- added initial support for trusted domains in winbindd_ads

- gss error code patch from a.bokovoy@sam-solutions.net
- better sid dumping in ads_dump
- fixed help in wbinfo
(This used to be commit ee1c3e1f044b4ef62169ad74c5cac40eef81bfda)

diff --git a/source3/include/ads.h b/source3/include/ads.h
index 5ae127ff28822c898bce95d31ed8549e5139e094..4a20d0e79fd71555eece6f4034412752d315b6d3 100644 (file)
--- a/source3/include/ads.h
+++ b/source3/include/ads.h
@@ -15,8 +15,19 @@ typedef struct {
        time_t last_attempt;
        char *password;
        char *user_name;
+       char *server_realm;
 } ADS_STRUCT;
 
+typedef struct {
+       /* Type of error returned by ads_connect: */
+       /* True corresponds GSS API, False - LDAP */
+       int error_type;
+       /* For error_type = False rc describes LDAP error */
+       int rc;
+       /* For error_type = True rc and minor_status describe GSS API error */
+       /* Where rc represents major_status of GSS API error */
+       int minor_status;
+} ADS_RETURN_CODE;
 
 /* time between reconnect attempts */
 #define ADS_RECONNECT_TIME 5

diff --git a/source3/libads/ads_struct.c b/source3/libads/ads_struct.c
index 4b2ab5b40fa3f0270ba0619f9d5f67e00c297186..a7c8d1a6813ef068bba861d87514834660d26d99 100644 (file)
--- a/source3/libads/ads_struct.c
+++ b/source3/libads/ads_struct.c
@@ -157,3 +157,29 @@ void ads_destroy(ADS_STRUCT **ads)
        }
 }
 
+
+static void ads_display_status_helper(char *m, OM_uint32 code, int type)
+{
+     int maj_stat, min_stat;
+     gss_buffer_desc msg;
+     int msg_ctx;
+     
+     msg_ctx = 0;
+     while (1) {
+         maj_stat = gss_display_status(&min_stat, code,
+                                      type, GSS_C_NULL_OID,
+                                      &msg_ctx, &msg);
+         DEBUG(1, ("GSS-API error %s: %s\n", m,
+                     (char *)msg.value)); 
+         (void) gss_release_buffer(&min_stat, &msg);
+         
+         if (!msg_ctx)
+              break;
+     }
+}
+
+void ads_display_status(char * msg, int maj_stat,int min_stat)
+{
+     ads_display_status_helper(msg, maj_stat, GSS_C_GSS_CODE);
+     ads_display_status_helper(msg, min_stat, GSS_C_MECH_CODE);
+}

diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index 09498b4384e12267e5cc5b9db2e5204e1e592f12..b41a864ae2e6a0088463fb68e67be72ce840d60b 100644 (file)
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
@@ -38,20 +38,24 @@ char *ads_errstr(int rc)
 /*
   connect to the LDAP server
 */
-int ads_connect(ADS_STRUCT *ads)
+ADS_RETURN_CODE ads_connect(ADS_STRUCT *ads)
 {
        int version = LDAP_VERSION3;
-       int rc;
+       ADS_RETURN_CODE rc;
+       
+       rc.error_type = False;
 
        ads->last_attempt = time(NULL);
 
        ads->ld = ldap_open(ads->ldap_server, ads->ldap_port);
        if (!ads->ld) {
-               return LDAP_SERVER_DOWN;
+               rc.rc = LDAP_SERVER_DOWN;
+               return rc;
        }
        if (!ads_server_info(ads)) {
                DEBUG(1,("Failed to get ldap server info\n"));
-               return LDAP_SERVER_DOWN;
+               rc.rc = LDAP_SERVER_DOWN;
+               return rc;
        }
 
        ldap_set_option(ads->ld, LDAP_OPT_PROTOCOL_VERSION, &version);
@@ -232,6 +236,19 @@ static void dump_binary(const char *field, struct berval **values)
        }
 }
 
