This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
+ the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "includes.h"
return result;
}
-#ifdef HAVE_KRB5
/**********************************************
Do client and server sitename match ?
**********************************************/
DEBUG(10,("ads_sitename_match: name %s match\n", ads->config.server_site_name));
return True;
}
- DEBUG(10,("ads_sitename_match: no match %s %s\n",
+ DEBUG(10,("ads_sitename_match: no match between server: %s and client: %s\n",
ads->config.server_site_name ? ads->config.server_site_name : "NULL",
ads->config.client_site_name ? ads->config.client_site_name : "NULL"));
return False;
}
-#endif
+
+/**********************************************
+ Is this the closest DC ?
+**********************************************/
+
+BOOL ads_closest_dc(ADS_STRUCT *ads)
+{
+ if (ads->config.flags & ADS_CLOSEST) {
+ DEBUG(10,("ads_closest_dc: ADS_CLOSEST flag set\n"));
+ return True;
+ }
+
+ /* not sure if this can ever happen */
+ if (ads_sitename_match(ads)) {
+ DEBUG(10,("ads_closest_dc: ADS_CLOSEST flag not set but sites match\n"));
+ return True;
+ }
+
+ DEBUG(10,("ads_closest_dc: %s is not the closest DC\n",
+ ads->config.ldap_server_name));
+
+ return False;
+}
+
/*
try a connection to a given ldap server, returning True and setting the servers IP
SAFE_FREE(srv);
/* Store our site name. */
- sitename_store( cldap_reply.client_site_name );
+ sitename_store( cldap_reply.domain, cldap_reply.client_site_name );
return True;
}
pstring realm;
BOOL got_realm = False;
BOOL use_own_domain = False;
+ char *sitename;
NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
/* if the realm and workgroup are both empty, assume they are ours */
if (c_realm && *c_realm)
got_realm = True;
-again:
/* we need to try once with the realm name and fallback to the
netbios domain name if we fail (if netbios has not been disabled */
pstrcpy( realm, c_realm );
+ sitename = sitename_fetch(realm);
+
+ again:
+
DEBUG(6,("ads_find_dc: looking for %s '%s'\n",
(got_realm ? "realm" : "domain"), realm));
- status = get_sorted_dc_list(realm, &ip_list, &count, got_realm);
+ status = get_sorted_dc_list(realm, sitename, &ip_list, &count, got_realm);
if (!NT_STATUS_IS_OK(status)) {
/* fall back to netbios if we can */
if ( got_realm && !lp_disable_netbios() ) {
goto again;
}
+ SAFE_FREE(sitename);
return status;
}
if ( ads_try_connect(ads, server) ) {
SAFE_FREE(ip_list);
+ SAFE_FREE(sitename);
return NT_STATUS_OK;
}
}
SAFE_FREE(ip_list);
-
+
+ /* In case we failed to contact one of our closest DC on our site we
+ * need to try to find another DC, retry with a site-less SRV DNS query
+ * - Guenther */
+
+ if (sitename) {
+ DEBUG(1,("ads_find_dc: failed to find a valid DC on our site (%s), "
+ "trying to find another DC\n", sitename));
+ SAFE_FREE(sitename);
+ namecache_delete(realm, 0x1C);
+ goto again;
+ }
+
return NT_STATUS_NO_LOGON_SERVERS;
}
}
/* cache the successful connection for workgroup and realm */
- saf_store( ads->server.workgroup, inet_ntoa(ads->ldap_ip));
- saf_store( ads->server.realm, inet_ntoa(ads->ldap_ip));
+ if (ads_closest_dc(ads)) {
+ saf_store( ads->server.workgroup, inet_ntoa(ads->ldap_ip));
