diff options
| author | Stefan Metzmacher <metze@samba.org> | 2005-09-20 08:30:30 +0000 |
|---|---|---|
| committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 13:38:30 -0500 |
| commit | 444fcf12ef6ba93bd591da124620feaa1d60b444 (patch) | |
| tree | b085c5dbebe70e10768060b81c3b050c5f6b8e46 /source4 | |
| parent | efa30b073fb1121f61034d9ad60d0a76f14b3cd9 (diff) | |
| download | samba-444fcf12ef6ba93bd591da124620feaa1d60b444.tar.gz samba-444fcf12ef6ba93bd591da124620feaa1d60b444.tar.bz2 samba-444fcf12ef6ba93bd591da124620feaa1d60b444.zip | |
r10341: remove unused libads/ code, we'll never use this in samba4,
and have replacements for the most stuff already in the tree
discussed with abartlet
metze
(This used to be commit 18facf90e965053886abd642c71bf655d13ff5a5)
Diffstat (limited to 'source4')
| -rw-r--r-- | source4/libads/ads_ldap.c | 234 | ||||
| -rw-r--r-- | source4/libads/ads_status.c | 142 | ||||
| -rw-r--r-- | source4/libads/ads_struct.c | 140 | ||||
| -rw-r--r-- | source4/libads/disp_sec.c | 159 | ||||
| -rw-r--r-- | source4/libads/krb5_setpw.c | 689 | ||||
| -rw-r--r-- | source4/libads/ldap.c | 2140 | ||||
| -rw-r--r-- | source4/libads/ldap_printer.c | 353 | ||||
| -rw-r--r-- | source4/libads/ldap_user.c | 119 | ||||
| -rw-r--r-- | source4/libads/ldap_utils.c | 108 | ||||
| -rw-r--r-- | source4/libads/sasl.c | 438 | ||||
| -rw-r--r-- | source4/libads/util.c | 67 |
11 files changed, 0 insertions, 4589 deletions
diff --git a/source4/libads/ads_ldap.c b/source4/libads/ads_ldap.c deleted file mode 100644 index 1b1613e90c..0000000000 --- a/source4/libads/ads_ldap.c +++ /dev/null @@ -1,234 +0,0 @@ -/* - Unix SMB/CIFS implementation. - - Winbind ADS backend functions - - Copyright (C) Andrew Tridgell 2001 - Copyright (C) Andrew Bartlett 2002 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. -*/ - -#include "includes.h" -#ifdef HAVE_LDAP - -/* convert a single name to a sid in a domain */ -NTSTATUS ads_name_to_sid(ADS_STRUCT *ads, - const char *name, - DOM_SID *sid, - enum samr_SidType *type) -{ - const char *attrs[] = {"objectSid", "sAMAccountType", NULL}; - int count; - ADS_STATUS rc; - void *res = NULL; - char *ldap_exp; - uint32_t t; - NTSTATUS status = NT_STATUS_UNSUCCESSFUL; - char *escaped_name = escape_ldap_string_alloc(name); - char *escaped_realm = escape_ldap_string_alloc(ads->config.realm); - - if (!escaped_name || !escaped_realm) { - status = NT_STATUS_NO_MEMORY; - goto done; - } - - if (asprintf(&ldap_exp, "(|(sAMAccountName=%s)(userPrincipalName=%s@%s))", - escaped_name, escaped_name, escaped_realm) == -1) { - DEBUG(1,("ads_name_to_sid: asprintf failed!\n")); - status = NT_STATUS_NO_MEMORY; - goto done; - } - - rc = ads_search_retry(ads, &res, ldap_exp, attrs); - free(ldap_exp); - if (!ADS_ERR_OK(rc)) { - DEBUG(1,("name_to_sid ads_search: %s\n", ads_errstr(rc))); - goto done; - } - - count = ads_count_replies(ads, res); - if (count != 1) { - DEBUG(1,("name_to_sid: %s not found\n", name)); - goto done; - } - - if (!ads_pull_sid(ads, res, "objectSid", sid)) { - DEBUG(1,("No sid for %s !?\n", name)); - goto done; - } - - if (!ads_pull_uint32_t(ads, res, "sAMAccountType", &t)) { - DEBUG(1,("No sAMAccountType for %s !?\n", name)); - goto done; - } - - *type = ads_atype_map(t); - - status = NT_STATUS_OK; - - DEBUG(3,("ads name_to_sid mapped %s\n", name)); - -done: - if (res) ads_msgfree(ads, res); - - SAFE_FREE(escaped_name); - SAFE_FREE(escaped_realm); - - return status; -} - -/* convert a sid to a user or group name */ -NTSTATUS ads_sid_to_name(ADS_STRUCT *ads, - TALLOC_CTX *mem_ctx, - const DOM_SID *sid, - char **name, - enum samr_SidType *type) -{ - const char *attrs[] = {"userPrincipalName", - "sAMAccountName", - "sAMAccountType", NULL}; - ADS_STATUS rc; - void *msg = NULL; - char *ldap_exp = NULL; - char *sidstr = NULL; - uint32_t atype; - NTSTATUS status = NT_STATUS_UNSUCCESSFUL; - - if (!(sidstr = sid_binstring(sid))) { - DEBUG(1,("ads_sid_to_name: sid_binstring failed!\n")); - status = NT_STATUS_NO_MEMORY; - goto done; - } - - if (asprintf(&ldap_exp, "(objectSid=%s)", sidstr) == -1) { - DEBUG(1,("ads_sid_to_name: asprintf failed!\n")); - status = NT_STATUS_NO_MEMORY; - goto done; - } - - rc = ads_search_retry(ads, &msg, ldap_exp, attrs); - if (!ADS_ERR_OK(rc)) { - status = ads_ntstatus(rc); - DEBUG(1,("ads_sid_to_name ads_search: %s\n", ads_errstr(rc))); - goto done; - } - - if (!ads_pull_uint32_t(ads, msg, "sAMAccountType", &atype)) { - goto done; - } - - *name = ads_pull_username(ads, mem_ctx, msg); - if (!*name) { - DEBUG(1,("ads_sid_to_name: ads_pull_username retuned NULL!\n")); - status = NT_STATUS_NO_MEMORY; - goto done; - } - - *type = ads_atype_map(atype); - - status = NT_STATUS_OK; - - DEBUG(3,("ads sid_to_name mapped %s\n", *name)); - -done: - if (msg) ads_msgfree(ads, msg); - - SAFE_FREE(ldap_exp); - SAFE_FREE(sidstr); - - return status; -} - - -/* convert a sid to a DN */ - -ADS_STATUS ads_sid_to_dn(ADS_STRUCT *ads, - TALLOC_CTX *mem_ctx, - const DOM_SID *sid, - char **dn) -{ - ADS_STATUS rc; - LDAPMessage *msg = NULL; - LDAPMessage *entry = NULL; - char *ldap_exp; - char *sidstr = NULL; - int count; - char *dn2 = NULL; - - const char *attr[] = { - "dn", - NULL - }; - - if (!(sidstr = sid_binstring(sid))) { - DEBUG(1,("ads_sid_to_dn: sid_binstring failed!\n")); - rc = ADS_ERROR_NT(NT_STATUS_NO_MEMORY); - goto done; - } - - if(!(ldap_exp = talloc_asprintf(mem_ctx, "(objectSid=%s)", sidstr))) { - DEBUG(1,("ads_sid_to_dn: talloc_asprintf failed!\n")); - rc = ADS_ERROR_NT(NT_STATUS_NO_MEMORY); - goto done; - } - - rc = ads_search_retry(ads, (void **)&msg, ldap_exp, attr); - - if (!ADS_ERR_OK(rc)) { - DEBUG(1,("ads_sid_to_dn ads_search: %s\n", ads_errstr(rc))); - goto done; - } - - if ((count = ads_count_replies(ads, msg)) != 1) { - fstring sid_string; - DEBUG(1,("ads_sid_to_dn (sid=%s): Not found (count=%d)\n", - sid_to_string(sid_string, sid), count)); - rc = ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL); - goto done; - } - - entry = ads_first_entry(ads, msg); - - dn2 = ads_get_dn(ads, entry); - - if (!dn2) { - rc = ADS_ERROR_NT(NT_STATUS_NO_MEMORY); - goto done; - } - - *dn = talloc_strdup(mem_ctx, dn2); - - if (!*dn) { - ads_memfree(ads, dn2); - rc = ADS_ERROR_NT(NT_STATUS_NO_MEMORY); - goto done; - } - - rc = ADS_ERROR_NT(NT_STATUS_OK); - - DEBUG(3,("ads sid_to_dn mapped %s\n", dn2)); - - SAFE_FREE(dn2); -done: - if (msg) ads_msgfree(ads, msg); - if (dn2) ads_memfree(ads, dn2); - - SAFE_FREE(sidstr); - - return rc; -} - -#endif diff --git a/source4/libads/ads_status.c b/source4/libads/ads_status.c deleted file mode 100644 index 9ad07bce99..0000000000 --- a/source4/libads/ads_status.c +++ /dev/null @@ -1,142 +0,0 @@ -/* - Unix SMB/CIFS implementation. - ads (active directory) utility library - Copyright (C) Andrew Tridgell 2001 - Copyright (C) Remus Koos 2001 - Copyright (C) Andrew Bartlett 2001 - - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. -*/ - -#include "includes.h" - -/* - build a ADS_STATUS structure -*/ -ADS_STATUS ads_build_error(enum ads_error_type etype, - int rc, int minor_status) -{ - ADS_STATUS ret; - - if (etype == ENUM_ADS_ERROR_NT) { - DEBUG(0,("don't use ads_build_error with ENUM_ADS_ERROR_NT!\n")); - ret.err.rc = -1; - ret.error_type = ENUM_ADS_ERROR_SYSTEM; - ret.minor_status = 0; - return ret; - } - - ret.err.rc = rc; - ret.error_type = etype; - ret.minor_status = minor_status; - return ret; -} - -ADS_STATUS ads_build_nt_error(enum ads_error_type etype, - NTSTATUS nt_status) -{ - ADS_STATUS ret; - - if (etype != ENUM_ADS_ERROR_NT) { - DEBUG(0,("don't use ads_build_nt_error without ENUM_ADS_ERROR_NT!\n")); - ret.err.rc = -1; - ret.error_type = ENUM_ADS_ERROR_SYSTEM; - ret.minor_status = 0; - return ret; - } - ret.err.nt_status = nt_status; - ret.error_type = etype; - ret.minor_status = 0; - return ret; -} - -/* - do a rough conversion between ads error codes and NT status codes - we'll need to fill this in more -*/ -NTSTATUS ads_ntstatus(ADS_STATUS status) -{ - if (status.error_type == ENUM_ADS_ERROR_NT){ - return status.err.nt_status; - } -#ifdef HAVE_LDAP - if ((status.error_type == ENUM_ADS_ERROR_LDAP) - && (status.err.rc == LDAP_NO_MEMORY)) { - return NT_STATUS_NO_MEMORY; - } -#endif -#ifdef HAVE_KRB5 - if (status.error_type == ENUM_ADS_ERROR_KRB5) { - if (status.err.rc == KRB5KDC_ERR_PREAUTH_FAILED) { - return NT_STATUS_LOGON_FAILURE; - } else if (status.err.rc == KRB5_KDC_UNREACH) { - return NT_STATUS_NO_LOGON_SERVERS; - } - } -#endif - if (ADS_ERR_OK(status)) return NT_STATUS_OK; - return NT_STATUS_UNSUCCESSFUL; -} - -/* - return a string for an error from a ads routine -*/ -const char *ads_errstr(ADS_STATUS status) -{ - uint32_t msg_ctx; - static char *ret; - - SAFE_FREE(ret); - msg_ctx = 0; - - switch (status.error_type) { - case ENUM_ADS_ERROR_SYSTEM: - return strerror(status.err.rc); -#ifdef HAVE_LDAP - case ENUM_ADS_ERROR_LDAP: - return ldap_err2string(status.err.rc); -#endif -#ifdef HAVE_KRB5 - case ENUM_ADS_ERROR_KRB5: - return error_message(status.err.rc); -#endif -#ifdef HAVE_GSSAPI - case ENUM_ADS_ERROR_GSS: - { - uint32_t minor; - - gss_buffer_desc msg1, msg2; - msg1.value = NULL; - msg2.value = NULL; - gss_display_status(&minor, status.err.rc, GSS_C_GSS_CODE, - GSS_C_NULL_OID, &msg_ctx, &msg1); - gss_display_status(&minor, status.minor_status, GSS_C_MECH_CODE, - GSS_C_NULL_OID, &msg_ctx, &msg2); - asprintf(&ret, "%s : %s", (char *)msg1.value, (char *)msg2.value); - gss_release_buffer(&minor, &msg1); - gss_release_buffer(&minor, &msg2); - return ret; - } -#endif - case ENUM_ADS_ERROR_NT: - return get_friendly_nt_error_msg(ads_ntstatus(status)); - default: - return "Unknown ADS error type!? (not compiled in?)"; - } - -} - - diff --git a/source4/libads/ads_struct.c b/source4/libads/ads_struct.c deleted file mode 100644 index a6c679e002..0000000000 --- a/source4/libads/ads_struct.c +++ /dev/null @@ -1,140 +0,0 @@ -/* - Unix SMB/CIFS implementation. - ads (active directory) utility library - Copyright (C) Andrew Tridgell 2001 - Copyright (C) Andrew Bartlett 2001 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. -*/ - -#include "includes.h" - -/* return a ldap dn path from a string, given separators and field name - caller must free -*/ -char *ads_build_path(const char *realm, const char *sep, const char *field, int reverse) -{ - char *p, *r; - int numbits = 0; - char *ret; - int len; - - r = strdup(realm); - - if (!r || !*r) - return r; - - for (p=r; *p; p++) - if (strchr(sep, *p)) - numbits++; - - len = (numbits+1)*(strlen(field)+1) + strlen(r) + 1; - - ret = malloc(len); - if (!ret) - return NULL; - - strlcpy(ret,field, len); - p=strtok(r,sep); - strlcat(ret, p, len); - - while ((p=strtok(NULL,sep))) { - char *s; - if (reverse) - asprintf(&s, "%s%s,%s", field, p, ret); - else - asprintf(&s, "%s,%s%s", ret, field, p); - free(ret); - ret = s; - } - - free(r); - return ret; -} - -/* return a dn of the form "dc=AA,dc=BB,dc=CC" from a - realm of the form AA.BB.CC - caller must free -*/ -char *ads_build_dn(const char *realm) -{ - return ads_build_path(realm, ".", "dc=", 0); -} - - -#ifndef LDAP_PORT -#define LDAP_PORT 389 -#endif - -/* - initialise a ADS_STRUCT, ready for some ads_ ops -*/ -ADS_STRUCT *ads_init(const char *realm, - const char *workgroup, - const char *ldap_server) -{ - ADS_STRUCT *ads; - - ads = smb_xmalloc_p(ADS_STRUCT); - ZERO_STRUCTP(ads); - - ads->server.realm = realm? strdup(realm) : NULL; - ads->server.workgroup = workgroup ? strdup(workgroup) : NULL; - ads->server.ldap_server = ldap_server? strdup(ldap_server) : NULL; - - /* we need to know if this is a foreign realm */ - if (realm && *realm && !strequal(lp_realm(), realm)) { - ads->server.foreign = 1; - } - if (workgroup && *workgroup && !strequal(lp_workgroup(), workgroup)) { - ads->server.foreign = 1; - } - - return ads; -} - -/* a simpler ads_init() interface using all defaults */ -ADS_STRUCT *ads_init_simple(void) -{ - return ads_init(NULL, NULL, NULL); -} - -/* - free the memory used by the ADS structure initialized with 'ads_init(...)' -*/ -void ads_destroy(ADS_STRUCT **ads) -{ - if (ads && *ads) { -#if HAVE_LDAP - if ((*ads)->ld) ldap_unbind((*ads)->ld); -#endif - SAFE_FREE((*ads)->server.realm); - SAFE_FREE((*ads)->server.workgroup); - SAFE_FREE((*ads)->server.ldap_server); - SAFE_FREE((*ads)->server.ldap_uri); - - SAFE_FREE((*ads)->auth.realm); - SAFE_FREE((*ads)->auth.password); - SAFE_FREE((*ads)->auth.user_name); - SAFE_FREE((*ads)->auth.kdc_server); - - SAFE_FREE((*ads)->config.realm); - SAFE_FREE((*ads)->config.bind_path); - SAFE_FREE((*ads)->config.ldap_server_name); - - ZERO_STRUCTP(*ads); - SAFE_FREE(*ads); - } -} diff --git a/source4/libads/disp_sec.c b/source4/libads/disp_sec.c deleted file mode 100644 index 8cdef5e168..0000000000 --- a/source4/libads/disp_sec.c +++ /dev/null @@ -1,159 +0,0 @@ -/* - Unix SMB/CIFS implementation. - Samba utility functions. ADS stuff - Copyright (C) Alexey Kotovich 2002 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. -*/ - -#include "includes.h" - -static struct perm_mask_str { - uint32_t mask; - const char *str; -} perms[] = { - {SEC_RIGHTS_FULL_CTRL, "[Full Control]"}, - - {SEC_RIGHTS_LIST_CONTENTS, "[List Contents]"}, - {SEC_RIGHTS_LIST_OBJECT, "[List Object]"}, - - {SEC_RIGHTS_READ_ALL_PROP, "[Read All Properties]"}, - {SEC_RIGHTS_READ_PERMS, "[Read Permissions]"}, - - {SEC_RIGHTS_WRITE_ALL_VALID, "[All validate writes]"}, - {SEC_RIGHTS_WRITE_ALL_PROP, "[Write All Properties]"}, - - {SEC_RIGHTS_MODIFY_PERMS, "[Modify Permissions]"}, - {SEC_RIGHTS_MODIFY_OWNER, "[Modify Owner]"}, - - {SEC_RIGHTS_CREATE_CHILD, "[Create All Child Objects]"}, - - {SEC_RIGHTS_DELETE, "[Delete]"}, - {SEC_RIGHTS_DELETE_SUBTREE, "[Delete Subtree]"}, - {SEC_RIGHTS_DELETE_CHILD, "[Delete All Child Objects]"}, - - {SEC_RIGHTS_CHANGE_PASSWD, "[Change Password]"}, - {SEC_RIGHTS_RESET_PASSWD, "[Reset Password]"}, - {0, 0} -}; - -/* convert a security permissions into a string */ -static void ads_disp_perms(uint32_t type) -{ - int i = 0; - int j = 0; - - printf("Permissions: "); - - if (type == SEC_RIGHTS_FULL_CTRL) { - printf("%s\n", perms[j].str); - return; - } - - for (i = 0; i < 32; i++) { - if (type & (1 << i)) { - for (j = 1; perms[j].str; j ++) { - if (perms[j].mask == (((uint_t) 1) << i)) { - printf("\n\t%s", perms[j].str); - } - } - type &= ~(1 << i); - } - } - - /* remaining bits get added on as-is */ - if (type != 0) { - printf("[%08x]", type); - } - puts(""); -} - -/* display ACE */ -static void ads_disp_ace(SEC_ACE *sec_ace) -{ - const char *access_type = "UNKNOWN"; - - if (!sec_ace_object(sec_ace->type)) { - printf("------- ACE (type: 0x%02x, flags: 0x%02x, size: 0x%02x, mask: 0x%x)\n", - sec_ace->type, - sec_ace->flags, - sec_ace->size, - sec_ace->info.mask); - } else { - printf("------- ACE (type: 0x%02x, flags: 