+/*
+  dump a sid result from ldap
+*/
+static void dump_sid(const char *field, struct berval **values)
+{
+       int i;
+       for (i=0; values[i]; i++) {
+               DOM_SID sid;
+               sid_parse(values[i]->bv_val, values[i]->bv_len, &sid);
+               printf("%s: %s\n", field, sid_string_static(&sid));
+       }
+}
+
 /*
   dump a string result from ldap
 */
@@ -257,7 +274,7 @@ void ads_dump(ADS_STRUCT *ads, void *res)
                void (*handler)(const char *, struct berval **);
        } handlers[] = {
                {"objectGUID", dump_binary},
-               {"objectSid", dump_binary},
+               {"objectSid", dump_sid},
                {NULL, NULL}
        };
     
@@ -547,12 +564,16 @@ BOOL ads_server_info(ADS_STRUCT *ads)
 
        *p = 0;
 
+       SAFE_FREE(ads->server_realm);
+       SAFE_FREE(ads->bind_path);
+
+       ads->server_realm = strdup(p+2);
+       ads->bind_path = ads_build_dn(ads->server_realm);
+
        /* in case the realm isn't configured in smb.conf */
        if (!ads->realm || !ads->realm[0]) {
                SAFE_FREE(ads->realm);
-               SAFE_FREE(ads->bind_path);
-               ads->realm = strdup(p+2);
-               ads->bind_path = ads_build_dn(ads->realm);
+               ads->realm = strdup(ads->server_realm);
        }
 
        DEBUG(3,("got ldap server name %s@%s\n", 
@@ -561,4 +582,44 @@ BOOL ads_server_info(ADS_STRUCT *ads)
        return True;
 }
 
+
+/* 
+   find the list of trusted domains
+*/
+BOOL ads_trusted_domains(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, 
+                        int *num_trusts, char ***names, DOM_SID **sids)
+{
+       const char *attrs[] = {"flatName", "securityIdentifier", NULL};
+       int rc;
+       void *res, *msg;
+       int count, i;
+
+       *num_trusts = 0;
+
+       rc = ads_search(ads, &res, "(objectcategory=trustedDomain)", attrs);
+       if (rc) return False;
+
+       count = ads_count_replies(ads, res);
+       if (count == 0) {
+               ads_msgfree(ads, res);
+               return False;
+       }
+
+       (*names) = talloc(mem_ctx, sizeof(char *) * count);
+       (*sids) = talloc(mem_ctx, sizeof(DOM_SID) * count);
+       if (! *names || ! *sids) return False;
+
+       for (i=0, msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
+               (*names)[i] = ads_pull_string(ads, mem_ctx, msg, "flatName");
+               ads_pull_sid(ads, msg, "securityIdentifier", &(*sids)[i]);
+               i++;
+       }
+
+       ads_msgfree(ads, res);
+
+       *num_trusts = i;
+
+       return True;
+}
+
 #endif

diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index dd948b5d4de06e1e4f64d6af239fa08c0fa4026a..b3610b8fdb7c1f126be38efee65818c72f8ead5f 100644 (file)
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -53,9 +53,9 @@ static int sasl_interact(LDAP *ld,unsigned flags,void *defaults,void *in)
    this routine is much less fragile
    see RFC2078 for details
 */
-int ads_sasl_gssapi_bind(ADS_STRUCT *ads)
+ADS_RETURN_CODE ads_sasl_gssapi_bind(ADS_STRUCT *ads)
 {
-       int rc, minor_status;
+       int minor_status;
        gss_name_t serv_name;
        gss_buffer_desc input_name;
        gss_ctx_id_t context_handle;
@@ -69,15 +69,27 @@ int ads_sasl_gssapi_bind(ADS_STRUCT *ads)
        uint8 *p;
        uint32 max_msg_size;
        char *sname;
+       ADS_RETURN_CODE rc;
+       krb5_principal principal;
+       krb5_context ctx;
+       krb5_enctype enc_types[] = {ENCTYPE_DES_CBC_MD5, ENCTYPE_NULL};
+       gss_OID_desc nt_principal = 
+       {10, "\052\206\110\206\367\022\001\002\002\002"};
+
+       /* we need to fetch a service ticket as the ldap user in the
+          servers realm, regardless of our realm */
+       asprintf(&sname, "ldap/%s@%s", ads->ldap_server_name, ads->server_realm);
+       krb5_init_context(&ctx);
+       krb5_set_default_tgs_ktypes(ctx, enc_types);
+       krb5_parse_name(ctx, sname, &principal);
+       free(sname);
+       krb5_free_context(ctx); 
 
