Diffstat (limited to 'source3/libads')
-rw-r--r--source3/libads/ads_status.c6
-rw-r--r--source3/libads/ads_struct.c1
-rw-r--r--source3/libads/ads_utils.c20
-rw-r--r--source3/libads/disp_sec.c3
-rw-r--r--source3/libads/kerberos.c9
-rw-r--r--source3/libads/krb5_setpw.c31
-rw-r--r--source3/libads/ldap.c202
-rw-r--r--source3/libads/sasl.c4
8 files changed, 74 insertions, 202 deletions
diff --git a/source3/libads/ads_status.c b/source3/libads/ads_status.c
index 80fdb99eac..d85f9c9b58 100644
--- a/source3/libads/ads_status.c
+++ b/source3/libads/ads_status.c
@@ -72,12 +72,6 @@ NTSTATUS ads_ntstatus(ADS_STATUS status)
if (status.error_type == ADS_ERROR_NT){
return status.err.nt_status;
}
-#ifdef HAVE_LDAP
- if ((status.error_type == ADS_ERROR_LDAP)
- && (status.err.rc == LDAP_NO_MEMORY)) {
- return NT_STATUS_NO_MEMORY;
- }
-#endif
if (ADS_ERR_OK(status)) return NT_STATUS_OK;
return NT_STATUS_UNSUCCESSFUL;
}
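Review bot: With the LDAP_NO_MEMORY mapping removed, an out-of-memory error reported by the LDAP layer now falls through to the final `return NT_STATUS_UNSUCCESSFUL;`, so callers that distinguish allocation failure from a generic failure lose that signal. If the `#ifdef HAVE_LDAP` guard was the reason for dropping it, the same three-line mapping could live under the `HAVE_ADS` guard the rest of this commit adopts for libads, e.g. `if (status.error_type == ADS_ERROR_LDAP && status.err.rc == LDAP_NO_MEMORY) return NT_STATUS_NO_MEMORY;`. ads_ntstatus's opening lines are outside the hunk.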
diff --git a/source3/libads/ads_struct.c b/source3/libads/ads_struct.c
index 3cdd015bf4..b68c822ce3 100644
--- a/source3/libads/ads_struct.c
+++ b/source3/libads/ads_struct.c
@@ -122,7 +122,6 @@ void ads_destroy(ADS_STRUCT **ads)
SAFE_FREE((*ads)->server.realm);
SAFE_FREE((*ads)->server.workgroup);
SAFE_FREE((*ads)->server.ldap_server);
- SAFE_FREE((*ads)->server.ldap_uri);
SAFE_FREE((*ads)->auth.realm);
SAFE_FREE((*ads)->auth.password);
diff --git a/source3/libads/ads_utils.c b/source3/libads/ads_utils.c
index 626c177926..fc8a270021 100644
--- a/source3/libads/ads_utils.c
+++ b/source3/libads/ads_utils.c
@@ -3,8 +3,7 @@
ads (active directory) utility library
Copyright (C) Stefan (metze) Metzmacher 2002
- Copyright (C) Andrew Tridgell 2001
-
+
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
@@ -22,6 +21,9 @@
#include "includes.h"
+#ifdef HAVE_ADS
+
+
/*
translated the ACB_CTRL Flags to UserFlags (userAccountControl)
*/
@@ -166,16 +168,4 @@ uint32 ads_gtype2atype(uint32 gtype)
return atype;
}
-/* turn a sAMAccountType into a SID_NAME_USE */
-enum SID_NAME_USE ads_atype_map(uint32 atype)
-{
- switch (atype & 0xF0000000) {
- case ATYPE_GLOBAL_GROUP:
- return SID_NAME_DOM_GRP;
- case ATYPE_ACCOUNT:
- return SID_NAME_USER;
- default:
- DEBUG(1,("hmm, need to map account type 0x%x\n", atype));
- }
- return SID_NAME_UNKNOWN;
-}
+#endif
diff --git a/source3/libads/disp_sec.c b/source3/libads/disp_sec.c
index a7b0bf6f07..a930fd6fe0 100644
--- a/source3/libads/disp_sec.c
+++ b/source3/libads/disp_sec.c
@@ -20,6 +20,8 @@
#include "includes.h"
+#ifdef HAVE_ADS
+
static struct perm_mask_str {
uint32 mask;
char *str;
@@ -156,4 +158,5 @@ void ads_disp_sd(SEC_DESC *sd)
printf("-------------- End Of Security Descriptor\n");
}
+#endif
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index b586d84226..a80837cf4d 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -114,14 +114,7 @@ int ads_kinit_password(ADS_STRUCT *ads)
char *s;
int ret;
- if (asprintf(&s, "%s@%s", ads->auth.user_name, ads->auth.realm) == -1) {
- return KRB5_CC_NOMEM;
- }
-
- if (!ads->auth.password) {
- return KRB5_LIBOS_CANTREADPWD;
- }
-
+ asprintf(&s, "%s@%s", ads->auth.user_name, ads->auth.realm);
ret = kerberos_kinit_password(s, ads->auth.password, ads->auth.time_offset);
if (ret) {
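Review bot: The asprintf() result on the added line is no longer checked, so on allocation failure `s` is left indeterminate and is handed to kerberos_kinit_password() on the next line; the NULL-password guard is gone as well, so a NULL ads->auth.password now reaches the kinit call instead of being rejected up front. Both checks are one line each: `if (asprintf(&s, "%s@%s", ads->auth.user_name, ads->auth.realm) == -1) return KRB5_CC_NOMEM;` and `if (!ads->auth.password) return KRB5_LIBOS_CANTREADPWD;`. The same unchecked asprintf() pattern is introduced in ldap.c in ads_find_machine_acct, ads_set_machine_sd and the moved ads_set_machine_password, where the resulting pointer is likewise passed on and then free()d. ads_kinit_password's body continues outside the hunk.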
diff --git a/source3/libads/krb5_setpw.c b/source3/libads/krb5_setpw.c
index 8079c0953f..a49b6cbe3b 100644
--- a/source3/libads/krb5_setpw.c
+++ b/source3/libads/krb5_setpw.c
@@ -471,35 +471,4 @@ ADS_STATUS kerberos_set_password(const char *kpasswd_server,
}
-/**
- * Set the machine account password
- * @param ads connection to ads server
- * @param hostname machine whose password is being set
- * @param password new password
- * @return status of password change
- **/
-ADS_STATUS ads_set_machine_password(ADS_STRUCT *ads,
- const char *hostname,
- const char *password)
-{
- ADS_STATUS status;
- char *host = strdup(hostname);
- char *principal;
-
- strlower(host);
-
- /*
- we need to use the '$' form of the name here, as otherwise the
- server might end up setting the password for a user instead
- */
- asprintf(&principal, "%s$@%s", host, ads->auth.realm);
-
- status = krb5_set_password(ads->auth.kdc_server, principal, password, ads->auth.time_offset);
-
- free(host);
- free(principal);
-
- return status;
-}
-
#endif
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index 2133bf0719..7a0afb1a81 100644
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
@@ -22,7 +22,7 @@
#include "includes.h"
-#ifdef HAVE_LDAP
+#ifdef HAVE_ADS
/**
* @file ldap.c
@@ -67,29 +67,6 @@ static BOOL ads_try_connect(ADS_STRUCT *ads, const char *server, unsigned port)
return True;
}
-/*
- try a connection to a given ldap server, based on URL, returning True if successful
- */
-static BOOL ads_try_connect_uri(ADS_STRUCT *ads)
-{
-#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
- DEBUG(5,("ads_try_connect: trying ldap server at URI '%s'\n",
- ads->server.ldap_uri));
-
-
- if (ldap_initialize((LDAP**)&(ads->ld), ads->server.ldap_uri) == LDAP_SUCCESS) {
- return True;
- }
- DEBUG(0, ("ldap_initialize: %s\n", strerror(errno)));
-
-#else
-
- DEBUG(1, ("no URL support in LDAP libs!\n"));
-#endif
-
- return False;
-}
-
/* used by the IP comparison function */
struct ldap_ip {
struct in_addr ip;
@@ -233,13 +210,6 @@ ADS_STATUS ads_connect(ADS_STRUCT *ads)
ads->last_attempt = time(NULL);
ads->ld = NULL;
- /* try with a URL based server */
-
- if (ads->server.ldap_uri &&
- ads_try_connect_uri(ads)) {
- goto got_connection;
- }
-
/* try with a user specified server */
if (ads->server.ldap_server &&
ads_try_connect(ads, ads->server.ldap_server, LDAP_PORT)) {
@@ -308,14 +278,6 @@ got_connection:
return ADS_SUCCESS;
}
- if (ads->auth.flags & ADS_AUTH_ANON_BIND) {
- return ADS_ERROR(ldap_simple_bind_s( ads->ld, NULL, NULL));
- }
-
- if (ads->auth.flags & ADS_AUTH_SIMPLE_BIND) {
- return ADS_ERROR(ldap_simple_bind_s( ads->ld, ads->auth.user_name, ads->auth.password));
- }
-
return ads_sasl_bind(ads);
}
@@ -779,11 +741,7 @@ ADS_STATUS ads_find_machine_acct(ADS_STRUCT *ads, void **res, const char *host)
/* the easiest way to find a machine account anywhere in the tree
is to look for hostname$ */
- if (asprintf(&exp, "(samAccountName=%s$)", host) == -1) {
- DEBUG(1, ("asprintf failed!\n"));
- return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
- }
-
+ asprintf(&exp, "(samAccountName=%s$)", host);
status = ads_search(ads, res, exp, attrs);
free(exp);
return status;
@@ -940,15 +898,13 @@ ADS_STATUS ads_gen_mod(ADS_STRUCT *ads, const char *mod_dn, ADS_MODLIST mods)
controls[0] = &PermitModify;
controls[1] = NULL;
- if (push_utf8_allocate(&utf8_dn, mod_dn) == -1) {
- return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
- }
+ push_utf8_allocate((void **) &utf8_dn, mod_dn);
/* find the end of the list, marked by NULL or -1 */
for(i=0;(mods[i]!=0)&&(mods[i]!=(LDAPMod *) -1);i++);
/* make sure the end of the list is NULL */
mods[i] = NULL;
- ret = ldap_modify_ext_s(ads->ld, utf8_dn,
+ ret = ldap_modify_ext_s(ads->ld, utf8_dn ? utf8_dn : mod_dn,
(LDAPMod **) mods, controls, NULL);
SAFE_FREE(utf8_dn);
return ADS_ERROR(ret);
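Review bot: A push_utf8_allocate() failure is now silent: utf8_dn stays NULL and the `utf8_dn ? utf8_dn : mod_dn` fallback in the ldap_modify_ext_s call sends the unconverted DN, so a DN containing non-ASCII characters would be submitted in the wrong encoding rather than the call failing. Returning an error on conversion failure keeps the behaviour explicit: `if (push_utf8_allocate(&utf8_dn, mod_dn) == -1) return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);`. The `(void **)` cast applied to a `char **` also hides any mismatch with push_utf8_allocate's declared parameter type; if it takes `char **` the cast is unnecessary, and if it does not, the cast suppresses a warning worth seeing. The same pattern is repeated in ads_gen_add and ads_del_dn below; ads_gen_mod starts outside the hunk.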
@@ -966,10 +922,7 @@ ADS_STATUS ads_gen_add(ADS_STRUCT *ads, const char *new_dn, ADS_MODLIST mods)
int ret, i;
char *utf8_dn = NULL;
- if (push_utf8_allocate(&utf8_dn, new_dn) == -1) {
- DEBUG(1, ("ads_gen_add: push_utf8_allocate failed!"));
- return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
- }
+ push_utf8_allocate((void **) &utf8_dn, new_dn);
/* find the end of the list, marked by NULL or -1 */
for(i=0;(mods[i]!=0)&&(mods[i]!=(LDAPMod *) -1);i++);
@@ -991,11 +944,7 @@ ADS_STATUS ads_del_dn(ADS_STRUCT *ads, char *del_dn)
{
int ret;
char *utf8_dn = NULL;
- if (push_utf8_allocate(&utf8_dn, del_dn) == -1) {
- DEBUG(1, ("ads_del_dn: push_utf8_allocate failed!"));
- return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
- }
-
+ push_utf8_allocate((void **) &utf8_dn, del_dn);
ret = ldap_delete(ads->ld, utf8_dn ? utf8_dn : del_dn);
return ADS_ERROR(ret);
}
@@ -1042,10 +991,6 @@ static ADS_STATUS ads_add_machine_acct(ADS_STRUCT *ads, const char *hostname,
if (!(host_upn = talloc_asprintf(ctx, "%s@%s", host_spn, ads->config.realm)))
goto done;
ou_str = ads_ou_string(org_unit);
- if (!ou_str) {
- DEBUG(1, ("ads_ou_string returned NULL (malloc failure?)\n"));
- goto done;
- }
new_dn = talloc_asprintf(ctx, "cn=%s,%s,%s", hostname, ou_str,
ads->config.bind_path);
free(ou_str);
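Review bot: ou_str can be NULL here (the removed check documented that ads_ou_string returns NULL on allocation failure), and it is now passed straight to a `%s` in the talloc_asprintf call that builds new_dn, which is undefined behaviour for a NULL string argument. A one-line guard keeps the existing cleanup path: `if (!ou_str) goto done;`. ads_add_machine_acct starts and ends outside the hunk.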
@@ -1375,7 +1320,9 @@ ADS_STATUS ads_set_machine_sd(ADS_STRUCT *ads, const char *hostname, char *dn)
const char *attrs[] = {"ntSecurityDescriptor", "objectSid", 0};
char *exp = 0;
size_t sd_size = 0;
+ struct berval **bvals = 0;
struct berval bval = {0, NULL};
+ prs_struct ps;
prs_struct ps_wire;
LDAPMessage *res = 0;
@@ -1392,39 +1339,37 @@ ADS_STATUS ads_set_machine_sd(ADS_STRUCT *ads, const char *hostname, char *dn)
ret = ADS_ERROR(LDAP_SUCCESS);
- if (asprintf(&exp, "(samAccountName=%s$)", hostname) == -1) {
- DEBUG(1, ("ads_set_machine_sd: asprintf failed!\n"));
- return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
- }
-
+ asprintf(&exp, "(samAccountName=%s$)", hostname);
ret = ads_search(ads, (void *) &res, exp, attrs);
if (!ADS_ERR_OK(ret)) return ret;
msg = ads_first_entry(ads, res);
+ bvals = ldap_get_values_len(ads->ld, msg, attrs[0]);
ads_pull_sid(ads, msg, attrs[1], &sid);
- if (!(ctx = talloc_init_named("sec_io_desc"))) {
- ret = ADS_ERROR(LDAP_NO_MEMORY);
- goto ads_set_sd_error;
- }
+ ads_msgfree(ads, res);
+#if 0
+ file_save("/tmp/sec_desc.old", bvals[0]->bv_val, bvals[0]->bv_len);
+#endif
+ if (!(ctx = talloc_init_named("sec_io_desc")))
+ return ADS_ERROR(LDAP_NO_MEMORY);
- if (!ads_pull_sd(ads, ctx, msg, attrs[0], &psd)) {
- ret = ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
+ prs_init(&ps, bvals[0]->bv_len, ctx, UNMARSHALL);
+ prs_append_data(&ps, bvals[0]->bv_val, bvals[0]->bv_len);
+ ps.data_offset = 0;
+ ldap_value_free_len(bvals);
+
+ if (!sec_io_desc("sd", &psd, &ps, 1))
goto ads_set_sd_error;
- }
status = sec_desc_add_sid(ctx, &psd, &sid, SEC_RIGHTS_FULL_CTRL, &sd_size);
- if (!NT_STATUS_IS_OK(status)) {
- ret = ADS_ERROR_NT(status);
+ if (!NT_STATUS_IS_OK(status))
goto ads_set_sd_error;
- }
prs_init(&ps_wire, sd_size, ctx, MARSHALL);
- if (!sec_io_desc("sd_wire", &psd, &ps_wire, 1)) {
- ret = ADS_ERROR(LDAP_NO_MEMORY);
+ if (!sec_io_desc("sd_wire", &psd, &ps_wire, 1))
goto ads_set_sd_error;
- }
#if 0
file_save("/tmp/sec_desc.new", ps_wire.data_p, sd_size);
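Review bot: bvals from ldap_get_values_len() is dereferenced as `bvals[0]->bv_len` and `bvals[0]->bv_val` without checking that bvals or bvals[0] is non-NULL, so a machine account with no ntSecurityDescriptor value, or an allocation failure inside the LDAP library, dereferences NULL; msg from ads_first_entry() is also used unchecked. The removed ads_pull_sd had both checks. A guard directly after the ldap_get_values_len call covers the first: `if (!bvals || !bvals[0]) { ads_msgfree(ads, res); return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER); }`. The talloc_init_named() failure path that follows returns without ldap_value_free_len(bvals), leaking the values it fetched; the hunk continues into the next one and ads_set_machine_sd ends there.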
@@ -1436,11 +1381,47 @@ ADS_STATUS ads_set_machine_sd(ADS_STRUCT *ads, const char *hostname, char *dn)
ads_mod_ber(ctx, &mods, attrs[0], &bval);
ret = ads_gen_mod(ads, dn, mods);
-ads_set_sd_error:
- ads_msgfree(ads, res);
+ prs_mem_free(&ps);
prs_mem_free(&ps_wire);
talloc_destroy(ctx);
return ret;
+
+ads_set_sd_error:
+ prs_mem_free(&ps);
+ prs_mem_free(&ps_wire);
+ talloc_destroy(ctx);
+ return ADS_ERROR(LDAP_NO_MEMORY);
+}
+
+/**
+ * Set the machine account password
+ * @param ads connection to ads server
+ * @param hostname machine whose password is being set
+ * @param password new password
+ * @return status of password change
+ **/
+ADS_STATUS ads_set_machine_password(ADS_STRUCT *ads,
+ const char *hostname,
+ const char *password)
+{
+ ADS_STATUS status;
+ char *host = strdup(hostname);
+ char *principal;
+
+ strlower(host);
+
+ /*
+ we need to use the '$' form of the name here, as otherwise the
+ server might end up setting the password for a user instead
+ */
+ asprintf(&principal, "%s$@%s", host, ads->auth.realm);
+
+ status = krb5_set_password(ads->auth.kdc_server, principal, password, ads->auth.time_offset);
+
+ free(host);
+ free(principal);
+
+ return status;
}
/**
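Review bot: The new ads_set_sd_error label calls prs_mem_free(&ps_wire), but it is reached from the sec_io_desc("sd") and sec_desc_add_sid failures in the previous hunk before prs_init(&ps_wire) has run, so ps_wire is an uninitialized automatic on those two paths; a second label placed after the ps_wire free, e.g. `ads_set_sd_error_noinit:` followed by `prs_mem_free(&ps); talloc_destroy(ctx); return ...;`, lets the early gotos skip it. The label also returns a fixed ADS_ERROR(LDAP_NO_MEMORY) for every failure, so the NTSTATUS from sec_desc_add_sid and the parse failure are both reported as out-of-memory; setting ret before each goto, as the removed lines did, and returning ret keeps the real cause. In the moved ads_set_machine_password the strdup() result is unchecked, so strlower(host) runs on NULL when it fails: `if (!host) return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);` after the strdup, and the asprintf() building principal has the same unchecked-result issue noted in kerberos.c.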
@@ -1615,60 +1596,6 @@ int ads_pull_sids(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx,
return count;
}
-/**
- * pull a SEC_DESC from a ADS result
- * @param ads connection to ads server
- * @param mem_ctx TALLOC_CTX for allocating sid array
- * @param msg Results of search
- * @param field Attribute to retrieve
- * @param sd Pointer to *SEC_DESC to store result (talloc()ed)
- * @return boolean inidicating success
-*/
-BOOL ads_pull_sd(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx,
- void *msg, const char *field, SEC_DESC **sd)
-{
- struct berval **values;
- prs_struct ps;
- BOOL ret = False;
-
- values = ldap_get_values_len(ads->ld, msg, field);
-
- if (!values) return False;
-
- if (values[0]) {
- prs_init(&ps, values[0]->bv_len, mem_ctx, UNMARSHALL);
- prs_append_data(&ps, values[0]->bv_val, values[0]->bv_len);
- ps.data_offset = 0;
-
- ret = sec_io_desc("sd", sd, &ps, 1);
- }
-
- ldap_value_free_len(values);
- return ret;
-}
-
-/*
- * in order to support usernames longer than 21 characters we need to
- * use both the sAMAccountName and the userPrincipalName attributes
- * It seems that not all users have the userPrincipalName attribute set
- *
- * @param ads connection to ads server
- * @param mem_ctx TALLOC_CTX for allocating sid array
- * @param msg Results of search
- * @return the username
- */
-char *ads_pull_username(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, void *msg)
-{
- char *ret, *p;
-
- ret = ads_pull_string(ads, mem_ctx, msg, "userPrincipalName");
- if (ret && (p = strchr(ret, '@'))) {
- *p = 0;
- return ret;
- }
- return ads_pull_string(ads, mem_ctx, msg, "sAMAccountName");
-}
-
/**
* find the update serial number - this is the core of the ldap cache
@@ -1778,9 +1705,8 @@ ADS_STATUS ads_server_info(ADS_STRUCT *ads)
ads->config.realm = strdup(p+2);
ads->config.bind_path = ads_build_dn(ads->config.realm);
- DEBUG(3,("got ldap server name %s@%s, using bind path: %s\n",
- ads->config.ldap_server_name, ads->config.realm,
- ads->config.bind_path));
+ DEBUG(3,("got ldap server name %s@%s\n",
+ ads->config.ldap_server_name, ads->config.realm));
ads->config.current_time = ads_parse_time(timestr);
diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index aa7d99a5f7..f7dd01084a 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -20,7 +20,7 @@
#include "includes.h"
-#ifdef HAVE_LDAP
+#ifdef HAVE_ADS
/*
perform a LDAP/SASL/SPNEGO/NTLMSSP bind (just how many layers can
@@ -190,12 +190,10 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
}
DEBUG(3,("got principal=%s\n", principal));
-#ifdef HAVE_KRB5
if (!(ads->auth.flags & ADS_AUTH_DISABLE_KERBEROS) &&
got_kerberos_mechanism && ads_kinit_password(ads) == 0) {
return ads_sasl_spnego_krb5_bind(ads, principal);
}
-#endif
/* lets do NTLMSSP ... this has the big advantage that we don't need
to sync clocks, and we don't rely on special versions of the krb5