#include "ads.h"
#include "libads/sitename_cache.h"
#include "libads/cldap.h"
-#include "libads/dns.h"
+#include "../lib/addns/dnsquery.h"
#include "../libds/common/flags.h"
#include "smbldap.h"
#include "../libcli/security/security.h"
+#include "lib/param/loadparm.h"
#ifdef HAVE_LDAP
int port, unsigned int to)
{
LDAP *ldp = NULL;
+ int ldap_err;
+ char *uri;
DEBUG(10, ("Opening connection to LDAP server '%s:%d', timeout "
"%u seconds\n", server, port, to));
-#if defined(HAVE_LDAP_INIT_FD) && defined(SOCKET_WRAPPER)
- /* Only use this private LDAP function if we are in make test,
- * as this is the best way to get the emulated TCP socket into
- * OpenLDAP */
- if (socket_wrapper_dir() != NULL) {
- int fd, ldap_err;
- NTSTATUS status;
- char *uri;
-
- status = open_socket_out(ss, port, to, &fd);
-
- if (!NT_STATUS_IS_OK(status)) {
- return NULL;
- }
-
-#ifndef LDAP_PROTO_TCP
-#define LDAP_PROTO_TCP 1
-#endif
- uri = talloc_asprintf(talloc_tos(), "ldap://%s:%u", server, port);
- if (uri == NULL) {
- return NULL;
- }
- ldap_err = ldap_init_fd(fd, LDAP_PROTO_TCP, uri, &ldp);
- talloc_free(uri);
-
- if (ldap_err != LDAP_SUCCESS) {
- return NULL;
- }
- return ldp;
+ if (to) {
+ /* Setup timeout */
+ gotalarm = 0;
+ CatchSignal(SIGALRM, gotalarm_sig);
+ alarm(to);
+ /* End setup timeout. */
}
-#endif
- /* Setup timeout */
- gotalarm = 0;
- CatchSignal(SIGALRM, gotalarm_sig);
- alarm(to);
- /* End setup timeout. */
+ uri = talloc_asprintf(talloc_tos(), "ldap://%s:%u", server, port);
+ if (uri == NULL) {
+ return NULL;
+ }
+#ifdef HAVE_LDAP_INITIALIZE
+ ldap_err = ldap_initialize(&ldp, uri);
+#else
ldp = ldap_open(server, port);
-
- if (ldp == NULL) {
- DEBUG(2,("Could not open connection to LDAP server %s:%d: %s\n",
- server, port, strerror(errno)));
+ if (ldp != NULL) {
+ ldap_err = LDAP_SUCCESS;
+ } else {
+ ldap_err = LDAP_OTHER;
+ }
+#endif
+ if (ldap_err != LDAP_SUCCESS) {
+ DEBUG(2,("Could not initialize connection for LDAP server '%s': %s\n",
+ uri, ldap_err2string(ldap_err)));
} else {
- DEBUG(10, ("Connected to LDAP server '%s:%d'\n", server, port));
+ DEBUG(10, ("Initialized connection for LDAP server '%s'\n", uri));
}
- /* Teardown timeout. */
- CatchSignal(SIGALRM, SIG_IGN);
- alarm(0);
+ if (to) {
+ /* Teardown timeout. */
+ alarm(0);
+ CatchSignal(SIGALRM, SIG_IGN);
+ }
return ldp;
}
int sizelimit,
LDAPMessage **res )
{
+ int to = lp_ldap_timeout();
struct timeval timeout;
+ struct timeval *timeout_ptr = NULL;
int result;
/* Setup timeout for the ldap_search_ext_s call - local and remote. */
- timeout.tv_sec = lp_ldap_timeout();
- timeout.tv_usec = 0;
-
- /* Setup alarm timeout.... Do we need both of these ? JRA. */
gotalarm = 0;
- CatchSignal(SIGALRM, gotalarm_sig);
- alarm(lp_ldap_timeout());
- /* End setup timeout. */
+
+ if (to) {
+ timeout.tv_sec = to;
+ timeout.tv_usec = 0;
+ timeout_ptr = &timeout;
+
+ /* Setup alarm timeout. */
+ CatchSignal(SIGALRM, gotalarm_sig);
+ /* Make the alarm time one second beyond
+ the timout we're setting for the
+ remote search timeout, to allow that
+ to fire in preference. */
+ alarm(to+1);
+ /* End setup timeout. */
+ }
+
result = ldap_search_ext_s(ld, base, scope, filter, attrs,
