/*
- Unix SMB/Netbios implementation.
- Version 3.0
+ Unix SMB/CIFS implementation.
ads (active directory) utility library
Copyright (C) Andrew Tridgell 2001
+ Copyright (C) Remus Koos 2001
+ Copyright (C) Jim McDonough 2002
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
#ifdef HAVE_ADS
-/*
- build a ADS_STATUS structure
-*/
-ADS_STATUS ads_build_error(enum ads_error_type etype,
- int rc, int minor_status)
-{
- ADS_STATUS ret;
- ret.error_type = etype;
- ret.rc = rc;
- ret.minor_status = minor_status;
- return ret;
-}
-
-/*
- do a rough conversion between ads error codes and NT status codes
- we'll need to fill this in more
-*/
-NTSTATUS ads_ntstatus(ADS_STATUS rc)
-{
- if (ADS_ERR_OK(rc)) return NT_STATUS_OK;
- return NT_STATUS_UNSUCCESSFUL;
-}
-
-/*
- return a string for an error from a ads routine
-*/
-const char *ads_errstr(ADS_STATUS status)
-{
- gss_buffer_desc msg1, msg2;
- uint32 minor;
- int msg_ctx;
- static char *ret;
-
- SAFE_FREE(ret);
- msg_ctx = 0;
-
- switch (status.error_type) {
- case ADS_ERROR_KRB5:
- return error_message(status.rc);
- case ADS_ERROR_LDAP:
- return ldap_err2string(status.rc);
- case ADS_ERROR_SYSTEM:
- return strerror(status.rc);
- case ADS_ERROR_GSS:
- msg1.value = NULL;
- msg2.value = NULL;
- gss_display_status(&minor, status.rc, GSS_C_GSS_CODE,
- GSS_C_NULL_OID, &msg_ctx, &msg1);
- gss_display_status(&minor, status.minor_status, GSS_C_MECH_CODE,
- GSS_C_NULL_OID, &msg_ctx, &msg2);
- asprintf(&ret, "%s : %s", (char *)msg1.value, (char *)msg2.value);
- gss_release_buffer(&minor, &msg1);
- gss_release_buffer(&minor, &msg2);
- return ret;
- }
-
- return "Unknown ADS error type!?";
-}
-
/*
connect to the LDAP server
*/
ADS_STATUS ads_connect(ADS_STRUCT *ads)
{
int version = LDAP_VERSION3;
+ int code;
ADS_STATUS status;
ads->last_attempt = time(NULL);
ads->ld = ldap_open(ads->ldap_server, ads->ldap_port);
if (!ads->ld) {
- return ADS_ERROR_SYSTEM(errno)
+ return ADS_ERROR_SYSTEM(errno);
}
status = ads_server_info(ads);
if (!ADS_ERR_OK(status)) {
ldap_set_option(ads->ld, LDAP_OPT_PROTOCOL_VERSION, &version);
if (ads->password) {
- ads_kinit_password(ads);
+ if ((code = ads_kinit_password(ads)))
+ return ADS_ERROR_KRB5(code);
}
return ads_sasl_bind(ads);
rc = ldap_search_ext_s(ads->ld,
bind_path, scope,
- exp, attrs, 0, NULL, NULL,
+ exp, (char **) attrs, 0, NULL, NULL,
&timeout, LDAP_NO_LIMIT, (LDAPMessage **)res);
return ADS_ERROR(rc);
}
ldap_msgfree(msg);
}
+/*
+ free up memory from various ads requests
+*/
+void ads_memfree(ADS_STRUCT *ads, void *mem)
+{
+ if (!mem) return;
+ ldap_memfree(mem);
+}
+
+/*
+ get a dn from search results
+*/
+char *ads_get_dn(ADS_STRUCT *ads, void *res)
+{
+ return ldap_get_dn(ads->ld, res);
+}
+
/*
find a machine account given a hostname
*/
{
ADS_STATUS status;
char *exp;
+ const char *attrs[] = {"*", "nTSecurityDescriptor", NULL};
/* the easiest way to find a machine account anywhere in the tree
is to look for hostname$ */
asprintf(&exp, "(samAccountName=%s$)", host);
- status = ads_search(ads, res, exp, NULL);
+ status = ads_search(ads, res, exp, attrs);
free(exp);
return status;
}
-
/*
- a convenient routine for adding a generic LDAP record
+ duplicate an already-assembled list of values so that it can be
+ freed as part of the standard msgfree call
*/
-ADS_STATUS ads_gen_add(ADS_STRUCT *ads, const char *new_dn, ...)
