+++ /dev/null
-/*
- Unix SMB/CIFS implementation.
-
- Winbind ADS backend functions
-
- Copyright (C) Andrew Tridgell 2001
- Copyright (C) Andrew Bartlett 2002
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-*/
-
-#include "includes.h"
-#ifdef HAVE_LDAP
-
-/* convert a single name to a sid in a domain */
-NTSTATUS ads_name_to_sid(ADS_STRUCT *ads,
- const char *name,
- DOM_SID *sid,
- enum samr_SidType *type)
-{
- const char *attrs[] = {"objectSid", "sAMAccountType", NULL};
- int count;
- ADS_STATUS rc;
- void *res = NULL;
- char *ldap_exp;
- uint32_t t;
- NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
- char *escaped_name = escape_ldap_string_alloc(name);
- char *escaped_realm = escape_ldap_string_alloc(ads->config.realm);
-
- if (!escaped_name || !escaped_realm) {
- status = NT_STATUS_NO_MEMORY;
- goto done;
- }
-
- if (asprintf(&ldap_exp, "(|(sAMAccountName=%s)(userPrincipalName=%s@%s))",
- escaped_name, escaped_name, escaped_realm) == -1) {
- DEBUG(1,("ads_name_to_sid: asprintf failed!\n"));
- status = NT_STATUS_NO_MEMORY;
- goto done;
- }
-
- rc = ads_search_retry(ads, &res, ldap_exp, attrs);
- free(ldap_exp);
- if (!ADS_ERR_OK(rc)) {
- DEBUG(1,("name_to_sid ads_search: %s\n", ads_errstr(rc)));
- goto done;
- }
-
- count = ads_count_replies(ads, res);
- if (count != 1) {
- DEBUG(1,("name_to_sid: %s not found\n", name));
- goto done;
- }
-
- if (!ads_pull_sid(ads, res, "objectSid", sid)) {
- DEBUG(1,("No sid for %s !?\n", name));
- goto done;
- }
-
- if (!ads_pull_uint32_t(ads, res, "sAMAccountType", &t)) {
- DEBUG(1,("No sAMAccountType for %s !?\n", name));
- goto done;
- }
-
- *type = ads_atype_map(t);
-
- status = NT_STATUS_OK;
-
- DEBUG(3,("ads name_to_sid mapped %s\n", name));
-
-done:
- if (res) ads_msgfree(ads, res);
-
- SAFE_FREE(escaped_name);
- SAFE_FREE(escaped_realm);
-
- return status;
-}
-
-/* convert a sid to a user or group name */
-NTSTATUS ads_sid_to_name(ADS_STRUCT *ads,
- TALLOC_CTX *mem_ctx,
- const DOM_SID *sid,
- char **name,
- enum samr_SidType *type)
-{
- const char *attrs[] = {"userPrincipalName",
- "sAMAccountName",
- "sAMAccountType", NULL};
- ADS_STATUS rc;
- void *msg = NULL;
- char *ldap_exp = NULL;
- char *sidstr = NULL;
- uint32_t atype;
- NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
-
- if (!(sidstr = sid_binstring(sid))) {
- DEBUG(1,("ads_sid_to_name: sid_binstring failed!\n"));
- status = NT_STATUS_NO_MEMORY;
- goto done;
- }
-
- if (asprintf(&ldap_exp, "(objectSid=%s)", sidstr) == -1) {
- DEBUG(1,("ads_sid_to_name: asprintf failed!\n"));
- status = NT_STATUS_NO_MEMORY;
- goto done;
- }
-
- rc = ads_search_retry(ads, &msg, ldap_exp, attrs);
- if (!ADS_ERR_OK(rc)) {
- status = ads_ntstatus(rc);
- DEBUG(1,("ads_sid_to_name ads_search: %s\n", ads_errstr(rc)));
- goto done;
- }
-
- if (!ads_pull_uint32_t(ads, msg, "sAMAccountType", &atype)) {
- goto done;
- }
-
- *name = ads_pull_username(ads, mem_ctx, msg);
- if (!*name) {
- DEBUG(1,("ads_sid_to_name: ads_pull_username retuned NULL!\n"));
- status = NT_STATUS_NO_MEMORY;
- goto done;
- }
-
- *type = ads_atype_map(atype);
-
- status = NT_STATUS_OK;
-
- DEBUG(3,("ads sid_to_name mapped %s\n", *name));
-
-done:
- if (msg) ads_msgfree(ads, msg);
-
- SAFE_FREE(ldap_exp);
- SAFE_FREE(sidstr);
-
- return status;
-}
-
-
-/* convert a sid to a DN */
-
-ADS_STATUS ads_sid_to_dn(ADS_STRUCT *ads,
- TALLOC_CTX *mem_ctx,
- const DOM_SID *sid,
- char **dn)
-{
- ADS_STATUS rc;
- LDAPMessage *msg = NULL;
- LDAPMessage *entry = NULL;
- char *ldap_exp;
- char *sidstr = NULL;
- int count;
- char *dn2 = NULL;
-
- const char *attr[] = {
- "dn",
- NULL
- };
-
- if (!(sidstr = sid_binstring(sid))) {
- DEBUG(1,("ads_sid_to_dn: sid_binstring failed!\n"));
- rc = ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
- goto done;
- }
-
- if(!(ldap_exp = talloc_asprintf(mem_ctx, "(objectSid=%s)", sidstr))) {
- DEBUG(1,("ads_sid_to_dn: talloc_asprintf failed!\n"));
- rc = ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
- goto done;
- }
-
- rc = ads_search_retry(ads, (void **)&msg, ldap_exp, attr);
-
- if (!ADS_ERR_OK(rc)) {
- DEBUG(1,("ads_sid_to_dn ads_search: %s\n", ads_errstr(rc)));
- goto done;
- }
-
- if ((count = ads_count_replies(ads, msg)) != 1) {
- fstring sid_string;
- DEBUG(1,("ads_sid_to_dn (sid=%s): Not found (count=%d)\n",
- sid_to_string(sid_string, sid), count));
- rc = ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
- goto done;
- }
-
- entry = ads_first_entry(ads, msg);
-
- dn2 = ads_get_dn(ads, entry);
-
- if (!dn2) {
- rc = ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
- goto done;
- }
-
- *dn = talloc_strdup(mem_ctx, dn2);
-
- if (!*dn) {
- ads_memfree(ads, dn2);
- rc = ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
- goto done;
- }
-
- rc = ADS_ERROR_NT(NT_STATUS_OK);
-
- DEBUG(3,("ads sid_to_dn mapped %s\n", dn2));
-
- SAFE_FREE(dn2);
-done:
- if (msg) ads_msgfree(ads, msg);
- if (dn2) ads_memfree(ads, dn2);
-
- SAFE_FREE(sidstr);
-
- return rc;
-}
-
-#endif
+++ /dev/null
-/*
- Unix SMB/CIFS implementation.
- ads (active directory) utility library
- Copyright (C) Andrew Tridgell 2001
- Copyright (C) Remus Koos 2001
- Copyright (C) Andrew Bartlett 2001
-
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-*/
-
-#include "includes.h"
-
-/*
- build a ADS_STATUS structure
-*/
-ADS_STATUS ads_build_error(enum ads_error_type etype,
- int rc, int minor_status)
-{
- ADS_STATUS ret;
-
- if (etype == ENUM_ADS_ERROR_NT) {
- DEBUG(0,("don't use ads_build_error with ENUM_ADS_ERROR_NT!\n"));
- ret.err.rc = -1;
- ret.error_type = ENUM_ADS_ERROR_SYSTEM;
- ret.minor_status = 0;
- return ret;
- }
-
- ret.err.rc = rc;
- ret.error_type = etype;
- ret.minor_status = minor_status;
- return ret;
-}
-
-ADS_STATUS ads_build_nt_error(enum ads_error_type etype,
- NTSTATUS nt_status)
-{
- ADS_STATUS ret;
-
- if (etype != ENUM_ADS_ERROR_NT) {
- DEBUG(0,("don't use ads_build_nt_error without ENUM_ADS_ERROR_NT!\n"));
- ret.err.rc = -1;
- ret.error_type = ENUM_ADS_ERROR_SYSTEM;
- ret.minor_status = 0;
- return ret;
- }
- ret.err.nt_status = nt_status;
- ret.error_type = etype;
- ret.minor_status = 0;
- return ret;
-}
-
-/*
- do a rough conversion between ads error codes and NT status codes
- we'll need to fill this in more
-*/
-NTSTATUS ads_ntstatus(ADS_STATUS status)
-{
- if (status.error_type == ENUM_ADS_ERROR_NT){
- return status.err.nt_status;
- }
-#ifdef HAVE_LDAP
- if ((status.error_type == ENUM_ADS_ERROR_LDAP)
- && (status.err.rc == LDAP_NO_MEMORY)) {
- return NT_STATUS_NO_MEMORY;
- }
-#endif
-#ifdef HAVE_KRB5
- if (status.error_type == ENUM_ADS_ERROR_KRB5) {
- if (status.err.rc == KRB5KDC_ERR_PREAUTH_FAILED) {
- return NT_STATUS_LOGON_FAILURE;
- } else if (status.err.rc == KRB5_KDC_UNREACH) {
- return NT_STATUS_NO_LOGON_SERVERS;
- }
- }
-#endif
- if (ADS_ERR_OK(status)) return NT_STATUS_OK;
- return NT_STATUS_UNSUCCESSFUL;
-}
-
-/*
- return a string for an error from a ads routine
-*/
-const char *ads_errstr(ADS_STATUS status)
-{
- uint32_t msg_ctx;
- static char *ret;
-
- SAFE_FREE(ret);
- msg_ctx = 0;
-
- switch (status.error_type) {
- case ENUM_ADS_ERROR_SYSTEM:
- return strerror(status.err.rc);
-#ifdef HAVE_LDAP
- case ENUM_ADS_ERROR_LDAP:
- return ldap_err2string(status.err.rc);
-#endif
-#ifdef HAVE_KRB5
- case ENUM_ADS_ERROR_KRB5:
- return error_message(status.err.rc);
-#endif
-#ifdef HAVE_GSSAPI
- case ENUM_ADS_ERROR_GSS:
- {
- uint32_t minor;
-
- gss_buffer_desc msg1, msg2;
- msg1.value = NULL;
- msg2.value = NULL;
- gss_display_status(&minor, status.err.rc, GSS_C_GSS_CODE,
- GSS_C_NULL_OID, &msg_ctx, &msg1);
- gss_display_status(&minor, status.minor_status, GSS_C_MECH_CODE,
- GSS_C_NULL_OID, &msg_ctx, &msg2);
- asprintf(&ret, "%s : %s", (char *)msg1.value, (char *)msg2.value);
- gss_release_buffer(&minor, &msg1);
- gss_release_buffer(&minor, &msg2);
- return ret;
- }
-#endif
- case ENUM_ADS_ERROR_NT:
- return get_friendly_nt_error_msg(ads_ntstatus(status));
- default:
- return "Unknown ADS error type!? (not compiled in?)";
- }
-
-}
-
-
+++ /dev/null
-/*
- Unix SMB/CIFS implementation.
- ads (active directory) utility library
- Copyright (C) Andrew Tridgell 2001
- Copyright (C) Andrew Bartlett 2001
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-*/
-
-#include "includes.h"
-
-/* return a ldap dn path from a string, given separators and field name
- caller must free
-*/
-char *ads_build_path(const char *realm, const char *sep, const char *field, int reverse)
-{
- char *p, *r;
- int numbits = 0;
- char *ret;
- int len;
-
- r = strdup(realm);
-
- if (!r || !*r)
- return r;
-
- for (p=r; *p; p++)
- if (strchr(sep, *p))
- numbits++;
-
- len = (numbits+1)*(strlen(field)+1) + strlen(r) + 1;
-
- ret = malloc(len);
- if (!ret)
- return NULL;
-
- strlcpy(ret,field, len);
- p=strtok(r,sep);
- strlcat(ret, p, len);
-
- while ((p=strtok(NULL,sep))) {
- char *s;
- if (reverse)
- asprintf(&s, "%s%s,%s", field, p, ret);
- else
- asprintf(&s, "%s,%s%s", ret, field, p);
- free(ret);
- ret = s;
- }
-
- free(r);
- return ret;
-}
-
-/* return a dn of the form "dc=AA,dc=BB,dc=CC" from a
- realm of the form AA.BB.CC
- caller must free
-*/
-char *ads_build_dn(const char *realm)
-{
- return ads_build_path(realm, ".", "dc=", 0);
-}
-
-
-#ifndef LDAP_PORT
-#define LDAP_PORT 389
-#endif
-
-/*
- initialise a ADS_STRUCT, ready for some ads_ ops
-*/
-ADS_STRUCT *ads_init(const char *realm,
- const char *workgroup,
- const char *ldap_server)
-{
- ADS_STRUCT *ads;
-
- ads = smb_xmalloc_p(ADS_STRUCT);
- ZERO_STRUCTP(ads);
-
- ads->server.realm = realm? strdup(realm) : NULL;
- ads->server.workgroup = workgroup ? strdup(workgroup) : NULL;
- ads->server.ldap_server = ldap_server? strdup(ldap_server) : NULL;
-
- /* we need to know if this is a foreign realm */
- if (realm && *realm && !strequal(lp_realm(), realm)) {
- ads->server.foreign = 1;
- }
- if (workgroup && *workgroup && !strequal(lp_workgroup(), workgroup)) {
- ads->server.foreign = 1;
- }
-
- return ads;
-}
-
-/* a simpler ads_init() interface using all defaults */
-ADS_STRUCT *ads_init_simple(void)
-{
- return ads_init(NULL, NULL, NULL);
-}
-
-/*
- free the memory used by the ADS structure initialized with 'ads_init(...)'
-*/
-void ads_destroy(ADS_STRUCT **ads)
-{
- if (ads && *ads) {
-#if HAVE_LDAP
- if ((*ads)->ld) ldap_unbind((*ads)->ld);
-#endif
- SAFE_FREE((*ads)->server.realm);
- SAFE_FREE((*ads)->server.workgroup);
- SAFE_FREE((*ads)->server.ldap_server);
- SAFE_FREE((*ads)->server.ldap_uri);
-
- SAFE_FREE((*ads)->auth.realm);
- SAFE_FREE((*ads)->auth.password);
- SAFE_FREE((*ads)->auth.user_name);
- SAFE_FREE((*ads)->auth.kdc_server);
-
- SAFE_FREE((*ads)->config.realm);
- SAFE_FREE((*ads)->config.bind_path);
- SAFE_FREE((*ads)->config.ldap_server_name);
-
- ZERO_STRUCTP(*ads);
- SAFE_FREE(*ads);
- }
-}
+++ /dev/null
-/*
- Unix SMB/CIFS implementation.
- Samba utility functions. ADS stuff
- Copyright (C) Alexey Kotovich 2002
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-*/
-
-#include "includes.h"
-
-static struct perm_mask_str {
- uint32_t mask;
- const char *str;
-} perms[] = {
- {SEC_RIGHTS_FULL_CTRL, "[Full Control]"},
-
- {SEC_RIGHTS_LIST_CONTENTS, "[List Contents]"},
- {SEC_RIGHTS_LIST_OBJECT, "[List Object]"},
-
- {SEC_RIGHTS_READ_ALL_PROP, "[Read All Properties]"},
- {SEC_RIGHTS_READ_PERMS, "[Read Permissions]"},
-
- {SEC_RIGHTS_WRITE_ALL_VALID, "[All validate writes]"},
- {SEC_RIGHTS_WRITE_ALL_PROP, "[Write All Properties]"},
-
- {SEC_RIGHTS_MODIFY_PERMS, "[Modify Permissions]"},
- {SEC_RIGHTS_MODIFY_OWNER, "[Modify Owner]"},
-
- {SEC_RIGHTS_CREATE_CHILD, "[Create All Child Objects]"},
-
- {SEC_RIGHTS_DELETE, "[Delete]"},
- {SEC_RIGHTS_DELETE_SUBTREE, "[Delete Subtree]"},
- {SEC_RIGHTS_DELETE_CHILD, "[Delete All Child Objects]"},
-
- {SEC_RIGHTS_CHANGE_PASSWD, "[Change Password]"},
- {SEC_RIGHTS_RESET_PASSWD, "[Reset Password]"},
- {0, 0}
-};
-
-/* convert a security permissions into a string */
-static void ads_disp_perms(uint32_t type)
-{
- int i = 0;
- int j = 0;
-
- printf("Permissions: ");
-
- if (type == SEC_RIGHTS_FULL_CTRL) {
- printf("%s\n", perms[j].str);
- return;
- }
-
- for (i = 0; i < 32; i++) {
- if (type & (1 << i)) {
- for (j = 1; perms[j].str; j ++) {
- if (perms[j].mask == (((uint_t) 1) << i)) {
- printf("\n\t%s", perms[j].str);
- }
- }
- type &= ~(1 << i);
- }
- }
-
- /* remaining bits get added on as-is */
- if (type != 0) {
- printf("[%08x]", type);
- }
- puts("");
-}
-
-/* display ACE */
-static void ads_disp_ace(SEC_ACE *sec_ace)
-{
- const char *access_type = "UNKNOWN";
-
- if (!sec_ace_object(sec_ace->type)) {
- printf("------- ACE (type: 0x%02x, flags: 0x%02x, size: 0x%02x, mask: 0x%x)\n",
- sec_ace->type,
- sec_ace->flags,
- sec_ace->size,
- sec_ace->info.mask);
- } else {
- printf("------- ACE (type: 0x%02x, flags: 0x%02x, size: 0x%02x, mask: 0x%x, object flags: 0x%x)\n",
- sec_ace->type,
- sec_ace->flags,
- sec_ace->size,
- sec_ace->info.mask,
- sec_ace->obj_flags);
- }
-
- if (sec_ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED) {
- access_type = "ALLOWED";
- } else if (sec_ace->type == SEC_ACE_TYPE_ACCESS_DENIED) {
- access_type = "DENIED";
- } else if (sec_ace->type == SEC_ACE_TYPE_SYSTEM_AUDIT) {
- access_type = "SYSTEM AUDIT";
- } else if (sec_ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT) {
- access_type = "ALLOWED OBJECT";
- } else if (sec_ace->type == SEC_ACE_TYPE_ACCESS_DENIED_OBJECT) {
- access_type = "DENIED OBJECT";
- } else if (sec_ace->type == SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT) {
- access_type = "AUDIT OBJECT";
- }
-
- printf("access SID: %s\naccess type: %s\n",
- sid_string_static(&sec_ace->trustee), access_type);
-
- ads_disp_perms(sec_ace->info.mask);
-}
-
-/* display ACL */
-static void ads_disp_acl(SEC_ACL *sec_acl, const char *type)
-{
- if (!sec_acl)
- printf("------- (%s) ACL not present\n", type);
- else {
- printf("------- (%s) ACL (revision: %d, size: %d, number of ACEs: %d)\n",
- type,
- sec_acl->revision,
- sec_acl->size,
- sec_acl->num_aces);
- }
-}
-
-/* display SD */
-void ads_disp_sd(SEC_DESC *sd)
-{
- int i;
-
- printf("-------------- Security Descriptor (revision: %d, type: 0x%02x)\n",
- sd->revision,
- sd->type);
- printf("owner SID: %s\n", sid_string_static(sd->owner_sid));
- printf("group SID: %s\n", sid_string_static(sd->grp_sid));
-
- ads_disp_acl(sd->sacl, "system");
- for (i = 0; i < sd->sacl->num_aces; i ++)
- ads_disp_ace(&sd->sacl->ace[i]);
-
- ads_disp_acl(sd->dacl, "user");
- for (i = 0; i < sd->dacl->num_aces; i ++)
- ads_disp_ace(&sd->dacl->ace[i]);
-
- printf("-------------- End Of Security Descriptor\n");
-}
-
-
+++ /dev/null
-/*
- Unix SMB/CIFS implementation.