-       asprintf(&sname, "ldap@%s.%s", ads->ldap_server_name, ads->realm);
-
-       input_name.value = sname;
-       input_name.length = strlen(input_name.value);
-
-       rc = gss_import_name(&minor_status,&input_name,gss_nt_service_name, &serv_name);
+       input_name.value = &principal;
+       input_name.length = sizeof(principal);
 
-       free(sname);
+       rc.rc = gss_import_name(&minor_status,&input_name,&nt_principal, &serv_name);
+       rc.error_type = False;
 
        context_handle = GSS_C_NO_CONTEXT;
 
@@ -103,12 +115,17 @@ int ads_sasl_gssapi_bind(ADS_STRUCT *ads)
                        gss_release_buffer(&minor_status, &input_token);
                }
 
-               if (gss_rc && gss_rc != GSS_S_CONTINUE_NEEDED) goto failed;
+               if (gss_rc && gss_rc != GSS_S_CONTINUE_NEEDED) {
+                   rc.minor_status = minor_status;
+                   rc.rc = gss_rc;
+                   rc.error_type = True;
+                   goto failed;
+               }
 
                cred.bv_val = output_token.value;
                cred.bv_len = output_token.length;
 
-               rc = ldap_sasl_bind_s(ads->ld, NULL, "GSSAPI", &cred, NULL, NULL, 
+               rc.rc = ldap_sasl_bind_s(ads->ld, NULL, "GSSAPI", &cred, NULL, NULL, 
                                      &scred);
 
                if (output_token.value) {
@@ -152,7 +169,7 @@ int ads_sasl_gssapi_bind(ADS_STRUCT *ads)
 
        output_token.length = strlen(ads->bind_path) + 8;
 
-       gss_rc = gss_wrap(&minor_status, context_handle,0,GSS_C_QOP_DEFAULT,
+       rc.rc = gss_wrap(&minor_status, context_handle,0,GSS_C_QOP_DEFAULT,
                          &output_token, &conf_state,
                          &input_token);
 
@@ -161,22 +178,24 @@ int ads_sasl_gssapi_bind(ADS_STRUCT *ads)
        cred.bv_val = input_token.value;
        cred.bv_len = input_token.length;
 
-       rc = ldap_sasl_bind_s(ads->ld, NULL, "GSSAPI", &cred, NULL, NULL, 
+       rc.rc = ldap_sasl_bind_s(ads->ld, NULL, "GSSAPI", &cred, NULL, NULL, 
                              &scred);
 
        gss_release_buffer(&minor_status, &input_token);
-       return rc;
 
 failed:
-       return gss_rc;
+       return rc;
 }
 
-int ads_sasl_bind(ADS_STRUCT *ads)
+ADS_RETURN_CODE ads_sasl_bind(ADS_STRUCT *ads)
 {
 #if USE_CYRUS_SASL
-       return ldap_sasl_interactive_bind_s(ads->ld, NULL, NULL, NULL, NULL, 
+    ADS_RETURN_CODE rc;
+       rc.error_type = False;
+       rc.rc = ldap_sasl_interactive_bind_s(ads->ld, NULL, NULL, NULL, NULL, 
                                            LDAP_SASL_QUIET,
                                            sasl_interact, NULL);
+       return rc;
 #else
        return ads_sasl_gssapi_bind(ads);
 #endif

diff --git a/source3/nsswitch/wbinfo.c b/source3/nsswitch/wbinfo.c
index 82d483611f7448fe5b8514318f88875461ebc16f..9c012eb85da84e0d7eb90c46fffb818a4ed5a4c2 100644 (file)
--- a/source3/nsswitch/wbinfo.c
+++ b/source3/nsswitch/wbinfo.c
@@ -486,7 +486,7 @@ int main(int argc, char **argv)
        struct poptOption long_options[] = {
 
