authorGerald Carter <jerry@samba.org>2004-01-13 17:55:43 +0000
committerGerald Carter <jerry@samba.org>2004-01-13 17:55:43 +0000
commit0c9adb69858c7572320d18c0fd187dd6e885f17d (patch)
treed58b1ad6bbc5ca0e9f71d17ebdaa9905268fa1d4 /source3/libsmb
parent60079bd15bee7fe71dd43cb131f6198ca28f74eb (diff)
sync HEAD with recent changes in 3.0
(This used to be commit c98399e3c9d74e19b7c9d806ca8028b48866931e)
Diffstat (limited to 'source3/libsmb')
-rw-r--r--source3/libsmb/cliconnect.c46
-rw-r--r--source3/libsmb/clikrb5.c24
-rw-r--r--source3/libsmb/clispnego.c17
-rw-r--r--source3/libsmb/namequery.c86
4 files changed, 104 insertions, 69 deletions
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 28de7fc9f3..707a33881d 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -53,6 +53,13 @@ static BOOL cli_session_setup_lanman2(struct cli_state *cli, const char *user,
if (passlen > sizeof(pword)-1)
return False;
+ /* LANMAN servers predate NT status codes and Unicode and ignore those
+ smb flags so we must disable the corresponding default capabilities
+ that would otherwise cause the Unicode and NT Status flags to be
+ set (and even returned by the server) */
+
+ cli->capabilities &= ~(CAP_UNICODE | CAP_STATUS32);
+
/* if in share level security then don't send a password now */
if (!(cli->sec_mode & NEGOTIATE_SECURITY_USER_LEVEL))
passlen = 0;
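Review bot: The mask is applied to `cli->capabilities` itself and nothing in this hunk restores it, so once the LANMAN path has been tried the connection stays without Unicode and NT status codes even if this setup then fails. Whether the same `cli` can later be reused for another setup method is not visible here. If it can, the comment should say so, e.g. `/* NOTE: this change to cli->capabilities persists for the life of the connection */`. The function body continues outside the hunk.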
@@ -493,19 +500,22 @@ static void use_in_memory_ccache(void) {
Do a spnego/kerberos encrypted session setup.
****************************************************************************/
-static NTSTATUS cli_session_setup_kerberos(struct cli_state *cli, const char *principal, const char *workgroup)
+static ADS_STATUS cli_session_setup_kerberos(struct cli_state *cli, const char *principal, const char *workgroup)
{
DATA_BLOB blob2, negTokenTarg;
DATA_BLOB session_key_krb5;
DATA_BLOB null_blob = data_blob(NULL, 0);
-
+ int rc;
+
DEBUG(2,("Doing kerberos session setup\n"));
/* generate the encapsulated kerberos5 ticket */
- negTokenTarg = spnego_gen_negTokenTarg(principal, 0, &session_key_krb5);
+ rc = spnego_gen_negTokenTarg(principal, 0, &negTokenTarg, &session_key_krb5);
- if (!negTokenTarg.data)
- return NT_STATUS_UNSUCCESSFUL;
+ if (rc) {
+ DEBUG(1, ("spnego_gen_negTokenTarg failed: %s\n", error_message(rc)));
+ return ADS_ERROR_KRB5(rc);
+ }
#if 0
file_save("negTokenTarg.dat", negTokenTarg.data, negTokenTarg.length);
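Review bot: The removed `!negTokenTarg.data` test has no replacement, and `rc` only carries the result of `cli_krb5_get_ticket()`. In the clispnego.c hunk `spnego_gen_negTokenTarg()` returns `retval` unchanged after `gen_negTokenTarg()`, so a failed wrap would come back as 0 with an empty blob that is then used for the session setup. I would keep the blob check next to the new one, `if (negTokenTarg.data == NULL) return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);`, or set a non-zero `retval` in `spnego_gen_negTokenTarg()` when `targ->data` is NULL. The same gap applies to `*ticket = data_blob(...)` in the clikrb5.c hunk; this function's body continues outside the hunk.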
@@ -524,10 +534,10 @@ static NTSTATUS cli_session_setup_kerberos(struct cli_state *cli, const char *pr
if (cli_is_error(cli)) {
if (NT_STATUS_IS_OK(cli_nt_error(cli))) {
- return NT_STATUS_UNSUCCESSFUL;
+ return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
}
}
- return NT_STATUS_OK;
+ return ADS_ERROR_NT(cli_nt_error(cli));
}
#endif /* HAVE_KRB5 */
@@ -537,7 +547,7 @@ static NTSTATUS cli_session_setup_kerberos(struct cli_state *cli, const char *pr
****************************************************************************/
static NTSTATUS cli_session_setup_ntlmssp(struct cli_state *cli, const char *user,
- const char *pass, const char *workgroup)
+ const char *pass, const char *domain)
{
struct ntlmssp_state *ntlmssp_state;
NTSTATUS nt_status;
@@ -556,7 +566,7 @@ static NTSTATUS cli_session_setup_ntlmssp(struct cli_state *cli, const char *use
if (!NT_STATUS_IS_OK(nt_status = ntlmssp_set_username(ntlmssp_state, user))) {
return nt_status;
}
- if (!NT_STATUS_IS_OK(nt_status = ntlmssp_set_domain(ntlmssp_state, workgroup))) {
+ if (!NT_STATUS_IS_OK(nt_status = ntlmssp_set_domain(ntlmssp_state, domain))) {
return nt_status;
}
if (!NT_STATUS_IS_OK(nt_status = ntlmssp_set_password(ntlmssp_state, pass))) {
@@ -654,8 +664,8 @@ static NTSTATUS cli_session_setup_ntlmssp(struct cli_state *cli, const char *use
Do a spnego encrypted session setup.
****************************************************************************/
-NTSTATUS cli_session_setup_spnego(struct cli_state *cli, const char *user,
- const char *pass, const char *workgroup)
+ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user,
+ const char *pass, const char *domain)
{
char *principal;
char *OIDs[ASN1_MAX_OIDS];
@@ -682,7 +692,7 @@ NTSTATUS cli_session_setup_spnego(struct cli_state *cli, const char *user,
reply */
if (!spnego_parse_negTokenInit(blob, OIDs, &principal)) {
data_blob_free(&blob);
- return NT_STATUS_INVALID_PARAMETER;
+ return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
}
data_blob_free(&blob);
@@ -712,11 +722,11 @@ NTSTATUS cli_session_setup_spnego(struct cli_state *cli, const char *user,
if (ret){
DEBUG(0, ("Kinit failed: %s\n", error_message(ret)));
- return NT_STATUS_LOGON_FAILURE;
+ return ADS_ERROR_KRB5(ret);
}
}
- return cli_session_setup_kerberos(cli, principal, workgroup);
+ return cli_session_setup_kerberos(cli, principal, domain);
}
#endif
@@ -724,7 +734,7 @@ NTSTATUS cli_session_setup_spnego(struct cli_state *cli, const char *user,
ntlmssp:
- return cli_session_setup_ntlmssp(cli, user, pass, workgroup);
+ return ADS_ERROR_NT(cli_session_setup_ntlmssp(cli, user, pass, domain));
}
/****************************************************************************
@@ -805,9 +815,9 @@ BOOL cli_session_setup(struct cli_state *cli,
/* if the server supports extended security then use SPNEGO */
if (cli->capabilities & CAP_EXTENDED_SECURITY) {
- NTSTATUS nt_status;
- if (!NT_STATUS_IS_OK(nt_status = cli_session_setup_spnego(cli, user, pass, workgroup))) {
- DEBUG(3, ("SPENGO login failed: %s\n", get_friendly_nt_error_msg(nt_status)));
+ ADS_STATUS status = cli_session_setup_spnego(cli, user, pass, workgroup);
+ if (!ADS_ERR_OK(status)) {
+ DEBUG(3, ("SPENGO login failed: %s\n", ads_errstr(status)));
return False;
}
return True;
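Review bot: The rewritten DEBUG line keeps the misspelling `SPENGO`, so anyone searching the logs for SPNEGO authentication failures will miss these entries. Since the line is being touched anyway, `DEBUG(3, ("SPNEGO login failed: %s\n", ads_errstr(status)));` would fix it. The enclosing function starts and ends outside the hunk.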
diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c
index 5568b5e033..15b244a83d 100644
--- a/source3/libsmb/clikrb5.c
+++ b/source3/libsmb/clikrb5.c
@@ -307,14 +307,14 @@ cleanup_princ:
/*
get a kerberos5 ticket for the given service
*/
-DATA_BLOB cli_krb5_get_ticket(const char *principal, time_t time_offset, DATA_BLOB *session_key_krb5)
+int cli_krb5_get_ticket(const char *principal, time_t time_offset,
+ DATA_BLOB *ticket, DATA_BLOB *session_key_krb5)
{
krb5_error_code retval;
krb5_data packet;
krb5_ccache ccdef;
krb5_context context;
krb5_auth_context auth_context = NULL;
- DATA_BLOB ret;
krb5_enctype enc_types[] = {
#ifdef ENCTYPE_ARCFOUR_HMAC
ENCTYPE_ARCFOUR_HMAC,
@@ -356,17 +356,18 @@ DATA_BLOB cli_krb5_get_ticket(const char *principal, time_t time_offset, DATA_BL
get_krb5_smb_session_key(context, auth_context, session_key_krb5, False);
- ret = data_blob(packet.data, packet.length);
+ *ticket = data_blob(packet.data, packet.length);
+
/* Hmm, heimdal dooesn't have this - what's the correct call? */
-/* krb5_free_data_contents(context, &packet); */
- krb5_free_context(context);
- return ret;
+#ifdef HAVE_KRB5_FREE_DATA_CONTENTS
+ krb5_free_data_contents(context, &packet);
+#endif
failed:
if ( context )
krb5_free_context(context);
- return data_blob(NULL, 0);
+ return retval;
}
BOOL get_krb5_smb_session_key(krb5_context context, krb5_auth_context auth_context, DATA_BLOB *session_key, BOOL remote)
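Review bot: The success path now falls through into the `failed:` label and returns whatever `retval` held after the last krb5 call, while the BOOL result of `get_krb5_smb_session_key()` is still discarded, so a caller can receive 0 with no session key filled in. At minimum the failure should be visible, e.g. `if (!get_krb5_smb_session_key(context, auth_context, session_key_krb5, False)) DEBUG(1, ("cli_krb5_get_ticket: no session key\n"));`, and the label would read better as `out:` now that both paths share it. On builds without HAVE_KRB5_FREE_DATA_CONTENTS `packet` is never released, so each ticket request appears to leak the request buffer. Heimdal's `krb5_data_free(&packet)` looks like the counterpart, to be confirmed against the configure checks. The function begins outside the hunk.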
@@ -410,10 +411,11 @@ failed:
#else /* HAVE_KRB5 */
/* this saves a few linking headaches */
-DATA_BLOB cli_krb5_get_ticket(const char *principal, time_t time_offset, DATA_BLOB *session_key_krb5)
- {
+int cli_krb5_get_ticket(const char *principal, time_t time_offset,
+ DATA_BLOB *ticket, DATA_BLOB *session_key_krb5)
+{
DEBUG(0,("NO KERBEROS SUPPORT\n"));
- return data_blob(NULL, 0);
- }
+ return 1;
+}
#endif
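Review bot: The stub returns a bare `1`, which callers treat as a krb5 error code and pass to `error_message()` and `ADS_ERROR_KRB5()`, so a build without Kerberos would report an unrelated error text instead of the missing support. It also leaves `*ticket` unset. Adding `*ticket = data_blob(NULL, 0);` before the return would keep the out-parameter defined for any caller that frees it unconditionally. A one-line comment on the return convention (0 on success, non-zero error code otherwise) above both definitions of `cli_krb5_get_ticket()` would make the new interface clear.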
diff --git a/source3/libsmb/clispnego.c b/source3/libsmb/clispnego.c
index 92543736ff..e6cadc466c 100644
--- a/source3/libsmb/clispnego.c
+++ b/source3/libsmb/clispnego.c
@@ -323,27 +323,30 @@ BOOL spnego_parse_krb5_wrap(DATA_BLOB blob, DATA_BLOB *ticket, uint8 tok_id[2])
generate a SPNEGO negTokenTarg packet, ready for a EXTENDED_SECURITY
kerberos session setup
*/
-DATA_BLOB spnego_gen_negTokenTarg(const char *principal, int time_offset, DATA_BLOB *session_key_krb5)
+int spnego_gen_negTokenTarg(const char *principal, int time_offset,
+ DATA_BLOB *targ,
+ DATA_BLOB *session_key_krb5)
{
- DATA_BLOB tkt, tkt_wrapped, targ;
+ int retval;
+ DATA_BLOB tkt, tkt_wrapped;
const char *krb_mechs[] = {OID_KERBEROS5_OLD, OID_NTLMSSP, NULL};
/* get a kerberos ticket for the service and extract the session key */
- tkt = cli_krb5_get_ticket(principal, time_offset, session_key_krb5);
+ retval = cli_krb5_get_ticket(principal, time_offset, &tkt, session_key_krb5);
- if (tkt.data == NULL)
- return tkt;
+ if (retval)
+ return retval;
/* wrap that up in a nice GSS-API wrapping */
tkt_wrapped = spnego_gen_krb5_wrap(tkt, TOK_ID_KRB_AP_REQ);
/* and wrap that in a shiny SPNEGO wrapper */
- targ = gen_negTokenTarg(krb_mechs, tkt_wrapped);
+ *targ = gen_negTokenTarg(krb_mechs, tkt_wrapped);
data_blob_free(&tkt_wrapped);
data_blob_free(&tkt);
- return targ;
+ return retval;
}
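Review bot: The header comment still describes only what the function builds and says nothing about the new contract introduced by the signature change. I would extend it to state that the return value is the error code from `cli_krb5_get_ticket()` with 0 meaning success, that `*targ` is written only when the ticket request succeeds, and that the caller is presumably responsible for freeing `*targ` and `*session_key_krb5`. Note also that `time_offset` is `int` here but `time_t` in `cli_krb5_get_ticket()`; making the two agree would avoid a silent conversion.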
diff --git a/source3/libsmb/namequery.c b/source3/libsmb/namequery.c
index c7cc4848b7..83902971b0 100644
--- a/source3/libsmb/namequery.c
+++ b/source3/libsmb/namequery.c
@@ -884,6 +884,40 @@ static BOOL resolve_hosts(const char *name, int name_type,
*/
struct hostent *hp;
+ if ( name_type != 0x20 && name_type != 0x0) {
+ DEBUG(5, ("resolve_hosts: not appropriate for name type <0x%x>\n", name_type));
+ return False;
+ }
+
+ *return_iplist = NULL;
+ *return_count = 0;
+
+ DEBUG(3,("resolve_hosts: Attempting host lookup for name %s<0x%x>\n", name, name_type));
+
+ if (((hp = sys_gethostbyname(name)) != NULL) && (hp->h_addr != NULL)) {
+ struct in_addr return_ip;
+ putip((char *)&return_ip,(char *)hp->h_addr);
+ *return_iplist = (struct ip_service *)malloc(sizeof(struct ip_service));
+ if(*return_iplist == NULL) {
+ DEBUG(3,("resolve_hosts: malloc fail !\n"));
+ return False;
+ }
+ (*return_iplist)->ip = return_ip;
+ (*return_iplist)->port = PORT_NONE;
+ *return_count = 1;
+ return True;
+ }
+ return False;
+}
+
+/********************************************************
+ Resolve via "ADS" method.
+*********************************************************/
+
+static BOOL resolve_ads(const char *name, int name_type,
+ struct ip_service **return_iplist, int *return_count)
+{
+
#ifdef HAVE_ADS
if ( name_type == 0x1c ) {
int count, i = 0;
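Review bot: In the new `resolve_hosts()` the early `return False` for other name types comes before `*return_iplist = NULL;` and `*return_count = 0;`, so on that path the out-parameters keep whatever the caller passed in. Moving the two assignments above the `name_type` check gives every exit a defined result. The lookup copies `hp->h_addr` without looking at `hp->h_addrtype`; that is carried over from the old code, but a test such as `hp->h_addrtype == AF_INET` before `putip()` would make the IPv4 assumption explicit. `resolve_ads()` starts in this hunk and its body continues outside it.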
@@ -935,28 +969,11 @@ static BOOL resolve_hosts(const char *name, int name_type,
*return_count = i;
return True;
- }
+ } else
#endif /* HAVE_ADS */
-
- *return_iplist = NULL;
- *return_count = 0;
-
- DEBUG(3,("resolve_hosts: Attempting host lookup for name %s<0x20>\n", name));
-
- if (((hp = sys_gethostbyname(name)) != NULL) && (hp->h_addr != NULL)) {
- struct in_addr return_ip;
- putip((char *)&return_ip,(char *)hp->h_addr);
- *return_iplist = (struct ip_service *)malloc(sizeof(struct ip_service));
- if(*return_iplist == NULL) {
- DEBUG(3,("resolve_hosts: malloc fail !\n"));
- return False;
- }
- (*return_iplist)->ip = return_ip;
- (*return_iplist)->port = PORT_NONE;
- *return_count = 1;
- return True;
+ {
+ return False;
}
- return False;
}
/*******************************************************************
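Review bot: The `} else` placed just before `#endif`, followed by a free-standing `{ return False; }`, makes the control flow depend on the preprocessor: with HAVE_ADS the block is the else-branch, without it the block is the whole function body. Closing the `if` inside the `#ifdef` and ending the function with a plain `return False;` after `#endif` reads the same in both builds. On that fall-through path `resolve_ads()` does not touch `*return_iplist` or `*return_count`, so the function comment should say callers must not read them on failure. The function begins outside this hunk.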
@@ -1034,14 +1051,17 @@ static BOOL internal_resolve_name(const char *name, int name_type,
while (next_token(&ptr, tok, LIST_SEP, sizeof(tok))) {
if((strequal(tok, "host") || strequal(tok, "hosts"))) {
- /* deal with 0x20 & 0x1c names here. The latter will result
- in a SRV record lookup for _ldap._tcp.<domain> if we are using
- 'security = ads' */
- if ( name_type==0x20 || name_type == 0x1c ) {
- if (resolve_hosts(name, name_type, return_iplist, return_count)) {
- result = True;
- goto done;
- }
+ if (resolve_hosts(name, name_type, return_iplist, return_count)) {
+ result = True;
+ goto done;
+ }
+ } else if(strequal( tok, "ads")) {
+ /* deal with 0x1c names here. This will result in a
+ SRV record lookup for _ldap._tcp.<domain> if we
+ are using 'security = ads' */
+ if (resolve_ads(name, name_type, return_iplist, return_count)) {
+ result = True;
+ goto done;
}
} else if(strequal( tok, "lmhosts")) {
if (resolve_lmhosts(name, name_type, return_iplist, return_count)) {
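Review bot: 0x1c lookups no longer reach the SRV code through the `host`/`hosts` token, so an existing `name resolve order` that lists `host` but not `ads` will skip the DNS lookup for domain controllers and move on to the remaining methods in the list. Where those are WINS or broadcast, DC location depends on unauthenticated NetBIOS replies, which matters for a client about to authenticate to whatever address comes back. The default resolve order is not visible here, so this may already be handled. Even so, the comment should state the requirement, e.g. `/* 0x1c names are resolved via SRV only when "ads" is listed in name resolve order */`, and the change deserves a line in the release notes. The loop continues outside the hunk.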
@@ -1207,14 +1227,14 @@ BOOL get_pdc_ip(const char *domain, struct in_addr *ip)
/*********************************************************************
small wrapper function to get the DC list and sort it if neccessary
*********************************************************************/
-BOOL get_sorted_dc_list( const char *domain, struct ip_service **ip_list, int *count, BOOL dns_only )
+BOOL get_sorted_dc_list( const char *domain, struct ip_service **ip_list, int *count, BOOL ads_only )
{
BOOL ordered;
DEBUG(8,("get_sorted_dc_list: attempting lookup using [%s]\n",
- (dns_only ? "hosts" : lp_name_resolve_order())));
+ (ads_only ? "ads" : lp_name_resolve_order())));
- if ( !get_dc_list(domain, ip_list, count, dns_only, &ordered) )
+ if ( !get_dc_list(domain, ip_list, count, ads_only, &ordered) )
return False;
/* only sort if we don't already have an ordered list */
@@ -1230,11 +1250,11 @@ BOOL get_sorted_dc_list( const char *domain, struct ip_service **ip_list, int *c
*********************************************************/
BOOL get_dc_list(const char *domain, struct ip_service **ip_list,
- int *count, BOOL dns_only, int *ordered)
+ int *count, BOOL ads_only, int *ordered)
{
/* defined the name resolve order to internal_name_resolve()
only used for looking up 0x1c names */
- const char *resolve_oder = (dns_only ? "hosts" : lp_name_resolve_order());
+ const char *resolve_oder = (ads_only ? "ads" : lp_name_resolve_order());
*ordered = False;