0x%02x, size: 0x%02x, mask: 0x%x, object flags: 0x%x)\n", - sec_ace->type, - sec_ace->flags, - sec_ace->size, - sec_ace->info.mask, - sec_ace->obj_flags); - } - - if (sec_ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED) { - access_type = "ALLOWED"; - } else if (sec_ace->type == SEC_ACE_TYPE_ACCESS_DENIED) { - access_type = "DENIED"; - } else if (sec_ace->type == SEC_ACE_TYPE_SYSTEM_AUDIT) { - access_type = "SYSTEM AUDIT"; - } else if (sec_ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT) { - access_type = "ALLOWED OBJECT"; - } else if (sec_ace->type == SEC_ACE_TYPE_ACCESS_DENIED_OBJECT) { - access_type = "DENIED OBJECT"; - } else if (sec_ace->type == SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT) { - access_type = "AUDIT OBJECT"; - } - - printf("access SID: %s\naccess type: %s\n", - sid_string_static(&sec_ace->trustee), access_type); - - ads_disp_perms(sec_ace->info.mask); -} - -/* display ACL */ -static void ads_disp_acl(SEC_ACL *sec_acl, const char *type) -{ - if (!sec_acl) - printf("------- (%s) ACL not present\n", type); - else { - printf("------- (%s) ACL (revision: %d, size: %d, number of ACEs: %d)\n", - type, - sec_acl->revision, - sec_acl->size, - sec_acl->num_aces); - } -} - -/* display SD */ -void ads_disp_sd(SEC_DESC *sd) -{ - int i; - - printf("-------------- Security Descriptor (revision: %d, type: 0x%02x)\n", - sd->revision, - sd->type); - printf("owner SID: %s\n", sid_string_static(sd->owner_sid)); - printf("group SID: %s\n", sid_string_static(sd->grp_sid)); - - ads_disp_acl(sd->sacl, "system"); - for (i = 0; i < sd->sacl->num_aces; i ++) - ads_disp_ace(&sd->sacl->ace[i]); - - ads_disp_acl(sd->dacl, "user"); - for (i = 0; i < sd->dacl->num_aces; i ++) - ads_disp_ace(&sd->dacl->ace[i]); - - printf("-------------- End Of Security Descriptor\n"); -} - - diff --git a/source4/libads/krb5_setpw.c b/source4/libads/krb5_setpw.c deleted file mode 100644 index 257c28e755..0000000000 --- a/source4/libads/krb5_setpw.c +++ /dev/null @@ -1,689 +0,0 @@ -/* - Unix SMB/CIFS implementation. - krb5 set password implementation - Copyright (C) Andrew Tridgell 2001 - Copyright (C) Remus Koos 2001 (remuskoos@yahoo.com) - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. -*/ - -#include "includes.h" - -#ifdef HAVE_KRB5 - -#define DEFAULT_KPASSWD_PORT 464 -#define KRB5_KPASSWD_VERS_CHANGEPW 1 -#define KRB5_KPASSWD_VERS_SETPW 2 -#define KRB5_KPASSWD_VERS_SETPW_MS 0xff80 -#define KRB5_KPASSWD_ACCESSDENIED 5 -#define KRB5_KPASSWD_BAD_VERSION 6 -#define KRB5_KPASSWD_INITIAL_FLAG_NEEDED 7 - -/* Those are defined by kerberos-set-passwd-02.txt and are probably - * not supported by M$ implementation */ -#define KRB5_KPASSWD_POLICY_REJECT 8 -#define KRB5_KPASSWD_BAD_PRINCIPAL 9 -#define KRB5_KPASSWD_ETYPE_NOSUPP 10 - -/* This implements kerberos password change protocol as specified in - * kerb-chg-password-02.txt and kerberos-set-passwd-02.txt - * as well as microsoft version of the protocol - * as specified in kerberos-set-passwd-00.txt - */ -static DATA_BLOB encode_krb5_setpw(const char *principal, const char *password) -{ - char* princ_part1 = NULL; - char* princ_part2 = NULL; - char* realm = NULL; - char* c; - char* princ; - struct asn1_data req; - DATA_BLOB ret; - - - princ = strdup(principal); - - if ((c = strchr(princ, '/')) == NULL) { - c = princ; - } else { - *c = '\0'; - c++; - princ_part1 = princ; - } - - princ_part2 = c; - - if ((c = strchr(c, '@')) != NULL) { - *c = '\0'; - c++; - realm = c; - } - - memset(&req, 0, sizeof(req)); - - asn1_push_tag(&req, ASN1_SEQUENCE(0)); - asn1_push_tag(&req, ASN1_CONTEXT(0)); - asn1_write_OctetString(&req, password, strlen(password)); - asn1_pop_tag(&req); - - asn1_push_tag(&req, ASN1_CONTEXT(1)); - asn1_push_tag(&req, ASN1_SEQUENCE(0)); - - asn1_push_tag(&req, ASN1_CONTEXT(0)); - asn1_write_Integer(&req, 1); - asn1_pop_tag(&req); - - asn1_push_tag(&req, ASN1_CONTEXT(1)); - asn1_push_tag(&req, ASN1_SEQUENCE(0)); - - if (princ_part1) - asn1_write_GeneralString(&req, princ_part1); - - asn1_write_GeneralString(&req, princ_part2); - asn1_pop_tag(&req); - asn1_pop_tag(&req); - asn1_pop_tag(&req); - asn1_pop_tag(&req); - - asn1_push_tag(&req, ASN1_CONTEXT(2)); - asn1_write_GeneralString(&req, realm); - asn1_pop_tag(&req); - asn1_pop_tag(&req); - - ret = data_blob(req.data, req.length); - asn1_free(&req); - - free(princ); - - return ret; -} - -static krb5_error_code build_kpasswd_request(uint16_t pversion, - krb5_context context, - krb5_auth_context auth_context, - krb5_data *ap_req, - const char *princ, - const char *passwd, - krb5_data *packet) -{ - krb5_error_code ret; - krb5_data cipherpw; - krb5_data encoded_setpw; - krb5_replay_data replay; - char *p; - DATA_BLOB setpw; - - ret = krb5_auth_con_setflags(context, - auth_context,KRB5_AUTH_CONTEXT_DO_SEQUENCE); - if (ret) { - DEBUG(1,("krb5_auth_con_setflags failed (%s)\n", - error_message(ret))); - return ret; - } - - /* handle protocol differences in chpw and setpw */ - if (pversion == KRB5_KPASSWD_VERS_CHANGEPW) - setpw = data_blob(passwd, strlen(passwd)); - else if (pversion == KRB5_KPASSWD_VERS_SETPW || - pversion == KRB5_KPASSWD_VERS_SETPW_MS) - setpw = encode_krb5_setpw(princ, passwd); - else - return EINVAL; - - encoded_setpw.data = (char *)setpw.data; - encoded_setpw.length = setpw.length; - - ret = krb5_mk_priv(context, auth_context, - &encoded_setpw, &cipherpw, &replay); - - data_blob_free(&setpw); /*from 'encode_krb5_setpw(...)' */ - - if (ret) { - DEBUG(1,("krb5_mk_priv failed (%s)\n", error_message(ret))); - return ret; - } - - packet->data = (char *)malloc(ap_req->length + cipherpw.length + 6); - if (!packet->data) - return -1; - - /* see the RFC for details */ - p = ((char *)packet->data) + 2; - RSSVAL(p, 0, pversion); - p += 2; - RSSVAL(p, 0, ap_req->length); - p += 2; - memcpy(p, ap_req->data, ap_req->length); - p += ap_req->length; - memcpy(p, cipherpw.data, cipherpw.length); - p += cipherpw.length; - packet->length = PTR_DIFF(p,packet->data); - RSSVAL(packet->data, 0, packet->length); - - free(cipherpw.data); /* from 'krb5_mk_priv(...)' */ - - return 0; -} - -static const struct kpasswd_errors { - int result_code; - const char *error_string; -} kpasswd_errors[] = { - {KRB5_KPASSWD_MALFORMED, "Malformed request error"}, - {KRB5_KPASSWD_HARDERROR, "Server error"}, - {KRB5_KPASSWD_AUTHERROR, "Authentication error"}, - {KRB5_KPASSWD_SOFTERROR, "Password change rejected"}, - {KRB5_KPASSWD_ACCESSDENIED, "Client does not have proper authorization"}, - {KRB5_KPASSWD_BAD_VERSION, "Protocol version not supported"}, - {KRB5_KPASSWD_INITIAL_FLAG_NEEDED, "Authorization ticket must have initial flag set"}, - {KRB5_KPASSWD_POLICY_REJECT, "Password rejected due to policy requirements"}, - {KRB5_KPASSWD_BAD_PRINCIPAL, "Target principal does not exist"}, - {KRB5_KPASSWD_ETYPE_NOSUPP, "Unsupported encryption type"}, - {0, NULL} -}; - -static krb5_error_code setpw_result_code_string(krb5_context context, - int result_code, - const char **code_string) -{ - uint_t idx = 0; - - while (kpasswd_errors[idx].error_string != NULL) { - if (kpasswd_errors[idx].result_code == - result_code) { - *code_string = kpasswd_errors[idx].error_string; - return 0; - } - idx++; - } - *code_string = "Password change failed"; - return (0); -} - -static krb5_error_code parse_setpw_reply(krb5_context context, - krb5_auth_context auth_context, - krb5_data *packet) -{ - krb5_data ap_rep; - char *p; - int vnum, ret, res_code; - krb5_data cipherresult; - krb5_data clearresult; - krb5_ap_rep_enc_part *ap_rep_enc; - krb5_replay_data replay; - - if (packet->length < 4) { - return KRB5KRB_AP_ERR_MODIFIED; - } - - p = packet->data; - - if (((char *)packet->data)[0] == 0x7e || ((char *)packet->data)[0] == 0x5e) { - /* it's an error packet. We should parse it ... */ - DEBUG(1,("Got error packet 0x%x from kpasswd server\n", - ((char *)packet->data)[0])); - return KRB5KRB_AP_ERR_MODIFIED; - } - - if (RSVAL(p, 0) != packet->length) { - DEBUG(1,("Bad packet length (%d/%d) from kpasswd server\n", - RSVAL(p, 0), packet->length)); - return KRB5KRB_AP_ERR_MODIFIED; - } - - p += 2; - - vnum = RSVAL(p, 0); p += 2; - - /* FIXME: According to standard there is only one type of reply */ - if (vnum != KRB5_KPASSWD_VERS_SETPW && - vnum != KRB5_KPASSWD_VERS_SETPW_MS && - vnum != KRB5_KPASSWD_VERS_CHANGEPW) { - DEBUG(1,("Bad vnum (%d) from kpasswd server\n", vnum)); - return KRB5KDC_ERR_BAD_PVNO; - } - - ap_rep.length = RSVAL(p, 0); p += 2; - - if (p + ap_rep.length >= (char *)packet->data + packet->length) { - DEBUG(1,("ptr beyond end of packet from kpasswd server\n")); - return KRB5KRB_AP_ERR_MODIFIED; - } - - if (ap_rep.length == 0) { - DEBUG(1,("got unencrypted setpw result?!\n")); - return KRB5KRB_AP_ERR_MODIFIED; - } - - /* verify ap_rep */ - ap_rep.data = p; - p += ap_rep.length; - - ret = krb5_rd_rep(context, auth_context, &ap_rep, &ap_rep_enc); - if (ret) { - DEBUG(1,("failed to rd setpw reply (%s)\n", error_message(ret))); - return KRB5KRB_AP_ERR_MODIFIED; - } - - krb5_free_ap_rep_enc_part(context, ap_rep_enc); - - cipherresult.data = p; - cipherresult.length = ((char *)packet->data + packet->length) - p; - - ret = krb5_rd_priv(context, auth_context, &cipherresult, &clearresult, - &replay); - if (ret) { - DEBUG(1,("failed to decrypt setpw reply (%s)\n", error_message(ret))); - return KRB5KRB_AP_ERR_MODIFIED; - } - - if (clearresult.length < 2) { - free(clearresult.data); - ret = KRB5KRB_AP_ERR_MODIFIED; - return KRB5KRB_AP_ERR_MODIFIED; - } - - p = clearresult.data; - - res_code = RSVAL(p, 0); - - free(clearresult.data); - - if ((res_code < KRB5_KPASSWD_SUCCESS) || - (res_code > KRB5_KPASSWD_ETYPE_NOSUPP)) { - return KRB5KRB_AP_ERR_MODIFIED; - } - - if(res_code == KRB5_KPASSWD_SUCCESS) - return 0; - else { - const char *errstr; - setpw_result_code_string(context, res_code, &errstr); - DEBUG(1, ("Error changing password: %s\n", errstr)); - - switch(res_code) { - case KRB5_KPASSWD_ACCESSDENIED: - return KRB5KDC_ERR_BADOPTION; - break; - case KRB5_KPASSWD_INITIAL_FLAG_NEEDED: - return KRB5KDC_ERR_BADOPTION; - /* return KV5M_ALT_METHOD; MIT-only define */ - break; - case KRB5_KPASSWD_ETYPE_NOSUPP: - return KRB5KDC_ERR_ETYPE_NOSUPP; - break; - case KRB5_KPASSWD_BAD_PRINCIPAL: - return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; - break; - case KRB5_KPASSWD_POLICY_REJECT: - return KRB5KDC_ERR_POLICY; - break; - default: - return KRB5KRB_ERR_GENERIC; - break; - } - } -} - -static ADS_STATUS do_krb5_kpasswd_request(krb5_context context, - const char *kdc_host, - uint16_t pversion, - krb5_creds *credsp, - const char *princ, - const char *newpw) -{ - krb5_auth_context auth_context = NULL; - krb5_data ap_req, chpw_req, chpw_rep; - int ret, sock, addr_len; - struct sockaddr remote_addr, local_addr; - krb5_address local_kaddr, remote_kaddr; - - ret = krb5_mk_req_extended(context, &auth_context, AP_OPTS_USE_SUBKEY, - NULL, credsp, &ap_req); - if (ret) { - DEBUG(1,("krb5_mk_req_extended failed (%s)\n", error_message(ret))); - return ADS_ERROR_KRB5(ret); - } - - sock = open_udp_socket(kdc_host, DEFAULT_KPASSWD_PORT); - if (sock == -1) { - int rc = errno; - free(ap_req.data); - krb5_auth_con_free(context, auth_context); - DEBUG(1,("failed to open kpasswd socket to %s (%s)\n", - kdc_host, strerror(errno))); - return ADS_ERROR_SYSTEM(rc); - } - - addr_len = sizeof(remote_addr); - getpeername(sock, &remote_addr, &addr_len); - addr_len = sizeof(local_addr); - getsockname(sock, &local_addr, &addr_len); - - setup_kaddr(&remote_kaddr, &remote_addr); - setup_kaddr(&local_kaddr, &local_addr); - - ret = krb5_auth_con_setaddrs(context, auth_context, &local_kaddr, NULL); - if (ret) { - close(sock); - free(ap_req.data); - krb5_auth_con_free(context, auth_context); - DEBUG(1,("krb5_auth_con_setaddrs failed (%s)\n", error_message(ret))); - return ADS_ERROR_KRB5(ret); - } - - ret = build_kpasswd_request(pversion, context, auth_context, &ap_req, - princ, newpw, &chpw_req); - if (ret) { - close(sock); - free(ap_req.data); - krb5_auth_con_free(context, auth_context); - DEBUG(1,("build_setpw_request failed (%s)\n", error_message(ret))); - return ADS_ERROR_KRB5(ret); - } - - if (write(sock, chpw_req.data, chpw_req.length) != chpw_req.length) { - close(sock); - free(chpw_req.data); - free(ap_req.data); - krb5_auth_con_free(context, auth_context); - DEBUG(1,("send of chpw failed (%s)\n", strerror(errno))); - return ADS_ERROR_SYSTEM(errno); - } - - free(chpw_req.data); - - chpw_rep.length = 1500; - chpw_rep.data = (char *) malloc(chpw_rep.length); - if (!chpw_rep.data) { - close(sock); - free(ap_req.data); - krb5_auth_con_free(context, auth_context); - DEBUG(1,("send of chpw failed (%s)\n", strerror(errno))); - errno = ENOMEM; - return ADS_ERROR_SYSTEM(errno); - } - - ret = read(sock, chpw_rep.data, chpw_rep.length); - if (ret < 0) { - close(sock); - free(chpw_rep.data); - free(ap_req.data); - krb5_auth_con_free(context, auth_context); - DEBUG(1,("recv of chpw reply failed (%s)\n", strerror(errno))); - return ADS_ERROR_SYSTEM(errno); - } - - close(sock); - chpw_rep.length = ret; - - ret = krb5_auth_con_setaddrs(context, auth_context, NULL,&remote_kaddr); - if (ret) { - free(chpw_rep.data); - free(ap_req.data); - krb5_auth_con_free(context, auth_context); - DEBUG(1,("krb5_auth_con_setaddrs on reply failed (%s)\n", - error_message(ret))); - return ADS_ERROR_KRB5(ret); - } - - ret = parse_setpw_reply(context, auth_context, &chpw_rep); - free(chpw_rep.data); - - if (ret) { - free(ap_req.data); - krb5_auth_con_free(context, auth_context); - DEBUG(1,("parse_setpw_reply failed (%s)\n", - error_message(ret))); - return ADS_ERROR_KRB5(ret); - } - - free(ap_req.data); - krb5_auth_con_free(context, auth_context); - - return ADS_SUCCESS; -} - -ADS_STATUS ads_krb5_set_password(const char *kdc_host, const char *princ, - const char *newpw, int time_offset) -{ - - ADS_STATUS aret; - krb5_error_code ret; - krb5_context context; - krb5_principal principal; - char *princ_name; - char *realm; - krb5_creds creds, *credsp; - krb5_ccache ccache; - - ret = krb5_init_context(&context); - if (ret) { - DEBUG(1,("Failed to init krb5 context (%s)\n", error_message(ret))); - return ADS_ERROR_KRB5(ret); - } - - if (time_offset != 0) { - krb5_set_real_time(context, time(NULL) + time_offset, 0); - } - - ret = krb5_cc_default(context, &ccache); - if (ret) { - krb5_free_context(context); - DEBUG(1,("Failed to get default creds (%s)\n", error_message(ret))); - return ADS_ERROR_KRB5(ret); - } - - ZERO_STRUCT(creds); - - realm = strchr(princ, '@'); - realm++; - - asprintf(&princ_name, "kadmin/changepw@%s", realm); - ret = krb5_parse_name(context, princ_name, &creds.server); - if (ret) { - krb5_free_context(context); - DEBUG(1,("Failed to parse kadmin/changepw (%s)\n", error_message(ret))); - return ADS_ERROR_KRB5(ret); - } - free(princ_name); - - /* parse