Copyright (C) Andrew Tridgell 2001
Copyright (C) Remus Koos 2001
Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002
+ Copyright (C) Guenther Deschner 2005
+ Copyright (C) Gerald Carter 2006
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
* codepoints in UTF-8). This may have to change at some point
**/
+
+#define LDAP_SERVER_TREE_DELETE_OID "1.2.840.113556.1.4.805"
+
static SIG_ATOMIC_T gotalarm;
/***************************************************************
Signal function to tell us we timed out.
****************************************************************/
-
+
static void gotalarm_sig(void)
{
gotalarm = 1;
}
-
+
LDAP *ldap_open_with_timeout(const char *server, int port, unsigned int to)
{
LDAP *ldp = NULL;
-
+
/* Setup timeout */
gotalarm = 0;
CatchSignal(SIGALRM, SIGNAL_CAST gotalarm_sig);
alarm(to);
/* End setup timeout. */
-
+
ldp = ldap_open(server, port);
-
+
+ if (ldp == NULL) {
+ DEBUG(2,("Could not open LDAP connection to %s:%d: %s\n",
+ server, port, strerror(errno)));
+ }
+
/* Teardown timeout. */
CatchSignal(SIGALRM, SIGNAL_CAST SIG_IGN);
alarm(0);
-
+
return ldp;
}
return result;
}
+#ifdef HAVE_KRB5
+/**********************************************
+ Do client and server sitename match ?
+**********************************************/
+
+BOOL ads_sitename_match(ADS_STRUCT *ads)
+{
+ if (ads->config.server_site_name == NULL &&
+ ads->config.client_site_name == NULL ) {
+ DEBUG(10,("ads_sitename_match: both null\n"));
+ return True;
+ }
+ if (ads->config.server_site_name &&
+ ads->config.client_site_name &&
+ strequal(ads->config.server_site_name,
+ ads->config.client_site_name)) {
+ DEBUG(10,("ads_sitename_match: name %s match\n", ads->config.server_site_name));
+ return True;
+ }
+ DEBUG(10,("ads_sitename_match: no match %s %s\n",
+ ads->config.server_site_name ? ads->config.server_site_name : "NULL",
+ ads->config.client_site_name ? ads->config.client_site_name : "NULL"));
+ return False;
+}
+#endif
+
/*
try a connection to a given ldap server, returning True and setting the servers IP
in the ads struct if successful
-
- TODO : add a negative connection cache in here leveraged off of the one
- found in the rpc code. --jerry
*/
-BOOL ads_try_connect(ADS_STRUCT *ads, const char *server, unsigned port)
+BOOL ads_try_connect(ADS_STRUCT *ads, const char *server )
{
char *srv;
+ struct cldap_netlogon_reply cldap_reply;
if (!server || !*server) {
return False;
}
-
- DEBUG(5,("ads_try_connect: trying ldap server '%s' port %u\n", server, port));
+
+ DEBUG(5,("ads_try_connect: sending CLDAP request to %s (realm: %s)\n",
+ server, ads->server.realm));
/* this copes with inet_ntoa brokenness */
+
srv = SMB_STRDUP(server);
- ads->ld = ldap_open_with_timeout(srv, port, lp_ldap_timeout());
- if (!ads->ld) {
- free(srv);
+ ZERO_STRUCT( cldap_reply );
+
+ if ( !ads_cldap_netlogon( srv, ads->server.realm, &cldap_reply ) ) {
+ DEBUG(3,("ads_try_connect: CLDAP request %s failed.\n", srv));
+ SAFE_FREE( srv );
return False;
}
- ads->ldap_port = port;
- ads->ldap_ip = *interpret_addr2(srv);
- free(srv);
- return True;
-}
+ /* Check the CLDAP reply flags */
-/*
- try a connection to a given ldap server, based on URL, returning True if successful
- */
-static BOOL ads_try_connect_uri(ADS_STRUCT *ads)
-{
-#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
- DEBUG(5,("ads_try_connect: trying ldap server at URI '%s'\n",
- ads->server.ldap_uri));
+ if ( !(cldap_reply.flags & ADS_LDAP) ) {
+ DEBUG(1,("ads_try_connect: %s's CLDAP reply says it is not an LDAP server!\n",
+ srv));
+ SAFE_FREE( srv );
+ return False;
+ }
-
- if (ldap_initialize((LDAP**)&(ads->ld), ads->server.ldap_uri) == LDAP_SUCCESS) {
- return True;
+ /* Fill in the ads->config values */
+
+ SAFE_FREE(ads->config.realm);
+ SAFE_FREE(ads->config.bind_path);
+ SAFE_FREE(ads->config.ldap_server_name);
+ SAFE_FREE(ads->config.server_site_name);
+ SAFE_FREE(ads->config.client_site_name);
+ SAFE_FREE(ads->server.workgroup);
+
+ ads->config.flags = cldap_reply.flags;
+ ads->config.ldap_server_name = SMB_STRDUP(cldap_reply.hostname);
+ strupper_m(cldap_reply.domain);
+ ads->config.realm = SMB_STRDUP(cldap_reply.domain);
+ ads->config.bind_path = ads_build_dn(ads->config.realm);
+ if (*cldap_reply.server_site_name) {
+ ads->config.server_site_name =
+ SMB_STRDUP(cldap_reply.server_site_name);
+ }
+ if (*cldap_reply.client_site_name) {
+ ads->config.client_site_name =
+ SMB_STRDUP(cldap_reply.client_site_name);
}
- DEBUG(0, ("ldap_initialize: %s\n", strerror(errno)));
-
-#else
+
+ ads->server.workgroup = SMB_STRDUP(cldap_reply.netbios_domain);
- DEBUG(1, ("no URL support in LDAP libs!\n"));
-#endif
+ ads->ldap_port = LDAP_PORT;
+ ads->ldap_ip = *interpret_addr2(srv);
+ SAFE_FREE(srv);
+
+ /* Store our site name. */
+ sitename_store( cldap_reply.client_site_name );
- return False;
+ return True;
}
/**********************************************************************
disabled
**********************************************************************/
-static BOOL ads_find_dc(ADS_STRUCT *ads)
+static NTSTATUS ads_find_dc(ADS_STRUCT *ads)
{
const char *c_realm;
int count, i=0;
pstring realm;
BOOL got_realm = False;
BOOL use_own_domain = False;
+ NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
/* if the realm and workgroup are both empty, assume they are ours */
if ( !c_realm || !*c_realm ) {
DEBUG(0,("ads_find_dc: no realm or workgroup! Don't know what to do\n"));
- return False;
+ return NT_STATUS_INVALID_PARAMETER; /* rather need MISSING_PARAMETER ... */
}
}
DEBUG(6,("ads_find_dc: looking for %s '%s'\n",
(got_realm ? "realm" : "domain"), realm));
- if ( !get_sorted_dc_list(realm, &ip_list, &count, got_realm) ) {
+ status = get_sorted_dc_list(realm, &ip_list, &count, got_realm);
+ if (!NT_STATUS_IS_OK(status)) {
/* fall back to netbios if we can */
if ( got_realm && !lp_disable_netbios() ) {
got_realm = False;
goto again;
}
- return False;
+ return status;
}
-
+
/* if we fail this loop, then giveup since all the IP addresses returned were dead */
for ( i=0; i<count; i++ ) {
- /* since this is an ads conection request, default to LDAP_PORT is not set */
- int port = (ip_list[i].port!=PORT_NONE) ? ip_list[i].port : LDAP_PORT;
fstring server;
fstrcpy( server, inet_ntoa(ip_list[i].ip) );
if ( !NT_STATUS_IS_OK(check_negative_conn_cache(realm, server)) )
continue;
+
+ if (!got_realm) {
+ /* realm in this case is a workgroup name. We need
+ to ignore any IP addresses in the negative connection
+ cache that match ip addresses returned in the ad realm
+ case. It sucks that I have to reproduce the logic above... */
+ c_realm = ads->server.realm;
+ if ( !c_realm || !*c_realm ) {
+ if ( !ads->server.workgroup || !*ads->server.workgroup ) {
+ c_realm = lp_realm();
+ }
+ }
+ if (c_realm && *c_realm &&
+ !NT_STATUS_IS_OK(check_negative_conn_cache(c_realm, server))) {
+ /* Ensure we add the workgroup name for this
+ IP address as negative too. */
+ add_failed_connection_entry( realm, server, NT_STATUS_UNSUCCESSFUL );
+ continue;
+ }
+ }
- if ( ads_try_connect(ads, server, port) ) {
+ if ( ads_try_connect(ads, server) ) {
SAFE_FREE(ip_list);
