2 Unix SMB/CIFS implementation.
3 ads (active directory) utility library
4 Copyright (C) Andrew Tridgell 2001
5 Copyright (C) Remus Koos 2001
6 Copyright (C) Jim McDonough 2002
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program; if not, write to the Free Software
20 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
29 * @brief basic ldap client-side routines for ads server communications
31 * The routines contained here should do the necessary ldap calls for
34 * Important note: attribute names passed into ads_ routines must
35 * already be in UTF-8 format. We do not convert them because in almost
36 * all cases, they are just ascii (which is represented with the same
37 * codepoints in UTF-8). This may have to change at some point
42 try a connection to a given ldap server, returning True and setting the servers IP
43 in the ads struct if successful
45 TODO : add a negative connection cache in here leveraged off of the one
46 found in the rpc code. --jerry
48 static BOOL ads_try_connect(ADS_STRUCT *ads, const char *server, unsigned port)
52 if (!server || !*server) {
56 DEBUG(5,("ads_try_connect: trying ldap server '%s' port %u\n", server, port));
58 /* this copes with inet_ntoa brokenness */
61 ads->ld = ldap_open(srv, port);
66 ads->ldap_port = port;
67 ads->ldap_ip = *interpret_addr2(srv);
74 try a connection to a given ldap server, based on URL, returning True if successful
76 static BOOL ads_try_connect_uri(ADS_STRUCT *ads)
78 #if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
79 DEBUG(5,("ads_try_connect: trying ldap server at URI '%s'\n",
80 ads->server.ldap_uri));
83 if (ldap_initialize((LDAP**)&(ads->ld), ads->server.ldap_uri) == LDAP_SUCCESS) {
86 DEBUG(0, ("ldap_initialize: %s\n", strerror(errno)));
90 DEBUG(1, ("no URL support in LDAP libs!\n"));
96 /**********************************************************************
97 Try to find an AD dc using our internal name resolution routines
98 Try the realm first and then then workgroup name if netbios is not
100 **********************************************************************/
102 static BOOL ads_find_dc(ADS_STRUCT *ads)
106 struct ip_service *ip_list;
108 BOOL got_realm = False;
111 c_realm = ads->server.realm;
112 if (c_realm && *c_realm)
116 /* we need to try once with the realm name and fallback to the
117 netbios domain name if we fail (if netbios has not been disabled */
119 if ( !got_realm && !lp_disable_netbios() ) {
120 c_realm = ads->server.workgroup;
121 if (!c_realm || !*c_realm) {
122 DEBUG(0,("ads_find_dc: no realm or workgroup! Was the structure initialized?\n"));
127 pstrcpy( realm, c_realm );
129 DEBUG(6,("ads_find_dc: looking for %s '%s'\n",
130 (got_realm ? "realm" : "domain"), realm));
132 if ( !get_sorted_dc_list(realm, &ip_list, &count, got_realm) ) {
133 /* fall back to netbios if we can */
134 if ( got_realm && !lp_disable_netbios() ) {
142 /* if we fail this loop, then giveup since all the IP addresses returned were dead */
143 for ( i=0; i<count; i++ ) {
144 /* since this is an ads conection request, default to LDAP_PORT is not set */
145 int port = (ip_list[i].port!=PORT_NONE) ? ip_list[i].port : LDAP_PORT;
148 fstrcpy( server, inet_ntoa(ip_list[i].ip) );
150 if ( !NT_STATUS_IS_OK(check_negative_conn_cache(realm, server)) )
153 if ( ads_try_connect(ads, server, port) ) {
158 /* keep track of failures */
159 add_failed_connection_entry( realm, server, NT_STATUS_UNSUCCESSFUL );
169 * Connect to the LDAP server
170 * @param ads Pointer to an existing ADS_STRUCT
171 * @return status of connection
173 ADS_STATUS ads_connect(ADS_STRUCT *ads)
175 int version = LDAP_VERSION3;
178 ads->last_attempt = time(NULL);
181 /* try with a URL based server */
183 if (ads->server.ldap_uri &&
184 ads_try_connect_uri(ads)) {
188 /* try with a user specified server */
189 if (ads->server.ldap_server &&
190 ads_try_connect(ads, ads->server.ldap_server, LDAP_PORT)) {
194 if (ads_find_dc(ads)) {
198 return ADS_ERROR_SYSTEM(errno?errno:ENOENT);
201 DEBUG(3,("Connected to LDAP server %s\n", inet_ntoa(ads->ldap_ip)));
203 status = ads_server_info(ads);
204 if (!ADS_ERR_OK(status)) {
205 DEBUG(1,("Failed to get ldap server info\n"));
209 ldap_set_option(ads->ld, LDAP_OPT_PROTOCOL_VERSION, &version);
211 if (!ads->auth.user_name) {
212 /* by default use the machine account */
214 fstrcpy(myname, global_myname());
216 asprintf(&ads->auth.user_name, "HOST/%s", myname);
219 if (!ads->auth.realm) {
220 ads->auth.realm = strdup(ads->config.realm);
223 if (!ads->auth.kdc_server) {
224 ads->auth.kdc_server = strdup(inet_ntoa(ads->ldap_ip));
228 /* this is a really nasty hack to avoid ADS DNS problems. It needs a patch
229 to MIT kerberos to work (tridge) */
232 asprintf(&env, "KRB5_KDC_ADDRESS_%s", ads->config.realm);
233 setenv(env, ads->auth.kdc_server, 1);
238 if (ads->auth.flags & ADS_AUTH_NO_BIND) {
242 if (ads->auth.flags & ADS_AUTH_ANON_BIND) {
243 return ADS_ERROR(ldap_simple_bind_s( ads->ld, NULL, NULL));
246 if (ads->auth.flags & ADS_AUTH_SIMPLE_BIND) {
247 return ADS_ERROR(ldap_simple_bind_s( ads->ld, ads->auth.user_name, ads->auth.password));
250 return ads_sasl_bind(ads);
254 Duplicate a struct berval into talloc'ed memory
256 static struct berval *dup_berval(TALLOC_CTX *ctx, const struct berval *in_val)
258 struct berval *value;
260 if (!in_val) return NULL;
262 value = talloc_zero(ctx, sizeof(struct berval));
265 if (in_val->bv_len == 0) return value;
267 value->bv_len = in_val->bv_len;
268 value->bv_val = talloc_memdup(ctx, in_val->bv_val, in_val->bv_len);
273 Make a values list out of an array of (struct berval *)
275 static struct berval **ads_dup_values(TALLOC_CTX *ctx,
276 const struct berval **in_vals)
278 struct berval **values;
281 if (!in_vals) return NULL;
282 for (i=0; in_vals[i]; i++); /* count values */
283 values = (struct berval **) talloc_zero(ctx,
284 (i+1)*sizeof(struct berval *));
285 if (!values) return NULL;
287 for (i=0; in_vals[i]; i++) {
288 values[i] = dup_berval(ctx, in_vals[i]);
294 UTF8-encode a values list out of an array of (char *)
296 static char **ads_push_strvals(TALLOC_CTX *ctx, const char **in_vals)
301 if (!in_vals) return NULL;
302 for (i=0; in_vals[i]; i++); /* count values */
303 values = (char ** ) talloc_zero(ctx, (i+1)*sizeof(char *));
304 if (!values) return NULL;
306 for (i=0; in_vals[i]; i++) {
307 push_utf8_talloc(ctx, &values[i], in_vals[i]);
313 Pull a (char *) array out of a UTF8-encoded values list
315 static char **ads_pull_strvals(TALLOC_CTX *ctx, const char **in_vals)
320 if (!in_vals) return NULL;
321 for (i=0; in_vals[i]; i++); /* count values */
322 values = (char **) talloc_zero(ctx, (i+1)*sizeof(char *));
323 if (!values) return NULL;
