*/
#include "includes.h"
+#include "lib/ldb/include/includes.h"
#ifdef HAVE_LDAP
gotalarm = 1;
}
-LDAP *ldap_open_with_timeout(const char *server, int port, unsigned int to)
+ LDAP *ldap_open_with_timeout(const char *server, int port, unsigned int to)
{
LDAP *ldp = NULL;
bool ads_closest_dc(ADS_STRUCT *ads)
{
- if (ads->config.flags & ADS_CLOSEST) {
- DEBUG(10,("ads_closest_dc: ADS_CLOSEST flag set\n"));
+ if (ads->config.flags & NBT_SERVER_CLOSEST) {
+ DEBUG(10,("ads_closest_dc: NBT_SERVER_CLOSEST flag set\n"));
return True;
}
/* not sure if this can ever happen */
if (ads_sitename_match(ads)) {
- DEBUG(10,("ads_closest_dc: ADS_CLOSEST flag not set but sites match\n"));
+ DEBUG(10,("ads_closest_dc: NBT_SERVER_CLOSEST flag not set but sites match\n"));
+ return True;
+ }
+
+ if (ads->config.client_site_name == NULL) {
+ DEBUG(10,("ads_closest_dc: client belongs to no site\n"));
return True;
}
try a connection to a given ldap server, returning True and setting the servers IP
in the ads struct if successful
*/
-bool ads_try_connect(ADS_STRUCT *ads, const char *server )
+static bool ads_try_connect(ADS_STRUCT *ads, const char *server, bool gc)
{
char *srv;
- struct cldap_netlogon_reply cldap_reply;
+ struct NETLOGON_SAM_LOGON_RESPONSE_EX cldap_reply;
+ TALLOC_CTX *mem_ctx = NULL;
+ bool ret = false;
if (!server || !*server) {
return False;
DEBUG(5,("ads_try_connect: sending CLDAP request to %s (realm: %s)\n",
server, ads->server.realm));
+ mem_ctx = talloc_init("ads_try_connect");
+ if (!mem_ctx) {
+ DEBUG(0,("out of memory\n"));
+ return false;
+ }
+
/* this copes with inet_ntoa brokenness */
srv = SMB_STRDUP(server);
ZERO_STRUCT( cldap_reply );
- if ( !ads_cldap_netlogon( srv, ads->server.realm, &cldap_reply ) ) {
+ if ( !ads_cldap_netlogon_5(mem_ctx, srv, ads->server.realm, &cldap_reply ) ) {
DEBUG(3,("ads_try_connect: CLDAP request %s failed.\n", srv));
- SAFE_FREE( srv );
- return False;
+ ret = false;
+ goto out;
}
/* Check the CLDAP reply flags */
- if ( !(cldap_reply.flags & ADS_LDAP) ) {
+ if ( !(cldap_reply.server_type & NBT_SERVER_LDAP) ) {
DEBUG(1,("ads_try_connect: %s's CLDAP reply says it is not an LDAP server!\n",
srv));
- SAFE_FREE( srv );
- return False;
+ ret = false;
+ goto out;
}
/* Fill in the ads->config values */
SAFE_FREE(ads->config.client_site_name);
SAFE_FREE(ads->server.workgroup);
- ads->config.flags = cldap_reply.flags;
- ads->config.ldap_server_name = SMB_STRDUP(cldap_reply.hostname);
- strupper_m(cldap_reply.domain);
- ads->config.realm = SMB_STRDUP(cldap_reply.domain);
+ ads->config.flags = cldap_reply.server_type;
+ ads->config.ldap_server_name = SMB_STRDUP(cldap_reply.pdc_dns_name);
+ ads->config.realm = SMB_STRDUP(cldap_reply.dns_domain);
+ strupper_m(ads->config.realm);
ads->config.bind_path = ads_build_dn(ads->config.realm);
- if (*cldap_reply.server_site_name) {
+ if (*cldap_reply.server_site) {
ads->config.server_site_name =
- SMB_STRDUP(cldap_reply.server_site_name);
+ SMB_STRDUP(cldap_reply.server_site);
}
- if (*cldap_reply.client_site_name) {
+ if (*cldap_reply.client_site) {
ads->config.client_site_name =
- SMB_STRDUP(cldap_reply.client_site_name);
+ SMB_STRDUP(cldap_reply.client_site);
}
- ads->server.workgroup = SMB_STRDUP(cldap_reply.netbios_domain);
+ ads->server.workgroup = SMB_STRDUP(cldap_reply.domain);
- ads->ldap.port = LDAP_PORT;
+ ads->ldap.port = gc ? LDAP_GC_PORT : LDAP_PORT;
if (!interpret_string_addr(&ads->ldap.ss, srv, 0)) {
DEBUG(1,("ads_try_connect: unable to convert %s "
"to an address\n",
srv));
- SAFE_FREE( srv );
- return False;
+ ret = false;
+ goto out;
}
- SAFE_FREE(srv);
-
/* Store our site name. */
- sitename_store( cldap_reply.domain, cldap_reply.client_site_name );
