return ldp;
}
+static int ldap_search_with_timeout(LDAP *ld,
+ LDAP_CONST char *base,
+ int scope,
+ LDAP_CONST char *filter,
+ char **attrs,
+ int attrsonly,
+ LDAPControl **sctrls,
+ LDAPControl **cctrls,
+ int sizelimit,
+ LDAPMessage **res )
+{
+ struct timeval timeout;
+ int result;
+
+ /* Setup timeout for the ldap_search_ext_s call - local and remote. */
+ timeout.tv_sec = lp_ldap_timeout();
+ timeout.tv_usec = 0;
+
+ /* Setup alarm timeout.... Do we need both of these ? JRA. */
+ gotalarm = 0;
+ CatchSignal(SIGALRM, SIGNAL_CAST gotalarm_sig);
+ alarm(lp_ldap_timeout());
+ /* End setup timeout. */
+
+ result = ldap_search_ext_s(ld, base, scope, filter, attrs,
+ attrsonly, sctrls, cctrls, &timeout,
+ sizelimit, res);
+
+ /* Teardown timeout. */
+ CatchSignal(SIGALRM, SIGNAL_CAST SIG_IGN);
+ alarm(0);
+
+ if (gotalarm != 0)
+ return LDAP_TIMELIMIT_EXCEEDED;
+
+ return result;
+}
+
/*
try a connection to a given ldap server, returning True and setting the servers IP
in the ads struct if successful
TODO : add a negative connection cache in here leveraged off of the one
found in the rpc code. --jerry
*/
-static BOOL ads_try_connect(ADS_STRUCT *ads, const char *server, unsigned port)
+BOOL ads_try_connect(ADS_STRUCT *ads, const char *server, unsigned port)
{
char *srv;
DEBUG(5,("ads_try_connect: trying ldap server '%s' port %u\n", server, port));
/* this copes with inet_ntoa brokenness */
- srv = strdup(server);
+ srv = SMB_STRDUP(server);
ads->ld = ldap_open_with_timeout(srv, port, lp_ldap_timeout());
if (!ads->ld) {
}
if (!ads->auth.realm) {
- ads->auth.realm = strdup(ads->config.realm);
+ ads->auth.realm = SMB_STRDUP(ads->config.realm);
}
if (!ads->auth.kdc_server) {
- ads->auth.kdc_server = strdup(inet_ntoa(ads->ldap_ip));
+ ads->auth.kdc_server = SMB_STRDUP(inet_ntoa(ads->ldap_ip));
}
#if KRB5_DNS_HACK
if (!in_val) return NULL;
- value = talloc_zero(ctx, sizeof(struct berval));
+ value = TALLOC_ZERO_P(ctx, struct berval);
if (value == NULL)
return NULL;
if (in_val->bv_len == 0) return value;
value->bv_len = in_val->bv_len;
- value->bv_val = talloc_memdup(ctx, in_val->bv_val, in_val->bv_len);
+ value->bv_val = TALLOC_MEMDUP(ctx, in_val->bv_val, in_val->bv_len);
return value;
}
int i;
if (!in_vals) return NULL;
- for (i=0; in_vals[i]; i++); /* count values */
- values = (struct berval **) talloc_zero(ctx,
- (i+1)*sizeof(struct berval *));
+ for (i=0; in_vals[i]; i++)
+ ; /* count values */
+ values = TALLOC_ZERO_ARRAY(ctx, struct berval *, i+1);
if (!values) return NULL;
for (i=0; in_vals[i]; i++) {
int i;
if (!in_vals) return NULL;
- for (i=0; in_vals[i]; i++); /* count values */
- values = (char ** ) talloc_zero(ctx, (i+1)*sizeof(char *));
+ for (i=0; in_vals[i]; i++)
+ ; /* count values */
+ values = TALLOC_ZERO_ARRAY(ctx, char *, i+1);
if (!values) return NULL;
for (i=0; in_vals[i]; i++) {
int i;
if (!in_vals) return NULL;
- for (i=0; in_vals[i]; i++); /* count values */
- values = (char **) talloc_zero(ctx, (i+1)*sizeof(char *));
+ for (i=0; in_vals[i]; i++)
+ ; /* count values */
+ values = TALLOC_ZERO_ARRAY(ctx, char *, i+1);
if (!values) return NULL;
for (i=0; in_vals[i]; i++) {