- attrsonly, sctrls, cctrls, &timeout,
+ attrsonly, sctrls, cctrls, timeout_ptr,
sizelimit, res);
- /* Teardown timeout. */
- CatchSignal(SIGALRM, SIG_IGN);
- alarm(0);
+ if (to) {
+ /* Teardown alarm timeout. */
+ CatchSignal(SIGALRM, SIG_IGN);
+ alarm(0);
+ }
if (gotalarm != 0)
return LDAP_TIMELIMIT_EXCEEDED;
try a connection to a given ldap server, returning True and setting the servers IP
in the ads struct if successful
*/
-static bool ads_try_connect(ADS_STRUCT *ads, const char *server, bool gc)
+static bool ads_try_connect(ADS_STRUCT *ads, bool gc,
+ struct sockaddr_storage *ss)
{
struct NETLOGON_SAM_LOGON_RESPONSE_EX cldap_reply;
TALLOC_CTX *frame = talloc_stackframe();
bool ret = false;
- struct sockaddr_storage ss;
char addr[INET6_ADDRSTRLEN];
- if (!server || !*server) {
+ if (ss == NULL) {
TALLOC_FREE(frame);
return False;
}
- if (!resolve_name(server, &ss, 0x20, true)) {
- DEBUG(5,("ads_try_connect: unable to resolve name %s\n",
- server ));
- TALLOC_FREE(frame);
- return false;
- }
- print_sockaddr(addr, sizeof(addr), &ss);
+ print_sockaddr(addr, sizeof(addr), ss);
DEBUG(5,("ads_try_connect: sending CLDAP request to %s (realm: %s)\n",
addr, ads->server.realm));
ZERO_STRUCT( cldap_reply );
- if ( !ads_cldap_netlogon_5(frame, &ss, ads->server.realm, &cldap_reply ) ) {
+ if ( !ads_cldap_netlogon_5(frame, ss, ads->server.realm, &cldap_reply ) ) {
DEBUG(3,("ads_try_connect: CLDAP request %s failed.\n", addr));
ret = false;
goto out;
ads->config.flags = cldap_reply.server_type;
ads->config.ldap_server_name = SMB_STRDUP(cldap_reply.pdc_dns_name);
ads->config.realm = SMB_STRDUP(cldap_reply.dns_domain);
- strupper_m(ads->config.realm);
+ if (!strupper_m(ads->config.realm)) {
+ ret = false;
+ goto out;
+ }
+
ads->config.bind_path = ads_build_dn(ads->config.realm);
if (*cldap_reply.server_site) {
ads->config.server_site_name =
ads->server.workgroup = SMB_STRDUP(cldap_reply.domain_name);
ads->ldap.port = gc ? LDAP_GC_PORT : LDAP_PORT;
- ads->ldap.ss = ss;
+ ads->ldap.ss = *ss;
/* Store our site name. */
sitename_store( cldap_reply.domain_name, cldap_reply.client_site);
bool use_own_domain = False;
char *sitename;
NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
+ bool ok = false;
/* if the realm and workgroup are both empty, assume they are ours */
}
if ( !c_realm || !*c_realm ) {
- DEBUG(0,("ads_find_dc: no realm or workgroup! Don't know what to do\n"));
+ DEBUG(1, ("ads_find_dc: no realm or workgroup! Don't know "
+ "what to do\n"));
return NT_STATUS_INVALID_PARAMETER; /* rather need MISSING_PARAMETER ... */
}
DEBUG(6,("ads_find_dc: (ldap) looking for %s '%s'\n",
(got_realm ? "realm" : "domain"), realm));
- if (get_dc_name(domain, realm, srv_name, &ip_out)) {
+ ok = get_dc_name(domain, realm, srv_name, &ip_out);
+ if (ok) {
/*
* we call ads_try_connect() to fill in the
* ads->config details
*/
- if (ads_try_connect(ads, srv_name, false)) {
+ ok = ads_try_connect(ads, false, &ip_out);
+ if (ok) {
return NT_STATUS_OK;
}
}
return NT_STATUS_NO_LOGON_SERVERS;
}
- sitename = sitename_fetch(realm);
+ sitename = sitename_fetch(talloc_tos(), realm);
again:
goto again;
}
- SAFE_FREE(sitename);
+ TALLOC_FREE(sitename);
return status;
}
}
}
