summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--source3/Makefile.in2
-rw-r--r--source3/include/ads.h124
-rw-r--r--source3/libads/ads_status.c48
-rw-r--r--source3/libads/ldap.c2
-rw-r--r--source3/nsswitch/winbindd_ads.c8
-rw-r--r--source3/smbd/sesssetup.c3
-rw-r--r--source3/utils/net_ads.c2
7 files changed, 154 insertions, 35 deletions
diff --git a/source3/Makefile.in b/source3/Makefile.in
index 499a098577..531ca74474 100644
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -153,7 +153,7 @@ PARAM_OBJ = param/loadparm.o param/params.o dynconfig.o
LIBADS_OBJ = libads/ldap.o libads/ldap_printer.o libads/sasl.o \
libads/krb5_setpw.o libads/kerberos.o libads/ldap_user.o \
libads/ads_struct.o libads/ads_status.o \
- libads/disp_sec.o
+ libads/disp_sec.o libads/ads_utils.o
LIBADS_SERVER_OBJ = libads/util.o libads/kerberos_verify.o
diff --git a/source3/include/ads.h b/source3/include/ads.h
index 7504a369b4..6106eb6b40 100644
--- a/source3/include/ads.h
+++ b/source3/include/ads.h
@@ -92,11 +92,14 @@ typedef struct {
/* there are 4 possible types of errors the ads subsystem can produce */
enum ads_error_type {ADS_ERROR_KRB5, ADS_ERROR_GSS,
- ADS_ERROR_LDAP, ADS_ERROR_SYSTEM};
+ ADS_ERROR_LDAP, ADS_ERROR_SYSTEM, ADS_ERROR_NT};
typedef struct {
enum ads_error_type error_type;
- int rc;
+ union err_state{
+ int rc;
+ NTSTATUS nt_status;
+ } err;
/* For error_type = ADS_ERROR_GSS minor_status describe GSS API error */
/* Where rc represents major_status of GSS API error */
int minor_status;
@@ -109,12 +112,14 @@ typedef void **ADS_MODLIST;
#endif
/* macros to simplify error returning */
-#define ADS_ERROR(rc) ads_build_error(ADS_ERROR_LDAP, rc, 0)
+#define ADS_ERROR(rc) ADS_ERROR_LDAP(rc)
+#define ADS_ERROR_LDAP(rc) ads_build_error(ADS_ERROR_LDAP, rc, 0)
#define ADS_ERROR_SYSTEM(rc) ads_build_error(ADS_ERROR_SYSTEM, rc?rc:EINVAL, 0)
#define ADS_ERROR_KRB5(rc) ads_build_error(ADS_ERROR_KRB5, rc, 0)
#define ADS_ERROR_GSS(rc, minor) ads_build_error(ADS_ERROR_GSS, rc, minor)
+#define ADS_ERROR_NT(rc) ads_build_nt_error(ADS_ERROR_NT,rc)
-#define ADS_ERR_OK(status) ((status).rc == 0)
+#define ADS_ERR_OK(status) ((status.error_type == ADS_ERROR_NT) ? NT_STATUS_IS_OK(status.err.nt_status):(status.err.rc == 0))
#define ADS_SUCCESS ADS_ERROR(0)
/* time between reconnect attempts */
@@ -128,23 +133,100 @@ typedef void **ADS_MODLIST;
#define ADS_NO_REFERRALS_OID "1.2.840.113556.1.4.1339"
#define ADS_SERVER_SORT_OID "1.2.840.113556.1.4.473"
-#define UF_DONT_EXPIRE_PASSWD 0x10000
-#define UF_MNS_LOGON_ACCOUNT 0x20000
-#define UF_SMARTCARD_REQUIRED 0x40000
-#define UF_TRUSTED_FOR_DELEGATION 0x80000
-#define UF_NOT_DELEGATED 0x100000
-#define UF_USE_DES_KEY_ONLY 0x200000
-#define UF_DONT_REQUIRE_PREAUTH 0x400000
-
-#define UF_TEMP_DUPLICATE_ACCOUNT 0x0100
-#define UF_NORMAL_ACCOUNT 0x0200
-#define UF_INTERDOMAIN_TRUST_ACCOUNT 0x0800
-#define UF_WORKSTATION_TRUST_ACCOUNT 0x1000