+ sitename_store( cldap_reply.domain, cldap_reply.client_site);
+ sitename_store( cldap_reply.dns_domain, cldap_reply.client_site);
- return True;
+ ret = true;
+ out:
+ SAFE_FREE(srv);
+ TALLOC_FREE(mem_ctx);
+
+ return ret;
}
/**********************************************************************
static NTSTATUS ads_find_dc(ADS_STRUCT *ads)
{
+ const char *c_domain;
const char *c_realm;
int count, i=0;
struct ip_service *ip_list;
const char *realm;
+ const char *domain;
bool got_realm = False;
bool use_own_domain = False;
char *sitename;
if ( use_own_domain )
c_realm = lp_workgroup();
}
+ }
- if ( !c_realm || !*c_realm ) {
- DEBUG(0,("ads_find_dc: no realm or workgroup! Don't know what to do\n"));
- return NT_STATUS_INVALID_PARAMETER; /* rather need MISSING_PARAMETER ... */
- }
+ if ( !c_realm || !*c_realm ) {
+ DEBUG(0,("ads_find_dc: no realm or workgroup! Don't know what to do\n"));
+ return NT_STATUS_INVALID_PARAMETER; /* rather need MISSING_PARAMETER ... */
+ }
+
+ if ( use_own_domain ) {
+ c_domain = lp_workgroup();
+ } else {
+ c_domain = ads->server.workgroup;
}
realm = c_realm;
+ domain = c_domain;
+
+ /*
+ * In case of LDAP we use get_dc_name() as that
+ * creates the custom krb5.conf file
+ */
+ if (!(ads->auth.flags & ADS_AUTH_NO_BIND)) {
+ fstring srv_name;
+ struct sockaddr_storage ip_out;
+
+ DEBUG(6,("ads_find_dc: (ldap) looking for %s '%s'\n",
+ (got_realm ? "realm" : "domain"), realm));
+
+ if (get_dc_name(domain, realm, srv_name, &ip_out)) {
+ /*
+ * we call ads_try_connect() to fill in the
+ * ads->config details
+ */
+ if (ads_try_connect(ads, srv_name, false)) {
+ return NT_STATUS_OK;
+ }
+ }
+
+ return NT_STATUS_NO_LOGON_SERVERS;
+ }
sitename = sitename_fetch(realm);
again:
- DEBUG(6,("ads_find_dc: looking for %s '%s'\n",
+ DEBUG(6,("ads_find_dc: (cldap) looking for %s '%s'\n",
(got_realm ? "realm" : "domain"), realm));
status = get_sorted_dc_list(realm, sitename, &ip_list, &count, got_realm);
}
}
- if ( ads_try_connect(ads, server) ) {
+ if ( ads_try_connect(ads, server, false) ) {
SAFE_FREE(ip_list);
SAFE_FREE(sitename);
return NT_STATUS_OK;
return NT_STATUS_NO_LOGON_SERVERS;
}
+/*********************************************************************
+ *********************************************************************/
+
+static NTSTATUS ads_lookup_site(void)
+{
+ ADS_STRUCT *ads = NULL;
+ ADS_STATUS ads_status;
+ NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
+
+ ads = ads_init(lp_realm(), NULL, NULL);
+ if (!ads) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ /* The NO_BIND here will find a DC and set the client site
+ but not establish the TCP connection */
+
+ ads->auth.flags = ADS_AUTH_NO_BIND;
+ ads_status = ads_connect(ads);
+ if (!ADS_ERR_OK(ads_status)) {
+ DEBUG(4, ("ads_lookup_site: ads_connect to our realm failed! (%s)\n",
+ ads_errstr(ads_status)));
+ }
+ nt_status = ads_ntstatus(ads_status);
+
+ if (ads) {
+ ads_destroy(&ads);
+ }
+
+ return nt_status;
+}
+
+/*********************************************************************
+ *********************************************************************/
+
+static const char* host_dns_domain(const char *fqdn)
+{
+ const char *p = fqdn;
+
+ /* go to next char following '.' */
+
+ if ((p = strchr_m(fqdn, '.')) != NULL) {
+ p++;
+ }
+
+ return p;
+}
+
+
+/**
+ * Connect to the Global Catalog server
+ * @param ads Pointer to an existing ADS_STRUCT
+ * @return status of connection
+ *
+ * Simple wrapper around ads_connect() that fills in the
+ * GC ldap server information
+ **/
+
+ADS_STATUS ads_connect_gc(ADS_STRUCT *ads)
+{
+ TALLOC_CTX *frame = talloc_stackframe();
+ struct dns_rr_srv *gcs_list;
+ int num_gcs;
+ char *realm = ads->server.realm;
+ NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
+ ADS_STATUS ads_status = ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
+ int i;
+ bool done = false;
+ char *sitename = NULL;
+
+ if (!realm)
+ realm = lp_realm();
+
+ if ((sitename = sitename_fetch(realm)) == NULL) {
+ ads_lookup_site();
+ sitename = sitename_fetch(realm);
+ }
+
+ do {
+ /* We try once with a sitename and once without
+ (unless we don't have a sitename and then we're
+ done */
+
+ if (sitename == NULL)
+ done = true;
+
+ nt_status = ads_dns_query_gcs(frame, realm, sitename,
+ &gcs_list, &num_gcs);
+
+ SAFE_FREE(sitename);
+
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ ads_status = ADS_ERROR_NT(nt_status);
+ goto done;
+ }
+
+ /* Loop until we get a successful connection or have gone
+ through them all. When connecting a GC server, make sure that
+ the realm is the server's DNS name and not the forest root */
+
+ for (i=0; i<num_gcs; i++) {
+ ads->server.gc = true;
+ ads->server.ldap_server = SMB_STRDUP(gcs_list[i].hostname);
+ ads->server.realm = SMB_STRDUP(host_dns_domain(ads->server.ldap_server));
+ ads_status = ads_connect(ads);
+ if (ADS_ERR_OK(ads_status)) {
+ /* Reset the bind_dn to "". A Global Catalog server
+ may host multiple domain trees in a forest.
+ Windows 2003 GC server will accept "" as the search
+ path to imply search all domain trees in the forest */
+
+ SAFE_FREE(ads->config.bind_path);
+ ads->config.bind_path = SMB_STRDUP("");
+
+
+ goto done;
+ }
+ SAFE_FREE(ads->server.ldap_server);
+ SAFE_FREE(ads->server.realm);
+ }
+
+ TALLOC_FREE(gcs_list);
+ num_gcs = 0;
+ } while (!done);
+
+done:
+ SAFE_FREE(sitename);
+ talloc_destroy(frame);
+
+ return ads_status;
+}
+
/**
* Connect to the LDAP server
/* try with a user specified server */
- if (ads->server.ldap_server &&
- ads_try_connect(ads, ads->server.ldap_server)) {
- goto got_connection;
+ if (DEBUGLEVEL >= 11) {
+ char *s = NDR_PRINT_STRUCT_STRING(talloc_tos(), ads_struct, ads);
+ DEBUG(11,("ads_connect: entering\n"));
+ DEBUGADD(11,("%s\n", s));
+ TALLOC_FREE(s);
+ }
+
+ if (ads->server.ldap_server)
+ {
+ if (ads_try_connect(ads, ads->server.ldap_server, ads->server.gc)) {
+ goto got_connection;
+ }
+
+ /* The choice of which GC use is handled one level up in
+ ads_connect_gc(). If we continue on from here with
+ ads_find_dc() we will get GC searches on port 389 which
+ doesn't work. --jerry */
+
+ if (ads->server.gc == true) {
+ return ADS_ERROR(LDAP_OPERATIONS_ERROR);
+ }
}
ntstatus = ads_find_dc(ads);
goto got_connection;
}
- return ADS_ERROR_NT(ntstatus);
+ status = ADS_ERROR_NT(ntstatus);
+ goto out;
got_connection:
/* Must use the userPrincipalName value here or sAMAccountName
and not servicePrincipalName; found by Guenther Deschner */
- asprintf(&ads->auth.user_name, "%s$", global_myname() );
+ if (asprintf(&ads->auth.user_name, "%s$", global_myname() ) == -1) {
+ DEBUG(0,("ads_connect: asprintf fail.\n"));
+ ads->auth.user_name = NULL;
+ }
}
if (!ads->auth.realm) {
/* this is a really nasty hack to avoid ADS DNS problems. It needs a patch
to MIT kerberos to work (tridge) */
{
- char *env;
- asprintf(&env, "KRB5_KDC_ADDRESS_%s", ads->config.realm);
- setenv(env, ads->auth.kdc_server, 1);
- free(env);
+ char *env = NULL;
+ if (asprintf(&env, "KRB5_KDC_ADDRESS_%s", ads->config.realm) > 0) {
+ setenv(env, ads->auth.kdc_server, 1);
+ free(env);
+ }
}
#endif
/* If the caller() requested no LDAP bind, then we are done */
if (ads->auth.flags & ADS_AUTH_NO_BIND) {
- return ADS_SUCCESS;
+ status = ADS_SUCCESS;
+ goto out;
}
ads->ldap.mem_ctx = talloc_init("ads LDAP connection memory");
if (!ads->ldap.mem_ctx) {
- return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