- if ( ads_try_connect(ads, server, false) ) {
+ ok = ads_try_connect(ads, false, &ip_list[i].ss);
+ if (ok) {
SAFE_FREE(ip_list);
- SAFE_FREE(sitename);
+ TALLOC_FREE(sitename);
return NT_STATUS_OK;
}
if (sitename) {
DEBUG(1,("ads_find_dc: failed to find a valid DC on our site (%s), "
"trying to find another DC\n", sitename));
- SAFE_FREE(sitename);
+ TALLOC_FREE(sitename);
namecache_delete(realm, 0x1C);
goto again;
}
if (!realm)
realm = lp_realm();
- if ((sitename = sitename_fetch(realm)) == NULL) {
+ if ((sitename = sitename_fetch(frame, realm)) == NULL) {
ads_lookup_site();
- sitename = sitename_fetch(realm);
+ sitename = sitename_fetch(frame, realm);
}
do {
if (sitename == NULL)
done = true;
- nt_status = ads_dns_query_gcs(frame, realm, sitename,
- &gcs_list, &num_gcs);
-
- SAFE_FREE(sitename);
+ nt_status = ads_dns_query_gcs(frame,
+ realm,
+ sitename,
+ &gcs_list,
+ &num_gcs);
if (!NT_STATUS_IS_OK(nt_status)) {
ads_status = ADS_ERROR_NT(nt_status);
} while (!done);
done:
- SAFE_FREE(sitename);
talloc_destroy(frame);
return ads_status;
TALLOC_FREE(s);
}
- if (ads->server.ldap_server)
- {
- if (ads_try_connect(ads, ads->server.ldap_server, ads->server.gc)) {
+ if (ads->server.ldap_server) {
+ bool ok = false;
+ struct sockaddr_storage ss;
+
+ ok = resolve_name(ads->server.ldap_server, &ss, 0x20, true);
+ if (!ok) {
+ DEBUG(5,("ads_connect: unable to resolve name %s\n",
+ ads->server.ldap_server));
+ status = ADS_ERROR_NT(NT_STATUS_NOT_FOUND);
+ goto out;
+ }
+ ok = ads_try_connect(ads, ads->server.gc, &ss);
+ if (ok) {
goto got_connection;
}
/* Otherwise setup the TCP LDAP session */
- ads->ldap.ld = ldap_open_with_timeout(ads->config.ldap_server_name,
+ ads->ldap.ld = ldap_open_with_timeout(addr,
&ads->ldap.ss,
ads->ldap.port, lp_ldap_timeout());
if (ads->ldap.ld == NULL) {
ldap_set_option(ads->ldap.ld, LDAP_OPT_PROTOCOL_VERSION, &version);
if ( lp_ldap_ssl_ads() ) {
- status = ADS_ERROR(smb_ldap_start_tls(ads->ldap.ld, version));
+ status = ADS_ERROR(smbldap_start_tls(ads->ldap.ld, version));
if (!ADS_ERR_OK(status)) {
goto out;
}
cookie_be = ber_alloc_t(LBER_USE_DER);
if (*cookie) {
- ber_printf(cookie_be, "{iO}", (ber_int_t) 1000, *cookie);
+ ber_printf(cookie_be, "{iO}", (ber_int_t) ads->config.ldap_page_size, *cookie);
ber_bvfree(*cookie); /* don't need it from last time */
*cookie = NULL;
} else {
- ber_printf(cookie_be, "{io}", (ber_int_t) 1000, "", 0);
+ ber_printf(cookie_be, "{io}", (ber_int_t) ads->config.ldap_page_size, "", 0);
}
ber_flatten(cookie_be, &cookie_bv);
PagedResults.ldctl_oid = discard_const_p(char, ADS_PAGE_CTL_OID);
if (rc) {
DEBUG(3,("ads_do_paged_search_args: ldap_search_with_timeout(%s) -> %s\n", expr,
ldap_err2string(rc)));
+ if (rc == LDAP_OTHER) {
+ char *ldap_errmsg;
+ int ret;
+
+ ret = ldap_parse_result(ads->ldap.ld,
+ *res,
+ NULL,
+ NULL,
+ &ldap_errmsg,
+ NULL,
+ NULL,
+ 0);
+ if (ret == LDAP_SUCCESS) {
+ DEBUG(3, ("ldap_search_with_timeout(%s) "
+ "error: %s\n", expr, ldap_errmsg));
+ ldap_memfree(ldap_errmsg);
+ }
+ }
goto done;
}
#ifdef HAVE_LDAP_ADD_RESULT_ENTRY
while (cookie) {
LDAPMessage *res2 = NULL;
- ADS_STATUS status2;
LDAPMessage *msg, *next;
- status2 = ads_do_paged_search_args(ads, bind_path, scope, expr,