-#define UF_SERVER_TRUST_ACCOUNT 0x2000
-
-/* account types */
-#define ATYPE_GROUP 0x10000000
-#define ATYPE_USER 0x30000000
+/* UserFlags for userAccountControl */
+#define UF_SCRIPT 0x00000001
+#define UF_ACCOUNTDISABLE 0x00000002
+#define UF_UNUSED_1 0x00000004
+#define UF_HOMEDIR_REQUIRED 0x00000008
+
+#define UF_LOCKOUT 0x00000010
+#define UF_PASSWD_NOTREQD 0x00000020
+#define UF_PASSWD_CANT_CHANGE 0x00000040
+#define UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED 0x00000080
+
+#define UF_TEMP_DUPLICATE_ACCOUNT 0x00000100
+#define UF_NORMAL_ACCOUNT 0x00000200
+#define UF_UNUSED_2 0x00000400
+#define UF_INTERDOMAIN_TRUST_ACCOUNT 0x00000800
+
+#define UF_WORKSTATION_TRUST_ACCOUNT 0x00001000
+#define UF_SERVER_TRUST_ACCOUNT 0x00002000
+#define UF_UNUSED_3 0x00004000
+#define UF_UNUSED_4 0x00008000
+
+#define UF_DONT_EXPIRE_PASSWD 0x00010000
+#define UF_MNS_LOGON_ACCOUNT 0x00020000
+#define UF_SMARTCARD_REQUIRED 0x00040000
+#define UF_TRUSTED_FOR_DELEGATION 0x00080000
+
+#define UF_NOT_DELEGATED 0x00100000
+#define UF_USE_DES_KEY_ONLY 0x00200000
+#define UF_DONT_REQUIRE_PREAUTH 0x00400000
+#define UF_UNUSED_5 0x00800000
+
+#define UF_UNUSED_6 0x01000000
+#define UF_UNUSED_7 0x02000000
+#define UF_UNUSED_8 0x04000000
+#define UF_UNUSED_9 0x08000000
+
+#define UF_UNUSED_10 0x10000000
+#define UF_UNUSED_11 0x20000000
+#define UF_UNUSED_12 0x40000000
+#define UF_UNUSED_13 0x80000000
+
+#define UF_MACHINE_ACCOUNT_MASK (\
+ UF_INTERDOMAIN_TRUST_ACCOUNT |\
+ UF_WORKSTATION_TRUST_ACCOUNT |\
+ UF_SERVER_TRUST_ACCOUNT \
+ )
+
+#define UF_ACCOUNT_TYPE_MASK (\
+ UF_TEMP_DUPLICATE_ACCOUNT |\
+ UF_NORMAL_ACCOUNT |\
+ UF_INTERDOMAIN_TRUST_ACCOUNT |\
+ UF_WORKSTATION_TRUST_ACCOUNT |\
+ UF_SERVER_TRUST_ACCOUNT \
+ )
+
+#define UF_SETTABLE_BITS (\
+ UF_SCRIPT |\
+ UF_ACCOUNTDISABLE |\
+ UF_HOMEDIR_REQUIRED |\
+ UF_LOCKOUT |\
+ UF_PASSWD_NOTREQD |\
+ UF_PASSWD_CANT_CHANGE |\
+ UF_ACCOUNT_TYPE_MASK | \
+ UF_DONT_EXPIRE_PASSWD | \
+ UF_MNS_LOGON_ACCOUNT |\
+ UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED |\
+ UF_SMARTCARD_REQUIRED |\
+ UF_TRUSTED_FOR_DELEGATION |\
+ UF_NOT_DELEGATED |\
+ UF_USE_DES_KEY_ONLY |\
+ UF_DONT_REQUIRE_PREAUTH \
+ )
+
+/* sAMAccountType */
+#define ATYPE_NORMAL_ACCOUNT 0x30000000 /* 805306368 */
+#define ATYPE_WORKSTATION_TRUST 0x30000001 /* 805306369 */
+#define ATYPE_INTERDOMAIN_TRUST 0x30000002 /* 805306370 */
+#define ATYPE_SECURITY_GLOBAL_GROUP 0x10000000 /* 268435456 */
+#define ATYPE_DISTRIBUTION_GLOBAL_GROUP 0x10000001 /* 268435457 */
+#define ATYPE_DISTRIBUTION_UNIVERSAL_GROUP AT_DISTRIBUTION_GLOBAL_GROUP
+#define ATYPE_SECURITY_LOCAL_GROUP 0x20000000 /* 536870912 */
+#define ATYPE_DISTRIBUTION_LOCAL_GROUP 0x20000001 /* 536870913 */
+
+#define ATYPE_ACCOUNT ATYPE_NORMAL_ACCOUNT /* 0x30000000 805306368 */
+#define ATYPE_GLOBAL_GROUP ATYPE_SECURITY_GLOBAL_GROUP /* 0x10000000 268435456 */
+#define ATYPE_LOCAL_GROUP ATYPE_SECURITY_LOCAL_GROUP /* 0x20000000 536870912 */