+ status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
+ goto out;
}
/* Otherwise setup the TCP LDAP session */
ads->ldap.ld = ldap_open_with_timeout(ads->config.ldap_server_name,
- LDAP_PORT, lp_ldap_timeout());
+ ads->ldap.port, lp_ldap_timeout());
if (ads->ldap.ld == NULL) {
- return ADS_ERROR(LDAP_OPERATIONS_ERROR);
+ status = ADS_ERROR(LDAP_OPERATIONS_ERROR);
+ goto out;
}
DEBUG(3,("Connected to LDAP server %s\n", ads->config.ldap_server_name));
/* cache the successful connection for workgroup and realm */
if (ads_closest_dc(ads)) {
- print_sockaddr(addr, sizeof(addr), &ads->ldap.ss);
- saf_store( ads->server.workgroup, addr);
- saf_store( ads->server.realm, addr);
+ saf_store( ads->server.workgroup, ads->config.ldap_server_name);
+ saf_store( ads->server.realm, ads->config.ldap_server_name);
}
ldap_set_option(ads->ldap.ld, LDAP_OPT_PROTOCOL_VERSION, &version);
- status = ADS_ERROR(smb_ldap_start_tls(ads->ldap.ld, version));
- if (!ADS_ERR_OK(status)) {
- return status;
+ if ( lp_ldap_ssl_ads() ) {
+ status = ADS_ERROR(smb_ldap_start_tls(ads->ldap.ld, version));
+ if (!ADS_ERR_OK(status)) {
+ goto out;
+ }
}
/* fill in the current time and offsets */
status = ads_current_time( ads );
if ( !ADS_ERR_OK(status) ) {
- return status;
+ goto out;
}
/* Now do the bind */
if (ads->auth.flags & ADS_AUTH_ANON_BIND) {
- return ADS_ERROR(ldap_simple_bind_s( ads->ldap.ld, NULL, NULL));
+ status = ADS_ERROR(ldap_simple_bind_s(ads->ldap.ld, NULL, NULL));
+ goto out;
}
if (ads->auth.flags & ADS_AUTH_SIMPLE_BIND) {
- return ADS_ERROR(ldap_simple_bind_s( ads->ldap.ld, ads->auth.user_name, ads->auth.password));
+ status = ADS_ERROR(ldap_simple_bind_s(ads->ldap.ld, ads->auth.user_name, ads->auth.password));
+ goto out;
+ }
+
+ status = ads_sasl_bind(ads);
+
+ out:
+ if (DEBUGLEVEL >= 11) {
+ char *s = NDR_PRINT_STRUCT_STRING(talloc_tos(), ads_struct, ads);
+ DEBUG(11,("ads_connect: leaving with: %s\n",
+ ads_errstr(status)));
+ DEBUGADD(11,("%s\n", s));
+ TALLOC_FREE(s);
}
- return ads_sasl_bind(ads);
+ return status;
+}
+
+/**
+ * Connect to the LDAP server using given credentials
+ * @param ads Pointer to an existing ADS_STRUCT
+ * @return status of connection
+ **/
+ADS_STATUS ads_connect_user_creds(ADS_STRUCT *ads)
+{
+ ads->auth.flags |= ADS_AUTH_USER_CREDS;
+
+ return ads_connect(ads);
}
/**
{
char **values;
int i;
-
+ size_t size;
+
if (!in_vals) return NULL;
for (i=0; in_vals[i]; i++)
; /* count values */
if (!values) return NULL;
for (i=0; in_vals[i]; i++) {
- push_utf8_talloc(ctx, &values[i], in_vals[i]);
+ if (!push_utf8_talloc(ctx, &values[i], in_vals[i], &size)) {
+ TALLOC_FREE(values);
+ return NULL;
+ }
}
return values;
}
{
char **values;
int i;
+ size_t converted_size;
if (!in_vals) return NULL;
for (i=0; in_vals[i]; i++)
if (!values) return NULL;
for (i=0; in_vals[i]; i++) {
- pull_utf8_talloc(ctx, &values[i], in_vals[i]);
+ if (!pull_utf8_talloc(ctx, &values[i], in_vals[i],
+ &converted_size)) {
+ DEBUG(0,("ads_pull_strvals: pull_utf8_talloc failed: "
+ "%s", strerror(errno)));
+ }
}
return values;
}
int *count, struct berval **cookie)
{
int rc, i, version;
- char *utf8_expr, *utf8_path, **search_attrs;
+ char *utf8_expr, *utf8_path, **search_attrs = NULL;
+ size_t converted_size;
LDAPControl PagedResults, NoReferrals, ExternalCtrl, *controls[4], **rcontrols;
BerElement *cookie_be = NULL;
struct berval *cookie_bv= NULL;
/* 0 means the conversion worked but the result was empty
so we only fail if it's -1. In any case, it always
at least nulls out the dest */
- if ((push_utf8_talloc(ctx, &utf8_expr, expr) == (size_t)-1) ||
- (push_utf8_talloc(ctx, &utf8_path, bind_path) == (size_t)-1)) {
+ if (!push_utf8_talloc(ctx, &utf8_expr, expr, &converted_size) ||