- return True;
+ return NT_STATUS_OK;
}
/* keep track of failures */
SAFE_FREE(ip_list);
- return False;
+ return NT_STATUS_NO_LOGON_SERVERS;
}
{
int version = LDAP_VERSION3;
ADS_STATUS status;
+ NTSTATUS ntstatus;
ads->last_attempt = time(NULL);
ads->ld = NULL;
- /* try with a URL based server */
-
- if (ads->server.ldap_uri &&
- ads_try_connect_uri(ads)) {
- goto got_connection;
- }
-
/* try with a user specified server */
+
if (ads->server.ldap_server &&
- ads_try_connect(ads, ads->server.ldap_server, LDAP_PORT)) {
+ ads_try_connect(ads, ads->server.ldap_server)) {
goto got_connection;
}
- if (ads_find_dc(ads)) {
+ ntstatus = ads_find_dc(ads);
+ if (NT_STATUS_IS_OK(ntstatus)) {
goto got_connection;
}
- return ADS_ERROR_SYSTEM(errno?errno:ENOENT);
+ return ADS_ERROR_NT(ntstatus);
got_connection:
DEBUG(3,("Connected to LDAP server %s\n", inet_ntoa(ads->ldap_ip)));
- status = ads_server_info(ads);
- if (!ADS_ERR_OK(status)) {
- DEBUG(1,("Failed to get ldap server info\n"));
- return status;
- }
-
- ldap_set_option(ads->ld, LDAP_OPT_PROTOCOL_VERSION, &version);
-
if (!ads->auth.user_name) {
- /* have to use the userPrincipalName value here and
- not servicePrincipalName; found by Guenther Deschner @ Sernet */
+ /* Must use the userPrincipalName value here or sAMAccountName
+ and not servicePrincipalName; found by Guenther Deschner */
- asprintf(&ads->auth.user_name, "host/%s", global_myname() );
+ asprintf(&ads->auth.user_name, "%s$", global_myname() );
}
if (!ads->auth.realm) {
}
#endif
+ /* If the caller() requested no LDAP bind, then we are done */
+
if (ads->auth.flags & ADS_AUTH_NO_BIND) {
return ADS_SUCCESS;
}
+
+ /* Otherwise setup the TCP LDAP session */
+
+ if ( (ads->ld = ldap_open_with_timeout(ads->config.ldap_server_name,
+ LDAP_PORT, lp_ldap_timeout())) == NULL )
+ {
+ return ADS_ERROR(LDAP_OPERATIONS_ERROR);
+ }
+
+ /* cache the successful connection */
+ saf_store( ads->server.workgroup, inet_ntoa(ads->ldap_ip));
+
+ ldap_set_option(ads->ld, LDAP_OPT_PROTOCOL_VERSION, &version);
+
+ status = ADS_ERROR(smb_ldap_start_tls(ads->ld, version));
+ if (!ADS_ERR_OK(status)) {
+ return status;
+ }
+
+ /* fill in the current time and offsets */
+
+ status = ads_current_time( ads );
+ if ( !ADS_ERR_OK(status) ) {
+ return status;
+ }
+ /* Now do the bind */
+
if (ads->auth.flags & ADS_AUTH_ANON_BIND) {
return ADS_ERROR(ldap_simple_bind_s( ads->ld, NULL, NULL));
}
if (in_val->bv_len == 0) return value;
value->bv_len = in_val->bv_len;
- value->bv_val = TALLOC_MEMDUP(ctx, in_val->bv_val, in_val->bv_len);
+ value->bv_val = (char *)TALLOC_MEMDUP(ctx, in_val->bv_val,
+ in_val->bv_len);
return value;
}
* @param cookie The paged results cookie to be returned on subsequent calls
* @return status of search
**/
-ADS_STATUS ads_do_paged_search(ADS_STRUCT *ads, const char *bind_path,
- int scope, const char *expr,
- const char **attrs, void **res,
- int *count, void **cookie)
+static ADS_STATUS ads_do_paged_search_args(ADS_STRUCT *ads,
+ const char *bind_path,
+ int scope, const char *expr,
+ const char **attrs, void *args,
+ LDAPMessage **res,
+ int *count, struct berval **cookie)
{
int rc, i, version;
char *utf8_expr, *utf8_path, **search_attrs;
- LDAPControl PagedResults, NoReferrals, *controls[3], **rcontrols;
+ LDAPControl PagedResults, NoReferrals, ExtendedDn, *controls[4], **rcontrols;
BerElement *cookie_be = NULL;
struct berval *cookie_bv= NULL;
+ BerElement *extdn_be = NULL;
+ struct berval *extdn_bv= NULL;
+
TALLOC_CTX *ctx;
+ ads_control *external_control = (ads_control *) args;
*res = NULL;
- if (!(ctx = talloc_init("ads_do_paged_search")))
+ if (!(ctx = talloc_init("ads_do_paged_search_args")))
return ADS_ERROR(LDAP_NO_MEMORY);
/* 0 means the conversion worked but the result was empty
}
cookie_be = ber_alloc_t(LBER_USE_DER);
- if (cookie && *cookie) {
+ if (*cookie) {
ber_printf(cookie_be, "{iO}", (ber_int_t) 1000, *cookie);
ber_bvfree(*cookie); /* don't need it from last time */
*cookie = NULL;
NoReferrals.ldctl_value.bv_len = 0;
NoReferrals.ldctl_value.bv_val = CONST_DISCARD(char *, "");
+ if (external_control && strequal(external_control->control, ADS_EXTENDED_DN_OID)) {
+
+ ExtendedDn.ldctl_oid = CONST_DISCARD(char *, external_control->control);
+ ExtendedDn.ldctl_iscritical = (char) external_control->critical;
+
+ /* win2k does not accept a ldctl_value beeing passed in */
+
+ if (external_control->val != 0) {
+
+ if ((extdn_be = ber_alloc_t(LBER_USE_DER)) == NULL ) {
+ rc = LDAP_NO_MEMORY;
+ goto done;
+ }
+
+ if ((ber_printf(extdn_be, "{i}", (ber_int_t) external_control->val)) == -1) {
+ rc = LDAP_NO_MEMORY;
+ goto done;
+ }
+ if ((ber_flatten(extdn_be, &extdn_bv)) == -1) {
+ rc = LDAP_NO_MEMORY;
+ goto done;
+ }
+
+ ExtendedDn.ldctl_value.bv_len = extdn_bv->bv_len;
+ ExtendedDn.ldctl_value.bv_val = extdn_bv->bv_val;
+
+ } else {
+ ExtendedDn.ldctl_value.bv_len = 0;
+ ExtendedDn.ldctl_value.bv_val = NULL;
+ }
- controls[0] = &NoReferrals;
- controls[1] = &PagedResults;
- controls[2] = NULL;
+ controls[0] = &NoReferrals;
+ controls[1] = &PagedResults;
+ controls[2] = &ExtendedDn;
+ controls[3] = NULL;
+
+ } else {
+ controls[0] = &NoReferrals;
+ controls[1] = &PagedResults;
+ controls[2] = NULL;
+ }
/* we need to disable referrals as the openldap libs don't
handle them and paged results at the same time. Using them
ber_bvfree(cookie_bv);
if (rc) {
- DEBUG(3,("ads_do_paged_search: ldap_search_with_timeout(%s) -> %s\n", expr,
+ DEBUG(3,("ads_do_paged_search_args: ldap_search_with_timeout(%s) -> %s\n", expr,
ldap_err2string(rc)));
goto done;
}
done:
talloc_destroy(ctx);
+
+ if (extdn_be) {
+ ber_free(extdn_be, 1);
+ }
+
+ if (extdn_bv) {
+ ber_bvfree(extdn_bv);
+ }
+
/* if/when we decide to utf8-encode attrs, take out this next line */
str_list_free(&search_attrs);
return ADS_ERROR(rc);
}
+static ADS_STATUS ads_do_paged_search(ADS_STRUCT *ads, const char *bind_path,
+ int scope, const char *expr,
+ const char **attrs, LDAPMessage **res,
+ int *count, struct berval **cookie)
+{
+ return ads_do_paged_search_args(ads, bind_path, scope, expr, attrs, NULL, res, count, cookie);
+}
+
/**
* Get all results for a search. This uses ads_do_paged_search() to return
* @param res ** which will contain results - free res* with ads_msgfree()
* @return status of search
**/
-ADS_STATUS ads_do_search_all(ADS_STRUCT *ads, const char *bind_path,
- int scope, const char *expr,
- const char **attrs, void **res)
+ ADS_STATUS ads_do_search_all_args(ADS_STRUCT *ads, const char *bind_path,
+ int scope, const char *expr,
+ const char **attrs, void *args,
+ LDAPMessage **res)
{
- void *cookie = NULL;
+ struct berval *cookie = NULL;
int count = 0;
ADS_STATUS status;
*res = NULL;
- status = ads_do_paged_search(ads, bind_path, scope, expr, attrs, res,
+ status = ads_do_paged_search_args(ads, bind_path, scope, expr, attrs, args, res,
&count, &cookie);
- if (!ADS_ERR_OK(status)) return status;
+ if (!ADS_ERR_OK(status))
+ return status;
+#ifdef HAVE_LDAP_ADD_RESULT_ENTRY
while (cookie) {
- void *res2 = NULL;
+ LDAPMessage *res2 = NULL;
ADS_STATUS status2;
LDAPMessage *msg, *next;
- status2 = ads_do_paged_search(ads, bind_path, scope, expr,
