s3:libnet: Require sealed LDAP SASL connections for joining
authorAndreas Schneider <asn@samba.org>
Tue, 13 Aug 2019 15:41:40 +0000 (17:41 +0200)
committerAndreas Schneider <asn@cryptomilk.org>
Wed, 9 Oct 2019 07:06:35 +0000 (07:06 +0000)
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
libgpo/pygpo.c
source3/lib/netapi/joindomain.c
source3/libads/ads_proto.h
source3/libads/ads_struct.c
source3/libads/ldap.c
source3/libnet/libnet_join.c
source3/libsmb/namequery_dc.c
source3/printing/nt_printing_ads.c
source3/utils/net_ads.c
source3/winbindd/winbindd_ads.c
source3/winbindd/winbindd_cm.c

index b1f788d3a00eb0a926e53f7891675b155fe06d5b..581d20e064963af3af8f82e5771a8d42cdef81fb 100644 (file)
@@ -210,7 +210,7 @@ static int py_ads_init(ADS *self, PyObject *args, PyObject *kwds)
                self->ads_ptr = NULL;
        }
        /* always succeeds or crashes */
-       self->ads_ptr = ads_init(realm, workgroup, ldap_server);
+       self->ads_ptr = ads_init(realm, workgroup, ldap_server, ADS_SASL_PLAIN);
        
        return 0;
 }
index 387c517c1be21c99212c0f91c71adb079764b3d2..f2d36fc00dbe18c015729d64c78ca3a74c8940a9 100644 (file)
@@ -417,7 +417,10 @@ WERROR NetGetJoinableOUs_l(struct libnetapi_ctx *ctx,
 
        dc = strip_hostname(info->dc_unc);
 
-       ads = ads_init(info->domain_name, info->domain_name, dc);
+       ads = ads_init(info->domain_name,
+                      info->domain_name,
+                      dc,
+                      ADS_SASL_PLAIN);
        if (!ads) {
                return WERR_GEN_FAILURE;
        }
index 154bf67f9641b5f05401e8f3622ce5c42de810f3..92bb3a22cdb9cafd037ff5d6b0eab913e73338be 100644 (file)
 #ifndef _LIBADS_ADS_PROTO_H_
 #define _LIBADS_ADS_PROTO_H_
 
+enum ads_sasl_state_e {
+       ADS_SASL_PLAIN = 0,
+       ADS_SASL_SIGN,
+       ADS_SASL_SEAL,
+};
+
 /* The following definitions come from libads/ads_struct.c  */
 
 char *ads_build_path(const char *realm, const char *sep, const char *field, int reverse);
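Review bot: The new `enum ads_sasl_state_e` carries no comment, so a caller has to read ads_init() to learn that the value is a minimum wrapping level OR-ed on top of the configured `client ldap sasl wrapping` flags. A short header comment would make the choice at each of the new call sites reviewable, e.g. `/* Minimum SASL wrapping a caller requires; ads_init() raises the configured wrap flags to at least this level, it never lowers them. */` placed above the enum, with `/* integrity only */` on ADS_SASL_SIGN and `/* integrity + confidentiality */` on ADS_SASL_SEAL. If the intent is that ADS_SASL_SEAL must never be downgraded by configuration, that guarantee is worth stating here rather than leaving it implicit.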
@@ -39,7 +45,8 @@ char *ads_build_dn(const char *realm);
 char *ads_build_domain(const char *dn);
 ADS_STRUCT *ads_init(const char *realm,
                     const char *workgroup,
-                    const char *ldap_server);
+                    const char *ldap_server,
+                    enum ads_sasl_state_e sasl_state);
 bool ads_set_sasl_wrap_flags(ADS_STRUCT *ads, int flags);
 void ads_destroy(ADS_STRUCT **ads);
 
index 3ab682c0e3883459bd27f309105af7fc876d39a0..043a1b2124749ae64428eded918fa9e7f3e633bf 100644 (file)
@@ -132,7 +132,8 @@ char *ads_build_domain(const char *dn)
 */
 ADS_STRUCT *ads_init(const char *realm, 
                     const char *workgroup,
-                    const char *ldap_server)
+                    const char *ldap_server,
+                    enum ads_sasl_state_e sasl_state)
 {
        ADS_STRUCT *ads;
        int wrap_flags;
@@ -152,6 +153,17 @@ ADS_STRUCT *ads_init(const char *realm,
                wrap_flags = 0;
        }
 
+       switch (sasl_state) {
+       case ADS_SASL_PLAIN:
+               break;
+       case ADS_SASL_SIGN:
+               wrap_flags |= ADS_AUTH_SASL_SIGN;
+               break;
+       case ADS_SASL_SEAL:
+               wrap_flags |= ADS_AUTH_SASL_SEAL;
+               break;
+       }
+
        ads->auth.flags = wrap_flags;
 
        /* Start with the configured page size when the connection is new,
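Review bot: The new `switch (sasl_state)` has no `default:` case, so a value outside the enum (the parameter is an enum, but C will happily accept any int) silently yields an unsealed connection, because `wrap_flags` keeps only the configured bits. Since the point of the change is to guarantee sealing for sensitive callers, an unknown level should fail closed rather than open, e.g. `default: wrap_flags |= ADS_AUTH_SASL_SEAL; break;`, or reject the argument if ads_init() may return NULL for bad input (the pygpo.c caller comments that it "always succeeds or crashes", so the project convention needs confirming). If the project deliberately omits `default:` to keep -Wswitch coverage of new enum values, a one-line comment saying so would stop the next reader from re-raising this. ads_init() continues outside the hunk.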
index 42c37d9e9d2fbd96efabe066c6bc08d495be185b..793e97efdacdba10df227f8a19a74474df074004 100644 (file)
@@ -2966,7 +2966,7 @@ ADS_STATUS ads_current_time(ADS_STRUCT *ads)
 
        if ( !ads->ldap.ld ) {
                if ( (ads_s = ads_init( ads->server.realm, ads->server.workgroup, 
-                       ads->server.ldap_server )) == NULL )
+                       ads->server.ldap_server, ADS_SASL_PLAIN )) == NULL )
                {
                        status = ADS_ERROR(LDAP_NO_MEMORY);
                        goto done;
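Review bot: The temporary `ads_s` connection is created with `ADS_SASL_PLAIN` regardless of how the caller's `ads` was set up, so a caller holding a sealed connection gets an unsealed side connection for this lookup; the same pattern is in the ads_domain_func_level() hunk below. The data read here is presumably not sensitive, so plain may be fine, but that reasoning is not recorded; either inherit the parent's level or add `/* read-only query, plain SASL is sufficient */` above the call. ads_current_time() continues outside the hunk.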
@@ -3028,7 +3028,7 @@ ADS_STATUS ads_domain_func_level(ADS_STRUCT *ads, uint32_t *val)
 
        if ( !ads->ldap.ld ) {
                if ( (ads_s = ads_init( ads->server.realm, ads->server.workgroup, 
-                       ads->server.ldap_server )) == NULL )
+                       ads->server.ldap_server, ADS_SASL_PLAIN )) == NULL )
                {
                        status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
                        goto done;
index d2a6ed1876dd3d81880960c1c2430e8465a0c1d4..3e24ba77dfde7e17ecd83a4b7e1f510338382585 100644 (file)
@@ -140,7 +140,8 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name,
 
        my_ads = ads_init(dns_domain_name,
                          netbios_domain_name,
-                         dc_name);
+                         dc_name,
+                         ADS_SASL_SEAL);
        if (!my_ads) {
                return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
        }
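Review bot: `ADS_SASL_SEAL` is passed here without a comment, and this is the one call site where the commit's requirement actually lives, so a reader of libnet_connect_ads() cannot tell that the choice is deliberate rather than a default. A one-line comment above the call, `/* The join must go over a sealed LDAP connection; never downgrade this to PLAIN. */`, documents the invariant at the point it is enforced. libnet_connect_ads() continues outside the hunk.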
index 4ee5b5278e443d482d91cf94f0fa4883169c15b8..f63dde61603a2140f77c17f77065bd235f6625cb 100644 (file)
@@ -69,7 +69,7 @@ static bool ads_dc_name(const char *domain,
 
        /* Try this 3 times then give up. */
        for( i =0 ; i < 3; i++) {
-               ads = ads_init(realm, domain, NULL);
+               ads = ads_init(realm, domain, NULL, ADS_SASL_PLAIN);
                if (!ads) {
                        TALLOC_FREE(sitename);
                        return False;
index 2588e1de7e778e0be0926dd165cbf03315490b1d..a82f1361fc83f8e3d88119f72f3c287e5d38a899 100644 (file)
@@ -227,7 +227,7 @@ WERROR nt_printer_guid_retrieve(TALLOC_CTX *mem_ctx, const char *printer,
                return WERR_NOT_ENOUGH_MEMORY;
        }
 
-       ads = ads_init(lp_realm(), lp_workgroup(), NULL);
+       ads = ads_init(lp_realm(), lp_workgroup(), NULL, ADS_SASL_PLAIN);
        if (ads == NULL) {
                result = WERR_RPC_S_SERVER_UNAVAILABLE;
                goto out;
@@ -577,7 +577,7 @@ WERROR nt_printer_publish(TALLOC_CTX *mem_ctx,
 
        TALLOC_FREE(sinfo2);
 
-       ads = ads_init(lp_realm(), lp_workgroup(), NULL);
+       ads = ads_init(lp_realm(), lp_workgroup(), NULL, ADS_SASL_PLAIN);
        if (!ads) {
                DEBUG(3, ("ads_init() failed\n"));
                win_rc = WERR_RPC_S_SERVER_UNAVAILABLE;
@@ -633,7 +633,7 @@ WERROR check_published_printers(struct messaging_context *msg_ctx)
        tmp_ctx = talloc_new(NULL);
        if (!tmp_ctx) return WERR_NOT_ENOUGH_MEMORY;
 
-       ads = ads_init(lp_realm(), lp_workgroup(), NULL);
+       ads = ads_init(lp_realm(), lp_workgroup(), NULL, ADS_SASL_PLAIN);
        if (!ads) {
                DEBUG(3, ("ads_init() failed\n"));
                return WERR_RPC_S_SERVER_UNAVAILABLE;
index 97d417125dce736f0e9a4fe1b0b97d5eb306e0f5..b7b221ddafac69e6c18f81b9bc4495c4a5ee70c0 100644 (file)
@@ -620,7 +620,10 @@ retry_connect:
                realm = assume_own_realm(c);
        }
 
-       ads = ads_init(realm, c->opt_target_workgroup, c->opt_host);
+       ads = ads_init(realm,
+                       c->opt_target_workgroup,
+                       c->opt_host,
+                       ADS_SASL_PLAIN);
 
        if (!c->opt_user_name) {
                c->opt_user_name = "administrator";
@@ -729,7 +732,8 @@ static int net_ads_check_int(const char *realm, const char *workgroup, const cha
        ADS_STRUCT *ads;
        ADS_STATUS status;
 
-       if ( (ads = ads_init( realm, workgroup, host )) == NULL ) {
+       ads = ads_init(realm, workgroup, host, ADS_SASL_PLAIN);
+       if (ads == NULL ) {
                return -1;
        }
 
@@ -1764,7 +1768,7 @@ static void _net_ads_join_dns_updates(struct net_context *c, TALLOC_CTX *ctx, st
         * kinit with the machine password to do dns update.
         */
 
-       ads_dns = ads_init(lp_realm(), NULL, r->in.dc_name);
+       ads_dns = ads_init(lp_realm(), NULL, r->in.dc_name, ADS_SASL_PLAIN);
 
        if (ads_dns == NULL) {
                d_fprintf(stderr, _("DNS update failed: out of memory!\n"));
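Review bot: `ads_dns` is created with `ADS_SASL_PLAIN` inside the join flow, while the commit's stated intent is to require sealing for joining, and nothing at the call site explains why this connection is exempt. The surrounding comment suggests the struct is only used to kinit with the machine password for the DNS update, in which case plain is acceptable, but that should be written down, e.g. `/* Only used to obtain credentials for the DNS update; no LDAP traffic that needs sealing. */` above the call, provided that is actually true. _net_ads_join_dns_updates() continues outside the hunk.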
@@ -2655,7 +2659,8 @@ static int net_ads_password(struct net_context *c, int argc, const char **argv)
 
        /* use the realm so we can eventually change passwords for users
        in realms other than default */
-       if (!(ads = ads_init(realm, c->opt_workgroup, c->opt_host))) {
+       ads = ads_init(realm, c->opt_workgroup, c->opt_host, ADS_SASL_PLAIN);
+       if (ads == NULL) {
                return -1;
        }
 
index 485ca831be9616ccea32be806eefa123a2ed3802..20f47eb5954f67d569aaa250d75ac0524c50fc36 100644 (file)
@@ -110,7 +110,10 @@ static ADS_STATUS ads_cached_connection_connect(ADS_STRUCT **adsp,
        /* we don't want this to affect the users ccache */
        setenv("KRB5CCNAME", WINBIND_CCACHE_NAME, 1);
 
-       ads = ads_init(target_realm, target_dom_name, ldap_server);
+       ads = ads_init(target_realm,
+                      target_dom_name,
+                      ldap_server,
+                      ADS_SASL_SEAL);
        if (!ads) {
                DEBUG(1,("ads_init for domain %s failed\n", target_dom_name));
                return ADS_ERROR(LDAP_NO_MEMORY);
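Review bot: Passing `ADS_SASL_SEAL` here makes every cached winbindd LDAP connection sealed, which goes beyond the "for joining" scope in the commit title and is not documented at the call site. A comment such as `/* winbindd talks to the DC with its machine credentials; always seal. */` would make the widened scope explicit, and it is worth confirming that a DC or configuration that cannot negotiate sealing now fails loudly at connect time rather than in a less obvious place. ads_cached_connection_connect() continues outside the hunk.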
index b9a1c1eda7b27cdf7252e1a980dfaf623df159dc..0e671ca22be9019afbaa95dbe805929298d4a9f2 100644 (file)
@@ -1414,7 +1414,10 @@ static bool dcip_check_name(TALLOC_CTX *mem_ctx,
 
                print_sockaddr(addr, sizeof(addr), pss);
 
-               ads = ads_init(domain->alt_name, domain->name, addr);
+               ads = ads_init(domain->alt_name,
+                              domain->name,
+                              addr,
+                              ADS_SASL_PLAIN);
                ads->auth.flags |= ADS_AUTH_NO_BIND;
                ads->config.flags |= request_flags;
                ads->server.no_fallback = true;
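Review bot: The result of the rewritten `ads_init()` call is dereferenced on the very next line, `ads->auth.flags |= ADS_AUTH_NO_BIND;`, without a NULL check, while every other call site touched by this commit tests for NULL first. Since the signature was already being reworked here, add `if (ads == NULL) { return false; }` between the call and the flag assignments (dcip_check_name() is declared `static bool`, so `false` appears to be the failure value, but confirm against the rest of the function). The NO_BIND flag means `ADS_SASL_PLAIN` is the right level for this probe. dcip_check_name() continues outside the hunk.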