                /* longName, shortName, argInfo, argPtr, value, descrip, argDesc */
-
+               { "help", 'h', POPT_ARG_NONE, 0, 'h' },
                { "domain-users", 'u', POPT_ARG_NONE, 0, 'u' },
                { "domain-groups", 'g', POPT_ARG_NONE, 0, 'g' },
                { "name-to-sid", 'n', POPT_ARG_STRING, &string_arg, 'n' },
@@ -548,6 +548,9 @@ int main(int argc, char **argv)
 
        while((opt = poptGetNextOpt(pc)) != -1) {
                switch (opt) {
+               case 'h':
+                       usage();
+                       exit(0);
                case 'u':
                        if (!print_domain_users()) {
                                printf("Error looking up domain users\n");
@@ -644,6 +647,7 @@ int main(int argc, char **argv)
                        break;
                default:
                        fprintf(stderr, "Invalid option\n");
+                       usage();
                        return 1;
                }
        }

diff --git a/source3/nsswitch/winbindd_ads.c b/source3/nsswitch/winbindd_ads.c
index e52f448a63737737da64da34f4f521638ad80612..4ce0894ab3e00b47eb3d50b5112fbdc8d1a4f9d9 100644 (file)
--- a/source3/nsswitch/winbindd_ads.c
+++ b/source3/nsswitch/winbindd_ads.c
@@ -24,6 +24,9 @@
 
 #ifdef HAVE_ADS
 
+/* the realm of our primary LDAP server */
+static char *primary_realm;
+
 
 /*
   a wrapper around ldap_search_s that retries depending on the error code
@@ -33,7 +36,8 @@ int ads_do_search_retry(ADS_STRUCT *ads, const char *bind_path, int scope,
                        const char *exp,
                        const char **attrs, void **res)
 {
-       int rc = -1, rc2;
+       int rc = -1;
+       ADS_RETURN_CODE rc2;
        int count = 3;
 
        if (!ads->ld &&
@@ -59,9 +63,15 @@ int ads_do_search_retry(ADS_STRUCT *ads, const char *bind_path, int scope,
                }
                ads->ld = NULL;
                rc2 = ads_connect(ads);
-               if (rc2) {
-                       DEBUG(1,("ads_search_retry: failed to reconnect (%s)\n", ads_errstr(rc)));
-                       return rc2;
+               if (rc2.rc) {
+                   DEBUG(1,("ads_search_retry: failed to reconnect:\n"));
+                   if(rc2.error_type) 
+                       ads_display_status("", rc2.rc, rc2.minor_status);
+                   else 
+                       DEBUG(1,("LDAP error: %s\n", ads_errstr(rc2.rc)));
+                   
+                   ads_destroy(&ads);
+                   return rc2.rc;
                }
        }
        DEBUG(1,("ads reopen failed after error %s\n", ads_errstr(rc)));
@@ -92,8 +102,9 @@ int ads_search_retry_dn(ADS_STRUCT *ads, void **res,
 static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain)
 {
        ADS_STRUCT *ads;
-       int rc;
+       ADS_RETURN_CODE rc;
        char *ccache;
+       struct in_addr server_ip;
 
        if (domain->private) {
                return (ADS_STRUCT *)domain->private;
@@ -104,7 +115,12 @@ static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain)
        SETENV("KRB5CCNAME", ccache, 1);
        unlink(ccache);
 
-       ads = ads_init(NULL, NULL, NULL, NULL);
+       if (!resolve_name(domain->name, &server_ip, 0x1b)) {
+               DEBUG(1,("Can't find PDC for domain %s\n", domain->name));
+               return NULL;
+       }
+
+       ads = ads_init(primary_realm, inet_ntoa(server_ip), NULL, NULL);
        if (!ads) {
                DEBUG(1,("ads_init for domain %s failed\n", domain->name));
                return NULL;
@@ -115,12 +131,22 @@ static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain)
        ads->password = secrets_fetch_machine_password();
 
        rc = ads_connect(ads);
-       if (rc) {
-               DEBUG(1,("ads_connect for domain %s failed: %s\n", domain->name, ads_errstr(rc)));
+       if (rc.rc) {
+               DEBUG(1,("ads_connect for domain %s failed:\n", domain->name));
+               if(rc.error_type) 
+                   ads_display_status("", rc.rc, rc.minor_status);
+               else 
+                   DEBUG(1,("LDAP error: %s\n", ads_errstr(rc.rc)));
+                   
                ads_destroy(&ads);
                return NULL;
        }
 