+ !push_utf8_talloc(ctx, &utf8_path, bind_path, &converted_size))
+ {
rc = LDAP_NO_MEMORY;
goto done;
}
else {
/* This would be the utf8-encoded version...*/
/* if (!(search_attrs = ads_push_strvals(ctx, attrs))) */
- if (!(str_list_copy(&search_attrs, attrs))) {
+ if (!(search_attrs = str_list_copy(talloc_tos(), attrs))) {
rc = LDAP_NO_MEMORY;
goto done;
}
}
/* if/when we decide to utf8-encode attrs, take out this next line */
- str_list_free(&search_attrs);
+ TALLOC_FREE(search_attrs);
return ADS_ERROR(rc);
}
/* this relies on the way that ldap_add_result_entry() works internally. I hope
that this works on all ldap libs, but I have only tested with openldap */
- for (msg = ads_first_entry(ads, res2); msg; msg = next) {
- next = ads_next_entry(ads, msg);
+ for (msg = ads_first_message(ads, res2); msg; msg = next) {
+ next = ads_next_message(ads, msg);
ldap_add_result_entry((LDAPMessage **)res, msg);
}
/* note that we do not free res2, as the memory is now
{
int rc;
char *utf8_expr, *utf8_path, **search_attrs = NULL;
+ size_t converted_size;
TALLOC_CTX *ctx;
*res = NULL;
/* 0 means the conversion worked but the result was empty
so we only fail if it's negative. In any case, it always
at least nulls out the dest */
- if ((push_utf8_talloc(ctx, &utf8_expr, expr) == (size_t)-1) ||
- (push_utf8_talloc(ctx, &utf8_path, bind_path) == (size_t)-1)) {
+ if (!push_utf8_talloc(ctx, &utf8_expr, expr, &converted_size) ||
+ !push_utf8_talloc(ctx, &utf8_path, bind_path, &converted_size))
+ {
DEBUG(1,("ads_do_search: push_utf8_talloc() failed!"));
rc = LDAP_NO_MEMORY;
goto done;
else {
/* This would be the utf8-encoded version...*/
/* if (!(search_attrs = ads_push_strvals(ctx, attrs))) */
- if (!(str_list_copy(&search_attrs, attrs)))
+ if (!(search_attrs = str_list_copy(talloc_tos(), attrs)))
{
DEBUG(1,("ads_do_search: str_list_copy() failed!"));
rc = LDAP_NO_MEMORY;
done:
talloc_destroy(ctx);
/* if/when we decide to utf8-encode attrs, take out this next line */
- str_list_free(&search_attrs);
+ TALLOC_FREE(search_attrs);
return ADS_ERROR(rc);
}
/**
char *ads_get_dn(ADS_STRUCT *ads, LDAPMessage *msg)
{
char *utf8_dn, *unix_dn;
+ size_t converted_size;
utf8_dn = ldap_get_dn(ads->ldap.ld, msg);
return NULL;
}
- if (pull_utf8_allocate(&unix_dn, utf8_dn) == (size_t)-1) {
+ if (!pull_utf8_allocate(&unix_dn, utf8_dn, &converted_size)) {
DEBUG(0,("ads_get_dn: string conversion failure utf8 [%s]\n",
utf8_dn ));
return NULL;
{
int ret,i;
char *utf8_dn = NULL;
+ size_t converted_size;
/*
this control is needed to modify that contains a currently
non-existent attribute (but allowable for the object) to run
controls[0] = &PermitModify;
controls[1] = NULL;
- if (push_utf8_allocate(&utf8_dn, mod_dn) == -1) {
+ if (!push_utf8_allocate(&utf8_dn, mod_dn, &converted_size)) {
return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
}
{
int ret, i;
char *utf8_dn = NULL;
+ size_t converted_size;
- if (push_utf8_allocate(&utf8_dn, new_dn) == -1) {
+ if (!push_utf8_allocate(&utf8_dn, new_dn, &converted_size)) {
DEBUG(1, ("ads_gen_add: push_utf8_allocate failed!"));
return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
}
{
int ret;
char *utf8_dn = NULL;
- if (push_utf8_allocate(&utf8_dn, del_dn) == -1) {
+ size_t converted_size;
+ if (!push_utf8_allocate(&utf8_dn, del_dn, &converted_size)) {
DEBUG(1, ("ads_del_dn: push_utf8_allocate failed!"));
return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
}
}
/**
- * Determines the computer account's current KVNO via an LDAP lookup
+ * Determines the an account's current KVNO via an LDAP lookup
* @param ads An initialized ADS_STRUCT
- * @param machine_name the NetBIOS name of the computer, which is used to identify the computer account.
