2 Unix SMB/Netbios implementation.
4 ads (active directory) utility library
5 Copyright (C) Andrew Tridgell 2001
6 Copyright (C) Remus Koos 2001
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 2 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program; if not, write to the Free Software
21 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
29 connect to the LDAP server
31 ADS_STATUS ads_connect(ADS_STRUCT *ads)
33 int version = LDAP_VERSION3;
36 ads->last_attempt = time(NULL);
38 ads->ld = ldap_open(ads->ldap_server, ads->ldap_port);
40 return ADS_ERROR_SYSTEM(errno)
42 status = ads_server_info(ads);
43 if (!ADS_ERR_OK(status)) {
44 DEBUG(1,("Failed to get ldap server info\n"));
48 ldap_set_option(ads->ld, LDAP_OPT_PROTOCOL_VERSION, &version);
51 ads_kinit_password(ads);
54 return ads_sasl_bind(ads);
58 do a search with a timeout
60 ADS_STATUS ads_do_search(ADS_STRUCT *ads, const char *bind_path, int scope,
62 const char **attrs, void **res)
64 struct timeval timeout;
67 timeout.tv_sec = ADS_SEARCH_TIMEOUT;
71 rc = ldap_search_ext_s(ads->ld,
73 exp, attrs, 0, NULL, NULL,
74 &timeout, LDAP_NO_LIMIT, (LDAPMessage **)res);
78 do a general ADS search
80 ADS_STATUS ads_search(ADS_STRUCT *ads, void **res,
84 return ads_do_search(ads, ads->bind_path, LDAP_SCOPE_SUBTREE,
89 do a search on a specific DistinguishedName
91 ADS_STATUS ads_search_dn(ADS_STRUCT *ads, void **res,
95 return ads_do_search(ads, dn, LDAP_SCOPE_BASE, "(objectclass=*)", attrs, res);
99 free up memory from a ads_search
101 void ads_msgfree(ADS_STRUCT *ads, void *msg)
108 find a machine account given a hostname
110 ADS_STATUS ads_find_machine_acct(ADS_STRUCT *ads, void **res, const char *host)
114 const char *attrs[] = {"*", "nTSecurityDescriptor", NULL};
116 /* the easiest way to find a machine account anywhere in the tree
117 is to look for hostname$ */
118 asprintf(&exp, "(samAccountName=%s$)", host);
119 status = ads_search(ads, res, exp, attrs);
126 a convenient routine for adding a generic LDAP record
128 ADS_STATUS ads_gen_add(ADS_STRUCT *ads, const char *new_dn, ...)
135 #define MAX_MOD_VALUES 10
137 /* count the number of attributes */
138 va_start(ap, new_dn);
139 for (i=0; va_arg(ap, char *); i++) {
140 /* skip the values */
141 while (va_arg(ap, char *)) ;
145 mods = malloc(sizeof(LDAPMod *) * (i+1));
147 va_start(ap, new_dn);
148 for (i=0; (name=va_arg(ap, char *)); i++) {
151 values = (char **)malloc(sizeof(char *) * (MAX_MOD_VALUES+1));
152 for (j=0; (value=va_arg(ap, char *)) && j < MAX_MOD_VALUES; j++) {
156 mods[i] = malloc(sizeof(LDAPMod));
157 mods[i]->mod_type = name;
158 mods[i]->mod_op = LDAP_MOD_ADD;
159 mods[i]->mod_values = values;
164 ret = ldap_add_s(ads->ld, new_dn, mods);
166 for (i=0; mods[i]; i++) {
167 free(mods[i]->mod_values);
172 return ADS_ERROR(ret);
176 build an org unit string
177 if org unit is Computers or blank then assume a container, otherwise
178 assume a \ separated list of organisational units
181 char *ads_ou_string(const char *org_unit)
183 if (!org_unit || !*org_unit || strcasecmp(org_unit, "Computers") == 0) {
184 return strdup("cn=Computers");
187 return ads_build_path(org_unit, "\\/", "ou=", 1);