+ status = ads_do_paged_search_args(ads, bind_path, scope, expr,
attrs, args, &res2, &count, &cookie);
-
- if (!ADS_ERR_OK(status2)) break;
+ if (!ADS_ERR_OK(status)) {
+ /* Ensure we free all collected results */
+ ads_msgfree(ads, *res);
+ *res = NULL;
+ break;
+ }
/* this relies on the way that ldap_add_result_entry() works internally. I hope
that this works on all ldap libs, but I have only tested with openldap */
int mod_op, const char *name,
const void *_invals)
{
- const void **invals = (const void **)_invals;
int curmod;
LDAPMod **modlist = (LDAPMod **) *mods;
struct berval **ber_values = NULL;
char **char_values = NULL;
- if (!invals) {
+ if (!_invals) {
mod_op = LDAP_MOD_DELETE;
} else {
- if (mod_op & LDAP_MOD_BVALUES)
- ber_values = ads_dup_values(ctx,
- (const struct berval **)invals);
- else
- char_values = ads_push_strvals(ctx,
- (const char **) invals);
+ if (mod_op & LDAP_MOD_BVALUES) {
+ const struct berval **b;
+ b = discard_const_p(const struct berval *, _invals);
+ ber_values = ads_dup_values(ctx, b);
+ } else {
+ const char **c;
+ c = discard_const_p(const char *, _invals);
+ char_values = ads_push_strvals(ctx, c);
+ }
}
/* find the first empty slot */
return ret;
}
+/**
+ * @brief Search for an element in a string array.
+ *
+ * @param[in] el_array The string array to search.
+ *
+ * @param[in] num_el The number of elements in the string array.
+ *
+ * @param[in] el The string to search.
+ *
+ * @return True if found, false if not.
+ */
+bool ads_element_in_array(const char **el_array, size_t num_el, const char *el)
+{
+ size_t i;
+
+ if (el_array == NULL || num_el == 0 || el == NULL) {
+ return false;
+ }
+
+ for (i = 0; i < num_el && el_array[i] != NULL; i++) {
+ int cmp;
+
+ cmp = strcasecmp_m(el_array[i], el);
+ if (cmp == 0) {
+ return true;
+ }
+ }
+
+ return false;
+}
+
+/**
+ * @brief This gets the service principal names of an existing computer account.
+ *
+ * @param[in] mem_ctx The memory context to use to allocate the spn array.
+ *
+ * @param[in] ads The ADS context to use.
+ *
+ * @param[in] machine_name The NetBIOS name of the computer, which is used to
+ * identify the computer account.
+ *
+ * @param[in] spn_array A pointer to store the array for SPNs.
+ *
+ * @param[in] num_spns The number of principals stored in the array.
+ *
+ * @return 0 on success, or a ADS error if a failure occured.
+ */
+ADS_STATUS ads_get_service_principal_names(TALLOC_CTX *mem_ctx,
+ ADS_STRUCT *ads,
+ const char *machine_name,
+ char ***spn_array,
+ size_t *num_spns)
+{
+ ADS_STATUS status;
+ LDAPMessage *res = NULL;
+ int count;
+
+ status = ads_find_machine_acct(ads,
+ &res,
+ machine_name);
+ if (!ADS_ERR_OK(status)) {
+ DEBUG(1,("Host Account for %s not found... skipping operation.\n",
+ machine_name));
+ return status;
+ }
+
+ count = ads_count_replies(ads, res);
+ if (count != 1) {
+ status = ADS_ERROR(LDAP_NO_SUCH_OBJECT);
+ goto done;
+ }
+
+ *spn_array = ads_pull_strings(ads,
+ mem_ctx,
+ res,
+ "servicePrincipalName",
+ num_spns);
+
+done:
+ ads_msgfree(ads, res);
+
+ return status;
+}
+
/**
* This adds a service principal name to an existing computer account
* (found by hostname) in AD.