325 for (i=0; in_vals[i]; i++) {
326 pull_utf8_talloc(ctx, &values[i], in_vals[i]);
332 * Do a search with paged results. cookie must be null on the first
333 * call, and then returned on each subsequent call. It will be null
334 * again when the entire search is complete
335 * @param ads connection to ads server
336 * @param bind_path Base dn for the search
337 * @param scope Scope of search (LDAP_SCOPE_BASE | LDAP_SCOPE_ONE | LDAP_SCOPE_SUBTREE)
338 * @param expr Search expression - specified in local charset
339 * @param attrs Attributes to retrieve - specified in utf8 or ascii
340 * @param res ** which will contain results - free res* with ads_msgfree()
341 * @param count Number of entries retrieved on this page
342 * @param cookie The paged results cookie to be returned on subsequent calls
343 * @return status of search
345 ADS_STATUS ads_do_paged_search(ADS_STRUCT *ads, const char *bind_path,
346 int scope, const char *expr,
347 const char **attrs, void **res,
348 int *count, void **cookie)
351 char *utf8_expr, *utf8_path, **search_attrs;
352 LDAPControl PagedResults, NoReferrals, *controls[3], **rcontrols;
353 BerElement *cookie_be = NULL;
354 struct berval *cookie_bv= NULL;
359 if (!(ctx = talloc_init("ads_do_paged_search")))
360 return ADS_ERROR(LDAP_NO_MEMORY);
362 /* 0 means the conversion worked but the result was empty
363 so we only fail if it's -1. In any case, it always
364 at least nulls out the dest */
365 if ((push_utf8_talloc(ctx, &utf8_expr, expr) == (size_t)-1) ||
366 (push_utf8_talloc(ctx, &utf8_path, bind_path) == (size_t)-1)) {
371 if (!attrs || !(*attrs))
374 /* This would be the utf8-encoded version...*/
375 /* if (!(search_attrs = ads_push_strvals(ctx, attrs))) */
376 if (!(str_list_copy(&search_attrs, attrs))) {
383 /* Paged results only available on ldap v3 or later */
384 ldap_get_option(ads->ld, LDAP_OPT_PROTOCOL_VERSION, &version);
385 if (version < LDAP_VERSION3) {
386 rc = LDAP_NOT_SUPPORTED;
390 cookie_be = ber_alloc_t(LBER_USE_DER);
391 if (cookie && *cookie) {
392 ber_printf(cookie_be, "{iO}", (ber_int_t) 1000, *cookie);
393 ber_bvfree(*cookie); /* don't need it from last time */
396 ber_printf(cookie_be, "{io}", (ber_int_t) 1000, "", 0);
398 ber_flatten(cookie_be, &cookie_bv);
399 PagedResults.ldctl_oid = ADS_PAGE_CTL_OID;
400 PagedResults.ldctl_iscritical = (char) 1;
401 PagedResults.ldctl_value.bv_len = cookie_bv->bv_len;
402 PagedResults.ldctl_value.bv_val = cookie_bv->bv_val;
404 NoReferrals.ldctl_oid = ADS_NO_REFERRALS_OID;
405 NoReferrals.ldctl_iscritical = (char) 0;
406 NoReferrals.ldctl_value.bv_len = 0;
407 NoReferrals.ldctl_value.bv_val = "";
410 controls[0] = &NoReferrals;
411 controls[1] = &PagedResults;
416 /* we need to disable referrals as the openldap libs don't
417 handle them and paged results at the same time. Using them
418 together results in the result record containing the server
419 page control being removed from the result list (tridge/jmcd)
421 leaving this in despite the control that says don't generate
422 referrals, in case the server doesn't support it (jmcd)
424 ldap_set_option(ads->ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF);
426 rc = ldap_search_ext_s(ads->ld, utf8_path, scope, utf8_expr,
427 search_attrs, 0, controls,
428 NULL, NULL, LDAP_NO_LIMIT, (LDAPMessage **)res);
430 ber_free(cookie_be, 1);
431 ber_bvfree(cookie_bv);
434 DEBUG(3,("ldap_search_ext_s(%s) -> %s\n", expr, ldap_err2string(rc)));
438 rc = ldap_parse_result(ads->ld, *res, NULL, NULL, NULL,
439 NULL, &rcontrols, 0);
445 for (i=0; rcontrols[i]; i++) {
446 if (strcmp(ADS_PAGE_CTL_OID, rcontrols[i]->ldctl_oid) == 0) {
447 cookie_be = ber_init(&rcontrols[i]->ldctl_value);
448 ber_scanf(cookie_be,"{iO}", (ber_int_t *) count,
450 /* the berval is the cookie, but must be freed when
452 if (cookie_bv->bv_len) /* still more to do */
453 *cookie=ber_bvdup(cookie_bv);
456 ber_bvfree(cookie_bv);
457 ber_free(cookie_be, 1);
461 ldap_controls_free(rcontrols);
465 /* if/when we decide to utf8-encode attrs, take out this next line */
466 str_list_free(&search_attrs);
468 return ADS_ERROR(rc);
473 * Get all results for a search. This uses ads_do_paged_search() to return
474 * all entries in a large search.
475 * @param ads connection to ads server
476 * @param bind_path Base dn for the search
477 * @param scope Scope of search (LDAP_SCOPE_BASE | LDAP_SCOPE_ONE | LDAP_SCOPE_SUBTREE)
478 * @param expr Search expression
479 * @param attrs Attributes to retrieve
480 * @param res ** which will contain results - free res* with ads_msgfree()
481 * @return status of search
483 ADS_STATUS ads_do_search_all(ADS_STRUCT *ads, const char *bind_path,
484 int scope, const char *expr,
485 const char **attrs, void **res)
491 status = ads_do_paged_search(ads, bind_path, scope, expr, attrs, res,
494 if (!ADS_ERR_OK(status)) return status;
499 LDAPMessage *msg, *next;
501 status2 = ads_do_paged_search(ads, bind_path, scope, expr,
502 attrs, &res2, &count, &cookie);
504 if (!ADS_ERR_OK(status2)) break;
506 /* this relies on the way that ldap_add_result_entry() works internally. I hope
507 that this works on all ldap libs, but I have only tested with openldap */
508 for (msg = ads_first_entry(ads, res2); msg; msg = next) {
509 next = ads_next_entry(ads, msg);
510 ldap_add_result_entry((LDAPMessage **)res, msg);
512 /* note that we do not free res2, as the memory is now
513 part of the main returned list */
520 * Run a function on all results for a search. Uses ads_do_paged_search() and
521 * runs the function as each page is returned, using ads_process_results()
522 * @param ads connection to ads server
523 * @param bind_path Base dn for the search
524 * @param scope Scope of search (LDAP_SCOPE_BASE | LDAP_SCOPE_ONE | LDAP_SCOPE_SUBTREE)
525 * @param expr Search expression - specified in local charset
526 * @param attrs Attributes to retrieve - specified in UTF-8 or ascii
527 * @param fn Function which takes attr name, values list, and data_area
528 * @param data_area Pointer which is passed to function on each call
529 * @return status of search
531 ADS_STATUS ads_do_search_all_fn(ADS_STRUCT *ads, const char *bind_path,
532 int scope, const char *expr, const char **attrs,
533 BOOL(*fn)(char *, void **, void *),
541 status = ads_do_paged_search(ads, bind_path, scope, expr, attrs, &res,
544 if (!ADS_ERR_OK(status)) return status;
546 ads_process_results(ads, res, fn, data_area);
547 ads_msgfree(ads, res);
550 status = ads_do_paged_search(ads, bind_path, scope, expr, attrs,
551 &res, &count, &cookie);
553 if (!ADS_ERR_OK(status)) break;
555 ads_process_results(ads, res, fn, data_area);
556 ads_msgfree(ads, res);
563 * Do a search with a timeout.