- attrs, &res2, &count, &cookie);
+ status2 = ads_do_paged_search_args(ads, bind_path, scope, expr,
+ attrs, args, &res2, &count, &cookie);
if (!ADS_ERR_OK(status2)) break;
/* note that we do not free res2, as the memory is now
part of the main returned list */
}
+#else
+ DEBUG(0, ("no ldap_add_result_entry() support in LDAP libs!\n"));
+ status = ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
+#endif
return status;
}
+ ADS_STATUS ads_do_search_all(ADS_STRUCT *ads, const char *bind_path,
+ int scope, const char *expr,
+ const char **attrs, LDAPMessage **res)
+{
+ return ads_do_search_all_args(ads, bind_path, scope, expr, attrs, NULL, res);
+}
+
/**
* Run a function on all results for a search. Uses ads_do_paged_search() and
* runs the function as each page is returned, using ads_process_results()
BOOL(*fn)(char *, void **, void *),
void *data_area)
{
- void *cookie = NULL;
+ struct berval *cookie = NULL;
int count = 0;
ADS_STATUS status;
- void *res;
+ LDAPMessage *res;
status = ads_do_paged_search(ads, bind_path, scope, expr, attrs, &res,
&count, &cookie);
* @param res ** which will contain results - free res* with ads_msgfree()
* @return status of search
**/
-ADS_STATUS ads_do_search(ADS_STRUCT *ads, const char *bind_path, int scope,
- const char *expr,
- const char **attrs, void **res)
+ ADS_STATUS ads_do_search(ADS_STRUCT *ads, const char *bind_path, int scope,
+ const char *expr,
+ const char **attrs, LDAPMessage **res)
{
int rc;
char *utf8_expr, *utf8_path, **search_attrs = NULL;
* @param attrs Attributes to retrieve
* @return status of search
**/
-ADS_STATUS ads_search(ADS_STRUCT *ads, void **res,
- const char *expr,
- const char **attrs)
+ ADS_STATUS ads_search(ADS_STRUCT *ads, LDAPMessage **res,
+ const char *expr, const char **attrs)
{
return ads_do_search(ads, ads->config.bind_path, LDAP_SCOPE_SUBTREE,
expr, attrs, res);
* @param attrs Attributes to retrieve
* @return status of search
**/
-ADS_STATUS ads_search_dn(ADS_STRUCT *ads, void **res,
- const char *dn,
- const char **attrs)
+ ADS_STATUS ads_search_dn(ADS_STRUCT *ads, LDAPMessage **res,
+ const char *dn, const char **attrs)
{
- return ads_do_search(ads, dn, LDAP_SCOPE_BASE, "(objectclass=*)", attrs, res);
+ return ads_do_search(ads, dn, LDAP_SCOPE_BASE, "(objectclass=*)",
+ attrs, res);
}
/**
* @param ads connection to ads server
* @param msg Search results to free
**/
-void ads_msgfree(ADS_STRUCT *ads, void *msg)
+ void ads_msgfree(ADS_STRUCT *ads, LDAPMessage *msg)
{
if (!msg) return;
ldap_msgfree(msg);
* @param msg Search result
* @return dn string
**/
-char *ads_get_dn(ADS_STRUCT *ads, void *msg)
+ char *ads_get_dn(ADS_STRUCT *ads, LDAPMessage *msg)
{
char *utf8_dn, *unix_dn;
return unix_dn;
}
+/**
+ * Get a canonical dn from search results
+ * @param ads connection to ads server
+ * @param msg Search result
+ * @return dn string
+ **/
+ char *ads_get_dn_canonical(ADS_STRUCT *ads, LDAPMessage *msg)
+{
+#ifdef HAVE_LDAP_DN2AD_CANONICAL
+ return ldap_dn2ad_canonical(ads_get_dn(ads, msg));
+#else
+ return NULL;
+#endif
+}
+
+/**
+ * Get the parent from a dn
+ * @param dn the dn to return the parent from
+ * @return parent dn string
+ **/
+char *ads_parent_dn(const char *dn)
+{
+ char *p;
+
+ if (dn == NULL) {
+ return NULL;
+ }
+
+ p = strchr(dn, ',');
+
+ if (p == NULL) {
+ return NULL;
+ }
+
+ return p+1;
+}
+
/**
* Find a machine account given a hostname
* @param ads connection to ads server
* @param host Hostname to search for
* @return status of search
**/
-ADS_STATUS ads_find_machine_acct(ADS_STRUCT *ads, void **res, const char *machine)
+ ADS_STATUS ads_find_machine_acct(ADS_STRUCT *ads, LDAPMessage **res,
+ const char *machine)
{
ADS_STATUS status;
char *expr;
*/
static ADS_STATUS ads_modlist_add(TALLOC_CTX *ctx, ADS_MODLIST *mods,
int mod_op, const char *name,
- const void **invals)
+ const void *_invals)
{
+ const void **invals = (const void **)_invals;
int curmod;
LDAPMod **modlist = (LDAPMod **) *mods;
struct berval **ber_values = NULL;
if (!val)
return ads_modlist_add(ctx, mods, LDAP_MOD_DELETE, name, NULL);
- return ads_modlist_add(ctx, mods, LDAP_MOD_REPLACE, name,
- (const void **) values);
+ return ads_modlist_add(ctx, mods, LDAP_MOD_REPLACE, name, values);
}
/**
name, (const void **) vals);
}
+#if 0
/**
* Add a single ber-encoded value to a mod list
* @param ctx An initialized TALLOC_CTX
return ads_modlist_add(ctx, mods, LDAP_MOD_REPLACE|LDAP_MOD_BVALUES,
name, (const void **) values);
}
+#endif
/**
* Perform an ldap modify
/**
* Build an org unit string
* if org unit is Computers or blank then assume a container, otherwise
- * assume a \ separated list of organisational units
+ * assume a / separated list of organisational units.
+ * jmcd: '\' is now used for escapes so certain chars can be in the ou (e.g. #)
* @param ads connection to ads server
* @param org_unit Organizational unit
* @return org unit string - caller must free
return SMB_STRDUP("cn=Computers");
}
- return ads_build_path(org_unit, "\\/", "ou=", 1);
+ /* jmcd: removed "\\" from the separation chars, because it is
+ needed as an escape for chars like '#' which are valid in an
+ OU name */
+ return ads_build_path(org_unit, "/", "ou=", 1);
}
/**
char *ads_default_ou_string(ADS_STRUCT *ads, const char *wknguid)
{
ADS_STATUS status;
- void *res;
+ LDAPMessage *res;
char *base, *wkn_dn, *ret, **wkn_dn_exp, **bind_dn_exp;
const char *attrs[] = {"distinguishedName", NULL};
int new_ln, wkn_ln, bind_ln, i;
status = ads_search_dn(ads, &res, base, attrs);
if (!ADS_ERR_OK(status)) {
DEBUG(1,("Failed while searching for: %s\n", base));
+ SAFE_FREE(base);
return NULL;
}
- free(base);
+ SAFE_FREE(base);
if (ads_count_replies(ads, res) != 1) {
return NULL;
free(s);
}
+ ads_memfree(ads, wkn_dn);
+ ldap_value_free(wkn_dn_exp);
+ ldap_value_free(bind_dn_exp);
+
return ret;
}
ADS_STATUS ads_add_strlist(TALLOC_CTX *ctx, ADS_MODLIST *mods,
const char *name, const char **vals)
{
- return ads_modlist_add(ctx, mods, LDAP_MOD_ADD, name, (const void **) vals);
+ return ads_modlist_add(ctx, mods, LDAP_MOD_ADD, name,
+ (const void *) vals);
}
/**
if (asprintf(&filter, "(samAccountName=%s$)", machine_name) == -1) {
return kvno;
}
- ret = ads_search(ads, (void**) &res, filter, attrs);
+ ret = ads_search(ads, &res, filter, attrs);
SAFE_FREE(filter);
if (!ADS_ERR_OK(ret) && ads_count_replies(ads, res)) {
DEBUG(1,("ads_get_kvno: Computer Account For %s not found.\n", machine_name));
ADS_STATUS ret = ADS_ERROR(LDAP_SUCCESS);
char *dn_string = NULL;
- ret = ads_find_machine_acct(ads, (void **)&res, machine_name);
+ ret = ads_find_machine_acct(ads, &res, machine_name);
if (!ADS_ERR_OK(ret) || ads_count_replies(ads, res) != 1) {
DEBUG(5,("ads_clear_service_principal_names: WARNING: Host Account for %s not found... skipping operation.\n", machine_name));
DEBUG(5,("ads_clear_service_principal_names: WARNING: Service Principals for %s have NOT been cleared.\n", machine_name));
* (found by hostname) in AD.
* @param ads An initialized ADS_STRUCT
* @param machine_name the NetBIOS name of the computer, which is used to identify the computer account.