- krb5 set password implementation
- Copyright (C) Andrew Tridgell 2001
- Copyright (C) Remus Koos 2001 (remuskoos@yahoo.com)
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-*/
-
-#include "includes.h"
-
-#ifdef HAVE_KRB5
-
-#define DEFAULT_KPASSWD_PORT 464
-#define KRB5_KPASSWD_VERS_CHANGEPW 1
-#define KRB5_KPASSWD_VERS_SETPW 2
-#define KRB5_KPASSWD_VERS_SETPW_MS 0xff80
-#define KRB5_KPASSWD_ACCESSDENIED 5
-#define KRB5_KPASSWD_BAD_VERSION 6
-#define KRB5_KPASSWD_INITIAL_FLAG_NEEDED 7
-
-/* Those are defined by kerberos-set-passwd-02.txt and are probably
- * not supported by M$ implementation */
-#define KRB5_KPASSWD_POLICY_REJECT 8
-#define KRB5_KPASSWD_BAD_PRINCIPAL 9
-#define KRB5_KPASSWD_ETYPE_NOSUPP 10
-
-/* This implements kerberos password change protocol as specified in
- * kerb-chg-password-02.txt and kerberos-set-passwd-02.txt
- * as well as microsoft version of the protocol
- * as specified in kerberos-set-passwd-00.txt
- */
-static DATA_BLOB encode_krb5_setpw(const char *principal, const char *password)
-{
- char* princ_part1 = NULL;
- char* princ_part2 = NULL;
- char* realm = NULL;
- char* c;
- char* princ;
- struct asn1_data req;
- DATA_BLOB ret;
-
-
- princ = strdup(principal);
-
- if ((c = strchr(princ, '/')) == NULL) {
- c = princ;
- } else {
- *c = '\0';
- c++;
- princ_part1 = princ;
- }
-
- princ_part2 = c;
-
- if ((c = strchr(c, '@')) != NULL) {
- *c = '\0';
- c++;
- realm = c;
- }
-
- memset(&req, 0, sizeof(req));
-
- asn1_push_tag(&req, ASN1_SEQUENCE(0));
- asn1_push_tag(&req, ASN1_CONTEXT(0));
- asn1_write_OctetString(&req, password, strlen(password));
- asn1_pop_tag(&req);
-
- asn1_push_tag(&req, ASN1_CONTEXT(1));
- asn1_push_tag(&req, ASN1_SEQUENCE(0));
-
- asn1_push_tag(&req, ASN1_CONTEXT(0));
- asn1_write_Integer(&req, 1);
- asn1_pop_tag(&req);
-
- asn1_push_tag(&req, ASN1_CONTEXT(1));
- asn1_push_tag(&req, ASN1_SEQUENCE(0));
-
- if (princ_part1)
- asn1_write_GeneralString(&req, princ_part1);
-
- asn1_write_GeneralString(&req, princ_part2);
- asn1_pop_tag(&req);
- asn1_pop_tag(&req);
- asn1_pop_tag(&req);
- asn1_pop_tag(&req);
-
- asn1_push_tag(&req, ASN1_CONTEXT(2));
- asn1_write_GeneralString(&req, realm);
- asn1_pop_tag(&req);
- asn1_pop_tag(&req);
-
- ret = data_blob(req.data, req.length);
- asn1_free(&req);
-
- free(princ);
-
- return ret;
-}
-
-static krb5_error_code build_kpasswd_request(uint16_t pversion,
- krb5_context context,
- krb5_auth_context auth_context,
- krb5_data *ap_req,
- const char *princ,
- const char *passwd,
- krb5_data *packet)
-{
- krb5_error_code ret;
- krb5_data cipherpw;
- krb5_data encoded_setpw;
- krb5_replay_data replay;
- char *p;
- DATA_BLOB setpw;
-
- ret = krb5_auth_con_setflags(context,
- auth_context,KRB5_AUTH_CONTEXT_DO_SEQUENCE);
- if (ret) {
- DEBUG(1,("krb5_auth_con_setflags failed (%s)\n",
- error_message(ret)));
- return ret;
- }
-
- /* handle protocol differences in chpw and setpw */
- if (pversion == KRB5_KPASSWD_VERS_CHANGEPW)
- setpw = data_blob(passwd, strlen(passwd));
- else if (pversion == KRB5_KPASSWD_VERS_SETPW ||
- pversion == KRB5_KPASSWD_VERS_SETPW_MS)
- setpw = encode_krb5_setpw(princ, passwd);
- else
- return EINVAL;
-
- encoded_setpw.data = (char *)setpw.data;
- encoded_setpw.length = setpw.length;
-
- ret = krb5_mk_priv(context, auth_context,
- &encoded_setpw, &cipherpw, &replay);
-
- data_blob_free(&setpw); /*from 'encode_krb5_setpw(...)' */
-
- if (ret) {
- DEBUG(1,("krb5_mk_priv failed (%s)\n", error_message(ret)));
- return ret;
- }
-
- packet->data = (char *)malloc(ap_req->length + cipherpw.length + 6);
- if (!packet->data)
- return -1;
-
- /* see the RFC for details */
- p = ((char *)packet->data) + 2;
- RSSVAL(p, 0, pversion);
- p += 2;
- RSSVAL(p, 0, ap_req->length);
- p += 2;
- memcpy(p, ap_req->data, ap_req->length);
- p += ap_req->length;
- memcpy(p, cipherpw.data, cipherpw.length);
- p += cipherpw.length;
- packet->length = PTR_DIFF(p,packet->data);
- RSSVAL(packet->data, 0, packet->length);
-
- free(cipherpw.data); /* from 'krb5_mk_priv(...)' */
-
- return 0;
-}
-
-static const struct kpasswd_errors {
- int result_code;
- const char *error_string;
-} kpasswd_errors[] = {
- {KRB5_KPASSWD_MALFORMED, "Malformed request error"},
- {KRB5_KPASSWD_HARDERROR, "Server error"},
- {KRB5_KPASSWD_AUTHERROR, "Authentication error"},
- {KRB5_KPASSWD_SOFTERROR, "Password change rejected"},
- {KRB5_KPASSWD_ACCESSDENIED, "Client does not have proper authorization"},
- {KRB5_KPASSWD_BAD_VERSION, "Protocol version not supported"},
- {KRB5_KPASSWD_INITIAL_FLAG_NEEDED, "Authorization ticket must have initial flag set"},
- {KRB5_KPASSWD_POLICY_REJECT, "Password rejected due to policy requirements"},
- {KRB5_KPASSWD_BAD_PRINCIPAL, "Target principal does not exist"},
- {KRB5_KPASSWD_ETYPE_NOSUPP, "Unsupported encryption type"},
- {0, NULL}
-};
-
-static krb5_error_code setpw_result_code_string(krb5_context context,
- int result_code,
- const char **code_string)
-{
- uint_t idx = 0;
-
- while (kpasswd_errors[idx].error_string != NULL) {
- if (kpasswd_errors[idx].result_code ==
- result_code) {
- *code_string = kpasswd_errors[idx].error_string;
- return 0;
- }
- idx++;
- }
- *code_string = "Password change failed";
- return (0);
-}
-
-static krb5_error_code parse_setpw_reply(krb5_context context,
- krb5_auth_context auth_context,
- krb5_data *packet)
-{
- krb5_data ap_rep;
- char *p;
- int vnum, ret, res_code;
- krb5_data cipherresult;
- krb5_data clearresult;
- krb5_ap_rep_enc_part *ap_rep_enc;
- krb5_replay_data replay;
-
- if (packet->length < 4) {
- return KRB5KRB_AP_ERR_MODIFIED;
- }
-
- p = packet->data;
-
- if (((char *)packet->data)[0] == 0x7e || ((char *)packet->data)[0] == 0x5e) {
- /* it's an error packet. We should parse it ... */
- DEBUG(1,("Got error packet 0x%x from kpasswd server\n",
- ((char *)packet->data)[0]));
- return KRB5KRB_AP_ERR_MODIFIED;
- }
-
- if (RSVAL(p, 0) != packet->length) {
- DEBUG(1,("Bad packet length (%d/%d) from kpasswd server\n",
- RSVAL(p, 0), packet->length));
- return KRB5KRB_AP_ERR_MODIFIED;
- }
-
- p += 2;
-
- vnum = RSVAL(p, 0); p += 2;
-
- /* FIXME: According to standard there is only one type of reply */
- if (vnum != KRB5_KPASSWD_VERS_SETPW &&
- vnum != KRB5_KPASSWD_VERS_SETPW_MS &&
- vnum != KRB5_KPASSWD_VERS_CHANGEPW) {
- DEBUG(1,("Bad vnum (%d) from kpasswd server\n", vnum));
- return KRB5KDC_ERR_BAD_PVNO;
- }
-
- ap_rep.length = RSVAL(p, 0); p += 2;
-
- if (p + ap_rep.length >= (char *)packet->data + packet->length) {
- DEBUG(1,("ptr beyond end of packet from kpasswd server\n"));
- return KRB5KRB_AP_ERR_MODIFIED;
- }
-
- if (ap_rep.length == 0) {
- DEBUG(1,("got unencrypted setpw result?!\n"));
- return KRB5KRB_AP_ERR_MODIFIED;
- }
-
- /* verify ap_rep */
- ap_rep.data = p;
- p += ap_rep.length;
-
- ret = krb5_rd_rep(context, auth_context, &ap_rep, &ap_rep_enc);
- if (ret) {
- DEBUG(1,("failed to rd setpw reply (%s)\n", error_message(ret)));
- return KRB5KRB_AP_ERR_MODIFIED;
- }
-
- krb5_free_ap_rep_enc_part(context, ap_rep_enc);
-
- cipherresult.data = p;
- cipherresult.length = ((char *)packet->data + packet->length) - p;
-
- ret = krb5_rd_priv(context, auth_context, &cipherresult, &clearresult,
- &replay);
- if (ret) {
- DEBUG(1,("failed to decrypt setpw reply (%s)\n", error_message(ret)));
- return KRB5KRB_AP_ERR_MODIFIED;
- }
-
- if (clearresult.length < 2) {
- free(clearresult.data);
- ret = KRB5KRB_AP_ERR_MODIFIED;
- return KRB5KRB_AP_ERR_MODIFIED;
- }
-
- p = clearresult.data;
-
- res_code = RSVAL(p, 0);
-
- free(clearresult.data);
-
- if ((res_code < KRB5_KPASSWD_SUCCESS) ||
- (res_code > KRB5_KPASSWD_ETYPE_NOSUPP)) {
- return KRB5KRB_AP_ERR_MODIFIED;
- }
-
- if(res_code == KRB5_KPASSWD_SUCCESS)
- return 0;
- else {
- const char *errstr;
- setpw_result_code_string(context, res_code, &errstr);
- DEBUG(1, ("Error changing password: %s\n", errstr));
-
- switch(res_code) {
- case KRB5_KPASSWD_ACCESSDENIED:
- return KRB5KDC_ERR_BADOPTION;
- break;
- case KRB5_KPASSWD_INITIAL_FLAG_NEEDED:
- return KRB5KDC_ERR_BADOPTION;
- /* return KV5M_ALT_METHOD; MIT-only define */
- break;
- case KRB5_KPASSWD_ETYPE_NOSUPP:
- return KRB5KDC_ERR_ETYPE_NOSUPP;
- break;
- case KRB5_KPASSWD_BAD_PRINCIPAL:
- return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
- break;
- case KRB5_KPASSWD_POLICY_REJECT:
- return KRB5KDC_ERR_POLICY;
- break;
- default:
- return KRB5KRB_ERR_GENERIC;
- break;
- }
- }
-}
-
-static ADS_STATUS do_krb5_kpasswd_request(krb5_context context,
- const char *kdc_host,
- uint16_t pversion,
- krb5_creds *credsp,
- const char *princ,
- const char *newpw)
-{
- krb5_auth_context auth_context = NULL;
- krb5_data ap_req, chpw_req, chpw_rep;
- int ret, sock, addr_len;
- struct sockaddr remote_addr, local_addr;
- krb5_address local_kaddr, remote_kaddr;
-
- ret = krb5_mk_req_extended(context, &auth_context, AP_OPTS_USE_SUBKEY,
- NULL, credsp, &ap_req);
- if (ret) {
- DEBUG(1,("krb5_mk_req_extended failed (%s)\n", error_message(ret)));
- return ADS_ERROR_KRB5(ret);
- }
-
- sock = open_udp_socket(kdc_host, DEFAULT_KPASSWD_PORT);
- if (sock == -1) {
- int rc = errno;
- free(ap_req.data);
- krb5_auth_con_free(context, auth_context);
- DEBUG(1,("failed to open kpasswd socket to %s (%s)\n",
- kdc_host, strerror(errno)));
- return ADS_ERROR_SYSTEM(rc);
- }
-
- addr_len = sizeof(remote_addr);
- getpeername(sock, &remote_addr, &addr_len);
- addr_len = sizeof(local_addr);
- getsockname(sock, &local_addr, &addr_len);
-
- setup_kaddr(&remote_kaddr, &remote_addr);
- setup_kaddr(&local_kaddr, &local_addr);
-
- ret = krb5_auth_con_setaddrs(context, auth_context, &local_kaddr, NULL);
- if (ret) {
- close(sock);
- free(ap_req.data);
- krb5_auth_con_free(context, auth_context);
- DEBUG(1,("krb5_auth_con_setaddrs failed (%s)\n", error_message(ret)));
- return ADS_ERROR_KRB5(ret);
- }
-
- ret = build_kpasswd_request(pversion, context, auth_context, &ap_req,
- princ, newpw, &chpw_req);
- if (ret) {
- close(sock);
- free(ap_req.data);
- krb5_auth_con_free(context, auth_context);
- DEBUG(1,("build_setpw_request failed (%s)\n", error_message(ret)));
- return ADS_ERROR_KRB5(ret);
- }
-
- if (write(sock, chpw_req.data, chpw_req.length) != chpw_req.length) {
- close(sock);
- free(chpw_req.data);
- free(ap_req.data);
- krb5_auth_con_free(context, auth_context);
- DEBUG(1,("send of chpw failed (%s)\n", strerror(errno)));
- return ADS_ERROR_SYSTEM(errno);
- }
-
- free(chpw_req.data);
-
- chpw_rep.length = 1500;
- chpw_rep.data = (char *) malloc(chpw_rep.length);
- if (!chpw_rep.data) {
- close(sock);
- free(ap_req.data);
- krb5_auth_con_free(context, auth_context);
- DEBUG(1,("send of chpw failed (%s)\n", strerror(errno)));
- errno = ENOMEM;
- return ADS_ERROR_SYSTEM(errno);
- }
-
- ret = read(sock, chpw_rep.data, chpw_rep.length);
- if (ret < 0) {
- close(sock);
- free(chpw_rep.data);
- free(ap_req.data);
- krb5_auth_con_free(context, auth_context);
- DEBUG(1,("recv of chpw reply failed (%s)\n", strerror(errno)));
- return ADS_ERROR_SYSTEM(errno);
- }
-
- close(sock);
- chpw_rep.length = ret;
-
- ret = krb5_auth_con_setaddrs(context, auth_context, NULL,&remote_kaddr);
- if (ret) {
- free(chpw_rep.data);
- free(ap_req.data);
- krb5_auth_con_free(context, auth_context);
- DEBUG(1,("krb5_auth_con_setaddrs on reply failed (%s)\n",
- error_message(ret)));
- return ADS_ERROR_KRB5(ret);
- }
-
- ret = parse_setpw_reply(context, auth_context, &chpw_rep);
- free(chpw_rep.data);
-
- if (ret) {
- free(ap_req.data);
- krb5_auth_con_free(context, auth_context);
- DEBUG(1,("parse_setpw_reply failed (%s)\n",
- error_message(ret)));
- return ADS_ERROR_KRB5(ret);
- }
-
- free(ap_req.data);
- krb5_auth_con_free(context, auth_context);
-
- return ADS_SUCCESS;
-}
-
-ADS_STATUS ads_krb5_set_password(const char *kdc_host, const char *princ,
- const char *newpw, int time_offset)
-{
-
- ADS_STATUS aret;
- krb5_error_code ret;
- krb5_context context;
- krb5_principal principal;
- char *princ_name;
- char *realm;
- krb5_creds creds, *credsp;
- krb5_ccache ccache;
-
- ret = krb5_init_context(&context);
- if (ret) {
- DEBUG(1,("Failed to init krb5 context (%s)\n", error_message(ret)));
- return ADS_ERROR_KRB5(ret);
- }
-
- if (time_offset != 0) {
- krb5_set_real_time(context, time(NULL) + time_offset, 0);
- }
-
- ret = krb5_cc_default(context, &ccache);
- if (ret) {
- krb5_free_context(context);
- DEBUG(1,("Failed to get default creds (%s)\n", error_message(ret)));
- return ADS_ERROR_KRB5(ret);
- }
-
- ZERO_STRUCT(creds);
-
- realm = strchr(princ, '@');
- realm++;
-
- asprintf(&princ_name, "kadmin/changepw@%s", realm);
- ret = krb5_parse_name(context, princ_name, &creds.server);
- if (ret) {
- krb5_free_context(context);
- DEBUG(1,("Failed to parse kadmin/changepw (%s)\n", error_message(ret)));
- return ADS_ERROR_KRB5(ret);
- }
- free(princ_name);
-
- /* parse the principal we got as a function argument */
- ret = krb5_parse_name(context, princ, &principal);
- if (ret) {
- krb5_free_context(context);
- DEBUG(1,("Failed to parse %s (%s)\n", princ_name, error_message(ret)));
- return ADS_ERROR_KRB5(ret);
- }
-
- krb5_princ_set_realm(context, creds.server,
- krb5_princ_realm(context, principal));
-
- ret = krb5_cc_get_principal(context, ccache, &creds.client);
- if (ret) {
- krb5_free_principal(context, principal);
- krb5_free_context(context);
- DEBUG(1,("Failed to get principal from ccache (%s)\n",
- error_message(ret)));
- return ADS_ERROR_KRB5(ret);
- }
-
- ret = krb5_get_credentials(context, 0, ccache, &creds, &credsp);
- if (ret) {
- krb5_free_principal(context, creds.client);
- krb5_free_principal(context, principal);
- krb5_free_context(context);
- DEBUG(1,("krb5_get_credentials failed (%s)\n", error_message(ret)));
- return ADS_ERROR_KRB5(ret);
- }
-
- /* we might have to call krb5_free_creds(...) from now on ... */
-
- aret = do_krb5_kpasswd_request(context, kdc_host,
- KRB5_KPASSWD_VERS_SETPW_MS,
- credsp, princ, newpw);
-
- krb5_free_creds(context, credsp);
- krb5_free_principal(context, creds.client);
- krb5_free_principal(context, principal);
- krb5_free_context(context);
-
- return aret;
-}
-
-/*
- we use a prompter to avoid a crash bug in the kerberos libs when
- dealing with empty passwords
- this prompter is just a string copy ...