564 * @param ads connection to ads server
565 * @param bind_path Base dn for the search
566 * @param scope Scope of search (LDAP_SCOPE_BASE | LDAP_SCOPE_ONE | LDAP_SCOPE_SUBTREE)
567 * @param expr Search expression
568 * @param attrs Attributes to retrieve
569 * @param res ** which will contain results - free res* with ads_msgfree()
570 * @return status of search
572 ADS_STATUS ads_do_search(ADS_STRUCT *ads, const char *bind_path, int scope,
574 const char **attrs, void **res)
576 struct timeval timeout;
578 char *utf8_expr, *utf8_path, **search_attrs = NULL;
581 if (!(ctx = talloc_init("ads_do_search"))) {
582 DEBUG(1,("ads_do_search: talloc_init() failed!"));
583 return ADS_ERROR(LDAP_NO_MEMORY);
586 /* 0 means the conversion worked but the result was empty
587 so we only fail if it's negative. In any case, it always
588 at least nulls out the dest */
589 if ((push_utf8_talloc(ctx, &utf8_expr, expr) == (size_t)-1) ||
590 (push_utf8_talloc(ctx, &utf8_path, bind_path) == (size_t)-1)) {
591 DEBUG(1,("ads_do_search: push_utf8_talloc() failed!"));
596 if (!attrs || !(*attrs))
599 /* This would be the utf8-encoded version...*/
600 /* if (!(search_attrs = ads_push_strvals(ctx, attrs))) */
601 if (!(str_list_copy(&search_attrs, attrs)))
603 DEBUG(1,("ads_do_search: str_list_copy() failed!"));
609 timeout.tv_sec = ADS_SEARCH_TIMEOUT;
613 /* see the note in ads_do_paged_search - we *must* disable referrals */
614 ldap_set_option(ads->ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF);
616 rc = ldap_search_ext_s(ads->ld, utf8_path, scope, utf8_expr,
617 search_attrs, 0, NULL, NULL,
618 &timeout, LDAP_NO_LIMIT, (LDAPMessage **)res);
620 if (rc == LDAP_SIZELIMIT_EXCEEDED) {
621 DEBUG(3,("Warning! sizelimit exceeded in ldap. Truncating.\n"));
627 /* if/when we decide to utf8-encode attrs, take out this next line */
628 str_list_free(&search_attrs);
629 return ADS_ERROR(rc);
632 * Do a general ADS search
633 * @param ads connection to ads server
634 * @param res ** which will contain results - free res* with ads_msgfree()
635 * @param expr Search expression
636 * @param attrs Attributes to retrieve
637 * @return status of search
639 ADS_STATUS ads_search(ADS_STRUCT *ads, void **res,
643 return ads_do_search(ads, ads->config.bind_path, LDAP_SCOPE_SUBTREE,
648 * Do a search on a specific DistinguishedName
649 * @param ads connection to ads server
650 * @param res ** which will contain results - free res* with ads_msgfree()
651 * @param dn DistinguishName to search
652 * @param attrs Attributes to retrieve
653 * @return status of search
655 ADS_STATUS ads_search_dn(ADS_STRUCT *ads, void **res,
659 return ads_do_search(ads, dn, LDAP_SCOPE_BASE, "(objectclass=*)", attrs, res);
663 * Free up memory from a ads_search
664 * @param ads connection to ads server
665 * @param msg Search results to free
667 void ads_msgfree(ADS_STRUCT *ads, void *msg)
674 * Free up memory from various ads requests
675 * @param ads connection to ads server
676 * @param mem Area to free
678 void ads_memfree(ADS_STRUCT *ads, void *mem)
684 * Get a dn from search results
685 * @param ads connection to ads server
686 * @param msg Search result
689 char *ads_get_dn(ADS_STRUCT *ads, void *msg)
691 char *utf8_dn, *unix_dn;
693 utf8_dn = ldap_get_dn(ads->ld, msg);
695 pull_utf8_allocate((void **) &unix_dn, utf8_dn);
696 ldap_memfree(utf8_dn);
701 * Find a machine account given a hostname
702 * @param ads connection to ads server
703 * @param res ** which will contain results - free res* with ads_msgfree()
704 * @param host Hostname to search for
705 * @return status of search
707 ADS_STATUS ads_find_machine_acct(ADS_STRUCT *ads, void **res, const char *host)
711 const char *attrs[] = {"*", "nTSecurityDescriptor", NULL};
713 /* the easiest way to find a machine account anywhere in the tree
714 is to look for hostname$ */
715 if (asprintf(&expr, "(samAccountName=%s$)", host) == -1) {
716 DEBUG(1, ("asprintf failed!\n"));
717 return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
720 status = ads_search(ads, res, expr, attrs);
726 * Initialize a list of mods to be used in a modify request
727 * @param ctx An initialized TALLOC_CTX
728 * @return allocated ADS_MODLIST
730 ADS_MODLIST ads_init_mods(TALLOC_CTX *ctx)
732 #define ADS_MODLIST_ALLOC_SIZE 10
735 if ((mods = (LDAPMod **) talloc_zero(ctx, sizeof(LDAPMod *) *
736 (ADS_MODLIST_ALLOC_SIZE + 1))))
737 /* -1 is safety to make sure we don't go over the end.