193 add a machine account to the ADS server
195 static ADS_STATUS ads_add_machine_acct(ADS_STRUCT *ads, const char *hostname,
196 const char *org_unit)
199 char *host_spn, *host_upn, *new_dn, *samAccountName, *controlstr;
202 asprintf(&host_spn, "HOST/%s", hostname);
203 asprintf(&host_upn, "%s@%s", host_spn, ads->realm);
204 ou_str = ads_ou_string(org_unit);
205 asprintf(&new_dn, "cn=%s,%s,%s", hostname, ou_str, ads->bind_path);
207 asprintf(&samAccountName, "%s$", hostname);
208 asprintf(&controlstr, "%u",
209 UF_DONT_EXPIRE_PASSWD | UF_WORKSTATION_TRUST_ACCOUNT |
210 UF_TRUSTED_FOR_DELEGATION | UF_USE_DES_KEY_ONLY);
212 ret = ads_gen_add(ads, new_dn,
213 "cn", hostname, NULL,
214 "sAMAccountName", samAccountName, NULL,
216 "top", "person", "organizationalPerson",
217 "user", "computer", NULL,
218 "userPrincipalName", host_upn, NULL,
219 "servicePrincipalName", host_spn, NULL,
220 "dNSHostName", hostname, NULL,
221 "userAccountControl", controlstr, NULL,
222 "operatingSystem", "Samba", NULL,
223 "operatingSystemVersion", VERSION, NULL,
229 free(samAccountName);
236 dump a binary result from ldap
238 static void dump_binary(const char *field, struct berval **values)
241 for (i=0; values[i]; i++) {
242 printf("%s: ", field);
243 for (j=0; j<values[i]->bv_len; j++) {
244 printf("%02X", (unsigned char)values[i]->bv_val[j]);
251 dump a sid result from ldap
253 static void dump_sid(const char *field, struct berval **values)
256 for (i=0; values[i]; i++) {
258 sid_parse(values[i]->bv_val, values[i]->bv_len, &sid);
259 printf("%s: %s\n", field, sid_string_static(&sid));
264 dump a string result from ldap
266 static void dump_string(const char *field, struct berval **values)
269 for (i=0; values[i]; i++) {
270 printf("%s: %s\n", field, values[i]->bv_val);
275 dump a record from LDAP on stdout
278 void ads_dump(ADS_STRUCT *ads, void *res)
285 void (*handler)(const char *, struct berval **);
287 {"objectGUID", dump_binary},
288 {"nTSecurityDescriptor", dump_binary},
289 {"objectSid", dump_sid},
293 for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
294 for (field = ldap_first_attribute(ads->ld, (LDAPMessage *)msg, &b);
296 field = ldap_next_attribute(ads->ld, (LDAPMessage *)msg, b)) {
297 struct berval **values;
300 values = ldap_get_values_len(ads->ld, (LDAPMessage *)msg, field);
302 for (i=0; handlers[i].name; i++) {
303 if (StrCaseCmp(handlers[i].name, field) == 0) {
304 handlers[i].handler(field, values);
308 if (!handlers[i].name) {
309 dump_string(field, values);
311 ldap_value_free_len(values);
321 count how many replies are in a LDAPMessage
323 int ads_count_replies(ADS_STRUCT *ads, void *res)
325 return ldap_count_entries(ads->ld, (LDAPMessage *)res);
329 join a machine to a realm, creating the machine account
330 and setting the machine password
332 ADS_STATUS ads_join_realm(ADS_STRUCT *ads, const char *hostname, const char *org_unit)
338 /* hostname must be lowercase */
339 host = strdup(hostname);
342 status = ads_find_machine_acct(ads, (void **)&res, host);
343 if (ADS_ERR_OK(status) && ads_count_replies(ads, res) == 1) {
344 DEBUG(0, ("Host account for %s already exists - deleting for readd\n", host));