-*/
-static krb5_error_code
-kerb_prompter(krb5_context ctx, void *data,
- const char *name,
- const char *banner,
- int num_prompts,
- krb5_prompt prompts[])
-{
- if (num_prompts == 0) return 0;
-
- memset(prompts[0].reply->data, 0, prompts[0].reply->length);
- if (prompts[0].reply->length > 0) {
- if (data) {
- strncpy(prompts[0].reply->data, data, prompts[0].reply->length-1);
- prompts[0].reply->length = strlen(prompts[0].reply->data);
- } else {
- prompts[0].reply->length = 0;
- }
- }
- return 0;
-}
-
-static ADS_STATUS ads_krb5_chg_password(const char *kdc_host,
- const char *principal,
- const char *oldpw,
- const char *newpw,
- int time_offset)
-{
- ADS_STATUS aret;
- krb5_error_code ret;
- krb5_context context;
- krb5_principal princ;
- krb5_get_init_creds_opt opts;
- krb5_creds creds;
- char *chpw_princ = NULL, *password;
-
- ret = krb5_init_context(&context);
- if (ret) {
- DEBUG(1,("Failed to init krb5 context (%s)\n", error_message(ret)));
- return ADS_ERROR_KRB5(ret);
- }
-
- if ((ret = krb5_parse_name(context, principal,
- &princ))) {
- krb5_free_context(context);
- DEBUG(1,("Failed to parse %s (%s)\n", principal, error_message(ret)));
- return ADS_ERROR_KRB5(ret);
- }
-
- krb5_get_init_creds_opt_init(&opts);
- krb5_get_init_creds_opt_set_tkt_life(&opts, 5*60);
- krb5_get_init_creds_opt_set_renew_life(&opts, 0);
- krb5_get_init_creds_opt_set_forwardable(&opts, 0);
- krb5_get_init_creds_opt_set_proxiable(&opts, 0);
-
- /* We have to obtain an INITIAL changepw ticket for changing password */
- asprintf(&chpw_princ, "kadmin/changepw@%s",
- (char *) krb5_princ_realm(context, princ));
- password = strdup(oldpw);
- ret = krb5_get_init_creds_password(context, &creds, princ, password,
- kerb_prompter, NULL,
- 0, chpw_princ, &opts);
- SAFE_FREE(chpw_princ);
- SAFE_FREE(password);
-
- if (ret) {
- if (ret == KRB5KRB_AP_ERR_BAD_INTEGRITY)
- DEBUG(1,("Password incorrect while getting initial ticket"));
- else
- DEBUG(1,("krb5_get_init_creds_password failed (%s)\n", error_message(ret)));
-
- krb5_free_principal(context, princ);
- krb5_free_context(context);
- return ADS_ERROR_KRB5(ret);
- }
-
- aret = do_krb5_kpasswd_request(context, kdc_host,
- KRB5_KPASSWD_VERS_CHANGEPW,
- &creds, principal, newpw);
-
- krb5_free_principal(context, princ);
- krb5_free_context(context);
-
- return aret;
-}
-
-
-ADS_STATUS kerberos_set_password(const char *kpasswd_server,
- const char *auth_principal, const char *auth_password,
- const char *target_principal, const char *new_password,
- int time_offset)
-{
- int ret;
-
- if ((ret = kerberos_kinit_password(auth_principal, auth_password, time_offset))) {
- DEBUG(1,("Failed kinit for principal %s (%s)\n", auth_principal, error_message(ret)));
- return ADS_ERROR_KRB5(ret);
- }
-
- if (!strcmp(auth_principal, target_principal))
- return ads_krb5_chg_password(kpasswd_server, target_principal,
- auth_password, new_password, time_offset);
- else
- return ads_krb5_set_password(kpasswd_server, target_principal,
- new_password, time_offset);
-}
-
-
-/**
- * Set the machine account password
- * @param ads connection to ads server
- * @param hostname machine whose password is being set
- * @param password new password
- * @return status of password change
- **/
-ADS_STATUS ads_set_machine_password(ADS_STRUCT *ads,
- const char *machine_account,
- const char *password)
-{
- ADS_STATUS status;
- char *principal = NULL;
-
- /*
- we need to use the '$' form of the name here (the machine account name),
- as otherwise the server might end up setting the password for a user
- instead
- */
- asprintf(&principal, "%s@%s", machine_account, ads->config.realm);
-
- status = ads_krb5_set_password(ads->auth.kdc_server, principal,
- password, ads->auth.time_offset);
-
- free(principal);
-
- return status;
-}
-
-
-
-#endif
+++ /dev/null
-/*
- Unix SMB/CIFS implementation.
- ads (active directory) utility library
- Copyright (C) Andrew Tridgell 2001
- Copyright (C) Remus Koos 2001
- Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-*/
-
-#include "includes.h"
-#include "version.h"
-
-#ifdef HAVE_LDAP
-
-/**
- * @file ldap.c
- * @brief basic ldap client-side routines for ads server communications
- *
- * The routines contained here should do the necessary ldap calls for
- * ads setups.
- *
- * Important note: attribute names passed into ads_ routines must
- * already be in UTF-8 format. We do not convert them because in almost
- * all cases, they are just ascii (which is represented with the same
- * codepoints in UTF-8). This may have to change at some point
- **/
-
-
-/*
- try a connection to a given ldap server, returning True and setting the servers IP
- in the ads struct if successful
-
- TODO : add a negative connection cache in here leveraged off of the one
- found in the rpc code. --jerry
- */
-static BOOL ads_try_connect(ADS_STRUCT *ads, const char *server, uint_t port)
-{
- char *srv;
-
- if (!server || !*server) {
- return False;
- }
-
- DEBUG(5,("ads_try_connect: trying ldap server '%s' port %u\n", server, port));
-
- /* this copes with inet_ntoa brokenness */
- srv = strdup(server);
-
- ads->ld = ldap_open(srv, port);
- if (!ads->ld) {
- free(srv);
- return False;
- }
- ads->ldap_port = port;
- ads->ldap_ip = interpret_addr2(srv);
- free(srv);
-
- return True;
-}
-
-/*
- try a connection to a given ldap server, based on URL, returning True if successful
- */
-static BOOL ads_try_connect_uri(ADS_STRUCT *ads)
-{
-#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
- DEBUG(5,("ads_try_connect: trying ldap server at URI '%s'\n",
- ads->server.ldap_uri));
-
-
- if (ldap_initialize((LDAP**)&(ads->ld), ads->server.ldap_uri) == LDAP_SUCCESS) {
- return True;
- }
- DEBUG(0, ("ldap_initialize: %s\n", strerror(errno)));
-
-#else
-
- DEBUG(1, ("no URL support in LDAP libs!\n"));
-#endif
-
- return False;
-}
-
-/**********************************************************************
- Try to find an AD dc using our internal name resolution routines
- Try the realm first and then then workgroup name if netbios is not
- disabled
-**********************************************************************/
-
-static BOOL ads_find_dc(ADS_STRUCT *ads)
-{
- const char *c_realm;
- int count, i=0;
- struct ip_service *ip_list;
- pstring realm;
- BOOL got_realm = False;
- BOOL use_own_domain = False;
-
- /* if the realm and workgroup are both empty, assume they are ours */
-
- /* realm */
- c_realm = ads->server.realm;
-
- if ( !c_realm || !*c_realm ) {
- /* special case where no realm and no workgroup means our own */
- if ( !ads->server.workgroup || !*ads->server.workgroup ) {
- use_own_domain = True;
- c_realm = lp_realm();
- }
- }
-
- if (c_realm && *c_realm)
- got_realm = True;
-
-again:
- /* we need to try once with the realm name and fallback to the
- netbios domain name if we fail (if netbios has not been disabled */
-
- if ( !got_realm && !lp_disable_netbios() ) {
- c_realm = ads->server.workgroup;
- if (!c_realm || !*c_realm) {
- if ( use_own_domain )
- c_realm = lp_workgroup();
- }
-
- if ( !c_realm || !*c_realm ) {
- DEBUG(0,("ads_find_dc: no realm or workgroup! Don't know what to do\n"));
- return False;
- }
- }
-
- pstrcpy( realm, c_realm );
-
- DEBUG(6,("ads_find_dc: looking for %s '%s'\n",
- (got_realm ? "realm" : "domain"), realm));
-
- if ( !get_sorted_dc_list(realm, &ip_list, &count, got_realm) ) {
- /* fall back to netbios if we can */
- if ( got_realm && !lp_disable_netbios() ) {
- got_realm = False;
- goto again;
- }
-
- return False;
- }
-
- /* if we fail this loop, then giveup since all the IP addresses returned were dead */
- for ( i=0; i<count; i++ ) {
- /* since this is an ads conection request, default to LDAP_PORT is not set */
- int port = (ip_list[i].port!=PORT_NONE) ? ip_list[i].port : LDAP_PORT;
- fstring server;
-
- fstrcpy( server, inet_ntoa(ip_list[i].ip) );
-
- if ( !NT_STATUS_IS_OK(check_negative_conn_cache(realm, server)) )
- continue;
-
- if ( ads_try_connect(ads, server, port) ) {
- SAFE_FREE(ip_list);
- return True;
- }
-
- /* keep track of failures */
- add_failed_connection_entry( realm, server, NT_STATUS_UNSUCCESSFUL );
- }
-
- SAFE_FREE(ip_list);
-
- return False;
-}
-
-
-/**
- * Connect to the LDAP server
- * @param ads Pointer to an existing ADS_STRUCT
- * @return status of connection
- **/
-ADS_STATUS ads_connect(ADS_STRUCT *ads)
-{
- int version = LDAP_VERSION3;
- ADS_STATUS status;
-
- ads->last_attempt = time(NULL);
- ads->ld = NULL;
-
- /* try with a URL based server */
-
- if (ads->server.ldap_uri &&
- ads_try_connect_uri(ads)) {
- goto got_connection;
- }
-
- /* try with a user specified server */
- if (ads->server.ldap_server &&
- ads_try_connect(ads, ads->server.ldap_server, LDAP_PORT)) {
- goto got_connection;
- }
-
- if (ads_find_dc(ads)) {
- goto got_connection;
- }
-
- return ADS_ERROR_SYSTEM(errno?errno:ENOENT);
-
-got_connection:
- DEBUG(3,("Connected to LDAP server %s\n", inet_ntoa(ads->ldap_ip)));
-
- status = ads_server_info(ads);
- if (!ADS_ERR_OK(status)) {
- DEBUG(1,("Failed to get ldap server info\n"));
- return status;
- }
-
- ldap_set_option(ads->ld, LDAP_OPT_PROTOCOL_VERSION, &version);
-
- if (!ads->auth.user_name) {
- /* by default use the machine account */
- fstring myname;
- fstrcpy(myname, lp_netbios_name());
- strlower_m(myname);
- asprintf(&ads->auth.user_name, "HOST/%s", myname);
- }
-
- if (!ads->auth.realm) {
- ads->auth.realm = strdup(ads->config.realm);
- }
-
- if (!ads->auth.kdc_server) {
- ads->auth.kdc_server = strdup(inet_ntoa(ads->ldap_ip));
- }
-
-#if KRB5_DNS_HACK
- /* this is a really nasty hack to avoid ADS DNS problems. It needs a patch
- to MIT kerberos to work (tridge) */
- {
- char *env;
- asprintf(&env, "KRB5_KDC_ADDRESS_%s", ads->config.realm);
- setenv(env, ads->auth.kdc_server, 1);
- free(env);
- }
-#endif
-
- if (ads->auth.flags & ADS_AUTH_NO_BIND) {
- return ADS_SUCCESS;
- }
-
- if (ads->auth.flags & ADS_AUTH_ANON_BIND) {
- return ADS_ERROR(ldap_simple_bind_s( ads->ld, NULL, NULL));
- }
-
- if (ads->auth.flags & ADS_AUTH_SIMPLE_BIND) {
- return ADS_ERROR(ldap_simple_bind_s( ads->ld, ads->auth.user_name, ads->auth.password));
- }
-
- return ads_sasl_bind(ads);
-}
-
-/*
- Duplicate a struct berval into talloc'ed memory
- */
-static struct berval *dup_berval(TALLOC_CTX *ctx, const struct berval *in_val)
-{
- struct berval *value;
-
- if (!in_val) return NULL;
-
- value = talloc_zero(ctx, struct berval);
- if (value == NULL)
- return NULL;
- if (in_val->bv_len == 0) return value;
-
- value->bv_len = in_val->bv_len;
- value->bv_val = talloc_memdup(ctx, in_val->bv_val, in_val->bv_len);
- return value;
-}
-
-/*
- Make a values list out of an array of (struct berval *)
- */
-static struct berval **ads_dup_values(TALLOC_CTX *ctx,
- const struct berval **in_vals)
-{
- struct berval **values;
- int i;
-
- if (!in_vals) return NULL;
- for (i=0; in_vals[i]; i++); /* count values */
- values = (struct berval **) talloc_zero(ctx,
- (i+1)*sizeof(struct berval *));
- if (!values) return NULL;
-
- for (i=0; in_vals[i]; i++) {
- values[i] = dup_berval(ctx, in_vals[i]);
- }
- return values;
-}
-
-/*
- UTF8-encode a values list out of an array of (char *)
- */
-static char **ads_push_strvals(TALLOC_CTX *ctx, const char **in_vals)
-{
- char **values;
- int i;
-
- if (!in_vals) return NULL;
- for (i=0; in_vals[i]; i++); /* count values */
- values = talloc_zero_array_p(ctx, char *, i+1);
- if (!values) return NULL;
-
- for (i=0; in_vals[i]; i++) {
- push_utf8_talloc(ctx, &values[i], in_vals[i]);
- }
- return values;
-}
-
-/*
- Pull a (char *) array out of a UTF8-encoded values list
- */
-static char **ads_pull_strvals(TALLOC_CTX *ctx, const char **in_vals)
-{
- char **values;
- int i;
-
- if (!in_vals) return NULL;
- for (i=0; in_vals[i]; i++); /* count values */
- values = talloc_zero_array_p(ctx, char *, i+1);
- if (!values) return NULL;
-
- for (i=0; in_vals[i]; i++) {
- pull_utf8_talloc(ctx, &values[i], in_vals[i]);
- }
- return values;
-}
-
-/**
- * Do a search with paged results. cookie must be null on the first
- * call, and then returned on each subsequent call. It will be null
- * again when the entire search is complete
- * @param ads connection to ads server
- * @param bind_path Base dn for the search
- * @param scope Scope of search (LDAP_SCOPE_BASE | LDAP_SCOPE_ONE | LDAP_SCOPE_SUBTREE)
- * @param expr Search expression - specified in local charset
- * @param attrs Attributes to retrieve - specified in utf8 or ascii
- * @param res ** which will contain results - free res* with ads_msgfree()
- * @param count Number of entries retrieved on this page
- * @param cookie The paged results cookie to be returned on subsequent calls
- * @return status of search
- **/
-ADS_STATUS ads_do_paged_search(ADS_STRUCT *ads, const char *bind_path,
- int scope, const char *expr,
- const char **attrs, void **res,
- int *count, void **cookie)
-{
- int rc, i, version;
- char *utf8_expr, *utf8_path, **search_attrs;
- LDAPControl PagedResults, NoReferrals, *controls[3], **rcontrols;
- BerElement *cookie_be = NULL;
- struct berval *cookie_bv= NULL;
- TALLOC_CTX *ctx;
-
- *res = NULL;
-
- if (!(ctx = talloc_init("ads_do_paged_search")))
- return ADS_ERROR(LDAP_NO_MEMORY);
-
- /* 0 means the conversion worked but the result was empty
- so we only fail if it's -1. In any case, it always
- at least nulls out the dest */
- if ((push_utf8_talloc(ctx, &utf8_expr, expr) == (size_t)-1) ||
- (push_utf8_talloc(ctx, &utf8_path, bind_path) == (size_t)-1)) {
- rc = LDAP_NO_MEMORY;
- goto done;
- }
-
- if (!attrs || !(*attrs))
- search_attrs = NULL;
- else {
- /* This would be the utf8-encoded version...*/
- /* if (!(search_attrs = ads_push_strvals(ctx, attrs))) */
- search_attrs = str_list_copy(ctx, attrs);
- if (search_attrs == NULL) {
- rc = LDAP_NO_MEMORY;
- goto done;
- }
- }
-
-
- /* Paged results only available on ldap v3 or later */
- ldap_get_option(ads->ld, LDAP_OPT_PROTOCOL_VERSION, &version);
- if (version < LDAP_VERSION3) {
- rc = LDAP_NOT_SUPPORTED;
- goto done;
- }
-
- cookie_be = ber_alloc_t(LBER_USE_DER);
- if (cookie && *cookie) {
- ber_printf(cookie_be, "{iO}", (ber_int_t) 1000, *cookie);
- ber_bvfree(*cookie); /* don't need it from last time */
- *cookie = NULL;
- } else {
- ber_printf(cookie_be, "{io}", (ber_int_t) 1000, "", 0);
- }
- ber_flatten(cookie_be, &cookie_bv);
- PagedResults.ldctl_oid = ADS_PAGE_CTL_OID;
- PagedResults.ldctl_iscritical = (char) 1;
- PagedResults.ldctl_value.bv_len = cookie_bv->bv_len;
- PagedResults.ldctl_value.bv_val = cookie_bv->bv_val;
-
- NoReferrals.ldctl_oid = ADS_NO_REFERRALS_OID;
- NoReferrals.ldctl_iscritical = (char) 0;
- NoReferrals.ldctl_value.bv_len = 0;
- NoReferrals.ldctl_value.bv_val = "";
-
-
- controls[0] = &NoReferrals;
- controls[1] = &PagedResults;
- controls[2] = NULL;
-
- *res = NULL;
-
- /* we need to disable referrals as the openldap libs don't
- handle them and paged results at the same time. Using them
- together results in the result record containing the server
- page control being removed from the result list (tridge/jmcd)
-
- leaving this in despite the control that says don't generate
- referrals, in case the server doesn't support it (jmcd)
- */
- ldap_set_option(ads->ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF);
-
- rc = ldap_search_ext_s(ads->ld, utf8_path, scope, utf8_expr,
- search_attrs, 0, controls,
- NULL, NULL, LDAP_NO_LIMIT, (LDAPMessage **)res);
-
- ber_free(cookie_be, 1);
- ber_bvfree(cookie_bv);
-
- if (rc) {
- DEBUG(3,("ldap_search_ext_s(%s) -> %s\n", expr, ldap_err2string(rc)));
- goto done;
- }
-
- rc = ldap_parse_result(ads->ld, *res, NULL, NULL, NULL,
- NULL, &rcontrols, 0);
-
- if (!rcontrols) {
- goto done;
- }
-
- for (i=0; rcontrols[i]; i++) {
- if (strcmp(ADS_PAGE_CTL_OID, rcontrols[i]->ldctl_oid) == 0) {
- cookie_be = ber_init(&rcontrols[i]->ldctl_value);
- ber_scanf(cookie_be,"{iO}", (ber_int_t *) count,
- &cookie_bv);
- /* the berval is the cookie, but must be freed when
- it is all done */
- if (cookie_bv->bv_len) /* still more to do */
- *cookie=ber_bvdup(cookie_bv);
- else
- *cookie=NULL;
- ber_bvfree(cookie_bv);
- ber_free(cookie_be, 1);
- break;
- }
- }
- ldap_controls_free(rcontrols);
-
-done:
- talloc_free(ctx);
- /* if/when we decide to utf8-encode attrs, take out this next line */
- str_list_free(&search_attrs);
-
- return ADS_ERROR(rc);
-}
-
-
-/**
- * Get all results for a search. This uses ads_do_paged_search() to return
- * all entries in a large search.
