diff options
-rw-r--r-- | source3/Makefile.in | 2 | ||||
-rw-r--r-- | source3/include/ads.h | 124 | ||||
-rw-r--r-- | source3/libads/ads_status.c | 48 | ||||
-rw-r--r-- | source3/libads/ldap.c | 2 | ||||
-rw-r--r-- | source3/nsswitch/winbindd_ads.c | 8 | ||||
-rw-r--r-- | source3/smbd/sesssetup.c | 3 | ||||
-rw-r--r-- | source3/utils/net_ads.c | 2 |
7 files changed, 154 insertions, 35 deletions
diff --git a/source3/Makefile.in b/source3/Makefile.in index 499a098577..531ca74474 100644 --- a/source3/Makefile.in +++ b/source3/Makefile.in @@ -153,7 +153,7 @@ PARAM_OBJ = param/loadparm.o param/params.o dynconfig.o LIBADS_OBJ = libads/ldap.o libads/ldap_printer.o libads/sasl.o \ libads/krb5_setpw.o libads/kerberos.o libads/ldap_user.o \ libads/ads_struct.o libads/ads_status.o \ - libads/disp_sec.o + libads/disp_sec.o libads/ads_utils.o LIBADS_SERVER_OBJ = libads/util.o libads/kerberos_verify.o diff --git a/source3/include/ads.h b/source3/include/ads.h index 7504a369b4..6106eb6b40 100644 --- a/source3/include/ads.h +++ b/source3/include/ads.h @@ -92,11 +92,14 @@ typedef struct { /* there are 4 possible types of errors the ads subsystem can produce */ enum ads_error_type {ADS_ERROR_KRB5, ADS_ERROR_GSS, - ADS_ERROR_LDAP, ADS_ERROR_SYSTEM}; + ADS_ERROR_LDAP, ADS_ERROR_SYSTEM, ADS_ERROR_NT}; typedef struct { enum ads_error_type error_type; - int rc; + union err_state{ + int rc; + NTSTATUS nt_status; + } err; /* For error_type = ADS_ERROR_GSS minor_status describe GSS API error */ /* Where rc represents major_status of GSS API error */ int minor_status; @@ -109,12 +112,14 @@ typedef void **ADS_MODLIST; #endif /* macros to simplify error returning */ -#define ADS_ERROR(rc) ads_build_error(ADS_ERROR_LDAP, rc, 0) +#define ADS_ERROR(rc) ADS_ERROR_LDAP(rc) +#define ADS_ERROR_LDAP(rc) ads_build_error(ADS_ERROR_LDAP, rc, 0) #define ADS_ERROR_SYSTEM(rc) ads_build_error(ADS_ERROR_SYSTEM, rc?rc:EINVAL, 0) #define ADS_ERROR_KRB5(rc) ads_build_error(ADS_ERROR_KRB5, rc, 0) #define ADS_ERROR_GSS(rc, minor) ads_build_error(ADS_ERROR_GSS, rc, minor) +#define ADS_ERROR_NT(rc) ads_build_nt_error(ADS_ERROR_NT,rc) -#define ADS_ERR_OK(status) ((status).rc == 0) +#define ADS_ERR_OK(status) ((status.error_type == ADS_ERROR_NT) ? NT_STATUS_IS_OK(status.err.nt_status):(status.err.rc == 0)) #define ADS_SUCCESS ADS_ERROR(0) /* time between reconnect attempts */ @@ -128,23 +133,100 @@ typedef void **ADS_MODLIST; #define ADS_NO_REFERRALS_OID "1.2.840.113556.1.4.1339" #define ADS_SERVER_SORT_OID "1.2.840.113556.1.4.473" -#define UF_DONT_EXPIRE_PASSWD 0x10000 -#define UF_MNS_LOGON_ACCOUNT 0x20000 -#define UF_SMARTCARD_REQUIRED 0x40000 -#define UF_TRUSTED_FOR_DELEGATION 0x80000 -#define UF_NOT_DELEGATED 0x100000 -#define UF_USE_DES_KEY_ONLY 0x200000 -#define UF_DONT_REQUIRE_PREAUTH 0x400000 - -#define UF_TEMP_DUPLICATE_ACCOUNT 0x0100 -#define UF_NORMAL_ACCOUNT 0x0200 -#define UF_INTERDOMAIN_TRUST_ACCOUNT 0x0800 -#define UF_WORKSTATION_TRUST_ACCOUNT 