345 status = ads_leave_realm(ads, host);
346 if (!ADS_ERR_OK(status)) {
347 DEBUG(0, ("Failed to delete host '%s' from the '%s' realm.\n",
353 status = ads_add_machine_acct(ads, host, org_unit);
354 if (!ADS_ERR_OK(status)) {
355 DEBUG(0, ("ads_add_machine_acct: %s\n", ads_errstr(status)));
359 status = ads_find_machine_acct(ads, (void **)&res, host);
360 if (!ADS_ERR_OK(status)) {
361 DEBUG(0, ("Host account test failed\n"));
371 delete a machine from the realm
373 ADS_STATUS ads_leave_realm(ADS_STRUCT *ads, const char *hostname)
377 char *hostnameDN, *host;
380 /* hostname must be lowercase */
381 host = strdup(hostname);
384 status = ads_find_machine_acct(ads, &res, host);
385 if (!ADS_ERR_OK(status)) {
386 DEBUG(0, ("Host account for %s does not exist.\n", host));
390 hostnameDN = ldap_get_dn(ads->ld, (LDAPMessage *)res);
391 rc = ldap_delete_s(ads->ld, hostnameDN);
392 ldap_memfree(hostnameDN);
393 if (rc != LDAP_SUCCESS) {
394 return ADS_ERROR(rc);
397 status = ads_find_machine_acct(ads, &res, host);
398 if (ADS_ERR_OK(status) && ads_count_replies(ads, res) == 1) {
399 DEBUG(0, ("Failed to remove host account.\n"));
409 ADS_STATUS ads_set_machine_password(ADS_STRUCT *ads,
410 const char *hostname,
411 const char *password)
414 char *host = strdup(hostname);
419 asprintf(&principal, "%s@%s", host, ads->realm);
421 status = krb5_set_password(ads->kdc_server, principal, password);
430 pull the first entry from a ADS result
432 void *ads_first_entry(ADS_STRUCT *ads, void *res)
434 return (void *)ldap_first_entry(ads->ld, (LDAPMessage *)res);
438 pull the next entry from a ADS result
440 void *ads_next_entry(ADS_STRUCT *ads, void *res)
442 return (void *)ldap_next_entry(ads->ld, (LDAPMessage *)res);
446 pull a single string from a ADS result
448 char *ads_pull_string(ADS_STRUCT *ads,
449 TALLOC_CTX *mem_ctx, void *msg, const char *field)
454 values = ldap_get_values(ads->ld, msg, field);
455 if (!values) return NULL;
458 ret = talloc_strdup(mem_ctx, values[0]);
460 ldap_value_free(values);
465 pull a single uint32 from a ADS result
467 BOOL ads_pull_uint32(ADS_STRUCT *ads,
468 void *msg, const char *field, uint32 *v)
472 values = ldap_get_values(ads->ld, msg, field);
473 if (!values) return False;
475 ldap_value_free(values);
479 *v = atoi(values[0]);
480 ldap_value_free(values);
485 pull a single DOM_SID from a ADS result
487 BOOL ads_pull_sid(ADS_STRUCT *ads,
488 void *msg, const char *field, DOM_SID *sid)
490 struct berval **values;
493 values = ldap_get_values_len(ads->ld, msg, field);
495 if (!values) return False;
498 ret = sid_parse(values[0]->bv_val, values[0]->bv_len, sid);
501 ldap_value_free_len(values);
506 pull an array of DOM_SIDs from a ADS result
507 return the count of SIDs pulled
509 int ads_pull_sids(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx,
510 void *msg, const char *field, DOM_SID **sids)
512 struct berval **values;
516 values = ldap_get_values_len(ads->ld, msg, field);
518 if (!values) return 0;
520 for (i=0; values[i]; i++) /* nop */ ;
522 (*sids) = talloc(mem_ctx, sizeof(DOM_SID) * i);
525 for (i=0; values[i]; i++) {
526 ret = sid_parse(values[i]->bv_val, values[i]->bv_len, &(*sids)[count]);