- * @param ads connection to ads server
- * @param bind_path Base dn for the search
- * @param scope Scope of search (LDAP_SCOPE_BASE | LDAP_SCOPE_ONE | LDAP_SCOPE_SUBTREE)
- * @param expr Search expression
- * @param attrs Attributes to retrieve
- * @param res ** which will contain results - free res* with ads_msgfree()
- * @return status of search
- **/
-ADS_STATUS ads_do_search_all(ADS_STRUCT *ads, const char *bind_path,
- int scope, const char *expr,
- const char **attrs, void **res)
-{
- void *cookie = NULL;
- int count = 0;
- ADS_STATUS status;
-
- status = ads_do_paged_search(ads, bind_path, scope, expr, attrs, res,
- &count, &cookie);
-
- if (!ADS_ERR_OK(status)) return status;
-
- while (cookie) {
- void *res2 = NULL;
- ADS_STATUS status2;
- LDAPMessage *msg, *next;
-
- status2 = ads_do_paged_search(ads, bind_path, scope, expr,
- attrs, &res2, &count, &cookie);
-
- if (!ADS_ERR_OK(status2)) break;
-
- /* this relies on the way that ldap_add_result_entry() works internally. I hope
- that this works on all ldap libs, but I have only tested with openldap */
- for (msg = ads_first_entry(ads, res2); msg; msg = next) {
- next = ads_next_entry(ads, msg);
- ldap_add_result_entry((LDAPMessage **)res, msg);
- }
- /* note that we do not free res2, as the memory is now
- part of the main returned list */
- }
-
- return status;
-}
-
-/**
- * Run a function on all results for a search. Uses ads_do_paged_search() and
- * runs the function as each page is returned, using ads_process_results()
- * @param ads connection to ads server
- * @param bind_path Base dn for the search
- * @param scope Scope of search (LDAP_SCOPE_BASE | LDAP_SCOPE_ONE | LDAP_SCOPE_SUBTREE)
- * @param expr Search expression - specified in local charset
- * @param attrs Attributes to retrieve - specified in UTF-8 or ascii
- * @param fn Function which takes attr name, values list, and data_area
- * @param data_area Pointer which is passed to function on each call
- * @return status of search
- **/
-ADS_STATUS ads_do_search_all_fn(ADS_STRUCT *ads, const char *bind_path,
- int scope, const char *expr, const char **attrs,
- BOOL(*fn)(char *, void **, void *),
- void *data_area)
-{
- void *cookie = NULL;
- int count = 0;
- ADS_STATUS status;
- void *res;
-
- status = ads_do_paged_search(ads, bind_path, scope, expr, attrs, &res,
- &count, &cookie);
-
- if (!ADS_ERR_OK(status)) return status;
-
- ads_process_results(ads, res, fn, data_area);
- ads_msgfree(ads, res);
-
- while (cookie) {
- status = ads_do_paged_search(ads, bind_path, scope, expr, attrs,
- &res, &count, &cookie);
-
- if (!ADS_ERR_OK(status)) break;
-
- ads_process_results(ads, res, fn, data_area);
- ads_msgfree(ads, res);
- }
-
- return status;
-}
-
-/**
- * Do a search with a timeout.
- * @param ads connection to ads server
- * @param bind_path Base dn for the search
- * @param scope Scope of search (LDAP_SCOPE_BASE | LDAP_SCOPE_ONE | LDAP_SCOPE_SUBTREE)
- * @param expr Search expression
- * @param attrs Attributes to retrieve
- * @param res ** which will contain results - free res* with ads_msgfree()
- * @return status of search
- **/
-ADS_STATUS ads_do_search(ADS_STRUCT *ads, const char *bind_path, int scope,
- const char *expr,
- const char **attrs, void **res)
-{
- struct timeval timeout;
- int rc;
- char *utf8_expr, *utf8_path, **search_attrs = NULL;
- TALLOC_CTX *ctx;
-
- if (!(ctx = talloc_init("ads_do_search"))) {
- DEBUG(1,("ads_do_search: talloc_init() failed!"));
- return ADS_ERROR(LDAP_NO_MEMORY);
- }
-
- /* 0 means the conversion worked but the result was empty
- so we only fail if it's negative. In any case, it always
- at least nulls out the dest */
- if ((push_utf8_talloc(ctx, &utf8_expr, expr) == (size_t)-1) ||
- (push_utf8_talloc(ctx, &utf8_path, bind_path) == (size_t)-1)) {
- DEBUG(1,("ads_do_search: push_utf8_talloc() failed!"));
- rc = LDAP_NO_MEMORY;
- goto done;
- }
-
- if (!attrs || !(*attrs))
- search_attrs = NULL;
- else {
- /* This would be the utf8-encoded version...*/
- /* if (!(search_attrs = ads_push_strvals(ctx, attrs))) */
- search_attrs = str_list_copy(ctx, attrs);
- if (search_attrs == NULL) {
- DEBUG(1,("ads_do_search: str_list_copy() failed!"));
- rc = LDAP_NO_MEMORY;
- goto done;
- }
- }
-
- timeout.tv_sec = ADS_SEARCH_TIMEOUT;
- timeout.tv_usec = 0;
- *res = NULL;
-
- /* see the note in ads_do_paged_search - we *must* disable referrals */
- ldap_set_option(ads->ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF);
-
- rc = ldap_search_ext_s(ads->ld, utf8_path, scope, utf8_expr,
- search_attrs, 0, NULL, NULL,
- &timeout, LDAP_NO_LIMIT, (LDAPMessage **)res);
-
- if (rc == LDAP_SIZELIMIT_EXCEEDED) {
- DEBUG(3,("Warning! sizelimit exceeded in ldap. Truncating.\n"));
- rc = 0;
- }
-
- done:
- talloc_free(ctx);
- /* if/when we decide to utf8-encode attrs, take out this next line */
- str_list_free(&search_attrs);
- return ADS_ERROR(rc);
-}
-/**
- * Do a general ADS search
- * @param ads connection to ads server
- * @param res ** which will contain results - free res* with ads_msgfree()
- * @param expr Search expression
- * @param attrs Attributes to retrieve
- * @return status of search
- **/
-ADS_STATUS ads_search(ADS_STRUCT *ads, void **res,
- const char *expr,
- const char **attrs)
-{
- return ads_do_search(ads, ads->config.bind_path, LDAP_SCOPE_SUBTREE,
- expr, attrs, res);
-}
-
-/**
- * Do a search on a specific DistinguishedName
- * @param ads connection to ads server
- * @param res ** which will contain results - free res* with ads_msgfree()
- * @param dn DistinguishName to search
- * @param attrs Attributes to retrieve
- * @return status of search
- **/
-ADS_STATUS ads_search_dn(ADS_STRUCT *ads, void **res,
- const char *dn,
- const char **attrs)
-{
- return ads_do_search(ads, dn, LDAP_SCOPE_BASE, "(objectclass=*)", attrs, res);
-}
-
-/**
- * Free up memory from a ads_search
- * @param ads connection to ads server
- * @param msg Search results to free
- **/
-void ads_msgfree(ADS_STRUCT *ads, void *msg)
-{
- if (!msg) return;
- ldap_msgfree(msg);
-}
-
-/**
- * Free up memory from various ads requests
- * @param ads connection to ads server
- * @param mem Area to free
- **/
-void ads_memfree(ADS_STRUCT *ads, void *mem)
-{
- SAFE_FREE(mem);
-}
-
-/**
- * Get a dn from search results
- * @param ads connection to ads server
- * @param msg Search result
- * @return dn string
- **/
-char *ads_get_dn(ADS_STRUCT *ads, void *msg)
-{
- char *utf8_dn, *unix_dn;
-
- utf8_dn = ldap_get_dn(ads->ld, msg);
-
- if (!utf8_dn) {
- DEBUG (5, ("ads_get_dn: ldap_get_dn failed\n"));
- return NULL;
- }
-
- if (pull_utf8_allocate(&unix_dn, utf8_dn) == (size_t)-1) {
- DEBUG(0,("ads_get_dn: string conversion failure utf8 [%s]\n",
- utf8_dn ));
- return NULL;
- }
- ldap_memfree(utf8_dn);
- return unix_dn;
-}
-
-/**
- * Find a machine account given a hostname
- * @param ads connection to ads server
- * @param res ** which will contain results - free res* with ads_msgfree()
- * @param host Hostname to search for
- * @return status of search
- **/
-ADS_STATUS ads_find_machine_acct(ADS_STRUCT *ads, void **res, const char *host)
-{
- ADS_STATUS status;
- char *expr;
- const char *attrs[] = {"*", "nTSecurityDescriptor", NULL};
-
- /* the easiest way to find a machine account anywhere in the tree
- is to look for hostname$ */
- if (asprintf(&expr, "(samAccountName=%s$)", host) == -1) {
- DEBUG(1, ("asprintf failed!\n"));
- return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
- }
-
- status = ads_search(ads, res, expr, attrs);
- free(expr);
- return status;
-}
-
-/**
- * Initialize a list of mods to be used in a modify request
- * @param ctx An initialized TALLOC_CTX
- * @return allocated ADS_MODLIST
- **/
-ADS_MODLIST ads_init_mods(TALLOC_CTX *ctx)
-{
-#define ADS_MODLIST_ALLOC_SIZE 10
- LDAPMod **mods;
-
- if ((mods = talloc_zero_array_p(ctx, LDAPMod *, ADS_MODLIST_ALLOC_SIZE + 1))) {
- /* -1 is safety to make sure we don't go over the end.
- need to reset it to NULL before doing ldap modify */
- mods[ADS_MODLIST_ALLOC_SIZE] = (LDAPMod *) -1;
- }
-
- return mods;
-}
-
-
-/*
- add an attribute to the list, with values list already constructed
-*/
-static ADS_STATUS ads_modlist_add(TALLOC_CTX *ctx, ADS_MODLIST *mods,
- int mod_op, const char *name,
- const void **invals)
-{
- int curmod;
- LDAPMod **modlist = (LDAPMod **) *mods;
- struct berval **ber_values = NULL;
- char **char_values = NULL;
-
- if (!invals) {
- mod_op = LDAP_MOD_DELETE;
- } else {
- if (mod_op & LDAP_MOD_BVALUES)
- ber_values = ads_dup_values(ctx,
- (const struct berval **)invals);
- else
- char_values = ads_push_strvals(ctx,
- (const char **) invals);
- }
-
- /* find the first empty slot */
- for (curmod=0; modlist[curmod] && modlist[curmod] != (LDAPMod *) -1;
- curmod++);
- if (modlist[curmod] == (LDAPMod *) -1) {
- if (!(modlist = talloc_realloc(modlist,
- (curmod+ADS_MODLIST_ALLOC_SIZE+1)*sizeof(LDAPMod *))))
- return ADS_ERROR(LDAP_NO_MEMORY);
- memset(&modlist[curmod], 0,
- ADS_MODLIST_ALLOC_SIZE*sizeof(LDAPMod *));
- modlist[curmod+ADS_MODLIST_ALLOC_SIZE] = (LDAPMod *) -1;
- *mods = modlist;
- }
-
- if (!(modlist[curmod] = talloc_zero(ctx, LDAPMod)))
- return ADS_ERROR(LDAP_NO_MEMORY);
- modlist[curmod]->mod_type = talloc_strdup(ctx, name);
- if (mod_op & LDAP_MOD_BVALUES) {
- modlist[curmod]->mod_bvalues = ber_values;
- } else if (mod_op & LDAP_MOD_DELETE) {
- modlist[curmod]->mod_values = NULL;
- } else {
- modlist[curmod]->mod_values = char_values;
- }
-
- modlist[curmod]->mod_op = mod_op;
- return ADS_ERROR(LDAP_SUCCESS);
-}
-
-/**
- * Add a single string value to a mod list
- * @param ctx An initialized TALLOC_CTX
- * @param mods An initialized ADS_MODLIST
- * @param name The attribute name to add
- * @param val The value to add - NULL means DELETE
- * @return ADS STATUS indicating success of add
- **/
-ADS_STATUS ads_mod_str(TALLOC_CTX *ctx, ADS_MODLIST *mods,
- const char *name, const char *val)
-{
- const char *values[2];
-
- values[0] = val;
- values[1] = NULL;
-
- if (!val)
- return ads_modlist_add(ctx, mods, LDAP_MOD_DELETE, name, NULL);
- return ads_modlist_add(ctx, mods, LDAP_MOD_REPLACE, name,
- (const void **) values);
-}
-
-/**
- * Add an array of string values to a mod list
- * @param ctx An initialized TALLOC_CTX
- * @param mods An initialized ADS_MODLIST
- * @param name The attribute name to add
- * @param vals The array of string values to add - NULL means DELETE
- * @return ADS STATUS indicating success of add
- **/
-ADS_STATUS ads_mod_strlist(TALLOC_CTX *ctx, ADS_MODLIST *mods,
- const char *name, const char **vals)
-{
- if (!vals)
- return ads_modlist_add(ctx, mods, LDAP_MOD_DELETE, name, NULL);
- return ads_modlist_add(ctx, mods, LDAP_MOD_REPLACE,
- name, (const void **) vals);
-}
-
-/**
- * Add a single ber-encoded value to a mod list
- * @param ctx An initialized TALLOC_CTX
- * @param mods An initialized ADS_MODLIST
- * @param name The attribute name to add
- * @param val The value to add - NULL means DELETE
- * @return ADS STATUS indicating success of add
- **/
-static ADS_STATUS ads_mod_ber(TALLOC_CTX *ctx, ADS_MODLIST *mods,
- const char *name, const struct berval *val)
-{
- const struct berval *values[2];
-
- values[0] = val;
- values[1] = NULL;
- if (!val)
- return ads_modlist_add(ctx, mods, LDAP_MOD_DELETE, name, NULL);
- return ads_modlist_add(ctx, mods, LDAP_MOD_REPLACE|LDAP_MOD_BVALUES,
- name, (const void **) values);
-}
-
-/**
- * Perform an ldap modify
- * @param ads connection to ads server
- * @param mod_dn DistinguishedName to modify
- * @param mods list of modifications to perform
- * @return status of modify
- **/
-ADS_STATUS ads_gen_mod(ADS_STRUCT *ads, const char *mod_dn, ADS_MODLIST mods)
-{
- int ret,i;
- char *utf8_dn = NULL;
- /*
- this control is needed to modify that contains a currently
- non-existent attribute (but allowable for the object) to run
- */
- LDAPControl PermitModify = {
- ADS_PERMIT_MODIFY_OID,
- {0, NULL},
- (char) 1};
- LDAPControl *controls[2];
-
- controls[0] = &PermitModify;
- controls[1] = NULL;
-
- if (push_utf8_allocate(&utf8_dn, mod_dn) == -1) {
- return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
- }
-
- /* find the end of the list, marked by NULL or -1 */
- for(i=0;(mods[i]!=0)&&(mods[i]!=(LDAPMod *) -1);i++);
- /* make sure the end of the list is NULL */
- mods[i] = NULL;
- ret = ldap_modify_ext_s(ads->ld, utf8_dn,
- (LDAPMod **) mods, controls, NULL);
- SAFE_FREE(utf8_dn);
- return ADS_ERROR(ret);
-}
-
-/**
- * Perform an ldap add
- * @param ads connection to ads server
- * @param new_dn DistinguishedName to add
- * @param mods list of attributes and values for DN
- * @return status of add
- **/
-ADS_STATUS ads_gen_add(ADS_STRUCT *ads, const char *new_dn, ADS_MODLIST mods)
-{
- int ret, i;
- char *utf8_dn = NULL;
-
- if (push_utf8_allocate(&utf8_dn, new_dn) == -1) {
- DEBUG(1, ("ads_gen_add: push_utf8_allocate failed!"));
- return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
- }
-
- /* find the end of the list, marked by NULL or -1 */
- for(i=0;(mods[i]!=0)&&(mods[i]!=(LDAPMod *) -1);i++);
- /* make sure the end of the list is NULL */
- mods[i] = NULL;
-
- ret = ldap_add_s(ads->ld, utf8_dn, mods);
- SAFE_FREE(utf8_dn);
- return ADS_ERROR(ret);
-}
-
-/**
- * Delete a DistinguishedName
- * @param ads connection to ads server
- * @param new_dn DistinguishedName to delete
- * @return status of delete
- **/
-ADS_STATUS ads_del_dn(ADS_STRUCT *ads, char *del_dn)
-{
- int ret;
- char *utf8_dn = NULL;
- if (push_utf8_allocate(&utf8_dn, del_dn) == -1) {
- DEBUG(1, ("ads_del_dn: push_utf8_allocate failed!"));
- return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
- }
-
- ret = ldap_delete_s(ads->ld, utf8_dn);
- return ADS_ERROR(ret);
-}
-
-/**
- * Build an org unit string
- * if org unit is Computers or blank then assume a container, otherwise
- * assume a \ separated list of organisational units
- * @param org_unit Organizational unit
- * @return org unit string - caller must free
- **/
-char *ads_ou_string(const char *org_unit)
-{
- if (!org_unit || !*org_unit || strequal(org_unit, "Computers")) {
- return strdup("cn=Computers");
- }
-
- return ads_build_path(org_unit, "\\/", "ou=", 1);
-}
-
-
-
-/*
- add a machine account to the ADS server
-*/
-static ADS_STATUS ads_add_machine_acct(ADS_STRUCT *ads, const char *hostname,
- uint32_t account_type,
- const char *org_unit)
-{
- ADS_STATUS ret, status;
- char *host_spn, *host_upn, *new_dn, *samAccountName, *controlstr;
- char *ou_str;
- TALLOC_CTX *ctx;
- ADS_MODLIST mods;
- const char *objectClass[] = {"top", "person", "organizationalPerson",
- "user", "computer", NULL};
- const char *servicePrincipalName[5] = {NULL, NULL, NULL, NULL, NULL};
- char *psp, *psp2;
- uint_t acct_control;
- uint_t exists=0;
- LDAPMessage *res;
-
- status = ads_find_machine_acct(ads, (void **)&res, hostname);
- if (ADS_ERR_OK(status) && ads_count_replies(ads, res) == 1) {
- DEBUG(0, ("Host account for %s already exists - modifying old account\n", hostname));
- exists=1;
- }
-
- if (!(ctx = talloc_init("machine_account")))
- return ADS_ERROR(LDAP_NO_MEMORY);
-
- ret = ADS_ERROR(LDAP_NO_MEMORY);
-
- if (!(host_spn = talloc_asprintf(ctx, "HOST/%s", hostname)))