738 need to reset it to NULL before doing ldap modify */
739 mods[ADS_MODLIST_ALLOC_SIZE] = (LDAPMod *) -1;
746 add an attribute to the list, with values list already constructed
748 static ADS_STATUS ads_modlist_add(TALLOC_CTX *ctx, ADS_MODLIST *mods,
749 int mod_op, const char *name,
753 LDAPMod **modlist = (LDAPMod **) *mods;
754 struct berval **ber_values = NULL;
755 char **char_values = NULL;
758 mod_op = LDAP_MOD_DELETE;
760 if (mod_op & LDAP_MOD_BVALUES)
761 ber_values = ads_dup_values(ctx,
762 (const struct berval **)invals);
764 char_values = ads_push_strvals(ctx,
765 (const char **) invals);
768 /* find the first empty slot */
769 for (curmod=0; modlist[curmod] && modlist[curmod] != (LDAPMod *) -1;
771 if (modlist[curmod] == (LDAPMod *) -1) {
772 if (!(modlist = talloc_realloc(ctx, modlist,
773 (curmod+ADS_MODLIST_ALLOC_SIZE+1)*sizeof(LDAPMod *))))
774 return ADS_ERROR(LDAP_NO_MEMORY);
775 memset(&modlist[curmod], 0,
776 ADS_MODLIST_ALLOC_SIZE*sizeof(LDAPMod *));
777 modlist[curmod+ADS_MODLIST_ALLOC_SIZE] = (LDAPMod *) -1;
781 if (!(modlist[curmod] = talloc_zero(ctx, sizeof(LDAPMod))))
782 return ADS_ERROR(LDAP_NO_MEMORY);
783 modlist[curmod]->mod_type = talloc_strdup(ctx, name);
784 if (mod_op & LDAP_MOD_BVALUES) {
785 modlist[curmod]->mod_bvalues = ber_values;
786 } else if (mod_op & LDAP_MOD_DELETE) {
787 modlist[curmod]->mod_values = NULL;
789 modlist[curmod]->mod_values = char_values;
792 modlist[curmod]->mod_op = mod_op;
793 return ADS_ERROR(LDAP_SUCCESS);
797 * Add a single string value to a mod list
798 * @param ctx An initialized TALLOC_CTX
799 * @param mods An initialized ADS_MODLIST
800 * @param name The attribute name to add
801 * @param val The value to add - NULL means DELETE
802 * @return ADS STATUS indicating success of add
804 ADS_STATUS ads_mod_str(TALLOC_CTX *ctx, ADS_MODLIST *mods,
805 const char *name, const char *val)
807 const char *values[2];
813 return ads_modlist_add(ctx, mods, LDAP_MOD_DELETE, name, NULL);
814 return ads_modlist_add(ctx, mods, LDAP_MOD_REPLACE, name,
815 (const void **) values);
819 * Add an array of string values to a mod list
820 * @param ctx An initialized TALLOC_CTX
821 * @param mods An initialized ADS_MODLIST
822 * @param name The attribute name to add
823 * @param vals The array of string values to add - NULL means DELETE
824 * @return ADS STATUS indicating success of add
826 ADS_STATUS ads_mod_strlist(TALLOC_CTX *ctx, ADS_MODLIST *mods,
827 const char *name, const char **vals)
830 return ads_modlist_add(ctx, mods, LDAP_MOD_DELETE, name, NULL);
831 return ads_modlist_add(ctx, mods, LDAP_MOD_REPLACE,
832 name, (const void **) vals);
836 * Add a single ber-encoded value to a mod list
837 * @param ctx An initialized TALLOC_CTX
838 * @param mods An initialized ADS_MODLIST
839 * @param name The attribute name to add
840 * @param val The value to add - NULL means DELETE
841 * @return ADS STATUS indicating success of add
843 static ADS_STATUS ads_mod_ber(TALLOC_CTX *ctx, ADS_MODLIST *mods,
844 const char *name, const struct berval *val)
846 const struct berval *values[2];
851 return ads_modlist_add(ctx, mods, LDAP_MOD_DELETE, name, NULL);
852 return ads_modlist_add(ctx, mods, LDAP_MOD_REPLACE|LDAP_MOD_BVALUES,
853 name, (const void **) values);
857 * Perform an ldap modify
858 * @param ads connection to ads server
859 * @param mod_dn DistinguishedName to modify
860 * @param mods list of modifications to perform
861 * @return status of modify
863 ADS_STATUS ads_gen_mod(ADS_STRUCT *ads, const char *mod_dn, ADS_MODLIST mods)
866 char *utf8_dn = NULL;
868 this control is needed to modify that contains a currently
869 non-existent attribute (but allowable for the object) to run
871 LDAPControl PermitModify = {
872 ADS_PERMIT_MODIFY_OID,
875 LDAPControl *controls[2];
877 controls[0] = &PermitModify;
880 if (push_utf8_allocate(&utf8_dn, mod_dn) == -1) {
881 return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
884 /* find the end of the list, marked by NULL or -1 */
885 for(i=0;(mods[i]!=0)&&(mods[i]!=(LDAPMod *) -1);i++);
886 /* make sure the end of the list is NULL */
888 ret = ldap_modify_ext_s(ads->ld, utf8_dn,
889 (LDAPMod **) mods, controls, NULL);
891 return ADS_ERROR(ret);
895 * Perform an ldap add
896 * @param ads connection to ads server
897 * @param new_dn DistinguishedName to add
898 * @param mods list of attributes and values for DN
899 * @return status of add
901 ADS_STATUS ads_gen_add(ADS_STRUCT *ads, const char *new_dn, ADS_MODLIST mods)
904 char *utf8_dn = NULL;
906 if (push_utf8_allocate(&utf8_dn, new_dn) == -1) {
907 DEBUG(1, ("ads_gen_add: push_utf8_allocate failed!"));
908 return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
911 /* find the end of the list, marked by NULL or -1 */
912 for(i=0;(mods[i]!=0)&&(mods[i]!=(LDAPMod *) -1);i++);
913 /* make sure the end of the list is NULL */
916 ret = ldap_add_s(ads->ld, utf8_dn, mods);
918 return ADS_ERROR(ret);
922 * Delete a DistinguishedName
923 * @param ads connection to ads server
924 * @param new_dn DistinguishedName to delete
925 * @return status of delete
927 ADS_STATUS ads_del_dn(ADS_STRUCT *ads, char *del_dn)
930 char *utf8_dn = NULL;
931 if (push_utf8_allocate(&utf8_dn, del_dn) == -1) {
932 DEBUG(1, ("ads_del_dn: push_utf8_allocate failed!"));
933 return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
936 ret = ldap_delete_s(ads->ld, utf8_dn);
937 return ADS_ERROR(ret);
941 * Build an org unit string