+ saf_store( ads->server.realm, inet_ntoa(ads->ldap_ip));
+ }
ldap_set_option(ads->ld, LDAP_OPT_PROTOCOL_VERSION, &version);
{
int rc, i, version;
char *utf8_expr, *utf8_path, **search_attrs;
- LDAPControl PagedResults, NoReferrals, ExtendedDn, *controls[4], **rcontrols;
+ LDAPControl PagedResults, NoReferrals, ExternalCtrl, *controls[4], **rcontrols;
BerElement *cookie_be = NULL;
struct berval *cookie_bv= NULL;
- BerElement *extdn_be = NULL;
- struct berval *extdn_bv= NULL;
+ BerElement *ext_be = NULL;
+ struct berval *ext_bv= NULL;
TALLOC_CTX *ctx;
ads_control *external_control = (ads_control *) args;
}
}
-
/* Paged results only available on ldap v3 or later */
ldap_get_option(ads->ld, LDAP_OPT_PROTOCOL_VERSION, &version);
if (version < LDAP_VERSION3) {
NoReferrals.ldctl_value.bv_len = 0;
NoReferrals.ldctl_value.bv_val = CONST_DISCARD(char *, "");
- if (external_control && strequal(external_control->control, ADS_EXTENDED_DN_OID)) {
+ if (external_control &&
+ (strequal(external_control->control, ADS_EXTENDED_DN_OID) ||
+ strequal(external_control->control, ADS_SD_FLAGS_OID))) {
- ExtendedDn.ldctl_oid = CONST_DISCARD(char *, external_control->control);
- ExtendedDn.ldctl_iscritical = (char) external_control->critical;
+ ExternalCtrl.ldctl_oid = CONST_DISCARD(char *, external_control->control);
+ ExternalCtrl.ldctl_iscritical = (char) external_control->critical;
/* win2k does not accept a ldctl_value beeing passed in */
if (external_control->val != 0) {
- if ((extdn_be = ber_alloc_t(LBER_USE_DER)) == NULL ) {
+ if ((ext_be = ber_alloc_t(LBER_USE_DER)) == NULL ) {
rc = LDAP_NO_MEMORY;
goto done;
}
- if ((ber_printf(extdn_be, "{i}", (ber_int_t) external_control->val)) == -1) {
+ if ((ber_printf(ext_be, "{i}", (ber_int_t) external_control->val)) == -1) {
rc = LDAP_NO_MEMORY;
goto done;
}
- if ((ber_flatten(extdn_be, &extdn_bv)) == -1) {
+ if ((ber_flatten(ext_be, &ext_bv)) == -1) {
rc = LDAP_NO_MEMORY;
goto done;
}
- ExtendedDn.ldctl_value.bv_len = extdn_bv->bv_len;
- ExtendedDn.ldctl_value.bv_val = extdn_bv->bv_val;
+ ExternalCtrl.ldctl_value.bv_len = ext_bv->bv_len;
+ ExternalCtrl.ldctl_value.bv_val = ext_bv->bv_val;
} else {
- ExtendedDn.ldctl_value.bv_len = 0;
- ExtendedDn.ldctl_value.bv_val = NULL;
+ ExternalCtrl.ldctl_value.bv_len = 0;
+ ExternalCtrl.ldctl_value.bv_val = NULL;
}
controls[0] = &NoReferrals;
controls[1] = &PagedResults;
- controls[2] = &ExtendedDn;
+ controls[2] = &ExternalCtrl;
controls[3] = NULL;
} else {
done:
talloc_destroy(ctx);
- if (extdn_be) {
- ber_free(extdn_be, 1);
+ if (ext_be) {
+ ber_free(ext_be, 1);
}
- if (extdn_bv) {
- ber_bvfree(extdn_bv);
+ if (ext_bv) {
+ ber_bvfree(ext_bv);
}
/* if/when we decide to utf8-encode attrs, take out this next line */
return ads_do_search_all_args(ads, bind_path, scope, expr, attrs, NULL, res);
}
+ ADS_STATUS ads_do_search_all_sd_flags(ADS_STRUCT *ads, const char *bind_path,
+ int scope, const char *expr,
+ const char **attrs, uint32 sd_flags,
+ LDAPMessage **res)
+{
+ ads_control args;
+
+ args.control = ADS_SD_FLAGS_OID;
+ args.val = sd_flags;
+ args.critical = True;
+
+ return ads_do_search_all_args(ads, bind_path, scope, expr, attrs, &args, res);
+}
+
+
/**