the principal we got as a function argument */ - ret = krb5_parse_name(context, princ, &principal); - if (ret) { - krb5_free_context(context); - DEBUG(1,("Failed to parse %s (%s)\n", princ_name, error_message(ret))); - return ADS_ERROR_KRB5(ret); - } - - krb5_princ_set_realm(context, creds.server, - krb5_princ_realm(context, principal)); - - ret = krb5_cc_get_principal(context, ccache, &creds.client); - if (ret) { - krb5_free_principal(context, principal); - krb5_free_context(context); - DEBUG(1,("Failed to get principal from ccache (%s)\n", - error_message(ret))); - return ADS_ERROR_KRB5(ret); - } - - ret = krb5_get_credentials(context, 0, ccache, &creds, &credsp); - if (ret) { - krb5_free_principal(context, creds.client); - krb5_free_principal(context, principal); - krb5_free_context(context); - DEBUG(1,("krb5_get_credentials failed (%s)\n", error_message(ret))); - return ADS_ERROR_KRB5(ret); - } - - /* we might have to call krb5_free_creds(...) from now on ... */ - - aret = do_krb5_kpasswd_request(context, kdc_host, - KRB5_KPASSWD_VERS_SETPW_MS, - credsp, princ, newpw); - - krb5_free_creds(context, credsp); - krb5_free_principal(context, creds.client); - krb5_free_principal(context, principal); - krb5_free_context(context); - - return aret; -} - -/* - we use a prompter to avoid a crash bug in the kerberos libs when - dealing with empty passwords - this prompter is just a string copy ... -*/ -static krb5_error_code -kerb_prompter(krb5_context ctx, void *data, - const char *name, - const char *banner, - int num_prompts, - krb5_prompt prompts[]) -{ - if (num_prompts == 0) return 0; - - memset(prompts[0].reply->data, 0, prompts[0].reply->length); - if (prompts[0].reply->length > 0) { - if (data) { - strncpy(prompts[0].reply->data, data, prompts[0].reply->length-1); - prompts[0].reply->length = strlen(prompts[0].reply->data); - } else { - prompts[0].reply->length = 0; - } - } - return 0; -} - -static ADS_STATUS ads_krb5_chg_password(const char *kdc_host, - const char *principal, - const char *oldpw, - const char *newpw, - int time_offset) -{ - ADS_STATUS aret; - krb5_error_code ret; - krb5_context context; - krb5_principal princ; - krb5_get_init_creds_opt opts; - krb5_creds creds; - char *chpw_princ = NULL, *password; - - ret = krb5_init_context(&context); - if (ret) { - DEBUG(1,("Failed to init krb5 context (%s)\n", error_message(ret))); - return ADS_ERROR_KRB5(ret); - } - - if ((ret = krb5_parse_name(context, principal, - &princ))) { - krb5_free_context(context); - DEBUG(1,("Failed to parse %s (%s)\n", principal, error_message(ret))); - return ADS_ERROR_KRB5(ret); - } - - krb5_get_init_creds_opt_init(&opts); - krb5_get_init_creds_opt_set_tkt_life(&opts, 5*60); - krb5_get_init_creds_opt_set_renew_life(&opts, 0); - krb5_get_init_creds_opt_set_forwardable(&opts, 0); - krb5_get_init_creds_opt_set_proxiable(&opts, 0); - - /* We have to obtain an INITIAL changepw ticket for changing password */ - asprintf(&chpw_princ, "kadmin/changepw@%s", - (char *) krb5_princ_realm(context, princ)); - password = strdup(oldpw); - ret = krb5_get_init_creds_password(context, &creds, princ, password, - kerb_prompter, NULL, - 0, chpw_princ, &opts); - SAFE_FREE(chpw_princ); - SAFE_FREE(password); - - if (ret) { - if (ret == KRB5KRB_AP_ERR_BAD_INTEGRITY) - DEBUG(1,("Password incorrect while getting initial ticket")); - else - DEBUG(1,("krb5_get_init_creds_password failed (%s)\n", error_message(ret))); - - krb5_free_principal(context, princ); - krb5_free_context(context); - return ADS_ERROR_KRB5(ret); - } - - aret = do_krb5_kpasswd_request(context, kdc_host, - KRB5_KPASSWD_VERS_CHANGEPW, - &creds, principal, newpw); - - krb5_free_principal(context, princ); - krb5_free_context(context); - - return aret; -} - - -ADS_STATUS kerberos_set_password(const char *kpasswd_server, - const char *auth_principal, const char *auth_password, - const char *target_principal, const char *new_password, - int time_offset) -{ - int ret; - - if ((ret = kerberos_kinit_password(auth_principal, auth_password, time_offset))) { - DEBUG(1,("Failed kinit for principal %s (%s)\n", auth_principal, error_message(ret))); - return ADS_ERROR_KRB5(ret); - } - - if (!strcmp(auth_principal, target_principal)) - return ads_krb5_chg_password(kpasswd_server, target_principal, - auth_password, new_password, time_offset); - else - return ads_krb5_set_password(kpasswd_server, target_principal, - new_password, time_offset); -} - - -/** - * Set the machine account password - * @param ads connection to ads server - * @param hostname machine whose password is being set - * @param password new password - * @return status of password change - **/ -ADS_STATUS ads_set_machine_password(ADS_STRUCT *ads, - const char *machine_account, - const char *password) -{ - ADS_STATUS status; - char *principal = NULL; - - /* - we need to use the '$' form of the name here (the machine account name), - as otherwise the server might end up setting the password for a user - instead - */ - asprintf(&principal, "%s@%s", machine_account, ads->config.realm); - - status = ads_krb5_set_password(ads->auth.kdc_server, principal, - password, ads->auth.time_offset); - - free(principal); - - return status; -} - - - -#endif diff --git a/source4/libads/ldap.c b/source4/libads/ldap.c deleted file mode 100644 index 642e31bb96..0000000000 --- a/source4/libads/ldap.c +++ /dev/null @@ -1,2140 +0,0 @@ -/* - Unix SMB/CIFS implementation. - ads (active directory) utility library - Copyright (C) Andrew Tridgell 2001 - Copyright (C) Remus Koos 2001 - Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. -*/ - -#include "includes.h" -#include "version.h" - -#ifdef HAVE_LDAP - -/** - * @file ldap.c - * @brief basic ldap client-side routines for ads server communications - * - * The routines contained here should do the necessary ldap calls for - * ads setups. - * - * Important note: attribute names passed into ads_ routines must - * already be in UTF-8 format. We do not convert them because in almost - * all cases, they are just ascii (which is represented with the same - * codepoints in UTF-8). This may have to change at some point - **/ - - -/* - try a connection to a given ldap server, returning True and setting the servers IP - in the ads struct if successful - - TODO : add a negative connection cache in here leveraged off of the one - found in the rpc code. --jerry - */ -static BOOL ads_try_connect(ADS_STRUCT *ads, const char *server, uint_t port) -{ - char *srv; - - if (!server || !*server) { - return False; - } - - DEBUG(5,("ads_try_connect: trying ldap server '%s' port %u\n", server, port)); - - /* this copes with inet_ntoa brokenness */ - srv = strdup(server); - - ads->ld = ldap_open(srv, port); - if (!ads->ld) { - free(srv); - return False; - } - ads->ldap_port = port; - ads->ldap_ip = interpret_addr2(srv); - free(srv); - - return True; -} - -/* - try a connection to a given ldap server, based on URL, returning True if successful - */ -static BOOL ads_try_connect_uri(ADS_STRUCT *ads) -{ -#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000) - DEBUG(5,("ads_try_connect: trying ldap server at URI '%s'\n", - ads->server.ldap_uri)); - - - if (ldap_initialize((LDAP**)&(ads->ld), ads->server.ldap_uri) == LDAP_SUCCESS) { - return True; - } - DEBUG(0, ("ldap_initialize: %s\n", strerror(errno))); - -#else - - DEBUG(1, ("no URL support in LDAP libs!\n")); -#endif - - return False; -} - -/********************************************************************** - Try to find an AD dc using our internal name resolution routines - Try the realm first and then then workgroup name if netbios is not - disabled -**********************************************************************/ - -static BOOL ads_find_dc(ADS_STRUCT *ads) -{ - const char *c_realm; - int count, i=0; - struct ip_service *ip_list; - pstring realm; - BOOL got_realm = False; - BOOL use_own_domain = False; - - /* if the realm and workgroup are both empty, assume they are ours */ - - /* realm */ - c_realm = ads->server.realm; - - if ( !c_realm || !*c_realm ) { - /* special case where no realm and no workgroup means our own */ - if ( !ads->server.workgroup || !*ads->server.workgroup ) { - use_own_domain = True; - c_realm = lp_realm(); - } - } - - if (c_realm && *c_realm) - got_realm = True; - -again: - /* we need to try once with the realm name and fallback to the - netbios domain name if we fail (if netbios has not been disabled */ - - if ( !got_realm && !lp_disable_netbios() ) { - c_realm = ads->server.workgroup; - if (!c_realm || !*c_realm) { - if ( use_own_domain ) - c_realm = lp_workgroup(); - } - - if ( !c_realm || !*c_realm ) { - DEBUG(0,("ads_find_dc: no realm or workgroup! Don't know what to do\n")); - return False; - } - } - - pstrcpy( realm, c_realm ); - - DEBUG(6,("ads_find_dc: looking for %s '%s'\n", - (got_realm ? "realm" : "domain"), realm)); - - if ( !get_sorted_dc_list(realm, &ip_list, &count, got_realm) ) { - /* fall back to netbios if we can */ - if ( got_realm && !lp_disable_netbios() ) { - got_realm = False; - goto again; - } - - return False; - } - - /* if we fail this loop, then giveup since all the IP addresses returned were dead */ - for ( i=0; i<count; i++ ) { - /* since this is an ads conection request, default to LDAP_PORT is not set */ - int port = (ip_list[i].port!=PORT_NONE) ? ip_list[i].port : LDAP_PORT; - fstring server; - - fstrcpy( server, inet_ntoa(ip_list[i].ip) ); - - if ( !NT_STATUS_IS_OK(check_negative_conn_cache(realm, server)) ) - continue; - - if ( ads_try_connect(ads, server, port) ) { - SAFE_FREE(ip_list); - return True; - } - - /* keep track of failures */ - add_failed_connection_entry( realm, server, NT_STATUS_UNSUCCESSFUL ); - } - - SAFE_FREE(ip_list); - - return False; -} - - -/** - * Connect to the LDAP server - * @param ads Pointer to an existing ADS_STRUCT - * @return status of connection - **/ -ADS_STATUS ads_connect(ADS_STRUCT *ads) -{ - int version = LDAP_VERSION3; - ADS_STATUS status; - - ads->last_attempt = time(NULL); - ads->ld = NULL; - - /* try with a URL based server */ - - if (ads->server.ldap_uri && - ads_try_connect_uri(ads)) { - goto got_connection; - } - - /* try with a user specified server */ - if (ads->server.ldap_server && - ads_try_connect(ads, ads->server.ldap_server, LDAP_PORT)) { - goto got_connection; - } - - if (ads_find_dc(ads)) { - goto got_connection; - } - - return ADS_ERROR_SYSTEM(errno?errno:ENOENT); - -got_connection: - DEBUG(3,("Connected to LDAP server %s\n", inet_ntoa(ads->ldap_ip))); - - status = ads_server_info(ads); - if (!ADS_ERR_OK(status)) { - DEBUG(1,("Failed to get ldap server info\n")); - return status; - } - - ldap_set_option(ads->ld, LDAP_OPT_PROTOCOL_VERSION, &version); - - if (!ads->auth.user_name) { - /* by default use the machine account */ - fstring myname; - fstrcpy(myname, lp_netbios_name()); - strlower_m(myname); - asprintf(&ads->auth.user_name, "HOST/%s", myname); - } - - if (!ads->auth.realm) { - ads->auth.realm = strdup(ads->config.realm); - } - - if (!ads->auth.kdc_server) { - ads->auth.kdc_server = strdup(inet_ntoa(ads->ldap_ip)); - } - -#if KRB5_DNS_HACK - /* this is a really nasty hack to avoid ADS DNS problems. It needs a patch - to MIT kerberos to work (tridge) */ - { - char *env; - asprintf(&env, "KRB5_KDC_ADDRESS_%s", ads->config.realm); - setenv(env, ads->auth.kdc_server, 1); - free(env); - } -#endif - - if (ads->auth.flags & ADS_AUTH_NO_BIND) { - return ADS_SUCCESS; - } - - if (ads->auth.flags & ADS_AUTH_ANON_BIND) { - return ADS_ERROR(ldap_simple_bind_s( ads->ld, NULL, NULL)); - } - - if (ads->auth.flags & ADS_AUTH_SIMPLE_BIND) { - return ADS_ERROR(ldap_simple_bind_s( ads->ld, ads->auth.user_name, ads->auth.password)); - } - - return ads_sasl_bind(ads); -} - -/* - Duplicate a struct berval into talloc'ed memory - */ -static struct berval *dup_berval(TALLOC_CTX *ctx, const struct berval *in_val) -{ - struct berval *value; - - if (!in_val) return NULL; - - value = talloc_zero(ctx, struct berval); - if (value == NULL) - return NULL; - if (in_val->bv_len == 0) return value; - - value->bv_len = in_val->bv_len; - value->bv_val = talloc_memdup(ctx, in_val->bv_val, in_val->bv_len); - return value; -} - -/* - Make a values list out of an array of (struct berval *) - */ -static struct berval **ads_dup_values(TALLOC_CTX *ctx, - const struct berval **in_vals) -{ - struct berval **values; - int i; - - if (!in_vals) return NULL; - for (i=0; in_vals[i]; i++); /* count values */ - values = (struct berval **) talloc_zero(ctx, - (i+1)*sizeof(struct berval *)); - if (!values) return NULL; - - for (i=0; in_vals[i]; i++) { - values[i] = dup_berval(ctx, in_vals[i]); - } - return values; -} - -/* - UTF8-encode a values list out of an array of (char *) - */ -static char **ads_push_strvals(TALLOC_CTX *ctx, const char **in_vals) -{ - char **values; - int i; - - if (!in_vals) return NULL; - for (i=0; in_vals[i]; i++); /* count values */ - values = talloc_zero_array_p(ctx, char *, i+1); - if (!values) return NULL; - - for (i=0; in_vals[i]; i++) { - push_utf8_talloc(ctx, &values[i], in_vals[i]); - } - return values; -} - -/* - Pull a (char *) array out of a UTF8-encoded values list - */ -static char **ads_pull_strvals(TALLOC_CTX *ctx, const char **in_vals) -{ - char **values; - int i; - - if (!in_vals) return NULL; - for (i=0; in_vals[i]; i++); /* count values */ - values = talloc_zero_array_p(ctx, char *, i+1); - if (!values) return NULL; - - for (i=0; in_vals[i]; i++) { - pull_utf8_talloc(ctx, &values[i], in_vals[i]); - } - return values; -} - -/** - * Do a search with paged results. cookie must be null on the first - * call, and then returned on each subsequent call. It will be null - * again when the entire search is complete - * @param ads connection to ads server - * @param bind_path Base dn for the search - * @param scope Scope of search (LDAP_SCOPE_BASE | LDAP_SCOPE_ONE | LDAP_SCOPE_SUBTREE) - * @param expr Search expression - specified in local charset - * @param attrs Attributes to retrieve - specified in utf8 or ascii - * @param res ** which will contain results - free res* with ads_msgfree() - * @param count Number of entries retrieved on this page - * @param cookie The paged results cookie to be returned on subsequent calls - * @return status of search - **/ -ADS_STATUS ads_do_paged_search(ADS_STRUCT *ads, const char *bind_path, - int scope, const char *expr, - const char **attrs, void **res, - int *count, void **cookie) -{ - int rc, i, version; - char *utf8_expr, *utf8_path, **search_attrs; - LDAPControl PagedResults, NoReferrals, *controls[3], **rcontrols; - BerElement *cookie_be = NULL; - struct berval *cookie_bv= NULL; - TALLOC_CTX *ctx; - - *res = NULL; - - if (!