- goto done;
- if (!(host_upn = talloc_asprintf(ctx, "%s@%s", host_spn, ads->config.realm)))
- goto done;
- ou_str = ads_ou_string(org_unit);
- if (!ou_str) {
- DEBUG(1, ("ads_ou_string returned NULL (malloc failure?)\n"));
- goto done;
- }
- new_dn = talloc_asprintf(ctx, "cn=%s,%s,%s", hostname, ou_str,
- ads->config.bind_path);
- servicePrincipalName[0] = talloc_asprintf(ctx, "HOST/%s", hostname);
- psp = talloc_asprintf(ctx, "HOST/%s.%s",
- hostname,
- ads->config.realm);
- strlower_m(&psp[5]);
- servicePrincipalName[1] = psp;
- servicePrincipalName[2] = talloc_asprintf(ctx, "CIFS/%s", hostname);
- psp2 = talloc_asprintf(ctx, "CIFS/%s.%s",
- hostname,
- ads->config.realm);
- strlower_m(&psp2[5]);
- servicePrincipalName[3] = psp2;
-
- free(ou_str);
- if (!new_dn)
- goto done;
-
- if (!(samAccountName = talloc_asprintf(ctx, "%s$", hostname)))
- goto done;
-
- acct_control = account_type | UF_DONT_EXPIRE_PASSWD;
-#ifndef ENCTYPE_ARCFOUR_HMAC
- acct_control |= UF_USE_DES_KEY_ONLY;
-#endif
-
- if (!(controlstr = talloc_asprintf(ctx, "%u", acct_control)))
- goto done;
-
- if (!(mods = ads_init_mods(ctx)))
- goto done;
-
- if (!exists) {
- ads_mod_str(ctx, &mods, "cn", hostname);
- ads_mod_str(ctx, &mods, "sAMAccountName", samAccountName);
- ads_mod_str(ctx, &mods, "userAccountControl", controlstr);
- ads_mod_strlist(ctx, &mods, "objectClass", objectClass);
- }
- ads_mod_str(ctx, &mods, "dNSHostName", hostname);
- ads_mod_str(ctx, &mods, "userPrincipalName", host_upn);
- ads_mod_strlist(ctx, &mods, "servicePrincipalName", servicePrincipalName);
- ads_mod_str(ctx, &mods, "operatingSystem", "Samba");
- ads_mod_str(ctx, &mods, "operatingSystemVersion", SAMBA_VERSION_STRING);
-
- if (!exists)
- ret = ads_gen_add(ads, new_dn, mods);
- else
- ret = ads_gen_mod(ads, new_dn, mods);
-
- if (!ADS_ERR_OK(ret))
- goto done;
-
- /* Do not fail if we can't set security descriptor
- * it shouldn't be mandatory and probably we just
- * don't have enough rights to do it.
- */
- if (!exists) {
- status = ads_set_machine_sd(ads, hostname, new_dn);
-
- if (!ADS_ERR_OK(status)) {
- DEBUG(0, ("Warning: ads_set_machine_sd: %s\n",
- ads_errstr(status)));
- }
- }
-done:
- talloc_free(ctx);
- return ret;
-}
-
-/*
- dump a binary result from ldap
-*/
-static void dump_binary(const char *field, struct berval **values)
-{
- int i, j;
- for (i=0; values[i]; i++) {
- printf("%s: ", field);
- for (j=0; j<values[i]->bv_len; j++) {
- printf("%02X", (uint8_t)values[i]->bv_val[j]);
- }
- printf("\n");
- }
-}
-
-struct uuid {
- uint32_t i1;
- uint16_t i2;
- uint16_t i3;
- uint8_t s[8];
-};
-
-static void dump_guid(const char *field, struct berval **values)
-{
- int i;
- GUID guid;
- for (i=0; values[i]; i++) {
- memcpy(guid.info, values[i]->bv_val, sizeof(guid.info));
- printf("%s: %s\n", field, smb_uuid_string_static(guid));
- }
-}
-
-/*
- dump a sid result from ldap
-*/
-static void dump_sid(const char *field, struct berval **values)
-{
- int i;
- for (i=0; values[i]; i++) {
- DOM_SID sid;
- sid_parse(values[i]->bv_val, values[i]->bv_len, &sid);
- printf("%s: %s\n", field, sid_string_static(&sid));
- }
-}
-
-/*
- dump ntSecurityDescriptor
-*/
-static void dump_sd(const char *filed, struct berval **values)
-{
- prs_struct ps;
-
- SEC_DESC *psd = 0;
- TALLOC_CTX *ctx = 0;
-
- if (!(ctx = talloc_init("sec_io_desc")))
- return;
-
- /* prepare data */
- prs_init(&ps, values[0]->bv_len, ctx, UNMARSHALL);
- prs_copy_data_in(&ps, values[0]->bv_val, values[0]->bv_len);
- prs_set_offset(&ps,0);
-
- /* parse secdesc */
- if (!sec_io_desc("sd", &psd, &ps, 1)) {
- prs_mem_free(&ps);
- talloc_free(ctx);
- return;
- }
- if (psd) ads_disp_sd(psd);
-
- prs_mem_free(&ps);
- talloc_free(ctx);
-}
-
-/*
- dump a string result from ldap
-*/
-static void dump_string(const char *field, char **values)
-{
- int i;
- for (i=0; values[i]; i++) {
- printf("%s: %s\n", field, values[i]);
- }
-}
-
-/*
- dump a field from LDAP on stdout
- used for debugging
-*/
-
-static BOOL ads_dump_field(char *field, void **values, void *data_area)
-{
- const struct {
- const char *name;
- BOOL string;
- void (*handler)(const char *, struct berval **);
- } handlers[] = {
- {"objectGUID", False, dump_guid},
- {"nTSecurityDescriptor", False, dump_sd},
- {"dnsRecord", False, dump_binary},
- {"objectSid", False, dump_sid},
- {"tokenGroups", False, dump_sid},
- {NULL, True, NULL}
- };
- int i;
-
- if (!field) { /* must be end of an entry */
- printf("\n");
- return False;
- }
-
- for (i=0; handlers[i].name; i++) {
- if (strcasecmp_m(handlers[i].name, field) == 0) {
- if (!values) /* first time, indicate string or not */
- return handlers[i].string;
- handlers[i].handler(field, (struct berval **) values);
- break;
- }
- }
- if (!handlers[i].name) {
- if (!values) /* first time, indicate string conversion */
- return True;
- dump_string(field, (char **)values);
- }
- return False;
-}
-
-/**
- * Dump a result from LDAP on stdout
- * used for debugging
- * @param ads connection to ads server
- * @param res Results to dump
- **/
-
-void ads_dump(ADS_STRUCT *ads, void *res)
-{
- ads_process_results(ads, res, ads_dump_field, NULL);
-}
-
-/**
- * Walk through results, calling a function for each entry found.
- * The function receives a field name, a berval * array of values,
- * and a data area passed through from the start. The function is
- * called once with null for field and values at the end of each
- * entry.
- * @param ads connection to ads server
- * @param res Results to process
- * @param fn Function for processing each result
- * @param data_area user-defined area to pass to function
- **/
-void ads_process_results(ADS_STRUCT *ads, void *res,
- BOOL(*fn)(char *, void **, void *),
- void *data_area)
-{
- void *msg;
- TALLOC_CTX *ctx;
-
- if (!(ctx = talloc_init("ads_process_results")))
- return;
-
- for (msg = ads_first_entry(ads, res); msg;
- msg = ads_next_entry(ads, msg)) {
- char *utf8_field;
- BerElement *b;
-
- for (utf8_field=ldap_first_attribute(ads->ld,
- (LDAPMessage *)msg,&b);
- utf8_field;
- utf8_field=ldap_next_attribute(ads->ld,
- (LDAPMessage *)msg,b)) {
- struct berval **ber_vals;
- char **str_vals, **utf8_vals;
- char *field;
- BOOL string;
-
- pull_utf8_talloc(ctx, &field, utf8_field);
- string = fn(field, NULL, data_area);
-
- if (string) {
- utf8_vals = ldap_get_values(ads->ld,
- (LDAPMessage *)msg, field);
- str_vals = ads_pull_strvals(ctx,
- (const char **) utf8_vals);
- fn(field, (void **) str_vals, data_area);
- ldap_value_free(utf8_vals);
- } else {
- ber_vals = ldap_get_values_len(ads->ld,
- (LDAPMessage *)msg, field);
- fn(field, (void **) ber_vals, data_area);
-
- ldap_value_free_len(ber_vals);
- }
- ldap_memfree(utf8_field);
- }
- ber_free(b, 0);
- talloc_destroy_pool(ctx);
- fn(NULL, NULL, data_area); /* completed an entry */
-
- }
- talloc_free(ctx);
-}
-
-/**
- * count how many replies are in a LDAPMessage
- * @param ads connection to ads server
- * @param res Results to count
- * @return number of replies
- **/
-int ads_count_replies(ADS_STRUCT *ads, void *res)
-{
- return ldap_count_entries(ads->ld, (LDAPMessage *)res);
-}
-
-/**
- * Join a machine to a realm
- * Creates the machine account and sets the machine password
- * @param ads connection to ads server
- * @param hostname name of host to add
- * @param org_unit Organizational unit to place machine in
- * @return status of join
- **/
-ADS_STATUS ads_join_realm(ADS_STRUCT *ads, const char *hostname,
- uint32_t account_type, const char *org_unit)
-{
- ADS_STATUS status;
- LDAPMessage *res;
- char *host;
-
- /* hostname must be lowercase */
- host = strdup(hostname);
- strlower_m(host);
-
- /*
- status = ads_find_machine_acct(ads, (void **)&res, host);
- if (ADS_ERR_OK(status) && ads_count_replies(ads, res) == 1) {
- DEBUG(0, ("Host account for %s already exists - deleting old account\n", host));
- status = ads_leave_realm(ads, host);
- if (!ADS_ERR_OK(status)) {
- DEBUG(0, ("Failed to delete host '%s' from the '%s' realm.\n",
- host, ads->config.realm));
- return status;
- }
- }
- */
-
- status = ads_add_machine_acct(ads, host, account_type, org_unit);
- if (!ADS_ERR_OK(status)) {
- DEBUG(0, ("ads_add_machine_acct: %s\n", ads_errstr(status)));
- return status;
- }
-
- status = ads_find_machine_acct(ads, (void **)&res, host);
- if (!ADS_ERR_OK(status)) {
- DEBUG(0, ("Host account test failed\n"));
- return status;
- }
-
- free(host);
-
- return status;
-}
-
-/**
- * Delete a machine from the realm
- * @param ads connection to ads server
- * @param hostname Machine to remove
- * @return status of delete
- **/
-ADS_STATUS ads_leave_realm(ADS_STRUCT *ads, const char *hostname)
-{
- ADS_STATUS status;
- void *res, *msg;
- char *hostnameDN, *host;
- int rc;
-
- /* hostname must be lowercase */
- host = strdup(hostname);
- strlower_m(host);
-
- status = ads_find_machine_acct(ads, &res, host);
- if (!ADS_ERR_OK(status)) {
- DEBUG(0, ("Host account for %s does not exist.\n", host));
- return status;
- }
-
- msg = ads_first_entry(ads, res);
- if (!msg) {
- return ADS_ERROR_SYSTEM(ENOENT);
- }
-
- hostnameDN = ads_get_dn(ads, (LDAPMessage *)msg);
- rc = ldap_delete_s(ads->ld, hostnameDN);
- ads_memfree(ads, hostnameDN);
- if (rc != LDAP_SUCCESS) {
- return ADS_ERROR(rc);
- }
-
- status = ads_find_machine_acct(ads, &res, host);
- if (ADS_ERR_OK(status) && ads_count_replies(ads, res) == 1) {
- DEBUG(0, ("Failed to remove host account.\n"));
- return status;
- }
-
- free(host);
-
- return status;
-}
-
-/**
- * add machine account to existing security descriptor
- * @param ads connection to ads server
- * @param hostname machine to add
- * @param dn DN of security descriptor
- * @return status
- **/
-ADS_STATUS ads_set_machine_sd(ADS_STRUCT *ads, const char *hostname, char *dn)
-{
- const char *attrs[] = {"nTSecurityDescriptor", "objectSid", 0};
- char *expr = 0;
- size_t sd_size = 0;
- struct berval bval = {0, NULL};
- prs_struct ps_wire;
- char *escaped_hostname = escape_ldap_string_alloc(hostname);
-
- LDAPMessage *res = 0;
- LDAPMessage *msg = 0;
- ADS_MODLIST mods = 0;
-
- NTSTATUS status;
- ADS_STATUS ret;
- DOM_SID sid;
- SEC_DESC *psd = NULL;
- TALLOC_CTX *ctx = NULL;
-
- /* Avoid segmentation fault in prs_mem_free if
- * we have to bail out before prs_init */
- ps_wire.is_dynamic = False;
-
- if (!ads) return ADS_ERROR(LDAP_SERVER_DOWN);
-
- ret = ADS_ERROR(LDAP_SUCCESS);
-
- if (!escaped_hostname) {
- return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
- }
-
- if (asprintf(&expr, "(samAccountName=%s$)", escaped_hostname) == -1) {
- DEBUG(1, ("ads_set_machine_sd: asprintf failed!\n"));
- SAFE_FREE(escaped_hostname);
- return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
- }
-
- SAFE_FREE(escaped_hostname);
-
- ret = ads_search(ads, (void *) &res, expr, attrs);
-
- if (!ADS_ERR_OK(ret)) return ret;
-
- if ( !(msg = ads_first_entry(ads, res) )) {
- ret = ADS_ERROR(LDAP_NO_RESULTS_RETURNED);
- goto ads_set_sd_error;
- }
-
- if (!ads_pull_sid(ads, msg, attrs[1], &sid)) {
- ret = ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
- goto ads_set_sd_error;
- }
-
- if (!(ctx = talloc_init("sec_io_desc"))) {
- ret = ADS_ERROR(LDAP_NO_MEMORY);
- goto ads_set_sd_error;
- }
-
- if (!ads_pull_sd(ads, ctx, msg, attrs[0], &psd)) {
- ret = ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
- goto ads_set_sd_error;
- }
-
- status = sec_desc_add_sid(ctx, &psd, &sid, SEC_RIGHTS_FULL_CTRL, &sd_size);
-
- if (!NT_STATUS_IS_OK(status)) {
- ret = ADS_ERROR_NT(status);
- goto ads_set_sd_error;
- }
-
- if (!prs_init(&ps_wire, sd_size, ctx, MARSHALL)) {
- ret = ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
- }
-
- if (!sec_io_desc("sd_wire", &psd, &ps_wire, 1)) {
- ret = ADS_ERROR(LDAP_NO_MEMORY);
- goto ads_set_sd_error;
- }
-
-#if 0
- file_save("/tmp/sec_desc.new", ps_wire.data_p, sd_size);
-#endif
- if (!(mods = ads_init_mods(ctx))) return ADS_ERROR(LDAP_NO_MEMORY);
-
- bval.bv_len = prs_offset(&ps_wire);
- bval.bv_val = talloc(ctx, bval.bv_len);
- if (!bval.bv_val) {
- ret = ADS_ERROR(LDAP_NO_MEMORY);
- goto ads_set_sd_error;
- }
-
- prs_set_offset(&ps_wire, 0);
-
- if (!prs_copy_data_out(bval.bv_val, &ps_wire, bval.bv_len)) {
- ret = ADS_ERROR(LDAP_NO_MEMORY);
- goto ads_set_sd_error;
- }
-
- ret = ads_mod_ber(ctx, &mods, attrs[0], &bval);
- if (ADS_ERR_OK(ret)) {
- ret = ads_gen_mod(ads, dn, mods);
- }
-
-ads_set_sd_error:
- ads_msgfree(ads, res);
- prs_mem_free(&ps_wire);
- talloc_free(ctx);
- return ret;
-}
-
-/**
- * pull the first entry from a ADS result
- * @param ads connection to ads server
- * @param res Results of search
- * @return first entry from result
- **/
-void *ads_first_entry(ADS_STRUCT *ads, void *res)
-{
- return (void *)ldap_first_entry(ads->ld, (LDAPMessage *)res);
-}
-
-/**
- * pull the next entry from a ADS result
- * @param ads connection to ads server
- * @param res Results of search
- * @return next entry from result
- **/
-void *ads_next_entry(ADS_STRUCT *ads, void *res)
-{
- return (void *)ldap_next_entry(ads->ld, (LDAPMessage *)res);
-}
-
-/**
- * pull a single string from a ADS result
- * @param ads connection to ads server
- * @param mem_ctx TALLOC_CTX to use for allocating result string
- * @param msg Results of search
- * @param field Attribute to retrieve
- * @return Result string in talloc context
- **/
-char *ads_pull_string(ADS_STRUCT *ads,
- TALLOC_CTX *mem_ctx, void *msg, const char *field)
-{
- char **values;
- char *ret = NULL;
- char *ux_string;
- size_t rc;
-
- values = ldap_get_values(ads->ld, msg, field);
- if (!values)
- return NULL;
-
- if (values[0]) {
- rc = pull_utf8_talloc(mem_ctx, &ux_string,
- values[0]);
- if (rc != (size_t)-1)
- ret = ux_string;
-
- }
- ldap_value_free(values);
- return ret;
-}
-
-/**
- * pull an array of strings from a ADS result
- * @param ads connection to ads server
- * @param mem_ctx TALLOC_CTX to use for allocating result string
- * @param msg Results of search
- * @param field Attribute to retrieve
- * @return Result strings in talloc context
- **/
-char **ads_pull_strings(ADS_STRUCT *ads,
- TALLOC_CTX *mem_ctx, void *msg, const char *field,
- size_t *num_values)
-{
- char **values;
- char **ret = NULL;
- int i;
-
- values = ldap_get_values(ads->ld, msg, field);
- if (!values)
- return NULL;
-
- *num_values = ldap_count_values(values);
-
- ret = talloc_array(mem_ctx, char *, *num_values+1);
- if (!ret) {
- ldap_value_free(values);
- return NULL;
- }
-
- for (i=0;i<*num_values;i++) {
- if (pull_utf8_talloc(mem_ctx, &ret[i], values[i]) == -1) {
- ldap_value_free(values);
- return NULL;
- }
- }
- ret[i] = NULL;
-
- ldap_value_free(values);
- return ret;
-}
-
-/**
- * pull an array of strings from a ADS result
- * (handle large multivalue attributes with range retrieval)
- * @param ads connection to ads server
- * @param mem_ctx TALLOC_CTX to use for allocating result string
- * @param msg Results of search
- * @param field Attribute to retrieve
- * @param current_strings strings returned by a previous call to this function
- * @param next_attribute The next query should ask for this attribute
- * @param num_values How many values did we get this time?