* Run a function on all results for a search. Uses ads_do_paged_search() and
* runs the function as each page is returned, using ads_process_results()
return unix_dn;
}
-/**
- * Get a canonical dn from search results
- * @param ads connection to ads server
- * @param msg Search result
- * @return dn string
- **/
- char *ads_get_dn_canonical(ADS_STRUCT *ads, LDAPMessage *msg)
-{
-#ifdef HAVE_LDAP_DN2AD_CANONICAL
- return ldap_dn2ad_canonical(ads_get_dn(ads, msg));
-#else
- return NULL;
-#endif
-}
-
/**
* Get the parent from a dn
* @param dn the dn to return the parent from
}
ret = ldap_delete_s(ads->ld, utf8_dn);
+ SAFE_FREE(utf8_dn);
return ADS_ERROR(ret);
}
char *ads_default_ou_string(ADS_STRUCT *ads, const char *wknguid)
{
ADS_STATUS status;
- LDAPMessage *res;
- char *base, *wkn_dn, *ret, **wkn_dn_exp, **bind_dn_exp;
+ LDAPMessage *res = NULL;
+ char *base, *wkn_dn = NULL, *ret = NULL, **wkn_dn_exp = NULL,
+ **bind_dn_exp = NULL;
const char *attrs[] = {"distinguishedName", NULL};
int new_ln, wkn_ln, bind_ln, i;
status = ads_search_dn(ads, &res, base, attrs);
if (!ADS_ERR_OK(status)) {
DEBUG(1,("Failed while searching for: %s\n", base));
- SAFE_FREE(base);
- return NULL;
+ goto out;
}
- SAFE_FREE(base);
if (ads_count_replies(ads, res) != 1) {
- return NULL;
+ goto out;
}
/* substitute the bind-path from the well-known-guid-search result */
wkn_dn = ads_get_dn(ads, res);
+ if (!wkn_dn) {
+ goto out;
+ }
+
wkn_dn_exp = ldap_explode_dn(wkn_dn, 0);
+ if (!wkn_dn_exp) {
+ goto out;
+ }
+
bind_dn_exp = ldap_explode_dn(ads->config.bind_path, 0);
+ if (!bind_dn_exp) {
+ goto out;
+ }
for (wkn_ln=0; wkn_dn_exp[wkn_ln]; wkn_ln++)
;
new_ln = wkn_ln - bind_ln;
- ret = wkn_dn_exp[0];
+ ret = SMB_STRDUP(wkn_dn_exp[0]);
+ if (!ret) {
+ goto out;
+ }
for (i=1; i < new_ln; i++) {
- char *s;
- asprintf(&s, "%s,%s", ret, wkn_dn_exp[i]);
+ char *s = NULL;
+
+ if (asprintf(&s, "%s,%s", ret, wkn_dn_exp[i]) == -1) {
+ SAFE_FREE(ret);
+ goto out;
+ }
+
+ SAFE_FREE(ret);
ret = SMB_STRDUP(s);
free(s);
+ if (!ret) {
+ goto out;
+ }
}
+ out:
+ SAFE_FREE(base);
+ ads_msgfree(ads, res);
ads_memfree(ads, wkn_dn);
- ldap_value_free(wkn_dn_exp);
- ldap_value_free(bind_dn_exp);
+ if (wkn_dn_exp) {
+ ldap_value_free(wkn_dn_exp);
+ }
+ if (bind_dn_exp) {
+ ldap_value_free(bind_dn_exp);
+ }
return ret;
}
char *samAccountName, *controlstr;
TALLOC_CTX *ctx;
ADS_MODLIST mods;
+ char *machine_escaped = NULL;
char *new_dn;
const char *objectClass[] = {"top", "person", "organizationalPerson",
"user", "computer", NULL};
return ADS_ERROR(LDAP_NO_MEMORY);
ret = ADS_ERROR(LDAP_NO_MEMORY);
-
- new_dn = talloc_asprintf(ctx, "cn=%s,%s", machine_name, org_unit);
+
+ machine_escaped = escape_rdn_val_string_alloc(machine_name);
+ if (!machine_escaped) {
+ goto done;
+ }
+
+ new_dn = talloc_asprintf(ctx, "cn=%s,%s", machine_escaped, org_unit);
samAccountName = talloc_asprintf(ctx, "%s$", machine_name);
if ( !new_dn || !samAccountName ) {
ret = ads_gen_add(ads, new_dn, mods);
done:
+ SAFE_FREE(machine_escaped);
ads_msgfree(ads, res);
talloc_destroy(ctx);
return ret;
}
+/**
+ * move a machine account to another OU on the ADS server
+ * @param ads - An intialized ADS_STRUCT
+ * @param machine_name - the NetBIOS machine name of this account.