+static char **ads_dup_values(TALLOC_CTX *ctx, char **values)
{
+ char **newvals;
int i;
- va_list ap;
+#define ADS_MAX_NUM_VALUES 32
+
+ for (i=0; values[i] && i<ADS_MAX_NUM_VALUES; i++);
+ if (!(newvals = talloc_zero(ctx, (i+1)*sizeof(char *))))
+ return NULL;
+ for (i=0; values[i] && i<ADS_MAX_NUM_VALUES; i++)
+ newvals[i] = values[i];
+ newvals[i] = NULL;
+ return newvals;
+}
+
+/*
+ initialize a list of mods
+*/
+
+ADS_MODLIST ads_init_mods(TALLOC_CTX *ctx)
+{
+#define ADS_MODLIST_ALLOC_SIZE 10
LDAPMod **mods;
- char *name, *value;
- int ret;
-#define MAX_MOD_VALUES 10
- /* count the number of attributes */
- va_start(ap, new_dn);
- for (i=0; va_arg(ap, char *); i++) {
- /* skip the values */
- while (va_arg(ap, char *)) ;
+ if ((mods = (LDAPMod **) talloc_zero(ctx, sizeof(LDAPMod *) *
+ (ADS_MODLIST_ALLOC_SIZE + 1))))
+ /* -1 is safety to make sure we don't go over the end.
+ need to reset it to NULL before doing ldap modify */
+ mods[ADS_MODLIST_ALLOC_SIZE] = (LDAPMod *) -1;
+
+ return mods;
+}
+
+/*
+ add an attribute to the list, with values list already constructed
+*/
+static ADS_STATUS ads_modlist_add(TALLOC_CTX *ctx, ADS_MODLIST *mods,
+ int mod_op, char *name, char **values)
+{
+ int curmod;
+ LDAPMod **modlist = (LDAPMod **) *mods;
+
+ /* find the first empty slot */
+ for (curmod=0; modlist[curmod] && modlist[curmod] != (LDAPMod *) -1;
+ curmod++);
+ if (modlist[curmod] == (LDAPMod *) -1) {
+ if (!(modlist = talloc_realloc(ctx, modlist,
+ (curmod+ADS_MODLIST_ALLOC_SIZE+1)*sizeof(LDAPMod *))))
+ return ADS_ERROR(LDAP_NO_MEMORY);
+ memset(&modlist[curmod], 0,
+ ADS_MODLIST_ALLOC_SIZE*sizeof(LDAPMod *));
+ modlist[curmod+ADS_MODLIST_ALLOC_SIZE] = (LDAPMod *) -1;
+ *mods = modlist;
}
- va_end(ap);
+
+ if (!(modlist[curmod] = talloc_zero(ctx, sizeof(LDAPMod))))
+ return ADS_ERROR(LDAP_NO_MEMORY);
+ modlist[curmod]->mod_type = name;
+ if (mod_op & LDAP_MOD_BVALUES)
+ modlist[curmod]->mod_bvalues = (struct berval **) values;
+ else
+ modlist[curmod]->mod_values = values;
+ modlist[curmod]->mod_op = mod_op;
+ return ADS_ERROR(LDAP_SUCCESS);
+}
- mods = malloc(sizeof(LDAPMod *) * (i+1));
+ADS_STATUS ads_mod_add_list(TALLOC_CTX *ctx, ADS_MODLIST *mods,
+ char *name, char **values)
+{
+ char **newvals = ads_dup_values(ctx, values);
+ if (newvals)
+ return ads_modlist_add(ctx, mods, LDAP_MOD_ADD, name, newvals);
+ else
+ return ADS_ERROR(LDAP_NO_MEMORY);
+}
- va_start(ap, new_dn);
- for (i=0; (name=va_arg(ap, char *)); i++) {
- char **values;
- int j;
- values = (char **)malloc(sizeof(char *) * (MAX_MOD_VALUES+1));
- for (j=0; (value=va_arg(ap, char *)) && j < MAX_MOD_VALUES; j++) {
- values[j] = value;
- }
- values[j] = NULL;
- mods[i] = malloc(sizeof(LDAPMod));
- mods[i]->mod_type = name;
- mods[i]->mod_op = LDAP_MOD_ADD;
- mods[i]->mod_values = values;
+ADS_STATUS ads_mod_repl_list(TALLOC_CTX *ctx, ADS_MODLIST *mods,
+ char *name, char **values)
+{
+ char **newvals;
+ if (values && *values) {
+ if (!(newvals = ads_dup_values(ctx, values)))
+ return ADS_ERROR(LDAP_NO_MEMORY);
+ else
+ return ads_modlist_add(ctx, mods, LDAP_MOD_REPLACE,
+ name, newvals);
}
- mods[i] = NULL;
+ else
+ return ads_modlist_add(ctx, mods, LDAP_MOD_DELETE, name, NULL);
+}
+
+/*
+ add an attribute to the list, with values list to be built from args
+*/
+ADS_STATUS ads_mod_add_var(TALLOC_CTX *ctx, ADS_MODLIST *mods,
+ int mod_op, char *name, ...)