- * @param more_values Are there more values to get?
- * @return Result strings in talloc context
- **/
-char **ads_pull_strings_range(ADS_STRUCT *ads,
- TALLOC_CTX *mem_ctx,
- void *msg, const char *field,
- char **current_strings,
- const char **next_attribute,
- size_t *num_strings,
- BOOL *more_strings)
-{
- char *attr;
- char *expected_range_attrib, *range_attr;
- BerElement *ptr = NULL;
- char **strings;
- char **new_strings;
- size_t num_new_strings;
- unsigned long int range_start;
- unsigned long int range_end;
-
- /* we might have been given the whole lot anyway */
- if ((strings = ads_pull_strings(ads, mem_ctx, msg, field, num_strings))) {
- *more_strings = False;
- return strings;
- }
-
- expected_range_attrib = talloc_asprintf(mem_ctx, "%s;Range=", field);
-
- /* look for Range result */
- for (attr = ldap_first_attribute(ads->ld, (LDAPMessage *)msg, &ptr);
- attr;
- attr = ldap_next_attribute(ads->ld, (LDAPMessage *)msg, ptr)) {
- /* we ignore the fact that this is utf8, as all attributes are ascii... */
- if (strncasecmp(attr, expected_range_attrib, strlen(expected_range_attrib)) == 0) {
- range_attr = attr;
- break;
- }
- ldap_memfree(attr);
- }
- if (!attr) {
- ber_free(ptr, 0);
- /* nothing here - this field is just empty */
- *more_strings = False;
- return NULL;
- }
-
- if (sscanf(&range_attr[strlen(expected_range_attrib)], "%lu-%lu",
- &range_start, &range_end) == 2) {
- *more_strings = True;
- } else {
- if (sscanf(&range_attr[strlen(expected_range_attrib)], "%lu-*",
- &range_start) == 1) {
- *more_strings = False;
- } else {
- DEBUG(1, ("ads_pull_strings_range: Cannot parse Range attriubte (%s)\n",
- range_attr));
- ldap_memfree(range_attr);
- *more_strings = False;
- return NULL;
- }
- }
-
- if ((*num_strings) != range_start) {
- DEBUG(1, ("ads_pull_strings_range: Range attribute (%s) doesn't start at %u, but at %lu"
- " - aborting range retreival\n",
- range_attr, *num_strings + 1, range_start));
- ldap_memfree(range_attr);
- *more_strings = False;
- return NULL;
- }
-
- new_strings = ads_pull_strings(ads, mem_ctx, msg, range_attr, &num_new_strings);
-
- if (*more_strings && ((*num_strings + num_new_strings) != (range_end + 1))) {
- DEBUG(1, ("ads_pull_strings_range: Range attribute (%s) tells us we have %lu "
- "strings in this bunch, but we only got %lu - aborting range retreival\n",
- range_attr, (unsigned long int)range_end - range_start + 1,
- (unsigned long int)num_new_strings));
- ldap_memfree(range_attr);
- *more_strings = False;
- return NULL;
- }
-
- strings = talloc_realloc(current_strings,
- sizeof(*current_strings) *
- (*num_strings + num_new_strings));
-
- if (strings == NULL) {
- ldap_memfree(range_attr);
- *more_strings = False;
- return NULL;
- }
-
- memcpy(&strings[*num_strings], new_strings,
- sizeof(*new_strings) * num_new_strings);
-
- (*num_strings) += num_new_strings;
-
- if (*more_strings) {
- *next_attribute = talloc_asprintf(mem_ctx,
- "member;range=%d-*",
- *num_strings);
-
- if (!*next_attribute) {
- DEBUG(1, ("talloc_asprintf for next attribute failed!\n"));
- ldap_memfree(range_attr);
- *more_strings = False;
- return NULL;
- }
- }
-
- ldap_memfree(range_attr);
-
- return strings;
-}
-
-/**
- * pull a single uint32_t from a ADS result
- * @param ads connection to ads server
- * @param msg Results of search
- * @param field Attribute to retrieve
- * @param v Pointer to int to store result
- * @return boolean inidicating success
-*/
-BOOL ads_pull_uint32_t(ADS_STRUCT *ads,
- void *msg, const char *field, uint32_t *v)
-{
- char **values;
-
- values = ldap_get_values(ads->ld, msg, field);
- if (!values)
- return False;
- if (!values[0]) {
- ldap_value_free(values);
- return False;
- }
-
- *v = atoi(values[0]);
- ldap_value_free(values);
- return True;
-}
-
-/**
- * pull a single objectGUID from an ADS result
- * @param ads connection to ADS server
- * @param msg results of search
- * @param guid 37-byte area to receive text guid
- * @return boolean indicating success
- **/
-BOOL ads_pull_guid(ADS_STRUCT *ads,
- void *msg, GUID *guid)
-{
- char **values;
-
- values = ldap_get_values(ads->ld, msg, "objectGUID");
- if (!values)
- return False;
-
- if (values[0]) {
- memcpy(guid, values[0], sizeof(GUID));
- ldap_value_free(values);
- return True;
- }
- ldap_value_free(values);
- return False;
-
-}
-
-
-/**
- * pull a single DOM_SID from a ADS result
- * @param ads connection to ads server
- * @param msg Results of search
- * @param field Attribute to retrieve
- * @param sid Pointer to sid to store result
- * @return boolean inidicating success
-*/
-BOOL ads_pull_sid(ADS_STRUCT *ads,
- void *msg, const char *field, DOM_SID *sid)
-{
- struct berval **values;
- BOOL ret = False;
-
- values = ldap_get_values_len(ads->ld, msg, field);
-
- if (!values)
- return False;
-
- if (values[0])
- ret = sid_parse(values[0]->bv_val, values[0]->bv_len, sid);
-
- ldap_value_free_len(values);
- return ret;
-}
-
-/**
- * pull an array of DOM_SIDs from a ADS result
- * @param ads connection to ads server
- * @param mem_ctx TALLOC_CTX for allocating sid array
- * @param msg Results of search
- * @param field Attribute to retrieve
- * @param sids pointer to sid array to allocate
- * @return the count of SIDs pulled
- **/
-int ads_pull_sids(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx,
- void *msg, const char *field, DOM_SID **sids)
-{
- struct berval **values;
- BOOL ret;
- int count, i;
-
- values = ldap_get_values_len(ads->ld, msg, field);
-
- if (!values)
- return 0;
-
- for (i=0; values[i]; i++)
- /* nop */ ;
-
- (*sids) = talloc_array(mem_ctx, DOM_SID, i);
- if (!(*sids)) {
- ldap_value_free_len(values);
- return 0;
- }
-
- count = 0;
- for (i=0; values[i]; i++) {
- ret = sid_parse(values[i]->bv_val, values[i]->bv_len, &(*sids)[count]);
- if (ret) {
- fstring sid;
- DEBUG(10, ("pulling SID: %s\n", sid_to_string(sid, &(*sids)[count])));
- count++;
- }
- }
-
- ldap_value_free_len(values);
- return count;
-}
-
-/**
- * pull a SEC_DESC from a ADS result
- * @param ads connection to ads server
- * @param mem_ctx TALLOC_CTX for allocating sid array
- * @param msg Results of search
- * @param field Attribute to retrieve
- * @param sd Pointer to *SEC_DESC to store result (talloc()ed)
- * @return boolean inidicating success
-*/
-BOOL ads_pull_sd(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx,
- void *msg, const char *field, SEC_DESC **sd)
-{
- struct berval **values;
- prs_struct ps;
- BOOL ret = False;
-
- values = ldap_get_values_len(ads->ld, msg, field);
-
- if (!values) return False;
-
- if (values[0]) {
- prs_init(&ps, values[0]->bv_len, mem_ctx, UNMARSHALL);
- prs_copy_data_in(&ps, values[0]->bv_val, values[0]->bv_len);
- prs_set_offset(&ps,0);
-
- ret = sec_io_desc("sd", sd, &ps, 1);
- }
-
- ldap_value_free_len(values);
- return ret;
-}
-
-/*
- * in order to support usernames longer than 21 characters we need to
- * use both the sAMAccountName and the userPrincipalName attributes
- * It seems that not all users have the userPrincipalName attribute set
- *
- * @param ads connection to ads server
- * @param mem_ctx TALLOC_CTX for allocating sid array
- * @param msg Results of search
- * @return the username
- */
-char *ads_pull_username(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, void *msg)
-{
- char *ret, *p;
-
- ret = ads_pull_string(ads, mem_ctx, msg, "userPrincipalName");
- if (ret && (p = strchr(ret, '@'))) {
- *p = 0;
- return ret;
- }
- return ads_pull_string(ads, mem_ctx, msg, "sAMAccountName");
-}
-
-
-/**
- * find the update serial number - this is the core of the ldap cache
- * @param ads connection to ads server
- * @param ads connection to ADS server
- * @param usn Pointer to retrieved update serial number
- * @return status of search
- **/
-ADS_STATUS ads_USN(ADS_STRUCT *ads, uint32_t *usn)
-{
- const char *attrs[] = {"highestCommittedUSN", NULL};
- ADS_STATUS status;
- void *res;
-
- status = ads_do_search_retry(ads, "", LDAP_SCOPE_BASE, "(objectclass=*)", attrs, &res);
- if (!ADS_ERR_OK(status))
- return status;
-
- if (ads_count_replies(ads, res) != 1) {
- return ADS_ERROR(LDAP_NO_RESULTS_RETURNED);
- }
-
- ads_pull_uint32_t(ads, res, "highestCommittedUSN", usn);
- ads_msgfree(ads, res);
- return ADS_SUCCESS;
-}
-
-/* parse a ADS timestring - typical string is
- '20020917091222.0Z0' which means 09:12.22 17th September
- 2002, timezone 0 */
-static time_t ads_parse_time(const char *str)
-{
- struct tm tm;
-
- ZERO_STRUCT(tm);
-
- if (sscanf(str, "%4d%2d%2d%2d%2d%2d",
- &tm.tm_year, &tm.tm_mon, &tm.tm_mday,
- &tm.tm_hour, &tm.tm_min, &tm.tm_sec) != 6) {
- return 0;
- }
- tm.tm_year -= 1900;
- tm.tm_mon -= 1;
-
- return timegm(&tm);
-}
-
-
-/**
- * Find the servers name and realm - this can be done before authentication
- * The ldapServiceName field on w2k looks like this:
- * vnet3.home.samba.org:win2000-vnet3$@VNET3.HOME.SAMBA.ORG
- * @param ads connection to ads server
- * @return status of search
- **/
-ADS_STATUS ads_server_info(ADS_STRUCT *ads)
-{
- const char *attrs[] = {"ldapServiceName", "currentTime", NULL};
- ADS_STATUS status;
- void *res;
- char *value;
- char *p;
- char *timestr;
- TALLOC_CTX *ctx;
-
- if (!(ctx = talloc_init("ads_server_info"))) {
- return ADS_ERROR(LDAP_NO_MEMORY);
- }
-
- status = ads_do_search(ads, "", LDAP_SCOPE_BASE, "(objectclass=*)", attrs, &res);
- if (!ADS_ERR_OK(status)) return status;
-
- value = ads_pull_string(ads, ctx, res, "ldapServiceName");
- if (!value) {
- return ADS_ERROR(LDAP_NO_RESULTS_RETURNED);
- }
-
- timestr = ads_pull_string(ads, ctx, res, "currentTime");
- if (!timestr) {
- return ADS_ERROR(LDAP_NO_RESULTS_RETURNED);
- }
-
- ldap_msgfree(res);
-
- p = strchr(value, ':');
- if (!p) {
- talloc_free(ctx);
- DEBUG(1, ("ads_server_info: returned ldap server name did not contain a ':' "
- "so was deemed invalid\n"));
- return ADS_ERROR(LDAP_DECODING_ERROR);
- }
-
- SAFE_FREE(ads->config.ldap_server_name);
-
- ads->config.ldap_server_name = strdup(p+1);
- p = strchr(ads->config.ldap_server_name, '$');
- if (!p || p[1] != '@') {
- talloc_free(ctx);
- DEBUG(1, ("ads_server_info: returned ldap server name (%s) does not contain '$@'"
- " so was deemed invalid\n", ads->config.ldap_server_name));
- SAFE_FREE(ads->config.ldap_server_name);
- return ADS_ERROR(LDAP_DECODING_ERROR);
- }
-
- *p = 0;
-
- SAFE_FREE(ads->config.realm);
- SAFE_FREE(ads->config.bind_path);
-
- ads->config.realm = strdup(p+2);
- ads->config.bind_path = ads_build_dn(ads->config.realm);
-
- DEBUG(3,("got ldap server name %s@%s, using bind path: %s\n",
- ads->config.ldap_server_name, ads->config.realm,
- ads->config.bind_path));
-
- ads->config.current_time = ads_parse_time(timestr);
-
- if (ads->config.current_time != 0) {
- ads->auth.time_offset = ads->config.current_time - time(NULL);
- DEBUG(4,("time offset is %d seconds\n", ads->auth.time_offset));
- }
-
- talloc_free(ctx);
-
- return ADS_SUCCESS;
-}
-
-/**
- * find the domain sid for our domain
- * @param ads connection to ads server
- * @param sid Pointer to domain sid
- * @return status of search
- **/
-ADS_STATUS ads_domain_sid(ADS_STRUCT *ads, DOM_SID *sid)
-{
- const char *attrs[] = {"objectSid", NULL};
- void *res;
- ADS_STATUS rc;
-
- rc = ads_do_search_retry(ads, ads->config.bind_path, LDAP_SCOPE_BASE, "(objectclass=*)",
- attrs, &res);
- if (!ADS_ERR_OK(rc)) return rc;
- if (!ads_pull_sid(ads, res, "objectSid", sid)) {
- return ADS_ERROR_SYSTEM(ENOENT);
- }
- ads_msgfree(ads, res);
-
- return ADS_SUCCESS;
-}
-
-/* this is rather complex - we need to find the allternate (netbios) name
- for the domain, but there isn't a simple query to do this. Instead
- we look for the principle names on the DCs account and find one that has
- the right form, then extract the netbios name of the domain from that
-
- NOTE! better method is this:
-
-bin/net -Uadministrator%XXXXX ads search '(&(objectclass=crossref)(dnsroot=VNET3.HOME.SAMBA.ORG))' nETBIOSName
-
-but you need to force the bind path to match the configurationNamingContext from the rootDSE
-
-*/
-ADS_STATUS ads_workgroup_name(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, const char **workgroup)
-{
- char *expr;
- ADS_STATUS rc;
- char **principles;
- char *prefix;
- int prefix_length;
- int i;
- void *res;
- const char *attrs[] = {"servicePrincipalName", NULL};
- int num_principals;
-
- (*workgroup) = NULL;
-
- asprintf(&expr, "(&(objectclass=computer)(dnshostname=%s.%s))",
- ads->config.ldap_server_name, ads->config.realm);
- rc = ads_search(ads, &res, expr, attrs);
- free(expr);
-
- if (!ADS_ERR_OK(rc)) {
- return rc;
- }
-
- principles = ads_pull_strings(ads, mem_ctx, res,
- "servicePrincipalName", &num_principals);
-
- ads_msgfree(ads, res);
-
- if (!principles) {
- return ADS_ERROR(LDAP_NO_RESULTS_RETURNED);
- }
-
- asprintf(&prefix, "HOST/%s.%s/",
- ads->config.ldap_server_name,
- ads->config.realm);
-
- prefix_length = strlen(prefix);
-
- for (i=0;principles[i]; i++) {
- if (strnequal(principles[i], prefix, prefix_length) &&
- !strequal(ads->config.realm, principles[i]+prefix_length) &&
- !strchr(principles[i]+prefix_length, '.')) {
- /* found an alternate (short) name for the domain. */
- DEBUG(3,("Found alternate name '%s' for realm '%s'\n",
- principles[i]+prefix_length,
- ads->config.realm));
- (*workgroup) = talloc_strdup(mem_ctx, principles[i]+prefix_length);
- break;
- }
- }
- free(prefix);
-
- if (!*workgroup) {
- return ADS_ERROR(LDAP_NO_RESULTS_RETURNED);
- }
-
- return ADS_SUCCESS;
-}
-
-#endif
+++ /dev/null
-/*
- Unix SMB/CIFS implementation.