(ctx = talloc_init("ads_do_paged_search"))) - return ADS_ERROR(LDAP_NO_MEMORY); - - /* 0 means the conversion worked but the result was empty - so we only fail if it's -1. In any case, it always - at least nulls out the dest */ - if ((push_utf8_talloc(ctx, &utf8_expr, expr) == (size_t)-1) || - (push_utf8_talloc(ctx, &utf8_path, bind_path) == (size_t)-1)) { - rc = LDAP_NO_MEMORY; - goto done; - } - - if (!attrs || !(*attrs)) - search_attrs = NULL; - else { - /* This would be the utf8-encoded version...*/ - /* if (!(search_attrs = ads_push_strvals(ctx, attrs))) */ - search_attrs = str_list_copy(ctx, attrs); - if (search_attrs == NULL) { - rc = LDAP_NO_MEMORY; - goto done; - } - } - - - /* Paged results only available on ldap v3 or later */ - ldap_get_option(ads->ld, LDAP_OPT_PROTOCOL_VERSION, &version); - if (version < LDAP_VERSION3) { - rc = LDAP_NOT_SUPPORTED; - goto done; - } - - cookie_be = ber_alloc_t(LBER_USE_DER); - if (cookie && *cookie) { - ber_printf(cookie_be, "{iO}", (ber_int_t) 1000, *cookie); - ber_bvfree(*cookie); /* don't need it from last time */ - *cookie = NULL; - } else { - ber_printf(cookie_be, "{io}", (ber_int_t) 1000, "", 0); - } - ber_flatten(cookie_be, &cookie_bv); - PagedResults.ldctl_oid = ADS_PAGE_CTL_OID; - PagedResults.ldctl_iscritical = (char) 1; - PagedResults.ldctl_value.bv_len = cookie_bv->bv_len; - PagedResults.ldctl_value.bv_val = cookie_bv->bv_val; - - NoReferrals.ldctl_oid = ADS_NO_REFERRALS_OID; - NoReferrals.ldctl_iscritical = (char) 0; - NoReferrals.ldctl_value.bv_len = 0; - NoReferrals.ldctl_value.bv_val = ""; - - - controls[0] = &NoReferrals; - controls[1] = &PagedResults; - controls[2] = NULL; - - *res = NULL; - - /* we need to disable referrals as the openldap libs don't - handle them and paged results at the same time. Using them - together results in the result record containing the server - page control being removed from the result list (tridge/jmcd) - - leaving this in despite the control that says don't generate - referrals, in case the server doesn't support it (jmcd) - */ - ldap_set_option(ads->ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF); - - rc = ldap_search_ext_s(ads->ld, utf8_path, scope, utf8_expr, - search_attrs, 0, controls, - NULL, NULL, LDAP_NO_LIMIT, (LDAPMessage **)res); - - ber_free(cookie_be, 1); - ber_bvfree(cookie_bv); - - if (rc) { - DEBUG(3,("ldap_search_ext_s(%s) -> %s\n", expr, ldap_err2string(rc))); - goto done; - } - - rc = ldap_parse_result(ads->ld, *res, NULL, NULL, NULL, - NULL, &rcontrols, 0); - - if (!rcontrols) { - goto done; - } - - for (i=0; rcontrols[i]; i++) { - if (strcmp(ADS_PAGE_CTL_OID, rcontrols[i]->ldctl_oid) == 0) { - cookie_be = ber_init(&rcontrols[i]->ldctl_value); - ber_scanf(cookie_be,"{iO}", (ber_int_t *) count, - &cookie_bv); - /* the berval is the cookie, but must be freed when - it is all done */ - if (cookie_bv->bv_len) /* still more to do */ - *cookie=ber_bvdup(cookie_bv); - else - *cookie=NULL; - ber_bvfree(cookie_bv); - ber_free(cookie_be, 1); - break; - } - } - ldap_controls_free(rcontrols); - -done: - talloc_free(ctx); - /* if/when we decide to utf8-encode attrs, take out this next line */ - str_list_free(&search_attrs); - - return ADS_ERROR(rc); -} - - -/** - * Get all results for a search. This uses ads_do_paged_search() to return - * all entries in a large search. - * @param ads connection to ads server - * @param bind_path Base dn for the search - * @param scope Scope of search (LDAP_SCOPE_BASE | LDAP_SCOPE_ONE | LDAP_SCOPE_SUBTREE) - * @param expr Search expression - * @param attrs Attributes to retrieve - * @param res ** which will contain results - free res* with ads_msgfree() - * @return status of search - **/ -ADS_STATUS ads_do_search_all(ADS_STRUCT *ads, const char *bind_path, - int scope, const char *expr, - const char **attrs, void **res) -{ - void *cookie = NULL; - int count = 0; - ADS_STATUS status; - - status = ads_do_paged_search(ads, bind_path, scope, expr, attrs, res, - &count, &cookie); - - if (!ADS_ERR_OK(status)) return status; - - while (cookie) { - void *res2 = NULL; - ADS_STATUS status2; - LDAPMessage *msg, *next; - - status2 = ads_do_paged_search(ads, bind_path, scope, expr, - attrs, &res2, &count, &cookie); - - if (!ADS_ERR_OK(status2)) break; - - /* this relies on the way that ldap_add_result_entry() works internally. I hope - that this works on all ldap libs, but I have only tested with openldap */ - for (msg = ads_first_entry(ads, res2); msg; msg = next) { - next = ads_next_entry(ads, msg); - ldap_add_result_entry((LDAPMessage **)res, msg); - } - /* note that we do not free res2, as the memory is now - part of the main returned list */ - } - - return status; -} - -/** - * Run a function on all results for a search. Uses ads_do_paged_search() and - * runs the function as each page is returned, using ads_process_results() - * @param ads connection to ads server - * @param bind_path Base dn for the search - * @param scope Scope of search (LDAP_SCOPE_BASE | LDAP_SCOPE_ONE | LDAP_SCOPE_SUBTREE) - * @param expr Search expression - specified in local charset - * @param attrs Attributes to retrieve - specified in UTF-8 or ascii - * @param fn Function which takes attr name, values list, and data_area - * @param data_area Pointer which is passed to function on each call - * @return status of search - **/ -ADS_STATUS ads_do_search_all_fn(ADS_STRUCT *ads, const char *bind_path, - int scope, const char *expr, const char **attrs, - BOOL(*fn)(char *, void **, void *), - void *data_area) -{ - void *cookie = NULL; - int count = 0; - ADS_STATUS status; - void *res; - - status = ads_do_paged_search(ads, bind_path, scope, expr, attrs, &res, - &count, &cookie); - - if (!ADS_ERR_OK(status)) return status; - - ads_process_results(ads, res, fn, data_area); - ads_msgfree(ads, res); - - while (cookie) { - status = ads_do_paged_search(ads, bind_path, scope, expr, attrs, - &res, &count, &cookie); - - if (!ADS_ERR_OK(status)) break; - - ads_process_results(ads, res, fn, data_area); - ads_msgfree(ads, res); - } - - return status; -} - -/** - * Do a search with a timeout. - * @param ads connection to ads server - * @param bind_path Base dn for the search - * @param scope Scope of search (LDAP_SCOPE_BASE | LDAP_SCOPE_ONE | LDAP_SCOPE_SUBTREE) - * @param expr Search expression - * @param attrs Attributes to retrieve - * @param res ** which will contain results - free res* with ads_msgfree() - * @return status of search - **/ -ADS_STATUS ads_do_search(ADS_STRUCT *ads, const char *bind_path, int scope, - const char *expr, - const char **attrs, void **res) -{ - struct timeval timeout; - int rc; - char *utf8_expr, *utf8_path, **search_attrs = NULL; - TALLOC_CTX *ctx; - - if (!(ctx = talloc_init("ads_do_search"))) { - DEBUG(1,("ads_do_search: talloc_init() failed!")); - return ADS_ERROR(LDAP_NO_MEMORY); - } - - /* 0 means the conversion worked but the result was empty - so we only fail if it's negative. In any case, it always - at least nulls out the dest */ - if ((push_utf8_talloc(ctx, &utf8_expr, expr) == (size_t)-1) || - (push_utf8_talloc(ctx, &utf8_path, bind_path) == (size_t)-1)) { - DEBUG(1,("ads_do_search: push_utf8_talloc() failed!")); - rc = LDAP_NO_MEMORY; - goto done; - } - - if (!attrs || !(*attrs)) - search_attrs = NULL; - else { - /* This would be the utf8-encoded version...*/ - /* if (!(search_attrs = ads_push_strvals(ctx, attrs))) */ - search_attrs = str_list_copy(ctx, attrs); - if (search_attrs == NULL) { - DEBUG(1,("ads_do_search: str_list_copy() failed!")); - rc = LDAP_NO_MEMORY; - goto done; - } - } - - timeout.tv_sec = ADS_SEARCH_TIMEOUT; - timeout.tv_usec = 0; - *res = NULL; - - /* see the note in ads_do_paged_search - we *must* disable referrals */ - ldap_set_option(ads->ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF); - - rc = ldap_search_ext_s(ads->ld, utf8_path, scope, utf8_expr, - search_attrs, 0, NULL, NULL, - &timeout, LDAP_NO_LIMIT, (LDAPMessage **)res); - - if (rc == LDAP_SIZELIMIT_EXCEEDED) { - DEBUG(3,("Warning! sizelimit exceeded in ldap. Truncating.\n")); - rc = 0; - } - - done: - talloc_free(ctx); - /* if/when we decide to utf8-encode attrs, take out this next line */ - str_list_free(&search_attrs); - return ADS_ERROR(rc); -} -/** - * Do a general ADS search - * @param ads connection to ads server - * @param res ** which will contain results - free res* with ads_msgfree() - * @param expr Search expression - * @param attrs Attributes to retrieve - * @return status of search - **/ -ADS_STATUS ads_search(ADS_STRUCT *ads, void **res, - const char *expr, - const char **attrs) -{ - return ads_do_search(ads, ads->config.bind_path, LDAP_SCOPE_SUBTREE, - expr, attrs, res); -} - -/** - * Do a search on a specific DistinguishedName - * @param ads connection to ads server - * @param res ** which will contain results - free res* with ads_msgfree() - * @param dn DistinguishName to search - * @param attrs Attributes to retrieve - * @return status of search - **/ -ADS_STATUS ads_search_dn(ADS_STRUCT *ads, void **res, - const char *dn, - const char **attrs) -{ - return ads_do_search(ads, dn, LDAP_SCOPE_BASE, "(objectclass=*)", attrs, res); -} - -/** - * Free up memory from a ads_search - * @param ads connection to ads server - * @param msg Search results to free - **/ -void ads_msgfree(ADS_STRUCT *ads, void *msg) -{ - if (!msg) return; - ldap_msgfree(msg); -} - -/** - * Free up memory from various ads requests - * @param ads connection to ads server - * @param mem Area to free - **/ -void ads_memfree(ADS_STRUCT *ads, void *mem) -{ - SAFE_FREE(mem); -} - -/** - * Get a dn from search results - * @param ads connection to ads server - * @param msg Search result - * @return dn string - **/ -char *ads_get_dn(ADS_STRUCT *ads, void *msg) -{ - char *utf8_dn, *unix_dn; - - utf8_dn = ldap_get_dn(ads->ld, msg); - - if (!utf8_dn) { - DEBUG (5, ("ads_get_dn: ldap_get_dn failed\n")); - return NULL; - } - - if (pull_utf8_allocate(&unix_dn, utf8_dn) == (size_t)-1) { - DEBUG(0,("ads_get_dn: string conversion failure utf8 [%s]\n", - utf8_dn )); - return NULL; - } - ldap_memfree(utf8_dn); - return unix_dn; -} - -/** - * Find a machine account given a hostname - * @param ads connection to ads server - * @param res ** which will contain results - free res* with ads_msgfree() - * @param host Hostname to search for - * @return status of search - **/ -ADS_STATUS ads_find_machine_acct(ADS_STRUCT *ads, void **res, const char *host) -{ - ADS_STATUS status; - char *expr; - const char *attrs[] = {"*", "nTSecurityDescriptor", NULL}; - - /* the easiest way to find a machine account anywhere in the tree - is to look for hostname$ */ - if (asprintf(&expr, "(samAccountName=%s$)", host) == -1) { - DEBUG(1, ("asprintf failed!\n")); - return ADS_ERROR_NT(NT_STATUS_NO_MEMORY); - } - - status = ads_search(ads, res, expr, attrs); - free(expr); - return status; -} - -/** - * Initialize a list of mods to be used in a modify request - * @param ctx An initialized TALLOC_CTX - * @return allocated ADS_MODLIST - **/ -ADS_MODLIST ads_init_mods(TALLOC_CTX *ctx) -{ -#define ADS_MODLIST_ALLOC_SIZE 10 - LDAPMod **mods; - - if ((mods = talloc_zero_array_p(ctx, LDAPMod *, ADS_MODLIST_ALLOC_SIZE + 1))) { - /* -1 is safety to make sure we don't go over the end. - need to reset it to NULL before doing ldap modify */ - mods[ADS_MODLIST_ALLOC_SIZE] = (LDAPMod *) -1; - } - - return mods; -} - - -/* - add an attribute to the list, with values list already constructed -*/ -static ADS_STATUS ads_modlist_add(TALLOC_CTX *ctx, ADS_MODLIST *mods, - int mod_op, const char *name, - const void **invals) -{ - int curmod; - LDAPMod **modlist = (LDAPMod **) *mods; - struct berval **ber_values = NULL; - char **char_values = NULL; - - if (!invals) { - mod_op = LDAP_MOD_DELETE; - } else { - if (mod_op & LDAP_MOD_BVALUES) - ber_values = ads_dup_values(ctx, - (const struct berval **)invals); - else - char_values = ads_push_strvals(ctx, - (const char **) invals); - } - - /* find the first empty slot */ - for (curmod=0; modlist[curmod] && modlist[curmod] != (LDAPMod *) -1; - curmod++); - if (modlist[curmod] == (LDAPMod *) -1) { - if (!(modlist = talloc_realloc(modlist, - (curmod+ADS_MODLIST_ALLOC_SIZE+1)*sizeof(LDAPMod *)))) - return ADS_ERROR(LDAP_NO_MEMORY); - memset(&modlist[curmod], 0, - ADS_MODLIST_ALLOC_SIZE*sizeof(LDAPMod *)); - modlist[curmod+ADS_MODLIST_ALLOC_SIZE] = (LDAPMod *) -1; - *mods = modlist; - } - - if (!(modlist[curmod] = talloc_zero(ctx, LDAPMod))) - return ADS_ERROR(LDAP_NO_MEMORY); - modlist[curmod]->mod_type = talloc_strdup(ctx, name); - if (mod_op & LDAP_MOD_BVALUES) { - modlist[curmod]->mod_bvalues = ber_values; - } else if (mod_op & LDAP_MOD_DELETE) { - modlist[curmod]->mod_values = NULL; - } else { - modlist[curmod]->mod_values = char_values; - } - - modlist[curmod]->mod_op = mod_op; - return ADS_ERROR(LDAP_SUCCESS); -} - -/** - * Add a single string value to a mod list - * @param ctx An initialized TALLOC_CTX - * @param mods An initialized ADS_MODLIST - * @param name The attribute name to add - * @param val The value to add - NULL means DELETE - * @return ADS STATUS indicating success of add - **/ -ADS_STATUS ads_mod_str(TALLOC_CTX *ctx, ADS_MODLIST *mods, - const char *name, const char *val) -{ - const char *values[2]; - - values[0] = val; - values[1] = NULL; - - if (!val) - return ads_modlist_add(ctx, mods, LDAP_MOD_DELETE, name, NULL); - return ads_modlist_add(ctx, mods, LDAP_MOD_REPLACE, name, - (const void **) values); -} - -/** - * Add an array of string values to a mod list - * @param ctx An initialized TALLOC_CTX - * @param mods An initialized ADS_MODLIST - * @param name The attribute name to add - * @param vals The array of string values to add - NULL means DELETE - * @return ADS STATUS indicating success of add - **/ -ADS_STATUS ads_mod_strlist(TALLOC_CTX *ctx, ADS_MODLIST *mods, - const char *name, const char **vals) -{ - if (!vals) - return ads_modlist_add(ctx, mods, LDAP_MOD_DELETE, name, NULL); - return ads_modlist_add(ctx, mods, LDAP_MOD_REPLACE, - name, (const void **) vals); -} - -/** - * Add a single ber-encoded value to a mod list - * @param ctx An initialized TALLOC_CTX - * @param mods An initialized ADS_MODLIST - * @param name The attribute name to add - * @param val The value to add - NULL means DELETE - * @return ADS STATUS indicating success of add - **/ -static ADS_STATUS ads_mod_ber(TALLOC_CTX *ctx, ADS_MODLIST *mods, - const char *name, const struct berval *val) -{ - const struct berval *values[2]; - - values[0] = val; - values[1] = NULL; - if (!val) - return ads_modlist_add(ctx, mods, LDAP_MOD_DELETE, name, NULL); - return ads_modlist_add(ctx, mods, LDAP_MOD_REPLACE|LDAP_MOD_BVALUES, - name, (const void **) values); -} - -/** - * Perform an ldap modify - * @param ads connection to ads server - * @param mod_dn DistinguishedName to modify - * @param mods list of modifications to perform - * @return status of modify - **/ -ADS_STATUS ads_gen_mod(ADS_STRUCT *ads, const char *mod_dn, ADS_MODLIST mods) -{ - int ret,i; - char *utf8_dn = NULL; - /* - this control is needed to modify that contains a currently - non-existent attribute (but allowable for the object) to run - */ - LDAPControl PermitModify = { - ADS_PERMIT_MODIFY_OID, - {0, NULL}, - (char) 1}; - LDAPControl *controls[2]; - - controls[0] = &PermitModify; - controls[1] = NULL; - - if (push_utf8_allocate(&utf8_dn, mod_dn) == -1) { - return ADS_ERROR_NT(NT_STATUS_NO_MEMORY); - } - - /* find the end of the list, marked by NULL or -1 */ - for(i=0;(mods[i]!