (dnsdomain == NULL) { + goto out; + } + + server = talloc_asprintf(frame, + "%s.%s", + server, dnsdomain); + if (server == NULL) { + goto out; + } + } + } else if (ads->config.realm && ads->config.ldap_server_name) { + server = strlower_talloc(frame, ads->config.ldap_server_name); + if (server == NULL) { + goto out; + } + + realm = strupper_talloc(frame, ads->config.realm); + if (realm == NULL) { + goto out; + } + + /* + * If we got a name which is bigger than a NetBIOS name, + * but isn't a FQDN, create one. + */ + if (strlen(server) > 15 && strstr(server, ".") == NULL) { + char *dnsdomain; + + dnsdomain = strlower_talloc(frame, ads->server.realm); + if (dnsdomain == NULL) { + goto out; + } + + server = talloc_asprintf(frame, + "%s.%s", + server, dnsdomain); + if (server == NULL) { + goto out; + } + } + } + + if (server == NULL || realm == NULL) { + goto out; + } + + *service = SMB_STRDUP("ldap"); + if (*service == NULL) { + status = ADS_ERROR(LDAP_PARAM_ERROR); + goto out; + } + *hostname = SMB_STRDUP(server); + if (*hostname == NULL) { + SAFE_FREE(*service); + status = ADS_ERROR(LDAP_PARAM_ERROR); + goto out; + } + rc = asprintf(&princ, "ldap/%s@%s", server, realm); + if (rc == -1 || princ == NULL) { + SAFE_FREE(*service); + SAFE_FREE(*hostname); + status = ADS_ERROR(LDAP_PARAM_ERROR); + goto out; + } + + *principal = princ; + + status = ADS_SUCCESS; +out: + TALLOC_FREE(frame); + return status; +} + +static ADS_STATUS ads_generate_service_principal(ADS_STRUCT *ads, + struct ads_service_principal *p) +{ + ADS_STATUS status; + + ZERO_STRUCTP(p); + + status = ads_guess_target(ads, + &p->service, + &p->hostname, + &p->string); + if (!ADS_ERR_OK(status)) { + return status; + } + + return ADS_SUCCESS; +} + +#endif /* HAVE_KRB5 */ + +/* + parse a negTokenInit packet giving a GUID, a list of supported + OIDs (the mechanisms) and a principal name string +*/ +static bool spnego_parse_negTokenInit(TALLOC_CTX *ctx, + DATA_BLOB blob, + char *OIDs[ASN1_MAX_OIDS], + char **principal, + DATA_BLOB *secblob) +{ + int i; + bool ret = false; + ASN1_DATA *data; + + for (i = 0; i < ASN1_MAX_OIDS; i++) { + OIDs[i] = NULL; + } + + if (principal) { + *principal = NULL; + } + if (secblob) { + *secblob = data_blob_null; + } + + data = asn1_init(talloc_tos(), ASN1_MAX_TREE_DEPTH); + if (data == NULL) { + return false; + } + + if (!asn1_load(data, blob)) goto err; + + if (!asn1_start_tag(data,ASN1_APPLICATION(0))) goto err; + + if (!asn1_check_OID(data,OID_SPNEGO)) goto err; + + /* negTokenInit [0] NegTokenInit */ + if (!asn1_start_tag(data,ASN1_CONTEXT(0))) goto err; + if (!asn1_start_tag(data,ASN1_SEQUENCE(0))) goto err; + + /* mechTypes [0] MechTypeList OPTIONAL */ + + /* Not really optional, we depend on this to decide + * what mechanisms we have to work with. */ + + if (!asn1_start_tag(data,ASN1_CONTEXT(0))) goto err; + if (!asn1_start_tag(data,ASN1_SEQUENCE(0))) goto err; + for (i=0; asn1_tag_remaining(data) > 0 && i < ASN1_MAX_OIDS-1; i++) { + if (!asn1_read_OID(data,ctx, &OIDs[i])) { + goto err; + } + if (asn1_has_error(data)) { + goto err; + } + } + OIDs[i] = NULL; + if (!asn1_end_tag(data)) goto err; + if (!asn1_end_tag(data)) goto err; + + /* + Win7 + Live Sign-in Assistant attaches a mechToken + ASN1_CONTEXT(2) to the negTokenInit packet + which breaks our negotiation if we just assume + the next tag is ASN1_CONTEXT(3). + */ + + if (asn1_peek_tag(data, ASN1_CONTEXT(1))) { + uint8_t flags; + + /* reqFlags [1] ContextFlags OPTIONAL */ + if (!asn1_start_tag(data, ASN1_CONTEXT(1))) goto err; + if (!asn1_start_tag(data, ASN1_BIT_STRING)) goto err; + while (asn1_tag_remaining(data) > 0) { + if (!asn1_read_uint8(data, &flags)) goto err; + } + if (!asn1_end_tag(data)) goto err; + if (!asn1_end_tag(data)) goto err; + } + + if (asn1_peek_tag(data, ASN1_CONTEXT(2))) { + DATA_BLOB sblob = data_blob_null; + /* mechToken [2] OCTET STRING OPTIONAL */ + if (!asn1_start_tag(data, ASN1_CONTEXT(2))) goto err; + if (!asn1_read_OctetString(data, ctx, &sblob)) goto err; + if (!asn1_end_tag(data)) { + data_blob_free(&sblob); + goto err; + } + if (secblob) { + *secblob = sblob; + } else { + data_blob_free(&sblob); + } + } + + if (asn1_peek_tag(data, ASN1_CONTEXT(3))) { + char *princ = NULL; + /* mechListMIC [3] OCTET STRING OPTIONAL */ + if (!asn1_start_tag(data, ASN1_CONTEXT(3))) goto err; + if (!asn1_start_tag(data, ASN1_SEQUENCE(0))) goto err; + if (!asn1_start_tag(data, ASN1_CONTEXT(0))) goto err; + if (!asn1_read_GeneralString(data, ctx, &princ)) goto err; + if (!asn1_end_tag(data)) goto err; + if (!asn1_end_tag(data)) goto err; + if (!asn1_end_tag(data)) goto err; + if (principal) { + *principal = princ; + } else { + TALLOC_FREE(princ); + } + } + + if (!asn1_end_tag(data)) goto err; + if (!asn1_end_tag(data)) goto err; + + if (!asn1_end_tag(data)) goto err; + + ret = !asn1_has_error(data); + + err: + + if (asn1_has_error(data)) { + int j; + if (principal) { + TALLOC_FREE(*principal); + } + if (secblob) { + data_blob_free(secblob); + } + for(j = 0; j < i && j < ASN1_MAX_OIDS-1; j++) { + TALLOC_FREE(OIDs[j]); + } + } + + asn1_free(data); + return ret; +} + +/* + this performs a SASL/SPNEGO bind +*/ +static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) +{ + TALLOC_CTX *frame = talloc_stackframe(); + struct ads_service_principal p = {0}; + struct berval *scred=NULL; + int rc, i; + ADS_STATUS status; + DATA_BLOB blob = data_blob_null; + char *given_principal = NULL; + char *OIDs[ASN1_MAX_OIDS]; +#ifdef HAVE_KRB5 + bool got_kerberos_mechanism = False; +#endif + const char *mech = NULL; + + rc = ldap_sasl_bind_s(ads->ldap.ld, NULL, "GSS-SPNEGO", NULL, NULL, NULL, &scred); + + if (rc != LDAP_SASL_BIND_IN_PROGRESS) { + status = ADS_ERROR(rc); + goto done; + } + + blob = data_blob(scred->bv_val, scred->bv_len); + + ber_bvfree(scred); + +#if 0 + file_save("sasl_spnego.dat", blob.data, blob.length); +#endif + + /* the server sent us the first part of the SPNEGO exchange in the negprot + reply */ + if (!spnego_parse_negTokenInit(talloc_tos(), blob, OIDs, &given_principal, NULL) || + OIDs[0] == NULL) { + status = ADS_ERROR(LDAP_OPERATIONS_ERROR); + goto done; + } + TALLOC_FREE(given_principal); + + /* make sure the server understands kerberos */ + for (i=0;OIDs[i];i++) { + DEBUG(3,("ads_sasl_spnego_bind: got OID=%s\n", OIDs[i])); +#ifdef HAVE_KRB5 + if (strcmp(OIDs[i], OID_KERBEROS5_OLD) == 0 || + strcmp(OIDs[i], OID_KERBEROS5) == 0) { + got_kerberos_mechanism = True; + } +#endif + talloc_free(OIDs[i]); + } + + status = ads_generate_service_principal(ads, &p); + if (!ADS_ERR_OK(status)) { + goto done; + } + +#ifdef HAVE_KRB5 + if (!(ads->auth.flags & ADS_AUTH_DISABLE_KERBEROS) && + got_kerberos_mechanism) + { + mech = "KRB5"; + + if (ads->auth.password == NULL || + ads->auth.password[0] == '\0') + { + + status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO", + CRED_USE_KERBEROS_REQUIRED, + p.service, p.hostname, + blob); + if (ADS_ERR_OK(status)) { + ads_free_service_principal(&p); + goto done; + } + + DEBUG(10,("ads_sasl_spnego_gensec_bind(KRB5) failed with: %s, " + "calling kinit\n", ads_errstr(status))); + } + + status = ADS_ERROR_KRB5(ads_kinit_password(ads)); + + if (ADS_ERR_OK(status)) { + status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO", + CRED_USE_KERBEROS_REQUIRED, + p.service, p.hostname, + blob); + if (!ADS_ERR_OK(status)) { + DBG_ERR("kinit succeeded but " + "SPNEGO bind with Kerberos failed " + "for %s/%s - user[%s], realm[%s]: %s\n", + p.service, p.hostname, + ads->auth.user_name, + ads->auth.realm, + ads_errstr(status)); + } + } + + /* only fallback to NTLMSSP if allowed */ + if (ADS_ERR_OK(status) || + !