+ * @param my_fqdn The fully qualified DNS name of the machine
* @param spn A string of the service principal to add, i.e. 'host'
* @return 0 upon sucess, or non-zero if a failure occurs
**/
-ADS_STATUS ads_add_service_principal_name(ADS_STRUCT *ads, const char *machine_name, const char *spn)
+ADS_STATUS ads_add_service_principal_name(ADS_STRUCT *ads, const char *machine_name,
+ const char *my_fqdn, const char *spn)
{
ADS_STATUS ret;
TALLOC_CTX *ctx;
LDAPMessage *res = NULL;
- char *host_spn, *psp1, *psp2, *psp3;
+ char *psp1, *psp2;
ADS_MODLIST mods;
- fstring my_fqdn;
char *dn_string = NULL;
- const char *servicePrincipalName[4] = {NULL, NULL, NULL, NULL};
+ const char *servicePrincipalName[3] = {NULL, NULL, NULL};
- ret = ads_find_machine_acct(ads, (void **)&res, machine_name);
+ ret = ads_find_machine_acct(ads, &res, machine_name);
if (!ADS_ERR_OK(ret) || ads_count_replies(ads, res) != 1) {
DEBUG(1,("ads_add_service_principal_name: WARNING: Host Account for %s not found... skipping operation.\n",
machine_name));
return ADS_ERROR(LDAP_NO_MEMORY);
}
- name_to_fqdn(my_fqdn, machine_name);
- strlower_m(my_fqdn);
-
- if (!(host_spn = talloc_asprintf(ctx, "HOST/%s", my_fqdn))) {
+ /* add short name spn */
+
+ if ( (psp1 = talloc_asprintf(ctx, "%s/%s", spn, machine_name)) == NULL ) {
talloc_destroy(ctx);
ads_msgfree(ads, res);
- return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
+ return ADS_ERROR(LDAP_NO_MEMORY);
}
-
- /* Add the extra principal */
- psp1 = talloc_asprintf(ctx, "%s/%s", spn, machine_name);
strupper_m(psp1);
strlower_m(&psp1[strlen(spn)]);
- DEBUG(5,("ads_add_service_principal_name: INFO: Adding %s to host %s\n", psp1, machine_name));
servicePrincipalName[0] = psp1;
- psp2 = talloc_asprintf(ctx, "%s/%s.%s", spn, machine_name, ads->config.realm);
+
+ DEBUG(5,("ads_add_service_principal_name: INFO: Adding %s to host %s\n",
+ psp1, machine_name));
+
+
+ /* add fully qualified spn */
+
+ if ( (psp2 = talloc_asprintf(ctx, "%s/%s", spn, my_fqdn)) == NULL ) {
+ ret = ADS_ERROR(LDAP_NO_MEMORY);
+ goto out;
+ }
strupper_m(psp2);
strlower_m(&psp2[strlen(spn)]);
- DEBUG(5,("ads_add_service_principal_name: INFO: Adding %s to host %s\n", psp2, machine_name));
servicePrincipalName[1] = psp2;
- /* Add another principal in case the realm != the DNS domain, so that
- * the KDC doesn't send "server principal unknown" errors to clients
- * which use the DNS name in determining service principal names. */
- psp3 = talloc_asprintf(ctx, "%s/%s", spn, my_fqdn);
- strupper_m(psp3);
- strlower_m(&psp3[strlen(spn)]);
- if (strcmp(psp2, psp3) != 0) {
- DEBUG(5,("ads_add_service_principal_name: INFO: Adding %s to host %s\n", psp3, machine_name));
- servicePrincipalName[2] = psp3;
- }
+ DEBUG(5,("ads_add_service_principal_name: INFO: Adding %s to host %s\n",
+ psp2, machine_name));
- if (!(mods = ads_init_mods(ctx))) {
- talloc_destroy(ctx);
- ads_msgfree(ads, res);
- return ADS_ERROR(LDAP_NO_MEMORY);
+ if ( (mods = ads_init_mods(ctx)) == NULL ) {
+ ret = ADS_ERROR(LDAP_NO_MEMORY);
+ goto out;
}
+
ret = ads_add_strlist(ctx, &mods, "servicePrincipalName", servicePrincipalName);
if (!ADS_ERR_OK(ret)) {
DEBUG(1,("ads_add_service_principal_name: Error: Updating Service Principals in LDAP\n"));
- talloc_destroy(ctx);
- ads_msgfree(ads, res);
- return ret;
+ goto out;
}
- dn_string = ads_get_dn(ads, res);
- if (!dn_string) {
- talloc_destroy(ctx);
- ads_msgfree(ads, res);
- return ADS_ERROR(LDAP_NO_MEMORY);
+
+ if ( (dn_string = ads_get_dn(ads, res)) == NULL ) {
+ ret = ADS_ERROR(LDAP_NO_MEMORY);
+ goto out;
}
+
ret = ads_gen_mod(ads, dn_string, mods);
ads_memfree(ads,dn_string);
if (!ADS_ERR_OK(ret)) {
DEBUG(1,("ads_add_service_principal_name: Error: Updating Service Principals in LDAP\n"));
- talloc_destroy(ctx);
- ads_msgfree(ads, res);
- return ret;
+ goto out;
}
- talloc_destroy(ctx);
+ out:
+ TALLOC_FREE( ctx );
ads_msgfree(ads, res);
return ret;
}
* @return 0 upon success, or non-zero otherwise
**/
-static ADS_STATUS ads_add_machine_acct(ADS_STRUCT *ads, const char *machine_name,
- uint32 account_type,
- const char *org_unit)
+ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, const char *machine_name,
+ const char *org_unit)
{
- ADS_STATUS ret, status;
- char *host_spn, *host_upn, *new_dn, *samAccountName, *controlstr;
+ ADS_STATUS ret;
+ char *samAccountName, *controlstr;
TALLOC_CTX *ctx;
ADS_MODLIST mods;
+ char *new_dn;
const char *objectClass[] = {"top", "person", "organizationalPerson",
"user", "computer", NULL};
- const char *servicePrincipalName[7] = {NULL, NULL, NULL, NULL, NULL, NULL, NULL};
- char *psp, *psp2, *psp3, *psp4;
- unsigned acct_control;
- unsigned exists=0;
- fstring my_fqdn;
LDAPMessage *res = NULL;
- int i, next_spn;
-
+ uint32 acct_control = ( UF_WORKSTATION_TRUST_ACCOUNT |\
+ UF_DONT_EXPIRE_PASSWD |\
+ UF_ACCOUNTDISABLE );
+
if (!(ctx = talloc_init("ads_add_machine_acct")))
return ADS_ERROR(LDAP_NO_MEMORY);
ret = ADS_ERROR(LDAP_NO_MEMORY);
+
+ new_dn = talloc_asprintf(ctx, "cn=%s,%s", machine_name, org_unit);
+ samAccountName = talloc_asprintf(ctx, "%s$", machine_name);
- name_to_fqdn(my_fqdn, machine_name);
-
- status = ads_find_machine_acct(ads, (void **)&res, machine_name);
- if (ADS_ERR_OK(status) && ads_count_replies(ads, res) == 1) {
- char *dn_string = ads_get_dn(ads, res);
- if (!dn_string) {
- DEBUG(1, ("ads_add_machine_acct: ads_get_dn returned NULL (malloc failure?)\n"));
- goto done;
- }
- new_dn = talloc_strdup(ctx, dn_string);
- ads_memfree(ads,dn_string);
- DEBUG(0, ("ads_add_machine_acct: Host account for %s already exists - modifying old account\n",
- machine_name));
- exists=1;
- } else {
- char *ou_str = ads_ou_string(ads,org_unit);
- if (!ou_str) {
- DEBUG(1, ("ads_add_machine_acct: ads_ou_string returned NULL (malloc failure?)\n"));
- goto done;
- }
- new_dn = talloc_asprintf(ctx, "cn=%s,%s,%s", machine_name, ou_str,
- ads->config.bind_path);
-
- SAFE_FREE(ou_str);
- }
-
- if (!new_dn) {
- goto done;
- }
-
- if (!(host_spn = talloc_asprintf(ctx, "HOST/%s", machine_name)))
- goto done;
- if (!(host_upn = talloc_asprintf(ctx, "%s@%s", host_spn, ads->config.realm)))
- goto done;
- servicePrincipalName[0] = talloc_asprintf(ctx, "HOST/%s", machine_name);
- psp = talloc_asprintf(ctx, "HOST/%s.%s",
- machine_name,
- ads->config.realm);
- strlower_m(&psp[5]);
- servicePrincipalName[1] = psp;
- servicePrincipalName[2] = talloc_asprintf(ctx, "CIFS/%s", machine_name);
- psp2 = talloc_asprintf(ctx, "CIFS/%s.%s",
- machine_name,
- ads->config.realm);
- strlower_m(&psp2[5]);
- servicePrincipalName[3] = psp2;
-
- /* Ensure servicePrincipalName[4] and [5] are unique. */
- strlower_m(my_fqdn);
- psp3 = talloc_asprintf(ctx, "CIFS/%s", my_fqdn);
- strlower_m(&psp3[5]);
-
- next_spn = 4;
- for (i = 0; i < next_spn; i++) {
- if (strequal(servicePrincipalName[i], psp3))
- break;
- }
- if (i == next_spn) {
- servicePrincipalName[next_spn++] = psp3;
- }
-
- psp4 = talloc_asprintf(ctx, "HOST/%s", my_fqdn);
- strlower_m(&psp4[5]);
- for (i = 0; i < next_spn; i++) {
- if (strequal(servicePrincipalName[i], psp4))
- break;
- }
- if (i == next_spn) {
- servicePrincipalName[next_spn++] = psp4;
- }
-
- if (!(samAccountName = talloc_asprintf(ctx, "%s$", machine_name))) {
+ if ( !new_dn || !samAccountName ) {
goto done;
}
-
- acct_control = account_type | UF_DONT_EXPIRE_PASSWD;
+
#ifndef ENCTYPE_ARCFOUR_HMAC
acct_control |= UF_USE_DES_KEY_ONLY;
#endif
if (!(mods = ads_init_mods(ctx))) {
goto done;
}
+
+ ads_mod_str(ctx, &mods, "cn", machine_name);
+ ads_mod_str(ctx, &mods, "sAMAccountName", samAccountName);
+ ads_mod_strlist(ctx, &mods, "objectClass", objectClass);
+ ads_mod_str(ctx, &mods, "userAccountControl", controlstr);
- if (!exists) {
- ads_mod_str(ctx, &mods, "cn", machine_name);
- ads_mod_str(ctx, &mods, "sAMAccountName", samAccountName);
- ads_mod_str(ctx, &mods, "userAccountControl", controlstr);
- ads_mod_strlist(ctx, &mods, "objectClass", objectClass);
- }
- ads_mod_str(ctx, &mods, "dNSHostName", my_fqdn);
- ads_mod_str(ctx, &mods, "userPrincipalName", host_upn);
- ads_mod_strlist(ctx, &mods, "servicePrincipalName", servicePrincipalName);
- ads_mod_str(ctx, &mods, "operatingSystem", "Samba");
- ads_mod_str(ctx, &mods, "operatingSystemVersion", SAMBA_VERSION_STRING);
-
- if (!exists) {
- ret = ads_gen_add(ads, new_dn, mods);
- } else {
- ret = ads_gen_mod(ads, new_dn, mods);
- }
-
- if (!ADS_ERR_OK(ret)) {
- goto done;
- }
+ ret = ads_gen_add(ads, new_dn, mods);
- /* Do not fail if we can't set security descriptor
- * it shouldn't be mandatory and probably we just
- * don't have enough rights to do it.