+{
+ va_list ap;
+ int num_vals, i, do_op;
+ char *value, **values;
+
+ /* count the number of values */
+ va_start(ap, name);
+ for (num_vals=0; va_arg(ap, char *); num_vals++);
va_end(ap);
- ret = ldap_add_s(ads->ld, new_dn, mods);
+ if (num_vals) {
+ if (!(values = talloc_zero(ctx, sizeof(char *)*(num_vals+1))))
+ return ADS_ERROR(LDAP_NO_MEMORY);
+ va_start(ap, name);
+ for (i=0; (value = (char *) va_arg(ap, char *)) &&
+ i < num_vals; i++)
+ values[i] = value;
+ va_end(ap);
+ values[i] = NULL;
+ do_op = mod_op;
+ } else {
+ do_op = LDAP_MOD_DELETE;
+ values = NULL;
+ }
+ return ads_modlist_add(ctx, mods, do_op, name, values);
+}
+
+ADS_STATUS ads_mod_add_ber(TALLOC_CTX *ctx, ADS_MODLIST *mods,
+ int mod_op, char *name, ...)
+{
+ va_list ap;
+ int num_vals, i, do_op;
+ char *value, **values;
- for (i=0; mods[i]; i++) {
- free(mods[i]->mod_values);
- free(mods[i]);
+ /* count the number of values */
+ va_start(ap, name);
+ for (num_vals=0; va_arg(ap, struct berval *); num_vals++);
+ va_end(ap);
+
+ if (num_vals) {
+ if (!(values = talloc_zero(ctx, sizeof(struct berval) *
+ (num_vals + 1))))
+ return ADS_ERROR(LDAP_NO_MEMORY);
+ va_start(ap, name);
+ for (i=0; (value = (char *) va_arg(ap, char *)) &&
+ i < num_vals; i++)
+ values[i] = value;
+ va_end(ap);
+ values[i] = NULL;
+ do_op = mod_op;
+ } else {
+ do_op = LDAP_MOD_DELETE;
+ values = NULL;
}
- free(mods);
-
+ do_op |= LDAP_MOD_BVALUES;
+ return ads_modlist_add(ctx, mods, do_op, name, values);
+}
+
+ADS_STATUS ads_mod_repl(TALLOC_CTX *ctx, ADS_MODLIST *mods,
+ char *name, char *val)
+{
+ if (val)
+ return ads_mod_add_var(ctx, mods, LDAP_MOD_REPLACE,
+ name, val, NULL);
+ else
+ return ads_mod_add_var(ctx, mods, LDAP_MOD_DELETE, name, NULL);
+}
+
+ADS_STATUS ads_mod_add(TALLOC_CTX *ctx, ADS_MODLIST *mods,
+ char *name, char *val)
+{
+ return ads_mod_add_var(ctx, mods, LDAP_MOD_ADD, name, val, NULL);
+}
+
+ADS_STATUS ads_mod_add_len(TALLOC_CTX *ctx, ADS_MODLIST *mods,
+ char *name, size_t size, char *val)
+{
+ struct berval *bval = NULL;
+
+ if (!(bval = talloc_zero(ctx, sizeof(struct berval *))))
+ return ADS_ERROR(LDAP_NO_MEMORY);
+ if (!(bval->bv_val = talloc_zero(ctx, sizeof(char *))))
+ return ADS_ERROR(LDAP_NO_MEMORY);
+
+ bval->bv_val = val;
+ bval->bv_len = size;
+ return ads_mod_add_ber(ctx, mods, LDAP_MOD_ADD, name, bval, NULL);
+}
+
+ADS_STATUS ads_mod_repl_len(TALLOC_CTX *ctx, ADS_MODLIST *mods,
+ char *name, size_t size, char *val)
+{
+ struct berval *bval = NULL;
+
+ if (!(bval = talloc_zero(ctx, sizeof(struct berval *))))
+ return ADS_ERROR(LDAP_NO_MEMORY);
+
+ if (!val)
+ return ads_mod_add_ber(ctx, mods, LDAP_MOD_DELETE, name, NULL);
+ else {
+ if (!(bval->bv_val = talloc_zero(ctx, sizeof(char *))))
+ return ADS_ERROR(LDAP_NO_MEMORY);
+ bval->bv_val = val;
+ bval->bv_len = size;
+ return ads_mod_add_ber(ctx, mods, LDAP_MOD_REPLACE, name,
+ bval, NULL);
+ }
+}
+
+ADS_STATUS ads_gen_mod(ADS_STRUCT *ads, const char *mod_dn, ADS_MODLIST mods)
+{
+ int ret,i;
+ /*