(ads->auth.flags & ADS_AUTH_ALLOW_NTLMSSP)) { + goto done; + } + + DBG_WARNING("SASL bind with Kerberos failed " + "for %s/%s - user[%s], realm[%s]: %s, " + "try to fallback to NTLMSSP\n", + p.service, p.hostname, + ads->auth.user_name, + ads->auth.realm, + ads_errstr(status)); + } +#endif + + /* lets do NTLMSSP ... this has the big advantage that we don't need + to sync clocks, and we don't rely on special versions of the krb5 + library for HMAC_MD4 encryption */ + mech = "NTLMSSP"; + + if (!(ads->auth.flags & ADS_AUTH_ALLOW_NTLMSSP)) { + DBG_WARNING("We can't use NTLMSSP, it is not allowed.\n"); + status = ADS_ERROR_NT(NT_STATUS_NETWORK_CREDENTIAL_CONFLICT); + goto done; + } + + if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED) { + DBG_WARNING("We can't fallback to NTLMSSP, weak crypto is" + " disallowed.\n"); + status = ADS_ERROR_NT(NT_STATUS_NETWORK_CREDENTIAL_CONFLICT); + goto done; + } + + status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO", + CRED_USE_KERBEROS_DISABLED, + p.service, p.hostname, + data_blob_null); +done: + if (!ADS_ERR_OK(status)) { + DEBUG(1,("ads_sasl_spnego_gensec_bind(%s) failed " + "for %s/%s with user[%s] realm=[%s]: %s\n", mech, + p.service, p.hostname, + ads->auth.user_name, + ads->auth.realm, + ads_errstr(status))); + } + ads_free_service_principal(&p); + TALLOC_FREE(frame); + if (blob.data != NULL) { + data_blob_free(&blob); + } + return status; +} + +/* mapping between SASL mechanisms and functions */ +static struct { + const char *name; + ADS_STATUS (*fn)(ADS_STRUCT *); +} sasl_mechanisms[] = { + {"GSS-SPNEGO", ads_sasl_spnego_bind}, + {NULL, NULL} +}; + +ADS_STATUS ads_sasl_bind(ADS_STRUCT *ads) +{ + const char *attrs[] = {"supportedSASLMechanisms", NULL}; + char **values; + ADS_STATUS status; + int i, j; + LDAPMessage *res; + struct ads_saslwrap *wrap = &ads->ldap_wrap_data; + + /* get a list of supported SASL mechanisms */ + status = ads_do_search(ads, "", LDAP_SCOPE_BASE, "(objectclass=*)", attrs, &res); + if (!ADS_ERR_OK(status)) return status; + + values = ldap_get_values(ads->ldap.ld, res, "supportedSASLMechanisms"); + + if (ads->auth.flags & ADS_AUTH_SASL_SEAL) { + wrap->wrap_type = ADS_SASLWRAP_TYPE_SEAL; + } else if (ads->auth.flags & ADS_AUTH_SASL_SIGN) { + wrap->wrap_type = ADS_SASLWRAP_TYPE_SIGN; + } else { + wrap->wrap_type = ADS_SASLWRAP_TYPE_PLAIN; + } + + /* try our supported mechanisms in order */ + for (i=0;sasl_mechanisms[i].name;i++) { + /* see if the server supports it */ + for (j=0;values && values[j];j++) { + if (strcmp(values[j], sasl_mechanisms[i].name) == 0) { + DEBUG(4,("Found SASL mechanism %s\n", values[j])); +retry: + status = sasl_mechanisms[i].fn(ads); + if (status.error_type == ENUM_ADS_ERROR_LDAP && + status.err.rc == LDAP_STRONG_AUTH_REQUIRED && + wrap->wrap_type == ADS_SASLWRAP_TYPE_PLAIN) + { + DEBUG(3,("SASL bin got LDAP_STRONG_AUTH_REQUIRED " + "retrying with signing enabled\n")); + wrap->wrap_type = ADS_SASLWRAP_TYPE_SIGN; + goto retry; + } + ldap_value_free(values); + ldap_msgfree(res); + return status; + } + } + } + + ldap_value_free(values); + ldap_msgfree(res); + return ADS_ERROR(LDAP_AUTH_METHOD_NOT_SUPPORTED); +} + +#endif /* HAVE_LDAP */ + diff --git a/source3/libads/sasl_wrapping.c b/source3/libads/sasl_wrapping.c new file mode 