ber_printf(cookie_be, "{io}", (ber_int_t) 1000, "", 0);
}
ber_flatten(cookie_be, &cookie_bv);
- PagedResults.ldctl_oid = ADS_PAGE_CTL_OID;
+ PagedResults.ldctl_oid = CONST_DISCARD(char *, ADS_PAGE_CTL_OID);
PagedResults.ldctl_iscritical = (char) 1;
PagedResults.ldctl_value.bv_len = cookie_bv->bv_len;
PagedResults.ldctl_value.bv_val = cookie_bv->bv_val;
- NoReferrals.ldctl_oid = ADS_NO_REFERRALS_OID;
+ NoReferrals.ldctl_oid = CONST_DISCARD(char *, ADS_NO_REFERRALS_OID);
NoReferrals.ldctl_iscritical = (char) 0;
NoReferrals.ldctl_value.bv_len = 0;
- NoReferrals.ldctl_value.bv_val = "";
+ NoReferrals.ldctl_value.bv_val = CONST_DISCARD(char *, "");
controls[0] = &NoReferrals;
controls[1] = &PagedResults;
controls[2] = NULL;
- *res = NULL;
-
/* we need to disable referrals as the openldap libs don't
handle them and paged results at the same time. Using them
together results in the result record containing the server
*/
ldap_set_option(ads->ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF);
- rc = ldap_search_ext_s(ads->ld, utf8_path, scope, utf8_expr,
- search_attrs, 0, controls,
- NULL, NULL, LDAP_NO_LIMIT, (LDAPMessage **)res);
+ rc = ldap_search_with_timeout(ads->ld, utf8_path, scope, utf8_expr,
+ search_attrs, 0, controls,
+ NULL, LDAP_NO_LIMIT,
+ (LDAPMessage **)res);
ber_free(cookie_be, 1);
ber_bvfree(cookie_bv);
if (rc) {
- DEBUG(3,("ldap_search_ext_s(%s) -> %s\n", expr, ldap_err2string(rc)));
+ DEBUG(3,("ads_do_paged_search: ldap_search_with_timeout(%s) -> %s\n", expr,
+ ldap_err2string(rc)));
goto done;
}
int count = 0;
ADS_STATUS status;
+ *res = NULL;
status = ads_do_paged_search(ads, bind_path, scope, expr, attrs, res,
&count, &cookie);
const char *expr,
const char **attrs, void **res)
{
- struct timeval timeout;
int rc;
char *utf8_expr, *utf8_path, **search_attrs = NULL;
TALLOC_CTX *ctx;
+ *res = NULL;
if (!(ctx = talloc_init("ads_do_search"))) {
DEBUG(1,("ads_do_search: talloc_init() failed!"));
return ADS_ERROR(LDAP_NO_MEMORY);
}
}
- timeout.tv_sec = ADS_SEARCH_TIMEOUT;
- timeout.tv_usec = 0;
- *res = NULL;
-
/* see the note in ads_do_paged_search - we *must* disable referrals */
ldap_set_option(ads->ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF);
- rc = ldap_search_ext_s(ads->ld, utf8_path, scope, utf8_expr,
- search_attrs, 0, NULL, NULL,
- &timeout, LDAP_NO_LIMIT, (LDAPMessage **)res);
+ rc = ldap_search_with_timeout(ads->ld, utf8_path, scope, utf8_expr,
+ search_attrs, 0, NULL, NULL,
+ LDAP_NO_LIMIT,
+ (LDAPMessage **)res);
if (rc == LDAP_SIZELIMIT_EXCEEDED) {
DEBUG(3,("Warning! sizelimit exceeded in ldap. Truncating.\n"));
char *expr;
const char *attrs[] = {"*", "nTSecurityDescriptor", NULL};
+ *res = NULL;
+
/* the easiest way to find a machine account anywhere in the tree
is to look for hostname$ */
if (asprintf(&expr, "(samAccountName=%s$)", machine) == -1) {
#define ADS_MODLIST_ALLOC_SIZE 10
LDAPMod **mods;
- if ((mods = (LDAPMod **) talloc_zero(ctx, sizeof(LDAPMod *) *
- (ADS_MODLIST_ALLOC_SIZE + 1))))
+ if ((mods = TALLOC_ZERO_ARRAY(ctx, LDAPMod *, ADS_MODLIST_ALLOC_SIZE + 1)))
/* -1 is safety to make sure we don't go over the end.