- */
- if (!exists) {
- status = ads_set_machine_sd(ads, machine_name, new_dn);
-
- if (!ADS_ERR_OK(status)) {
- DEBUG(0, ("Warning: ads_set_machine_sd: %s\n",
- ads_errstr(status)));
- }
- }
done:
ads_msgfree(ads, res);
talloc_destroy(ctx);
+
return ret;
}
void (*handler)(const char *, struct berval **);
} handlers[] = {
{"objectGUID", False, dump_guid},
+ {"netbootGUID", False, dump_guid},
{"nTSecurityDescriptor", False, dump_sd},
{"dnsRecord", False, dump_binary},
{"objectSid", False, dump_sid},
{"tokenGroups", False, dump_sid},
+ {"tokenGroupsNoGCAcceptable", False, dump_sid},
+ {"tokengroupsGlobalandUniversal", False, dump_sid},
{NULL, True, NULL}
};
int i;
* @param res Results to dump
**/
-void ads_dump(ADS_STRUCT *ads, void *res)
+ void ads_dump(ADS_STRUCT *ads, LDAPMessage *res)
{
ads_process_results(ads, res, ads_dump_field, NULL);
}
* @param fn Function for processing each result
* @param data_area user-defined area to pass to function
**/
-void ads_process_results(ADS_STRUCT *ads, void *res,
- BOOL(*fn)(char *, void **, void *),
- void *data_area)
+ void ads_process_results(ADS_STRUCT *ads, LDAPMessage *res,
+ BOOL(*fn)(char *, void **, void *),
+ void *data_area)
{
- void *msg;
+ LDAPMessage *msg;
TALLOC_CTX *ctx;
if (!(ctx = talloc_init("ads_process_results")))
}
/**
- * Join a machine to a realm
- * Creates the machine account and sets the machine password
+ * pull the first entry from a ADS result
* @param ads connection to ads server
- * @param machine name of host to add
- * @param org_unit Organizational unit to place machine in
- * @return status of join
+ * @param res Results of search
+ * @return first entry from result
**/
-ADS_STATUS ads_join_realm(ADS_STRUCT *ads, const char *machine_name,
- uint32 account_type, const char *org_unit)
+ LDAPMessage *ads_first_entry(ADS_STRUCT *ads, LDAPMessage *res)
{
- ADS_STATUS status;
- LDAPMessage *res = NULL;
- char *machine;
-
- /* machine name must be lowercase */
- machine = SMB_STRDUP(machine_name);
- strlower_m(machine);
-
- /*
- status = ads_find_machine_acct(ads, (void **)&res, machine);
- if (ADS_ERR_OK(status) && ads_count_replies(ads, res) == 1) {
- DEBUG(0, ("Host account for %s already exists - deleting old account\n", machine));
- status = ads_leave_realm(ads, machine);
- if (!ADS_ERR_OK(status)) {
- DEBUG(0, ("Failed to delete host '%s' from the '%s' realm.\n",
- machine, ads->config.realm));
- return status;
- }
- }
- */
-
- status = ads_add_machine_acct(ads, machine, account_type, org_unit);
- if (!ADS_ERR_OK(status)) {
- DEBUG(0, ("ads_join_realm: ads_add_machine_acct failed (%s): %s\n", machine, ads_errstr(status)));
- SAFE_FREE(machine);
- return status;
- }
-
- status = ads_find_machine_acct(ads, (void **)&res, machine);
- if (!ADS_ERR_OK(status)) {
- DEBUG(0, ("ads_join_realm: Host account test failed for machine %s\n", machine));
- SAFE_FREE(machine);
- return status;
- }
-
- SAFE_FREE(machine);
- ads_msgfree(ads, res);
-
- return status;
+ return ldap_first_entry(ads->ld, res);
}
/**
- * Delete a machine from the realm
+ * pull the next entry from a ADS result
* @param ads connection to ads server
- * @param hostname Machine to remove
- * @return status of delete
+ * @param res Results of search
+ * @return next entry from result
**/
-ADS_STATUS ads_leave_realm(ADS_STRUCT *ads, const char *hostname)
+ LDAPMessage *ads_next_entry(ADS_STRUCT *ads, LDAPMessage *res)
{
- ADS_STATUS status;
- void *res, *msg;
- char *hostnameDN, *host;
- int rc;
-
- /* hostname must be lowercase */
- host = SMB_STRDUP(hostname);
- strlower_m(host);
-
- status = ads_find_machine_acct(ads, &res, host);
- if (!ADS_ERR_OK(status)) {
- DEBUG(0, ("Host account for %s does not exist.\n", host));
- return status;
- }
-
- msg = ads_first_entry(ads, res);
- if (!msg) {
- return ADS_ERROR_SYSTEM(ENOENT);
- }
-
- hostnameDN = ads_get_dn(ads, (LDAPMessage *)msg);
- rc = ldap_delete_s(ads->ld, hostnameDN);
- ads_memfree(ads, hostnameDN);
- if (rc != LDAP_SUCCESS) {
- return ADS_ERROR(rc);
- }
-
- status = ads_find_machine_acct(ads, &res, host);
- if (ADS_ERR_OK(status) && ads_count_replies(ads, res) == 1) {
- DEBUG(0, ("Failed to remove host account.\n"));
- return status;
- }
-
- free(host);
-
- return status;
-}
-
-/**
- * add machine account to existing security descriptor
- * @param ads connection to ads server
- * @param hostname machine to add
- * @param dn DN of security descriptor
- * @return status
- **/
-ADS_STATUS ads_set_machine_sd(ADS_STRUCT *ads, const char *hostname, char *dn)
-{
- const char *attrs[] = {"nTSecurityDescriptor", "objectSid", 0};
- char *expr = 0;
- size_t sd_size = 0;
- struct berval bval = {0, NULL};
- prs_struct ps_wire;
- char *escaped_hostname = escape_ldap_string_alloc(hostname);
-
- LDAPMessage *res = 0;
- LDAPMessage *msg = 0;
- ADS_MODLIST mods = 0;
-
- NTSTATUS status;
- ADS_STATUS ret;
- DOM_SID sid;
- SEC_DESC *psd = NULL;
- TALLOC_CTX *ctx = NULL;
-
- /* Avoid segmentation fault in prs_mem_free if
- * we have to bail out before prs_init */
- ps_wire.is_dynamic = False;
-
- if (!ads) return ADS_ERROR(LDAP_SERVER_DOWN);
-
- ret = ADS_ERROR(LDAP_SUCCESS);
-
- if (!escaped_hostname) {
- return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
- }
-
- if (asprintf(&expr, "(samAccountName=%s$)", escaped_hostname) == -1) {
- DEBUG(1, ("ads_set_machine_sd: asprintf failed!\n"));
- SAFE_FREE(escaped_hostname);
- return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
- }
-
- SAFE_FREE(escaped_hostname);
-
- ret = ads_search(ads, (void *) &res, expr, attrs);
-
- if (!ADS_ERR_OK(ret)) return ret;
-
- if ( !(msg = ads_first_entry(ads, res) )) {
- ret = ADS_ERROR(LDAP_NO_RESULTS_RETURNED);
- goto ads_set_sd_error;
- }
-
- if (!ads_pull_sid(ads, msg, attrs[1], &sid)) {
- ret = ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
- goto ads_set_sd_error;
- }
-
- if (!(ctx = talloc_init("sec_io_desc"))) {
- ret = ADS_ERROR(LDAP_NO_MEMORY);
- goto ads_set_sd_error;
- }
-
- if (!ads_pull_sd(ads, ctx, msg, attrs[0], &psd)) {
- ret = ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
- goto ads_set_sd_error;
- }
-
- status = sec_desc_add_sid(ctx, &psd, &sid, SEC_RIGHTS_FULL_CTRL, &sd_size);
-
- if (!NT_STATUS_IS_OK(status)) {
- ret = ADS_ERROR_NT(status);
- goto ads_set_sd_error;
- }
-
- if (!prs_init(&ps_wire, sd_size, ctx, MARSHALL)) {
- ret = ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
- }
-
- if (!sec_io_desc("sd_wire", &psd, &ps_wire, 1)) {
- ret = ADS_ERROR(LDAP_NO_MEMORY);
- goto ads_set_sd_error;
- }
-
-#if 0
- file_save("/tmp/sec_desc.new", ps_wire.data_p, sd_size);
-#endif
- if (!(mods = ads_init_mods(ctx))) return ADS_ERROR(LDAP_NO_MEMORY);
-
- bval.bv_len = prs_offset(&ps_wire);
- bval.bv_val = TALLOC(ctx, bval.bv_len);
- if (!bval.bv_val) {
- ret = ADS_ERROR(LDAP_NO_MEMORY);
- goto ads_set_sd_error;
- }
-
- prs_set_offset(&ps_wire, 0);
-
- if (!prs_copy_data_out(bval.bv_val, &ps_wire, bval.bv_len)) {
- ret = ADS_ERROR(LDAP_NO_MEMORY);
- goto ads_set_sd_error;
- }
-
- ret = ads_mod_ber(ctx, &mods, attrs[0], &bval);
- if (ADS_ERR_OK(ret)) {
- ret = ads_gen_mod(ads, dn, mods);
- }
-
-ads_set_sd_error:
- ads_msgfree(ads, res);
- prs_mem_free(&ps_wire);
- talloc_destroy(ctx);
- return ret;
-}
-
-/**
- * pull the first entry from a ADS result
- * @param ads connection to ads server
- * @param res Results of search
- * @return first entry from result
- **/
-void *ads_first_entry(ADS_STRUCT *ads, void *res)
-{
- return (void *)ldap_first_entry(ads->ld, (LDAPMessage *)res);
-}
-
-/**
- * pull the next entry from a ADS result
- * @param ads connection to ads server
- * @param res Results of search
- * @return next entry from result
- **/
-void *ads_next_entry(ADS_STRUCT *ads, void *res)
-{
- return (void *)ldap_next_entry(ads->ld, (LDAPMessage *)res);
-}
+ return ldap_next_entry(ads->ld, res);
+}
/**
* pull a single string from a ADS result
* @param field Attribute to retrieve
* @return Result string in talloc context
**/
-char *ads_pull_string(ADS_STRUCT *ads,
- TALLOC_CTX *mem_ctx, void *msg, const char *field)
+ char *ads_pull_string(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, LDAPMessage *msg,
+ const char *field)
{
char **values;
char *ret = NULL;
* @param field Attribute to retrieve
* @return Result strings in talloc context
**/
-char **ads_pull_strings(ADS_STRUCT *ads,
- TALLOC_CTX *mem_ctx, void *msg, const char *field,
- size_t *num_values)
+ char **ads_pull_strings(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx,
+ LDAPMessage *msg, const char *field,
+ size_t *num_values)
{
char **values;
char **ret = NULL;
* @param more_values Are there more values to get?