- * @return the kvno for the computer account, or -1 in case of a failure.
+ * @param account_name the NT samaccountname.
+ * @return the kvno for the account, or -1 in case of a failure.
**/
-uint32 ads_get_kvno(ADS_STRUCT *ads, const char *machine_name)
+uint32 ads_get_kvno(ADS_STRUCT *ads, const char *account_name)
{
LDAPMessage *res = NULL;
uint32 kvno = (uint32)-1; /* -1 indicates a failure */
char *dn_string = NULL;
ADS_STATUS ret = ADS_ERROR(LDAP_SUCCESS);
- DEBUG(5,("ads_get_kvno: Searching for host %s\n", machine_name));
- if (asprintf(&filter, "(samAccountName=%s$)", machine_name) == -1) {
+ DEBUG(5,("ads_get_kvno: Searching for account %s\n", account_name));
+ if (asprintf(&filter, "(samAccountName=%s)", account_name) == -1) {
return kvno;
}
ret = ads_search(ads, &res, filter, attrs);
SAFE_FREE(filter);
- if (!ADS_ERR_OK(ret) && ads_count_replies(ads, res)) {
- DEBUG(1,("ads_get_kvno: Computer Account For %s not found.\n", machine_name));
+ if (!ADS_ERR_OK(ret) || (ads_count_replies(ads, res) != 1)) {
+ DEBUG(1,("ads_get_kvno: Account for %s not found.\n", account_name));
ads_msgfree(ads, res);
return kvno;
}
return kvno;
}
+/**
+ * Determines the computer account's current KVNO via an LDAP lookup
+ * @param ads An initialized ADS_STRUCT
+ * @param machine_name the NetBIOS name of the computer, which is used to identify the computer account.
+ * @return the kvno for the computer account, or -1 in case of a failure.
+ **/
+
+uint32_t ads_get_machine_kvno(ADS_STRUCT *ads, const char *machine_name)
+{
+ char *computer_account = NULL;
+ uint32_t kvno = -1;
+
+ if (asprintf(&computer_account, "%s$", machine_name) < 0) {
+ return kvno;
+ }
+
+ kvno = ads_get_kvno(ads, computer_account);
+ free(computer_account);
+
+ return kvno;
+}
+
/**
* This clears out all registered spn's for a given hostname
* @param ads An initilaized ADS_STRUCT
memcpy(guid.info, values[i]->bv_val, sizeof(guid.info));
smb_uuid_unpack(guid, &tmp);
- printf("%s: %s\n", field, smb_uuid_string(talloc_tos(), tmp));
+ printf("%s: %s\n", field, GUID_string(talloc_tos(), &tmp));
}
}
{
LDAPMessage *msg;
TALLOC_CTX *ctx;
+ size_t converted_size;
if (!(ctx = talloc_init("ads_process_results")))
return;
char *field;
bool string;
- pull_utf8_talloc(ctx, &field, utf8_field);
+ if (!pull_utf8_talloc(ctx, &field, utf8_field,
+ &converted_size))
+ {
+ DEBUG(0,("ads_process_results: "
+ "pull_utf8_talloc failed: %s",
+ strerror(errno)));
+ }
+
string = fn(ads, field, NULL, data_area);
if (string) {
return ldap_next_entry(ads->ldap.ld, res);
}
+/**
+ * pull the first message from a ADS result
+ * @param ads connection to ads server
+ * @param res Results of search
+ * @return first message from result
+ **/
+ LDAPMessage *ads_first_message(ADS_STRUCT *ads, LDAPMessage *res)
+{
+ return ldap_first_message(ads->ldap.ld, res);
+}
+
+/**
+ * pull the next message from a ADS result
+ * @param ads connection to ads server
+ * @param res Results of search
+ * @return next message from result
+ **/
+ LDAPMessage *ads_next_message(ADS_STRUCT *ads, LDAPMessage *res)
+{
+ return ldap_next_message(ads->ldap.ld, res);
+}
+
/**
* pull a single string from a ADS result
* @param ads connection to ads server
char **values;
char *ret = NULL;
char *ux_string;
- size_t rc;
+ size_t converted_size;
values = ldap_get_values(ads->ldap.ld, msg, field);
if (!values)
return NULL;
- if (values[0]) {
- rc = pull_utf8_talloc(mem_ctx, &ux_string,