- ads (active directory) printer utility library
- Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-*/
-
-#include "includes.h"
-
-#ifdef HAVE_ADS
-
-/*
- find a printer given the name and the hostname
- Note that results "res" may be allocated on return so that the
- results can be used. It should be freed using ads_msgfree.
-*/
-ADS_STATUS ads_find_printer_on_server(ADS_STRUCT *ads, void **res,
- const char *printer, const char *servername)
-{
- ADS_STATUS status;
- char *srv_dn, **srv_cn, *s;
- const char *attrs[] = {"*", "nTSecurityDescriptor", NULL};
-
- status = ads_find_machine_acct(ads, res, servername);
- if (!ADS_ERR_OK(status)) {
- DEBUG(1, ("ads_add_printer: cannot find host %s in ads\n",
- servername));
- return status;
- }
- srv_dn = ldap_get_dn(ads->ld, *res);
- srv_cn = ldap_explode_dn(srv_dn, 1);
- ads_msgfree(ads, *res);
-
- asprintf(&s, "(cn=%s-%s)", srv_cn[0], printer);
- status = ads_search(ads, res, s, attrs);
-
- ldap_memfree(srv_dn);
- ldap_value_free(srv_cn);
- free(s);
- return status;
-}
-
-ADS_STATUS ads_find_printers(ADS_STRUCT *ads, void **res)
-{
- char *ldap_expr;
- const char *attrs[] = { "objectClass", "printerName", "location", "driverName",
- "serverName", "description", NULL };
-
- /* For the moment only display all printers */
-
- ldap_expr = "(&(!(showInAdvancedViewOnly=TRUE))(uncName=*)"
- "(objectCategory=printQueue))";
-
- return ads_search(ads, res, ldap_expr, attrs);
-}
-
-/*
- modify a printer entry in the directory
-*/
-ADS_STATUS ads_mod_printer_entry(ADS_STRUCT *ads, char *prt_dn,
- TALLOC_CTX *ctx, const ADS_MODLIST *mods)
-{
- return ads_gen_mod(ads, prt_dn, *mods);
-}
-
-/*
- add a printer to the directory
-*/
-ADS_STATUS ads_add_printer_entry(ADS_STRUCT *ads, char *prt_dn,
- TALLOC_CTX *ctx, ADS_MODLIST *mods)
-{
- ads_mod_str(ctx, mods, "objectClass", "printQueue");
- return ads_gen_add(ads, prt_dn, *mods);
-}
-
-/*
- map a REG_SZ to an ldap mod
-*/
-static BOOL map_sz(TALLOC_CTX *ctx, ADS_MODLIST *mods,
- const REGISTRY_VALUE *value)
-{
- char *str_value = NULL;
- ADS_STATUS status;
-
- if (value->type != REG_SZ)
- return False;
-
- if (value->size && SVAL(value->data_p, 0)) {
- pull_ucs2_talloc(ctx, &str_value, value->data_p);
- status = ads_mod_str(ctx, mods, value->valuename, str_value);
- return ADS_ERR_OK(status);
- }
- return True;
-
-}
-
-/*
- map a REG_DWORD to an ldap mod
-*/
-static BOOL map_dword(TALLOC_CTX *ctx, ADS_MODLIST *mods,
- const REGISTRY_VALUE *value)
-{
- char *str_value = NULL;
- ADS_STATUS status;
-
- if (value->type != REG_DWORD)
- return False;
- str_value = talloc_asprintf(ctx, "%d", *((uint32_t *) value->data_p));
- status = ads_mod_str(ctx, mods, value->valuename, str_value);
- return ADS_ERR_OK(status);
-}
-
-/*
- map a boolean REG_BINARY to an ldap mod
-*/
-static BOOL map_bool(TALLOC_CTX *ctx, ADS_MODLIST *mods,
- const REGISTRY_VALUE *value)
-{
- char *str_value;
- ADS_STATUS status;
-
- if ((value->type != REG_BINARY) || (value->size != 1))
- return False;
- str_value = talloc_asprintf(ctx, "%s",
- *(value->data_p) ? "TRUE" : "FALSE");
- status = ads_mod_str(ctx, mods, value->valuename, str_value);
- return ADS_ERR_OK(status);
-}
-
-/*
- map a REG_MULTI_SZ to an ldap mod
-*/
-static BOOL map_multi_sz(TALLOC_CTX *ctx, ADS_MODLIST *mods,
- const REGISTRY_VALUE *value)
-{
- char **str_values = NULL;
- char *cur_str = value->data_p;
- uint32_t size = 0, num_vals = 0, i=0;
- ADS_STATUS status;
-
- if (value->type != REG_MULTI_SZ)
- return False;
-
- while (cur_str && *cur_str && (size < value->size)) {
- size_t this_size = utf16_len(cur_str);
- cur_str += this_size;
- size += this_size;
- num_vals++;
- };
-
- if (num_vals) {
- str_values = talloc_array(ctx, char *, num_vals + 1);
- cur_str = value->data_p;
- for (i=0; i < num_vals; i++) {
- pull_ucs2_talloc(ctx, &str_values[i], cur_str);
- cur_str += utf16_len(cur_str);
- }
- str_values[i] = NULL;
-
- status = ads_mod_strlist(ctx, mods, value->valuename,
- (const char **) str_values);
- return ADS_ERR_OK(status);
- }
- return True;
-}
-
-struct valmap_to_ads {
- const char *valname;
- BOOL (*fn)(TALLOC_CTX *, ADS_MODLIST *, const REGISTRY_VALUE *);
-};
-
-/*
- map a REG_SZ to an ldap mod
-*/
-static void map_regval_to_ads(TALLOC_CTX *ctx, ADS_MODLIST *mods,
- REGISTRY_VALUE *value)
-{
- const struct valmap_to_ads map[] = {
- {SPOOL_REG_ASSETNUMBER, map_sz},
- {SPOOL_REG_BYTESPERMINUTE, map_dword},
- {SPOOL_REG_DEFAULTPRIORITY, map_dword},
- {SPOOL_REG_DESCRIPTION, map_sz},
- {SPOOL_REG_DRIVERNAME, map_sz},
- {SPOOL_REG_DRIVERVERSION, map_dword},
- {SPOOL_REG_FLAGS, map_dword},
- {SPOOL_REG_LOCATION, map_sz},
- {SPOOL_REG_OPERATINGSYSTEM, map_sz},
- {SPOOL_REG_OPERATINGSYSTEMHOTFIX, map_sz},
- {SPOOL_REG_OPERATINGSYSTEMSERVICEPACK, map_sz},
- {SPOOL_REG_OPERATINGSYSTEMVERSION, map_sz},
- {SPOOL_REG_PORTNAME, map_multi_sz},
- {SPOOL_REG_PRINTATTRIBUTES, map_dword},
- {SPOOL_REG_PRINTBINNAMES, map_multi_sz},
- {SPOOL_REG_PRINTCOLLATE, map_bool},
- {SPOOL_REG_PRINTCOLOR, map_bool},
- {SPOOL_REG_PRINTDUPLEXSUPPORTED, map_bool},
- {SPOOL_REG_PRINTENDTIME, map_dword},
- {SPOOL_REG_PRINTFORMNAME, map_sz},
- {SPOOL_REG_PRINTKEEPPRINTEDJOBS, map_bool},
- {SPOOL_REG_PRINTLANGUAGE, map_multi_sz},
- {SPOOL_REG_PRINTMACADDRESS, map_sz},
- {SPOOL_REG_PRINTMAXCOPIES, map_sz},
- {SPOOL_REG_PRINTMAXRESOLUTIONSUPPORTED, map_dword},
- {SPOOL_REG_PRINTMAXXEXTENT, map_dword},
- {SPOOL_REG_PRINTMAXYEXTENT, map_dword},
- {SPOOL_REG_PRINTMEDIAREADY, map_multi_sz},
- {SPOOL_REG_PRINTMEDIASUPPORTED, map_multi_sz},
- {SPOOL_REG_PRINTMEMORY, map_dword},
- {SPOOL_REG_PRINTMINXEXTENT, map_dword},
- {SPOOL_REG_PRINTMINYEXTENT, map_dword},
- {SPOOL_REG_PRINTNETWORKADDRESS, map_sz},
- {SPOOL_REG_PRINTNOTIFY, map_sz},
- {SPOOL_REG_PRINTNUMBERUP, map_dword},
- {SPOOL_REG_PRINTORIENTATIONSSUPPORTED, map_multi_sz},
- {SPOOL_REG_PRINTOWNER, map_sz},
- {SPOOL_REG_PRINTPAGESPERMINUTE, map_dword},
- {SPOOL_REG_PRINTRATE, map_dword},
- {SPOOL_REG_PRINTRATEUNIT, map_sz},
- {SPOOL_REG_PRINTSEPARATORFILE, map_sz},
- {SPOOL_REG_PRINTSHARENAME, map_sz},
- {SPOOL_REG_PRINTSPOOLING, map_sz},
- {SPOOL_REG_PRINTSTAPLINGSUPPORTED, map_bool},
- {SPOOL_REG_PRINTSTARTTIME, map_dword},
- {SPOOL_REG_PRINTSTATUS, map_sz},
- {SPOOL_REG_PRIORITY, map_dword},
- {SPOOL_REG_SERVERNAME, map_sz},
- {SPOOL_REG_SHORTSERVERNAME, map_sz},
- {SPOOL_REG_UNCNAME, map_sz},
- {SPOOL_REG_URL, map_sz},
- {SPOOL_REG_VERSIONNUMBER, map_dword},
- {NULL, NULL}
- };
- int i;
-
- for (i=0; map[i].valname; i++) {
- if (strcasecmp_m(map[i].valname, value->valuename) == 0) {
- if (!map[i].fn(ctx, mods, value)) {
- DEBUG(5, ("Add of value %s to modlist failed\n", value->valuename));
- } else {
- DEBUG(7, ("Mapped value %s\n", value->valuename));
- }
-
- }
- }
-}
-
-
-WERROR get_remote_printer_publishing_data(struct smbcli_state *cli,
- TALLOC_CTX *mem_ctx,
- ADS_MODLIST *mods,
- const char *printer)
-{
- WERROR result;
- char *printername, *servername;
- REGVAL_CTR dsdriver_ctr, dsspooler_ctr;
- BOOL got_dsdriver = False, got_dsspooler = False;
- uint32_t needed, i;
- POLICY_HND pol;
-
- asprintf(&servername, "\\\\%s", cli->desthost);
- asprintf(&printername, "%s\\%s", servername, printer);
- if (!servername || !printername) {
- DEBUG(3, ("Insufficient memory\n"));
- return WERR_NOMEM;
- }
-
- result = smbcli_spoolss_open_printer_ex(cli, mem_ctx, printername,
- "", MAXIMUM_ALLOWED_ACCESS,
- servername, cli->user_name, &pol);
- if (!W_ERROR_IS_OK(result)) {
- DEBUG(3, ("Unable to open printer %s, error is %s.\n",
- printername, dos_errstr(result)));
- return result;
- }
-
- result = smbcli_spoolss_enumprinterdataex(cli, mem_ctx, 0, &needed,
- &pol, SPOOL_DSDRIVER_KEY, NULL);
-
- if (W_ERROR_V(result) == ERRmoredata)
- result = smbcli_spoolss_enumprinterdataex(cli, mem_ctx, needed,
- NULL, &pol,
- SPOOL_DSDRIVER_KEY,
- &dsdriver_ctr);
-
- if (!W_ERROR_IS_OK(result)) {
- DEBUG(3, ("Unable to do enumdataex on %s, error is %s.\n",
- printername, dos_errstr(result)));
- } else {
-
- /* Have the data we need now, so start building */
- got_dsdriver = True;
- for (i=0; i < dsdriver_ctr.num_values; i++)
- map_regval_to_ads(mem_ctx, mods,
- dsdriver_ctr.values[i]);
- }
-
- result = smbcli_spoolss_enumprinterdataex(cli, mem_ctx, 0, &needed,
- &pol, SPOOL_DSSPOOLER_KEY,
- NULL);
-
- if (W_ERROR_V(result) == ERRmoredata)
- result = smbcli_spoolss_enumprinterdataex(cli, mem_ctx, needed,
- NULL, &pol,
- SPOOL_DSSPOOLER_KEY,
- &dsspooler_ctr);
-
- if (!W_ERROR_IS_OK(result)) {
- DEBUG(3, ("Unable to do enumdataex on %s, error is %s.\n",
- printername, dos_errstr(result)));
- } else {
- got_dsspooler = True;
- for (i=0; i < dsspooler_ctr.num_values; i++)
- map_regval_to_ads(mem_ctx, mods,
- dsspooler_ctr.values[i]);
- }
-
- ads_mod_str(mem_ctx, mods, SPOOL_REG_PRINTERNAME, printer);
-
- if (got_dsdriver) regval_ctr_destroy(&dsdriver_ctr);
- if (got_dsspooler) regval_ctr_destroy(&dsspooler_ctr);
- smbcli_spoolss_close_printer(cli, mem_ctx, &pol);
-
- return result;
-}
-
-BOOL get_local_printer_publishing_data(TALLOC_CTX *mem_ctx,
- ADS_MODLIST *mods,
- NT_PRINTER_DATA *data)
-{
- uint32_t key,val;
-
- for (key=0; key < data->num_keys; key++) {
- REGVAL_CTR ctr = data->keys[key].values;
- for (val=0; val < ctr.num_values; val++)
- map_regval_to_ads(mem_ctx, mods, ctr.values[val]);
- }
- return True;
-}
-
-#endif
+++ /dev/null
-/*
- Unix SMB/CIFS implementation.
- ads (active directory) utility library
- Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-*/
-
-#include "includes.h"
-
-#ifdef HAVE_ADS
-
-/*
- find a user account
-*/
-ADS_STATUS ads_find_user_acct(ADS_STRUCT *ads, void **res, const char *user)
-{
- ADS_STATUS status;
- char *ldap_exp;
- const char *attrs[] = {"*", NULL};
- char *escaped_user = escape_ldap_string_alloc(user);
- if (!escaped_user) {
- return ADS_ERROR(LDAP_NO_MEMORY);
- }
-
- asprintf(&ldap_exp, "(samAccountName=%s)", escaped_user);
- status = ads_search(ads, res, ldap_exp, attrs);
- SAFE_FREE(ldap_exp);
- SAFE_FREE(escaped_user);
- return status;
-}
-
-ADS_STATUS ads_add_user_acct(ADS_STRUCT *ads, const char *user,
- const char *container, const char *fullname)
-{
- TALLOC_CTX *ctx;
- ADS_MODLIST mods;
- ADS_STATUS status;
- const char *upn, *new_dn, *name, *controlstr;
- const char *objectClass[] = {"top", "person", "organizationalPerson",
- "user", NULL};
-
- if (fullname && *fullname) name = fullname;
- else name = user;
-
- if (!(ctx = talloc_init("ads_add_user_acct")))
- return ADS_ERROR(LDAP_NO_MEMORY);
-
- status = ADS_ERROR(LDAP_NO_MEMORY);
-
- if (!(upn = talloc_asprintf(ctx, "%s@%s", user, ads->config.realm)))
- goto done;
- if (!(new_dn = talloc_asprintf(ctx, "cn=%s,%s,%s", name, container,
- ads->config.bind_path)))
- goto done;
- if (!(controlstr = talloc_asprintf(ctx, "%u", UF_NORMAL_ACCOUNT)))
- goto done;
- if (!(mods = ads_init_mods(ctx)))
- goto done;
-
- ads_mod_str(ctx, &mods, "cn", name);
- ads_mod_strlist(ctx, &mods, "objectClass", objectClass);
- ads_mod_str(ctx, &mods, "userPrincipalName", upn);
- ads_mod_str(ctx, &mods, "name", name);
- ads_mod_str(ctx, &mods, "displayName", name);
- ads_mod_str(ctx, &mods, "sAMAccountName", user);
- ads_mod_str(ctx, &mods, "userAccountControl", controlstr);
- status = ads_gen_add(ads, new_dn, mods);
-
- done:
- talloc_free(ctx);
- return status;
-}
-
-ADS_STATUS ads_add_group_acct(ADS_STRUCT *ads, const char *group,
- const char *container, const char *comment)
-{
- TALLOC_CTX *ctx;
- ADS_MODLIST mods;
- ADS_STATUS status;
- char *new_dn;
- const char *objectClass[] = {"top", "group", NULL};
-
- if (!(ctx = talloc_init("ads_add_group_acct")))
- return ADS_ERROR(LDAP_NO_MEMORY);
-
- status = ADS_ERROR(LDAP_NO_MEMORY);
-
- if (!(new_dn = talloc_asprintf(ctx, "cn=%s,%s,%s", group, container,
- ads->config.bind_path)))
- goto done;
- if (!(mods = ads_init_mods(ctx)))
- goto done;
-
- ads_mod_str(ctx, &mods, "cn", group);
- ads_mod_strlist(ctx, &mods, "objectClass",objectClass);
- ads_mod_str(ctx, &mods, "name", group);
- if (comment && *comment)
- ads_mod_str(ctx, &mods, "description", comment);
- ads_mod_str(ctx, &mods, "sAMAccountName", group);
- status = ads_gen_add(ads, new_dn, mods);
-
- done:
- talloc_free(ctx);
- return status;
-}
-#endif
+++ /dev/null
-/*
- Unix SMB/CIFS implementation.