0x1000 -#define UF_SERVER_TRUST_ACCOUNT 0x2000 - -/* account types */ -#define ATYPE_GROUP 0x10000000 -#define ATYPE_USER 0x30000000 +/* UserFlags for userAccountControl */ +#define UF_SCRIPT 0x00000001 +#define UF_ACCOUNTDISABLE 0x00000002 +#define UF_UNUSED_1 0x00000004 +#define UF_HOMEDIR_REQUIRED 0x00000008 + +#define UF_LOCKOUT 0x00000010 +#define UF_PASSWD_NOTREQD 0x00000020 +#define UF_PASSWD_CANT_CHANGE 0x00000040 +#define UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED 0x00000080 + +#define UF_TEMP_DUPLICATE_ACCOUNT 0x00000100 +#define UF_NORMAL_ACCOUNT 0x00000200 +#define UF_UNUSED_2 0x00000400 +#define UF_INTERDOMAIN_TRUST_ACCOUNT 0x00000800 + +#define UF_WORKSTATION_TRUST_ACCOUNT 0x00001000 +#define UF_SERVER_TRUST_ACCOUNT 0x00002000 +#define UF_UNUSED_3 0x00004000 +#define UF_UNUSED_4 0x00008000 + +#define UF_DONT_EXPIRE_PASSWD 0x00010000 +#define UF_MNS_LOGON_ACCOUNT 0x00020000 +#define UF_SMARTCARD_REQUIRED 0x00040000 +#define UF_TRUSTED_FOR_DELEGATION 0x00080000 + +#define UF_NOT_DELEGATED 0x00100000 +#define UF_USE_DES_KEY_ONLY 0x00200000 +#define UF_DONT_REQUIRE_PREAUTH 0x00400000 +#define UF_UNUSED_5 0x00800000 + +#define UF_UNUSED_6 0x01000000 +#define UF_UNUSED_7 0x02000000 +#define UF_UNUSED_8 0x04000000 +#define UF_UNUSED_9 0x08000000 + +#define UF_UNUSED_10 0x10000000 +#define UF_UNUSED_11 0x20000000 +#define UF_UNUSED_12 0x40000000 +#define UF_UNUSED_13 0x80000000 + +#define UF_MACHINE_ACCOUNT_MASK (\ + UF_INTERDOMAIN_TRUST_ACCOUNT |\ + UF_WORKSTATION_TRUST_ACCOUNT |\ + UF_SERVER_TRUST_ACCOUNT \ + ) + +#define UF_ACCOUNT_TYPE_MASK (\ + UF_TEMP_DUPLICATE_ACCOUNT |\ + UF_NORMAL_ACCOUNT |\ + UF_INTERDOMAIN_TRUST_ACCOUNT |\ + UF_WORKSTATION_TRUST_ACCOUNT |\ + UF_SERVER_TRUST_ACCOUNT \ + ) + +#define UF_SETTABLE_BITS (\ + UF_SCRIPT |\ + UF_ACCOUNTDISABLE |\ + UF_HOMEDIR_REQUIRED |\ + UF_LOCKOUT |\ + UF_PASSWD_NOTREQD |\ + UF_PASSWD_CANT_CHANGE |\ + UF_ACCOUNT_TYPE_MASK | \ + UF_DONT_EXPIRE_PASSWD | \ + UF_MNS_LOGON_ACCOUNT |\ + UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED |\ + UF_SMARTCARD_REQUIRED |\ + UF_TRUSTED_FOR_DELEGATION |\ + UF_NOT_DELEGATED |\ + UF_USE_DES_KEY_ONLY |\ + UF_DONT_REQUIRE_PREAUTH \ + ) + +/* sAMAccountType */ +#define ATYPE_NORMAL_ACCOUNT 0x30000000 /* 805306368 */ +#define ATYPE_WORKSTATION_TRUST 0x30000001 /* 805306369 */ +#define ATYPE_INTERDOMAIN_TRUST 0x30000002 /* 805306370 */ +#define ATYPE_SECURITY_GLOBAL_GROUP 0x10000000 /* 268435456 */ +#define ATYPE_DISTRIBUTION_GLOBAL_GROUP 0x10000001 /* 268435457 */ +#define ATYPE_DISTRIBUTION_UNIVERSAL_GROUP AT_DISTRIBUTION_GLOBAL_GROUP +#define ATYPE_SECURITY_LOCAL_GROUP 0x20000000 /* 536870912 */ +#define ATYPE_DISTRIBUTION_LOCAL_GROUP 0x20000001 /* 536870913 */ + +#define ATYPE_ACCOUNT ATYPE_NORMAL_ACCOUNT /* 0x30000000 805306368 */ +#define ATYPE_GLOBAL_GROUP ATYPE_SECURITY_GLOBAL_GROUP /* 0x10000000 268435456 */ +#define ATYPE_LOCAL_GROUP ATYPE_SECURITY_LOCAL_GROUP /* 0x20000000 536870912 */ + +/* groupType */ +#define GTYPE_SECURITY_BUILTIN_LOCAL_GROUP 0x80000005 /* -2147483643 */ +#define GTYPE_SECURITY_DOMAIN_LOCAL_GROUP 0x80000004 /* -2147483644 */ +#define GTYPE_SECURITY_GLOBAL_GROUP 0x80000002 /* -2147483646 */ +#define GTYPE_DISTRIBUTION_GLOBAL_GROUP 0x00000002 /* 2 */ +#define GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP 0x00000004 /* 4 */ +#define GTYPE_DISTRIBUTION_UNIVERSAL_GROUP 0x00000008 /* 8 */ /* Mailslot or cldap getdcname response flags */ #define ADS_PDC 0x00000001 /* DC is PDC */ diff --git a/source3/libads/ads_status.c b/source3/libads/ads_status.c index 2d1830435f..d85f9c9b58 100644 --- a/source3/libads/ads_status.c +++ b/source3/libads/ads_status.c @@ -30,19 +30,49 @@ ADS_STATUS ads_build_error(enum ads_error_type etype, int rc, int minor_status) { ADS_STATUS ret; - ret.error_type = etype; - ret.rc = rc; + + if (etype == ADS_ERROR_NT) { + DEBUG(0,("don't use ads_build_error with ADS_ERROR_NT!\n")); + ret.err.rc = -1; + ret.error_type = ADS_ERROR_SYSTEM; + ret.minor_status = 0; + return ret; + } + + ret.err.rc = rc; + ret.error_type = etype; ret.minor_status = minor_status; return ret; } +ADS_STATUS ads_build_nt_error(enum ads_error_type etype, + NTSTATUS nt_status) +{ + ADS_STATUS ret; + + if (etype != ADS_ERROR_NT) { + DEBUG(0,("don't use ads_build_nt_error without ADS_ERROR_NT!\n")); + ret.err.rc = -1; + ret.error_type = ADS_ERROR_SYSTEM; + ret.minor_status = 0; + return ret; + } + ret.err.nt_status = nt_status; + ret.error_type = etype; + ret.minor_status = 0; + return ret; +} + /* do a rough conversion between ads error codes and NT status codes we'll need to fill this in more */ -NTSTATUS ads_ntstatus(ADS_STATUS rc) +NTSTATUS ads_ntstatus(ADS_STATUS status) { - if (ADS_ERR_OK(rc)) return NT_STATUS_OK; + if (status.error_type == ADS_ERROR_NT){ + return status.err.nt_status; + } + if (ADS_ERR_OK(status)) return NT_STATUS_OK; return NT_STATUS_UNSUCCESSFUL; } @@ -59,14 +89,14 @@ const char *ads_errstr(ADS_STATUS status) switch (status.error_type) { case ADS_ERROR_SYSTEM: - return strerror(status.rc); + return strerror(status.err.rc); #ifdef HAVE_LDAP case ADS_ERROR_LDAP: - return ldap_err2string(status.rc); + return ldap_err2string(status.err.rc); #endif #ifdef HAVE_KRB5 case ADS_ERROR_KRB5: - return error_message(status.rc); + return error_message(status.err.rc); #endif #ifdef HAVE_GSSAPI case ADS_ERROR_GSS: @@ -76,7 +106,7 @@ const char *ads_errstr(ADS_STATUS status) gss_buffer_desc msg1, msg2; msg1.value = NULL; msg2.value = NULL; - gss_display_status(&minor, status.rc, GSS_C_GSS_CODE, + gss_display_status(&minor, status.err.rc, GSS_C_GSS_CODE, GSS_C_NULL_OID, &msg_ctx, &msg1); gss_display_status(&minor, status.minor_status, GSS_C_MECH_CODE, GSS_C_NULL_OID, &msg_ctx, &msg2); @@ -86,6 +116,8 @@ const char *ads_errstr(ADS_STATUS status) return ret; } #endif + case ADS_ERROR_NT: + return nt_errstr(ads_ntstatus(status)); default: return "Unknown ADS error