=0)&&(mods[i]!=(LDAPMod *) -1);i++); - /* make sure the end of the list is NULL */ - mods[i] = NULL; - ret = ldap_modify_ext_s(ads->ld, utf8_dn, - (LDAPMod **) mods, controls, NULL); - SAFE_FREE(utf8_dn); - return ADS_ERROR(ret); -} - -/** - * Perform an ldap add - * @param ads connection to ads server - * @param new_dn DistinguishedName to add - * @param mods list of attributes and values for DN - * @return status of add - **/ -ADS_STATUS ads_gen_add(ADS_STRUCT *ads, const char *new_dn, ADS_MODLIST mods) -{ - int ret, i; - char *utf8_dn = NULL; - - if (push_utf8_allocate(&utf8_dn, new_dn) == -1) { - DEBUG(1, ("ads_gen_add: push_utf8_allocate failed!")); - return ADS_ERROR_NT(NT_STATUS_NO_MEMORY); - } - - /* find the end of the list, marked by NULL or -1 */ - for(i=0;(mods[i]!=0)&&(mods[i]!=(LDAPMod *) -1);i++); - /* make sure the end of the list is NULL */ - mods[i] = NULL; - - ret = ldap_add_s(ads->ld, utf8_dn, mods); - SAFE_FREE(utf8_dn); - return ADS_ERROR(ret); -} - -/** - * Delete a DistinguishedName - * @param ads connection to ads server - * @param new_dn DistinguishedName to delete - * @return status of delete - **/ -ADS_STATUS ads_del_dn(ADS_STRUCT *ads, char *del_dn) -{ - int ret; - char *utf8_dn = NULL; - if (push_utf8_allocate(&utf8_dn, del_dn) == -1) { - DEBUG(1, ("ads_del_dn: push_utf8_allocate failed!")); - return ADS_ERROR_NT(NT_STATUS_NO_MEMORY); - } - - ret = ldap_delete_s(ads->ld, utf8_dn); - return ADS_ERROR(ret); -} - -/** - * Build an org unit string - * if org unit is Computers or blank then assume a container, otherwise - * assume a \ separated list of organisational units - * @param org_unit Organizational unit - * @return org unit string - caller must free - **/ -char *ads_ou_string(const char *org_unit) -{ - if (!org_unit || !*org_unit || strequal(org_unit, "Computers")) { - return strdup("cn=Computers"); - } - - return ads_build_path(org_unit, "\\/", "ou=", 1); -} - - - -/* - add a machine account to the ADS server -*/ -static ADS_STATUS ads_add_machine_acct(ADS_STRUCT *ads, const char *hostname, - uint32_t account_type, - const char *org_unit) -{ - ADS_STATUS ret, status; - char *host_spn, *host_upn, *new_dn, *samAccountName, *controlstr; - char *ou_str; - TALLOC_CTX *ctx; - ADS_MODLIST mods; - const char *objectClass[] = {"top", "person", "organizationalPerson", - "user", "computer", NULL}; - const char *servicePrincipalName[5] = {NULL, NULL, NULL, NULL, NULL}; - char *psp, *psp2; - uint_t acct_control; - uint_t exists=0; - LDAPMessage *res; - - status = ads_find_machine_acct(ads, (void **)&res, hostname); - if (ADS_ERR_OK(status) && ads_count_replies(ads, res) == 1) { - DEBUG(0, ("Host account for %s already exists - modifying old account\n", hostname)); - exists=1; - } - - if (!(ctx = talloc_init("machine_account"))) - return ADS_ERROR(LDAP_NO_MEMORY); - - ret = ADS_ERROR(LDAP_NO_MEMORY); - - if (!(host_spn = talloc_asprintf(ctx, "HOST/%s", hostname))) - goto done; - if (!(host_upn = talloc_asprintf(ctx, "%s@%s", host_spn, ads->config.realm))) - goto done; - ou_str = ads_ou_string(org_unit); - if (!ou_str) { - DEBUG(1, ("ads_ou_string returned NULL (malloc failure?)\n")); - goto done; - } - new_dn = talloc_asprintf(ctx, "cn=%s,%s,%s", hostname, ou_str, - ads->config.bind_path); - servicePrincipalName[0] = talloc_asprintf(ctx, "HOST/%s", hostname); - psp = talloc_asprintf(ctx, "HOST/%s.%s", - hostname, - ads->config.realm); - strlower_m(&psp[5]); - servicePrincipalName[1] = psp; - servicePrincipalName[2] = talloc_asprintf(ctx, "CIFS/%s", hostname); - psp2 = talloc_asprintf(ctx, "CIFS/%s.%s", - hostname, - ads->config.realm); - strlower_m(&psp2[5]); - servicePrincipalName[3] = psp2; - - free(ou_str); - if (!new_dn) - goto done; - - if (!(samAccountName = talloc_asprintf(ctx, "%s$", hostname))) - goto done; - - acct_control = account_type | UF_DONT_EXPIRE_PASSWD; -#ifndef ENCTYPE_ARCFOUR_HMAC - acct_control |= UF_USE_DES_KEY_ONLY; -#endif - - if (!(controlstr = talloc_asprintf(ctx, "%u", acct_control))) - goto done; - - if (!(mods = ads_init_mods(ctx))) - goto done; - - if (!exists) { - ads_mod_str(ctx, &mods, "cn", hostname); - ads_mod_str(ctx, &mods, "sAMAccountName", samAccountName); - ads_mod_str(ctx, &mods, "userAccountControl", controlstr); - ads_mod_strlist(ctx, &mods, "objectClass", objectClass); - } - ads_mod_str(ctx, &mods, "dNSHostName", hostname); - ads_mod_str(ctx, &mods, "userPrincipalName", host_upn); - ads_mod_strlist(ctx, &mods, "servicePrincipalName", servicePrincipalName); - ads_mod_str(ctx, &mods, "operatingSystem", "Samba"); - ads_mod_str(ctx, &mods, "operatingSystemVersion", SAMBA_VERSION_STRING); - - if (!exists) - ret = ads_gen_add(ads, new_dn, mods); - else - ret = ads_gen_mod(ads, new_dn, mods); - - if (!ADS_ERR_OK(ret)) - goto done; - - /* Do not fail if we can't set security descriptor - * it shouldn't be mandatory and probably we just - * don't have enough rights to do it. - */ - if (!exists) { - status = ads_set_machine_sd(ads, hostname, new_dn); - - if (!ADS_ERR_OK(status)) { - DEBUG(0, ("Warning: ads_set_machine_sd: %s\n", - ads_errstr(status))); - } - } -done: - talloc_free(ctx); - return ret; -} - -/* - dump a binary result from ldap -*/ -static void dump_binary(const char *field, struct berval **values) -{ - int i, j; - for (i=0; values[i]; i++) { - printf("%s: ", field); - for (j=0; j<values[i]->bv_len; j++) { - printf("%02X", (uint8_t)values[i]->bv_val[j]); - } - printf("\n"); - } -} - -struct uuid { - uint32_t i1; - uint16_t i2; - uint16_t i3; - uint8_t s[8]; -}; - -static void dump_guid(const char *field, struct berval **values) -{ - int i; - GUID guid; - for (i=0; values[i]; i++) { - memcpy(guid.info, values[i]->bv_val, sizeof(guid.info)); - printf("%s: %s\n", field, smb_uuid_string_static(guid)); - } -} - -/* - dump a sid result from ldap -*/ -static void dump_sid(const char *field, struct berval **values) -{ - int i; - for (i=0; values[i]; i++) { - DOM_SID sid; - sid_parse(values[i]->bv_val, values[i]->bv_len, &sid); - printf("%s: %s\n", field, sid_string_static(&sid)); - } -} - -/* - dump ntSecurityDescriptor -*/ -static void dump_sd(const char *filed, struct berval **values) -{ - prs_struct ps; - - SEC_DESC *psd = 0; - TALLOC_CTX *ctx = 0; - - if (!(ctx = talloc_init("sec_io_desc"))) - return; - - /* prepare data */ - prs_init(&ps, values[0]->bv_len, ctx, UNMARSHALL); - prs_copy_data_in(&ps, values[0]->bv_val, values[0]->bv_len); - prs_set_offset(&ps,0); - - /* parse secdesc */ - if (!sec_io_desc("sd", &psd, &ps, 1)) { - prs_mem_free(&ps); - talloc_free(ctx); - return; - } - if (psd) ads_disp_sd(psd); - - prs_mem_free(&ps); - talloc_free(ctx); -} - -/* - dump a string result from ldap -*/ -static void dump_string(const char *field, char **values) -{ - int i; - for (i=0; values[i]; i++) { - printf("%s: %s\n", field, values[i]); - } -} - -/* - dump a field from LDAP on stdout - used for debugging -*/ - -static BOOL ads_dump_field(char *field, void **values, void *data_area) -{ - const struct { - const char *name; - BOOL string; - void (*handler)(const char *, struct berval **); - } handlers[] = { - {"objectGUID", False, dump_guid}, - {"nTSecurityDescriptor", False, dump_sd}, - {"dnsRecord", False, dump_binary}, - {"objectSid", False, dump_sid}, - {"tokenGroups", False, dump_sid}, - {NULL, True, NULL} - }; - int i; - - if (!field) { /* must be end of an entry */ - printf("\n"); - return False; - } - - for (i=0; handlers[i].name; i++) { - if (strcasecmp_m(handlers[i].name, field) == 0) { - if (!values) /* first time, indicate string or not */ - return handlers[i].string; - handlers[i].handler(field, (struct berval **) values); - break; - } - } - if (!handlers[i].name) { - if (!values) /* first time, indicate string conversion */ - return True; - dump_string(field, (char **)values); - } - return False; -} - -/** - * Dump a result from LDAP on stdout - * used for debugging - * @param ads connection to ads server - * @param res Results to dump - **/ - -void ads_dump(ADS_STRUCT *ads, void *res) -{ - ads_process_results(ads, res, ads_dump_field, NULL); -} - -/** - * Walk through results, calling a function for each entry found. - * The function receives a field name, a berval * array of values, - * and a data area passed through from the start. The function is - * called once with null for field and values at the end of each - * entry. - * @param ads connection to ads server - * @param res Results to process - * @param fn Function for processing each result - * @param data_area user-defined area to pass to function - **/ -void ads_process_results(ADS_STRUCT *ads, void *res, - BOOL(*fn)(char *, void **, void *), - void *data_area) -{ - void *msg; - TALLOC_CTX *ctx; - - if (!(ctx = talloc_init("ads_process_results"))) - return; - - for (msg = ads_first_entry(ads, res); msg; - msg = ads_next_entry(ads, msg)) { - char *utf8_field; - BerElement *b; - - for (utf8_field=ldap_first_attribute(ads->ld, - (LDAPMessage *)msg,&b); - utf8_field; - utf8_field=ldap_next_attribute(ads->ld, - (LDAPMessage *)msg,b)) { - struct berval **ber_vals; - char **str_vals, **utf8_vals; - char *field; - BOOL string; - - pull_utf8_talloc(ctx, &field, utf8_field); - string = fn(field, NULL, data_area); - - if (string) { - utf8_vals = ldap_get_values(ads->ld, - (LDAPMessage *)msg, field); - str_vals = ads_pull_strvals(ctx, - (const char **) utf8_vals); - fn(field, (void **) str_vals, data_area); - ldap_value_free(utf8_vals); - } else { - ber_vals = ldap_get_values_len(ads->ld, - (LDAPMessage *)msg, field); - fn(field, (void **) ber_vals, data_area); - - ldap_value_free_len(ber_vals); - } - ldap_memfree(utf8_field); - } - ber_free(b, 0); - talloc_destroy_pool(ctx); - fn(NULL, NULL, data_area); /* completed an entry */ - - } - talloc_free(ctx); -} - -/** - * count how many replies are in a LDAPMessage - * @param ads connection to ads server - * @param res Results to count - * @return number of replies - **/ -int ads_count_replies(ADS_STRUCT *ads, void *res) -{ - return ldap_count_entries(ads->ld, (LDAPMessage *)res); -} - -/** - * Join a machine to a realm - * Creates the machine account and sets the machine password - * @param ads connection to ads server - * @param hostname name of host to add - * @param org_unit Organizational unit to place machine in - * @return status of join - **/ -ADS_STATUS ads_join_realm(ADS_STRUCT *ads, const char *hostname, - uint32_t account_type, const char *org_unit) -{ - ADS_STATUS status; - LDAPMessage *res; - char *host; - - /* hostname must be lowercase */ - host = strdup(hostname); - strlower_m(host); - - /* - status = ads_find_machine_acct(ads, (void **)&res, host); - if (ADS_ERR_OK(status) && ads_count_replies(ads, res) == 1) { - DEBUG(0, ("Host account for %s already exists - deleting old account\n", host)); - status = ads_leave_realm(ads, host); - if (!ADS_ERR_OK(status)) { - DEBUG(0, ("Failed to delete host '%s' from the '%s' realm.\n", - host, ads->config.realm)); - return status; - } - } - */ - - status = ads_add_machine_acct(ads, host, account_type, org_unit); - if (!ADS_ERR_OK(status)) { - DEBUG(0, ("ads_add_machine_acct: %s\n", ads_errstr(status))); - return status; - } - - status = ads_find_machine_acct(ads, (void **)&res, host); - if (!ADS_ERR_OK(status)) { - DEBUG(0, ("Host account test failed\n")); - return status; - } - - free(host); - - return status; -} - -/** - * Delete a machine from the realm - * @param ads connection to ads server - * @param hostname Machine to remove - * @return status of delete - **/ -ADS_STATUS ads_leave_realm(ADS_STRUCT *ads, const char *hostname) -{ - ADS_STATUS status; - void *res, *msg; - char *hostnameDN, *host; - int rc; - - /* hostname must be lowercase */ - host = strdup(hostname); - strlower_m(host); - - status = ads_find_machine_acct(ads, &res, host); - if (!ADS_ERR_OK(status)) { - DEBUG(0, ("Host account for %s does not exist.\n", host)); - return status; - } - - msg = ads_first_entry(ads, res); - if (!msg) { - return ADS_ERROR_SYSTEM(ENOENT); - } - - hostnameDN = ads_get_dn(ads, (LDAPMessage *)msg); - rc = ldap_delete_s(ads->ld, hostnameDN); - ads_memfree(ads, hostnameDN); - if (rc != LDAP_SUCCESS) { - return ADS_ERROR(rc); - } - - status = ads_find_machine_acct(ads, &res, host); - if (ADS_ERR_OK(status) && ads_count_replies(ads, res) == 1) { - DEBUG(0, ("Failed to remove host account.\n")); - return status; - } - - free(host); - - return status; -} - -/** - * add machine account to existing security descriptor - * @param ads connection to ads server - * @param hostname machine to add - * @param dn DN of security descriptor - * @return status - **/ -ADS_STATUS ads_set_machine_sd(ADS_STRUCT *ads, const char *hostname, char *dn) -{ - const char *attrs[] = {"nTSecurityDescriptor", "objectSid", 0}; - char *expr = 0; - size_t sd_size = 0; - struct berval bval = {0, NULL}; - prs_struct ps_wire; - char *escaped_hostname = escape_ldap_string_alloc(hostname); - - LDAPMessage *res = 0; - LDAPMessage *msg = 0; - ADS_MODLIST mods = 0; - - NTSTATUS status; - ADS_STATUS ret; - DOM_SID sid; - SEC_DESC *psd = NULL; - TALLOC_CTX *ctx = NULL; - - /* Avoid segmentation fault in prs_mem_free if - * we have to bail out before prs_init */ - ps_wire.is_dynamic = False; - - if (!ads) return ADS_ERROR(LDAP_SERVER_DOWN); - - ret = ADS_ERROR(LDAP_SUCCESS); - - if (!escaped_hostname) { - return ADS_ERROR_NT(NT_STATUS_NO_MEMORY); - } - - if (asprintf(&expr, "(samAccountName=%s$)", escaped_hostname) == -1) { - DEBUG(1, ("ads_set_machine_sd: asprintf failed!\n")); - SAFE_FREE(escaped_hostname); - return ADS_ERROR_NT(NT_STATUS_NO_MEMORY); - } - - SAFE_FREE(escaped_hostname); - - ret = ads_search(ads, (void *) &res, expr, attrs); - - if (!ADS_ERR_OK(ret)) return ret; - - if ( !(msg = ads_first_entry(ads, res) )) { - ret = ADS_ERROR(LDAP_NO_RESULTS_RETURNED); - goto ads_set_sd_error; - } - - if (!ads_pull_sid(ads, msg, attrs[1], &sid)) { - ret = ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER); - goto ads_set_sd_error; - } - - if (!