+       /* remember our primary realm for trusted domain support */
+       if (!primary_realm) {
+               primary_realm = strdup(ads->realm);
+       }
+
        domain->private = (void *)ads;
        return ads;
 }
@@ -546,7 +572,7 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
        }
 
        if (!ads_pull_uint32(ads, msg, "primaryGroupID", &primary_group)) {
-               DEBUG(1,("No primary group for rid=%d !?\n", user_rid));
+               DEBUG(1,("%s: No primary group for rid=%d !?\n", domain->name, user_rid));
                goto done;
        }
 
@@ -666,8 +692,19 @@ static NTSTATUS trusted_domains(struct winbindd_domain *domain,
                                char ***names,
                                DOM_SID **dom_sids)
 {
+       ADS_STRUCT *ads = NULL;
+
        *num_domains = 0;
-       return NT_STATUS_NOT_IMPLEMENTED;
+       *names = NULL;
+
+       ads = ads_cached_connection(domain);
+       if (!ads) return NT_STATUS_UNSUCCESSFUL;
+
+       if (!ads_trusted_domains(ads, mem_ctx, num_domains, names, dom_sids)) {
+               return NT_STATUS_UNSUCCESSFUL;
+       }
+
+       return NT_STATUS_OK;
 }
 
 /* find the domain sid for a domain */

diff --git a/source3/nsswitch/winbindd_cache.c b/source3/nsswitch/winbindd_cache.c
index 32f9f0d69f1c6968856adcc00953f75a5dad3a33..847ec9e5417f052bb5328d516972b3fcb3c2039a 100644 (file)
--- a/source3/nsswitch/winbindd_cache.c
+++ b/source3/nsswitch/winbindd_cache.c
@@ -462,8 +462,10 @@ do_cached:
        return status;
 
 do_query:
+       *num_entries = 0;
+       *info = NULL;
+
        if (wcache_server_down(domain)) {
-               *num_entries = 0;
                return NT_STATUS_SERVER_DISABLED;
        }
 
@@ -533,8 +535,10 @@ do_cached:
        return status;
 
 do_query:
+       *num_entries = 0;
+       *info = NULL;
+
        if (wcache_server_down(domain)) {
-               *num_entries = 0;
                return NT_STATUS_SERVER_DISABLED;
        }
 
@@ -580,6 +584,8 @@ static NTSTATUS name_to_sid(struct winbindd_domain *domain,
        return status;
 
 do_query:
+       ZERO_STRUCTP(sid);
+
        if (wcache_server_down(domain)) {
                return NT_STATUS_SERVER_DISABLED;
        }
@@ -619,6 +625,8 @@ static NTSTATUS sid_to_name(struct winbindd_domain *domain,
        return status;
 
 do_query:
+       *name = NULL;
+
        if (wcache_server_down(domain)) {
                return NT_STATUS_SERVER_DISABLED;
        }
@@ -656,9 +664,12 @@ static NTSTATUS query_user(struct winbindd_domain *domain,
        return status;
 
 do_query:
+       ZERO_STRUCTP(info);
+
        if (wcache_server_down(domain)) {
                return NT_STATUS_SERVER_DISABLED;
        }
+       
        status = cache->backend->query_user(domain, mem_ctx, user_rid, info);
 