+ * @param org_unit - The LDAP path in which to place this account
+ * @param moved - whether we moved the machine account (optional)
+ * @return 0 upon success, or non-zero otherwise
+**/
+
+ADS_STATUS ads_move_machine_acct(ADS_STRUCT *ads, const char *machine_name,
+ const char *org_unit, BOOL *moved)
+{
+ ADS_STATUS rc;
+ int ldap_status;
+ LDAPMessage *res = NULL;
+ char *filter = NULL;
+ char *computer_dn = NULL;
+ char *parent_dn;
+ char *computer_rdn = NULL;
+ BOOL need_move = False;
+
+ if (asprintf(&filter, "(samAccountName=%s$)", machine_name) == -1) {
+ rc = ADS_ERROR(LDAP_NO_MEMORY);
+ goto done;
+ }
+
+ /* Find pre-existing machine */
+ rc = ads_search(ads, &res, filter, NULL);
+ if (!ADS_ERR_OK(rc)) {
+ goto done;
+ }
+
+ computer_dn = ads_get_dn(ads, res);
+ if (!computer_dn) {
+ rc = ADS_ERROR(LDAP_NO_MEMORY);
+ goto done;
+ }
+
+ parent_dn = ads_parent_dn(computer_dn);
+ if (strequal(parent_dn, org_unit)) {
+ goto done;
+ }
+
+ need_move = True;
+
+ if (asprintf(&computer_rdn, "CN=%s", machine_name) == -1) {
+ rc = ADS_ERROR(LDAP_NO_MEMORY);
+ goto done;
+ }
+
+ ldap_status = ldap_rename_s(ads->ld, computer_dn, computer_rdn,
+ org_unit, 1, NULL, NULL);
+ rc = ADS_ERROR(ldap_status);
+
+done:
+ ads_msgfree(ads, res);
+ SAFE_FREE(filter);
+ SAFE_FREE(computer_dn);
+ SAFE_FREE(computer_rdn);
+
+ if (!ADS_ERR_OK(rc)) {
+ need_move = False;
+ }
+
+ if (moved) {
+ *moved = need_move;
+ }
+
+ return rc;
+}
+
/*
dump a binary result from ldap
*/
{"tokenGroups", False, dump_sid},
{"tokenGroupsNoGCAcceptable", False, dump_sid},
{"tokengroupsGlobalandUniversal", False, dump_sid},
+ {"mS-DS-CreatorSID", False, dump_sid},
{NULL, True, NULL}
};
int i;
* @param guid 37-byte area to receive text guid
* @return boolean indicating success
**/
- BOOL ads_pull_guid(ADS_STRUCT *ads, LDAPMessage *msg, struct uuid *guid)
+ BOOL ads_pull_guid(ADS_STRUCT *ads, LDAPMessage *msg, struct GUID *guid)
{
char **values;
UUID_FLAT flat_guid;
for (i=0; values[i]; i++)
/* nop */ ;
- (*sids) = TALLOC_ARRAY(mem_ctx, DOM_SID, i);
- if (!(*sids)) {
- ldap_value_free_len(values);
- return 0;
+ if (i) {
+ (*sids) = TALLOC_ARRAY(mem_ctx, DOM_SID, i);
+ if (!(*sids)) {
+ ldap_value_free_len(values);
+ return 0;
+ }
+ } else {
+ (*sids) = NULL;
}
count = 0;
LDAPMessage *msg, const char *field, SEC_DESC **sd)
{
struct berval **values;
- prs_struct ps;
BOOL ret = False;
values = ldap_get_values_len(ads->ld, msg, field);
if (!values) return False;
if (values[0]) {
+ prs_struct ps;
prs_init(&ps, values[0]->bv_len, mem_ctx, UNMARSHALL);
prs_copy_data_in(&ps, values[0]->bv_val, values[0]->bv_len);
prs_set_offset(&ps,0);
ret = sec_io_desc("sd", sd, &ps, 1);
+ prs_mem_free(&ps);
}
ldap_value_free_len(values);