942 * if org unit is Computers or blank then assume a container, otherwise
943 * assume a \ separated list of organisational units
944 * @param org_unit Organizational unit
945 * @return org unit string - caller must free
947 char *ads_ou_string(const char *org_unit)
949 if (!org_unit || !*org_unit || strcasecmp(org_unit, "Computers") == 0) {
950 return strdup("cn=Computers");
953 return ads_build_path(org_unit, "\\/", "ou=", 1);
959 add a machine account to the ADS server
961 static ADS_STATUS ads_add_machine_acct(ADS_STRUCT *ads, const char *hostname,
963 const char *org_unit)
965 ADS_STATUS ret, status;
966 char *host_spn, *host_upn, *new_dn, *samAccountName, *controlstr;
970 const char *objectClass[] = {"top", "person", "organizationalPerson",
971 "user", "computer", NULL};
972 const char *servicePrincipalName[5] = {NULL, NULL, NULL, NULL, NULL};
974 unsigned acct_control;
976 if (!(ctx = talloc_init("machine_account")))
977 return ADS_ERROR(LDAP_NO_MEMORY);
979 ret = ADS_ERROR(LDAP_NO_MEMORY);
981 if (!(host_spn = talloc_asprintf(ctx, "HOST/%s", hostname)))
983 if (!(host_upn = talloc_asprintf(ctx, "%s@%s", host_spn, ads->config.realm)))
985 ou_str = ads_ou_string(org_unit);
987 DEBUG(1, ("ads_ou_string returned NULL (malloc failure?)\n"));
990 new_dn = talloc_asprintf(ctx, "cn=%s,%s,%s", hostname, ou_str,
991 ads->config.bind_path);
992 servicePrincipalName[0] = talloc_asprintf(ctx, "HOST/%s", hostname);
993 psp = talloc_asprintf(ctx, "HOST/%s.%s",
997 servicePrincipalName[1] = psp;
998 servicePrincipalName[2] = talloc_asprintf(ctx, "CIFS/%s", hostname);
999 psp2 = talloc_asprintf(ctx, "CIFS/%s.%s",
1002 strlower_m(&psp2[5]);
1003 servicePrincipalName[3] = psp2;
1009 if (!(samAccountName = talloc_asprintf(ctx, "%s$", hostname)))
1012 acct_control = account_type | UF_DONT_EXPIRE_PASSWD;
1013 #ifndef ENCTYPE_ARCFOUR_HMAC
1014 acct_control |= UF_USE_DES_KEY_ONLY;
1017 if (!(controlstr = talloc_asprintf(ctx, "%u", acct_control)))
1020 if (!(mods = ads_init_mods(ctx)))
1023 ads_mod_str(ctx, &mods, "cn", hostname);
1024 ads_mod_str(ctx, &mods, "sAMAccountName", samAccountName);
1025 ads_mod_strlist(ctx, &mods, "objectClass", objectClass);
1026 ads_mod_str(ctx, &mods, "userPrincipalName", host_upn);
1027 ads_mod_strlist(ctx, &mods, "servicePrincipalName", servicePrincipalName);
1028 ads_mod_str(ctx, &mods, "dNSHostName", hostname);
1029 ads_mod_str(ctx, &mods, "userAccountControl", controlstr);
1030 ads_mod_str(ctx, &mods, "operatingSystem", "Samba");
1031 ads_mod_str(ctx, &mods, "operatingSystemVersion", VERSION);
1033 ret = ads_gen_add(ads, new_dn, mods);
1035 if (!ADS_ERR_OK(ret))
1038 /* Do not fail if we can't set security descriptor
1039 * it shouldn't be mandatory and probably we just
1040 * don't have enough rights to do it.
1042 status = ads_set_machine_sd(ads, hostname, new_dn);
1044 if (!ADS_ERR_OK(status)) {
1045 DEBUG(0, ("Warning: ads_set_machine_sd: %s\n",
1046 ads_errstr(status)));
1049 talloc_destroy(ctx);
1054 dump a binary result from ldap
1056 static void dump_binary(const char *field, struct berval **values)
1059 for (i=0; values[i]; i++) {
1060 printf("%s: ", field);
1061 for (j=0; j<values[i]->bv_len; j++) {
1062 printf("%02X", (unsigned char)values[i]->bv_val[j]);
1075 static void dump_guid(const char *field, struct berval **values)
1079 for (i=0; values[i]; i++) {
1080 memcpy(guid.info, values[i]->bv_val, sizeof(guid.info));
1081 printf("%s: %s\n", field, smb_uuid_string_static(guid));
1086 dump a sid result from ldap
1088 static void dump_sid(const char *field, struct berval **values)
1091 for (i=0; values[i]; i++) {
1093 sid_parse(values[i]->bv_val, values[i]->bv_len, &sid);
1094 printf("%s: %s\n", field, sid_string_static(&sid));
1099 dump ntSecurityDescriptor
1101 static void dump_sd(const char *filed, struct berval **values)
1106 TALLOC_CTX *ctx = 0;
1108 if (!(ctx = talloc_init("sec_io_desc")))
1112 prs_init(&ps, values[0]->bv_len, ctx, UNMARSHALL);
1113 prs_copy_data_in(&ps, values[0]->bv_val, values[0]->bv_len);
1114 prs_set_offset(&ps,0);
1117 if (!sec_io_desc("sd", &psd, &ps, 1)) {
1119 talloc_destroy(ctx);
1122 if (psd) ads_disp_sd(psd);
1125 talloc_destroy(ctx);
1129 dump a string result from ldap
1131 static void dump_string(const char *field, char **values)
1134 for (i=0; values[i]; i++) {
1135 printf("%s: %s\n", field, values[i]);
1140 dump a field from LDAP on stdout
1144 static BOOL ads_dump_field(char *field, void **values, void *data_area)
1149 void (*handler)(const char *, struct berval **);
1151 {"objectGUID", False, dump_guid},
1152 {"nTSecurityDescriptor", False, dump_sd},
1153 {"dnsRecord", False, dump_binary},
1154 {"objectSid", False, dump_sid},
1155 {"tokenGroups", False, dump_sid},
1160 if (!field) { /* must be end of an entry */
1165 for (i=0; handlers[i].name; i++) {
1166 if (StrCaseCmp(handlers[i].name, field) == 0) {
1167 if (!values) /* first time, indicate string or not */
1168 return handlers[i].string;
1169 handlers[i].handler(field, (struct berval **) values);
1173 if (!handlers[i].name) {
1174 if (!values) /* first time, indicate string conversion */
1176 dump_string(field, (char **)values);
1182 * Dump a result from LDAP on stdout
1183 * used for debugging
1184 * @param ads connection to ads server
1185 * @param res Results to dump
1188 void ads_dump(ADS_STRUCT *ads, void *res)
1190 ads_process_results(ads, res, ads_dump_field, NULL);
1194 * Walk through results, calling a function for each entry found.