100644 index 0000000..7a58765 --- /dev/null +++ b/source3/libads/sasl_wrapping.c @@ -0,0 +1,351 @@ +/* + Unix SMB/CIFS implementation. + ads sasl wrapping code + Copyright (C) Stefan Metzmacher 2007 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "includes.h" +#include "ads.h" + +void ndr_print_ads_saslwrap_struct(struct ndr_print *ndr, const char *name, const struct ads_saslwrap *r) +{ + ndr_print_struct(ndr, name, "saslwrap"); + ndr->depth++; + ndr_print_uint16(ndr, "wrap_type", r->wrap_type); +#ifdef HAVE_LDAP_SASL_WRAPPING + ndr_print_ptr(ndr, "sbiod", r->sbiod); +#endif /* HAVE_LDAP_SASL_WRAPPING */ + ndr_print_ptr(ndr, "mem_ctx", r->mem_ctx); + ndr_print_ptr(ndr, "wrap_ops", r->wrap_ops); + ndr_print_ptr(ndr, "wrap_private_data", r->wrap_private_data); + ndr_print_struct(ndr, name, "in"); + ndr->depth++; + ndr_print_uint32(ndr, "ofs", r->in.ofs); + ndr_print_uint32(ndr, "needed", r->in.needed); + ndr_print_uint32(ndr, "left", r->in.left); + ndr_print_uint32(ndr, "max_wrapped", r->in.max_wrapped); + ndr_print_uint32(ndr, "min_wrapped", r->in.min_wrapped); + ndr_print_uint32(ndr, "size", r->in.size); + ndr_print_array_uint8(ndr, "buf", r->in.buf, r->in.size); + ndr->depth--; + ndr_print_struct(ndr, name, "out"); + ndr->depth++; + ndr_print_uint32(ndr, "ofs", r->out.ofs); + ndr_print_uint32(ndr, "left", r->out.left); + ndr_print_uint32(ndr, "max_unwrapped", r->out.max_unwrapped); + ndr_print_uint32(ndr, "sig_size", r->out.sig_size); + ndr_print_uint32(ndr, "size", r->out.size); + ndr_print_array_uint8(ndr, "buf", r->out.buf, r->out.size); + ndr->depth--; +} + +#ifdef HAVE_LDAP_SASL_WRAPPING + +static int ads_saslwrap_setup(Sockbuf_IO_Desc *sbiod, void *arg) +{ + struct ads_saslwrap *wrap = (struct ads_saslwrap *)arg; + + wrap->sbiod = (struct Sockbuf_IO_Desc *)sbiod; + + sbiod->sbiod_pvt = wrap; + + return 0; +} + +static int ads_saslwrap_remove(Sockbuf_IO_Desc *sbiod) +{ + return 0; +} + +static ber_slen_t ads_saslwrap_prepare_inbuf(struct ads_saslwrap *wrap) +{ + wrap->in.ofs = 0; + wrap->in.needed = 0; + wrap->in.left = 0; + wrap->in.size = 4 + wrap->in.min_wrapped; + wrap->in.buf = talloc_array(wrap->mem_ctx, + uint8_t, wrap->in.size); + if (!wrap->in.buf) { + return -1; + } + + return 0; +} + +static ber_slen_t ads_saslwrap_grow_inbuf(struct ads_saslwrap *wrap) +{ + if (wrap->in.size == (4 + wrap->in.needed)) { + return 0; + } + + wrap->in.size = 4 + wrap->in.needed; + wrap->in.buf = talloc_realloc(wrap->mem_ctx, + wrap->in.buf, + uint8_t, wrap->in.size); + if (!wrap->in.buf) { + return -1; + } + + return 0; +} + +static void ads_saslwrap_shrink_inbuf(struct ads_saslwrap *wrap) +{ + talloc_free(wrap->in.buf); + + wrap->in.buf = NULL; + wrap->in.size = 0; + wrap->in.ofs = 0; + wrap->in.needed = 0; + wrap->in.left = 0; +} + +static ber_slen_t ads_saslwrap_read(Sockbuf_IO_Desc *sbiod, + void *buf, ber_len_t len) +{ + struct ads_saslwrap *wrap = + (struct ads_saslwrap *)sbiod->sbiod_pvt; + ber_slen_t ret; + + /* If ofs < 4 it means we don't have read the length header yet */ + if (wrap->in.ofs < 4) { + ret = ads_saslwrap_prepare_inbuf(wrap); + if (ret < 0) return ret; + + ret = LBER_SBIOD_READ_NEXT(sbiod, + wrap->in.buf + wrap->in.ofs, + 4 - wrap->in.ofs); + if (ret <= 0) return ret; + wrap->in.ofs += ret; + + if (wrap->in.ofs < 4) goto eagain; + + wrap->in.needed = RIVAL(wrap->in.buf, 0); + if (wrap->in.needed > wrap->in.max_wrapped) { + errno = EINVAL; + return -1; + } + if (wrap->in.needed < wrap->in.min_wrapped) { + errno = EINVAL; + return -1; + } + + ret = ads_saslwrap_grow_inbuf(wrap); + if (ret < 0) return ret; + } + + /* + * if there's more data needed from the