2 Unix SMB/Netbios implementation.
4 ads (active directory) utility library
5 Copyright (C) Andrew Tridgell 2001
6 Copyright (C) Remus Koos 2001
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 2 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program; if not, write to the Free Software
21 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
29 connect to the LDAP server
31 ADS_STATUS ads_connect(ADS_STRUCT *ads)
33 int version = LDAP_VERSION3;
36 ads->last_attempt = time(NULL);
38 ads->ld = ldap_open(ads->ldap_server, ads->ldap_port);
40 return ADS_ERROR_SYSTEM(errno)
42 status = ads_server_info(ads);
43 if (!ADS_ERR_OK(status)) {
44 DEBUG(1,("Failed to get ldap server info\n"));
48 ldap_set_option(ads->ld, LDAP_OPT_PROTOCOL_VERSION, &version);
51 ads_kinit_password(ads);
54 return ads_sasl_bind(ads);
58 do a search with a timeout
60 ADS_STATUS ads_do_search(ADS_STRUCT *ads, const char *bind_path, int scope,
62 const char **attrs, void **res)
64 struct timeval timeout;
67 timeout.tv_sec = ADS_SEARCH_TIMEOUT;
71 rc = ldap_search_ext_s(ads->ld,
73 exp, attrs, 0, NULL, NULL,
74 &timeout, LDAP_NO_LIMIT, (LDAPMessage **)res);
78 do a general ADS search
80 ADS_STATUS ads_search(ADS_STRUCT *ads, void **res,
84 return ads_do_search(ads, ads->bind_path, LDAP_SCOPE_SUBTREE,
89 do a search on a specific DistinguishedName
91 ADS_STATUS ads_search_dn(ADS_STRUCT *ads, void **res,
95 return ads_do_search(ads, dn, LDAP_SCOPE_BASE, "(objectclass=*)", attrs, res);
99 free up memory from a ads_search
101 void ads_msgfree(ADS_STRUCT *ads, void *msg)
108 find a machine account given a hostname
110 ADS_STATUS ads_find_machine_acct(ADS_STRUCT *ads, void **res, const char *host)
114 const char *attrs[] = {"*", "nTSecurityDescriptor", NULL};
116 /* the easiest way to find a machine account anywhere in the tree
117 is to look for hostname$ */
118 asprintf(&exp, "(samAccountName=%s$)", host);
119 status = ads_search(ads, res, exp, attrs);
126 a convenient routine for adding a generic LDAP record
128 ADS_STATUS ads_gen_add(ADS_STRUCT *ads, const char *new_dn, ...)
135 #define MAX_MOD_VALUES 10
137 /* count the number of attributes */
138 va_start(ap, new_dn);
139 for (i=0; va_arg(ap, char *); i++) {
140 /* skip the values */
141 while (va_arg(ap, char *)) ;
145 mods = malloc(sizeof(LDAPMod *) * (i+1));
147 va_start(ap, new_dn);
148 for (i=0; (name=va_arg(ap, char *)); i++) {
151 values = (char **)malloc(sizeof(char *) * (MAX_MOD_VALUES+1));
152 for (j=0; (value=va_arg(ap, char *)) && j < MAX_MOD_VALUES; j++) {
156 mods[i] = malloc(sizeof(LDAPMod));
157 mods[i]->mod_type = name;
158 mods[i]->mod_op = LDAP_MOD_ADD;
159 mods[i]->mod_values = values;
164 ret = ldap_add_s(ads->ld, new_dn, mods);
166 for (i=0; mods[i]; i++) {
167 free(mods[i]->mod_values);
172 return ADS_ERROR(ret);
176 add a machine account to the ADS server
178 static ADS_STATUS ads_add_machine_acct(ADS_STRUCT *ads, const char *hostname,
179 const char *org_unit)
182 char *host_spn, *host_upn, *new_dn, *samAccountName, *controlstr;
184 asprintf(&host_spn, "HOST/%s", hostname);
185 asprintf(&host_upn, "%s@%s", host_spn, ads->realm);
186 asprintf(&new_dn, "cn=%s,cn=%s,%s", hostname, org_unit, ads->bind_path);
187 asprintf(&samAccountName, "%s$", hostname);
188 asprintf(&controlstr, "%u",
189 UF_DONT_EXPIRE_PASSWD | UF_WORKSTATION_TRUST_ACCOUNT |
190 UF_TRUSTED_FOR_DELEGATION | UF_USE_DES_KEY_ONLY);
192 ret = ads_gen_add(ads, new_dn,
193 "cn", hostname, NULL,
194 "sAMAccountName", samAccountName, NULL,
196 "top", "person", "organizationalPerson",
197 "user", "computer", NULL,
198 "userPrincipalName", host_upn, NULL,
199 "servicePrincipalName", host_spn, NULL,
200 "dNSHostName", hostname, NULL,
201 "userAccountControl", controlstr, NULL,
202 "operatingSystem", "Samba", NULL,
203 "operatingSystemVersion", VERSION, NULL,
209 free(samAccountName);
216 dump a binary result from ldap
218 static void dump_binary(const char *field, struct berval **values)
221 for (i=0; values[i]; i++) {
222 printf("%s: ", field);