(ctx = talloc_init("sec_io_desc"))) { - ret = ADS_ERROR(LDAP_NO_MEMORY); - goto ads_set_sd_error; - } - - if (!ads_pull_sd(ads, ctx, msg, attrs[0], &psd)) { - ret = ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER); - goto ads_set_sd_error; - } - - status = sec_desc_add_sid(ctx, &psd, &sid, SEC_RIGHTS_FULL_CTRL, &sd_size); - - if (!NT_STATUS_IS_OK(status)) { - ret = ADS_ERROR_NT(status); - goto ads_set_sd_error; - } - - if (!prs_init(&ps_wire, sd_size, ctx, MARSHALL)) { - ret = ADS_ERROR_NT(NT_STATUS_NO_MEMORY); - } - - if (!sec_io_desc("sd_wire", &psd, &ps_wire, 1)) { - ret = ADS_ERROR(LDAP_NO_MEMORY); - goto ads_set_sd_error; - } - -#if 0 - file_save("/tmp/sec_desc.new", ps_wire.data_p, sd_size); -#endif - if (!(mods = ads_init_mods(ctx))) return ADS_ERROR(LDAP_NO_MEMORY); - - bval.bv_len = prs_offset(&ps_wire); - bval.bv_val = talloc(ctx, bval.bv_len); - if (!bval.bv_val) { - ret = ADS_ERROR(LDAP_NO_MEMORY); - goto ads_set_sd_error; - } - - prs_set_offset(&ps_wire, 0); - - if (!prs_copy_data_out(bval.bv_val, &ps_wire, bval.bv_len)) { - ret = ADS_ERROR(LDAP_NO_MEMORY); - goto ads_set_sd_error; - } - - ret = ads_mod_ber(ctx, &mods, attrs[0], &bval); - if (ADS_ERR_OK(ret)) { - ret = ads_gen_mod(ads, dn, mods); - } - -ads_set_sd_error: - ads_msgfree(ads, res); - prs_mem_free(&ps_wire); - talloc_free(ctx); - return ret; -} - -/** - * pull the first entry from a ADS result - * @param ads connection to ads server - * @param res Results of search - * @return first entry from result - **/ -void *ads_first_entry(ADS_STRUCT *ads, void *res) -{ - return (void *)ldap_first_entry(ads->ld, (LDAPMessage *)res); -} - -/** - * pull the next entry from a ADS result - * @param ads connection to ads server - * @param res Results of search - * @return next entry from result - **/ -void *ads_next_entry(ADS_STRUCT *ads, void *res) -{ - return (void *)ldap_next_entry(ads->ld, (LDAPMessage *)res); -} - -/** - * pull a single string from a ADS result - * @param ads connection to ads server - * @param mem_ctx TALLOC_CTX to use for allocating result string - * @param msg Results of search - * @param field Attribute to retrieve - * @return Result string in talloc context - **/ -char *ads_pull_string(ADS_STRUCT *ads, - TALLOC_CTX *mem_ctx, void *msg, const char *field) -{ - char **values; - char *ret = NULL; - char *ux_string; - size_t rc; - - values = ldap_get_values(ads->ld, msg, field); - if (!values) - return NULL; - - if (values[0]) { - rc = pull_utf8_talloc(mem_ctx, &ux_string, - values[0]); - if (rc != (size_t)-1) - ret = ux_string; - - } - ldap_value_free(values); - return ret; -} - -/** - * pull an array of strings from a ADS result - * @param ads connection to ads server - * @param mem_ctx TALLOC_CTX to use for allocating result string - * @param msg Results of search - * @param field Attribute to retrieve - * @return Result strings in talloc context - **/ -char **ads_pull_strings(ADS_STRUCT *ads, - TALLOC_CTX *mem_ctx, void *msg, const char *field, - size_t *num_values) -{ - char **values; - char **ret = NULL; - int i; - - values = ldap_get_values(ads->ld, msg, field); - if (!values) - return NULL; - - *num_values = ldap_count_values(values); - - ret = talloc_array(mem_ctx, char *, *num_values+1); - if (!ret) { - ldap_value_free(values); - return NULL; - } - - for (i=0;i<*num_values;i++) { - if (pull_utf8_talloc(mem_ctx, &ret[i], values[i]) == -1) { - ldap_value_free(values); - return NULL; - } - } - ret[i] = NULL; - - ldap_value_free(values); - return ret; -} - -/** - * pull an array of strings from a ADS result - * (handle large multivalue attributes with range retrieval) - * @param ads connection to ads server - * @param mem_ctx TALLOC_CTX to use for allocating result string - * @param msg Results of search - * @param field Attribute to retrieve - * @param current_strings strings returned by a previous call to this function - * @param next_attribute The next query should ask for this attribute - * @param num_values How many values did we get this time? - * @param more_values Are there more values to get? - * @return Result strings in talloc context - **/ -char **ads_pull_strings_range(ADS_STRUCT *ads, - TALLOC_CTX *mem_ctx, - void *msg, const char *field, - char **current_strings, - const char **next_attribute, - size_t *num_strings, - BOOL *more_strings) -{ - char *attr; - char *expected_range_attrib, *range_attr; - BerElement *ptr = NULL; - char **strings; - char **new_strings; - size_t num_new_strings; - unsigned long int range_start; - unsigned long int range_end; - - /* we might have been given the whole lot anyway */ - if ((strings = ads_pull_strings(ads, mem_ctx, msg, field, num_strings))) { - *more_strings = False; - return strings; - } - - expected_range_attrib = talloc_asprintf(mem_ctx, "%s;Range=", field); - - /* look for Range result */ - for (attr = ldap_first_attribute(ads->ld, (LDAPMessage *)msg, &ptr); - attr; - attr = ldap_next_attribute(ads->ld, (LDAPMessage *)msg, ptr)) { - /* we ignore the fact that this is utf8, as all attributes are ascii... */ - if (strncasecmp(attr, expected_range_attrib, strlen(expected_range_attrib)) == 0) { - range_attr = attr; - break; - } - ldap_memfree(attr); - } - if (!attr) { - ber_free(ptr, 0); - /* nothing here - this field is just empty */ - *more_strings = False; - return NULL; - } - - if (sscanf(&range_attr[strlen(expected_range_attrib)], "%lu-%lu", - &range_start, &range_end) == 2) { - *more_strings = True; - } else { - if (sscanf(&range_attr[strlen(expected_range_attrib)], "%lu-*", - &range_start) == 1) { - *more_strings = False; - } else { - DEBUG(1, ("ads_pull_strings_range: Cannot parse Range attriubte (%s)\n", - range_attr)); - ldap_memfree(range_attr); - *more_strings = False; - return NULL; - } - } - - if ((*num_strings) != range_start) { - DEBUG(1, ("ads_pull_strings_range: Range attribute (%s) doesn't start at %u, but at %lu" - " - aborting range retreival\n", - range_attr, *num_strings + 1, range_start)); - ldap_memfree(range_attr); - *more_strings = False; - return NULL; - } - - new_strings = ads_pull_strings(ads, mem_ctx, msg, range_attr, &num_new_strings); - - if (*more_strings && ((*num_strings + num_new_strings) != (range_end + 1))) { - DEBUG(1, ("ads_pull_strings_range: Range attribute (%s) tells us we have %lu " - "strings in this bunch, but we only got %lu - aborting range retreival\n", - range_attr, (unsigned long int)range_end - range_start + 1, - (unsigned long int)num_new_strings)); - ldap_memfree(range_attr); - *more_strings = False; - return NULL; - } - - strings = talloc_realloc(current_strings, - sizeof(*current_strings) * - (*num_strings + num_new_strings)); - - if (strings == NULL) { - ldap_memfree(range_attr); - *more_strings = False; - return NULL; - } - - memcpy(&strings[*num_strings], new_strings, - sizeof(*new_strings) * num_new_strings); - - (*num_strings) += num_new_strings; - - if (*more_strings) { - *next_attribute = talloc_asprintf(mem_ctx, - "member;range=%d-*", - *num_strings); - - if (!*next_attribute) { - DEBUG(1, ("talloc_asprintf for next attribute failed!\n")); - ldap_memfree(range_attr); - *more_strings = False; - return NULL; - } - } - - ldap_memfree(range_attr); - - return strings; -} - -/** - * pull a single uint32_t from a ADS result - * @param ads connection to ads server - * @param msg Results of search - * @param field Attribute to retrieve - * @param v Pointer to int to store result - * @return boolean inidicating success -*/ -BOOL ads_pull_uint32_t(ADS_STRUCT *ads, - void *msg, const char *field, uint32_t *v) -{ - char **values; - - values = ldap_get_values(ads->ld, msg, field); - if (!values) - return False; - if (!values[0]) { - ldap_value_free(values); - return False; - } - - *v = atoi(values[0]); - ldap_value_free(values); - return True; -} - -/** - * pull a single objectGUID from an ADS result - * @param ads connection to ADS server - * @param msg results of search - * @param guid 37-byte area to receive text guid - * @return boolean indicating success - **/ -BOOL ads_pull_guid(ADS_STRUCT *ads, - void *msg, GUID *guid) -{ - char **values; - - values = ldap_get_values(ads->ld, msg, "objectGUID"); - if (!values) - return False; - - if (values[0]) { - memcpy(guid, values[0], sizeof(GUID)); - ldap_value_free(values); - return True; - } - ldap_value_free(values); - return False; - -} - - -/** - * pull a single DOM_SID from a ADS result - * @param ads connection to ads server - * @param msg Results of search - * @param field Attribute to retrieve - * @param sid Pointer to sid to store result - * @return boolean inidicating success -*/ -BOOL ads_pull_sid(ADS_STRUCT *ads, - void *msg, const char *field, DOM_SID *sid) -{ - struct berval **values; - BOOL ret = False; - - values = ldap_get_values_len(ads->ld, msg, field); - - if (!values) - return False; - - if (values[0]) - ret = sid_parse(values[0]->bv_val, values[0]->bv_len, sid); - - ldap_value_free_len(values); - return ret; -} - -/** - * pull an array of DOM_SIDs from a ADS result - * @param ads connection to ads server - * @param mem_ctx TALLOC_CTX for allocating sid array - * @param msg Results of search - * @param field Attribute to retrieve - * @param sids pointer to sid array to allocate - * @return the count of SIDs pulled - **/ -int ads_pull_sids(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, - void *msg, const char *field, DOM_SID **sids) -{ - struct berval **values; - BOOL ret; - int count, i; - - values = ldap_get_values_len(ads->ld, msg, field); - - if (!values) - return 0; - - for (i=0; values[i]; i++) - /* nop */ ; - - (*sids) = talloc_array(mem_ctx, DOM_SID, i); - if (!(*sids)) { - ldap_value_free_len(values); - return 0; - } - - count = 0; - for (i=0; values[i]; i++) { - ret = sid_parse(values[i]->bv_val, values[i]->bv_len, &(*sids)[count]); - if (ret) { - fstring sid; - DEBUG(10, ("pulling SID: %s\n", sid_to_string(sid, &(*sids)[count]))); - count++; - } - } - - ldap_value_free_len(values); - return count; -} - -/** - * pull a SEC_DESC from a ADS result - * @param ads connection to ads server - * @param mem_ctx TALLOC_CTX for allocating sid array - * @param msg Results of search - * @param field Attribute to retrieve - * @param sd Pointer to *SEC_DESC to store result (talloc()ed) - * @return boolean inidicating success -*/ -BOOL ads_pull_sd(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, - void *msg, const char *field, SEC_DESC **sd) -{ - struct berval **values; - prs_struct ps; - BOOL ret = False; - - values = ldap_get_values_len(ads->ld, msg, field); - - if (!values) return False; - - if (values[0]) { - prs_init(&ps, values[0]->bv_len, mem_ctx, UNMARSHALL); - prs_copy_data_in(&ps, values[0]->bv_val, values[0]->bv_len); - prs_set_offset(&ps,0); - - ret = sec_io_desc("sd", sd, &ps, 1); - } - - ldap_value_free_len(values); - return ret; -} - -/* - * in order to support usernames longer than 21 characters we need to - * use both the sAMAccountName and the userPrincipalName attributes - * It seems that not all users have the userPrincipalName attribute set - * - * @param ads connection to ads server - * @param mem_ctx TALLOC_CTX for allocating sid array - * @param msg Results of search - * @return the username - */ -char *ads_pull_username(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, void *msg) -{ - char *ret, *p; - - ret = ads_pull_string(ads, mem_ctx, msg, "userPrincipalName"); - if (ret && (p = strchr(ret, '@'))) { - *p = 0; - return ret; - } - return ads_pull_string(ads, mem_ctx, msg, "sAMAccountName"); -} - - -/** - * find the update serial number - this is the core of the ldap cache - * @param ads connection to ads server - * @param ads connection to ADS server - * @param usn Pointer to retrieved update serial number - * @return status of search - **/ -ADS_STATUS ads_USN(ADS_STRUCT *ads, uint32_t *usn) -{ - const char *attrs[] = {"highestCommittedUSN", NULL}; - ADS_STATUS status; - void *res; - - status = ads_do_search_retry(ads, "", LDAP_SCOPE_BASE, "(objectclass=*)", attrs, &res); - if (!ADS_ERR_OK(status)) - return status; - - if (ads_count_replies(ads, res) != 1) { - return ADS_ERROR(LDAP_NO_RESULTS_RETURNED); - } - - ads_pull_uint32_t(ads, res, "highestCommittedUSN", usn); - ads_msgfree(ads, res); - return ADS_SUCCESS; -} - -/* parse a ADS timestring - typical string is - '20020917091222.0Z0' which means 09:12.22 17th September - 2002, timezone 0 */ -static time_t ads_parse_time(const char *str) -{ - struct tm tm; - - ZERO_STRUCT(tm); - - if (sscanf(str, "%4d%2d%2d%2d%2d%2d", - &tm.tm_year, &tm.tm_mon, &tm.tm_mday, - &tm.tm_hour, &tm.tm_min, &tm.tm_sec) != 6) { - return 0; - } - tm.tm_year -= 1900; - tm.tm_mon -= 1; - - return timegm(&tm); -} - - -/** - * Find the servers name and realm - this can be done before authentication - * The ldapServiceName field on w2k looks like this: - * vnet3.home.samba.org:win2000-vnet3$@VNET3.HOME.SAMBA.ORG - * @param ads connection to ads server - * @return status of search - **/ -ADS_STATUS ads_server_info(ADS_STRUCT *ads) -{ - const char *attrs[] = {"ldapServiceName", "currentTime", NULL}; - ADS_STATUS status; - void *res; - char *value; - char *p; - char *timestr; - TALLOC_CTX *ctx; - - if (!(ctx = talloc_init("ads_server_info"))) { - return ADS_ERROR(LDAP_NO_MEMORY); - } - - status = ads_do_search(ads, "", LDAP_SCOPE_BASE, "(objectclass=*)", attrs, &res); - if (!ADS_ERR_OK(status)) return status; - - value = ads_pull_string(ads, ctx, res, "ldapServiceName"); - if (!value) { - return ADS_ERROR(LDAP_NO_RESULTS_RETURNED); - } - - timestr = ads_pull_string(ads, ctx, res, "currentTime"); - if (!timestr) { - return ADS_ERROR(LDAP_NO_RESULTS_RETURNED); - } - - ldap_msgfree(res); - - p = strchr(value, ':'); - if (!p) { - talloc_free(ctx); - DEBUG(1, ("ads_server_info: returned ldap server name did not contain a ':' " - "so was deemed invalid\n")); - return ADS_ERROR(LDAP_DECODING_ERROR); - } - - SAFE_FREE(ads->config.ldap_server_name); - - ads->config.ldap_server_name = strdup(p+1); - p = strchr(ads->config.ldap_server_name, '$'); - if (!p || p[1] != '@') { - talloc_free(ctx); - DEBUG(1, ("ads_server_info: returned ldap server name (%s) does not contain '$@'" - " so was deemed invalid\n", ads->config.ldap_server_name)); - SAFE_FREE(ads->config.ldap_server_name); - return ADS_ERROR(LDAP_DECODING_ERROR); - } - - *p = 0; - - SAFE_FREE(ads->config.realm); - SAFE_FREE(ads->config.bind_path); - - ads->config.realm = strdup(p+2); - ads->config.bind_path = ads_build_dn(ads->config.realm); - - DEBUG(3,("got ldap server name %s@%s, using bind path: %s\n", - ads->config.ldap_server_name, ads->config.realm, - ads->config.bind_path)); - - ads->config.current_time = ads_parse_time(timestr); - - if (ads->config.current_time != 0) { - ads->auth.time_offset = ads->config.current_time - time(NULL); - DEBUG(4,("time offset is %d seconds\n", ads->auth.time_offset)); - } - - talloc_free(ctx); - - return ADS_SUCCESS; -} - -/** - * find the domain sid for our domain - * @param ads connection to ads server - * @param sid Pointer to domain sid - * @return status of search - **/ -ADS_STATUS ads_domain_sid(ADS_STRUCT *ads, DOM_SID *sid) -{ - const char *attrs[] = {"objectSid", NULL}; - void *res; - ADS_STATUS rc; - - rc = ads_do_search_retry(ads, ads->config.bind_path, LDAP_SCOPE_BASE, "(objectclass=*)", - attrs, &res); - if (!ADS_ERR_OK(rc)) return rc; - if (!ads_pull_sid(ads, res, "objectSid", sid)) { - return ADS_ERROR_SYSTEM(ENOENT); - } - ads_msgfree(ads, res); - - return ADS_SUCCESS; -} - -/* this is rather complex - we need to find the allternate (netbios) name - for the domain, but there isn't a simple query to do this. Instead - we look for the principle names on the DCs account and find one that has - the right form, then extract the netbios name of the domain from that - - NOTE! better method is this: - -bin/net -Uadministrator%XXXXX ads search '(&(objectclass=crossref)(dnsroot=VNET3.HOME.SAMBA.ORG))' nETBIOSName - -but you need to force the bind path to match the configurationNamingContext from the rootDSE - -*/ -ADS_STATUS ads_workgroup_name(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, const char **workgroup) -{ - char *expr; - ADS_STATUS rc; - char **principles; - char *prefix; - int prefix_length; - int i; - void *res; - const char *attrs[] = {"servicePrincipalName", NULL}; - int num_principals; - - (*workgroup) = NULL; - - asprintf(&expr, "(&(objectclass=computer)(dnshostname=%s.