530 ldap_value_free_len(values);
535 /* find the update serial number - this is the core of the ldap cache */
536 ADS_STATUS ads_USN(ADS_STRUCT *ads, uint32 *usn)
538 const char *attrs[] = {"highestCommittedUSN", NULL};
542 status = ads_do_search(ads, "", LDAP_SCOPE_BASE, "(objectclass=*)", attrs, &res);
543 if (!ADS_ERR_OK(status)) return status;
545 if (ads_count_replies(ads, res) != 1) {
546 return ADS_ERROR(LDAP_NO_RESULTS_RETURNED);
549 ads_pull_uint32(ads, res, "highestCommittedUSN", usn);
550 ads_msgfree(ads, res);
555 /* find the servers name and realm - this can be done before authentication
556 The ldapServiceName field on w2k looks like this:
557 vnet3.home.samba.org:win2000-vnet3$@VNET3.HOME.SAMBA.ORG
559 ADS_STATUS ads_server_info(ADS_STRUCT *ads)
561 const char *attrs[] = {"ldapServiceName", NULL};
567 status = ads_do_search(ads, "", LDAP_SCOPE_BASE, "(objectclass=*)", attrs, &res);
568 if (!ADS_ERR_OK(status)) return status;
570 values = ldap_get_values(ads->ld, res, "ldapServiceName");
571 if (!values || !values[0]) return ADS_ERROR(LDAP_NO_RESULTS_RETURNED);
573 p = strchr(values[0], ':');
575 ldap_value_free(values);
577 return ADS_ERROR(LDAP_DECODING_ERROR);
580 SAFE_FREE(ads->ldap_server_name);
582 ads->ldap_server_name = strdup(p+1);
583 p = strchr(ads->ldap_server_name, '$');
584 if (!p || p[1] != '@') {
585 ldap_value_free(values);
587 SAFE_FREE(ads->ldap_server_name);
588 return ADS_ERROR(LDAP_DECODING_ERROR);
593 SAFE_FREE(ads->server_realm);
594 SAFE_FREE(ads->bind_path);
596 ads->server_realm = strdup(p+2);
597 ads->bind_path = ads_build_dn(ads->server_realm);
599 /* in case the realm isn't configured in smb.conf */
600 if (!ads->realm || !ads->realm[0]) {
601 SAFE_FREE(ads->realm);
602 ads->realm = strdup(ads->server_realm);
605 DEBUG(3,("got ldap server name %s@%s\n",
606 ads->ldap_server_name, ads->realm));
613 find the list of trusted domains
615 ADS_STATUS ads_trusted_domains(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx,
616 int *num_trusts, char ***names, DOM_SID **sids)
618 const char *attrs[] = {"flatName", "securityIdentifier", NULL};
625 status = ads_search(ads, &res, "(objectcategory=trustedDomain)", attrs);
626 if (!ADS_ERR_OK(status)) return status;
628 count = ads_count_replies(ads, res);
630 ads_msgfree(ads, res);
631 return ADS_ERROR(LDAP_NO_RESULTS_RETURNED);
634 (*names) = talloc(mem_ctx, sizeof(char *) * count);
635 (*sids) = talloc(mem_ctx, sizeof(DOM_SID) * count);
636 if (! *names || ! *sids) return ADS_ERROR(LDAP_NO_MEMORY);
638 for (i=0, msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
639 (*names)[i] = ads_pull_string(ads, mem_ctx, msg, "flatName");
640 ads_pull_sid(ads, msg, "securityIdentifier", &(*sids)[i]);
644 ads_msgfree(ads, res);
651 /* find the domain sid for our domain */
652 ADS_STATUS ads_domain_sid(ADS_STRUCT *ads, DOM_SID *sid)
654 const char *attrs[] = {"objectSid", NULL};
658 rc = ads_do_search(ads, ads->bind_path, LDAP_SCOPE_BASE, "(objectclass=*)",
660 if (!ADS_ERR_OK(rc)) return rc;
661 if (!ads_pull_sid(ads, res, "objectSid", sid)) {
662 return ADS_ERROR_SYSTEM(ENOENT);
664 ads_msgfree(ads, res);