* @return Result strings in talloc context
**/
-char **ads_pull_strings_range(ADS_STRUCT *ads,
- TALLOC_CTX *mem_ctx,
- void *msg, const char *field,
- char **current_strings,
- const char **next_attribute,
- size_t *num_strings,
- BOOL *more_strings)
+ char **ads_pull_strings_range(ADS_STRUCT *ads,
+ TALLOC_CTX *mem_ctx,
+ LDAPMessage *msg, const char *field,
+ char **current_strings,
+ const char **next_attribute,
+ size_t *num_strings,
+ BOOL *more_strings)
{
char *attr;
char *expected_range_attrib, *range_attr;
if ((*num_strings) != range_start) {
DEBUG(1, ("ads_pull_strings_range: Range attribute (%s) doesn't start at %u, but at %lu"
" - aborting range retreival\n",
- range_attr, *num_strings + 1, range_start));
+ range_attr, (unsigned int)(*num_strings) + 1, range_start));
ldap_memfree(range_attr);
*more_strings = False;
return NULL;
return NULL;
}
- memcpy(&strings[*num_strings], new_strings,
- sizeof(*new_strings) * num_new_strings);
+ if (new_strings && num_new_strings) {
+ memcpy(&strings[*num_strings], new_strings,
+ sizeof(*new_strings) * num_new_strings);
+ }
(*num_strings) += num_new_strings;
*next_attribute = talloc_asprintf(mem_ctx,
"%s;range=%d-*",
field,
- *num_strings);
+ (int)*num_strings);
if (!*next_attribute) {
DEBUG(1, ("talloc_asprintf for next attribute failed!\n"));
* @param v Pointer to int to store result
* @return boolean inidicating success
*/
-BOOL ads_pull_uint32(ADS_STRUCT *ads,
- void *msg, const char *field, uint32 *v)
+ BOOL ads_pull_uint32(ADS_STRUCT *ads, LDAPMessage *msg, const char *field,
+ uint32 *v)
{
char **values;
* @param guid 37-byte area to receive text guid
* @return boolean indicating success
**/
-BOOL ads_pull_guid(ADS_STRUCT *ads,
- void *msg, struct uuid *guid)
+ BOOL ads_pull_guid(ADS_STRUCT *ads, LDAPMessage *msg, struct uuid *guid)
{
char **values;
UUID_FLAT flat_guid;
* @param sid Pointer to sid to store result
* @return boolean inidicating success
*/
-BOOL ads_pull_sid(ADS_STRUCT *ads,
- void *msg, const char *field, DOM_SID *sid)
+ BOOL ads_pull_sid(ADS_STRUCT *ads, LDAPMessage *msg, const char *field,
+ DOM_SID *sid)
{
struct berval **values;
BOOL ret = False;
* @param sids pointer to sid array to allocate
* @return the count of SIDs pulled
**/
-int ads_pull_sids(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx,
- void *msg, const char *field, DOM_SID **sids)
+ int ads_pull_sids(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx,
+ LDAPMessage *msg, const char *field, DOM_SID **sids)
{
struct berval **values;
BOOL ret;
* @param sd Pointer to *SEC_DESC to store result (talloc()ed)
* @return boolean inidicating success
*/
-BOOL ads_pull_sd(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx,
- void *msg, const char *field, SEC_DESC **sd)
+ BOOL ads_pull_sd(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx,
+ LDAPMessage *msg, const char *field, SEC_DESC **sd)
{
struct berval **values;
prs_struct ps;
* @param msg Results of search
* @return the username
*/
-char *ads_pull_username(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, void *msg)
+ char *ads_pull_username(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx,
+ LDAPMessage *msg)
{
#if 0 /* JERRY */
char *ret, *p;
{
const char *attrs[] = {"highestCommittedUSN", NULL};
ADS_STATUS status;
- void *res;
+ LDAPMessage *res;
status = ads_do_search_retry(ads, "", LDAP_SCOPE_BASE, "(objectclass=*)", attrs, &res);
if (!ADS_ERR_OK(status))
return timegm(&tm);
}
+/********************************************************************
+********************************************************************/
-const char *ads_get_attrname_by_oid(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, const char * OID)
+ADS_STATUS ads_current_time(ADS_STRUCT *ads)
{
- ADS_STATUS rc;
- int count = 0;
- void *res = NULL;
- char *expr = NULL;
- const char *attrs[] = { "lDAPDisplayName", NULL };
+ const char *attrs[] = {"currentTime", NULL};
+ ADS_STATUS status;
+ LDAPMessage *res;
+ char *timestr;
+ TALLOC_CTX *ctx;
+ ADS_STRUCT *ads_s = ads;
- if (ads == NULL || mem_ctx == NULL || OID == NULL) {
- goto failed;
+ if (!(ctx = talloc_init("ads_current_time"))) {
+ return ADS_ERROR(LDAP_NO_MEMORY);
}
- expr = talloc_asprintf(mem_ctx, "(attributeId=%s)", OID);
- if (expr == NULL) {
- goto failed;
+ /* establish a new ldap tcp session if necessary */
+
+ if ( !ads->ld ) {
+ if ( (ads_s = ads_init( ads->server.realm, ads->server.workgroup,
+ ads->server.ldap_server )) == NULL )
+ {
+ goto done;
+ }
+ ads_s->auth.flags = ADS_AUTH_ANON_BIND;
+ status = ads_connect( ads_s );
+ if ( !ADS_ERR_OK(status))
+ goto done;
}
- rc = ads_do_search_retry(ads, ads->config.schema_path,
- LDAP_SCOPE_SUBTREE, expr, attrs, &res);
- if (!ADS_ERR_OK(rc)) {
- goto failed;
+ status = ads_do_search(ads_s, "", LDAP_SCOPE_BASE, "(objectclass=*)", attrs, &res);
+ if (!ADS_ERR_OK(status)) {
+ goto done;
}
- count = ads_count_replies(ads, res);
- if (count == 0 || !res) {
- goto failed;
+ timestr = ads_pull_string(ads_s, ctx, res, "currentTime");
+ if (!timestr) {
+ ads_msgfree(ads, res);
+ status = ADS_ERROR(LDAP_NO_RESULTS_RETURNED);
+ goto done;
}
- return ads_pull_string(ads, mem_ctx, res, "lDAPDisplayName");
+ /* but save the time and offset in the original ADS_STRUCT */
-failed:
- DEBUG(0,("ads_get_attrname_by_oid: failed to retrieve name for oid: %s\n",
- OID));
+ ads->config.current_time = ads_parse_time(timestr);
+
+ if (ads->config.current_time != 0) {
+ ads->auth.time_offset = ads->config.current_time - time(NULL);
+ DEBUG(4,("time offset is %d seconds\n", ads->auth.time_offset));
+ }
+
+ ads_msgfree(ads, res);
+
+ status = ADS_SUCCESS;
+
+done:
+ /* free any temporary ads connections */
+ if ( ads_s != ads ) {
+ ads_destroy( &ads_s );
+ }
+ talloc_destroy(ctx);
+
+ return status;
+}
+
+/********************************************************************
+********************************************************************/
+
+ADS_STATUS ads_domain_func_level(ADS_STRUCT *ads, uint32 *val)
+{
+ const char *attrs[] = {"domainFunctionality", NULL};
+ ADS_STATUS status;
+ LDAPMessage *res;
+ ADS_STRUCT *ads_s = ads;
- return NULL;
+ *val = DS_DOMAIN_FUNCTION_2000;
+
+ /* establish a new ldap tcp session if necessary */
+
+ if ( !ads->ld ) {
+ if ( (ads_s = ads_init( ads->server.realm, ads->server.workgroup,
+ ads->server.ldap_server )) == NULL )
+ {
+ goto done;
+ }
+ ads_s->auth.flags = ADS_AUTH_ANON_BIND;
+ status = ads_connect( ads_s );
+ if ( !ADS_ERR_OK(status))
+ goto done;
+ }
+
+ /* If the attribute does not exist assume it is a Windows 2000
+ functional domain */
+
+ status = ads_do_search(ads_s, "", LDAP_SCOPE_BASE, "(objectclass=*)", attrs, &res);
+ if (!ADS_ERR_OK(status)) {
+ if ( status.err.rc == LDAP_NO_SUCH_ATTRIBUTE ) {
+ status = ADS_SUCCESS;
+ }
+ goto done;
+ }
+
+ if ( !ads_pull_uint32(ads_s, res, "domainFunctionality", val) ) {
+ DEBUG(5,("ads_domain_func_level: Failed to pull the domainFunctionality attribute.\n"));
+ }
+ DEBUG(3,("ads_domain_func_level: %d\n", *val));
+
+
+ ads_msgfree(ads, res);
+
+done:
+ /* free any temporary ads connections */
+ if ( ads_s != ads ) {
+ ads_destroy( &ads_s );
+ }
+
+ return status;
}
/**
- * Find the servers name and realm - this can be done before authentication
- * The ldapServiceName field on w2k looks like this:
- * vnet3.home.samba.org:win2000-vnet3$@VNET3.HOME.SAMBA.ORG
+ * find the domain sid for our domain
* @param ads connection to ads server
+ * @param sid Pointer to domain sid
* @return status of search
**/
-ADS_STATUS ads_server_info(ADS_STRUCT *ads)
+ADS_STATUS ads_domain_sid(ADS_STRUCT *ads, DOM_SID *sid)
{
- const char *attrs[] = {"ldapServiceName",
- "currentTime",
- "schemaNamingContext", NULL};
- ADS_STATUS status;
- void *res;
- char *value;
- char *p;
- char *timestr;
- char *schema_path;