223 for (j=0; j<values[i]->bv_len; j++) {
224 printf("%02X", (unsigned char)values[i]->bv_val[j]);
231 dump a sid result from ldap
233 static void dump_sid(const char *field, struct berval **values)
236 for (i=0; values[i]; i++) {
238 sid_parse(values[i]->bv_val, values[i]->bv_len, &sid);
239 printf("%s: %s\n", field, sid_string_static(&sid));
244 dump a string result from ldap
246 static void dump_string(const char *field, struct berval **values)
249 for (i=0; values[i]; i++) {
250 printf("%s: %s\n", field, values[i]->bv_val);
255 dump a record from LDAP on stdout
258 void ads_dump(ADS_STRUCT *ads, void *res)
265 void (*handler)(const char *, struct berval **);
267 {"objectGUID", dump_binary},
268 {"nTSecurityDescriptor", dump_binary},
269 {"objectSid", dump_sid},
273 for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
274 for (field = ldap_first_attribute(ads->ld, (LDAPMessage *)msg, &b);
276 field = ldap_next_attribute(ads->ld, (LDAPMessage *)msg, b)) {
277 struct berval **values;
280 values = ldap_get_values_len(ads->ld, (LDAPMessage *)msg, field);
282 for (i=0; handlers[i].name; i++) {
283 if (StrCaseCmp(handlers[i].name, field) == 0) {
284 handlers[i].handler(field, values);
288 if (!handlers[i].name) {
289 dump_string(field, values);
291 ldap_value_free_len(values);
301 count how many replies are in a LDAPMessage
303 int ads_count_replies(ADS_STRUCT *ads, void *res)
305 return ldap_count_entries(ads->ld, (LDAPMessage *)res);
309 join a machine to a realm, creating the machine account
310 and setting the machine password
312 ADS_STATUS ads_join_realm(ADS_STRUCT *ads, const char *hostname, const char *org_unit)
318 /* hostname must be lowercase */
319 host = strdup(hostname);
322 status = ads_find_machine_acct(ads, (void **)&res, host);
323 if (ADS_ERR_OK(status) && ads_count_replies(ads, res) == 1) {
324 DEBUG(0, ("Host account for %s already exists\n", host));
328 status = ads_add_machine_acct(ads, host, org_unit);
329 if (!ADS_ERR_OK(status)) {
330 DEBUG(0, ("ads_add_machine_acct: %s\n", ads_errstr(status)));
334 status = ads_find_machine_acct(ads, (void **)&res, host);
335 if (!ADS_ERR_OK(status)) {
336 DEBUG(0, ("Host account test failed\n"));
346 delete a machine from the realm
348 ADS_STATUS ads_leave_realm(ADS_STRUCT *ads, const char *hostname)
352 char *hostnameDN, *host;
355 /* hostname must be lowercase */
356 host = strdup(hostname);
359 status = ads_find_machine_acct(ads, &res, host);
360 if (!ADS_ERR_OK(status)) {
361 DEBUG(0, ("Host account for %s does not exist.\n", host));
365 hostnameDN = ldap_get_dn(ads->ld, (LDAPMessage *)res);
366 rc = ldap_delete_s(ads->ld, hostnameDN);
367 ldap_memfree(hostnameDN);
368 if (rc != LDAP_SUCCESS) {
369 return ADS_ERROR(rc);
372 status = ads_find_machine_acct(ads, &res, host);
373 if (ADS_ERR_OK(status) && ads_count_replies(ads, res) == 1) {
374 DEBUG(0, ("Failed to remove host account.\n"));
384 ADS_STATUS ads_set_machine_password(ADS_STRUCT *ads,
385 const char *hostname,
386 const char *password)
389 char *host = strdup(hostname);
394 asprintf(&principal, "%s@%s", host, ads->realm);
396 status = krb5_set_password(ads->kdc_server, principal, password);
405 pull the first entry from a ADS result
407 void *ads_first_entry(ADS_STRUCT *ads, void *res)
409 return (void *)ldap_first_entry(ads->ld, (LDAPMessage *)res);
413 pull the next entry from a ADS result
415 void *ads_next_entry(ADS_STRUCT *ads, void *res)
417 return (void *)ldap_next_entry(ads->ld, (LDAPMessage *)res);
421 pull a single string from a ADS result
423 char *ads_pull_string(ADS_STRUCT *ads,
424 TALLOC_CTX *mem_ctx, void *msg, const char *field)
429 values = ldap_get_values(ads->ld, msg, field);
430 if (!values) return NULL;
433 ret = talloc_strdup(mem_ctx, values[0]);
435 ldap_value_free(values);
440 pull a single uint32 from a ADS result
442 BOOL ads_pull_uint32(ADS_STRUCT *ads,
443 void *msg, const char *field, uint32 *v)
447 values = ldap_get_values(ads->ld, msg, field);
448 if (!values) return False;
450 ldap_value_free(values);
454 *v = atoi(values[0]);