+ this control is needed to modify that contains a currently
+ non-existent attribute (but allowable for the object) to run
+ */
+ LDAPControl PermitModify = {
+ "1.2.840.113556.1.4.1413",
+ {0, NULL},
+ (char) 1};
+ LDAPControl *controls[2];
+
+ controls[0] = &PermitModify;
+ controls[1] = NULL;
+
+ /* find the end of the list, marked by NULL or -1 */
+ for(i=0;(mods[i]!=0)&&(mods[i]!=(LDAPMod *) -1);i++);
+ /* make sure the end of the list is NULL */
+ mods[i] = NULL;
+ ret = ldap_modify_ext_s(ads->ld, mod_dn, (LDAPMod **) mods,
+ controls, NULL);
return ADS_ERROR(ret);
}
+ADS_STATUS ads_gen_add(ADS_STRUCT *ads, const char *new_dn, ADS_MODLIST mods)
+{
+ int i;
+
+ /* find the end of the list, marked by NULL or -1 */
+ for(i=0;(mods[i]!=0)&&(mods[i]!=(LDAPMod *) -1);i++);
+ /* make sure the end of the list is NULL */
+ mods[i] = NULL;
+
+ return ADS_ERROR(ldap_add_s(ads->ld, new_dn, mods));
+}
+
+ADS_STATUS ads_del_dn(ADS_STRUCT *ads, char *del_dn)
+{
+ return ADS_ERROR(ldap_delete(ads->ld, del_dn));
+}
+
+/*
+ build an org unit string
+ if org unit is Computers or blank then assume a container, otherwise
+ assume a \ separated list of organisational units
+ caller must free
+*/
+char *ads_ou_string(const char *org_unit)
+{
+ if (!org_unit || !*org_unit || strcasecmp(org_unit, "Computers") == 0) {
+ return strdup("cn=Computers");
+ }
+
+ return ads_build_path(org_unit, "\\/", "ou=", 1);
+}
+
+
+
/*
add a machine account to the ADS server
*/
{
ADS_STATUS ret;
char *host_spn, *host_upn, *new_dn, *samAccountName, *controlstr;
-
- asprintf(&host_spn, "HOST/%s", hostname);
- asprintf(&host_upn, "%s@%s", host_spn, ads->realm);
- asprintf(&new_dn, "cn=%s,cn=%s,%s", hostname, org_unit, ads->bind_path);
- asprintf(&samAccountName, "%s$", hostname);
- asprintf(&controlstr, "%u",
- UF_DONT_EXPIRE_PASSWD | UF_WORKSTATION_TRUST_ACCOUNT |
- UF_TRUSTED_FOR_DELEGATION | UF_USE_DES_KEY_ONLY);
-
- ret = ads_gen_add(ads, new_dn,
- "cn", hostname, NULL,
- "sAMAccountName", samAccountName, NULL,
- "objectClass",
- "top", "person", "organizationalPerson",
- "user", "computer", NULL,
- "userPrincipalName", host_upn, NULL,
- "servicePrincipalName", host_spn, NULL,
- "dNSHostName", hostname, NULL,
- "userAccountControl", controlstr, NULL,
- "operatingSystem", "Samba", NULL,
- "operatingSystemVersion", VERSION, NULL,
- NULL);
-
- free(host_spn);
- free(host_upn);
- free(new_dn);
- free(samAccountName);
- free(controlstr);
-
+ char *ou_str;
+ TALLOC_CTX *ctx;
+ ADS_MODLIST mods;
+
+ if (!(ctx = talloc_init_named("machine_account")))
+ return ADS_ERROR(LDAP_NO_MEMORY);
+
+ ret = ADS_ERROR(LDAP_NO_MEMORY);
+
+ if (!(host_spn = talloc_asprintf(ctx, "HOST/%s", hostname)))
+ goto done;
+ if (!(host_upn = talloc_asprintf(ctx, "%s@%s", host_spn, ads->realm)))
+ goto done;
+ ou_str = ads_ou_string(org_unit);
+ new_dn = talloc_asprintf(ctx, "cn=%s,%s,%s", hostname, ou_str,
+ ads->bind_path);
+ free(ou_str);
+ if (!new_dn)
+ goto done;
+
+ if (!(samAccountName = talloc_asprintf(ctx, "%s$", hostname)))