- TALLOC_CTX *ctx;
+ const char *attrs[] = {"objectSid", NULL};
+ LDAPMessage *res;
+ ADS_STATUS rc;
- if (!(ctx = talloc_init("ads_server_info"))) {
- return ADS_ERROR(LDAP_NO_MEMORY);
+ rc = ads_do_search_retry(ads, ads->config.bind_path, LDAP_SCOPE_BASE, "(objectclass=*)",
+ attrs, &res);
+ if (!ADS_ERR_OK(rc)) return rc;
+ if (!ads_pull_sid(ads, res, "objectSid", sid)) {
+ ads_msgfree(ads, res);
+ return ADS_ERROR_SYSTEM(ENOENT);
}
+ ads_msgfree(ads, res);
+
+ return ADS_SUCCESS;
+}
+
+/**
+ * find our site name
+ * @param ads connection to ads server
+ * @param mem_ctx Pointer to talloc context
+ * @param site_name Pointer to the sitename
+ * @return status of search
+ **/
+ADS_STATUS ads_site_dn(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, const char **site_name)
+{
+ ADS_STATUS status;
+ LDAPMessage *res;
+ const char *dn, *service_name;
+ const char *attrs[] = { "dsServiceName", NULL };
status = ads_do_search(ads, "", LDAP_SCOPE_BASE, "(objectclass=*)", attrs, &res);
if (!ADS_ERR_OK(status)) {
- talloc_destroy(ctx);
return status;
}
- value = ads_pull_string(ads, ctx, res, "ldapServiceName");
- if (!value) {
- ads_msgfree(ads, res);
- talloc_destroy(ctx);
+ service_name = ads_pull_string(ads, mem_ctx, res, "dsServiceName");
+ if (service_name == NULL) {
return ADS_ERROR(LDAP_NO_RESULTS_RETURNED);
}
- timestr = ads_pull_string(ads, ctx, res, "currentTime");
- if (!timestr) {
- ads_msgfree(ads, res);
- talloc_destroy(ctx);
- return ADS_ERROR(LDAP_NO_RESULTS_RETURNED);
+ /* go up three levels */
+ dn = ads_parent_dn(ads_parent_dn(ads_parent_dn(service_name)));
+ if (dn == NULL) {
+ return ADS_ERROR(LDAP_NO_MEMORY);
}
- schema_path = ads_pull_string(ads, ctx, res, "schemaNamingContext");
- if (!schema_path) {
- ads_msgfree(ads, res);
- talloc_destroy(ctx);
- return ADS_ERROR(LDAP_NO_RESULTS_RETURNED);
+ *site_name = talloc_strdup(mem_ctx, dn);
+ if (*site_name == NULL) {
+ return ADS_ERROR(LDAP_NO_MEMORY);
}
- SAFE_FREE(ads->config.schema_path);
- ads->config.schema_path = SMB_STRDUP(schema_path);
-
ads_msgfree(ads, res);
- p = strchr(value, ':');
- if (!p) {
- talloc_destroy(ctx);
- DEBUG(1, ("ads_server_info: returned ldap server name did not contain a ':' "
- "so was deemed invalid\n"));
- return ADS_ERROR(LDAP_DECODING_ERROR);
+ return status;
+ /*
+ dsServiceName: CN=NTDS Settings,CN=W2K3DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ber,DC=suse,DC=de
+ */
+}
+
+/**
+ * find the site dn where a machine resides
+ * @param ads connection to ads server
+ * @param mem_ctx Pointer to talloc context
+ * @param computer_name name of the machine
+ * @param site_name Pointer to the sitename
+ * @return status of search
+ **/
+ADS_STATUS ads_site_dn_for_machine(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, const char *computer_name, const char **site_dn)
+{
+ ADS_STATUS status;
+ LDAPMessage *res;
+ const char *parent, *config_context, *filter;
+ const char *attrs[] = { "configurationNamingContext", NULL };
+ char *dn;
+
+ /* shortcut a query */
+ if (strequal(computer_name, ads->config.ldap_server_name)) {
+ return ads_site_dn(ads, mem_ctx, site_dn);
}
- SAFE_FREE(ads->config.ldap_server_name);
+ status = ads_do_search(ads, "", LDAP_SCOPE_BASE, "(objectclass=*)", attrs, &res);
+ if (!ADS_ERR_OK(status)) {
+ return status;
+ }
- ads->config.ldap_server_name = SMB_STRDUP(p+1);
- p = strchr(ads->config.ldap_server_name, '$');
- if (!p || p[1] != '@') {
- talloc_destroy(ctx);
- DEBUG(1, ("ads_server_info: returned ldap server name (%s) does not contain '$@'"
- " so was deemed invalid\n", ads->config.ldap_server_name));
- SAFE_FREE(ads->config.ldap_server_name);
- return ADS_ERROR(LDAP_DECODING_ERROR);
+ config_context = ads_pull_string(ads, mem_ctx, res, "configurationNamingContext");
+ if (config_context == NULL) {
+ return ADS_ERROR(LDAP_NO_MEMORY);
}
- *p = 0;
+ filter = talloc_asprintf(mem_ctx, "(cn=%s)", computer_name);
+ if (filter == NULL) {
+ return ADS_ERROR(LDAP_NO_MEMORY);
+ }
- SAFE_FREE(ads->config.realm);
- SAFE_FREE(ads->config.bind_path);
+ status = ads_do_search(ads, config_context, LDAP_SCOPE_SUBTREE, filter, NULL, &res);
+ if (!ADS_ERR_OK(status)) {
+ return status;
+ }
- ads->config.realm = SMB_STRDUP(p+2);
- ads->config.bind_path = ads_build_dn(ads->config.realm);
+ if (ads_count_replies(ads, res) != 1) {
+ return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
+ }
- DEBUG(3,("got ldap server name %s@%s, using bind path: %s\n",
- ads->config.ldap_server_name, ads->config.realm,
- ads->config.bind_path));
+ dn = ads_get_dn(ads, res);
+ if (dn == NULL) {
+ return ADS_ERROR(LDAP_NO_MEMORY);
+ }
- ads->config.current_time = ads_parse_time(timestr);
+ /* go up three levels */
+ parent = ads_parent_dn(ads_parent_dn(ads_parent_dn(dn)));
+ if (parent == NULL) {
+ ads_memfree(ads, dn);
+ return ADS_ERROR(LDAP_NO_MEMORY);
+ }
- if (ads->config.current_time != 0) {
- ads->auth.time_offset = ads->config.current_time - time(NULL);
- DEBUG(4,("time offset is %d seconds\n", ads->auth.time_offset));
+ *site_dn = talloc_strdup(mem_ctx, parent);
+ if (*site_dn == NULL) {
+ ads_memfree(ads, dn);
+ ADS_ERROR(LDAP_NO_MEMORY);
}
- talloc_destroy(ctx);
+ ads_memfree(ads, dn);
+ ads_msgfree(ads, res);
- return ADS_SUCCESS;
+ return status;
}
/**
- * Check for "Services for Unix"-Schema and load some attributes into the ADS_STRUCT
+ * get the upn suffixes for a domain
* @param ads connection to ads server
- * @return BOOL status of search (False if one or more attributes couldn't be
- * found in Active Directory)
- **/
-BOOL ads_check_sfu_mapping(ADS_STRUCT *ads)
-{
- BOOL ret = False;
- TALLOC_CTX *ctx = NULL;
- const char *gidnumber, *uidnumber, *homedir, *shell;
-
- ctx = talloc_init("ads_check_sfu_mapping");
- if (ctx == NULL)
- goto done;
+ * @param mem_ctx Pointer to talloc context
+ * @param suffixes Pointer to an array of suffixes
+ * @param site_name Pointer to the number of suffixes
+ * @return status of search
+ **/
+ADS_STATUS ads_upn_suffixes(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, char **suffixes, size_t *num_suffixes)
+{
+ ADS_STATUS status;
+ LDAPMessage *res;
+ const char *config_context, *base;
+ const char *attrs[] = { "configurationNamingContext", NULL };
+ const char *attrs2[] = { "uPNSuffixes", NULL };
- gidnumber = ads_get_attrname_by_oid(ads, ctx, ADS_ATTR_SFU_GIDNUMBER_OID);
- if (gidnumber == NULL)
- goto done;
- ads->schema.sfu_gidnumber_attr = SMB_STRDUP(gidnumber);
+ status = ads_do_search(ads, "", LDAP_SCOPE_BASE, "(objectclass=*)", attrs, &res);
+ if (!ADS_ERR_OK(status)) {
+ return status;
+ }
- uidnumber = ads_get_attrname_by_oid(ads, ctx, ADS_ATTR_SFU_UIDNUMBER_OID);
- if (uidnumber == NULL)
- goto done;
- ads->schema.sfu_uidnumber_attr = SMB_STRDUP(uidnumber);
+ config_context = ads_pull_string(ads, mem_ctx, res, "configurationNamingContext");
+ if (config_context == NULL) {
+ return ADS_ERROR(LDAP_NO_MEMORY);
+ }
- homedir = ads_get_attrname_by_oid(ads, ctx, ADS_ATTR_SFU_HOMEDIR_OID);
- if (homedir == NULL)
- goto done;
- ads->schema.sfu_homedir_attr = SMB_STRDUP(homedir);
-
- shell = ads_get_attrname_by_oid(ads, ctx, ADS_ATTR_SFU_SHELL_OID);
- if (shell == NULL)
- goto done;
- ads->schema.sfu_shell_attr = SMB_STRDUP(shell);
+ base = talloc_asprintf(mem_ctx, "cn=Partitions,%s", config_context);
+ if (base == NULL) {
+ return ADS_ERROR(LDAP_NO_MEMORY);
+ }
- ret = True;
-done:
- if (ctx)
- talloc_destroy(ctx);
-
- return ret;
+ status = ads_search_dn(ads, &res, base, attrs2);
+ if (!ADS_ERR_OK(status)) {
+ return status;
+ }
+
+ if (ads_count_replies(ads, res) != 1) {
+ return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
+ }
+
+ suffixes = ads_pull_strings(ads, mem_ctx, res, "uPNSuffixes", num_suffixes);
+ if (suffixes == NULL) {
+ ads_msgfree(ads, res);
+ return ADS_ERROR(LDAP_NO_MEMORY);
+ }
+