1195 * The function receives a field name, a berval * array of values,
1196 * and a data area passed through from the start. The function is
1197 * called once with null for field and values at the end of each
1199 * @param ads connection to ads server
1200 * @param res Results to process
1201 * @param fn Function for processing each result
1202 * @param data_area user-defined area to pass to function
1204 void ads_process_results(ADS_STRUCT *ads, void *res,
1205 BOOL(*fn)(char *, void **, void *),
1211 if (!(ctx = talloc_init("ads_process_results")))
1214 for (msg = ads_first_entry(ads, res); msg;
1215 msg = ads_next_entry(ads, msg)) {
1219 for (utf8_field=ldap_first_attribute(ads->ld,
1220 (LDAPMessage *)msg,&b);
1222 utf8_field=ldap_next_attribute(ads->ld,
1223 (LDAPMessage *)msg,b)) {
1224 struct berval **ber_vals;
1225 char **str_vals, **utf8_vals;
1229 pull_utf8_talloc(ctx, &field, utf8_field);
1230 string = fn(field, NULL, data_area);
1233 utf8_vals = ldap_get_values(ads->ld,
1234 (LDAPMessage *)msg, field);
1235 str_vals = ads_pull_strvals(ctx,
1236 (const char **) utf8_vals);
1237 fn(field, (void **) str_vals, data_area);
1238 ldap_value_free(utf8_vals);
1240 ber_vals = ldap_get_values_len(ads->ld,
1241 (LDAPMessage *)msg, field);
1242 fn(field, (void **) ber_vals, data_area);
1244 ldap_value_free_len(ber_vals);
1246 ldap_memfree(utf8_field);
1249 talloc_destroy_pool(ctx);
1250 fn(NULL, NULL, data_area); /* completed an entry */
1253 talloc_destroy(ctx);
1257 * count how many replies are in a LDAPMessage
1258 * @param ads connection to ads server
1259 * @param res Results to count
1260 * @return number of replies
1262 int ads_count_replies(ADS_STRUCT *ads, void *res)
1264 return ldap_count_entries(ads->ld, (LDAPMessage *)res);
1268 * Join a machine to a realm
1269 * Creates the machine account and sets the machine password
1270 * @param ads connection to ads server
1271 * @param hostname name of host to add
1272 * @param org_unit Organizational unit to place machine in
1273 * @return status of join
1275 ADS_STATUS ads_join_realm(ADS_STRUCT *ads, const char *hostname,
1276 uint32 account_type, const char *org_unit)
1282 /* hostname must be lowercase */
1283 host = strdup(hostname);
1286 status = ads_find_machine_acct(ads, (void **)&res, host);
1287 if (ADS_ERR_OK(status) && ads_count_replies(ads, res) == 1) {
1288 DEBUG(0, ("Host account for %s already exists - deleting old account\n", host));
1289 status = ads_leave_realm(ads, host);
1290 if (!ADS_ERR_OK(status)) {
1291 DEBUG(0, ("Failed to delete host '%s' from the '%s' realm.\n",
1292 host, ads->config.realm));
1297 status = ads_add_machine_acct(ads, host, account_type, org_unit);
1298 if (!ADS_ERR_OK(status)) {
1299 DEBUG(0, ("ads_add_machine_acct: %s\n", ads_errstr(status)));
1303 status = ads_find_machine_acct(ads, (void **)&res, host);
1304 if (!ADS_ERR_OK(status)) {
1305 DEBUG(0, ("Host account test failed\n"));
1315 * Delete a machine from the realm
1316 * @param ads connection to ads server
1317 * @param hostname Machine to remove
1318 * @return status of delete
1320 ADS_STATUS ads_leave_realm(ADS_STRUCT *ads, const char *hostname)
1324 char *hostnameDN, *host;
1327 /* hostname must be lowercase */
1328 host = strdup(hostname);
1331 status = ads_find_machine_acct(ads, &res, host);
1332 if (!ADS_ERR_OK(status)) {
1333 DEBUG(0, ("Host account for %s does not exist.\n", host));
1337 msg = ads_first_entry(ads, res);
1339 return ADS_ERROR_SYSTEM(ENOENT);
1342 hostnameDN = ads_get_dn(ads, (LDAPMessage *)msg);
1343 rc = ldap_delete_s(ads->ld, hostnameDN);
1344 ads_memfree(ads, hostnameDN);
1345 if (rc != LDAP_SUCCESS) {
1346 return ADS_ERROR(rc);
1349 status = ads_find_machine_acct(ads, &res, host);
1350 if (ADS_ERR_OK(status) && ads_count_replies(ads, res) == 1) {
1351 DEBUG(0, ("Failed to remove host account.\n"));
1361 * add machine account to existing security descriptor
1362 * @param ads connection to ads server
1363 * @param hostname machine to add
1364 * @param dn DN of security descriptor
1367 ADS_STATUS ads_set_machine_sd(ADS_STRUCT *ads, const char *hostname, char *dn)
1369 const char *attrs[] = {"nTSecurityDescriptor", "objectSid", 0};
1372 struct berval bval = {0, NULL};
1374 char *escaped_hostname = escape_ldap_string_alloc(hostname);
1376 LDAPMessage *res = 0;
1377 LDAPMessage *msg = 0;
1378 ADS_MODLIST mods = 0;
1383 SEC_DESC *psd = NULL;
1384 TALLOC_CTX *ctx = NULL;
1386 /* Avoid segmentation fault in prs_mem_free if
1387 * we have to bail out before prs_init */
1388 ps_wire.is_dynamic = False;
1390 if (!ads) return ADS_ERROR(LDAP_SERVER_DOWN);
1392 ret = ADS_ERROR(LDAP_SUCCESS);
1394 if (!escaped_hostname) {
1395 return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
1398 if (asprintf(&expr, "(samAccountName=%s$)", escaped_hostname) == -1) {
1399 DEBUG(1, ("ads_set_machine_sd: asprintf failed!\n"));
1400 SAFE_FREE(escaped_hostname);
1401 return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
1404 SAFE_FREE(escaped_hostname);
1406 ret = ads_search(ads, (void *) &res, expr, attrs);
1408 if (!ADS_ERR_OK(ret)) return ret;
1410 if ( !(msg = ads_first_entry(ads, res) )) {
1411 ret = ADS_ERROR(LDAP_NO_RESULTS_RETURNED);
1412 goto ads_set_sd_error;
1415 if (!ads_pull_sid(ads, msg, attrs[1], &sid)) {
1416 ret = ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
1417 goto ads_set_sd_error;
1420 if (!(ctx = talloc_init("sec_io_desc"))) {
1421 ret = ADS_ERROR(LDAP_NO_MEMORY);
1422 goto ads_set_sd_error;
1425 if (!ads_pull_sd(ads, ctx, msg, attrs[0], &psd)) {
1426 ret = ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
1427 goto ads_set_sd_error;
1430 status = sec_desc_add_sid(ctx, &psd, &sid, SEC_RIGHTS_FULL_CTRL, &sd_size);
1432 if (!NT_STATUS_IS_OK(status)) {
1433 ret = ADS_ERROR_NT(status);
1434 goto ads_set_sd_error;
1437 if (!prs_init(&ps_wire, sd_size, ctx, MARSHALL)) {
1438 ret = ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
1441 if (!sec_io_desc("sd_wire", &psd, &ps_wire, 1)) {
1442 ret = ADS_ERROR(LDAP_NO_MEMORY);
1443 goto ads_set_sd_error;
1447 file_save("/tmp/sec_desc.new", ps_wire.data_p, sd_size);
1449 if (!(mods = ads_init_mods(ctx))) return ADS_ERROR(LDAP_NO_MEMORY);
1451 bval.bv_len = prs_offset(&ps_wire);
1452 bval.bv_val = talloc(ctx, bval.bv_len);
1454 ret = ADS_ERROR(LDAP_NO_MEMORY);
1455 goto ads_set_sd_error;
1458 prs_set_offset(&ps_wire, 0);
1460 if (!prs_copy_data_out(bval.bv_val, &ps_wire, bval.bv_len)) {
1461 ret = ADS_ERROR(LDAP_NO_MEMORY);