-
- Some Helpful wrappers on LDAP
-
- Copyright (C) Andrew Tridgell 2001
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-*/
-
-#include "includes.h"
-
-#ifdef HAVE_LDAP
-/*
- a wrapper around ldap_search_s that retries depending on the error code
- this is supposed to catch dropped connections and auto-reconnect
-*/
-ADS_STATUS ads_do_search_retry(ADS_STRUCT *ads, const char *bind_path, int scope,
- const char *expr,
- const char **attrs, void **res)
-{
- ADS_STATUS status;
- int count = 3;
- char *bp;
-
- *res = NULL;
-
- if (!ads->ld &&
- time(NULL) - ads->last_attempt < ADS_RECONNECT_TIME) {
- return ADS_ERROR(LDAP_SERVER_DOWN);
- }
-
- bp = strdup(bind_path);
-
- if (!bp) {
- return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
- }
-
- while (count--) {
- *res = NULL;
- status = ads_do_search_all(ads, bp, scope, expr, attrs, res);
- if (ADS_ERR_OK(status)) {
- DEBUG(5,("Search for %s gave %d replies\n",
- expr, ads_count_replies(ads, *res)));
- SAFE_FREE(bp);
- return status;
- }
-
- if (*res)
- ads_msgfree(ads, *res);
- *res = NULL;
-
- DEBUG(3,("Reopening ads connection to realm '%s' after error %s\n",
- ads->config.realm, ads_errstr(status)));
-
- if (ads->ld) {
- ldap_unbind(ads->ld);
- }
-
- ads->ld = NULL;
- status = ads_connect(ads);
-
- if (!ADS_ERR_OK(status)) {
- DEBUG(1,("ads_search_retry: failed to reconnect (%s)\n",
- ads_errstr(status)));
- ads_destroy(&ads);
- SAFE_FREE(bp);
- return status;
- }
- }
- SAFE_FREE(bp);
-
- if (!ADS_ERR_OK(status))
- DEBUG(1,("ads reopen failed after error %s\n",
- ads_errstr(status)));
-
- return status;
-}
-
-
-ADS_STATUS ads_search_retry(ADS_STRUCT *ads, void **res,
- const char *expr,
- const char **attrs)
-{
- return ads_do_search_retry(ads, ads->config.bind_path, LDAP_SCOPE_SUBTREE,
- expr, attrs, res);
-}
-
-ADS_STATUS ads_search_retry_dn(ADS_STRUCT *ads, void **res,
- const char *dn,
- const char **attrs)
-{
- return ads_do_search_retry(ads, dn, LDAP_SCOPE_BASE,
- "(objectclass=*)", attrs, res);
-}
-#endif
+++ /dev/null
-/*
- Unix SMB/CIFS implementation.
- ads sasl code
- Copyright (C) Andrew Tridgell 2001
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-*/
-
-#include "includes.h"
-
-#ifdef HAVE_LDAP
-
-/*
- perform a LDAP/SASL/SPNEGO/NTLMSSP bind (just how many layers can
- we fit on one socket??)
-*/
-static ADS_STATUS ads_sasl_spnego_ntlmssp_bind(ADS_STRUCT *ads)
-{
- const char *mechs[] = {OID_NTLMSSP, NULL};
- DATA_BLOB msg1;
- DATA_BLOB blob, chal1, chal2, auth;
- uint8_t challenge[8];
- uint8_t nthash[24], lmhash[24], sess_key[16];
- uint32_t neg_flags;
- struct berval cred, *scred;
- ADS_STATUS status;
- int rc;
-
- if (!ads->auth.password) {
- /* No password, don't segfault below... */
- return ADS_ERROR_NT(NT_STATUS_LOGON_FAILURE);
- }
-
- neg_flags = NTLMSSP_NEGOTIATE_UNICODE |
- NTLMSSP_NEGOTIATE_128 |
- NTLMSSP_NEGOTIATE_NTLM;
-
- memset(sess_key, 0, 16);
-
- /* generate the ntlmssp negotiate packet */
- msrpc_gen(&blob, "CddB",
- "NTLMSSP",
- NTLMSSP_NEGOTIATE,
- neg_flags,
- sess_key, 16);
-
- /* and wrap it in a SPNEGO wrapper */
- msg1 = gen_negTokenTarg(mechs, blob);
- data_blob_free(&blob);
-
- cred.bv_val = (char *)msg1.data;
- cred.bv_len = msg1.length;
-
- rc = ldap_sasl_bind_s(ads->ld, NULL, "GSS-SPNEGO", &cred, NULL, NULL, &scred);
- if (rc != LDAP_SASL_BIND_IN_PROGRESS) {
- status = ADS_ERROR(rc);
- goto failed;
- }
-
- blob = data_blob(scred->bv_val, scred->bv_len);
-
- /* the server gives us back two challenges */
- if (!spnego_parse_challenge(blob, &chal1, &chal2)) {
- DEBUG(3,("Failed to parse challenges\n"));
- status = ADS_ERROR(LDAP_OPERATIONS_ERROR);
- goto failed;
- }
-
- data_blob_free(&blob);
-
- /* encrypt the password with the challenge */
- memcpy(challenge, chal1.data + 24, 8);
- SMBencrypt(ads->auth.password, challenge,lmhash);
- SMBNTencrypt(ads->auth.password, challenge,nthash);
-
- data_blob_free(&chal1);
- data_blob_free(&chal2);
-
- /* this generates the actual auth packet */
- msrpc_gen(&blob, "CdBBUUUBd",
- "NTLMSSP",
- NTLMSSP_AUTH,
- lmhash, 24,
- nthash, 24,
- lp_workgroup(),
- ads->auth.user_name,
- lp_netbios_name(),
- sess_key, 16,
- neg_flags);
-
- /* wrap it in SPNEGO */
- auth = spnego_gen_auth(blob);
-
- data_blob_free(&blob);
-
- /* now send the auth packet and we should be done */
- cred.bv_val = (char *)auth.data;
- cred.bv_len = auth.length;
-
- rc = ldap_sasl_bind_s(ads->ld, NULL, "GSS-SPNEGO", &cred, NULL, NULL, &scred);
-
- return ADS_ERROR(rc);
-
-failed:
- return status;
-}
-
-/*
- perform a LDAP/SASL/SPNEGO/KRB5 bind
-*/
-static ADS_STATUS ads_sasl_spnego_krb5_bind(ADS_STRUCT *ads, const char *principal)
-{
- DATA_BLOB blob;
- struct berval cred, *scred;
- DATA_BLOB session_key;
- int rc;
-
- rc = spnego_gen_negTokenTarg(principal, ads->auth.time_offset, &blob, &session_key);
-
- if (rc) {
- return ADS_ERROR_KRB5(rc);
- }
-
- /* now send the auth packet and we should be done */
- cred.bv_val = (char *)blob.data;
- cred.bv_len = blob.length;
-
- rc = ldap_sasl_bind_s(ads->ld, NULL, "GSS-SPNEGO", &cred, NULL, NULL, &scred);
-
- data_blob_free(&blob);
- data_blob_free(&session_key);
-
- return ADS_ERROR(rc);
-}
-
-/*
- this performs a SASL/SPNEGO bind
-*/
-static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
-{
- struct berval *scred=NULL;
- int rc, i;
- ADS_STATUS status;
- DATA_BLOB blob;
- char *principal;
- char *OIDs[ASN1_MAX_OIDS];
- BOOL got_kerberos_mechanism = False;
-
- rc = ldap_sasl_bind_s(ads->ld, NULL, "GSS-SPNEGO", NULL, NULL, NULL, &scred);
-
- if (rc != LDAP_SASL_BIND_IN_PROGRESS) {
- status = ADS_ERROR(rc);
- goto failed;
- }
-
- blob = data_blob(scred->bv_val, scred->bv_len);
-
- ber_bvfree(scred);
-
-#if 0
- file_save("sasl_spnego.dat", blob.data, blob.length);
-#endif
-
- /* the server sent us the first part of the SPNEGO exchange in the negprot
- reply */
- if (!spnego_parse_negTokenInit(blob, OIDs, &principal)) {
- data_blob_free(&blob);
- status = ADS_ERROR(LDAP_OPERATIONS_ERROR);
- goto failed;
- }
- data_blob_free(&blob);
-
- /* make sure the server understands kerberos */
- for (i=0;OIDs[i];i++) {
- DEBUG(3,("got OID=%s\n", OIDs[i]));
- if (strcmp(OIDs[i], OID_KERBEROS5_OLD) == 0 ||
- strcmp(OIDs[i], OID_KERBEROS5) == 0) {
- got_kerberos_mechanism = True;
- }
- free(OIDs[i]);
- }
- DEBUG(3,("got principal=%s\n", principal));
-
-#ifdef HAVE_KRB5
- if (!(ads->auth.flags & ADS_AUTH_DISABLE_KERBEROS) &&
- got_kerberos_mechanism) {
- status = ads_sasl_spnego_krb5_bind(ads, principal);
- if (ADS_ERR_OK(status))
- return status;
-
- status = ADS_ERROR_KRB5(ads_kinit_password(ads));
-
- if (ADS_ERR_OK(status)) {
- status = ads_sasl_spnego_krb5_bind(ads, principal);
- }
-
- /* only fallback to NTLMSSP if allowed */
- if (ADS_ERR_OK(status) ||
- !(ads->auth.flags & ADS_AUTH_ALLOW_NTLMSSP)) {
- return status;
- }
- }
-#endif
-
- /* lets do NTLMSSP ... this has the big advantage that we don't need
- to sync clocks, and we don't rely on special versions of the krb5
- library for HMAC_MD4 encryption */
- return ads_sasl_spnego_ntlmssp_bind(ads);
-
-failed:
- return status;
-}
-
-#ifdef HAVE_GSSAPI
-#define MAX_GSS_PASSES 3
-
-/* this performs a SASL/gssapi bind
- we avoid using cyrus-sasl to make Samba more robust. cyrus-sasl
- is very dependent on correctly configured DNS whereas
- this routine is much less fragile
- see RFC2078 and RFC2222 for details
-*/
-static ADS_STATUS ads_sasl_gssapi_bind(ADS_STRUCT *ads)
-{
- uint32_t minor_status;
- gss_name_t serv_name;
- gss_buffer_desc input_name;
- gss_ctx_id_t context_handle;
- gss_OID mech_type = GSS_C_NULL_OID;
- gss_buffer_desc output_token, input_token;
- uint32_t ret_flags, conf_state;
- struct berval cred;
- struct berval *scred;
- int i=0;
- int gss_rc, rc;
- uint8_t *p;
- uint32_t max_msg_size;
- char *sname;
- uint_t sec_layer;
- ADS_STATUS status;
- krb5_principal principal;
- krb5_context ctx;
- krb5_enctype enc_types[] = {
-#ifdef ENCTYPE_ARCFOUR_HMAC
- ENCTYPE_ARCFOUR_HMAC,
-#endif
- ENCTYPE_DES_CBC_MD5,
- ENCTYPE_NULL};
- gss_OID_desc nt_principal =
- {10, "\052\206\110\206\367\022\001\002\002\002"};
-
- /* we need to fetch a service ticket as the ldap user in the
- servers realm, regardless of our realm */
- asprintf(&sname, "ldap/%s@%s", ads->config.ldap_server_name, ads->config.realm);
- krb5_init_context(&ctx);
- krb5_set_default_tgs_ktypes(ctx, enc_types);
- krb5_parse_name(ctx, sname, &principal);
- free(sname);
- krb5_free_context(ctx);
-
- input_name.value = &principal;
- input_name.length = sizeof(principal);
-
- gss_rc = gss_import_name(&minor_status,&input_name,&nt_principal, &serv_name);
- if (gss_rc) {
- return ADS_ERROR_GSS(gss_rc, minor_status);
- }
-
- context_handle = GSS_C_NO_CONTEXT;
-
- input_token.value = NULL;
- input_token.length = 0;
-
- for (i=0; i < MAX_GSS_PASSES; i++) {
- gss_rc = gss_init_sec_context(&minor_status,
- GSS_C_NO_CREDENTIAL,
- &context_handle,
- serv_name,
- mech_type,
- GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG,
- 0,
- NULL,
- &input_token,
- NULL,
- &output_token,
- &ret_flags,
- NULL);
-
- if (input_token.value) {
- gss_release_buffer(&minor_status, &input_token);
- }
-
- if (gss_rc && gss_rc != GSS_S_CONTINUE_NEEDED) {
- status = ADS_ERROR_GSS(gss_rc, minor_status);
- goto failed;
- }
-
- cred.bv_val = output_token.value;
- cred.bv_len = output_token.length;
-
- rc = ldap_sasl_bind_s(ads->ld, NULL, "GSSAPI", &cred, NULL, NULL,
- &scred);
- if (rc != LDAP_SASL_BIND_IN_PROGRESS) {
- status = ADS_ERROR(rc);
- goto failed;
- }
-
- if (output_token.value) {
- gss_release_buffer(&minor_status, &output_token);
- }
-
- if (scred) {
- input_token.value = scred->bv_val;
- input_token.length = scred->bv_len;
- } else {
- input_token.value = NULL;
- input_token.length = 0;
- }
-
- if (gss_rc == 0) break;
- }
-
- gss_release_name(&minor_status, &serv_name);
-
- gss_rc = gss_unwrap(&minor_status,context_handle,&input_token,&output_token,
- (int *)&conf_state,NULL);
- if (gss_rc) {
- status = ADS_ERROR_GSS(gss_rc, minor_status);
- goto failed;
- }
-
- gss_release_buffer(&minor_status, &input_token);
-
- p = (uint8_t *)output_token.value;
-
- file_save("sasl_gssapi.dat", output_token.value, output_token.length);
-
- max_msg_size = (p[1]<<16) | (p[2]<<8) | p[3];
- sec_layer = *p;
-
- gss_release_buffer(&minor_status, &output_token);
-
- output_token.value = malloc(strlen(ads->config.bind_path) + 8);
- p = output_token.value;
-
- *p++ = 1; /* no sign & seal selection */
- /* choose the same size as the server gave us */
- *p++ = max_msg_size>>16;
- *p++ = max_msg_size>>8;
- *p++ = max_msg_size;
- snprintf((char *)p, strlen(ads->config.bind_path)+4, "dn:%s", ads->config.bind_path);
- p += strlen((const char *)p);
-
- output_token.length = PTR_DIFF(p, output_token.value);
-
- gss_rc = gss_wrap(&minor_status, context_handle,0,GSS_C_QOP_DEFAULT,
- &output_token, (int *)&conf_state,
- &input_token);
- if (gss_rc) {
- status = ADS_ERROR_GSS(gss_rc, minor_status);
- goto failed;
- }
-
- free(output_token.value);
-
- cred.bv_val = input_token.value;
- cred.bv_len = input_token.length;
-
- rc = ldap_sasl_bind_s(ads->ld, NULL, "GSSAPI", &cred, NULL, NULL,
- &scred);
- status = ADS_ERROR(rc);
-
- gss_release_buffer(&minor_status, &input_token);
-
-failed:
- return status;
-}
-#endif
-
-/* mapping between SASL mechanisms and functions */
-static struct {
- const char *name;
- ADS_STATUS (*fn)(ADS_STRUCT *);
-} sasl_mechanisms[] = {
- {"GSS-SPNEGO", ads_sasl_spnego_bind},
-#ifdef HAVE_GSSAPI
- {"GSSAPI", ads_sasl_gssapi_bind}, /* doesn't work with .NET RC1. No idea why */
-#endif
- {NULL, NULL}
-};
-
-ADS_STATUS ads_sasl_bind(ADS_STRUCT *ads)
-{
- const char *attrs[] = {"supportedSASLMechanisms", NULL};
- char **values;
- ADS_STATUS status;
- int i, j;
- void *res;
-
- /* get a list of supported SASL mechanisms */
- status = ads_do_search(ads, "", LDAP_SCOPE_BASE, "(objectclass=*)", attrs, &res);
- if (!ADS_ERR_OK(status)) return status;
-
- values = ldap_get_values(ads->ld, res, "supportedSASLMechanisms");
-
- /* try our supported mechanisms in order */
- for (i=0;sasl_mechanisms[i].name;i++) {
- /* see if the server supports it */
- for (j=0;values && values[j];j++) {
- if (strcmp(values[j], sasl_mechanisms[i].name) == 0) {
- DEBUG(4,("Found SASL mechanism %s\n", values[j]));
- status = sasl_mechanisms[i].fn(ads);
- ldap_value_free(values);
- ldap_msgfree(res);
- return status;
- }
- }
- }
-
- ldap_value_free(values);
- ldap_msgfree(res);
- return ADS_ERROR(LDAP_AUTH_METHOD_NOT_SUPPORTED);
-}
-
-#endif
-
+++ /dev/null
-/*
- Unix SMB/CIFS implementation.
- krb5 set password implementation
- Copyright (C) Remus Koos 2001 (remuskoos@yahoo.com)
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-*/
-
-#include "includes.h"
-
-#ifdef HAVE_KRB5
-
-ADS_STATUS ads_change_trust_account_password(ADS_STRUCT *ads, char *host_principal)
-{
- char *tmp_password;
- char *password;
- char *new_password;
- char *service_principal = NULL;
- ADS_STATUS ret;
- uint32_t sec_channel_type;
-
- if ((password = secrets_fetch_machine_password(lp_workgroup(), NULL, &sec_channel_type)) == NULL) {
- DEBUG(1,("Failed to retrieve password for principal %s\n", host_principal));
- return ADS_ERROR_SYSTEM(ENOENT);
- }
-
- tmp_password = generate_random_str(DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
- new_password = strdup(tmp_password);
-
- asprintf(&service_principal, "HOST/%s", host_principal);
-
- if (!service_principal) {
- DEBUG(1,("asprintf() failed principal %s\n", host_principal));
- return ADS_ERROR_SYSTEM(ENOMEM);
- }
-
- ret = kerberos_set_password(ads->auth.kdc_server, service_principal, password, service_principal, new_password, ads->auth.time_offset);
-
- if (!ADS_ERR_OK(ret)) goto failed;
-
- if (!secrets_store_machine_password(new_password, lp_workgroup(), sec_channel_type)) {
- DEBUG(1,("Failed to save machine password\n"));
- return ADS_ERROR_SYSTEM(EACCES);
- }
-
-failed:
- SAFE_FREE(service_principal);
- SAFE_FREE(new_password);
-
- return ret;
-}
-
-
-
-#endif
git.samba.org / jelmer / samba4-debian.git / commitdiff