service_name = ads_pull_string(ads, mem_ctx, res, "dsServiceName");
if (service_name == NULL) {
+ ads_msgfree(ads, res);
return ADS_ERROR(LDAP_NO_RESULTS_RETURNED);
}
+ ads_msgfree(ads, res);
+
/* go up three levels */
dn = ads_parent_dn(ads_parent_dn(ads_parent_dn(service_name)));
if (dn == NULL) {
return ADS_ERROR(LDAP_NO_MEMORY);
}
- ads_msgfree(ads, res);
-
return status;
/*
dsServiceName: CN=NTDS Settings,CN=W2K3DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ber,DC=suse,DC=de
config_context = ads_pull_string(ads, mem_ctx, res, "configurationNamingContext");
if (config_context == NULL) {
+ ads_msgfree(ads, res);
return ADS_ERROR(LDAP_NO_MEMORY);
}
filter = talloc_asprintf(mem_ctx, "(cn=%s)", computer_name);
if (filter == NULL) {
+ ads_msgfree(ads, res);
return ADS_ERROR(LDAP_NO_MEMORY);
}
+ ads_msgfree(ads, res);
+
status = ads_do_search(ads, config_context, LDAP_SCOPE_SUBTREE, filter, NULL, &res);
if (!ADS_ERR_OK(status)) {
return status;
}
if (ads_count_replies(ads, res) != 1) {
+ ads_msgfree(ads, res);
return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
}
dn = ads_get_dn(ads, res);
if (dn == NULL) {
+ ads_msgfree(ads, res);
return ADS_ERROR(LDAP_NO_MEMORY);
}
/* go up three levels */
parent = ads_parent_dn(ads_parent_dn(ads_parent_dn(dn)));
if (parent == NULL) {
+ ads_msgfree(ads, res);
ads_memfree(ads, dn);
return ADS_ERROR(LDAP_NO_MEMORY);
}
*site_dn = talloc_strdup(mem_ctx, parent);
if (*site_dn == NULL) {
+ ads_msgfree(ads, res);
ads_memfree(ads, dn);
ADS_ERROR(LDAP_NO_MEMORY);
}
* @param ads connection to ads server
* @param mem_ctx Pointer to talloc context
* @param suffixes Pointer to an array of suffixes
- * @param site_name Pointer to the number of suffixes
+ * @param num_suffixes Pointer to the number of suffixes
* @return status of search
**/
-ADS_STATUS ads_upn_suffixes(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, char **suffixes, size_t *num_suffixes)
+ADS_STATUS ads_upn_suffixes(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, char ***suffixes, size_t *num_suffixes)
{
ADS_STATUS status;
LDAPMessage *res;
config_context = ads_pull_string(ads, mem_ctx, res, "configurationNamingContext");
if (config_context == NULL) {
+ ads_msgfree(ads, res);
return ADS_ERROR(LDAP_NO_MEMORY);
}
+ ads_msgfree(ads, res);
+
base = talloc_asprintf(mem_ctx, "cn=Partitions,%s", config_context);
if (base == NULL) {
return ADS_ERROR(LDAP_NO_MEMORY);
return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
}
- suffixes = ads_pull_strings(ads, mem_ctx, res, "uPNSuffixes", num_suffixes);
- if (suffixes == NULL) {
+ (*suffixes) = ads_pull_strings(ads, mem_ctx, res, "uPNSuffixes", num_suffixes);
+ if ((*suffixes) == NULL) {
ads_msgfree(ads, res);
return ADS_ERROR(LDAP_NO_MEMORY);