1462 goto ads_set_sd_error;
1465 ret = ads_mod_ber(ctx, &mods, attrs[0], &bval);
1466 if (ADS_ERR_OK(ret)) {
1467 ret = ads_gen_mod(ads, dn, mods);
1471 ads_msgfree(ads, res);
1472 prs_mem_free(&ps_wire);
1473 talloc_destroy(ctx);
1478 * pull the first entry from a ADS result
1479 * @param ads connection to ads server
1480 * @param res Results of search
1481 * @return first entry from result
1483 void *ads_first_entry(ADS_STRUCT *ads, void *res)
1485 return (void *)ldap_first_entry(ads->ld, (LDAPMessage *)res);
1489 * pull the next entry from a ADS result
1490 * @param ads connection to ads server
1491 * @param res Results of search
1492 * @return next entry from result
1494 void *ads_next_entry(ADS_STRUCT *ads, void *res)
1496 return (void *)ldap_next_entry(ads->ld, (LDAPMessage *)res);
1500 * pull a single string from a ADS result
1501 * @param ads connection to ads server
1502 * @param mem_ctx TALLOC_CTX to use for allocating result string
1503 * @param msg Results of search
1504 * @param field Attribute to retrieve
1505 * @return Result string in talloc context
1507 char *ads_pull_string(ADS_STRUCT *ads,
1508 TALLOC_CTX *mem_ctx, void *msg, const char *field)
1515 values = ldap_get_values(ads->ld, msg, field);
1520 rc = pull_utf8_talloc(mem_ctx, &ux_string,
1522 if (rc != (size_t)-1)
1526 ldap_value_free(values);
1531 * pull an array of strings from a ADS result
1532 * @param ads connection to ads server
1533 * @param mem_ctx TALLOC_CTX to use for allocating result string
1534 * @param msg Results of search
1535 * @param field Attribute to retrieve
1536 * @return Result strings in talloc context
1538 char **ads_pull_strings(ADS_STRUCT *ads,
1539 TALLOC_CTX *mem_ctx, void *msg, const char *field)
1545 values = ldap_get_values(ads->ld, msg, field);
1549 for (i=0;values[i];i++)
1553 ret = talloc(mem_ctx, sizeof(char *) * (n+1));
1555 ldap_value_free(values);
1560 if (pull_utf8_talloc(mem_ctx, &ret[i], values[i]) == -1) {
1561 ldap_value_free(values);
1567 ldap_value_free(values);
1573 * pull a single uint32 from a ADS result
1574 * @param ads connection to ads server
1575 * @param msg Results of search
1576 * @param field Attribute to retrieve
1577 * @param v Pointer to int to store result
1578 * @return boolean inidicating success
1580 BOOL ads_pull_uint32(ADS_STRUCT *ads,
1581 void *msg, const char *field, uint32 *v)
1585 values = ldap_get_values(ads->ld, msg, field);
1589 ldap_value_free(values);
1593 *v = atoi(values[0]);
1594 ldap_value_free(values);
1599 * pull a single objectGUID from an ADS result
1600 * @param ads connection to ADS server
1601 * @param msg results of search
1602 * @param guid 37-byte area to receive text guid
1603 * @return boolean indicating success
1605 BOOL ads_pull_guid(ADS_STRUCT *ads,
1606 void *msg, GUID *guid)
1610 values = ldap_get_values(ads->ld, msg, "objectGUID");
1615 memcpy(guid, values[0], sizeof(GUID));
1616 ldap_value_free(values);
1619 ldap_value_free(values);
1626 * pull a single DOM_SID from a ADS result
1627 * @param ads connection to ads server
1628 * @param msg Results of search
1629 * @param field Attribute to retrieve
1630 * @param sid Pointer to sid to store result
1631 * @return boolean inidicating success
1633 BOOL ads_pull_sid(ADS_STRUCT *ads,
1634 void *msg, const char *field, DOM_SID *sid)
1636 struct berval **values;
1639 values = ldap_get_values_len(ads->ld, msg, field);
1645 ret = sid_parse(values[0]->bv_val, values[0]->bv_len, sid);
1647 ldap_value_free_len(values);
1652 * pull an array of DOM_SIDs from a ADS result
1653 * @param ads connection to ads server
1654 * @param mem_ctx TALLOC_CTX for allocating sid array
1655 * @param msg Results of search
1656 * @param field Attribute to retrieve
1657 * @param sids pointer to sid array to allocate
1658 * @return the count of SIDs pulled
1660 int ads_pull_sids(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx,
1661 void *msg, const char *field, DOM_SID **sids)
1663 struct berval **values;
1667 values = ldap_get_values_len(ads->ld, msg, field);
1672 for (i=0; values[i]; i++)
1675 (*sids) = talloc(mem_ctx, sizeof(DOM_SID) * i);
1677 ldap_value_free_len(values);
1682 for (i=0; values[i]; i++) {
1683 ret = sid_parse(values[i]->bv_val, values[i]->bv_len, &(*sids)[count]);
1686 DEBUG(10, ("pulling SID: %s\n", sid_to_string(sid, &(*sids)[count])));
1691 ldap_value_free_len(values);
1696 * pull a SEC_DESC from a ADS result
1697 * @param ads connection to ads server
1698 * @param mem_ctx TALLOC_CTX for allocating sid array
1699 * @param msg Results of search
1700 * @param field Attribute to retrieve
1701 * @param sd Pointer to *SEC_DESC to store result (talloc()ed)
1702 * @return boolean inidicating success
1704 BOOL ads_pull_sd(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx,
1705 void *msg, const char *field, SEC_DESC **sd)
1707 struct berval **values;
1711 values = ldap_get_values_len(ads->ld, msg, field);
1713 if (!values) return False;
1716 prs_init(&ps, values[0]->bv_len, mem_ctx, UNMARSHALL);
1717 prs_copy_data_in(&ps, values[0]->bv_val, values[0]->bv_len);
1718 prs_set_offset(&ps,0);
1720 ret = sec_io_desc("sd", sd, &ps, 1);
1723 ldap_value_free_len(values);
1728 * in order to support usernames longer than 21 characters we need to
1729 * use both the sAMAccountName and the userPrincipalName attributes
1730 * It seems that not all users have the userPrincipalName attribute set
1732 * @param ads connection to ads server
1733 * @param mem_ctx TALLOC_CTX for allocating sid array
1734 * @param msg Results of search
1735 * @return the username
1737 char *ads_pull_username(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, void *msg)
1741 ret = ads_pull_string(ads, mem_ctx, msg, "userPrincipalName");
1742 if (ret && (p = strchr(ret, '@'))) {
1746 return ads_pull_string(ads, mem_ctx, msg, "sAMAccountName");
1751 * find the update serial number - this is the core of the ldap cache
1752 * @param ads connection to ads server
1753 * @param ads connection to ADS server
1754 * @param usn Pointer to retrieved update serial number
1755 * @return status of search
1757 ADS_STATUS ads_USN(ADS_STRUCT *ads, uint32 *usn)
1759 const char *attrs[] = {"highestCommittedUSN", NULL};
1763 status = ads_do_search(ads, "", LDAP_SCOPE_BASE, "(objectclass=*)", attrs, &res);
1764 if (!ADS_ERR_OK(status)) return status;
1766 if (ads_count_replies(ads, res) != 1) {
1767 return ADS_ERROR(LDAP_NO_RESULTS_RETURNED);
1770 ads_pull_uint32(ads, res, "highestCommittedUSN", usn);