type!? (not compiled in?)"; } diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c index 428fc02065..2f70d3a285 100644 --- a/source3/libads/ldap.c +++ b/source3/libads/ldap.c @@ -1648,6 +1648,7 @@ ADS_STATUS ads_server_info(ADS_STRUCT *ads) if (!p) { ldap_value_free(values); ldap_msgfree(res); + DEBUG(1, ("ads_server_info: returned ldap server name did not contain a ':' so was deemed invalid\n")); return ADS_ERROR(LDAP_DECODING_ERROR); } @@ -1659,6 +1660,7 @@ ADS_STATUS ads_server_info(ADS_STRUCT *ads) ldap_value_free(values); ldap_msgfree(res); SAFE_FREE(ads->config.ldap_server_name); + DEBUG(1, ("ads_server_info: returned ldap server name did not contain '$@' so was deemed invalid\n")); return ADS_ERROR(LDAP_DECODING_ERROR); } diff --git a/source3/nsswitch/winbindd_ads.c b/source3/nsswitch/winbindd_ads.c index b0b70178a4..4f91ed0f20 100644 --- a/source3/nsswitch/winbindd_ads.c +++ b/source3/nsswitch/winbindd_ads.c @@ -143,7 +143,7 @@ static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain) /* if we get ECONNREFUSED then it might be a NT4 server, fall back to MSRPC */ if (status.error_type == ADS_ERROR_SYSTEM && - status.rc == ECONNREFUSED) { + status.err.rc == ECONNREFUSED) { DEBUG(1,("Trying MSRPC methods\n")); domain->methods = &msrpc_methods; } @@ -170,9 +170,9 @@ static void sid_from_rid(struct winbindd_domain *domain, uint32 rid, DOM_SID *si static enum SID_NAME_USE ads_atype_map(uint32 atype) { switch (atype & 0xF0000000) { - case ATYPE_GROUP: + case ATYPE_GLOBAL_GROUP: return SID_NAME_DOM_GRP; - case ATYPE_USER: + case ATYPE_ACCOUNT: return SID_NAME_USER; default: DEBUG(1,("hmm, need to map account type 0x%x\n", atype)); @@ -339,7 +339,7 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain, if (!ads_pull_uint32(ads, msg, "sAMAccountType", &account_type) || - !(account_type & ATYPE_GROUP)) continue; + !(account_type & ATYPE_GLOBAL_GROUP)) continue; name = pull_username(ads, mem_ctx, msg); gecos = ads_pull_string(ads, mem_ctx, msg, "name"); diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c index c37c655fd1..0253422596 100644 --- a/source3/smbd/sesssetup.c +++ b/source3/smbd/sesssetup.c @@ -313,6 +313,9 @@ static int reply_spnego_negotiate(connection_struct *conn, NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_CHAL_TARGET_INFO; + + if (neg_flags & NTLMSSP_NEGOTIATE_NTLM2) + chal_flags |= NTLMSSP_NEGOTIATE_NTLM2; { DATA_BLOB domain_blob, struct_blob; diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c index eb1c3fe059..8c85bd82f9 100644 --- a/source3/utils/net_ads.c +++ b/source3/utils/net_ads.c @@ -635,7 +635,7 @@ int net_ads_join(int argc, const char **argv) rc = ads_search_dn(ads, &res, dn, NULL); ads_msgfree(ads, res); - if (rc.error_type == ADS_ERROR_LDAP && rc.rc == LDAP_NO_SUCH_OBJECT) { + if (rc.error_type == ADS_ERROR_LDAP && rc.err.rc == LDAP_NO_SUCH_OBJECT) { d_printf("ads_join_realm: organizational unit %s does not exist (dn:%s)\n", org_unit, dn); return -1; |