- values[0]);
- if (rc != (size_t)-1)
- ret = ux_string;
-
+ if (values[0] && pull_utf8_talloc(mem_ctx, &ux_string, values[0],
+ &converted_size))
+ {
+ ret = ux_string;
}
ldap_value_free(values);
return ret;
char **values;
char **ret = NULL;
int i;
+ size_t converted_size;
values = ldap_get_values(ads->ldap.ld, msg, field);
if (!values)
}
for (i=0;i<*num_values;i++) {
- if (pull_utf8_talloc(mem_ctx, &ret[i], values[i]) == -1) {
+ if (!pull_utf8_talloc(mem_ctx, &ret[i], values[i],
+ &converted_size))
+ {
ldap_value_free(values);
return NULL;
}
if ( (ads_s = ads_init( ads->server.realm, ads->server.workgroup,
ads->server.ldap_server )) == NULL )
{
+ status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
goto done;
}
ads_s->auth.flags = ADS_AUTH_ANON_BIND;
/**
* pull a DOM_SID from an extended dn string
- * @param mem_ctx TALLOC_CTX
+ * @param mem_ctx TALLOC_CTX
* @param extended_dn string
* @param flags string type of extended_dn
* @param sid pointer to a DOM_SID
- * @return boolean inidicating success
+ * @return NT_STATUS_OK on success,
+ * NT_INVALID_PARAMETER on error,
+ * NT_STATUS_NOT_FOUND if no SID present
**/
-bool ads_get_sid_from_extended_dn(TALLOC_CTX *mem_ctx,
- const char *extended_dn,
- enum ads_extended_dn_flags flags,
- DOM_SID *sid)
+ADS_STATUS ads_get_sid_from_extended_dn(TALLOC_CTX *mem_ctx,
+ const char *extended_dn,
+ enum ads_extended_dn_flags flags,
+ DOM_SID *sid)
{
char *p, *q, *dn;
if (!extended_dn) {
- return False;
+ return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
}
/* otherwise extended_dn gets stripped off */
if ((dn = talloc_strdup(mem_ctx, extended_dn)) == NULL) {
- return False;
+ return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
}
- /*
+ /*
* ADS_EXTENDED_DN_HEX_STRING:
* <GUID=238e1963cb390f4bb032ba0105525a29>;<SID=010500000000000515000000bb68c8fd6b61b427572eb04556040000>;CN=gd,OU=berlin,OU=suse,DC=ber,DC=suse,DC=de
*
* ADS_EXTENDED_DN_STRING (only with w2k3):
- <GUID=63198e23-39cb-4b0f-b032-ba0105525a29>;<SID=S-1-5-21-4257769659-666132843-1169174103-1110>;CN=gd,OU=berlin,OU=suse,DC=ber,DC=suse,DC=de
+ * <GUID=63198e23-39cb-4b0f-b032-ba0105525a29>;<SID=S-1-5-21-4257769659-666132843-1169174103-1110>;CN=gd,OU=berlin,OU=suse,DC=ber,DC=suse,DC=de
+ *
+ * Object with no SID, such as an Exchange Public Folder
+ * <GUID=28907fb4bdf6854993e7f0a10b504e7c>;CN=public,CN=Microsoft Exchange System Objects,DC=sd2k3ms,DC=west,DC=isilon,DC=com
*/
p = strchr(dn, ';');
if (!p) {
- return False;
+ return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
}
if (strncmp(p, ";<SID=", strlen(";<SID=")) != 0) {
- return False;
+ DEBUG(5,("No SID present in extended dn\n"));
+ return ADS_ERROR_NT(NT_STATUS_NOT_FOUND);
}
p += strlen(";<SID=");
q = strchr(p, '>');
if (!q) {
- return False;
+ return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
}
-
+
*q = '\0';
DEBUG(100,("ads_get_sid_from_extended_dn: sid string is %s\n", p));
switch (flags) {
-
+
case ADS_EXTENDED_DN_STRING:
if (!string_to_sid(sid, p)) {
- return False;
+ return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
}
break;
case ADS_EXTENDED_DN_HEX_STRING: {
buf_len = strhex_to_str(buf, sizeof(buf), p, strlen(p));
if (buf_len == 0) {
- return False;
+ return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
}
if (!sid_parse(buf, buf_len, sid)) {
DEBUG(10,("failed to parse sid\n"));
- return False;
+ return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