%s))", - ads->config.ldap_server_name, ads->config.realm); - rc = ads_search(ads, &res, expr, attrs); - free(expr); - - if (!ADS_ERR_OK(rc)) { - return rc; - } - - principles = ads_pull_strings(ads, mem_ctx, res, - "servicePrincipalName", &num_principals); - - ads_msgfree(ads, res); - - if (!principles) { - return ADS_ERROR(LDAP_NO_RESULTS_RETURNED); - } - - asprintf(&prefix, "HOST/%s.%s/", - ads->config.ldap_server_name, - ads->config.realm); - - prefix_length = strlen(prefix); - - for (i=0;principles[i]; i++) { - if (strnequal(principles[i], prefix, prefix_length) && - !strequal(ads->config.realm, principles[i]+prefix_length) && - !strchr(principles[i]+prefix_length, '.')) { - /* found an alternate (short) name for the domain. */ - DEBUG(3,("Found alternate name '%s' for realm '%s'\n", - principles[i]+prefix_length, - ads->config.realm)); - (*workgroup) = talloc_strdup(mem_ctx, principles[i]+prefix_length); - break; - } - } - free(prefix); - - if (!*workgroup) { - return ADS_ERROR(LDAP_NO_RESULTS_RETURNED); - } - - return ADS_SUCCESS; -} - -#endif diff --git a/source4/libads/ldap_printer.c b/source4/libads/ldap_printer.c deleted file mode 100644 index 4e79f73a28..0000000000 --- a/source4/libads/ldap_printer.c +++ /dev/null @@ -1,353 +0,0 @@ -/* - Unix SMB/CIFS implementation. - ads (active directory) printer utility library - Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. -*/ - -#include "includes.h" - -#ifdef HAVE_ADS - -/* - find a printer given the name and the hostname - Note that results "res" may be allocated on return so that the - results can be used. It should be freed using ads_msgfree. -*/ -ADS_STATUS ads_find_printer_on_server(ADS_STRUCT *ads, void **res, - const char *printer, const char *servername) -{ - ADS_STATUS status; - char *srv_dn, **srv_cn, *s; - const char *attrs[] = {"*", "nTSecurityDescriptor", NULL}; - - status = ads_find_machine_acct(ads, res, servername); - if (!ADS_ERR_OK(status)) { - DEBUG(1, ("ads_add_printer: cannot find host %s in ads\n", - servername)); - return status; - } - srv_dn = ldap_get_dn(ads->ld, *res); - srv_cn = ldap_explode_dn(srv_dn, 1); - ads_msgfree(ads, *res); - - asprintf(&s, "(cn=%s-%s)", srv_cn[0], printer); - status = ads_search(ads, res, s, attrs); - - ldap_memfree(srv_dn); - ldap_value_free(srv_cn); - free(s); - return status; -} - -ADS_STATUS ads_find_printers(ADS_STRUCT *ads, void **res) -{ - char *ldap_expr; - const char *attrs[] = { "objectClass", "printerName", "location", "driverName", - "serverName", "description", NULL }; - - /* For the moment only display all printers */ - - ldap_expr = "(&(!(showInAdvancedViewOnly=TRUE))(uncName=*)" - "(objectCategory=printQueue))"; - - return ads_search(ads, res, ldap_expr, attrs); -} - -/* - modify a printer entry in the directory -*/ -ADS_STATUS ads_mod_printer_entry(ADS_STRUCT *ads, char *prt_dn, - TALLOC_CTX *ctx, const ADS_MODLIST *mods) -{ - return ads_gen_mod(ads, prt_dn, *mods); -} - -/* - add a printer to the directory -*/ -ADS_STATUS ads_add_printer_entry(ADS_STRUCT *ads, char *prt_dn, - TALLOC_CTX *ctx, ADS_MODLIST *mods) -{ - ads_mod_str(ctx, mods, "objectClass", "printQueue"); - return ads_gen_add(ads, prt_dn, *mods); -} - -/* - map a REG_SZ to an ldap mod -*/ -static BOOL map_sz(TALLOC_CTX *ctx, ADS_MODLIST *mods, - const REGISTRY_VALUE *value) -{ - char *str_value = NULL; - ADS_STATUS status; - - if (value->type != REG_SZ) - return False; - - if (value->size && SVAL(value->data_p, 0)) { - pull_ucs2_talloc(ctx, &str_value, value->data_p); - status = ads_mod_str(ctx, mods, value->valuename, str_value); - return ADS_ERR_OK(status); - } - return True; - -} - -/* - map a REG_DWORD to an ldap mod -*/ -static BOOL map_dword(TALLOC_CTX *ctx, ADS_MODLIST *mods, - const REGISTRY_VALUE *value) -{ - char *str_value = NULL; - ADS_STATUS status; - - if (value->type != REG_DWORD) - return False; - str_value = talloc_asprintf(ctx, "%d", *((uint32_t *) value->data_p)); - status = ads_mod_str(ctx, mods, value->valuename, str_value); - return ADS_ERR_OK(status); -} - -/* - map a boolean REG_BINARY to an ldap mod -*/ -static BOOL map_bool(TALLOC_CTX *ctx, ADS_MODLIST *mods, - const REGISTRY_VALUE *value) -{ - char *str_value; - ADS_STATUS status; - - if ((value->type != REG_BINARY) || (value->size != 1)) - return False; - str_value = talloc_asprintf(ctx, "%s", - *(value->data_p) ? "TRUE" : "FALSE"); - status = ads_mod_str(ctx, mods, value->valuename, str_value); - return ADS_ERR_OK(status); -} - -/* - map a REG_MULTI_SZ to an ldap mod -*/ -static BOOL map_multi_sz(TALLOC_CTX *ctx, ADS_MODLIST *mods, - const REGISTRY_VALUE *value) -{ - char **str_values = NULL; - char *cur_str = value->data_p; - uint32_t size = 0, num_vals = 0, i=0; - ADS_STATUS status; - - if (value->type != REG_MULTI_SZ) - return False; - - while (cur_str && *cur_str && (size < value->size)) { - size_t this_size = utf16_len(cur_str); - cur_str += this_size; - size += this_size; - num_vals++; - }; - - if (num_vals) { - str_values = talloc_array(ctx, char *, num_vals + 1); - cur_str = value->data_p; - for (i=0; i < num_vals; i++) { - pull_ucs2_talloc(ctx, &str_values[i], cur_str); - cur_str += utf16_len(cur_str); - } - str_values[i] = NULL; - - status = ads_mod_strlist(ctx, mods, value->valuename, - (const char **) str_values); - return ADS_ERR_OK(status); - } - return True; -} - -struct valmap_to_ads { - const char *valname; - BOOL (*fn)(TALLOC_CTX *, ADS_MODLIST *, const REGISTRY_VALUE *); -}; - -/* - map a REG_SZ to an ldap mod -*/ -static void map_regval_to_ads(TALLOC_CTX *ctx, ADS_MODLIST *mods, - REGISTRY_VALUE *value) -{ - const struct valmap_to_ads map[] = { - {SPOOL_REG_ASSETNUMBER, map_sz}, - {SPOOL_REG_BYTESPERMINUTE, map_dword}, - {SPOOL_REG_DEFAULTPRIORITY, map_dword}, - {SPOOL_REG_DESCRIPTION, map_sz}, - {SPOOL_REG_DRIVERNAME, map_sz}, - {SPOOL_REG_DRIVERVERSION, map_dword}, - {SPOOL_REG_FLAGS, map_dword}, - {SPOOL_REG_LOCATION, map_sz}, - {SPOOL_REG_OPERATINGSYSTEM, map_sz}, - {SPOOL_REG_OPERATINGSYSTEMHOTFIX, map_sz}, - {SPOOL_REG_OPERATINGSYSTEMSERVICEPACK, map_sz}, - {SPOOL_REG_OPERATINGSYSTEMVERSION, map_sz}, - {SPOOL_REG_PORTNAME, map_multi_sz}, - {SPOOL_REG_PRINTATTRIBUTES, map_dword}, - {SPOOL_REG_PRINTBINNAMES, map_multi_sz}, - {SPOOL_REG_PRINTCOLLATE, map_bool}, - {SPOOL_REG_PRINTCOLOR, map_bool}, - {SPOOL_REG_PRINTDUPLEXSUPPORTED, map_bool}, - {SPOOL_REG_PRINTENDTIME, map_dword}, - {SPOOL_REG_PRINTFORMNAME, map_sz}, - {SPOOL_REG_PRINTKEEPPRINTEDJOBS, map_bool}, - {SPOOL_REG_PRINTLANGUAGE, map_multi_sz}, - {SPOOL_REG_PRINTMACADDRESS, map_sz}, - {SPOOL_REG_PRINTMAXCOPIES, map_sz}, - {SPOOL_REG_PRINTMAXRESOLUTIONSUPPORTED, map_dword}, - {SPOOL_REG_PRINTMAXXEXTENT, map_dword}, - {SPOOL_REG_PRINTMAXYEXTENT, map_dword}, - {SPOOL_REG_PRINTMEDIAREADY, map_multi_sz}, - {SPOOL_REG_PRINTMEDIASUPPORTED, map_multi_sz}, - {SPOOL_REG_PRINTMEMORY, map_dword}, - {SPOOL_REG_PRINTMINXEXTENT, map_dword}, - {SPOOL_REG_PRINTMINYEXTENT, map_dword}, - {SPOOL_REG_PRINTNETWORKADDRESS, map_sz}, - {SPOOL_REG_PRINTNOTIFY, map_sz}, - {SPOOL_REG_PRINTNUMBERUP, map_dword}, - {SPOOL_REG_PRINTORIENTATIONSSUPPORTED, map_multi_sz}, - {SPOOL_REG_PRINTOWNER, map_sz}, - {SPOOL_REG_PRINTPAGESPERMINUTE, map_dword}, - {SPOOL_REG_PRINTRATE, map_dword}, - {SPOOL_REG_PRINTRATEUNIT, map_sz}, - {SPOOL_REG_PRINTSEPARATORFILE, map_sz}, - {SPOOL_REG_PRINTSHARENAME, map_sz}, - {SPOOL_REG_PRINTSPOOLING, map_sz}, - {SPOOL_REG_PRINTSTAPLINGSUPPORTED, map_bool}, - {SPOOL_REG_PRINTSTARTTIME, map_dword}, - {SPOOL_REG_PRINTSTATUS, map_sz}, - {SPOOL_REG_PRIORITY, map_dword}, - {SPOOL_REG_SERVERNAME, map_sz}, - {SPOOL_REG_SHORTSERVERNAME, map_sz}, - {SPOOL_REG_UNCNAME, map_sz}, - {SPOOL_REG_URL, map_sz}, - {SPOOL_REG_VERSIONNUMBER, map_dword}, - {NULL, NULL} - }; - int i; - - for (i=0; map[i].valname; i++) { - if (strcasecmp_m(map[i].valname, value->valuename) == 0) { - if (!map[i].fn(ctx, mods, value)) { - DEBUG(5, ("Add of value %s to modlist failed\n", value->valuename)); - } else { - DEBUG(7, ("Mapped value %s\n", value->valuename)); - } - - } - } -} - - -WERROR get_remote_printer_publishing_data(struct smbcli_state *cli, - TALLOC_CTX *mem_ctx, - ADS_MODLIST *mods, - const char *printer) -{ - WERROR result; - char *printername, *servername; - REGVAL_CTR dsdriver_ctr, dsspooler_ctr; - BOOL got_dsdriver = False, got_dsspooler = False; - uint32_t needed, i; - POLICY_HND pol; - - asprintf(&servername, "\\\\%s", cli->desthost); - asprintf(&printername, "%s\\%s", servername, printer); - if (!servername || !printername) { - DEBUG(3, ("Insufficient memory\n")); - return WERR_NOMEM; - } - - result = smbcli_spoolss_open_printer_ex(cli, mem_ctx, printername, - "", MAXIMUM_ALLOWED_ACCESS, - servername, cli->user_name, &pol); - if (!W_ERROR_IS_OK(result)) { - DEBUG(3, ("Unable to open printer %s, error is %s.\n", - printername, dos_errstr(result))); - return result; - } - - result = smbcli_spoolss_enumprinterdataex(cli, mem_ctx, 0, &needed, - &pol, SPOOL_DSDRIVER_KEY, NULL); - - if (W_ERROR_V(result) == ERRmoredata) - result = smbcli_spoolss_enumprinterdataex(cli, mem_ctx, needed, - NULL, &pol, - SPOOL_DSDRIVER_KEY, - &dsdriver_ctr); - - if (!W_ERROR_IS_OK(result)) { - DEBUG(3, ("Unable to do enumdataex on %s, error is %s.\n", - printername, dos_errstr(result))); - } else { - - /* Have the data we need now, so start building */ - got_dsdriver = True; - for (i=0; i < dsdriver_ctr.num_values; i++) - map_regval_to_ads(mem_ctx, mods, - dsdriver_ctr.values[i]); - } - - result = smbcli_spoolss_enumprinterdataex(cli, mem_ctx, 0, &needed, - &pol, SPOOL_DSSPOOLER_KEY, - NULL); - - if (W_ERROR_V(result) == ERRmoredata) - result = smbcli_spoolss_enumprinterdataex(cli, mem_ctx, needed, - NULL, &pol, - SPOOL_DSSPOOLER_KEY, - &dsspooler_ctr); - - if (!W_ERROR_IS_OK(result)) { - DEBUG(3, ("Unable to do enumdataex on %s, error is %s.\n", - printername, dos_errstr(result))); - } else { - got_dsspooler = True; - for (i=0; i < dsspooler_ctr.num_values; i++) - map_regval_to_ads(mem_ctx, mods, - dsspooler_ctr.values[i]); - } - - ads_mod_str(mem_ctx, mods, SPOOL_REG_PRINTERNAME, printer); - - if (got_dsdriver) regval_ctr_destroy(&dsdriver_ctr); - if (got_dsspooler) regval_ctr_destroy(&dsspooler_ctr); - smbcli_spoolss_close_printer(cli, mem_ctx, &pol); - - return result; -} - -BOOL get_local_printer_publishing_data(TALLOC_CTX *mem_ctx, - ADS_MODLIST *mods, - NT_PRINTER_DATA *data) -{ - uint32_t key,val; - - for (key=0; key < data->num_keys; key++) { - REGVAL_CTR ctr = data->keys[key].values; - for (val=0; val < ctr.num_values; val++) - map_regval_to_ads(mem_ctx, mods, ctr.values[val]); - } - return True; -} - -#endif diff --git a/source4/libads/ldap_user.c b/source4/libads/ldap_user.c deleted file mode 100644 index 0032f8c9ab..0000000000 --- a/source4/libads/ldap_user.c +++ /dev/null @@ -1,119 +0,0 @@ -/* - Unix SMB/CIFS implementation. - ads (active directory) utility library - Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. -*/ - -#include "includes.h" - -#ifdef HAVE_ADS - -/* - find a user account -*/ -ADS_STATUS ads_find_user_acct(ADS_STRUCT *ads, void **res, const char *user) -{ - ADS_STATUS status; - char *ldap_exp; - const char *attrs[] = {"*", NULL}; - char *escaped_user = escape_ldap_string_alloc(user); - if (!escaped_user) { - return ADS_ERROR(LDAP_NO_MEMORY); - } - - asprintf(&ldap_exp, "(samAccountName=%s)", escaped_user); - status = ads_search(ads, res, ldap_exp, attrs); - SAFE_FREE(ldap_exp); - SAFE_FREE(escaped_user); - return status; -} - -ADS_STATUS ads_add_user_acct(ADS_STRUCT *ads, const char *user, - const char *container, const char *fullname) -{ - TALLOC_CTX *ctx; - ADS_MODLIST mods; - ADS_STATUS status; - const char *upn, *new_dn, *name, *controlstr; - const char *objectClass[] = {"top", "person", "organizationalPerson", - "user", NULL}; - - if (fullname && *fullname) name = fullname; - else name = user; - - if (!(ctx = talloc_init("ads_add_user_acct"))) - return ADS_ERROR(LDAP_NO_MEMORY); - - status = ADS_ERROR(LDAP_NO_MEMORY); - - if (!(upn = talloc_asprintf(ctx, "%s@%s", user, ads->config.realm))) - goto done; - if (!(new_dn = talloc_asprintf(ctx, "cn=%s,%s,%s", name, container, - ads->config.bind_path))) - goto done; - if (!(controlstr = talloc_asprintf(ctx, "%u", UF_NORMAL_ACCOUNT))) - goto done; - if (!(mods = ads_init_mods(ctx))) - goto done; - - ads_mod_str(ctx, &mods, "cn", name); - ads_mod_strlist(ctx, &mods, "objectClass", objectClass); - ads_mod_str(ctx, &mods, "userPrincipalName", upn); - ads_mod_str(ctx, &mods, "name", name); - ads_mod_str(ctx, &mods, "displayName", name); - ads_mod_str(ctx, &mods, "sAMAccountName", user); - ads_mod_str(ctx, &mods, "userAccountControl", controlstr); - status = ads_gen_add(ads, new_dn, mods); - - done: - talloc_free(ctx); - return status; -} - -ADS_STATUS ads_add_group_acct(ADS_STRUCT *ads, const char *group, - const char *container, const char *comment) -{ - TALLOC_CTX *ctx; - ADS_MODLIST mods; - ADS_STATUS status; - char *new_dn; - const char *objectClass[] = {"top", "group", NULL}; - - if (!(ctx = talloc_init("ads_add_group_acct"))) - return ADS_ERROR(LDAP_NO_MEMORY); - - status = ADS_ERROR(LDAP_NO_MEMORY); - - if (!(new_dn = talloc_asprintf(ctx, "cn=%s,%s,%s", group, container, - ads->config.bind_path))) - goto done; - if (!