#include "ads.h"
#include "libads/sitename_cache.h"
#include "libads/cldap.h"
-#include "libads/dns.h"
+#include "../lib/addns/dnsquery.h"
#include "../libds/common/flags.h"
+#include "smbldap.h"
+#include "../libcli/security/security.h"
+#include "../librpc/gen_ndr/netlogon.h"
+#include "lib/param/loadparm.h"
+#include "libsmb/namequery.h"
#ifdef HAVE_LDAP
gotalarm = 1;
}
- LDAP *ldap_open_with_timeout(const char *server, int port, unsigned int to)
+ LDAP *ldap_open_with_timeout(const char *server,
+ struct sockaddr_storage *ss,
+ int port, unsigned int to)
{
LDAP *ldp = NULL;
-
+ int ldap_err;
+ char *uri;
DEBUG(10, ("Opening connection to LDAP server '%s:%d', timeout "
"%u seconds\n", server, port, to));
- /* Setup timeout */
- gotalarm = 0;
- CatchSignal(SIGALRM, gotalarm_sig);
- alarm(to);
- /* End setup timeout. */
+ if (to) {
+ /* Setup timeout */
+ gotalarm = 0;
+ CatchSignal(SIGALRM, gotalarm_sig);
+ alarm(to);
+ /* End setup timeout. */
+ }
- ldp = ldap_open(server, port);
+ if ( strchr_m(server, ':') ) {
+ /* IPv6 URI */
+ uri = talloc_asprintf(talloc_tos(), "ldap://[%s]:%u", server, port);
+ } else {
+ /* IPv4 URI */
+ uri = talloc_asprintf(talloc_tos(), "ldap://%s:%u", server, port);
+ }
+ if (uri == NULL) {
+ return NULL;
+ }
- if (ldp == NULL) {
- DEBUG(2,("Could not open connection to LDAP server %s:%d: %s\n",
- server, port, strerror(errno)));
+#ifdef HAVE_LDAP_INITIALIZE
+ ldap_err = ldap_initialize(&ldp, uri);
+#else
+ ldp = ldap_open(server, port);
+ if (ldp != NULL) {
+ ldap_err = LDAP_SUCCESS;
} else {
- DEBUG(10, ("Connected to LDAP server '%s:%d'\n", server, port));
+ ldap_err = LDAP_OTHER;
+ }
+#endif
+ if (ldap_err != LDAP_SUCCESS) {
+ DEBUG(2,("Could not initialize connection for LDAP server '%s': %s\n",
+ uri, ldap_err2string(ldap_err)));
+ } else {
+ DEBUG(10, ("Initialized connection for LDAP server '%s'\n", uri));
}
- /* Teardown timeout. */
- CatchSignal(SIGALRM, SIG_IGN);
- alarm(0);
+ if (to) {
+ /* Teardown timeout. */
+ alarm(0);
+ CatchSignal(SIGALRM, SIG_IGN);
+ }
return ldp;
}
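Review bot: The `if (uri == NULL) return NULL;` path returns with the alarm still armed and `gotalarm_sig` still installed when `to` is non-zero, so a SIGALRM can fire later in unrelated code; build `uri` before the `if (to)` setup block, or cancel on that path with `alarm(0); CatchSignal(SIGALRM, SIG_IGN);`. Separately, `ldap_initialize()` only allocates the handle and does not connect, so in the `HAVE_LDAP_INITIALIZE` branch the alarm no longer bounds connection establishment. If the timeout is meant to protect against an unresponsive server, it has to be applied where the connection is actually made, which is not visible in these lines. The new `ss` parameter is unused in the lines shown, and `port` is an `int` formatted with `%u`.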
int sizelimit,
LDAPMessage **res )
{
+ int to = lp_ldap_timeout();
struct timeval timeout;
+ struct timeval *timeout_ptr = NULL;
int result;
/* Setup timeout for the ldap_search_ext_s call - local and remote. */
- timeout.tv_sec = lp_ldap_timeout();
- timeout.tv_usec = 0;
-
- /* Setup alarm timeout.... Do we need both of these ? JRA. */
gotalarm = 0;
- CatchSignal(SIGALRM, gotalarm_sig);
- alarm(lp_ldap_timeout());
- /* End setup timeout. */
+
+ if (to) {
+ timeout.tv_sec = to;
+ timeout.tv_usec = 0;
+ timeout_ptr = &timeout;
+
+ /* Setup alarm timeout. */
+ CatchSignal(SIGALRM, gotalarm_sig);
+ /* Make the alarm time one second beyond
+ the timout we're setting for the
+ remote search timeout, to allow that
+ to fire in preference. */
+ alarm(to+1);
+ /* End setup timeout. */
+ }
+
result = ldap_search_ext_s(ld, base, scope, filter, attrs,
- attrsonly, sctrls, cctrls, &timeout,
+ attrsonly, sctrls, cctrls, timeout_ptr,
sizelimit, res);
- /* Teardown timeout. */
- CatchSignal(SIGALRM, SIG_IGN);
- alarm(0);
+ if (to) {
+ /* Teardown alarm timeout. */
+ CatchSignal(SIGALRM, SIG_IGN);
+ alarm(0);
+ }
if (gotalarm != 0)
return LDAP_TIMELIMIT_EXCEEDED;
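Review bot: `if (to)` treats a negative `lp_ldap_timeout()` as an enabled timeout, which would put a negative value in `timeout.tv_sec` and hand a wrapped value to `alarm(to+1)`; `if (to > 0)` in both the setup and teardown blocks avoids that (whether the parameter can be negative is not visible here). With `to == 0` the search now runs with a NULL timeout and no alarm, so a server that never answers blocks the caller indefinitely. A comment such as `/* ldap timeout = 0 disables both the local alarm and the search time limit */` would make that explicit. The function starts and continues outside these lines.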
try a connection to a given ldap server, returning True and setting the servers IP
in the ads struct if successful
*/
-static bool ads_try_connect(ADS_STRUCT *ads, const char *server, bool gc)
+static bool ads_try_connect(ADS_STRUCT *ads, bool gc,
+ struct sockaddr_storage *ss)
{
- char *srv;
struct NETLOGON_SAM_LOGON_RESPONSE_EX cldap_reply;
TALLOC_CTX *frame = talloc_stackframe();
bool ret = false;
+ char addr[INET6_ADDRSTRLEN];
- if (!server || !*server) {
+ if (ss == NULL) {
TALLOC_FREE(frame);
return False;
}
- if (!is_ipaddress(server)) {
- struct sockaddr_storage ss;
- char addr[INET6_ADDRSTRLEN];
-
- if (!resolve_name(server, &ss, 0x20, true)) {
- DEBUG(5,("ads_try_connect: unable to resolve name %s\n",
- server ));
- TALLOC_FREE(frame);
- return false;
- }
- print_sockaddr(addr, sizeof(addr), &ss);
- srv = talloc_strdup(frame, addr);
- } else {
- /* this copes with inet_ntoa brokenness */
- srv = talloc_strdup(frame, server);
- }
-
- if (!srv) {
- TALLOC_FREE(frame);
- return false;
- }
+ print_sockaddr(addr, sizeof(addr), ss);
DEBUG(5,("ads_try_connect: sending CLDAP request to %s (realm: %s)\n",
- srv, ads->server.realm));
+ addr, ads->server.realm));
ZERO_STRUCT( cldap_reply );
- if ( !ads_cldap_netlogon_5(frame, srv, ads->server.realm, &cldap_reply ) ) {
- DEBUG(3,("ads_try_connect: CLDAP request %s failed.\n", srv));
+ if ( !ads_cldap_netlogon_5(frame, ss, ads->server.realm, &cldap_reply ) ) {
+ DEBUG(3,("ads_try_connect: CLDAP request %s failed.\n", addr));
ret = false;
goto out;
}
if ( !(cldap_reply.server_type & NBT_SERVER_LDAP) ) {
DEBUG(1,("ads_try_connect: %s's CLDAP reply says it is not an LDAP server!\n",
- srv));
+ addr));
ret = false;
goto out;
}
SAFE_FREE(ads->config.client_site_name);
SAFE_FREE(ads->server.workgroup);
- ads->config.flags = cldap_reply.server_type;
+ if (!check_cldap_reply_required_flags(cldap_reply.server_type,
+ ads->config.flags)) {
+ ret = false;
+ goto out;
+ }
+
ads->config.ldap_server_name = SMB_STRDUP(cldap_reply.pdc_dns_name);
ads->config.realm = SMB_STRDUP(cldap_reply.dns_domain);
- strupper_m(ads->config.realm);
+ if (!strupper_m(ads->config.realm)) {
+ ret = false;
+ goto out;
+ }
+
ads->config.bind_path = ads_build_dn(ads->config.realm);
if (*cldap_reply.server_site) {
ads->config.server_site_name =
ads->server.workgroup = SMB_STRDUP(cldap_reply.domain_name);
ads->ldap.port = gc ? LDAP_GC_PORT : LDAP_PORT;
- if (!interpret_string_addr(&ads->ldap.ss, srv, 0)) {
- DEBUG(1,("ads_try_connect: unable to convert %s "
- "to an address\n",
- srv));
- ret = false;
- goto out;
- }
+ ads->ldap.ss = *ss;
/* Store our site name. */
sitename_store( cldap_reply.domain_name, cldap_reply.client_site);
sitename_store( cldap_reply.dns_domain, cldap_reply.client_site);
+ /* Leave this until last so that the flags are not clobbered */
+ ads->config.flags = cldap_reply.server_type;
+
ret = true;
out:
}
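Review bot: The new `goto out` paths for `check_cldap_reply_required_flags()` and `strupper_m()` run after `SAFE_FREE(ads->server.workgroup)`, so a candidate that is rejected still leaves `ads->server.workgroup` freed. `ads_find_dc()` sets `c_domain = ads->server.workgroup` and passes it down as `domain` to `cldap_ping_list()`, which uses it in `add_failed_connection_entry(domain, server, ...)` right after the failed `ads_try_connect()`, and `ads_find_dc()` prints it in its final DEBUG; as far as the visible lines show, that pointer is dangling by then. Moving the flags check above the two `SAFE_FREE` calls (it only reads `cldap_reply.server_type` and `ads->config.flags`) and deferring the frees until every check has passed would keep the caller's inputs intact on failure. Part of this function lies outside the lines shown.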
/**********************************************************************
- Try to find an AD dc using our internal name resolution routines
- Try the realm first and then then workgroup name if netbios is not
- disabled
+ send a cldap ping to list of servers, one at a time, until one of
+ them answers it's an ldap server. Record success in the ADS_STRUCT.
+ Take note of and update negative connection cache.
**********************************************************************/
-static NTSTATUS ads_find_dc(ADS_STRUCT *ads)
+static NTSTATUS cldap_ping_list(ADS_STRUCT *ads,const char *domain,
+ struct ip_service *ip_list, int count)
{
- const char *c_domain;
- const char *c_realm;
- int count, i=0;
- struct ip_service *ip_list;
- const char *realm;
- const char *domain;
- bool got_realm = False;
- bool use_own_domain = False;
- char *sitename;
- NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
-
- /* if the realm and workgroup are both empty, assume they are ours */
+ int i;
+ bool ok;
- /* realm */
- c_realm = ads->server.realm;
+ for (i = 0; i < count; i++) {
+ char server[INET6_ADDRSTRLEN];
- if ( !c_realm || !*c_realm ) {
- /* special case where no realm and no workgroup means our own */
- if ( !ads->server.workgroup || !*ads->server.workgroup ) {
- use_own_domain = True;
- c_realm = lp_realm();
- }
- }
+ print_sockaddr(server, sizeof(server), &ip_list[i].ss);
- if (c_realm && *c_realm)
- got_realm = True;
+ if (!NT_STATUS_IS_OK(
+ check_negative_conn_cache(domain, server)))
+ continue;
- /* we need to try once with the realm name and fallback to the
- netbios domain name if we fail (if netbios has not been disabled */
+ /* Returns ok only if it matches the correct server type */
+ ok = ads_try_connect(ads, false, &ip_list[i].ss);
- if ( !got_realm && !lp_disable_netbios() ) {
- c_realm = ads->server.workgroup;
- if (!c_realm || !*c_realm) {
- if ( use_own_domain )
- c_realm = lp_workgroup();
+ if (ok) {
+ return NT_STATUS_OK;
}
- }
- if ( !c_realm || !*c_realm ) {
- DEBUG(0,("ads_find_dc: no realm or workgroup! Don't know what to do\n"));
- return NT_STATUS_INVALID_PARAMETER; /* rather need MISSING_PARAMETER ... */
- }
-
- if ( use_own_domain ) {
- c_domain = lp_workgroup();
- } else {
- c_domain = ads->server.workgroup;
+ /* keep track of failures */
+ add_failed_connection_entry(domain, server,
+ NT_STATUS_UNSUCCESSFUL);
}
- realm = c_realm;
- domain = c_domain;
-
- /*
- * In case of LDAP we use get_dc_name() as that
- * creates the custom krb5.conf file
- */
- if (!(ads->auth.flags & ADS_AUTH_NO_BIND)) {
- fstring srv_name;
- struct sockaddr_storage ip_out;
-
- DEBUG(6,("ads_find_dc: (ldap) looking for %s '%s'\n",
- (got_realm ? "realm" : "domain"), realm));
-
- if (get_dc_name(domain, realm, srv_name, &ip_out)) {
- /*
- * we call ads_try_connect() to fill in the
- * ads->config details
- */
- if (ads_try_connect(ads, srv_name, false)) {
- return NT_STATUS_OK;
- }
- }
-
- return NT_STATUS_NO_LOGON_SERVERS;
- }
+ return NT_STATUS_NO_LOGON_SERVERS;
+}
- sitename = sitename_fetch(realm);
+/***************************************************************************
+ resolve a name and perform an "ldap ping" using NetBIOS and related methods
+****************************************************************************/
- again:
+static NTSTATUS resolve_and_ping_netbios(ADS_STRUCT *ads,
+ const char *domain, const char *realm)
+{
+ int count, i;
+ struct ip_service *ip_list;
+ NTSTATUS status;
- DEBUG(6,("ads_find_dc: (cldap) looking for %s '%s'\n",
- (got_realm ? "realm" : "domain"), realm));
+ DEBUG(6, ("resolve_and_ping_netbios: (cldap) looking for domain '%s'\n",
+ domain));
- status = get_sorted_dc_list(realm, sitename, &ip_list, &count, got_realm);
+ status = get_sorted_dc_list(domain, NULL, &ip_list, &count,
+ false);
if (!NT_STATUS_IS_OK(status)) {
- /* fall back to netbios if we can */
- if ( got_realm && !lp_disable_netbios() ) {
- got_realm = False;
- goto again;
- }
-
- SAFE_FREE(sitename);
return status;
}
- /* if we fail this loop, then giveup since all the IP addresses returned were dead */
- for ( i=0; i<count; i++ ) {
- char server[INET6_ADDRSTRLEN];
+ /* remove servers which are known to be dead based on
+ the corresponding DNS method */
+ if (*realm) {
+ for (i = 0; i < count; ++i) {
+ char server[INET6_ADDRSTRLEN];
- print_sockaddr(server, sizeof(server), &ip_list[i].ss);
-
- if ( !NT_STATUS_IS_OK(check_negative_conn_cache(realm, server)) )
- continue;
+ print_sockaddr(server, sizeof(server), &ip_list[i].ss);
- if (!got_realm) {
- /* realm in this case is a workgroup name. We need
- to ignore any IP addresses in the negative connection
- cache that match ip addresses returned in the ad realm
- case. It sucks that I have to reproduce the logic above... */
- c_realm = ads->server.realm;
- if ( !c_realm || !*c_realm ) {
- if ( !ads->server.workgroup || !*ads->server.workgroup ) {
- c_realm = lp_realm();
- }
- }
- if (c_realm && *c_realm &&
- !NT_STATUS_IS_OK(check_negative_conn_cache(c_realm, server))) {
+ if(!NT_STATUS_IS_OK(
+ check_negative_conn_cache(realm, server))) {
/* Ensure we add the workgroup name for this
IP address as negative too. */
- add_failed_connection_entry( realm, server, NT_STATUS_UNSUCCESSFUL );
- continue;
+ add_failed_connection_entry(
+ domain, server,
+ NT_STATUS_UNSUCCESSFUL);
}
}
-
- if ( ads_try_connect(ads, server, false) ) {
- SAFE_FREE(ip_list);
- SAFE_FREE(sitename);
- return NT_STATUS_OK;
- }
-
- /* keep track of failures */
- add_failed_connection_entry( realm, server, NT_STATUS_UNSUCCESSFUL );
}
- SAFE_FREE(ip_list);
+ status = cldap_ping_list(ads, domain, ip_list, count);
- /* In case we failed to contact one of our closest DC on our site we
- * need to try to find another DC, retry with a site-less SRV DNS query
- * - Guenther */
-
- if (sitename) {
- DEBUG(1,("ads_find_dc: failed to find a valid DC on our site (%s), "
- "trying to find another DC\n", sitename));
- SAFE_FREE(sitename);
- namecache_delete(realm, 0x1C);
- goto again;
- }
+ SAFE_FREE(ip_list);
- return NT_STATUS_NO_LOGON_SERVERS;
+ return status;
}
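Review bot: `ip_list` is left uninitialised in `resolve_and_ping_netbios()` and is not freed when `get_sorted_dc_list()` fails, while the sibling `resolve_and_ping_dns()` initialises it to NULL and calls `SAFE_FREE(ip_list)` on the error path; the two should agree, e.g. `struct ip_service *ip_list = NULL;` plus `SAFE_FREE(ip_list);` before `return status;`. The comment "remove servers which are known to be dead" describes the effect only indirectly: the loop adds negative-cache entries under `domain` so that `cldap_ping_list()` skips those addresses, and the comment should say so. `*realm` is dereferenced without a NULL check, which relies on the caller always passing a non-NULL string.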
-/*********************************************************************
- *********************************************************************/
-static NTSTATUS ads_lookup_site(void)
-{
- ADS_STRUCT *ads = NULL;
- ADS_STATUS ads_status;
- NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
+/**********************************************************************
+ resolve a name and perform an "ldap ping" using DNS
+**********************************************************************/
- ads = ads_init(lp_realm(), NULL, NULL);
- if (!ads) {
- return NT_STATUS_NO_MEMORY;
- }
+static NTSTATUS resolve_and_ping_dns(ADS_STRUCT *ads, const char *sitename,
+ const char *realm)
+{
+ int count;
+ struct ip_service *ip_list = NULL;
+ NTSTATUS status;
- /* The NO_BIND here will find a DC and set the client site
- but not establish the TCP connection */
+ DEBUG(6, ("resolve_and_ping_dns: (cldap) looking for realm '%s'\n",
+ realm));
- ads->auth.flags = ADS_AUTH_NO_BIND;
- ads_status = ads_connect(ads);
- if (!ADS_ERR_OK(ads_status)) {
- DEBUG(4, ("ads_lookup_site: ads_connect to our realm failed! (%s)\n",
- ads_errstr(ads_status)));
+ status = get_sorted_dc_list(realm, sitename, &ip_list, &count,
+ true);
+ if (!NT_STATUS_IS_OK(status)) {
+ SAFE_FREE(ip_list);
+ return status;
}
- nt_status = ads_ntstatus(ads_status);
- if (ads) {
- ads_destroy(&ads);
- }
+ status = cldap_ping_list(ads, realm, ip_list, count);
- return nt_status;
+ SAFE_FREE(ip_list);
+
+ return status;
}
-/*********************************************************************
- *********************************************************************/
+/**********************************************************************
+ Try to find an AD dc using our internal name resolution routines
+ Try the realm first and then then workgroup name if netbios is not
+ disabled
+**********************************************************************/
-static const char* host_dns_domain(const char *fqdn)
+static NTSTATUS ads_find_dc(ADS_STRUCT *ads)
{
- const char *p = fqdn;
-
- /* go to next char following '.' */
+ const char *c_domain = "";
+ const char *c_realm;
+ bool use_own_domain = False;
+ char *sitename = NULL;
+ NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
+ bool ok = false;
- if ((p = strchr_m(fqdn, '.')) != NULL) {
- p++;
- }
+ /* if the realm and workgroup are both empty, assume they are ours */
- return p;
-}
+ /* realm */
+ c_realm = ads->server.realm;
+ if (c_realm == NULL)
+ c_realm = "";
-/**
- * Connect to the Global Catalog server
- * @param ads Pointer to an existing ADS_STRUCT
- * @return status of connection
- *
- * Simple wrapper around ads_connect() that fills in the
- * GC ldap server information
- **/
-
-ADS_STATUS ads_connect_gc(ADS_STRUCT *ads)
-{
- TALLOC_CTX *frame = talloc_stackframe();
- struct dns_rr_srv *gcs_list;
- int num_gcs;
- char *realm = ads->server.realm;
- NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
- ADS_STATUS ads_status = ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
- int i;
- bool done = false;
- char *sitename = NULL;
+ if (!*c_realm) {
+ /* special case where no realm and no workgroup means our own */
+ if ( !ads->server.workgroup || !*ads->server.workgroup ) {
+ use_own_domain = True;
+ c_realm = lp_realm();
+ }
+ }
- if (!realm)
- realm = lp_realm();
+ if (!lp_disable_netbios()) {
+ if (use_own_domain) {
+ c_domain = lp_workgroup();
+ } else {
+ c_domain = ads->server.workgroup;
+ if (!*c_realm && (!c_domain || !*c_domain)) {
+ c_domain = lp_workgroup();
+ }
+ }
- if ((sitename = sitename_fetch(realm)) == NULL) {
- ads_lookup_site();
- sitename = sitename_fetch(realm);
+ if (!c_domain) {
+ c_domain = "";
+ }
}
- do {
- /* We try once with a sitename and once without
- (unless we don't have a sitename and then we're
- done */
-
- if (sitename == NULL)
- done = true;
+ if (!*c_realm && !*c_domain) {
+ DEBUG(0, ("ads_find_dc: no realm or workgroup! Don't know "
+ "what to do\n"));
+ return NT_STATUS_INVALID_PARAMETER; /* rather need MISSING_PARAMETER ... */
+ }
- nt_status = ads_dns_query_gcs(frame, realm, sitename,
- &gcs_list, &num_gcs);
+ /*
+ * In case of LDAP we use get_dc_name() as that
+ * creates the custom krb5.conf file
+ */
+ if (!(ads->auth.flags & ADS_AUTH_NO_BIND)) {
+ fstring srv_name;
+ struct sockaddr_storage ip_out;
- SAFE_FREE(sitename);
+ DEBUG(6, ("ads_find_dc: (ldap) looking for realm '%s'"
+ " and falling back to domain '%s'\n",
+ c_realm, c_domain));
- if (!NT_STATUS_IS_OK(nt_status)) {
- ads_status = ADS_ERROR_NT(nt_status);
- goto done;
+ ok = get_dc_name(c_domain, c_realm, srv_name, &ip_out);
+ if (ok) {
+ /*
+ * we call ads_try_connect() to fill in the
+ * ads->config details
+ */
+ ok = ads_try_connect(ads, false, &ip_out);
+ if (ok) {
+ return NT_STATUS_OK;
+ }
}
- /* Loop until we get a successful connection or have gone
- through them all. When connecting a GC server, make sure that
- the realm is the server's DNS name and not the forest root */
-
- for (i=0; i<num_gcs; i++) {
- ads->server.gc = true;
- ads->server.ldap_server = SMB_STRDUP(gcs_list[i].hostname);
- ads->server.realm = SMB_STRDUP(host_dns_domain(ads->server.ldap_server));
- ads_status = ads_connect(ads);
- if (ADS_ERR_OK(ads_status)) {
- /* Reset the bind_dn to "". A Global Catalog server
- may host multiple domain trees in a forest.
- Windows 2003 GC server will accept "" as the search
- path to imply search all domain trees in the forest */
+ return NT_STATUS_NO_LOGON_SERVERS;
+ }
- SAFE_FREE(ads->config.bind_path);
- ads->config.bind_path = SMB_STRDUP("");
+ if (*c_realm) {
+ sitename = sitename_fetch(talloc_tos(), c_realm);
+ status = resolve_and_ping_dns(ads, sitename, c_realm);
+ if (NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(sitename);
+ return status;
+ }
- goto done;
+ /* In case we failed to contact one of our closest DC on our
+ * site we
+ * need to try to find another DC, retry with a site-less SRV
+ * DNS query
+ * - Guenther */
+
+ if (sitename) {
+ DEBUG(3, ("ads_find_dc: failed to find a valid DC on "
+ "our site (%s), Trying to find another DC "
+ "for realm '%s' (domain '%s')\n",
+ sitename, c_realm, c_domain));
+ namecache_delete(c_realm, 0x1C);
+ status =
+ resolve_and_ping_dns(ads, NULL, c_realm);
+
+ if (NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(sitename);
+ return status;
}
- SAFE_FREE(ads->server.ldap_server);
- SAFE_FREE(ads->server.realm);
}
- TALLOC_FREE(gcs_list);
- num_gcs = 0;
- } while (!done);
-
-done:
- SAFE_FREE(sitename);
- talloc_destroy(frame);
+ TALLOC_FREE(sitename);
+ }
- return ads_status;
-}
+ /* try netbios as fallback - if permitted,
+ or if configuration specifically requests it */
+ if (*c_domain) {
+ if (*c_realm) {
+ DEBUG(3, ("ads_find_dc: falling back to netbios "
+ "name resolution for domain '%s' (realm '%s')\n",
+ c_domain, c_realm));
+ }
+ status = resolve_and_ping_netbios(ads, c_domain, c_realm);
+ if (NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ }
+ DEBUG(1, ("ads_find_dc: "
+ "name resolution for realm '%s' (domain '%s') failed: %s\n",
+ c_realm, c_domain, nt_errstr(status)));
+ return status;
+}
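Review bot: The NetBIOS fallback at the end of `ads_find_dc()` is taken whenever `c_domain` is non-empty, which the earlier block allows whenever `lp_disable_netbios()` is false and a workgroup is known, including when a realm was supplied and only the DNS lookups failed. That widens DC discovery from DNS SRV lookups to NetBIOS name resolution, and the only trace is a `DEBUG(3, ...)` line. A comment above `if (*c_domain)` stating that `lp_disable_netbios()` is the sole gate, and a more visible log level for the fallback message, would help operators who expect DNS-only discovery.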
/**
* Connect to the LDAP server
* @param ads Pointer to an existing ADS_STRUCT
char addr[INET6_ADDRSTRLEN];
ZERO_STRUCT(ads->ldap);
+ ZERO_STRUCT(ads->ldap_wrap_data);
ads->ldap.last_attempt = time_mono(NULL);
- ads->ldap.wrap_type = ADS_SASLWRAP_TYPE_PLAIN;
+ ads->ldap_wrap_data.wrap_type = ADS_SASLWRAP_TYPE_PLAIN;
/* try with a user specified server */
TALLOC_FREE(s);
}
- if (ads->server.ldap_server)
- {
- if (ads_try_connect(ads, ads->server.ldap_server, ads->server.gc)) {
+ if (ads->server.ldap_server) {
+ bool ok = false;
+ struct sockaddr_storage ss;
+
+ ok = resolve_name(ads->server.ldap_server, &ss, 0x20, true);
+ if (!ok) {
+ DEBUG(5,("ads_connect: unable to resolve name %s\n",
+ ads->server.ldap_server));
+ status = ADS_ERROR_NT(NT_STATUS_NOT_FOUND);
+ goto out;
+ }
+ ok = ads_try_connect(ads, ads->server.gc, &ss);
+ if (ok) {
goto got_connection;
}
if (ads->server.gc == true) {
return ADS_ERROR(LDAP_OPERATIONS_ERROR);
}
+
+ if (ads->server.no_fallback) {
+ status = ADS_ERROR_NT(NT_STATUS_NOT_FOUND);
+ goto out;
+ }
}
ntstatus = ads_find_dc(ads);
/* Must use the userPrincipalName value here or sAMAccountName
and not servicePrincipalName; found by Guenther Deschner */
- if (asprintf(&ads->auth.user_name, "%s$", global_myname() ) == -1) {
+ if (asprintf(&ads->auth.user_name, "%s$", lp_netbios_name() ) == -1) {
DEBUG(0,("ads_connect: asprintf fail.\n"));
ads->auth.user_name = NULL;
}
ads->auth.kdc_server = SMB_STRDUP(addr);
}
-#if KRB5_DNS_HACK
- /* this is a really nasty hack to avoid ADS DNS problems. It needs a patch
- to MIT kerberos to work (tridge) */
- {
- char *env = NULL;
- if (asprintf(&env, "KRB5_KDC_ADDRESS_%s", ads->config.realm) > 0) {
- setenv(env, ads->auth.kdc_server, 1);
- free(env);
- }
- }
-#endif
-
/* If the caller() requested no LDAP bind, then we are done */
if (ads->auth.flags & ADS_AUTH_NO_BIND) {
goto out;
}
- ads->ldap.mem_ctx = talloc_init("ads LDAP connection memory");
- if (!ads->ldap.mem_ctx) {
+ ads->ldap_wrap_data.mem_ctx = talloc_init("ads LDAP connection memory");
+ if (!ads->ldap_wrap_data.mem_ctx) {
status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
goto out;
}
/* Otherwise setup the TCP LDAP session */
- ads->ldap.ld = ldap_open_with_timeout(ads->config.ldap_server_name,
+ ads->ldap.ld = ldap_open_with_timeout(addr,
+ &ads->ldap.ss,
ads->ldap.port, lp_ldap_timeout());
if (ads->ldap.ld == NULL) {
status = ADS_ERROR(LDAP_OPERATIONS_ERROR);
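Review bot: `ldap_open_with_timeout()` is now given `addr` (an `INET6_ADDRSTRLEN` buffer, presumably the printed `ads->ldap.ss`) instead of `ads->config.ldap_server_name`, so the URI built for `ldap_initialize()` carries an IP literal and libldap no longer knows the server's DNS name. When `lp_ldap_ssl_ads()` is set, the `smbldap_start_tls()` call that follows may then match the certificate against the address rather than the host name, which either fails for name-only certificates or depends on verification being relaxed; how verification is configured is not visible here. If certificate name checking is intended, the expected name should be supplied to the TLS layer explicitly, or the behaviour documented at this call.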
ldap_set_option(ads->ldap.ld, LDAP_OPT_PROTOCOL_VERSION, &version);
if ( lp_ldap_ssl_ads() ) {
- status = ADS_ERROR(smb_ldap_start_tls(ads->ldap.ld, version));
+ status = ADS_ERROR(smbldap_start_tls(ads->ldap.ld, version));
if (!ADS_ERR_OK(status)) {
goto out;
}
ldap_unbind(ads->ldap.ld);
ads->ldap.ld = NULL;
}
- if (ads->ldap.wrap_ops && ads->ldap.wrap_ops->disconnect) {
- ads->ldap.wrap_ops->disconnect(ads);
+ if (ads->ldap_wrap_data.wrap_ops &&
+ ads->ldap_wrap_data.wrap_ops->disconnect) {
+ ads->ldap_wrap_data.wrap_ops->disconnect(&ads->ldap_wrap_data);
}
- if (ads->ldap.mem_ctx) {
- talloc_free(ads->ldap.mem_ctx);
+ if (ads->ldap_wrap_data.mem_ctx) {
+ talloc_free(ads->ldap_wrap_data.mem_ctx);
}
ZERO_STRUCT(ads->ldap);
+ ZERO_STRUCT(ads->ldap_wrap_data);
}
/*
if (!in_val) return NULL;
- value = TALLOC_ZERO_P(ctx, struct berval);
+ value = talloc_zero(ctx, struct berval);
if (value == NULL)
return NULL;
if (in_val->bv_len == 0) return value;
value->bv_len = in_val->bv_len;
- value->bv_val = (char *)TALLOC_MEMDUP(ctx, in_val->bv_val,
+ value->bv_val = (char *)talloc_memdup(ctx, in_val->bv_val,
in_val->bv_len);
return value;
}
if (!in_vals) return NULL;
for (i=0; in_vals[i]; i++)
; /* count values */
- values = TALLOC_ZERO_ARRAY(ctx, struct berval *, i+1);
+ values = talloc_zero_array(ctx, struct berval *, i+1);
if (!values) return NULL;
for (i=0; in_vals[i]; i++) {
if (!in_vals) return NULL;
for (i=0; in_vals[i]; i++)
; /* count values */
- values = TALLOC_ZERO_ARRAY(ctx, char *, i+1);
+ values = talloc_zero_array(ctx, char *, i+1);
if (!values) return NULL;
for (i=0; in_vals[i]; i++) {
if (!in_vals) return NULL;
for (i=0; in_vals[i]; i++)
; /* count values */
- values = TALLOC_ZERO_ARRAY(ctx, char *, i+1);
+ values = talloc_zero_array(ctx, char *, i+1);
if (!values) return NULL;
for (i=0; in_vals[i]; i++) {
cookie_be = ber_alloc_t(LBER_USE_DER);
if (*cookie) {
- ber_printf(cookie_be, "{iO}", (ber_int_t) 1000, *cookie);
+ ber_printf(cookie_be, "{iO}", (ber_int_t) ads->config.ldap_page_size, *cookie);
ber_bvfree(*cookie); /* don't need it from last time */
*cookie = NULL;
} else {
- ber_printf(cookie_be, "{io}", (ber_int_t) 1000, "", 0);
+ ber_printf(cookie_be, "{io}", (ber_int_t) ads->config.ldap_page_size, "", 0);
}
ber_flatten(cookie_be, &cookie_bv);
- PagedResults.ldctl_oid = CONST_DISCARD(char *, ADS_PAGE_CTL_OID);
+ PagedResults.ldctl_oid = discard_const_p(char, ADS_PAGE_CTL_OID);
PagedResults.ldctl_iscritical = (char) 1;
PagedResults.ldctl_value.bv_len = cookie_bv->bv_len;
PagedResults.ldctl_value.bv_val = cookie_bv->bv_val;
- NoReferrals.ldctl_oid = CONST_DISCARD(char *, ADS_NO_REFERRALS_OID);
+ NoReferrals.ldctl_oid = discard_const_p(char, ADS_NO_REFERRALS_OID);
NoReferrals.ldctl_iscritical = (char) 0;
NoReferrals.ldctl_value.bv_len = 0;
- NoReferrals.ldctl_value.bv_val = CONST_DISCARD(char *, "");
+ NoReferrals.ldctl_value.bv_val = discard_const_p(char, "");
if (external_control &&
(strequal(external_control->control, ADS_EXTENDED_DN_OID) ||
strequal(external_control->control, ADS_SD_FLAGS_OID))) {
- ExternalCtrl.ldctl_oid = CONST_DISCARD(char *, external_control->control);
+ ExternalCtrl.ldctl_oid = discard_const_p(char, external_control->control);
ExternalCtrl.ldctl_iscritical = (char) external_control->critical;
/* win2k does not accept a ldctl_value beeing passed in */
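Review bot: The paged-results control now takes its size from `ads->config.ldap_page_size`, but nothing in the lines shown guarantees that field is positive; neither `ads_try_connect()` nor the visible part of `ads_connect()` sets it. A zero or negative value would be sent to the server as the page size. Either validate at the point of use, for example fall back to the previous 1000 when `ads->config.ldap_page_size <= 0`, or add a comment naming where the field is initialised.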
if (rc) {
DEBUG(3,("ads_do_paged_search_args: ldap_search_with_timeout(%s) -> %s\n", expr,
ldap_err2string(rc)));
+ if (rc == LDAP_OTHER) {
+ char *ldap_errmsg;
+ int ret;
+
+ ret = ldap_parse_result(ads->ldap.ld,
+ *res,
+ NULL,
+ NULL,
+ &ldap_errmsg,
+ NULL,
+ NULL,
+ 0);
+ if (ret == LDAP_SUCCESS) {
+ DEBUG(3, ("ldap_search_with_timeout(%s) "
+ "error: %s\n", expr, ldap_errmsg));
+ ldap_memfree(ldap_errmsg);
+ }
+ }
goto done;
}
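Review bot: In the `rc == LDAP_OTHER` branch `ldap_parse_result()` is called with `*res` unchecked, although the cleanup added further down tests `*res != NULL`, which implies a failed search can leave it NULL; libldap is not guaranteed to accept a NULL message. `ldap_errmsg` is also uninitialised and may come back NULL even when the call returns `LDAP_SUCCESS`, and it is then passed to `%s`. Suggested: `if (rc == LDAP_OTHER && *res != NULL) {`, `char *ldap_errmsg = NULL;`, and log only when `ldap_errmsg != NULL`.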
ber_bvfree(ext_bv);
}
+ if (rc != LDAP_SUCCESS && *res != NULL) {
+ ads_msgfree(ads, *res);
+ *res = NULL;
+ }
+
/* if/when we decide to utf8-encode attrs, take out this next line */
TALLOC_FREE(search_attrs);
#ifdef HAVE_LDAP_ADD_RESULT_ENTRY
while (cookie) {
LDAPMessage *res2 = NULL;
- ADS_STATUS status2;
LDAPMessage *msg, *next;
- status2 = ads_do_paged_search_args(ads, bind_path, scope, expr,
+ status = ads_do_paged_search_args(ads, bind_path, scope, expr,
attrs, args, &res2, &count, &cookie);
-
- if (!ADS_ERR_OK(status2)) break;
+ if (!ADS_ERR_OK(status)) {
+ break;
+ }
/* this relies on the way that ldap_add_result_entry() works internally. I hope
that this works on all ldap libs, but I have only tested with openldap */
ADS_STATUS ads_do_search_all_sd_flags(ADS_STRUCT *ads, const char *bind_path,
int scope, const char *expr,
- const char **attrs, uint32 sd_flags,
+ const char **attrs, uint32_t sd_flags,
LDAPMessage **res)
{
ads_control args;
{
ADS_STATUS status;
char *expr;
- const char *attrs[] = {"*", "nTSecurityDescriptor", NULL};
+ const char *attrs[] = {
+ /* This is how Windows checks for machine accounts */
+ "objectClass",
+ "SamAccountName",
+ "userAccountControl",
+ "DnsHostName",
+ "ServicePrincipalName",
+ "unicodePwd",
+
+ /* Additional attributes Samba checks */
+ "msDS-SupportedEncryptionTypes",
+ "nTSecurityDescriptor",
+
+ NULL
+ };
+ TALLOC_CTX *frame = talloc_stackframe();
*res = NULL;
/* the easiest way to find a machine account anywhere in the tree
is to look for hostname$ */
- if (asprintf(&expr, "(samAccountName=%s$)", machine) == -1) {
- DEBUG(1, ("asprintf failed!\n"));
- return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
+ expr = talloc_asprintf(frame, "(samAccountName=%s$)", machine);
+ if (expr == NULL) {
+ status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
+ goto done;
}
status = ads_search(ads, res, expr, attrs);
- SAFE_FREE(expr);
+ if (ADS_ERR_OK(status)) {
+ if (ads_count_replies(ads, *res) != 1) {
+ status = ADS_ERROR_LDAP(LDAP_NO_SUCH_OBJECT);
+ }
+ }
+
+done:
+ TALLOC_FREE(frame);
return status;
}
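Review bot: `machine` is formatted into the filter `(samAccountName=%s$)` without RFC 4515 escaping, so a name containing `*`, `(`, `)` or `\` changes the filter; the new `ads_count_replies(ads, *res) != 1` check narrows the effect but does not replace escaping. The same pattern is visible in `ads_get_kvno()` with `(samAccountName=%s)`. If either name can come from outside the local configuration (not visible here), it should go through the project's LDAP filter-escaping helper before `talloc_asprintf()`. On the `LDAP_NO_SUCH_OBJECT` path `*res` stays allocated, so the function comment should state that callers must free it on failure as well.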
#define ADS_MODLIST_ALLOC_SIZE 10
LDAPMod **mods;
- if ((mods = TALLOC_ZERO_ARRAY(ctx, LDAPMod *, ADS_MODLIST_ALLOC_SIZE + 1)))
+ if ((mods = talloc_zero_array(ctx, LDAPMod *, ADS_MODLIST_ALLOC_SIZE + 1)))
/* -1 is safety to make sure we don't go over the end.
need to reset it to NULL before doing ldap modify */
mods[ADS_MODLIST_ALLOC_SIZE] = (LDAPMod *) -1;
int mod_op, const char *name,
const void *_invals)
{
- const void **invals = (const void **)_invals;
int curmod;
LDAPMod **modlist = (LDAPMod **) *mods;
struct berval **ber_values = NULL;
char **char_values = NULL;
- if (!invals) {
+ if (!_invals) {
mod_op = LDAP_MOD_DELETE;
} else {
- if (mod_op & LDAP_MOD_BVALUES)
- ber_values = ads_dup_values(ctx,
- (const struct berval **)invals);
- else
- char_values = ads_push_strvals(ctx,
- (const char **) invals);
+ if (mod_op & LDAP_MOD_BVALUES) {
+ const struct berval **b;
+ b = discard_const_p(const struct berval *, _invals);
+ ber_values = ads_dup_values(ctx, b);
+ } else {
+ const char **c;
+ c = discard_const_p(const char *, _invals);
+ char_values = ads_push_strvals(ctx, c);
+ }
}
/* find the first empty slot */
for (curmod=0; modlist[curmod] && modlist[curmod] != (LDAPMod *) -1;
curmod++);
if (modlist[curmod] == (LDAPMod *) -1) {
- if (!(modlist = TALLOC_REALLOC_ARRAY(ctx, modlist, LDAPMod *,
+ if (!(modlist = talloc_realloc(ctx, modlist, LDAPMod *,
curmod+ADS_MODLIST_ALLOC_SIZE+1)))
return ADS_ERROR(LDAP_NO_MEMORY);
memset(&modlist[curmod], 0,
*mods = (ADS_MODLIST)modlist;
}
- if (!(modlist[curmod] = TALLOC_ZERO_P(ctx, LDAPMod)))
+ if (!(modlist[curmod] = talloc_zero(ctx, LDAPMod)))
return ADS_ERROR(LDAP_NO_MEMORY);
modlist[curmod]->mod_type = talloc_strdup(ctx, name);
if (mod_op & LDAP_MOD_BVALUES) {
name, (const void **) vals);
}
-#if 0
/**
* Add a single ber-encoded value to a mod list
* @param ctx An initialized TALLOC_CTX
return ads_modlist_add(ctx, mods, LDAP_MOD_REPLACE|LDAP_MOD_BVALUES,
name, (const void **) values);
}
-#endif
+
+static void ads_print_error(int ret, LDAP *ld)
+{
+ if (ret != 0) {
+ char *ld_error = NULL;
+ ldap_get_option(ld, LDAP_OPT_ERROR_STRING, &ld_error);
+ DBG_ERR("AD LDAP ERROR: %d (%s): %s\n",
+ ret,
+ ldap_err2string(ret),
+ ld_error);
+ SAFE_FREE(ld_error);
+ }
+}
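Review bot: `ld_error` can still be NULL after `ldap_get_option(ld, LDAP_OPT_ERROR_STRING, &ld_error)`, since the return value is ignored and the library may hold no diagnostic text, and it is passed to `%s` in `DBG_ERR`; log `ld_error != NULL ? ld_error : ""` instead. The string is allocated by libldap, so it should be released with `ldap_memfree(ld_error)`, as the `ldap_errmsg` handling elsewhere in this patch does, rather than `SAFE_FREE`. The text originates from the server, so a short comment that it is untrusted input written to the log would be useful for anyone parsing these logs.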
/**
* Perform an ldap modify
non-existent attribute (but allowable for the object) to run
*/
LDAPControl PermitModify = {
- CONST_DISCARD(char *, ADS_PERMIT_MODIFY_OID),
+ discard_const_p(char, ADS_PERMIT_MODIFY_OID),
{0, NULL},
(char) 1};
LDAPControl *controls[2];
+ DBG_INFO("AD LDAP: Modifying %s\n", mod_dn);
+
controls[0] = &PermitModify;
controls[1] = NULL;
mods[i] = NULL;
ret = ldap_modify_ext_s(ads->ldap.ld, utf8_dn,
(LDAPMod **) mods, controls, NULL);
+ ads_print_error(ret, ads->ldap.ld);
TALLOC_FREE(utf8_dn);
return ADS_ERROR(ret);
}
char *utf8_dn = NULL;
size_t converted_size;
+ DBG_INFO("AD LDAP: Adding %s\n", new_dn);
+
if (!push_utf8_talloc(talloc_tos(), &utf8_dn, new_dn, &converted_size)) {
DEBUG(1, ("ads_gen_add: push_utf8_talloc failed!"));
return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
/* make sure the end of the list is NULL */
mods[i] = NULL;
- ret = ldap_add_s(ads->ldap.ld, utf8_dn, (LDAPMod**)mods);
+ ret = ldap_add_ext_s(ads->ldap.ld, utf8_dn, (LDAPMod**)mods, NULL, NULL);
+ ads_print_error(ret, ads->ldap.ld);
TALLOC_FREE(utf8_dn);
return ADS_ERROR(ret);
}
return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
}
+ DBG_INFO("AD LDAP: Deleting %s\n", del_dn);
+
ret = ldap_delete_s(ads->ldap.ld, utf8_dn);
+ ads_print_error(ret, ads->ldap.ld);
TALLOC_FREE(utf8_dn);
return ADS_ERROR(ret);
}
* @return the kvno for the account, or -1 in case of a failure.
**/
-uint32 ads_get_kvno(ADS_STRUCT *ads, const char *account_name)
+uint32_t ads_get_kvno(ADS_STRUCT *ads, const char *account_name)
{
LDAPMessage *res = NULL;
- uint32 kvno = (uint32)-1; /* -1 indicates a failure */
+ uint32_t kvno = (uint32_t)-1; /* -1 indicates a failure */
char *filter;
const char *attrs[] = {"msDS-KeyVersionNumber", NULL};
char *dn_string = NULL;
- ADS_STATUS ret = ADS_ERROR(LDAP_SUCCESS);
+ ADS_STATUS ret;
DEBUG(5,("ads_get_kvno: Searching for account %s\n", account_name));
if (asprintf(&filter, "(samAccountName=%s)", account_name) == -1) {
LDAPMessage *res = NULL;
ADS_MODLIST mods;
const char *servicePrincipalName[1] = {NULL};
- ADS_STATUS ret = ADS_ERROR(LDAP_SUCCESS);
+ ADS_STATUS ret;
char *dn_string = NULL;
ret = ads_find_machine_acct(ads, &res, machine_name);
- if (!ADS_ERR_OK(ret) || ads_count_replies(ads, res) != 1) {
+ if (!ADS_ERR_OK(ret)) {
DEBUG(5,("ads_clear_service_principal_names: WARNING: Host Account for %s not found... skipping operation.\n", machine_name));
DEBUG(5,("ads_clear_service_principal_names: WARNING: Service Principals for %s have NOT been cleared.\n", machine_name));
ads_msgfree(ads, res);
- return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
+ return ret;
}
DEBUG(5,("ads_clear_service_principal_names: Host account for %s found\n", machine_name));
return ret;
}
+/**
+ * @brief Search for an element in a string array.
+ *
+ * @param[in] el_array The string array to search.
+ *
+ * @param[in] num_el The number of elements in the string array.
+ *
+ * @param[in] el The string to search.
+ *
+ * @return True if found, false if not.
+ */
+bool ads_element_in_array(const char **el_array, size_t num_el, const char *el)
+{
+ size_t i;
+
+ if (el_array == NULL || num_el == 0 || el == NULL) {
+ return false;
+ }
+
+ for (i = 0; i < num_el && el_array[i] != NULL; i++) {
+ int cmp;
+
+ cmp = strcasecmp_m(el_array[i], el);
+ if (cmp == 0) {
+ return true;
+ }
+ }
+
+ return false;
+}
+
+/**
+ * @brief This gets the service principal names of an existing computer account.
+ *
+ * @param[in] mem_ctx The memory context to use to allocate the spn array.
+ *
+ * @param[in] ads The ADS context to use.
+ *
+ * @param[in] machine_name The NetBIOS name of the computer, which is used to
+ * identify the computer account.
+ *
+ * @param[in] spn_array A pointer to store the array for SPNs.
+ *
+ * @param[in] num_spns The number of principals stored in the array.
+ *
+ * @return 0 on success, or a ADS error if a failure occurred.
+ */
+ADS_STATUS ads_get_service_principal_names(TALLOC_CTX *mem_ctx,
+ ADS_STRUCT *ads,
+ const char *machine_name,
+ char ***spn_array,
+ size_t *num_spns)
+{
+ ADS_STATUS status;
+ LDAPMessage *res = NULL;
+ int count;
+
+ status = ads_find_machine_acct(ads,
+ &res,
+ machine_name);
+ if (!ADS_ERR_OK(status)) {
+ DEBUG(1,("Host Account for %s not found... skipping operation.\n",
+ machine_name));
+ return status;
+ }
+
+ count = ads_count_replies(ads, res);
+ if (count != 1) {
+ status = ADS_ERROR(LDAP_NO_SUCH_OBJECT);
+ goto done;
+ }
+
+ *spn_array = ads_pull_strings(ads,
+ mem_ctx,
+ res,
+ "servicePrincipalName",
+ num_spns);
+ if (*spn_array == NULL) {
+ DEBUG(1, ("Host account for %s does not have service principal "
+ "names.\n",
+ machine_name));
+ status = ADS_ERROR(LDAP_NO_SUCH_OBJECT);
+ goto done;
+ }
+
+done:
+ ads_msgfree(ads, res);
+
+ return status;
+}
+
/**
* This adds a service principal name to an existing computer account
* (found by hostname) in AD.
* @param ads An initialized ADS_STRUCT
* @param machine_name the NetBIOS name of the computer, which is used to identify the computer account.
- * @param my_fqdn The fully qualified DNS name of the machine
- * @param spn A string of the service principal to add, i.e. 'host'
+ * @param spns An array or strings for the service principals to add,
+ * i.e. 'cifs/machine_name', 'http/machine.full.domain.com' etc.
* @return 0 upon sucess, or non-zero if a failure occurs
**/
-ADS_STATUS ads_add_service_principal_name(ADS_STRUCT *ads, const char *machine_name,
- const char *my_fqdn, const char *spn)
+ADS_STATUS ads_add_service_principal_names(ADS_STRUCT *ads,
+ const char *machine_name,
+ const char **spns)
{
ADS_STATUS ret;
TALLOC_CTX *ctx;
LDAPMessage *res = NULL;
- char *psp1, *psp2;
ADS_MODLIST mods;
char *dn_string = NULL;
- const char *servicePrincipalName[3] = {NULL, NULL, NULL};
+ const char **servicePrincipalName = spns;
ret = ads_find_machine_acct(ads, &res, machine_name);
- if (!ADS_ERR_OK(ret) || ads_count_replies(ads, res) != 1) {
+ if (!ADS_ERR_OK(ret)) {
DEBUG(1,("ads_add_service_principal_name: WARNING: Host Account for %s not found... skipping operation.\n",
machine_name));
- DEBUG(1,("ads_add_service_principal_name: WARNING: Service Principal '%s/%s@%s' has NOT been added.\n",
- spn, machine_name, ads->config.realm));
+ DEBUG(1,("ads_add_service_principal_name: WARNING: Service Principals have NOT been added.\n"));
ads_msgfree(ads, res);
- return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
+ return ret;
}
DEBUG(1,("ads_add_service_principal_name: Host account for %s found\n", machine_name));
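Review bot: The early return in `ads_get_service_principal_names` after a failed `ads_find_machine_acct` skips `ads_msgfree(ads, res)`, while the same failure path in `ads_add_service_principal_names` later in this hunk frees `res` before returning. If the lookup can leave a message in `res` on error, this path leaks it; replacing `return status;` with `goto done;` would keep the two functions consistent. The doc comment also marks `spn_array` and `num_spns` as `@param[in]` although the function writes both, so `@param[out]` is accurate, and it is worth stating that neither is set on failure. The body of `ads_add_service_principal_names` continues outside the hunk.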
return ADS_ERROR(LDAP_NO_MEMORY);
}
- /* add short name spn */
+ DEBUG(5,("ads_add_service_principal_name: INFO: "
+ "Adding %s to host %s\n",
+ spns[0] ? "N/A" : spns[0], machine_name));
- if ( (psp1 = talloc_asprintf(ctx, "%s/%s", spn, machine_name)) == NULL ) {
- talloc_destroy(ctx);
- ads_msgfree(ads, res);
- return ADS_ERROR(LDAP_NO_MEMORY);
- }
- strupper_m(psp1);
- strlower_m(&psp1[strlen(spn)]);
- servicePrincipalName[0] = psp1;
-
- DEBUG(5,("ads_add_service_principal_name: INFO: Adding %s to host %s\n",
- psp1, machine_name));
-
-
- /* add fully qualified spn */
-
- if ( (psp2 = talloc_asprintf(ctx, "%s/%s", spn, my_fqdn)) == NULL ) {
- ret = ADS_ERROR(LDAP_NO_MEMORY);
- goto out;
- }
- strupper_m(psp2);
- strlower_m(&psp2[strlen(spn)]);
- servicePrincipalName[1] = psp2;
- DEBUG(5,("ads_add_service_principal_name: INFO: Adding %s to host %s\n",
- psp2, machine_name));
+ DEBUG(5,("ads_add_service_principal_name: INFO: "
+ "Adding %s to host %s\n",
+ spns[1] ? "N/A" : spns[1], machine_name));
if ( (mods = ads_init_mods(ctx)) == NULL ) {
ret = ADS_ERROR(LDAP_NO_MEMORY);
goto out;
}
- ret = ads_add_strlist(ctx, &mods, "servicePrincipalName", servicePrincipalName);
+ ret = ads_add_strlist(ctx,
+ &mods,
+ "servicePrincipalName",
+ servicePrincipalName);
if (!ADS_ERR_OK(ret)) {
DEBUG(1,("ads_add_service_principal_name: Error: Updating Service Principals in LDAP\n"));
goto out;
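Review bot: Both new DEBUG calls have the ternary inverted: `spns[0] ? "N/A" : spns[0]` prints "N/A" when an SPN is present and hands NULL to `%s` when it is absent. `spns[1]` is also read when `spns[0]` is already the terminator, which is one element past the end of a NULL-terminated list. Logging in a loop avoids both problems: `for (i = 0; spns[i] != NULL; i++) { DEBUG(5, ("ads_add_service_principal_name: INFO: Adding %s to host %s\n", spns[i], machine_name)); }` with a `size_t i` declared at the top. The function starts and ends outside this hunk, so whether `spns` itself is checked for NULL cannot be seen here.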
* @return 0 upon success, or non-zero otherwise
**/
-ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, const char *machine_name,
- const char *org_unit)
+ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads,
+ const char *machine_name,
+ const char *machine_password,
+ const char *org_unit,
+ uint32_t etype_list,
+ const char *dns_domain_name)
{
ADS_STATUS ret;
- char *samAccountName, *controlstr;
- TALLOC_CTX *ctx;
+ char *samAccountName = NULL;
+ char *controlstr = NULL;
+ TALLOC_CTX *ctx = NULL;
ADS_MODLIST mods;
char *machine_escaped = NULL;
- char *new_dn;
- const char *objectClass[] = {"top", "person", "organizationalPerson",
- "user", "computer", NULL};
+ char *dns_hostname = NULL;
+ char *new_dn = NULL;
+ char *utf8_pw = NULL;
+ size_t utf8_pw_len = 0;
+ char *utf16_pw = NULL;
+ size_t utf16_pw_len = 0;
+ struct berval machine_pw_val;
+ bool ok;
+ const char **spn_array = NULL;
+ size_t num_spns = 0;
+ const char *spn_prefix[] = {
+ "HOST",
+ "RestrictedKrbHost",
+ };
+ size_t i;
LDAPMessage *res = NULL;
- uint32 acct_control = ( UF_WORKSTATION_TRUST_ACCOUNT |\
- UF_DONT_EXPIRE_PASSWD |\
- UF_ACCOUNTDISABLE );
+ uint32_t acct_control = UF_WORKSTATION_TRUST_ACCOUNT;
- if (!(ctx = talloc_init("ads_add_machine_acct")))
+ ctx = talloc_init("ads_add_machine_acct");
+ if (ctx == NULL) {
return ADS_ERROR(LDAP_NO_MEMORY);
-
- ret = ADS_ERROR(LDAP_NO_MEMORY);
+ }
machine_escaped = escape_rdn_val_string_alloc(machine_name);
- if (!machine_escaped) {
+ if (machine_escaped == NULL) {
+ ret = ADS_ERROR(LDAP_NO_MEMORY);
goto done;
}
+ /* Check if the machine account already exists. */
+ ret = ads_find_machine_acct(ads, &res, machine_escaped);
+ if (ADS_ERR_OK(ret)) {
+ ret = ADS_ERROR_LDAP(LDAP_ALREADY_EXISTS);
+ ads_msgfree(ads, res);
+ goto done;
+ }
+ ads_msgfree(ads, res);
+
new_dn = talloc_asprintf(ctx, "cn=%s,%s", machine_escaped, org_unit);
+ if (new_dn == NULL) {
+ ret = ADS_ERROR(LDAP_NO_MEMORY);
+ goto done;
+ }
+
+ /* Create machine account */
+
samAccountName = talloc_asprintf(ctx, "%s$", machine_name);
+ if (samAccountName == NULL) {
+ ret = ADS_ERROR(LDAP_NO_MEMORY);
+ goto done;
+ }
- if ( !new_dn || !samAccountName ) {
+ dns_hostname = talloc_asprintf(ctx,
+ "%s.%s",
+ machine_name,
+ dns_domain_name);
+ if (dns_hostname == NULL) {
+ ret = ADS_ERROR(LDAP_NO_MEMORY);
goto done;
}
-#ifndef ENCTYPE_ARCFOUR_HMAC
- acct_control |= UF_USE_DES_KEY_ONLY;
-#endif
+ /* Add dns_hostname SPNs */
+ for (i = 0; i < ARRAY_SIZE(spn_prefix); i++) {
+ char *spn = talloc_asprintf(ctx,
+ "%s/%s",
+ spn_prefix[i],
+ dns_hostname);
+ if (spn == NULL) {
+ ret = ADS_ERROR(LDAP_NO_MEMORY);
+ goto done;
+ }
+
+ ok = add_string_to_array(spn_array,
+ spn,
+ &spn_array,
+ &num_spns);
+ if (!ok) {
+ ret = ADS_ERROR(LDAP_NO_MEMORY);
+ goto done;
+ }
+ }
- if (!(controlstr = talloc_asprintf(ctx, "%u", acct_control))) {
+ /* Add machine_name SPNs */
+ for (i = 0; i < ARRAY_SIZE(spn_prefix); i++) {
+ char *spn = talloc_asprintf(ctx,
+ "%s/%s",
+ spn_prefix[i],
+ machine_name);
+ if (spn == NULL) {
+ ret = ADS_ERROR(LDAP_NO_MEMORY);
+ goto done;
+ }
+
+ ok = add_string_to_array(spn_array,
+ spn,
+ &spn_array,
+ &num_spns);
+ if (!ok) {
+ ret = ADS_ERROR(LDAP_NO_MEMORY);
+ goto done;
+ }
+ }
+
+ /* Make sure to NULL terminate the array */
+ spn_array = talloc_realloc(ctx, spn_array, const char *, num_spns + 1);
+ if (spn_array == NULL) {
+ return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+ }
+ spn_array[num_spns] = NULL;
+
+ controlstr = talloc_asprintf(ctx, "%u", acct_control);
+ if (controlstr == NULL) {
+ ret = ADS_ERROR(LDAP_NO_MEMORY);
goto done;
}
- if (!(mods = ads_init_mods(ctx))) {
+ utf8_pw = talloc_asprintf(ctx, "\"%s\"", machine_password);
+ if (utf8_pw == NULL) {
+ ret = ADS_ERROR(LDAP_NO_MEMORY);
goto done;
}
+ utf8_pw_len = strlen(utf8_pw);
- ads_mod_str(ctx, &mods, "cn", machine_name);
- ads_mod_str(ctx, &mods, "sAMAccountName", samAccountName);
- ads_mod_strlist(ctx, &mods, "objectClass", objectClass);
+ ok = convert_string_talloc(ctx,
+ CH_UTF8, CH_UTF16MUNGED,
+ utf8_pw, utf8_pw_len,
+ (void *)&utf16_pw, &utf16_pw_len);
+ if (!ok) {
+ ret = ADS_ERROR(LDAP_NO_MEMORY);
+ goto done;
+ }
+
+ machine_pw_val = (struct berval) {
+ .bv_val = utf16_pw,
+ .bv_len = utf16_pw_len,
+ };
+
+ mods = ads_init_mods(ctx);
+ if (mods == NULL) {
+ ret = ADS_ERROR(LDAP_NO_MEMORY);
+ goto done;
+ }
+
+ ads_mod_str(ctx, &mods, "objectClass", "Computer");
+ ads_mod_str(ctx, &mods, "SamAccountName", samAccountName);
ads_mod_str(ctx, &mods, "userAccountControl", controlstr);
+ ads_mod_str(ctx, &mods, "DnsHostName", dns_hostname);
+ ads_mod_strlist(ctx, &mods, "ServicePrincipalName", spn_array);
+ ads_mod_ber(ctx, &mods, "unicodePwd", &machine_pw_val);
ret = ads_gen_add(ads, new_dn, mods);
done:
SAFE_FREE(machine_escaped);
- ads_msgfree(ads, res);
talloc_destroy(ctx);
return ret;
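Review bot: The failure branch after the `talloc_realloc` that NULL-terminates `spn_array` returns directly with `return ADS_ERROR_LDAP(LDAP_NO_MEMORY);`, bypassing `done:` and leaking `ctx` and `machine_escaped`; it should be `ret = ADS_ERROR_LDAP(LDAP_NO_MEMORY); goto done;` like every other failure path in the function. Both SPN loops call `add_string_to_array(spn_array, spn, &spn_array, &num_spns)`, whereas the other call visible in this diff passes a talloc context first (`add_string_to_array(mem_ctx, dn, &p, num_ous)`). If that argument is the allocation parent, the first call passes NULL and the array is never owned by `ctx`; passing `ctx` would tie its lifetime to `talloc_destroy(ctx)`. The quoted and UTF-16 copies of `machine_password` (`utf8_pw`, `utf16_pw`) are released by `talloc_destroy(ctx)` without being cleared, so the machine secret stays in freed heap; zeroing both buffers over `utf8_pw_len` and `utf16_pw_len` at `done:` when the pointers are non-NULL would limit that exposure. `etype_list` is not used anywhere in the visible body, and the function's closing brace is outside the hunk.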
*/
static void dump_binary(ADS_STRUCT *ads, const char *field, struct berval **values)
{
- int i, j;
+ size_t i;
for (i=0; values[i]; i++) {
+ ber_len_t j;
printf("%s: ", field);
for (j=0; j<values[i]->bv_len; j++) {
printf("%02X", (unsigned char)values[i]->bv_val[j]);
{
int i;
for (i=0; values[i]; i++) {
+ NTSTATUS status;
+ DATA_BLOB in = data_blob_const(values[i]->bv_val, values[i]->bv_len);
+ struct GUID guid;
- UUID_FLAT guid;
- struct GUID tmp;
-
- memcpy(guid.info, values[i]->bv_val, sizeof(guid.info));
- smb_uuid_unpack(guid, &tmp);
- printf("%s: %s\n", field, GUID_string(talloc_tos(), &tmp));
+ status = GUID_from_ndr_blob(&in, &guid);
+ if (NT_STATUS_IS_OK(status)) {
+ printf("%s: %s\n", field, GUID_string(talloc_tos(), &guid));
+ } else {
+ printf("%s: INVALID GUID\n", field);
+ }
}
}
{
int i;
for (i=0; values[i]; i++) {
+ ssize_t ret;
struct dom_sid sid;
- fstring tmp;
- sid_parse(values[i]->bv_val, values[i]->bv_len, &sid);
- printf("%s: %s\n", field, sid_to_fstring(tmp, &sid));
+ struct dom_sid_buf tmp;
+ ret = sid_parse((const uint8_t *)values[i]->bv_val,
+ values[i]->bv_len, &sid);
+ if (ret == -1) {
+ return;
+ }
+ printf("%s: %s\n", field, dom_sid_str_buf(&sid, &tmp));
}
}
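Review bot: A value that fails `sid_parse` makes this loop `return`, so every remaining value of the attribute is silently dropped from the dump, whereas the GUID loop changed in the same commit prints `INVALID GUID` and moves on. For consistency, and so that a malformed SID in a directory entry shows up in the output instead of truncating it, the branch could be `printf("%s: INVALID SID\n", field); continue;`. The function's signature line is outside the hunk.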
struct security_descriptor *psd;
NTSTATUS status;
- status = unmarshall_sec_desc(talloc_tos(), (uint8 *)values[0]->bv_val,
+ status = unmarshall_sec_desc(talloc_tos(), (uint8_t *)values[0]->bv_val,
values[0]->bv_len, &psd);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("unmarshall_sec_desc failed: %s\n",
}
for (i=0; handlers[i].name; i++) {
- if (StrCaseCmp(handlers[i].name, field) == 0) {
+ if (strcasecmp_m(handlers[i].name, field) == 0) {
if (!values) /* first time, indicate string or not */
return handlers[i].string;
handlers[i].handler(ads, field, (struct berval **) values);
utf8_field=ldap_next_attribute(ads->ldap.ld,
(LDAPMessage *)msg,b)) {
struct berval **ber_vals;
- char **str_vals, **utf8_vals;
+ char **str_vals;
+ char **utf8_vals;
char *field;
bool string;
string = fn(ads, field, NULL, data_area);
if (string) {
+ const char **p;
+
utf8_vals = ldap_get_values(ads->ldap.ld,
(LDAPMessage *)msg, field);
- str_vals = ads_pull_strvals(ctx,
- (const char **) utf8_vals);
+ p = discard_const_p(const char *, utf8_vals);
+ str_vals = ads_pull_strvals(ctx, p);
fn(ads, field, (void **) str_vals, data_area);
ldap_value_free(utf8_vals);
} else {
{
char **values;
char **ret = NULL;
- int i;
- size_t converted_size;
+ size_t i, converted_size;
values = ldap_get_values(ads->ldap.ld, msg, field);
if (!values)
*num_values = ldap_count_values(values);
- ret = TALLOC_ARRAY(mem_ctx, char *, *num_values + 1);
+ ret = talloc_array(mem_ctx, char *, *num_values + 1);
if (!ret) {
ldap_value_free(values);
return NULL;
return NULL;
}
- strings = TALLOC_REALLOC_ARRAY(mem_ctx, current_strings, char *,
+ strings = talloc_realloc(mem_ctx, current_strings, char *,
*num_strings + num_new_strings);
if (strings == NULL) {
}
/**
- * pull a single uint32 from a ADS result
+ * pull a single uint32_t from a ADS result
* @param ads connection to ads server
* @param msg Results of search
* @param field Attribute to retrieve
* @return boolean inidicating success
*/
bool ads_pull_uint32(ADS_STRUCT *ads, LDAPMessage *msg, const char *field,
- uint32 *v)
+ uint32_t *v)
{
char **values;
**/
bool ads_pull_guid(ADS_STRUCT *ads, LDAPMessage *msg, struct GUID *guid)
{
- char **values;
- UUID_FLAT flat_guid;
-
- values = ldap_get_values(ads->ldap.ld, msg, "objectGUID");
- if (!values)
- return False;
+ DATA_BLOB blob;
+ NTSTATUS status;
- if (values[0]) {
- memcpy(&flat_guid.info, values[0], sizeof(UUID_FLAT));
- smb_uuid_unpack(flat_guid, guid);
- ldap_value_free(values);
- return True;
+ if (!smbldap_talloc_single_blob(talloc_tos(), ads->ldap.ld, msg, "objectGUID",
+ &blob)) {
+ return false;
}
- ldap_value_free(values);
- return False;
+ status = GUID_from_ndr_blob(&blob, guid);
+ talloc_free(blob.data);
+ return NT_STATUS_IS_OK(status);
}
LDAPMessage *msg, const char *field, struct dom_sid **sids)
{
struct berval **values;
- bool ret;
int count, i;
values = ldap_get_values_len(ads->ldap.ld, msg, field);
/* nop */ ;
if (i) {
- (*sids) = TALLOC_ARRAY(mem_ctx, struct dom_sid, i);
+ (*sids) = talloc_array(mem_ctx, struct dom_sid, i);
if (!(*sids)) {
ldap_value_free_len(values);
return 0;
count = 0;
for (i=0; values[i]; i++) {
- ret = sid_parse(values[i]->bv_val, values[i]->bv_len, &(*sids)[count]);
- if (ret) {
- DEBUG(10, ("pulling SID: %s\n",
- sid_string_dbg(&(*sids)[count])));
+ ssize_t ret;
+ ret = sid_parse((const uint8_t *)values[i]->bv_val,
+ values[i]->bv_len, &(*sids)[count]);
+ if (ret != -1) {
+ struct dom_sid_buf buf;
+ DBG_DEBUG("pulling SID: %s\n",
+ dom_sid_str_buf(&(*sids)[count], &buf));
count++;
}
}
if (values[0]) {
NTSTATUS status;
status = unmarshall_sec_desc(mem_ctx,
- (uint8 *)values[0]->bv_val,
+ (uint8_t *)values[0]->bv_val,
values[0]->bv_len, sd);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("unmarshall_sec_desc failed: %s\n",
* @param usn Pointer to retrieved update serial number
* @return status of search
**/
-ADS_STATUS ads_USN(ADS_STRUCT *ads, uint32 *usn)
+ADS_STATUS ads_USN(ADS_STRUCT *ads, uint32_t *usn)
{
const char *attrs[] = {"highestCommittedUSN", NULL};
ADS_STATUS status;
if ( !ads->ldap.ld ) {
if ( (ads_s = ads_init( ads->server.realm, ads->server.workgroup,
- ads->server.ldap_server )) == NULL )
+ ads->server.ldap_server, ADS_SASL_PLAIN )) == NULL )
{
+ status = ADS_ERROR(LDAP_NO_MEMORY);
goto done;
}
ads_s->auth.flags = ADS_AUTH_ANON_BIND;
if (ads->config.current_time != 0) {
ads->auth.time_offset = ads->config.current_time - time(NULL);
- DEBUG(4,("time offset is %d seconds\n", ads->auth.time_offset));
+ DEBUG(4,("KDC time offset is %d seconds\n", ads->auth.time_offset));
}
ads_msgfree(ads, res);
/********************************************************************
********************************************************************/
-ADS_STATUS ads_domain_func_level(ADS_STRUCT *ads, uint32 *val)
+ADS_STATUS ads_domain_func_level(ADS_STRUCT *ads, uint32_t *val)
{
const char *attrs[] = {"domainFunctionality", NULL};
ADS_STATUS status;
if ( !ads->ldap.ld ) {
if ( (ads_s = ads_init( ads->server.realm, ads->server.workgroup,
- ads->server.ldap_server )) == NULL )
+ ads->server.ldap_server, ADS_SASL_PLAIN )) == NULL )
{
status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
goto done;
for (msg = ads_first_entry(ads, res); msg;
msg = ads_next_entry(ads, msg)) {
-
+ const char **p = discard_const_p(const char *, *ous);
char *dn = NULL;
dn = ads_get_dn(ads, talloc_tos(), msg);
return ADS_ERROR(LDAP_NO_MEMORY);
}
- if (!add_string_to_array(mem_ctx, dn,
- (const char ***)ous,
- (int *)num_ous)) {
+ if (!add_string_to_array(mem_ctx, dn, &p, num_ous)) {
TALLOC_FREE(dn);
ads_msgfree(ads, res);
return ADS_ERROR(LDAP_NO_MEMORY);
}
TALLOC_FREE(dn);
+ *ous = discard_const_p(char *, p);
}
ads_msgfree(ads, res);
}
break;
case ADS_EXTENDED_DN_HEX_STRING: {
+ ssize_t ret;
fstring buf;
size_t buf_len;
return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
}
- if (!sid_parse(buf, buf_len, sid)) {
+ ret = sid_parse((const uint8_t *)buf, buf_len, sid);
+ if (ret == -1) {
DEBUG(10,("failed to parse sid\n"));
return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
}
return ADS_ERROR_NT(NT_STATUS_OK);
}
-/**
- * pull an array of struct dom_sids from a ADS result
- * @param ads connection to ads server
- * @param mem_ctx TALLOC_CTX for allocating sid array
- * @param msg Results of search
- * @param field Attribute to retrieve
- * @param flags string type of extended_dn
- * @param sids pointer to sid array to allocate
- * @return the count of SIDs pulled
- **/
- int ads_pull_sids_from_extendeddn(ADS_STRUCT *ads,
- TALLOC_CTX *mem_ctx,
- LDAPMessage *msg,
- const char *field,
- enum ads_extended_dn_flags flags,
- struct dom_sid **sids)
-{
- int i;
- ADS_STATUS rc;
- size_t dn_count, ret_count = 0;
- char **dn_strings;
-
- if ((dn_strings = ads_pull_strings(ads, mem_ctx, msg, field,
- &dn_count)) == NULL) {
- return 0;
- }
-
- (*sids) = TALLOC_ZERO_ARRAY(mem_ctx, struct dom_sid, dn_count + 1);
- if (!(*sids)) {
- TALLOC_FREE(dn_strings);
- return 0;
- }
-
- for (i=0; i<dn_count; i++) {
- rc = ads_get_sid_from_extended_dn(mem_ctx, dn_strings[i],
- flags, &(*sids)[i]);
- if (!ADS_ERR_OK(rc)) {
- if (NT_STATUS_EQUAL(ads_ntstatus(rc),
- NT_STATUS_NOT_FOUND)) {
- continue;
- }
- else {
- TALLOC_FREE(*sids);
- TALLOC_FREE(dn_strings);
- return 0;
- }
- }
- ret_count++;
- }
-
- TALLOC_FREE(dn_strings);
-
- return ret_count;
-}
-
/********************************************************************
********************************************************************/
int count = 0;
char *name = NULL;
- status = ads_find_machine_acct(ads, &res, global_myname());
+ status = ads_find_machine_acct(ads, &res, machine_name);
if (!ADS_ERR_OK(status)) {
DEBUG(0,("ads_get_dnshostname: Failed to find account for %s\n",
- global_myname()));
+ lp_netbios_name()));
goto out;
}
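Review bot: The failure message logs `lp_netbios_name()` although the lookup now uses the `machine_name` argument, so when a caller passes a different name the log names an account that was never searched for. The same mismatch is in the `ads_get_upn` and `ads_has_samaccountname` messages further down; in all three the logged argument should be `machine_name));`. The enclosing function starts and ends outside the hunk.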
status = ads_find_machine_acct(ads, &res, machine_name);
if (!ADS_ERR_OK(status)) {
DEBUG(0,("ads_get_upn: Failed to find account for %s\n",
- global_myname()));
+ lp_netbios_name()));
goto out;
}
/********************************************************************
********************************************************************/
-char* ads_get_samaccountname( ADS_STRUCT *ads, TALLOC_CTX *ctx, const char *machine_name )
+bool ads_has_samaccountname( ADS_STRUCT *ads, TALLOC_CTX *ctx, const char *machine_name )
{
LDAPMessage *res = NULL;
ADS_STATUS status;
int count = 0;
char *name = NULL;
+ bool ok = false;
- status = ads_find_machine_acct(ads, &res, global_myname());
+ status = ads_find_machine_acct(ads, &res, machine_name);
if (!ADS_ERR_OK(status)) {
- DEBUG(0,("ads_get_dnshostname: Failed to find account for %s\n",
- global_myname()));
+ DEBUG(0,("ads_has_samaccountname: Failed to find account for %s\n",
+ lp_netbios_name()));
goto out;
}
if ( (count = ads_count_replies(ads, res)) != 1 ) {
- DEBUG(1,("ads_get_dnshostname: %d entries returned!\n", count));
+ DEBUG(1,("ads_has_samaccountname: %d entries returned!\n", count));
goto out;
}
if ( (name = ads_pull_string(ads, ctx, res, "sAMAccountName")) == NULL ) {
- DEBUG(0,("ads_get_dnshostname: No sAMAccountName attribute!\n"));
+ DEBUG(0,("ads_has_samaccountname: No sAMAccountName attribute!\n"));
}
out:
ads_msgfree(ads, res);
-
- return name;
+ if (name != NULL) {
+ ok = (strlen(name) > 0);
+ }
+ TALLOC_FREE(name);
+ return ok;
}
#if 0
* @return status of join
**/
ADS_STATUS ads_join_realm(ADS_STRUCT *ads, const char *machine_name,
- uint32 account_type, const char *org_unit)
+ uint32_t account_type, const char *org_unit)
{
ADS_STATUS status;
LDAPMessage *res = NULL;
pldap_control[0] = &ldap_control;
memset(&ldap_control, 0, sizeof(LDAPControl));
- ldap_control.ldctl_oid = (char *)LDAP_SERVER_TREE_DELETE_OID;
+ ldap_control.ldctl_oid = discard_const_p(char, LDAP_SERVER_TREE_DELETE_OID);
/* hostname must be lowercase */
host = SMB_STRDUP(hostname);
- strlower_m(host);
+ if (!strlower_m(host)) {
+ SAFE_FREE(host);
+ return ADS_ERROR_SYSTEM(EINVAL);
+ }
status = ads_find_machine_acct(ads, &res, host);
if (!ADS_ERR_OK(status)) {
}
hostnameDN = ads_get_dn(ads, talloc_tos(), (LDAPMessage *)msg);
+ if (hostnameDN == NULL) {
+ SAFE_FREE(host);
+ return ADS_ERROR_SYSTEM(ENOENT);
+ }
rc = ldap_delete_ext_s(ads->ldap.ld, hostnameDN, pldap_control, NULL);
if (rc) {
TALLOC_FREE(hostnameDN);
status = ads_find_machine_acct(ads, &res, host);
- if (ADS_ERR_OK(status) && ads_count_replies(ads, res) == 1) {
+ if ((status.error_type == ENUM_ADS_ERROR_LDAP) &&
+ (status.err.rc != LDAP_NO_SUCH_OBJECT)) {
DEBUG(3, ("Failed to remove host account.\n"));
SAFE_FREE(host);
return status;
}
SAFE_FREE(host);
- return status;
+ return ADS_SUCCESS;
}
/**
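Review bot: The post-delete check treats any LDAP-type status other than `LDAP_NO_SUCH_OBJECT` as a failure, and that appears to include a successful search. Assuming a found account is reported as an LDAP-type status with rc `LDAP_SUCCESS`, the branch logs "Failed to remove host account." and then returns `status`, which the caller would read as success. Setting an explicit error first, for example `if (ADS_ERR_OK(status)) { status = ADS_ERROR_LDAP(LDAP_ALREADY_EXISTS); }` before `return status;`, keeps a failed leave from being reported as a clean one while the machine account still exists. Non-LDAP error types fall through to `return ADS_SUCCESS;`; if `ads_find_machine_acct` can return those, they should be propagated as well. Whether `res` from this second search is freed is not visible in the hunk.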
struct dom_sid *tmp_sids;
struct dom_sid tmp_user_sid;
struct dom_sid tmp_primary_group_sid;
- uint32 pgid;
+ uint32_t pgid;
const char *attrs[] = {
"objectSid",
"tokenGroups",
* domsid */
struct dom_sid domsid;
- uint32 dummy_rid;
sid_copy(&domsid, &tmp_user_sid);
- if (!sid_split_rid(&domsid, &dummy_rid)) {
+ if (!sid_split_rid(&domsid, NULL)) {
ads_msgfree(ads, res);
return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
}
* @param ads connection to ads server
* @param mem_ctx TALLOC_CTX for allocating sid array
* @param samaccountname to search
- * @param uac_ret uint32 pointer userAccountControl attribute value
+ * @param uac_ret uint32_t pointer userAccountControl attribute value
* @param dn_ret pointer to dn
* @return status of token query
**/
ADS_STATUS ads_find_samaccount(ADS_STRUCT *ads,
TALLOC_CTX *mem_ctx,
const char *samaccountname,
- uint32 *uac_ret,
+ uint32_t *uac_ret,
const char **dn_ret)
{
ADS_STATUS status;
const char *filter;
LDAPMessage *res = NULL;
char *dn = NULL;
- uint32 uac = 0;
+ uint32_t uac = 0;
filter = talloc_asprintf(mem_ctx, "(&(objectclass=user)(sAMAccountName=%s))",
samaccountname);
const char *name;
char *ou_string;
- exploded_dn = ldap_explode_dn(*account_ou, 0);
- if (exploded_dn) {
- ldap_value_free(exploded_dn);
- return ADS_SUCCESS;
+ if (account_ou == NULL) {
+ return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
+ }
+
+ if (*account_ou != NULL) {
+ exploded_dn = ldap_explode_dn(*account_ou, 0);
+ if (exploded_dn) {
+ ldap_value_free(exploded_dn);
+ return ADS_SUCCESS;
+ }
}
ou_string = ads_ou_string(ads, *account_ou);