        /* and save it */
@@ -701,8 +712,10 @@ do_cached:
        return status;
 
 do_query:
+       (*num_groups) = 0;
+       (*user_gids) = NULL;
+
        if (wcache_server_down(domain)) {
-               (*num_groups) = 0;
                return NT_STATUS_SERVER_DISABLED;
        }
        status = cache->backend->lookup_usergroups(domain, mem_ctx, user_rid, num_groups, user_gids);
@@ -763,8 +776,13 @@ do_cached:
        return status;
 
 do_query:
+       (*num_names) = 0;
+       (*rid_mem) = NULL;
+       (*names) = NULL;
+       (*name_types) = NULL;
+       
+
        if (wcache_server_down(domain)) {
-               (*num_names) = 0;
                return NT_STATUS_SERVER_DISABLED;
        }
        status = cache->backend->lookup_groupmem(domain, mem_ctx, group_rid, num_names, 

diff --git a/source3/nsswitch/winbindd_util.c b/source3/nsswitch/winbindd_util.c
index 608749b39dbe8bd8af7fa135c2dad42709d2ac2a..f760b635d643aeb61767d7ac5acad1a17452cc69 100644 (file)
--- a/source3/nsswitch/winbindd_util.c
+++ b/source3/nsswitch/winbindd_util.c
@@ -98,10 +98,7 @@ static struct winbindd_domain *add_trusted_domain(char *domain_name,
                }
        }
         
-       DEBUG(1, ("adding domain %s\n", domain_name));
-        
        /* Create new domain entry */
-        
        if ((domain = (struct winbindd_domain *)malloc(sizeof(*domain))) == NULL)
                return NULL;
 
@@ -146,6 +143,10 @@ BOOL get_domain_info(void)
                         domain->name));
                result = cache_methods.domain_sid(domain, &domain->sid);
        }
+       
+       DEBUG(1,("Added domain %s (%s)\n", 
+                domain->name, 
+                sid_string_static(&domain->sid)));
 
        DEBUG(1, ("getting trusted domain list\n"));
 
@@ -160,6 +161,9 @@ BOOL get_domain_info(void)
                        if (domain) {
                                sid_copy(&domain->sid, &dom_sids[i]);
                        }
+                       DEBUG(1,("Added domain %s (%s)\n", 
+                                domain->name, 
+                                sid_string_static(&domain->sid)));
                }
        }
 

diff --git a/source3/script/mkproto.awk b/source3/script/mkproto.awk
index f927d273bdafc21728195d5a780d06337ec8c59f..7c8bc3d6cfbc2e11cef5c2322d9ef677c4713fa3 100644 (file)
--- a/source3/script/mkproto.awk
+++ b/source3/script/mkproto.awk
@@ -122,7 +122,7 @@ END {
     gotstart = 1;
   }
 
-  if( $0 ~ /^ADS_STRUCT|^DATA_BLOB|^ASN1_DATA|^TDB_CONTEXT|^TDB_DATA|^smb_ucs2_t|^TALLOC_CTX|^hash_element|^NT_DEVICEMODE|^enum.*\(|^NT_USER_TOKEN|^SAM_ACCOUNT/ ) {
+  if( $0 ~ /^ADS_STRUCT|^ADS_RETURN_CODE|^DATA_BLOB|^ASN1_DATA|^TDB_CONTEXT|^TDB_DATA|^smb_ucs2_t|^TALLOC_CTX|^hash_element|^NT_DEVICEMODE|^enum.*\(|^NT_USER_TOKEN|^SAM_ACCOUNT/ ) {
     gotstart = 1;
   }
 

diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index 8d41c09208268c12969e78e2faf6b04dd770ee50..0d7b641771f6a5658119f587f196c780ff8c763a 100644 (file)
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -68,7 +68,7 @@ static int net_ads_info(int argc, const char **argv)
 static ADS_STRUCT *ads_startup(void)
 {
        ADS_STRUCT *ads;
-       int rc;
+       ADS_RETURN_CODE rc;
        extern char *opt_password;
        extern char *opt_user_name;
 
@@ -88,8 +88,11 @@ static ADS_STRUCT *ads_startup(void)
        ads->user_name = strdup(opt_user_name);
 
        rc = ads_connect(ads);
-       if (rc) {
-               d_printf("ads_connect: %s\n", ads_errstr(rc));
+       if (rc.rc) {
+               if(rc.error_type) 
+                   ads_display_status("ads_connect", rc.rc, rc.minor_status);
+               else
+                   d_printf("ads_connect: %s\n", ads_errstr(rc.rc));
                return NULL;
        }
        return ads;