need to reset it to NULL before doing ldap modify */
mods[ADS_MODLIST_ALLOC_SIZE] = (LDAPMod *) -1;
- return mods;
+ return (ADS_MODLIST)mods;
}
for (curmod=0; modlist[curmod] && modlist[curmod] != (LDAPMod *) -1;
curmod++);
if (modlist[curmod] == (LDAPMod *) -1) {
- if (!(modlist = talloc_realloc(ctx, modlist,
- (curmod+ADS_MODLIST_ALLOC_SIZE+1)*sizeof(LDAPMod *))))
+ if (!(modlist = TALLOC_REALLOC_ARRAY(ctx, modlist, LDAPMod *,
+ curmod+ADS_MODLIST_ALLOC_SIZE+1)))
return ADS_ERROR(LDAP_NO_MEMORY);
memset(&modlist[curmod], 0,
ADS_MODLIST_ALLOC_SIZE*sizeof(LDAPMod *));
modlist[curmod+ADS_MODLIST_ALLOC_SIZE] = (LDAPMod *) -1;
- *mods = modlist;
+ *mods = (ADS_MODLIST)modlist;
}
- if (!(modlist[curmod] = talloc_zero(ctx, sizeof(LDAPMod))))
+ if (!(modlist[curmod] = TALLOC_ZERO_P(ctx, LDAPMod)))
return ADS_ERROR(LDAP_NO_MEMORY);
modlist[curmod]->mod_type = talloc_strdup(ctx, name);
if (mod_op & LDAP_MOD_BVALUES) {
non-existent attribute (but allowable for the object) to run
*/
LDAPControl PermitModify = {
- ADS_PERMIT_MODIFY_OID,
+ CONST_DISCARD(char *, ADS_PERMIT_MODIFY_OID),
{0, NULL},
(char) 1};
LDAPControl *controls[2];
/* make sure the end of the list is NULL */
mods[i] = NULL;
- ret = ldap_add_s(ads->ld, utf8_dn, mods);
+ ret = ldap_add_s(ads->ld, utf8_dn, (LDAPMod**)mods);
SAFE_FREE(utf8_dn);
return ADS_ERROR(ret);
}
ret = ads_default_ou_string(ads, WELL_KNOWN_GUID_COMPUTERS);
/* samba4 might not yet respond to a wellknownobject-query */
- return ret ? ret : strdup("cn=Computers");
+ return ret ? ret : SMB_STRDUP("cn=Computers");
}
if (strequal(org_unit, "Computers")) {
- return strdup("cn=Computers");
+ return SMB_STRDUP("cn=Computers");
}
return ads_build_path(org_unit, "\\/", "ou=", 1);
for (i=1; i < new_ln; i++) {
char *s;
asprintf(&s, "%s,%s", ret, wkn_dn_exp[i]);
- ret = strdup(s);
+ ret = SMB_STRDUP(s);
free(s);
}
ADS_STATUS ret;
TALLOC_CTX *ctx;
LDAPMessage *res = NULL;
- char *host_spn, *host_upn, *psp1, *psp2;
+ char *host_spn, *psp1, *psp2, *psp3;
ADS_MODLIST mods;
fstring my_fqdn;
char *dn_string = NULL;
- const char *servicePrincipalName[3] = {NULL, NULL, NULL};
+ const char *servicePrincipalName[4] = {NULL, NULL, NULL, NULL};
ret = ads_find_machine_acct(ads, (void **)&res, machine_name);
if (!ADS_ERR_OK(ret) || ads_count_replies(ads, res) != 1) {
}
name_to_fqdn(my_fqdn, machine_name);
+ strlower_m(my_fqdn);
+
if (!(host_spn = talloc_asprintf(ctx, "HOST/%s", my_fqdn))) {
talloc_destroy(ctx);
ads_msgfree(ads, res);
return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
}
- if (!(host_upn = talloc_asprintf(ctx, "%s@%s", host_spn, ads->config.realm))) {
- talloc_destroy(ctx);
- ads_msgfree(ads, res);
- return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
- }
/* Add the extra principal */
psp1 = talloc_asprintf(ctx, "%s/%s", spn, machine_name);
DEBUG(5,("ads_add_service_principal_name: INFO: Adding %s to host %s\n", psp2, machine_name));
servicePrincipalName[1] = psp2;
+ /* Add another principal in case the realm != the DNS domain, so that
+ * the KDC doesn't send "server principal unknown" errors to clients
+ * which use the DNS name in determining service principal names. */
+ psp3 = talloc_asprintf(ctx, "%s/%s", spn, my_fqdn);
+ strupper_m(psp3);
+ strlower_m(&psp3[strlen(spn)]);
+ if (strcmp(psp2, psp3) != 0) {
+ DEBUG(5,("ads_add_service_principal_name: INFO: Adding %s to host %s\n", psp3, machine_name));
+ servicePrincipalName[2] = psp3;
+ }
+
if (!(mods = ads_init_mods(ctx))) {
talloc_destroy(ctx);
ads_msgfree(ads, res);
ADS_MODLIST mods;
const char *objectClass[] = {"top", "person", "organizationalPerson",
"user", "computer", NULL};
- const char *servicePrincipalName[5] = {NULL, NULL, NULL, NULL, NULL};
- char *psp, *psp2;