(mods = ads_init_mods(ctx))) - goto done; - - ads_mod_str(ctx, &mods, "cn", group); - ads_mod_strlist(ctx, &mods, "objectClass",objectClass); - ads_mod_str(ctx, &mods, "name", group); - if (comment && *comment) - ads_mod_str(ctx, &mods, "description", comment); - ads_mod_str(ctx, &mods, "sAMAccountName", group); - status = ads_gen_add(ads, new_dn, mods); - - done: - talloc_free(ctx); - return status; -} -#endif diff --git a/source4/libads/ldap_utils.c b/source4/libads/ldap_utils.c deleted file mode 100644 index 991f16c845..0000000000 --- a/source4/libads/ldap_utils.c +++ /dev/null @@ -1,108 +0,0 @@ -/* - Unix SMB/CIFS implementation. - - Some Helpful wrappers on LDAP - - Copyright (C) Andrew Tridgell 2001 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. -*/ - -#include "includes.h" - -#ifdef HAVE_LDAP -/* - a wrapper around ldap_search_s that retries depending on the error code - this is supposed to catch dropped connections and auto-reconnect -*/ -ADS_STATUS ads_do_search_retry(ADS_STRUCT *ads, const char *bind_path, int scope, - const char *expr, - const char **attrs, void **res) -{ - ADS_STATUS status; - int count = 3; - char *bp; - - *res = NULL; - - if (!ads->ld && - time(NULL) - ads->last_attempt < ADS_RECONNECT_TIME) { - return ADS_ERROR(LDAP_SERVER_DOWN); - } - - bp = strdup(bind_path); - - if (!bp) { - return ADS_ERROR_NT(NT_STATUS_NO_MEMORY); - } - - while (count--) { - *res = NULL; - status = ads_do_search_all(ads, bp, scope, expr, attrs, res); - if (ADS_ERR_OK(status)) { - DEBUG(5,("Search for %s gave %d replies\n", - expr, ads_count_replies(ads, *res))); - SAFE_FREE(bp); - return status; - } - - if (*res) - ads_msgfree(ads, *res); - *res = NULL; - - DEBUG(3,("Reopening ads connection to realm '%s' after error %s\n", - ads->config.realm, ads_errstr(status))); - - if (ads->ld) { - ldap_unbind(ads->ld); - } - - ads->ld = NULL; - status = ads_connect(ads); - - if (!ADS_ERR_OK(status)) { - DEBUG(1,("ads_search_retry: failed to reconnect (%s)\n", - ads_errstr(status))); - ads_destroy(&ads); - SAFE_FREE(bp); - return status; - } - } - SAFE_FREE(bp); - - if (!ADS_ERR_OK(status)) - DEBUG(1,("ads reopen failed after error %s\n", - ads_errstr(status))); - - return status; -} - - -ADS_STATUS ads_search_retry(ADS_STRUCT *ads, void **res, - const char *expr, - const char **attrs) -{ - return ads_do_search_retry(ads, ads->config.bind_path, LDAP_SCOPE_SUBTREE, - expr, attrs, res); -} - -ADS_STATUS ads_search_retry_dn(ADS_STRUCT *ads, void **res, - const char *dn, - const char **attrs) -{ - return ads_do_search_retry(ads, dn, LDAP_SCOPE_BASE, - "(objectclass=*)", attrs, res); -} -#endif diff --git a/source4/libads/sasl.c b/source4/libads/sasl.c deleted file mode 100644 index b79f54c86d..0000000000 --- a/source4/libads/sasl.c +++ /dev/null @@ -1,438 +0,0 @@ -/* - Unix SMB/CIFS implementation. - ads sasl code - Copyright (C) Andrew Tridgell 2001 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. -*/ - -#include "includes.h" - -#ifdef HAVE_LDAP - -/* - perform a LDAP/SASL/SPNEGO/NTLMSSP bind (just how many layers can - we fit on one socket??) -*/ -static ADS_STATUS ads_sasl_spnego_ntlmssp_bind(ADS_STRUCT *ads) -{ - const char *mechs[] = {OID_NTLMSSP, NULL}; - DATA_BLOB msg1; - DATA_BLOB blob, chal1, chal2, auth; - uint8_t challenge[8]; - uint8_t nthash[24], lmhash[24], sess_key[16]; - uint32_t neg_flags; - struct berval cred, *scred; - ADS_STATUS status; - int rc; - - if (!ads->auth.password) { - /* No password, don't segfault below... */ - return ADS_ERROR_NT(NT_STATUS_LOGON_FAILURE); - } - - neg_flags = NTLMSSP_NEGOTIATE_UNICODE | - NTLMSSP_NEGOTIATE_128 | - NTLMSSP_NEGOTIATE_NTLM; - - memset(sess_key, 0, 16); - - /* generate the ntlmssp negotiate packet */ - msrpc_gen(&blob, "CddB", - "NTLMSSP", - NTLMSSP_NEGOTIATE, - neg_flags, - sess_key, 16); - - /* and wrap it in a SPNEGO wrapper */ - msg1 = gen_negTokenTarg(mechs, blob); - data_blob_free(&blob); - - cred.bv_val = (char *)msg1.data; - cred.bv_len = msg1.length; - - rc = ldap_sasl_bind_s(ads->ld, NULL, "GSS-SPNEGO", &cred, NULL, NULL, &scred); - if (rc != LDAP_SASL_BIND_IN_PROGRESS) { - status = ADS_ERROR(rc); - goto failed; - } - - blob = data_blob(scred->bv_val, scred->bv_len); - - /* the server gives us back two challenges */ - if (!spnego_parse_challenge(blob, &chal1, &chal2)) { - DEBUG(3,("Failed to parse challenges\n")); - status = ADS_ERROR(LDAP_OPERATIONS_ERROR); - goto failed; - } - - data_blob_free(&blob); - - /* encrypt the password with the challenge */ - memcpy(challenge, chal1.data + 24, 8); - SMBencrypt(ads->auth.password, challenge,lmhash); - SMBNTencrypt(ads->auth.password, challenge,nthash); - - data_blob_free(&chal1); - data_blob_free(&chal2); - - /* this generates the actual auth packet */ - msrpc_gen(&blob, "CdBBUUUBd", - "NTLMSSP", - NTLMSSP_AUTH, - lmhash, 24, - nthash, 24, - lp_workgroup(), - ads->auth.user_name, - lp_netbios_name(), - sess_key, 16, - neg_flags); - - /* wrap it in SPNEGO */ - auth = spnego_gen_auth(blob); - - data_blob_free(&blob); - - /* now send the auth packet and we should be done */ - cred.bv_val = (char *)auth.data; - cred.bv_len = auth.length; - - rc = ldap_sasl_bind_s(ads->ld, NULL, "GSS-SPNEGO", &cred, NULL, NULL, &scred); - - return ADS_ERROR(rc); - -failed: - return status; -} - -/* - perform a LDAP/SASL/SPNEGO/KRB5 bind -*/ -static ADS_STATUS ads_sasl_spnego_krb5_bind(ADS_STRUCT *ads, const char *principal) -{ - DATA_BLOB blob; - struct berval cred, *scred; - DATA_BLOB session_key; - int rc; - - rc = spnego_gen_negTokenTarg(principal, ads->auth.time_offset, &blob, &session_key); - - if (rc) { - return ADS_ERROR_KRB5(rc); - } - - /* now send the auth packet and we should be done */ - cred.bv_val = (char *)blob.data; - cred.bv_len = blob.length; - - rc = ldap_sasl_bind_s(ads->ld, NULL, "GSS-SPNEGO", &cred, NULL, NULL, &scred); - - data_blob_free(&blob); - data_blob_free(&session_key); - - return ADS_ERROR(rc); -} - -/* - this performs a SASL/SPNEGO bind -*/ -static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) -{ - struct berval *scred=NULL; - int rc, i; - ADS_STATUS status; - DATA_BLOB blob; - char *principal; - char *OIDs[ASN1_MAX_OIDS]; - BOOL got_kerberos_mechanism = False; - - rc = ldap_sasl_bind_s(ads->ld, NULL, "GSS-SPNEGO", NULL, NULL, NULL, &scred); - - if (rc != LDAP_SASL_BIND_IN_PROGRESS) { - status = ADS_ERROR(rc); - goto failed; - } - - blob = data_blob(scred->bv_val, scred->bv_len); - - ber_bvfree(scred); - -#if 0 - file_save("sasl_spnego.dat", blob.data, blob.length); -#endif - - /* the server sent us the first part of the SPNEGO exchange in the negprot - reply */ - if (!spnego_parse_negTokenInit(blob, OIDs, &principal)) { - data_blob_free(&blob); - status = ADS_ERROR(LDAP_OPERATIONS_ERROR); - goto failed; - } - data_blob_free(&blob); - - /* make sure the server understands kerberos */ - for (i=0;OIDs[i];i++) { - DEBUG(3,("got OID=%s\n", OIDs[i])); - if (strcmp(OIDs[i], OID_KERBEROS5_OLD) == 0 || - strcmp(OIDs[i], OID_KERBEROS5) == 0) { - got_kerberos_mechanism = True; - } - free(OIDs[i]); - } - DEBUG(3,("got principal=%s\n", principal)); - -#ifdef HAVE_KRB5 - if (!(ads->auth.flags & ADS_AUTH_DISABLE_KERBEROS) && - got_kerberos_mechanism) { - status = ads_sasl_spnego_krb5_bind(ads, principal); - if (ADS_ERR_OK(status)) - return status; - - status = ADS_ERROR_KRB5(ads_kinit_password(ads)); - - if (ADS_ERR_OK(status)) { - status = ads_sasl_spnego_krb5_bind(ads, principal); - } - - /* only fallback to NTLMSSP if allowed */ - if (ADS_ERR_OK(status) || - !(ads->auth.flags & ADS_AUTH_ALLOW_NTLMSSP)) { - return status; - } - } -#endif - - /* lets do NTLMSSP ... this has the big advantage that we don't need - to sync clocks, and we don't rely on special versions of the krb5 - library for HMAC_MD4 encryption */ - return ads_sasl_spnego_ntlmssp_bind(ads); - -failed: - return status; -} - -#ifdef HAVE_GSSAPI -#define MAX_GSS_PASSES 3 - -/* this performs a SASL/gssapi bind - we avoid using cyrus-sasl to make Samba more robust. cyrus-sasl - is very dependent on correctly configured DNS whereas - this routine is much less fragile - see RFC2078 and RFC2222 for details -*/ -static ADS_STATUS ads_sasl_gssapi_bind(ADS_STRUCT *ads) -{ - uint32_t minor_status; - gss_name_t serv_name; - gss_buffer_desc input_name; - gss_ctx_id_t context_handle; - gss_OID mech_type = GSS_C_NULL_OID; - gss_buffer_desc output_token, input_token; - uint32_t ret_flags, conf_state; - struct berval cred; - struct berval *scred; - int i=0; - int gss_rc, rc; - uint8_t *p; - uint32_t max_msg_size; - char *sname; - uint_t sec_layer; - ADS_STATUS status; - krb5_principal principal; - krb5_context ctx; - krb5_enctype enc_types[] = { -#ifdef ENCTYPE_ARCFOUR_HMAC - ENCTYPE_ARCFOUR_HMAC, -#endif - ENCTYPE_DES_CBC_MD5, - ENCTYPE_NULL}; - gss_OID_desc nt_principal = - {10, "\052\206\110\206\367\022\001\002\002\002"}; - - /* we need to fetch a service ticket as the ldap user in the - servers realm, regardless of our realm */ - asprintf(&sname, "ldap/%s@%s", ads->config.ldap_server_name, ads->config.realm); - krb5_init_context(&ctx); - krb5_set_default_tgs_ktypes(ctx, enc_types); - krb5_parse_name(ctx, sname, &principal); - free(sname); - krb5_free_context(ctx); - - input_name.value = &principal; - input_name.length = sizeof(principal); - - gss_rc = gss_import_name(&minor_status,&input_name,&nt_principal, &serv_name); - if (gss_rc) { - return ADS_ERROR_GSS(gss_rc, minor_status); - } - - context_handle = GSS_C_NO_CONTEXT; - - input_token.value = NULL; - input_token.length = 0; - - for (i=0; i < MAX_GSS_PASSES; i++) { - gss_rc = gss_init_sec_context(&minor_status, - GSS_C_NO_CREDENTIAL, - &context_handle, - serv_name, - mech_type, - GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG, - 0, - NULL, - &input_token, - NULL, - &output_token, - &ret_flags, - NULL); - - if (input_token.value) { - gss_release_buffer(&minor_status, &input_token); - } - - if (gss_rc && gss_rc != GSS_S_CONTINUE_NEEDED) { - status = ADS_ERROR_GSS(gss_rc, minor_status); - goto failed; - } - - cred.bv_val = output_token.value; - cred.bv_len = output_token.length; - - rc = ldap_sasl_bind_s(ads->ld, NULL, "GSSAPI", &cred, NULL, NULL, - &scred); - if (rc != LDAP_SASL_BIND_IN_PROGRESS) { - status = ADS_ERROR(rc); - goto failed; - } - - if (output_token.value) { - gss_release_buffer(&minor_status, &output_token); - } - - if (scred) { - input_token.value = scred->bv_val; - input_token.length = scred->bv_len; - } else { - input_token.value = NULL; - input_token.length = 0; - } - - if (gss_rc == 0) break; - } - - gss_release_name(&minor_status, &serv_name); - - gss_rc = gss_unwrap(&minor_status,context_handle,&input_token,&output_token, - (int *)&conf_state,NULL); - if (gss_rc) { - status = ADS_ERROR_GSS(gss_rc, minor_status); - goto failed; - } - - gss_release_buffer(&minor_status, &input_token); - - p = (uint8_t *)output_token.value; - - file_save("sasl_gssapi.dat", output_token.value, output_token.length); - - max_msg_size = (p[1]<<16) | (p[2]<<8) | p[3]; - sec_layer = *p; - - gss_release_buffer(&minor_status, &output_token); - - output_token.value = malloc(strlen(ads->config.bind_path) + 8); - p = output_token.value; - - *p++ = 1; /* no sign & seal selection */ - /* choose the same size as the server gave us */ - *p++ = max_msg_size>>16; - *p++ = max_msg_size>>8; - *p++ = max_msg_size; - snprintf((char *)p, strlen(ads->config.bind_path)+4, "dn:%s", ads->config.bind_path); - p += strlen((const char *)p); - - output_token.length = PTR_DIFF(p, output_token.value); - - gss_rc = gss_wrap(&minor_status, context_handle,0,GSS_C_QOP_DEFAULT, - &output_token, (int *)&conf_state, - &input_token); - if (gss_rc) { - status = ADS_ERROR_GSS(gss_rc, minor_status); - goto failed; - } - - free(output_token.value); - - cred.bv_val = input_token.value; - cred.bv_len = input_token.length; - - rc = ldap_sasl_bind_s(ads->ld, NULL, "GSSAPI", &cred, NULL, NULL, - &scred); - status = ADS_ERROR(rc); - - gss_release_buffer(&minor_status, &input_token); - -failed: - return status; -} -#endif - -/* mapping between SASL mechanisms and functions */ -static struct { - const char *name; - ADS_STATUS (*fn)(ADS_STRUCT *); -} sasl_mechanisms[] = { - {"GSS-SPNEGO", ads_sasl_spnego_bind}, -#ifdef HAVE_GSSAPI - {"GSSAPI", ads_sasl_gssapi_bind}, /* doesn't work with .NET RC1. No idea why */ -#endif - {NULL, NULL} -}; - -ADS_STATUS ads_sasl_bind(ADS_STRUCT *ads) -{ - const char *attrs[] = {"supportedSASLMechanisms", NULL}; - char **values; - ADS_STATUS status; - int i, j; - void *res; - - /* get a list of supported SASL mechanisms */ - status = ads_do_search(ads, "", LDAP_SCOPE_BASE, "(objectclass=*)", attrs, &res); - if (!ADS_ERR_OK(status)) return status; - - values = ldap_get_values(ads->ld, res, "supportedSASLMechanisms"); - - /* try our supported mechanisms in order */ - for (i=0;sasl_mechanisms[i].name;i++) { - /* see if the server supports it */ - for (j=0;values && values[j];j++) { - if (strcmp(values[j], sasl_mechanisms[i].name) == 0) { - DEBUG(4,("Found SASL mechanism %s\n", values[j])); - status = sasl_mechanisms[i].fn(ads); - ldap_value_free(values); - ldap_msgfree(res); - return status; - } - } - } - - ldap_value_free(values); - ldap_msgfree(res); - return ADS_ERROR(LDAP_AUTH_METHOD_NOT_SUPPORTED); -} - -#endif - diff --git a/source4/libads/util.c b/source4/libads/util.c deleted file mode 100644 index f7dc219790..0000000000 --- a/source4/libads/util.c +++ /dev/null @@ -1,67 +0,0 @@ -/* - Unix SMB/CIFS implementation. - krb5 set password implementation - Copyright (C) Remus Koos 2001 (remuskoos@yahoo.com) - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. -*/ - -#include "includes.h" - -#ifdef HAVE_KRB5 - -ADS_STATUS ads_change_trust_account_password(ADS_STRUCT *ads, char *host_principal) -{ - char *tmp_password; - char *password; - char *new_password; - char *service_principal = NULL; - ADS_STATUS ret; - uint32_t sec_channel_type; - - if ((password = secrets_fetch_machine_password(lp_workgroup(), NULL, &sec_channel_type)) == NULL) { - DEBUG(1,("Failed to retrieve password for principal %s\n", host_principal)); - return ADS_ERROR_SYSTEM(ENOENT); - } - - tmp_password = generate_random_str(DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH); - new_password = strdup(tmp_password); - - asprintf(&service_principal, "HOST/%s", host_principal); - - if (!service_principal) { - DEBUG(1,("asprintf() failed principal %s\n", host_principal)); - return ADS_ERROR_SYSTEM(ENOMEM); - } - - ret = kerberos_set_password(ads->auth.kdc_server, service_principal, password, service_principal, new_password, ads->auth.time_offset); - - if (!ADS_ERR_OK(ret)) goto failed; - - if (!secrets_store_machine_password(new_password, lp_workgroup(), sec_channel_type)) { - DEBUG(1,("Failed to save machine password\n")); - return ADS_ERROR_SYSTEM(EACCES); - } - -failed: - SAFE_FREE(service_principal); - SAFE_FREE(new_password); - - return ret; -} - - - -#endif |