455 ldap_value_free(values);
460 pull a single DOM_SID from a ADS result
462 BOOL ads_pull_sid(ADS_STRUCT *ads,
463 void *msg, const char *field, DOM_SID *sid)
465 struct berval **values;
468 values = ldap_get_values_len(ads->ld, msg, field);
470 if (!values) return False;
473 ret = sid_parse(values[0]->bv_val, values[0]->bv_len, sid);
476 ldap_value_free_len(values);
481 pull an array of DOM_SIDs from a ADS result
482 return the count of SIDs pulled
484 int ads_pull_sids(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx,
485 void *msg, const char *field, DOM_SID **sids)
487 struct berval **values;
491 values = ldap_get_values_len(ads->ld, msg, field);
493 if (!values) return 0;
495 for (i=0; values[i]; i++) /* nop */ ;
497 (*sids) = talloc(mem_ctx, sizeof(DOM_SID) * i);
500 for (i=0; values[i]; i++) {
501 ret = sid_parse(values[i]->bv_val, values[i]->bv_len, &(*sids)[count]);
505 ldap_value_free_len(values);
510 /* find the update serial number - this is the core of the ldap cache */
511 ADS_STATUS ads_USN(ADS_STRUCT *ads, uint32 *usn)
513 const char *attrs[] = {"highestCommittedUSN", NULL};
517 status = ads_do_search(ads, "", LDAP_SCOPE_BASE, "(objectclass=*)", attrs, &res);
518 if (!ADS_ERR_OK(status)) return status;
520 if (ads_count_replies(ads, res) != 1) {
521 return ADS_ERROR(LDAP_NO_RESULTS_RETURNED);
524 ads_pull_uint32(ads, res, "highestCommittedUSN", usn);
525 ads_msgfree(ads, res);
530 /* find the servers name and realm - this can be done before authentication
531 The ldapServiceName field on w2k looks like this:
532 vnet3.home.samba.org:win2000-vnet3$@VNET3.HOME.SAMBA.ORG
534 ADS_STATUS ads_server_info(ADS_STRUCT *ads)
536 const char *attrs[] = {"ldapServiceName", NULL};
542 status = ads_do_search(ads, "", LDAP_SCOPE_BASE, "(objectclass=*)", attrs, &res);
543 if (!ADS_ERR_OK(status)) return status;
545 values = ldap_get_values(ads->ld, res, "ldapServiceName");
546 if (!values || !values[0]) return ADS_ERROR(LDAP_NO_RESULTS_RETURNED);
548 p = strchr(values[0], ':');
550 ldap_value_free(values);
552 return ADS_ERROR(LDAP_DECODING_ERROR);
555 SAFE_FREE(ads->ldap_server_name);
557 ads->ldap_server_name = strdup(p+1);
558 p = strchr(ads->ldap_server_name, '$');
559 if (!p || p[1] != '@') {
560 ldap_value_free(values);
562 SAFE_FREE(ads->ldap_server_name);
563 return ADS_ERROR(LDAP_DECODING_ERROR);
568 SAFE_FREE(ads->server_realm);
569 SAFE_FREE(ads->bind_path);
571 ads->server_realm = strdup(p+2);
572 ads->bind_path = ads_build_dn(ads->server_realm);
574 /* in case the realm isn't configured in smb.conf */
575 if (!ads->realm || !ads->realm[0]) {
576 SAFE_FREE(ads->realm);
577 ads->realm = strdup(ads->server_realm);
580 DEBUG(3,("got ldap server name %s@%s\n",
581 ads->ldap_server_name, ads->realm));
588 find the list of trusted domains
590 ADS_STATUS ads_trusted_domains(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx,
591 int *num_trusts, char ***names, DOM_SID **sids)
593 const char *attrs[] = {"flatName", "securityIdentifier", NULL};
600 status = ads_search(ads, &res, "(objectcategory=trustedDomain)", attrs);
601 if (!ADS_ERR_OK(status)) return status;
603 count = ads_count_replies(ads, res);
605 ads_msgfree(ads, res);
606 return ADS_ERROR(LDAP_NO_RESULTS_RETURNED);
609 (*names) = talloc(mem_ctx, sizeof(char *) * count);
610 (*sids) = talloc(mem_ctx, sizeof(DOM_SID) * count);
611 if (! *names || ! *sids) return ADS_ERROR(LDAP_NO_MEMORY);
613 for (i=0, msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
614 (*names)[i] = ads_pull_string(ads, mem_ctx, msg, "flatName");
615 ads_pull_sid(ads, msg, "securityIdentifier", &(*sids)[i]);
619 ads_msgfree(ads, res);
626 /* find the domain sid for our domain */
627 ADS_STATUS ads_domain_sid(ADS_STRUCT *ads, DOM_SID *sid)
629 const char *attrs[] = {"objectSid", NULL};
633 rc = ads_do_search(ads, ads->bind_path, LDAP_SCOPE_BASE, "(objectclass=*)",
635 if (!ADS_ERR_OK(rc)) return rc;
636 if (!ads_pull_sid(ads, res, "objectSid", sid)) {
637 return ADS_ERROR_SYSTEM(ENOENT);
639 ads_msgfree(ads, res);