1771 ads_msgfree(ads, res);
1775 /* parse a ADS timestring - typical string is
1776 '20020917091222.0Z0' which means 09:12.22 17th September
1778 static time_t ads_parse_time(const char *str)
1784 if (sscanf(str, "%4d%2d%2d%2d%2d%2d",
1785 &tm.tm_year, &tm.tm_mon, &tm.tm_mday,
1786 &tm.tm_hour, &tm.tm_min, &tm.tm_sec) != 6) {
1797 * Find the servers name and realm - this can be done before authentication
1798 * The ldapServiceName field on w2k looks like this:
1799 * vnet3.home.samba.org:win2000-vnet3$@VNET3.HOME.SAMBA.ORG
1800 * @param ads connection to ads server
1801 * @return status of search
1803 ADS_STATUS ads_server_info(ADS_STRUCT *ads)
1805 const char *attrs[] = {"ldapServiceName", "currentTime", NULL};
1813 if (!(ctx = talloc_init("ads_server_info"))) {
1814 return ADS_ERROR(LDAP_NO_MEMORY);
1817 status = ads_do_search(ads, "", LDAP_SCOPE_BASE, "(objectclass=*)", attrs, &res);
1818 if (!ADS_ERR_OK(status)) return status;
1820 value = ads_pull_string(ads, ctx, res, "ldapServiceName");
1822 return ADS_ERROR(LDAP_NO_RESULTS_RETURNED);
1825 timestr = ads_pull_string(ads, ctx, res, "currentTime");
1827 return ADS_ERROR(LDAP_NO_RESULTS_RETURNED);
1832 p = strchr(value, ':');
1834 talloc_destroy(ctx);
1835 DEBUG(1, ("ads_server_info: returned ldap server name did not contain a ':' so was deemed invalid\n"));
1836 return ADS_ERROR(LDAP_DECODING_ERROR);
1839 SAFE_FREE(ads->config.ldap_server_name);
1841 ads->config.ldap_server_name = strdup(p+1);
1842 p = strchr(ads->config.ldap_server_name, '$');
1843 if (!p || p[1] != '@') {
1844 talloc_destroy(ctx);
1845 DEBUG(1, ("ads_server_info: returned ldap server name (%s) does not contain '$@' so was deemed invalid\n", ads->config.ldap_server_name));
1846 SAFE_FREE(ads->config.ldap_server_name);
1847 return ADS_ERROR(LDAP_DECODING_ERROR);
1852 SAFE_FREE(ads->config.realm);
1853 SAFE_FREE(ads->config.bind_path);
1855 ads->config.realm = strdup(p+2);
1856 ads->config.bind_path = ads_build_dn(ads->config.realm);
1858 DEBUG(3,("got ldap server name %s@%s, using bind path: %s\n",
1859 ads->config.ldap_server_name, ads->config.realm,
1860 ads->config.bind_path));
1862 ads->config.current_time = ads_parse_time(timestr);
1864 if (ads->config.current_time != 0) {
1865 ads->auth.time_offset = ads->config.current_time - time(NULL);
1866 DEBUG(4,("time offset is %d seconds\n", ads->auth.time_offset));
1869 talloc_destroy(ctx);
1876 * find the list of trusted domains
1877 * @param ads connection to ads server
1878 * @param mem_ctx TALLOC_CTX for allocating results
1879 * @param num_trusts pointer to number of trusts
1880 * @param names pointer to trusted domain name list
1881 * @param sids pointer to list of sids of trusted domains
1882 * @return the count of SIDs pulled
1884 ADS_STATUS ads_trusted_domains(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx,
1890 const char *attrs[] = {"name", "flatname", "securityIdentifier",
1891 "trustDirection", NULL};
1898 status = ads_search(ads, &res, "(objectcategory=trustedDomain)", attrs);
1899 if (!ADS_ERR_OK(status)) return status;
1901 count = ads_count_replies(ads, res);
1903 ads_msgfree(ads, res);
1904 return ADS_ERROR(LDAP_NO_RESULTS_RETURNED);
1907 (*names) = talloc(mem_ctx, sizeof(char *) * count);
1908 (*alt_names) = talloc(mem_ctx, sizeof(char *) * count);
1909 (*sids) = talloc(mem_ctx, sizeof(DOM_SID) * count);
1910 if (! *names || ! *sids) return ADS_ERROR(LDAP_NO_MEMORY);
1912 for (i=0, msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
1915 /* direction is a 2 bit bitfield, 1 means they trust us
1916 but we don't trust them, so we should not list them
1917 as users from that domain can't login */
1918 if (ads_pull_uint32(ads, msg, "trustDirection", &direction) &&
1923 (*names)[i] = ads_pull_string(ads, mem_ctx, msg, "name");
1924 (*alt_names)[i] = ads_pull_string(ads, mem_ctx, msg, "flatname");
1926 if ((*alt_names)[i] && (*alt_names)[i][0]) {
1927 /* we prefer the flatname as the primary name
1928 for consistency with RPC */
1929 char *name = (*alt_names)[i];
1930 (*alt_names)[i] = (*names)[i];
1933 if (ads_pull_sid(ads, msg, "securityIdentifier", &(*sids)[i])) {
1938 ads_msgfree(ads, res);
1946 * find the domain sid for our domain
1947 * @param ads connection to ads server
1948 * @param sid Pointer to domain sid
1949 * @return status of search
1951 ADS_STATUS ads_domain_sid(ADS_STRUCT *ads, DOM_SID *sid)
1953 const char *attrs[] = {"objectSid", NULL};
1957 rc = ads_do_search(ads, ads->config.bind_path, LDAP_SCOPE_BASE, "(objectclass=*)",
1959 if (!ADS_ERR_OK(rc)) return rc;
1960 if (!ads_pull_sid(ads, res, "objectSid", sid)) {
1961 return ADS_ERROR_SYSTEM(ENOENT);
1963 ads_msgfree(ads, res);
1968 /* this is rather complex - we need to find the allternate (netbios) name
1969 for the domain, but there isn't a simple query to do this. Instead
1970 we look for the principle names on the DCs account and find one that has
1971 the right form, then extract the netbios name of the domain from that
1973 NOTE! better method is this:
1975 bin/net -Uadministrator%XXXXX ads search '(&(objectclass=crossref)(dnsroot=VNET3.HOME.SAMBA.ORG))' nETBIOSName
1977 but you need to force the bind path to match the configurationNamingContext from the rootDSE
1980 ADS_STATUS ads_workgroup_name(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, char **workgroup)
1989 const char *attrs[] = {"servicePrincipalName", NULL};
1991 (*workgroup) = NULL;
1993 asprintf(&expr, "(&(objectclass=computer)(dnshostname=%s.%s))",
1994 ads->config.ldap_server_name, ads->config.realm);
1995 rc = ads_search(ads, &res, expr, attrs);
1998 if (!ADS_ERR_OK(rc)) {
2002 principles = ads_pull_strings(ads, mem_ctx, res, "servicePrincipalName");
2004 ads_msgfree(ads, res);
2007 return ADS_ERROR(LDAP_NO_RESULTS_RETURNED);
2010 asprintf(&prefix, "HOST/%s.%s/",
2011 ads->config.ldap_server_name,
2014 prefix_length = strlen(prefix);
2016 for (i=0;principles[i]; i++) {
2017 if (strncasecmp(principles[i], prefix, prefix_length) == 0 &&
2018 strcasecmp(ads->config.realm, principles[i]+prefix_length) != 0 &&
2019 !strchr(principles[i]+prefix_length, '.')) {
2020 /* found an alternate (short) name for the domain. */
2021 DEBUG(3,("Found alternate name '%s' for realm '%s'\n",
2022 principles[i]+prefix_length,
2023 ads->config.realm));
2024 (*workgroup) = talloc_strdup(mem_ctx, principles[i]+prefix_length);
2031 return ADS_ERROR(LDAP_NO_RESULTS_RETURNED);
git.samba.org / bbaumbach / samba-autobuild / .git / blob