}
/**
* pull a DOM_SID from an extended dn string
* @param mem_ctx TALLOC_CTX
+ * @param extended_dn string
* @param flags string type of extended_dn
* @param sid pointer to a DOM_SID
* @return boolean inidicating success
**/
BOOL ads_get_sid_from_extended_dn(TALLOC_CTX *mem_ctx,
- const char *dn,
+ const char *extended_dn,
enum ads_extended_dn_flags flags,
DOM_SID *sid)
{
- char *p, *q;
+ char *p, *q, *dn;
- if (!dn) {
+ if (!extended_dn) {
return False;
}
+ /* otherwise extended_dn gets stripped off */
+ if ((dn = talloc_strdup(mem_ctx, extended_dn)) == NULL) {
+ return False;
+ }
/*
* ADS_EXTENDED_DN_HEX_STRING:
* <GUID=238e1963cb390f4bb032ba0105525a29>;<SID=010500000000000515000000bb68c8fd6b61b427572eb04556040000>;CN=gd,OU=berlin,OU=suse,DC=ber,DC=suse,DC=de
}
#endif
-#ifdef HAVE_LDAP
-
/**
* Delete a machine from the realm
* @param ads connection to ads server
DEBUG(3,("ldap_delete_ext_s succeeded with error code %d\n", rc));
}
- ads_memfree(ads, hostnameDN);
if (rc != LDAP_SUCCESS) {
const char *attrs[] = { "cn", NULL };
- void *msg_sub;
+ LDAPMessage *msg_sub;
/* we only search with scope ONE, we do not expect any further
* objects to be created deeper */
- status = ads_do_search_retry(ads, hostnameDN, LDAP_SCOPE_ONE,
- "(objectclass=*)", attrs, &res);
+ status = ads_do_search_retry(ads, hostnameDN,
+ LDAP_SCOPE_ONELEVEL,
+ "(objectclass=*)", attrs, &res);
if (!ADS_ERR_OK(status)) {
SAFE_FREE(host);
}
/* there should be no subordinate objects anymore */
- status = ads_do_search_retry(ads, hostnameDN, LDAP_SCOPE_ONE,
- "(objectclass=*)", attrs, &res);
+ status = ads_do_search_retry(ads, hostnameDN,
+ LDAP_SCOPE_ONELEVEL,
+ "(objectclass=*)", attrs, &res);
if (!ADS_ERR_OK(status) || ( (ads_count_replies(ads, res)) > 0 ) ) {
SAFE_FREE(host);
SAFE_FREE(host);
return status;
}
-#endif
+/**
+ * pull all token-sids from an LDAP dn
+ * @param ads connection to ads server
+ * @param mem_ctx TALLOC_CTX for allocating sid array
+ * @param dn of LDAP object
+ * @param user_sid pointer to DOM_SID (objectSid)
+ * @param primary_group_sid pointer to DOM_SID (self composed)
+ * @param sids pointer to sid array to allocate
+ * @param num_sids counter of SIDs pulled
+ * @return status of token query
+ **/
+ ADS_STATUS ads_get_tokensids(ADS_STRUCT *ads,
+ TALLOC_CTX *mem_ctx,
+ const char *dn,
+ DOM_SID *user_sid,
+ DOM_SID *primary_group_sid,
+ DOM_SID **sids,
+ size_t *num_sids)
+{
+ ADS_STATUS status;
+ LDAPMessage *res = NULL;
+ int count = 0;
+ size_t tmp_num_sids;
+ DOM_SID *tmp_sids;
+ DOM_SID tmp_user_sid;
+ DOM_SID tmp_primary_group_sid;
+ uint32 pgid;
+ const char *attrs[] = {
+ "objectSid",
+ "tokenGroups",
+ "primaryGroupID",
+ NULL
+ };
+
+ status = ads_search_retry_dn(ads, &res, dn, attrs);