remote end, + * we need to read more + */ + if (wrap->in.needed > 0) { + ret = LBER_SBIOD_READ_NEXT(sbiod, + wrap->in.buf + wrap->in.ofs, + wrap->in.needed); + if (ret <= 0) return ret; + wrap->in.ofs += ret; + wrap->in.needed -= ret; + + if (wrap->in.needed > 0) goto eagain; + } + + /* + * if we have a complete packet and have not yet unwrapped it + * we need to call the mech specific unwrap() hook + */ + if (wrap->in.needed == 0 && wrap->in.left == 0) { + ADS_STATUS status; + status = wrap->wrap_ops->unwrap(wrap); + if (!ADS_ERR_OK(status)) { + errno = EACCES; + return -1; + } + } + + /* + * if we have unwrapped data give it to the caller + */ + if (wrap->in.left > 0) { + ret = MIN(wrap->in.left, len); + memcpy(buf, wrap->in.buf + wrap->in.ofs, ret); + wrap->in.ofs += ret; + wrap->in.left -= ret; + + /* + * if no more is left shrink the inbuf, + * this will trigger reading a new SASL packet + * from the remote stream in the next call + */ + if (wrap->in.left == 0) { + ads_saslwrap_shrink_inbuf(wrap); + } + + return ret; + } + + /* + * if we don't have anything for the caller yet, + * tell him to ask again + */ +eagain: + errno = EAGAIN; + return -1; +} + +static ber_slen_t ads_saslwrap_prepare_outbuf(struct ads_saslwrap *wrap, + uint32_t len) +{ + wrap->out.ofs = 0; + wrap->out.left = 0; + wrap->out.size = 4 + wrap->out.sig_size + len; + wrap->out.buf = talloc_array(wrap->mem_ctx, + uint8_t, wrap->out.size); + if (!wrap->out.buf) { + return -1; + } + + return 0; +} + +static void ads_saslwrap_shrink_outbuf(struct ads_saslwrap *wrap) +{ + talloc_free(wrap->out.buf); + + wrap->out.buf = NULL; + wrap->out.size = 0; + wrap->out.ofs = 0; + wrap->out.left = 0; +} + +static ber_slen_t ads_saslwrap_write(Sockbuf_IO_Desc *sbiod, + void *buf, ber_len_t len) +{ + struct ads_saslwrap *wrap = + (struct ads_saslwrap *)sbiod->sbiod_pvt; + ber_slen_t ret, rlen; + + /* if the buffer is empty, we need to wrap in incoming buffer */ + if (wrap->out.left == 0) { + ADS_STATUS status; + + if (len == 0) { + errno = EINVAL; + return -1; + } + + rlen = MIN(len, wrap->out.max_unwrapped); + + ret = ads_saslwrap_prepare_outbuf(wrap, rlen); + if (ret < 0) return ret; + + status = wrap->wrap_ops->wrap(wrap, (uint8_t *)buf, rlen); + if (!ADS_ERR_OK(status)) { + errno = EACCES; + return -1; + } + + RSIVAL(wrap->out.buf, 0, wrap->out.left - 4); + } else { + rlen = -1; + } + + ret = LBER_SBIOD_WRITE_NEXT(sbiod, + wrap->out.buf + wrap->out.ofs, + wrap->out.left); + if (ret <= 0) return ret; + wrap->out.ofs += ret; + wrap->out.left -= ret; + + if (wrap->out.left == 0) { + ads_saslwrap_shrink_outbuf(wrap); + } + + if (rlen > 0) return rlen; + + errno = EAGAIN; + return -1; +} + +static int ads_saslwrap_ctrl(Sockbuf_IO_Desc *sbiod, int opt, void *arg) +{ + struct ads_saslwrap *wrap = + (struct ads_saslwrap *)sbiod->sbiod_pvt; + int ret; + + switch (opt) { + case LBER_SB_OPT_DATA_READY: + if (wrap->in.left > 0) { + return 1; + } + ret = LBER_SBIOD_CTRL_NEXT(sbiod, opt, arg); + break; + default: + ret = LBER_SBIOD_CTRL_NEXT(sbiod, opt, arg); + break; + } + + return ret; +} + +static int ads_saslwrap_close(Sockbuf_IO_Desc *sbiod) +{ + return 0; +} + +static const Sockbuf_IO ads_saslwrap_sockbuf_io = { + ads_saslwrap_setup, /* sbi_setup */ + ads_saslwrap_remove, /* sbi_remove */ + ads_saslwrap_ctrl, /* sbi_ctrl */ + ads_saslwrap_read, /* sbi_read */ + ads_saslwrap_write, /* sbi_write */ + ads_saslwrap_close /* sbi_close */ +}; + +ADS_STATUS ads_setup_sasl_wrapping(struct ads_saslwrap *wrap, LDAP *ld, + const struct ads_saslwrap_ops *ops, + void *private_data) +{ + ADS_STATUS status; + Sockbuf *sb; + Sockbuf_IO *io = discard_const_p(Sockbuf_IO, &ads_saslwrap_sockbuf_io); + int rc; + + rc = ldap_get_option(ld, LDAP_OPT_SOCKBUF, &sb); + status = ADS_ERROR_LDAP(rc); + if (!ADS_ERR_OK(status)) { + return status; + } + + /* setup the real wrapping callbacks */ + rc = ber_sockbuf_add_io(sb, io, LBER_SBIOD_LEVEL_TRANSPORT, wrap); + status = ADS_ERROR_LDAP(rc); + if (!ADS_ERR_OK(status)) { + return status; + } + + wrap->wrap_ops = discard_const(ops); + wrap->wrap_private_data = private_data; + + return ADS_SUCCESS; +} +#else +ADS_STATUS ads_setup_sasl_wrapping(struct ads_saslwrap *wrap, LDAP *ld, + const struct ads_saslwrap_ops *ops, + void *private_data) +{ + return ADS_ERROR_NT(NT_STATUS_NOT_SUPPORTED); +} +#endif /* HAVE_LDAP_SASL_WRAPPING */ diff --git a/source3/libads/sitename_cache.c b/source3/libads/sitename_cache.c new file mode 100644 index 0000000..4bf2ca7 --- /dev/null +++ b/source3/libads/sitename_cache.c @@ -0,0 +1,132 @@ +/* + Unix SMB/CIFS implementation. + DNS utility library + Copyright (C) Gerald (Jerry) Carter 2006. + Copyright (C) Jeremy Allison 2007. + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "includes.h" +#include "libads/sitename_cache.h" +#include "lib/gencache.h" + +/**************************************************************************** + Store and fetch the AD client sitename. +****************************************************************************/ + +#define SITENAME_KEY "AD_SITENAME/DOMAIN/%s" + +static char *sitename_key(TALLOC_CTX *mem_ctx, const char *realm) +{ + char *keystr = talloc_asprintf_strupper_m( + mem_ctx, SITENAME_KEY, realm); + return keystr; +} + + +/**************************************************************************** + Store the AD client sitename. + We store indefinitely as every new CLDAP query will re-write this. +****************************************************************************/ + +bool sitename_store(const char *realm, const char *sitename) +{ + time_t expire; + bool ret = False; + char *key; + + if (!realm || (strlen(realm) == 0)) { + DEBUG(0,("sitename_store: no realm\n")); + return False; + } + + key = sitename_key(talloc_tos(), realm); + + if (!sitename || (sitename && !*sitename)) { + DEBUG(5,("sitename_store: deleting empty sitename!\n")); + ret = gencache_del(key); + TALLOC_FREE(key); + return ret; + } + + expire = get_time_t_max(); /* Store indefinitely. */ + + DEBUG(10,("sitename_store: realm = [%s], sitename = [%s], expire = [%u]\n", + realm, sitename, (unsigned int)expire )); + + ret = gencache_set( key, sitename, expire ); + TALLOC_FREE(key); + return ret; +} + +/**************************************************************************** + Fetch the AD client sitename. + Caller must free. +****************************************************************************/ + +char *sitename_fetch(TALLOC_CTX *mem_ctx, const char *realm) +{ + char *sitename = NULL; + time_t timeout; + bool ret = False; + const char *query_realm; + char *key; + + if (!realm || (strlen(realm) == 0)) { + query_realm = lp_realm(); + } else { + query_realm = realm; + } + + key = sitename_key(talloc_tos(), query_realm); + + ret = gencache_get( key, mem_ctx, &sitename, &timeout ); + TALLOC_FREE(key); + if ( !ret ) { + DBG_INFO("No stored sitename for realm '%s'\n", query_realm); + } else { + DBG_INFO("Returning sitename for realm '%s': \"%s\"\n", + query_realm, sitename); + } + return sitename; +} + +/**************************************************************************** + Did the sitename change ? +****************************************************************************/ + +bool stored_sitename_changed(const char *realm, const char *sitename) +{ + bool ret = False; + + char *new_sitename; + + if (!realm || (strlen(realm) == 0)) { + DEBUG(0,("stored_sitename_changed: no realm\n")); + return False; + } + + new_sitename = sitename_fetch(talloc_tos(), realm); + + if (sitename && new_sitename && !strequal(sitename, new_sitename)) { + ret = True; + } else if ((sitename && !new_sitename) || + (!sitename && new_sitename)) { + ret = True; + } + TALLOC_FREE(new_sitename); + return ret; +} + diff --git a/source3/libads/sitename_cache.h b/source3/libads/sitename_cache.h new file mode 100644 index 0000000..9044964 --- /dev/null +++ b/source3/libads/sitename_cache.h @@ -0,0 +1,28 @@ +/* + Unix SMB/CIFS implementation. + DNS utility library + Copyright (C) Gerald (Jerry) Carter 2006. + Copyright (C) Jeremy Allison 2007. + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#ifndef _LIBADS_SITENAME_CACHE_H_ +#define _LIBADS_SITENAME_CACHE_H_ + +bool sitename_store(const char *realm, const char *sitename); +char *sitename_fetch(TALLOC_CTX *mem_ctx, const char *realm); +bool stored_sitename_changed(const char *realm, const char *sitename); + +#endif /* _LIBADS_SITENAME_CACHE_H_ */ diff --git a/source3/libads/util.c b/source3/libads/util.c new file mode 100644 index 0000000..a1e33fd --- /dev/null +++ b/source3/libads/util.c @@ -0,0 +1,236 @@ +/* + Unix SMB/CIFS implementation. + krb5 set password implementation + Copyright (C) Remus Koos 2001 (remuskoos@yahoo.com) + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "includes.h" +#include "ads.h" +#include "secrets.h" +#include "librpc/gen_ndr/ndr_secrets.h" + +#ifdef HAVE_KRB5 +ADS_STATUS ads_change_trust_account_password(ADS_STRUCT *ads, char *host_principal) +{ + const char *password = NULL; + const char *new_password = NULL; + ADS_STATUS ret; + const char *domain = lp_workgroup(); + struct secrets_domain_info1 *info = NULL; + struct secrets_domain_info1_change *prev = NULL; + const DATA_BLOB *cleartext_blob = NULL; + DATA_BLOB pw_blob = data_blob_null; + DATA_BLOB new_pw_blob = data_blob_null; + NTSTATUS status; + struct timeval tv = timeval_current(); + NTTIME now = timeval_to_nttime(&tv); + int role = lp_server_role(); + bool ok; + + if (role != ROLE_DOMAIN_MEMBER) { + DBG_ERR("Machine account password change only supported on a DOMAIN_MEMBER.\n"); + return ADS_ERROR_NT(NT_STATUS_INVALID_SERVER_STATE); + } + + new_password = trust_pw_new_value(talloc_tos(), SEC_CHAN_WKSTA, SEC_ADS); + if (new_password == NULL) { + ret = ADS_ERROR_SYSTEM(errno); + DEBUG(1,("Failed to generate machine password\n")); + return ret; + } + + status = secrets_prepare_password_change(domain, + ads->auth.kdc_server, + new_password, + talloc_tos(), + &info, &prev); + if (!NT_STATUS_IS_OK(status)) { + return ADS_ERROR_NT(status); + } + if (prev != NULL) { + status = NT_STATUS_REQUEST_NOT_ACCEPTED; + secrets_failed_password_change("localhost", + status, + NT_STATUS_NOT_COMMITTED, + info); + return ADS_ERROR_NT(status); + } + + cleartext_blob = &info->password->cleartext_blob; + ok = convert_string_talloc(talloc_tos(), CH_UTF16MUNGED, CH_UNIX, + cleartext_blob->data, + cleartext_blob->length, + (void **)&pw_blob.data, + &pw_blob.length); + if (!ok) { + status = NT_STATUS_UNMAPPABLE_CHARACTER; + if (errno == ENOMEM) { + status = NT_STATUS_NO_MEMORY; + } + DBG_ERR("convert_string_talloc(CH_UTF16MUNGED, CH_UNIX) " + "failed for password of %s - %s\n", + domain, nt_errstr(status)); + return ADS_ERROR_NT(status); + } + password = (const char *)pw_blob.data; + + cleartext_blob = &info->next_change->password->cleartext_blob; + ok = convert_string_talloc(talloc_tos(), CH_UTF16MUNGED, CH_UNIX, + cleartext_blob->data, + cleartext_blob->length, + (void **)&new_pw_blob.data, + &new_pw_blob.length); + if (!ok) { + status = NT_STATUS_UNMAPPABLE_CHARACTER; + if (errno == ENOMEM) { + status = NT_STATUS_NO_MEMORY; + } + DBG_ERR("convert_string_talloc(CH_UTF16MUNGED, CH_UNIX) " + "failed for new_password of %s - %s\n", + domain, nt_errstr(status)); + secrets_failed_password_change("localhost", + status, + NT_STATUS_NOT_COMMITTED, + info); + return ADS_ERROR_NT(status); + } + talloc_keep_secret(new_pw_blob.data); + new_password = (const char *)new_pw_blob.data; + + ret = kerberos_set_password(ads->auth.kdc_server, host_principal, password, host_principal, new_password, ads->auth.time_offset); + + if (!ADS_ERR_OK(ret)) { + status = ads_ntstatus(ret); + DBG_ERR("kerberos_set_password(%s, %s) " + "failed for new_password of %s - %s\n", + ads->auth.kdc_server, host_principal, + domain, nt_errstr(status)); + secrets_failed_password_change(ads->auth.kdc_server, + NT_STATUS_NOT_COMMITTED, + status, + info); + return ret; + } + + status = secrets_finish_password_change(ads->auth.kdc_server, now, info); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1,("Failed to save machine password\n")); + return ADS_ERROR_NT(status); + } + + return ADS_SUCCESS; +} +#endif + +/** +* @brief Parses windows style SPN service/host:port/servicename +* serviceclass - A string that identifies the general class of service +* e.g. 'http' +* host - A netbios name or fully-qualified DNS name +* port - An optional TCP or UDP port number +* servicename - An optional distinguished name, GUID, DNS name or +* DNS name of an SRV or MX record. (not needed for host +* based services) +* +* @param[in] ctx - Talloc context. +* @param[in] srvprinc - The service principal +* +* @return - struct spn_struct containing the fields parsed or NULL +* if srvprinc could not be parsed. +*/ +struct spn_struct *parse_spn(TALLOC_CTX *ctx, const char *srvprinc) +{ + struct spn_struct * result = NULL; + char *tmp = NULL; + char *port_str = NULL; + char *host_str = NULL; + + result = talloc_zero(ctx, struct spn_struct); + if (result == NULL) { + DBG_ERR("Out of memory\n"); + return NULL; + } + + result->serviceclass = talloc_strdup(result, srvprinc); + if (result->serviceclass == NULL) { + DBG_ERR("Out of memory\n"); + goto fail; + } + result->port = -1; + + tmp = strchr_m(result->serviceclass, '/'); + if (tmp == NULL) { + /* illegal */ + DBG_ERR("Failed to parse spn %s, no host definition\n", + srvprinc); + goto fail; + } + + /* terminate service principal */ + *tmp = '\0'; + tmp++; + host_str = tmp; + + tmp = strchr_m(host_str, ':'); + if (tmp != NULL) { + *tmp = '\0'; + tmp++; + port_str = tmp; + } else { + tmp = host_str; + } + + tmp = strchr_m(tmp, '/'); + if (tmp != NULL) { + *tmp = '\0'; + tmp++; + result->servicename = tmp; + } + + if (strlen(host_str) == 0) { + /* illegal */ + DBG_ERR("Failed to parse spn %s, illegal host definition\n", + srvprinc); + goto fail; + } + result->host = host_str; + + if (result->servicename != NULL && (strlen(result->servicename) == 0)) { + DBG_ERR("Failed to parse spn %s, empty servicename " + "definition\n", srvprinc); + goto fail; + } + if (port_str != NULL) { + if (strlen(port_str) == 0) { + DBG_ERR("Failed to parse spn %s, empty port " + "definition\n", srvprinc); + goto fail; + } + result->port = (int32_t)strtol(port_str, NULL, 10); + if (result->port <= 0 + || result->port > 65535 + || errno == ERANGE) { + DBG_ERR("Failed to parse spn %s, port number " + "conversion failed\n", srvprinc); + errno = 0; + goto fail; + } + } + return result; +fail: + TALLOC_FREE(result); + return NULL; +} |