+ const char *servicePrincipalName[7] = {NULL, NULL, NULL, NULL, NULL, NULL, NULL};
+ char *psp, *psp2, *psp3, *psp4;
unsigned acct_control;
unsigned exists=0;
fstring my_fqdn;
LDAPMessage *res = NULL;
+ int i, next_spn;
if (!(ctx = talloc_init("ads_add_machine_acct")))
return ADS_ERROR(LDAP_NO_MEMORY);
strlower_m(&psp2[5]);
servicePrincipalName[3] = psp2;
+ /* Ensure servicePrincipalName[4] and [5] are unique. */
+ strlower_m(my_fqdn);
+ psp3 = talloc_asprintf(ctx, "CIFS/%s", my_fqdn);
+ strlower_m(&psp3[5]);
+
+ next_spn = 4;
+ for (i = 0; i < next_spn; i++) {
+ if (strequal(servicePrincipalName[i], psp3))
+ break;
+ }
+ if (i == next_spn) {
+ servicePrincipalName[next_spn++] = psp3;
+ }
+
+ psp4 = talloc_asprintf(ctx, "HOST/%s", my_fqdn);
+ strlower_m(&psp4[5]);
+ for (i = 0; i < next_spn; i++) {
+ if (strequal(servicePrincipalName[i], psp4))
+ break;
+ }
+ if (i == next_spn) {
+ servicePrincipalName[next_spn++] = psp4;
+ }
+
if (!(samAccountName = talloc_asprintf(ctx, "%s$", machine_name))) {
goto done;
}
char *machine;
/* machine name must be lowercase */
- machine = strdup(machine_name);
+ machine = SMB_STRDUP(machine_name);
strlower_m(machine);
/*
status = ads_add_machine_acct(ads, machine, account_type, org_unit);
if (!ADS_ERR_OK(status)) {
- DEBUG(0, ("ads_add_machine_acct (%s): %s\n", machine, ads_errstr(status)));
+ DEBUG(0, ("ads_join_realm: ads_add_machine_acct failed (%s): %s\n", machine, ads_errstr(status)));
SAFE_FREE(machine);
return status;
}
status = ads_find_machine_acct(ads, (void **)&res, machine);
if (!ADS_ERR_OK(status)) {
- DEBUG(0, ("Host account test failed for machine %s\n", machine));
+ DEBUG(0, ("ads_join_realm: Host account test failed for machine %s\n", machine));
SAFE_FREE(machine);
return status;
}
int rc;
/* hostname must be lowercase */
- host = strdup(hostname);
+ host = SMB_STRDUP(hostname);
strlower_m(host);
status = ads_find_machine_acct(ads, &res, host);
if (!(mods = ads_init_mods(ctx))) return ADS_ERROR(LDAP_NO_MEMORY);
bval.bv_len = prs_offset(&ps_wire);
- bval.bv_val = talloc(ctx, bval.bv_len);
+ bval.bv_val = TALLOC(ctx, bval.bv_len);
if (!bval.bv_val) {
ret = ADS_ERROR(LDAP_NO_MEMORY);
goto ads_set_sd_error;
*num_values = ldap_count_values(values);
- ret = talloc(mem_ctx, sizeof(char *) * (*num_values+1));
+ ret = TALLOC_ARRAY(mem_ctx, char *, *num_values + 1);
if (!ret) {
ldap_value_free(values);
return NULL;
return NULL;
}
- strings = talloc_realloc(mem_ctx, current_strings,
- sizeof(*current_strings) *
- (*num_strings + num_new_strings));
+ strings = TALLOC_REALLOC_ARRAY(mem_ctx, current_strings, char *,
+ *num_strings + num_new_strings);
if (strings == NULL) {
ldap_memfree(range_attr);
for (i=0; values[i]; i++)
/* nop */ ;
- (*sids) = talloc(mem_ctx, sizeof(DOM_SID) * i);
+ (*sids) = TALLOC_ARRAY(mem_ctx, DOM_SID, i);
if (!(*sids)) {
ldap_value_free_len(values);
return 0;
SAFE_FREE(ads->config.ldap_server_name);
- ads->config.ldap_server_name = strdup(p+1);
+ ads->config.ldap_server_name = SMB_STRDUP(p+1);
p = strchr(ads->config.ldap_server_name, '$');
if (!p || p[1] != '@') {
talloc_destroy(ctx);
SAFE_FREE(ads->config.realm);
SAFE_FREE(ads->config.bind_path);
- ads->config.realm = strdup(p+2);
+ ads->config.realm = SMB_STRDUP(p+2);
ads->config.bind_path = ads_build_dn(ads->config.realm);
DEBUG(3,("got ldap server name %s@%s, using bind path: %s\n",
int i;
void *res;
const char *attrs[] = {"servicePrincipalName", NULL};
- int num_principals;
+ size_t num_principals;
(*workgroup) = NULL;
asprintf(&expr, "(&(objectclass=computer)(dnshostname=%s.%s))",
ads->config.ldap_server_name, ads->config.realm);
+ if (expr == NULL) {
+ ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
+ }
+
rc = ads_search(ads, &res, expr, attrs);
free(expr);