+ if (!ADS_ERR_OK(status)) {
+ return status;
+ }
+
+ count = ads_count_replies(ads, res);
+ if (count != 1) {
+ ads_msgfree(ads, res);
+ return ADS_ERROR_LDAP(LDAP_NO_SUCH_OBJECT);
+ }
+
+ if (!ads_pull_sid(ads, res, "objectSid", &tmp_user_sid)) {
+ ads_msgfree(ads, res);
+ return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+ }
+
+ if (!ads_pull_uint32(ads, res, "primaryGroupID", &pgid)) {
+ ads_msgfree(ads, res);
+ return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+ }
+
+ {
+ /* hack to compose the primary group sid without knowing the
+ * domsid */
+
+ DOM_SID domsid;
+ uint32 dummy_rid;
+
+ sid_copy(&domsid, &tmp_user_sid);
+
+ if (!sid_split_rid(&domsid, &dummy_rid)) {
+ ads_msgfree(ads, res);
+ return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+ }
+
+ if (!sid_compose(&tmp_primary_group_sid, &domsid, pgid)) {
+ ads_msgfree(ads, res);
+ return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+ }
+ }
+
+ tmp_num_sids = ads_pull_sids(ads, mem_ctx, res, "tokenGroups", &tmp_sids);
+
+ if (tmp_num_sids == 0 || !tmp_sids) {
+ ads_msgfree(ads, res);
+ return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+ }
+
+ if (num_sids) {
+ *num_sids = tmp_num_sids;
+ }
+
+ if (sids) {
+ *sids = tmp_sids;
+ }
+
+ if (user_sid) {
+ *user_sid = tmp_user_sid;
+ }
+
+ if (primary_group_sid) {
+ *primary_group_sid = tmp_primary_group_sid;
+ }
+
+ DEBUG(10,("ads_get_tokensids: returned %d sids\n", (int)tmp_num_sids + 2));
+
+ ads_msgfree(ads, res);
+ return ADS_ERROR_LDAP(LDAP_SUCCESS);
+}
+
+ADS_STATUS ads_find_samaccount(ADS_STRUCT *ads,
+ TALLOC_CTX *mem_ctx,
+ const char *samaccountname,
+ uint32 *uac_ret,
+ const char **dn_ret)
+{
+ ADS_STATUS status;
+ const char *attrs[] = { "userAccountControl", NULL };
+ const char *filter;
+ LDAPMessage *res = NULL;
+ char *dn = NULL;
+ uint32 uac = 0;
+
+ filter = talloc_asprintf(mem_ctx, "(&(objectclass=user)(sAMAccountName=%s))",
+ samaccountname);
+ if (filter == NULL) {
+ goto out;
+ }
+
+ status = ads_do_search_all(ads, ads->config.bind_path,
+ LDAP_SCOPE_SUBTREE,
+ filter, attrs, &res);
+
+ if (!ADS_ERR_OK(status)) {
+ goto out;
+ }
+
+ if (ads_count_replies(ads, res) != 1) {
+ printf("no result\n");
+ goto out;
+ }
+
+ dn = ads_get_dn(ads, res);
+ if (dn == NULL) {
+ status = ADS_ERROR(LDAP_NO_MEMORY);
+ goto out;
+ }
+
+ if (!ads_pull_uint32(ads, res, "userAccountControl", &uac)) {
+ status = ADS_ERROR(LDAP_NO_SUCH_ATTRIBUTE);
+ goto out;
+ }
+
+ if (uac_ret) {
+ *uac_ret = uac;
+ }
+
+ if (dn_ret) {
+ *dn_ret = talloc_strdup(mem_ctx, dn);
+ if (!*dn_ret) {
+ status = ADS_ERROR(LDAP_NO_MEMORY);
+ goto out;
+ }
+ }
+ out:
+ ads_memfree(ads, dn);
+ ads_msgfree(ads, res);
+
+ return status;
+}
#endif