+
+/* groupType */
+#define GTYPE_SECURITY_BUILTIN_LOCAL_GROUP 0x80000005 /* -2147483643 */
+#define GTYPE_SECURITY_DOMAIN_LOCAL_GROUP 0x80000004 /* -2147483644 */
+#define GTYPE_SECURITY_GLOBAL_GROUP 0x80000002 /* -2147483646 */
+#define GTYPE_DISTRIBUTION_GLOBAL_GROUP 0x00000002 /* 2 */
+#define GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP 0x00000004 /* 4 */
+#define GTYPE_DISTRIBUTION_UNIVERSAL_GROUP 0x00000008 /* 8 */
/* Mailslot or cldap getdcname response flags */
#define ADS_PDC 0x00000001 /* DC is PDC */
diff --git a/source3/libads/ads_status.c b/source3/libads/ads_status.c
index 2d1830435f..d85f9c9b58 100644
--- a/source3/libads/ads_status.c
+++ b/source3/libads/ads_status.c
@@ -30,19 +30,49 @@ ADS_STATUS ads_build_error(enum ads_error_type etype,
int rc, int minor_status)
{
ADS_STATUS ret;
- ret.error_type = etype;
- ret.rc = rc;
+
+ if (etype == ADS_ERROR_NT) {
+ DEBUG(0,("don't use ads_build_error with ADS_ERROR_NT!\n"));
+ ret.err.rc = -1;
+ ret.error_type = ADS_ERROR_SYSTEM;
+ ret.minor_status = 0;
+ return ret;
+ }
+
+ ret.err.rc = rc;
+ ret.error_type = etype;
ret.minor_status = minor_status;
return ret;
}
+ADS_STATUS ads_build_nt_error(enum ads_error_type etype,
+ NTSTATUS nt_status)
+{
+ ADS_STATUS ret;
+
+ if (etype != ADS_ERROR_NT) {
+ DEBUG(0,("don't use ads_build_nt_error without ADS_ERROR_NT!\n"));
+ ret.err.rc = -1;
+ ret.error_type = ADS_ERROR_SYSTEM;
+ ret.minor_status = 0;
+ return ret;
+ }
+ ret.err.nt_status = nt_status;
+ ret.error_type = etype;
+ ret.minor_status = 0;
+ return ret;
+}
+
/*
do a rough conversion between ads error codes and NT status codes
we'll need to fill this in more
*/
-NTSTATUS ads_ntstatus(ADS_STATUS rc)
+NTSTATUS ads_ntstatus(ADS_STATUS status)
{
- if (ADS_ERR_OK(rc)) return NT_STATUS_OK;
+ if (status.error_type == ADS_ERROR_NT){
+ return status.err.nt_status;
+ }
+ if (ADS_ERR_OK(status)) return NT_STATUS_OK;
return NT_STATUS_UNSUCCESSFUL;
}
@@ -59,14 +89,14 @@ const char *ads_errstr(ADS_STATUS status)
switch (status.error_type) {
case ADS_ERROR_SYSTEM:
- return strerror(status.rc);
+ return strerror(status.err.rc);
#ifdef HAVE_LDAP
case ADS_ERROR_LDAP:
- return ldap_err2string(status.rc);
+ return ldap_err2string(status.err.rc);
#endif
#ifdef HAVE_KRB5
case ADS_ERROR_KRB5:
- return error_message(status.rc);
+ return error_message(status.err.rc);
#endif
#ifdef HAVE_GSSAPI
case ADS_ERROR_GSS:
@@ -76,7 +106,7 @@ const char *ads_errstr(ADS_STATUS status)
gss_buffer_desc msg1, msg2;
msg1.value = NULL;
msg2.value = NULL;
- gss_display_status(&minor, status.rc, GSS_C_GSS_CODE,
+ gss_display_status(&minor, status.err.rc, GSS_C_GSS_CODE,
GSS_C_NULL_OID, &msg_ctx, &msg1);
gss_display_status(&minor, status.minor_status, GSS_C_MECH_CODE,
GSS_C_NULL_OID, &msg_ctx, &msg2);
@@ -86,6 +116,8 @@ const char *ads_errstr(ADS_STATUS status)
return ret;
}
#endif
+ case ADS_ERROR_NT:
+ return nt_errstr(ads_ntstatus(status));
default:
return "Unknown ADS error type!? (not compiled in?)";
}
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index 428fc02065..2f70d3a285 100644
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
@@ -1648,6 +1648,7 @@ ADS_STATUS ads_server_info(ADS_STRUCT *ads)
if (!p) {
ldap_value_free(values);
ldap_msgfree(res);
+ DEBUG(1, ("ads_server_info: returned ldap server name did not contain a ':' so was deemed invalid\n"));
return ADS_ERROR(LDAP_DECODING_ERROR);
}
@@ -1659,6 +1660,7 @@ ADS_STATUS ads_server_info(ADS_STRUCT *ads)
ldap_value_free(values);
ldap_msgfree(res);
SAFE_FREE(ads->config.ldap_server_name);
+ DEBUG(1, ("ads_server_info: returned ldap server name did not contain '$@' so was deemed invalid\n"));
return ADS_ERROR(LDAP_DECODING_ERROR);
}
diff --git a/source3/nsswitch/winbindd_ads.c b/source3/nsswitch/winbindd_ads.c
index b0b70178a4..4f91ed0f20 100644
--- a/source3/nsswitch/winbindd_ads.c
+++ b/source3/nsswitch/winbindd_ads.c
@@ -143,7 +143,7 @@ static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain)
/* if we get ECONNREFUSED then it might be a NT4
server, fall back to MSRPC */
if (status.error_type == ADS_ERROR_SYSTEM &&
- status.rc == ECONNREFUSED) {
+ status.err.rc == ECONNREFUSED) {
DEBUG(1,("Trying MSRPC methods\n"));
domain->methods = &msrpc_methods;
}
@@ -170,9 +170,9 @@ static void sid_from_rid(struct winbindd_domain *domain, uint32 rid, DOM_SID *si
static enum SID_NAME_USE ads_atype_map(uint32 atype)
{
switch (atype & 0xF0000000) {
- case ATYPE_GROUP:
+ case ATYPE_GLOBAL_GROUP:
return SID_NAME_DOM_GRP;
- case ATYPE_USER:
+ case ATYPE_ACCOUNT:
return SID_NAME_USER;
default:
DEBUG(1,("hmm, need to map account type 0x%x\n", atype));
@@ -339,7 +339,7 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
if (!ads_pull_uint32(ads, msg, "sAMAccountType",
&account_type) ||
- !(account_type & ATYPE_GROUP)) continue;
+ !(account_type & ATYPE_GLOBAL_GROUP)) continue;
name = pull_username(ads, mem_ctx, msg);
gecos = ads_pull_string(ads, mem_ctx, msg, "name");
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index c37c655fd1..0253422596 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -313,6 +313,9 @@ static int reply_spnego_negotiate(connection_struct *conn,
NTLMSSP_NEGOTIATE_128 |
NTLMSSP_NEGOTIATE_NTLM |
NTLMSSP_CHAL_TARGET_INFO;
+
+ if (neg_flags & NTLMSSP_NEGOTIATE_NTLM2)
+ chal_flags |= NTLMSSP_NEGOTIATE_NTLM2;
{
DATA_BLOB domain_blob, struct_blob;
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index eb1c3fe059..8c85bd82f9 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -635,7 +635,7 @@ int net_ads_join(int argc, const char **argv)
rc = ads_search_dn(ads, &res, dn, NULL);
ads_msgfree(ads, res);
- if (rc.error_type == ADS_ERROR_LDAP && rc.rc == LDAP_NO_SUCH_OBJECT) {
+ if (rc.error_type == ADS_ERROR_LDAP && rc.err.rc == LDAP_NO_SUCH_OBJECT) {
d_printf("ads_join_realm: organizational unit %s does not exist (dn:%s)\n",
org_unit, dn);
return -1;