Diffstat (limited to 'source3')
-rw-r--r--source3/libads/ads_ldap.c145
-rw-r--r--source3/libads/ldap_utils.c96
-rwxr-xr-xsource3/script/creategroup27
3 files changed, 268 insertions, 0 deletions
diff --git a/source3/libads/ads_ldap.c b/source3/libads/ads_ldap.c
new file mode 100644
index 0000000000..05b016539e
--- /dev/null
+++ b/source3/libads/ads_ldap.c
@@ -0,0 +1,145 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ Winbind ADS backend functions
+
+ Copyright (C) Andrew Tridgell 2001
+ Copyright (C) Andrew Bartlett 2002
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "includes.h"
+#ifdef HAVE_LDAP
+
+/* convert a single name to a sid in a domain */
+NTSTATUS ads_name_to_sid(ADS_STRUCT *ads,
+ const char *name,
+ DOM_SID *sid,
+ enum SID_NAME_USE *type)
+{
+ const char *attrs[] = {"objectSid", "sAMAccountType", NULL};
+ int count;
+ ADS_STATUS rc;
+ void *res = NULL;
+ char *exp;
+ uint32 t;
+ NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
+
+ if (asprintf(&exp, "(|(sAMAccountName=%s)(userPrincipalName=%s@%s))",
+ name, name, ads->config.realm) == -1) {
+ DEBUG(1,("ads_name_to_sid: asprintf failed!\n"));
+ status = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
+
+ rc = ads_search_retry(ads, &res, exp, attrs);
+ free(exp);
+ if (!ADS_ERR_OK(rc)) {
+ DEBUG(1,("name_to_sid ads_search: %s\n", ads_errstr(rc)));
+ goto done;
+ }
+
+ count = ads_count_replies(ads, res);
+ if (count != 1) {
+ DEBUG(1,("name_to_sid: %s not found\n", name));
+ goto done;
+ }
+
+ if (!ads_pull_sid(ads, res, "objectSid", sid)) {
+ DEBUG(1,("No sid for %s !?\n", name));
+ goto done;
+ }
+
+ if (!ads_pull_uint32(ads, res, "sAMAccountType", &t)) {
+ DEBUG(1,("No sAMAccountType for %s !?\n", name));
+ goto done;
+ }
+
+ *type = ads_atype_map(t);
+
+ status = NT_STATUS_OK;
+
+ DEBUG(3,("ads name_to_sid mapped %s\n", name));
+
+done:
+ if (res) ads_msgfree(ads, res);
+
+ return status;
+}
+
+/* convert a sid to a user or group name */
+NTSTATUS ads_sid_to_name(ADS_STRUCT *ads,
+ TALLOC_CTX *mem_ctx,
+ const DOM_SID *sid,
+ char **name,
+ enum SID_NAME_USE *type)
+{
+ const char *attrs[] = {"userPrincipalName",
+ "sAMAccountName",
+ "sAMAccountType", NULL};
+ ADS_STATUS rc;
+ void *msg = NULL;
+ char *exp = NULL;
+ char *sidstr = NULL;
+ uint32 atype;
+ NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
+
+ if (!(sidstr = sid_binstring(sid))) {
+ DEBUG(1,("ads_sid_to_name: sid_binstring failed!\n"));
+ status = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
+
+ if (asprintf(&exp, "(objectSid=%s)", sidstr) == -1) {
+ DEBUG(1,("ads_sid_to_name: asprintf failed!\n"));
+ status = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
+
+ rc = ads_search_retry(ads, &msg, exp, attrs);
+ if (!ADS_ERR_OK(rc)) {
+ status = ads_ntstatus(rc);
+ DEBUG(1,("ads_sid_to_name ads_search: %s\n", ads_errstr(rc)));
+ goto done;
+ }
+
+ if (!ads_pull_uint32(ads, msg, "sAMAccountType", &atype)) {
+ goto done;
+ }
+
+ *name = ads_pull_username(ads, mem_ctx, msg);
+ if (!*name) {
+ DEBUG(1,("ads_sid_to_name: ads_pull_username retuned NULL!\n"));
+ status = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
+
+ *type = ads_atype_map(atype);
+
+ status = NT_STATUS_OK;
+
+ DEBUG(3,("ads sid_to_name mapped %s\n", *name));
+
+done:
+ if (msg) ads_msgfree(ads, msg);
+
+ SAFE_FREE(exp);
+ SAFE_FREE(sidstr);
+
+ return status;
+}
+
+#endif
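Review bot: ads_name_to_sid interpolates the caller-supplied `name` straight into the LDAP filter in the asprintf call, so a name containing filter metacharacters (`*`, `(`, `)`, `\`, NUL) is interpreted as filter syntax rather than matched literally, and the later `count != 1` check only catches the cases that happen to yield zero or several entries. Escape the value per RFC 2254 (`\2a`, `\28`, `\29`, `\5c`, `\00`) before building the filter — with the tree's LDAP-escape helper if one exists — and free the escaped copy alongside `exp`. The `(objectSid=%s)` filter in ads_sid_to_name looks safe only if `sid_binstring` already emits the `\xx` hex form; that is not visible here and is worth confirming. A smaller inconsistency: when `ads_search_retry` fails in ads_name_to_sid, `status` stays NT_STATUS_UNSUCCESSFUL, whereas ads_sid_to_name maps the error with `status = ads_ntstatus(rc);` — the same line could be added inside the `if (!ADS_ERR_OK(rc))` branch of ads_name_to_sid.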
diff --git a/source3/libads/ldap_utils.c b/source3/libads/ldap_utils.c
new file mode 100644
index 0000000000..907f7c8aff
--- /dev/null
+++ b/source3/libads/ldap_utils.c
@@ -0,0 +1,96 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ Some Helpful wrappers on LDAP
+
+ Copyright (C) Andrew Tridgell 2001
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "includes.h"
+
+#ifdef HAVE_LDAP
+/*
+ a wrapper around ldap_search_s that retries depending on the error code
+ this is supposed to catch dropped connections and auto-reconnect
+*/
+ADS_STATUS ads_do_search_retry(ADS_STRUCT *ads, const char *bind_path, int scope,
+ const char *exp,
+ const char **attrs, void **res)
+{
+ ADS_STATUS status;
+ int count = 3;
+ char *bp;
+
+ if (!ads->ld &&
+ time(NULL) - ads->last_attempt < ADS_RECONNECT_TIME) {
+ return ADS_ERROR(LDAP_SERVER_DOWN);
+ }
+
+ bp = strdup(bind_path);
+
+ if (!bp)
+ return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
+
+ while (count--) {
+ status = ads_do_search_all(ads, bp, scope, exp, attrs, res);
+ if (ADS_ERR_OK(status)) {
+ DEBUG(5,("Search for %s gave %d replies\n",
+ exp, ads_count_replies(ads, *res)));
+ free(bp);
+ return status;
+ }
+
+ if (*res) ads_msgfree(ads, *res);
+ *res = NULL;
+ DEBUG(3,("Reopening ads connection to realm '%s' after error %s\n",
+ ads->config.realm, ads_errstr(status)));
+ if (ads->ld) {
+ ldap_unbind(ads->ld);
+ }
+ ads->ld = NULL;
+ status = ads_connect(ads);
+ if (!ADS_ERR_OK(status)) {
+ DEBUG(1,("ads_search_retry: failed to reconnect (%s)\n",
+ ads_errstr(status)));
+ ads_destroy(&ads);
+ free(bp);
+ return status;
+ }
+ }
+ free(bp);
+
+ DEBUG(1,("ads reopen failed after error %s\n", ads_errstr(status)));
+ return status;
+}
+
+
+ADS_STATUS ads_search_retry(ADS_STRUCT *ads, void **res,
+ const char *exp,
+ const char **attrs)
+{
+ return ads_do_search_retry(ads, ads->config.bind_path, LDAP_SCOPE_SUBTREE,
+ exp, attrs, res);
+}
+
+ADS_STATUS ads_search_retry_dn(ADS_STRUCT *ads, void **res,
+ const char *dn,
+ const char **attrs)
+{
+ return ads_do_search_retry(ads, dn, LDAP_SCOPE_BASE,
+ "(objectclass=*)", attrs, res);
+}
+#endif
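Review bot: In ads_do_search_retry, the `ads_destroy(&ads);` on the reconnect-failure path presumably tears down an ADS_STRUCT that the caller passed in and still holds — `ads` here is a local copy of the caller's pointer, so only the local is reset and the caller keeps a dangling pointer it will use on its next call (the two wrappers below pass the same pointer through). The helper should leave ownership with the caller: drop the `ads_destroy(&ads);` line and just return the failed `ads_connect` status (`ads->ld` is already NULL at that point, and the `last_attempt` guard at the top already rate-limits reconnects). If destroying on failure is intended, the function needs a header comment stating that the struct is invalid afterwards, and every caller has to be audited for that contract. Also, the retry path reads `*res` at `if (*res) ads_msgfree(ads, *res);` before the function has assigned it, so it relies on callers initializing `*res` to NULL; a comment on the `res` parameter saying so would save the next caller from passing an uninitialized pointer.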
diff --git a/source3/script/creategroup b/source3/script/creategroup
new file mode 100755
index 0000000000..01fb065944
--- /dev/null
+++ b/source3/script/creategroup
@@ -0,0 +1,27 @@
+#!/bin/sh
+
+# Example script for 'add group command'. Handle weird NT group
+# names. First attempt to create the group directly, if that fails
+# then create a random group and print the numeric group id.
+#
+# Note that this is only an example and assumes /dev/urandom.
+#
+# Volker
+
+GROUPNAME="$1"
+ITERS=0
+
+while ! /usr/sbin/groupadd "$GROUPNAME" > /dev/null 2>&1
+do
+ # we had difficulties creating that group. Maybe the name was
+ # too weird, or it already existed. Create a random name.
+ GROUPNAME=nt-$(dd if=/dev/urandom bs=16 count=1 2>/dev/null | md5sum | cut -b 1-5)
+ ITERS=$(expr "$ITERS" + 1)
+ if [ "$ITERS" -gt 10 ]
+ then
+ # Too many attempts
+ exit 1
+ fi
+done
+
+getent group | grep ^"$GROUPNAME": | cut -d : -f 3
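Review bot: The final `getent group | grep ^"$GROUPNAME":` treats the group name as a regular expression, so a name containing `.`, `[`, `*` or `\` — exactly the "weird NT group names" this script exists for — can match the wrong line or fail to match, and the 'add group command' caller would read a wrong gid or none. Look the name up as a key instead, `getent group "$GROUPNAME" | cut -d : -f 3`, which also avoids scanning the whole group database. Two smaller points: the script exits 0 even when that lookup prints nothing, so the caller cannot tell "no gid" from success, and an explicit `exit` with the pipeline's status would help; and since groupadd's stderr is discarded, a failure for a reason unrelated to the name (permissions, a full gid range) silently falls through to creating up to ten random groups.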