ads_msgfree(ads, res);
return ADS_ERROR(LDAP_NO_MEMORY);
}
- strupper_m(psp1);
- strlower_m(&psp1[strlen(spn)]);
+ if (!strlower_m(&psp1[strlen(spn) + 1])) {
+ ret = ADS_ERROR(LDAP_NO_MEMORY);
+ goto out;
+ }
servicePrincipalName[0] = psp1;
DEBUG(5,("ads_add_service_principal_name: INFO: Adding %s to host %s\n",
ret = ADS_ERROR(LDAP_NO_MEMORY);
goto out;
}
- strupper_m(psp2);
- strlower_m(&psp2[strlen(spn)]);
+ if (!strlower_m(&psp2[strlen(spn) + 1])) {
+ ret = ADS_ERROR(LDAP_NO_MEMORY);
+ goto out;
+ }
servicePrincipalName[1] = psp2;
DEBUG(5,("ads_add_service_principal_name: INFO: Adding %s to host %s\n",
utf8_field=ldap_next_attribute(ads->ldap.ld,
(LDAPMessage *)msg,b)) {
struct berval **ber_vals;
- char **str_vals, **utf8_vals;
+ char **str_vals;
+ char **utf8_vals;
char *field;
bool string;
string = fn(ads, field, NULL, data_area);
if (string) {
+ const char **p;
+
utf8_vals = ldap_get_values(ads->ldap.ld,
(LDAPMessage *)msg, field);
- str_vals = ads_pull_strvals(ctx,
- (const char **) utf8_vals);
+ p = discard_const_p(const char *, utf8_vals);
+ str_vals = ads_pull_strvals(ctx, p);
fn(ads, field, (void **) str_vals, data_area);
ldap_value_free(utf8_vals);
} else {
for (msg = ads_first_entry(ads, res); msg;
msg = ads_next_entry(ads, msg)) {
-
+ const char **p = discard_const_p(const char *, *ous);
char *dn = NULL;
dn = ads_get_dn(ads, talloc_tos(), msg);
return ADS_ERROR(LDAP_NO_MEMORY);
}
- if (!add_string_to_array(mem_ctx, dn,
- (const char ***)ous,
- (int *)num_ous)) {
+ if (!add_string_to_array(mem_ctx, dn, &p, num_ous)) {
TALLOC_FREE(dn);
ads_msgfree(ads, res);
return ADS_ERROR(LDAP_NO_MEMORY);
}
TALLOC_FREE(dn);
+ *ous = discard_const_p(char *, p);
}
ads_msgfree(ads, res);
return ADS_ERROR_NT(NT_STATUS_OK);
}
-/**
- * pull an array of struct dom_sids from a ADS result
- * @param ads connection to ads server
- * @param mem_ctx TALLOC_CTX for allocating sid array
- * @param msg Results of search
- * @param field Attribute to retrieve
- * @param flags string type of extended_dn
- * @param sids pointer to sid array to allocate
- * @return the count of SIDs pulled
- **/
- int ads_pull_sids_from_extendeddn(ADS_STRUCT *ads,
- TALLOC_CTX *mem_ctx,
- LDAPMessage *msg,
- const char *field,
- enum ads_extended_dn_flags flags,
- struct dom_sid **sids)
-{
- int i;
- ADS_STATUS rc;
- size_t dn_count, ret_count = 0;
- char **dn_strings;
-
- if ((dn_strings = ads_pull_strings(ads, mem_ctx, msg, field,
- &dn_count)) == NULL) {
- return 0;
- }
-
- (*sids) = talloc_zero_array(mem_ctx, struct dom_sid, dn_count + 1);
- if (!(*sids)) {
- TALLOC_FREE(dn_strings);
- return 0;
- }
-
- for (i=0; i<dn_count; i++) {
- rc = ads_get_sid_from_extended_dn(mem_ctx, dn_strings[i],
- flags, &(*sids)[i]);
- if (!ADS_ERR_OK(rc)) {
- if (NT_STATUS_EQUAL(ads_ntstatus(rc),
- NT_STATUS_NOT_FOUND)) {
- continue;
- }
- else {
- TALLOC_FREE(*sids);
- TALLOC_FREE(dn_strings);
- return 0;
- }
- }
- ret_count++;
- }
-
- TALLOC_FREE(dn_strings);
-
- return ret_count;
-}
-
/********************************************************************
********************************************************************/
/* hostname must be lowercase */
host = SMB_STRDUP(hostname);
- strlower_m(host);
+ if (!strlower_m(host)) {
+ SAFE_FREE(host);
+ return ADS_ERROR_SYSTEM(EINVAL);
+ }
status = ads_find_machine_acct(ads, &res, host);
if (!ADS_ERR_OK(status)) {