+ ads_msgfree(ads, res);
+
+ return status;
}
/**
- * find the domain sid for our domain
- * @param ads connection to ads server
- * @param sid Pointer to domain sid
- * @return status of search
+ * pull a DOM_SID from an extended dn string
+ * @param mem_ctx TALLOC_CTX
+ * @param flags string type of extended_dn
+ * @param sid pointer to a DOM_SID
+ * @return boolean inidicating success
**/
-ADS_STATUS ads_domain_sid(ADS_STRUCT *ads, DOM_SID *sid)
+BOOL ads_get_sid_from_extended_dn(TALLOC_CTX *mem_ctx,
+ const char *dn,
+ enum ads_extended_dn_flags flags,
+ DOM_SID *sid)
{
- const char *attrs[] = {"objectSid", NULL};
- void *res;
- ADS_STATUS rc;
+ char *p, *q;
- rc = ads_do_search_retry(ads, ads->config.bind_path, LDAP_SCOPE_BASE, "(objectclass=*)",
- attrs, &res);
- if (!ADS_ERR_OK(rc)) return rc;
- if (!ads_pull_sid(ads, res, "objectSid", sid)) {
- ads_msgfree(ads, res);
- return ADS_ERROR_SYSTEM(ENOENT);
+ if (!dn) {
+ return False;
+ }
+
+ /*
+ * ADS_EXTENDED_DN_HEX_STRING:
+ * <GUID=238e1963cb390f4bb032ba0105525a29>;<SID=010500000000000515000000bb68c8fd6b61b427572eb04556040000>;CN=gd,OU=berlin,OU=suse,DC=ber,DC=suse,DC=de
+ *
+ * ADS_EXTENDED_DN_STRING (only with w2k3):
+ <GUID=63198e23-39cb-4b0f-b032-ba0105525a29>;<SID=S-1-5-21-4257769659-666132843-1169174103-1110>;CN=gd,OU=berlin,OU=suse,DC=ber,DC=suse,DC=de
+ */
+
+ p = strchr(dn, ';');
+ if (!p) {
+ return False;
+ }
+
+ if (strncmp(p, ";<SID=", strlen(";<SID=")) != 0) {
+ return False;
+ }
+
+ p += strlen(";<SID=");
+
+ q = strchr(p, '>');
+ if (!q) {
+ return False;
}
- ads_msgfree(ads, res);
- return ADS_SUCCESS;
-}
+ *q = '\0';
-/* this is rather complex - we need to find the allternate (netbios) name
- for the domain, but there isn't a simple query to do this. Instead
- we look for the principle names on the DCs account and find one that has
- the right form, then extract the netbios name of the domain from that
+ DEBUG(100,("ads_get_sid_from_extended_dn: sid string is %s\n", p));
- NOTE! better method is this:
+ switch (flags) {
+
+ case ADS_EXTENDED_DN_STRING:
+ if (!string_to_sid(sid, p)) {
+ return False;
+ }
+ break;
+ case ADS_EXTENDED_DN_HEX_STRING: {
+ pstring buf;
+ size_t buf_len;
-bin/net -Uadministrator%XXXXX ads search '(&(objectclass=crossref)(dnsroot=VNET3.HOME.SAMBA.ORG))' nETBIOSName
+ buf_len = strhex_to_str(buf, strlen(p), p);
+ if (buf_len == 0) {
+ return False;
+ }
-but you need to force the bind path to match the configurationNamingContext from the rootDSE
+ if (!sid_parse(buf, buf_len, sid)) {
+ DEBUG(10,("failed to parse sid\n"));
+ return False;
+ }
+ break;
+ }
+ default:
+ DEBUG(10,("unknown extended dn format\n"));
+ return False;
+ }
-*/
-ADS_STATUS ads_workgroup_name(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, const char **workgroup)
+ return True;
+}
+
+/**
+ * pull an array of DOM_SIDs from a ADS result
+ * @param ads connection to ads server
+ * @param mem_ctx TALLOC_CTX for allocating sid array
+ * @param msg Results of search
+ * @param field Attribute to retrieve
+ * @param flags string type of extended_dn
+ * @param sids pointer to sid array to allocate
+ * @return the count of SIDs pulled
+ **/
+ int ads_pull_sids_from_extendeddn(ADS_STRUCT *ads,
+ TALLOC_CTX *mem_ctx,
+ LDAPMessage *msg,
+ const char *field,
+ enum ads_extended_dn_flags flags,
+ DOM_SID **sids)
{
- char *expr;
- ADS_STATUS rc;
- char **principles;
- char *prefix;
- int prefix_length;
int i;
- void *res;
- const char *attrs[] = {"servicePrincipalName", NULL};
- size_t num_principals;
+ size_t dn_count;
+ char **dn_strings;
- (*workgroup) = NULL;
+ if ((dn_strings = ads_pull_strings(ads, mem_ctx, msg, field,
+ &dn_count)) == NULL) {
+ return 0;
+ }
- asprintf(&expr, "(&(objectclass=computer)(dnshostname=%s.%s))",
- ads->config.ldap_server_name, ads->config.realm);
- if (expr == NULL) {
- ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
+ (*sids) = TALLOC_ZERO_ARRAY(mem_ctx, DOM_SID, dn_count + 1);
+ if (!(*sids)) {
+ TALLOC_FREE(dn_strings);
+ return 0;
}
- rc = ads_search(ads, &res, expr, attrs);
- free(expr);
+ for (i=0; i<dn_count; i++) {
- if (!ADS_ERR_OK(rc)) {
- return rc;
+ if (!ads_get_sid_from_extended_dn(mem_ctx, dn_strings[i],
+ flags, &(*sids)[i])) {
+ TALLOC_FREE(*sids);
+ TALLOC_FREE(dn_strings);
+ return 0;
+ }
}
- principles = ads_pull_strings(ads, mem_ctx, res,
- "servicePrincipalName", &num_principals);
+ TALLOC_FREE(dn_strings);
- ads_msgfree(ads, res);
+ return dn_count;
+}
- if (!principles) {
- return ADS_ERROR(LDAP_NO_RESULTS_RETURNED);
+/********************************************************************
+********************************************************************/
+
+char* ads_get_dnshostname( ADS_STRUCT *ads, TALLOC_CTX *ctx, const char *machine_name )
+{
+ LDAPMessage *res = NULL;
+ ADS_STATUS status;
+ int count = 0;
+ char *name = NULL;
+
+ status = ads_find_machine_acct(ads, &res, global_myname());
+ if (!ADS_ERR_OK(status)) {
+ DEBUG(0,("ads_get_dnshostname: Failed to find account for %s\n",
+ global_myname()));
+ goto out;
+ }
+
+ if ( (count = ads_count_replies(ads, res)) != 1 ) {
+ DEBUG(1,("ads_get_dnshostname: %d entries returned!\n", count));
+ goto out;
+ }
+
+ if ( (name = ads_pull_string(ads, ctx, res, "dNSHostName")) == NULL ) {
+ DEBUG(0,("ads_get_dnshostname: No dNSHostName attribute!\n"));
}
- asprintf(&prefix, "HOST/%s.%s/",
- ads->config.ldap_server_name,
- ads->config.realm);
+out:
+ ads_msgfree(ads, res);
+
+ return name;
+}
- prefix_length = strlen(prefix);
+/********************************************************************
+********************************************************************/
- for (i=0;principles[i]; i++) {
- if (strnequal(principles[i], prefix, prefix_length) &&
- !strequal(ads->config.realm, principles[i]+prefix_length) &&
- !strchr(principles[i]+prefix_length, '.')) {
- /* found an alternate (short) name for the domain. */
- DEBUG(3,("Found alternate name '%s' for realm '%s'\n",
- principles[i]+prefix_length,
- ads->config.realm));
- (*workgroup) = talloc_strdup(mem_ctx, principles[i]+prefix_length);
- break;
- }
+char* ads_get_upn( ADS_STRUCT *ads, TALLOC_CTX *ctx, const char *machine_name )
+{
+ LDAPMessage *res = NULL;
+ ADS_STATUS status;
+ int count = 0;
+ char *name = NULL;
+
+ status = ads_find_machine_acct(ads, &res, global_myname());
+ if (!ADS_ERR_OK(status)) {
+ DEBUG(0,("ads_get_upn: Failed to find account for %s\n",
+ global_myname()));
+ goto out;
+ }
+
+ if ( (count = ads_count_replies(ads, res)) != 1 ) {
+ DEBUG(1,("ads_get_upn: %d entries returned!\n", count));
+ goto out;
+ }
+
+ if ( (name = ads_pull_string(ads, ctx, res, "userPrincipalName")) == NULL ) {
+ DEBUG(2,("ads_get_upn: No userPrincipalName attribute!\n"));
}
- free(prefix);
- if (!*workgroup) {
- return ADS_ERROR(LDAP_NO_RESULTS_RETURNED);
+out:
+ ads_msgfree(ads, res);
+
+ return name;
+}
+
+/********************************************************************
+********************************************************************/
+
+char* ads_get_samaccountname( ADS_STRUCT *ads, TALLOC_CTX *ctx, const char *machine_name )
+{
+ LDAPMessage *res = NULL;
+ ADS_STATUS status;
+ int count = 0;
+ char *name = NULL;
+
+ status = ads_find_machine_acct(ads, &res, global_myname());
+ if (!ADS_ERR_OK(status)) {
+ DEBUG(0,("ads_get_dnshostname: Failed to find account for %s\n",
+ global_myname()));
+ goto out;
+ }
+
+ if ( (count = ads_count_replies(ads, res)) != 1 ) {
+ DEBUG(1,("ads_get_dnshostname: %d entries returned!\n", count));
+ goto out;
}
+
+ if ( (name = ads_pull_string(ads, ctx, res, "sAMAccountName")) == NULL ) {
+ DEBUG(0,("ads_get_dnshostname: No sAMAccountName attribute!\n"));
+ }
+
+out:
+ ads_msgfree(ads, res);
- return ADS_SUCCESS;
+ return name;
}
#endif
git.samba.org / sfrench / samba-autobuild / .git / blobdiff