}
break;
}
default:
DEBUG(10,("unknown extended dn format\n"));
- return False;
+ return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
}
- return True;
+ return ADS_ERROR_NT(NT_STATUS_OK);
}
/**
* @param sids pointer to sid array to allocate
* @return the count of SIDs pulled
**/
- int ads_pull_sids_from_extendeddn(ADS_STRUCT *ads,
- TALLOC_CTX *mem_ctx,
- LDAPMessage *msg,
+ int ads_pull_sids_from_extendeddn(ADS_STRUCT *ads,
+ TALLOC_CTX *mem_ctx,
+ LDAPMessage *msg,
const char *field,
enum ads_extended_dn_flags flags,
DOM_SID **sids)
{
int i;
- size_t dn_count;
+ ADS_STATUS rc;
+ size_t dn_count, ret_count = 0;
char **dn_strings;
- if ((dn_strings = ads_pull_strings(ads, mem_ctx, msg, field,
+ if ((dn_strings = ads_pull_strings(ads, mem_ctx, msg, field,
&dn_count)) == NULL) {
return 0;
}
}
for (i=0; i<dn_count; i++) {
-
- if (!ads_get_sid_from_extended_dn(mem_ctx, dn_strings[i],
- flags, &(*sids)[i])) {
- TALLOC_FREE(*sids);
- TALLOC_FREE(dn_strings);
- return 0;
+ rc = ads_get_sid_from_extended_dn(mem_ctx, dn_strings[i],
+ flags, &(*sids)[i]);
+ if (!ADS_ERR_OK(rc)) {
+ if (NT_STATUS_EQUAL(ads_ntstatus(rc),
+ NT_STATUS_NOT_FOUND)) {
+ continue;
+ }
+ else {
+ TALLOC_FREE(*sids);
+ TALLOC_FREE(dn_strings);
+ return 0;
+ }
}
+ ret_count++;
}
TALLOC_FREE(dn_strings);
- return dn_count;
+ return ret_count;
}
/********************************************************************
ADS_STATUS status;
int count = 0;
char *name = NULL;
-
- status = ads_find_machine_acct(ads, &res, global_myname());
+
+ status = ads_find_machine_acct(ads, &res, machine_name);
if (!ADS_ERR_OK(status)) {
DEBUG(0,("ads_get_upn: Failed to find account for %s\n",
global_myname()));
goto out;
}
-
+
if ( (count = ads_count_replies(ads, res)) != 1 ) {
DEBUG(1,("ads_get_upn: %d entries returned!\n", count));
goto out;
}
-
+
if ( (name = ads_pull_string(ads, ctx, res, "userPrincipalName")) == NULL ) {
DEBUG(2,("ads_get_upn: No userPrincipalName attribute!\n"));
}
out:
ads_msgfree(ads, res);
-
+
return name;
}
filter = talloc_asprintf(mem_ctx, "(&(objectclass=user)(sAMAccountName=%s))",
samaccountname);
if (filter == NULL) {
+ status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
goto out;
}
}
expr = talloc_asprintf(mem_ctx, "(rightsGuid=%s)",
- smb_uuid_string(mem_ctx, *rights_guid));
+ GUID_string(mem_ctx, rights_guid));
if (!expr) {
goto done;
}
}
+/**
+ * verify or build and verify an account ou
+ * @param mem_ctx Pointer to talloc context
+ * @param ads connection to ads server
+ * @param account_ou
+ * @return status of search
+ **/
+
+ADS_STATUS ads_check_ou_dn(TALLOC_CTX *mem_ctx,
+ ADS_STRUCT *ads,
+ const char **account_ou)
+{
+ struct ldb_dn *name_dn = NULL;
+ const char *name = NULL;
+ char *ou_string = NULL;
+
+ name_dn = ldb_dn_explode(mem_ctx, *account_ou);
+ if (name_dn) {
+ return ADS_SUCCESS;
+ }
+
+ ou_string = ads_ou_string(ads, *account_ou);
+ if (!ou_string) {
+ return ADS_ERROR_LDAP(LDAP_INVALID_DN_SYNTAX);
+ }
+
+ name = talloc_asprintf(mem_ctx, "%s,%s", ou_string,
+ ads->config.bind_path);
+ SAFE_FREE(ou_string);
+ if (!name) {
+ return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+ }
+
+ name_dn = ldb_dn_explode(mem_ctx, name);
+ if (!name_dn) {
+ return ADS_ERROR_LDAP(LDAP_INVALID_DN_SYNTAX);
+ }
+
+ *account_ou = talloc_strdup(mem_ctx, name);
+ if (!*account_ou) {
+ return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+ }
+
+ return ADS_SUCCESS;
+}
+
#endif