+ goto done;
+ if (!(controlstr = talloc_asprintf(ctx, "%u",
+ UF_DONT_EXPIRE_PASSWD | UF_WORKSTATION_TRUST_ACCOUNT |
+ UF_TRUSTED_FOR_DELEGATION | UF_USE_DES_KEY_ONLY)))
+ goto done;
+
+ if (!(mods = ads_init_mods(ctx)))
+ goto done;
+
+ ads_mod_add(ctx, &mods, "cn", hostname);
+ ads_mod_add(ctx, &mods, "sAMAccountName", samAccountName);
+ ads_mod_add_var(ctx, &mods, LDAP_MOD_ADD, "objectClass",
+ "top", "person", "organizationalPerson",
+ "user", "computer", NULL);
+ ads_mod_add(ctx, &mods, "userPrincipalName", host_upn);
+ ads_mod_add(ctx, &mods, "servicePrincipalName", host_spn);
+ ads_mod_add(ctx, &mods, "dNSHostName", hostname);
+ ads_mod_add(ctx, &mods, "userAccountControl", controlstr);
+ ads_mod_add(ctx, &mods, "operatingSystem", "Samba");
+ ads_mod_add(ctx, &mods, "operatingSystemVersion", VERSION);
+
+ ret = ads_gen_add(ads, new_dn, mods);
+
+done:
+ talloc_destroy(ctx);
return ret;
}
void (*handler)(const char *, struct berval **);
} handlers[] = {
{"objectGUID", dump_binary},
+ {"nTSecurityDescriptor", dump_binary},
{"objectSid", dump_sid},
{NULL, NULL}
};
status = ads_find_machine_acct(ads, (void **)&res, host);
if (ADS_ERR_OK(status) && ads_count_replies(ads, res) == 1) {
- DEBUG(0, ("Host account for %s already exists\n", host));
- return ADS_SUCCESS;
+ DEBUG(0, ("Host account for %s already exists - deleting for readd\n", host));
+ status = ads_leave_realm(ads, host);
+ if (!ADS_ERR_OK(status)) {
+ DEBUG(0, ("Failed to delete host '%s' from the '%s' realm.\n",
+ host, ads->realm));
+ return status;
+ }
}
status = ads_add_machine_acct(ads, host, org_unit);
return status;
}
- hostnameDN = ldap_get_dn(ads->ld, (LDAPMessage *)res);
+ hostnameDN = ads_get_dn(ads, (LDAPMessage *)res);
rc = ldap_delete_s(ads->ld, hostnameDN);
- ldap_memfree(hostnameDN);
+ ads_memfree(ads, hostnameDN);
if (rc != LDAP_SUCCESS) {
return ADS_ERROR(rc);
}
{
ADS_STATUS status;
char *host = strdup(hostname);
+ char *principal;
+
strlower(host);
- status = krb5_set_password(ads->kdc_server, host, ads->realm, password);
+
+ asprintf(&principal, "%s@%s", host, ads->realm);
+
+ status = krb5_set_password(ads->kdc_server, principal, password);
+
free(host);
+ free(principal);
+
return status;
}
for (i=0, msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
(*names)[i] = ads_pull_string(ads, mem_ctx, msg, "flatName");
- ads_pull_sid(ads, msg, "securityIdentifier", &(*sids)[i]);
- i++;
+ if (ads_pull_sid(ads, msg, "securityIdentifier", &(*sids)[i])) {
+ i++;
+ }
}
ads_msgfree(ads, res);
return ADS_SUCCESS;
}
+/* find the domain sid for our domain */
+ADS_STATUS ads_domain_sid(ADS_STRUCT *ads, DOM_SID *sid)
+{
+ const char *attrs[] = {"objectSid", NULL};
+ void *res;
+ ADS_STATUS rc;
+
+ rc = ads_do_search(ads, ads->bind_path, LDAP_SCOPE_BASE, "(objectclass=*)",
+ attrs, &res);
+ if (!ADS_ERR_OK(rc)) return rc;
+ if (!ads_pull_sid(ads, res, "objectSid", sid)) {
+ return ADS_ERROR_SYSTEM(ENOENT);
+ }
+ ads_msgfree(ads, res);
+
+ return ADS_SUCCESS;
+}
+
#endif